Uber Settles FTC Customer Data Security, Privacy Enforcement Action

By Daniel R. Stoller

Uber Technologies Inc. reached a no-fault settlement Aug. 15 with the Federal Trade Commission over data security and privacy claims involving sensitive consumer data stored in the cloud.

The settlement demonstrates that the FTC intends to hold companies to their privacy promises to consumers and require they maintain a reasonable level of protection for personal data, even in the absence of a direct showing of harm. It also underscores the agency’s assessment that geolocation information is sensitive personal data.

The FTC alleged that the San Francisco-based ride-hailing company failed to monitor employee access to consumer data and failed to reasonably secure data stored in the cloud. Under the terms of the consent order, Uber will implement a comprehensive privacy program and conduct independent privacy and security audits on a regular basis for 20 years. Privately held Uber won’t pay a fine under the terms of the order, but could face monetary penalties for failure to follow the agreement.

The investigation stemmed from 2014 reports that Uber employees were accessing sensitive consumer data without permission. Uber had said in November 2014 that it doesn’t allow employees to access that type of data about consumers or drivers. Uber said then it developed a comprehensive system for monitoring access to driver and customer data. However, according to the FTC, Uber stopped using that system within a year. The FTC’s investigation also focused on data security controls at Uber after a 2014 breach that led to the exposure of driver’s license data, including names and numbers.

An Uber spokesperson told Bloomberg BNA Aug. 15 that the company has “significantly strengthened” its data security and privacy practices since 2014 and “will continue to invest heavily in these programs.” Uber will continue to work with the FTC to make sure its programs “protect user privacy and personal information,” the spokesperson said.

Keeping Privacy Promises

The agency’s action against Uber “fits squarely in the FTC’s wheelhouse,” James C. Cooper, associate professor of law at the George Mason University Antonin Scalia Law School and director of the school’s program on economics and privacy, told Bloomberg BNA Aug. 15.

Uber made a highly publicized statement regarding data security and privacy stemming from the 2014 reports, said Cooper, who served as deputy and acting director of the FTC’s office of policy planning from 2005 to 2009. Companies that tout in public their privacy and data security promises, especially with regard to sensitive information, need to make sure to follow through on such pledges, he said.

The FTC “is going to be watching” if Uber or other companies fail to live up to their consumer promises, Cooper said.

FTC Acting Chairman Maureen K. Ohlhausen told reporters Aug. 15 that “companies must honor promises” they make about protecting consumer data and they must protect data “at all points in the life cycle.”

Uber misrepresented “the extent to which it monitored its employees’ access to personal information about users and drivers” and didn’t take “reasonable steps to secure that data,” Ohlhausen said.

Geolocation Data

The agency asserted that Uber’s failure to protect geolocation data “created serious risks for consumers.”

Melissa Krasnow, privacy partner at VLP Law Group LLP in Minneapolis, told Bloomberg BNA Aug. 15 that the FTC’s “enforcement action makes clear that geolocation information is sensitive information for which reasonable security must be provided.” It “continues the trend” of FTC enforcement and regulation of corporate “collection, use, sharing, protection, and storage of geolocation information,” Krasnow said.

Ohlhausen said that the commission treats geolocation data as sensitive information and will “continue to focus” on geolocation privacy and data security issues.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the consent agreement is available at http://src.bna.com/rHi.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
