June 26, 2019

Uber Agrees to Expanded Settlement with FTC For Failure to Disclose Data Breach

Uber’s rough ride with privacy and data security continues with a revised settlement with the Federal Trade Commission (FTC) over a 2016 data breach affecting rider and driver data. The revised settlement tacks on additional requirements to a settlement reached in 2017 pertaining to another breach that Uber experienced in 2014.

According to the revised FTC complaint, the second breach was known to Uber in November 2016 but not revealed to the FTC until a year later. The hackers gained access to unencrypted, cloud-stored data for approximately 57 million people around the world by using a key that an Uber engineer posted online. Uber paid the hackers a $100,000 “bug bounty” – ironically, a program created by Uber to reward individuals who identify security issues for the good of consumers.

In addition to failing to promptly inform the FTC about the data breach, Uber was charged with having inadequate security measures, including failure to: implement reasonable security training; ensure that its engineers were required to use distinct access keys instead of a single all-access key; restrict access based on employees’ job functions; and maintain a written security program. According to the FTC, Uber’s failure to provide reasonable security for personal information stored in its databases, including geolocation information, created serious risks for consumers.

Under the revised settlement, the ride-sharing company is required to maintain a comprehensive privacy program and submit all reports from required third-party audits of Uber’s privacy program to the FTC. Uber must also notify the FTC of any actual or potential unauthorized access to consumer data, maintain records related to bug bounty reports, and refrain from misrepresenting its privacy and data security measures. Failure to abide by the settlement terms could subject Uber to substantial civil penalties.

Acting FTC Chair Maureen Ohlhausen said, “Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach. The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”

The Commission voted 2-0 to accept the revised settlement agreement and withdraw the original administrative complaint and proposed consent agreement.

© 2019 Keller and Heckman LLP


About this Author

Tracy Marshall joined Keller and Heckman in 2002. She assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.


Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters. She helps clients develop website and app privacy policies, data security and access procedures, manage trans-border data flows, respond to data breaches and create training programs. She assists clients on digital media issues, helping them develop social media, blogging and user-generated content policies, and to understand advertising technology and online behavioral advertising issues. Ms. Millar also works with clients to navigate the array of federal and state requirements governing contests and sweepstakes, and advises on gift cards, coupons and rebates. She represents clients on advertising and privacy matters before the Federal Trade Commission (FTC), the Children’s Advertising Review Unit (CARU), the National Advertising Division (NAD), as well as in connection with investigations by state regulatory bodies and Attorneys General.