Uber and the Federal Trade Commission (FTC) have at long last finalized a settlement related to two major data breaches the company suffered in 2014 and 2016. The initial breach in 2014 revealed problems with the way the ride-sharing service used and stored rider and driver data, and resulted in an FTC complaint over Uber's alleged failure to protect the personal information of both riders and drivers. To make matters worse, the company was under investigation by the FTC in relation to this hack when a second, larger data breach occurred in October-November 2016 that Uber neglected to disclose for over a year. As a result of Uber's failures, the FTC revised and expanded an initial settlement agreement whose terms have been folded into the finalized agreement. We previously reported on the settlement agreement here.
The final agreement requires that Uber implement a comprehensive privacy program, conduct third-party privacy audits for 20 years, provide the FTC with the auditors' reports, and retain records of bug bounty reports related to unauthorized access to consumer data. It also prohibits Uber from misrepresenting its privacy measures.
The FTC voted 4-0-1 to approve the settlement (Commissioner Christine Wilson did not participate). Although third-party audit requirements are now a common remedy for privacy and security violations, Commissioners Rohit Chopra and Rebecca Slaughter, the two Democrats on the Commission, issued individual statements in which they advocated for requiring the release of Uber's mandated third-party audit results. Their reasoning is that Uber is a repeat violator and public interest in the case is significant.
Slaughter's comments suggest that the FTC needs greater rulemaking and enforcement authority. Echoing recent testimony given by FTC Chair Joseph Simons, a Republican, before the Senate Subcommittee on Digital Commerce and Consumer Protection last July, Slaughter called for legislation that would give the Commission the ability to seek civil penalties, jurisdiction over non-profits and common carriers, and authority to issue implementing rules under the Administrative Procedure Act. The continued expression of bipartisan support for broader privacy and security authority will likely mean action on the legislative and regulatory front in 2019.