FTC-Uber data settlement subjects company to privacy audits for next 20 years

Uber has settled a privacy complaint brought by the Federal Trade Commission (FTC) charging that it failed to adequately protect consumer and driver data from improper access by its own employees and from access by third parties to data it stored on Amazon's cloud-based servers.

In its complaint (.pdf) the FTC cited and paraphrased Uber’s terms and policies representing that rider and driver data were secure:

Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors . . .

The Personal Information and Usage Information we collect is securely stored within our databases, and we use standard, industry-wide, commercially reasonable security practices such as encryption, firewalls and SSL (Secure Socket Layers) for protecting your information—such as any portions of your credit card number which we retain (we do not ourselves retain your entire credit card information) and geo-location information.

The complaint alleges that Uber neither monitored internal access to rider and driver data nor secured that data from improper access, and that its representations about data privacy and security were therefore deceptive. It also noted that third parties had accessed Uber's data on Amazon's servers, and that a significant 2014 breach exposed nearly 100,000 driver records, including highly sensitive personal information.

This is the second Uber-FTC settlement of 2017. Earlier this year Uber agreed to pay $20 million to settle a complaint that it misrepresented and exaggerated potential driver earnings and car financing terms, through its Vehicle Solutions Program. The $20 million was distributed as compensation to drivers.

Under the current FTC settlement, Uber is prohibited from misrepresenting its handling of rider and driver data and related security measures. It’s also “required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company.”

Uber will also have to obtain independent third-party privacy audits every two years for the next 20 years, each certifying that its privacy program “meets or exceeds the requirements of the FTC order.”

“This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises,” FTC Acting Chairman Maureen K. Ohlhausen said in a statement.