On April 12, 2018, Uber reached an expanded settlement agreement with the Federal Trade Commission (“FTC”) over charges of misrepresentation of data privacy practices.
The 2018 settlement is yet another round in Uber’s data privacy-related fisticuffs with the FTC, the administrative agency tasked with regulating business practices to protect consumer interests. In 2017, the FTC charged Uber with misleading consumers about its information access and security practices under the Federal Trade Commission Act. The FTC alleged that Uber did not monitor employee access to rider and driver information as promised, and similarly, did not secure rider information stored on Amazon web servers as claimed in assurances to customers. A 2014 data breach prompted the original FTC charges and subsequent investigation. In response to the administrative action, Uber agreed to settlement terms to implement a privacy program and submit to regular external audits.
The FTC later discovered, however, that Uber suffered, and did not disclose, a data breach in November 2016. This latter breach occurred during the FTC’s investigation of Uber’s 2014 breach and resulted in unauthorized access to rider and driver personal information, including names, phone numbers, and driver’s license numbers. Uber disclosed the breach in November 2017 and initially claimed that it had paid the responsible hackers through its “bug bounty” program for exposing vulnerabilities. However, in testimony to the Senate Committee on Commerce, Science, and Transportation in February 2018, Uber’s Chief Information Security Officer acknowledged that the payment to the intruders, who had not simply reported a vulnerability but exploited it to take the data, was inconsistent with the bug bounty program. Instead, Uber paid the perpetrators to delete the data they had collected and to remain silent about the exploit. Uber waited more than a year to disclose the incident to the FTC and consumers. The breach and the subsequent failure to disclose it prompted the FTC to expand its complaint to cite the incident as another instance of Uber’s misrepresentation of its data protection practices.
In addition to a privacy program and regular audits, the updated settlement adds a requirement that any customer data access incident that Uber reports to federal, state, or local authorities must also be reported to the FTC. The settlement also requires Uber to share with the FTC reports from all external audits, and maintain records of all consumer data-related vulnerabilities exposed through its bug bounty program.
The FTC will collect public comments on the new consent order until May 14, 2018. After the comment period, the FTC can issue a final order that will bind Uber with the force of law and provide a route to civil action in case of future noncompliance. While federal action may be limited to fines associated with noncompliance, Uber is already facing a number of suits under state laws for failure to disclose the 2016 breach sooner.
Ashwini Bharatkumar is a 1L student at Harvard Law School.