Recently, the Federal Trade Commission (“FTC”) announced that it has finalized its expanded settlement with ride-hailing giant Uber Technologies, Inc. (“Uber”) related to two major data breach incidents. The initial breach occurred in 2014 and led to an FTC investigation into Uber’s data storage practices for rider and driver data. While the FTC was conducting its investigation into Uber’s data security practices as a result of that breach, however, Uber hid a second, even larger data breach, which had occurred in fall of 2016 and affected over 50 million people. After it came to light that Uber had failed to disclose the 2016 breach for over a year, the FTC negotiated a revised and expanded settlement.
The FTC’s two-count Complaint alleges that Uber violated Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, by making material misrepresentations about its privacy and data security practices for personal information it collected from consumers. Count One alleged that Uber misrepresented the extent to which it monitored and audited internal access to consumers’ personal information. And Count Two alleged that Uber misrepresented that it provided reasonable security for consumers’ personal information stored in its databases.
The revised settlement includes an array of terms intended to tighten Uber’s privacy practices. Uber must implement a comprehensive privacy program; undergo third-party privacy assessments every two years for twenty years, and submit those audits to the FTC; and retain records related to its “bug bounty” program, which offers payouts to hackers for finding and disclosing certain vulnerabilities to Uber. Uber is also prohibited from misrepresenting how it monitors internal access to consumers’ personal information and the extent to which it protects the privacy, confidentiality, security, and integrity of personal information. A failure to notify the FTC of future security incidents involving unauthorized access to consumer and driver information could lead to civil penalties.
The FTC received three comments on the settlement, from the Electronic Privacy Information Center (“EPIC”), the World Privacy Forum, and an individual privacy and information policy consultant. While the commenters supported the FTC’s decision to expand the earlier consent order in light of the recently discovered breach, they all agreed that the FTC’s final decision did not go far enough. The World Privacy Forum and EPIC urged the FTC to make the mandatory auditors’ reports and assessments automatically public, but the FTC declined. The FTC responded that the reports will be accessible pursuant to Freedom of Information Act requests. The two Democratic Commissioners, Rohit Chopra and Rebecca Slaughter, supported the commenters’ requests. EPIC provided a number of other suggestions, including asking the FTC to impose specific data security requirements for third-party data storage and compelling Uber to use an automated system to monitor abuses of consumer location data. Both the World Privacy Forum and the independent privacy consultant called for objective and formal standards to be applied to Uber’s privacy assessments. The FTC addressed the commenters’ concerns in letters, explaining that while it does not itself set specific standards, the independent third-party review promises to be objective and thorough.
These expanded modifications make clear that companies will face enhanced penalties if they misrepresent their business practices to the FTC or conceal breaches during the course of an FTC investigation. What is noteworthy about the settlement, however, is what is conspicuously missing. The FTC did not impose a civil penalty, nor, as commenters pointed out, did it lay out objective standards with which Uber would need to comply going forward.
However, Uber did not get off scot-free financially. The FTC settlement comes in addition to a $148 million fine imposed in late September after an investigation conducted by state attorneys general, led by Massachusetts AG Maura Healey. All 50 states and the District of Columbia sued Uber, saying the company violated laws requiring it to promptly notify people affected by its breach.