Commission: company policies had not changed sufficiently since major incidents

Under the Hood

Uber had a difficult year in 2014 where data privacy was concerned. In May, an intruder accessed the personal information of Uber drivers, viewing 100,000 names and driver’s license numbers. Then, that November, an Uber employee was accused of accessing the ride history of a journalist who had written extensively about the company.

An internal audit was launched regarding the company’s privacy policies. Changes were recommended. But the Federal Trade Commission (FTC) was watching, and it believed that the company hadn’t changed enough.

Where Are My Keys?

This August, Uber settled allegations made by the Commission that the company had continued to fail to protect its customers’ privacy.

The Commission claimed that Uber’s automated monitoring system, which had been established in response to its internal review, had been abandoned less than a year later. Internal access to private data was rarely monitored after that point.

Moreover, the FTC claimed that Uber failed to implement straightforward and affordable measures to secure its data. For instance, in the May 2014 hack, the intruder gained entry to the company’s systems by using a special access key published openly on the web by an Uber engineer. The Commission also noted that the company stored consumer information in readable plaintext in cloud storage.

The Takeaway

The settlement prohibits Uber from misrepresenting its efforts to monitor internal access to personal customer information and its efforts to secure its data generally. The company must institute a comprehensive privacy and confidentiality policy to protect customer information. And the agreement requires 20 years of independent audits to verify that the FTC’s concerns are addressed.

Uber’s rise has been phenomenal, and it has at times claimed that its privacy problems are due to its rapid growth. This agreement underscores the necessity of a privacy policy that “scales” alongside enterprises. Companies – especially new companies that depend on leveraging data as a matter of course – need to ensure that the security of their data grows in lockstep with their business as a whole.