On August 15, 2017, three years after it faced backlash from the media, Uber settled with the Federal Trade Commission (FTC) over allegations that, despite its representations, the company failed to secure customer data and failed to monitor employee access to that data, thus engaging in unfair or deceptive acts or practices affecting commerce in violation of the Federal Trade Commission Act, 15 U.S.C. § 45(a). We cannot explain why it took three years for the decision to be issued. Regardless, the decision is a reminder that parties must accurately describe their security programs, must take reasonable and appropriate steps to protect personal information, and must test the efficacy of their privacy programs.
In 2014, news outlets reported that Uber employees had been accessing consumer data. In response, Uber issued a statement that it had policies restricting employee access to the data and that the company had developed a system to review employee access to consumer information. However, Uber failed to actually review employee access to this information, and the company dropped the system less than a year later. In addition, despite its assurances that its data was secured, in May 2014 a hacker accessed personal information of Uber drivers, including their driver's license numbers.
In response to these allegations, Uber settled with the FTC and agreed to a number of requirements. First, Uber agreed that it and all of its officers, agents, employees, and attorneys would not misrepresent the extent to which the company actually monitors or audits access to consumers’ personal information and the extent to which the company protects the privacy of any personal information.
Second, the company agreed to establish a privacy program, effective as of the date of the Order, to address privacy risks and to protect the privacy and confidentiality of personal information. This privacy program must be assessed by an independent third-party professional approved by the FTC, with the first assessment due six months after the Order and further assessments every two years thereafter for 20 years. The Order also requires the program to be regularly tested, evaluated and adjusted, and changed if the company undergoes any alterations to its operations or business arrangements.
Third, in addition to the privacy program, the Order requires Uber to submit a compliance report, one year after the Order, describing how the company and each of its entities is in compliance with the Order. The report must be supplemented if the company has a change in the designated point of contact within the company or if the company undergoes any restructuring or sale that directly or indirectly affects the compliance requirements of the Order. In addition, the company must respond to the FTC within 10 days of receipt of a written request with sworn records, additional compliance reports, or requested information. The FTC can even interview individuals affiliated with the company.
Fourth, Uber agreed to implement and maintain records for 20 years following issuance of the Order. The Order requires Uber to create and retain (for five years) accounting records, personnel information (including those of independent contractors, which Uber considers its drivers to be), records of consumer complaints, and records necessary to show compliance with the FTC Order. The company must also keep for three years all documents it used to prepare each assessment ordered by the FTC and the company must keep for five years all documents that demonstrate non-compliance with the Order.
Of note, in the settlement, Uber did not admit or deny any of the allegations in the Complaint. The Complaint was published in the Federal Register on August 21, 2017, with comments due on September 15, 2017. Following the public comment period, the FTC will decide whether the Consent Order is final.