July 15, 2020

Volume X, Number 197

FTC Announces Expanded Settlement with Uber

The FTC withdrew its August 2017 administrative complaint and proposed consent agreement with Uber Technologies, Inc. (Uber) and issued a revised complaint against the company. Uber has accepted a revised proposed consent agreement, which will be subject to public comment for 30 days.

The FTC’s August 2017 Uber consent agreement resolved allegations that Uber had failed to live up to its claims that it closely monitored employee access to rider and driver data and that it used reasonable measures to secure personal information stored on a third-party cloud provider’s servers. The previous consent agreement focused on conduct that occurred in late 2014.

Before the FTC issued the consent in final form, the FTC learned that Uber failed to disclose a significant breach of consumer data that occurred in 2016 while the FTC investigation was underway.

The revised complaint details the 2016 data breach of consumer data stored in Uber’s Amazon cloud-based S3 Datastore. Specifically, it describes how intruders downloaded 16 files from the Datastore that contained unencrypted consumer personal information relating to U.S. riders and drivers. This included, among other things, unencrypted personally identifying information (PII): over 25 million names and email addresses, over 22 million names and mobile phone numbers, and over 600,000 names and driver’s license numbers. The attackers gained access using an access key that Uber engineers used to access the S3 Datastore, which the attackers found in plain text in a web-based repository for computer code. According to the revised complaint, “Uber did not have a policy prohibiting engineers from reusing credentials and did not require engineers to enable multi-factor authentication” when accessing the private repositories. This allowed the attackers to use passwords that were exposed in prior data breaches to access the repositories and find the access key.

The revised complaint further describes that Uber discovered the 2016 breach after one of the attackers contacted Uber and demanded a six-figure payout. Although the attackers “maliciously exploited” the uncovered PII, Uber paid the attackers $100,000 through the third party that administers the company’s “bug bounty” program. The program was originally created to pay financial rewards in exchange for the responsible disclosure of security vulnerabilities. Uber did not disclose the breach to the FTC until November 2017, more than a year after its discovery.

The revised consent order includes a definition of “covered incident” and a new provision that requires Uber to report such incidents to the FTC along with any notice required by any federal, state, or local government entity. The requirement to report breaches to the FTC is similar to the HIPAA statutory scheme that requires that certain breaches be reported to HHS’s Office of Civil Rights.

The revised order is broadened to require that Uber submit to the FTC all the reports from the required third-party audits of Uber’s privacy program, rather than only the initial report. Finally, certain of the recordkeeping requirements have been extended from three to five years, and Uber must also provide all copies of subpoenas and other communications with law enforcement related to compliance with the order and all records that call into question Uber’s compliance with the order.

It is very unusual for the FTC to take the action it has taken with Uber. Had the ink been dry and the order final, it is possible that the facts surrounding the 2016 breach would have been found to violate the order. If the FTC had determined that the order was violated, it would be able to seek civil penalties. Instead, the FTC broadened the complaint allegations and the order. It should be noted that the Commission has requested that the U.S. Congress grant it civil penalty authority for data security breaches.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

National Law Review, Volume VIII, Number 106


About this Author

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...

Anand Raj Shah, Drinker Biddle Law Firm, Cybersecurity Attorney

Anand Raj Shah counsels clients on issues relating to cybersecurity, information governance, privacy, eDiscovery and data analytics. He assists clients in proactively evaluating and managing risks associated with their information practices, particularly during breach response or cybercrime investigations. Anand advises clients on a wide range of federal laws and regulations, including CFAA, ECPA, HIPAA, GLB, FISMA, CAN-SPAM, VPPA, COPPA, FCRA, and CISA, along with international and state data protection and breach notification laws. He guides clients on the implementation of information sharing practices, such as the DHS’s Automated Indicator Sharing initiative, and industry standards, such as the NIST Cybersecurity Framework. Anand assists in crafting incident response plans, vulnerability assessment tools, information security agreements, corporate policies, and product design reviews that are tailored to meet the needs of companies and boards seeking to safeguard their data.