In August, 2017, the Federal Trade Commission (“FTC”) proposed a settlement agreement with Uber stemming from its investigation of a 2014 data breach due to Uber’s “unreasonable security practices”. The lengthy investigation found that Uber’s employees were accessing customer’s personal information, and that there were security lapses in Uber’s third-party cloud storage service. That settlement agreement required Uber to implement a “comprehensive privacy program”; however, the agreement was withdrawn by the FTC and amended recently. Why, you ask? Uber experienced a second data breach in 2016, while the investigation from the 2014 breach was well underway. The 2016 breach was a result of those same security lapses in the third-party cloud storage service and Uber waited over one year to report that second breach. Uber’s handling of the second breach continued its trail of misconduct, clearly demonstrating that the company had not learned its lesson.
The FTC expanded the initial complaint and order, and Uber has accepted the new terms. Among the additions to the “comprehensive privacy program”, the new agreement requires that Uber adhere to strict reporting and recording procedures that includes the generation of a reporting each and every incident where a consumer’s information may have been accessed by unauthorized users. According to the FTC press release, other additions include: “1) secure software design, development, and testing, including access key management and secure cloud storage; 2) how Uber reviews and responds to third-party security vulnerability reports, including its bug bounty program; and 3) prevention, detection, and response to attacks, intrusions, or systems failures”.
The new agreement sends a clear message that the FTC is taking a “no prisoners” approach towards companies that attempt to bypass data breach notification regulations. FTC Chairman Maureen K. Ohlhausen stated, “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.” Data breaches will continue to be an issue, hopefully corporate America learns from Uber’s uber-mistake.