Uber Technologies Inc. reached a no-fault settlement Aug. 15 with the Federal Trade Commission over data security and privacy claims involving sensitive consumer data stored in the cloud.
The settlement demonstrates that the FTC intends to hold companies to their privacy promises to consumers and require they maintain a reasonable level of protection for personal data, even in the absence of a direct showing of harm. It also underscores the agency’s assessment that geolocation information is sensitive personal data.
The FTC alleged that the San Francisco-based ride-hailing company failed to monitor employee access to consumer data and failed to reasonably secure data stored in the cloud. Under the terms of the consent order, Uber will implement a comprehensive privacy program and conduct independent privacy and security audits on a regular basis for 20 years. Privately held Uber won’t pay a fine under the terms of the order, but could face monetary penalties for failure to follow the agreement.
The investigation stemmed from 2014 reports that Uber employees were accessing sensitive consumer data without permission. Uber had said in November 2014 that it doesn’t allow employees to access that type of data about consumers or drivers. Uber said then it developed a comprehensive system for monitoring access to driver and customer data. However, according to the FTC, Uber stopped using that system within a year. The FTC’s investigation also focused on data security controls at Uber after a 2014 breach that led to the exposure of driver’s license data, including names and numbers.
An Uber spokesperson told Bloomberg BNA Aug. 15 that the company has “significantly strengthened” its data security and privacy practices since 2014 and “will continue to invest heavily in these programs.” Uber will continue to work with the FTC to make sure its programs “protect user privacy and personal information,” the spokesperson said.
The agency’s action against Uber “fits squarely in the FTC’s wheelhouse,” James C. Cooper, associate professor of law at the George Mason University Antonin Scalia Law School and director of the school’s program on economics and privacy, told Bloomberg BNA Aug. 15.
Uber made a highly publicized statement regarding data security and privacy stemming from the 2014 reports, said Cooper, who served as deputy and acting director of the FTC’s office of policy planning from 2005 to 2009. Companies that tout in public their privacy and data security promises, especially with regard to sensitive information, need to make sure to follow through on such pledges, he said.
The FTC “is going to be watching” if Uber or other companies fail to live up to their consumer promises, Cooper said.
FTC Acting Chairman Maureen K. Ohlhausen told reporters Aug. 15 that “companies must honor promises” they make about protecting consumer data and they must protect data “at all points in the life cycle.”
Uber misrepresented “the extent to which it monitored its employees’ access to personal information about users and drivers” and didn’t take “reasonable steps to secure that data,” Ohlhausen said.
The agency asserted that Uber’s failure to protect geolocation data “created serious risks for consumers.”
Melissa Krasnow, privacy partner at VLP Law Group LLP in Minneapolis, told Bloomberg BNA Aug. 15 that the FTC’s “enforcement action makes clear that geolocation information is sensitive information for which reasonable security must be provided.” It “continues the trend” of FTC enforcement and regulation of corporate “collection, use, sharing, protection, and storage of geolocation information,” Krasnow said.
Ohlhausen said that the commission treats geolocation data as sensitive information and will “continue to focus” on geolocation privacy and data security issues.
To contact the reporter on this story: Daniel R. Stoller in Washington at email@example.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Full text of the consent agreement is available at http://src.bna.com/rHi.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.