October 17, 2018

October 16, 2018

October 15, 2018

Uber Goes 0-2 in Data Breach Notifications

In August 2017, the Federal Trade Commission (“FTC”) proposed a settlement agreement with Uber stemming from its investigation of a 2014 data breach due to Uber’s “unreasonable security practices.” The lengthy investigation found that Uber’s employees were accessing customers’ personal information, and that there were security lapses in Uber’s third-party cloud storage service. That settlement agreement required Uber to implement a “comprehensive privacy program”; however, the agreement was recently withdrawn by the FTC and amended. Why, you ask? Uber experienced a second data breach in 2016, while the investigation of the 2014 breach was well underway. The 2016 breach was a result of those same security lapses in the third-party cloud storage service, and Uber waited over one year to report that second breach. Uber’s handling of the second breach continued its trail of misconduct, clearly demonstrating that the company had not learned its lesson.

The FTC expanded the initial complaint and order, and Uber has accepted the new terms. Among the additions to the “comprehensive privacy program,” the new agreement requires that Uber adhere to strict reporting and recording procedures that include the generation of a report for each and every incident where a consumer’s information may have been accessed by unauthorized users. According to the FTC press release, other additions include: “1) secure software design, development, and testing, including access key management and secure cloud storage; 2) how Uber reviews and responds to third-party security vulnerability reports, including its bug bounty program; and 3) prevention, detection, and response to attacks, intrusions, or systems failures”.

The new agreement sends a clear message that the FTC is taking a “no prisoners” approach towards companies that attempt to bypass data breach notification regulations. FTC Chairman Maureen K. Ohlhausen stated, “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.” Data breaches will continue to be an issue; hopefully, corporate America learns from Uber’s uber-mistake.

Brad Davis authored this post.

© Copyright 2018 Murtha Cullina

About this Author

Dena M. Castricone, Partner

Dena M. Castricone is a member of the Long Term Care and Health Care practice groups.  She is the Chair of the Privacy and Cybersecurity practice group and the Chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

Dena’s long term care and health care clients compete in a constantly evolving industry, facing both rising administrative and regulatory burdens and shrinking reimbursement rates. She helps skilled nursing centers, physician groups, home health and...


Daniel Kagan, Associate

Mr. Kagan is an associate in the Health Care Group of Murtha Cullina.  He represents hospitals, physicians and other health care clients with a wide range of regulatory, compliance, risk management and reimbursement issues.

Prior to joining Murtha Cullina, Mr. Kagan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court. 

Mr. Kagan received his J.D. with honors from the University of Connecticut Law School where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal.  He earned his Bachelor of Arts in Economics from McGill University.