Today the Federal Trade Commission (FTC) announced that it has reached a non-monetary agreement with Uber to settle allegations that the company failed to properly protect consumers’ personal information. Under the agreement, the ride-sharing company has agreed to implement a comprehensive privacy program designed to address privacy risks and protect consumers’ confidential information.
In December 2014, Uber developed an automated system for monitoring employee access to consumer personal information, but the company stopped using it less than a year after it was put in place. The FTC’s complaint alleges that Uber, for more than nine months afterwards, rarely monitored internal access to personal information about users and drivers.
The FTC’s complaint also alleges that despite Uber’s claim that data was securely stored within the company’s databases, Uber’s security practices failed to provide reasonable security to prevent unauthorized access to consumers’ personal information in databases Uber stored with a third-party cloud provider. As a result, an intruder accessed personal information about Uber drivers in May 2014, including more than 108,000 names and driver’s license numbers that Uber stored in a datastore operated by Amazon Web Services.
Now Uber must make changes, which include creating a privacy program that will identify consumer privacy risks posed by new and existing Uber products and ensure that consumers’ personal information is properly secured. The settlement requires Uber to obtain an independent third-party audit every two years for the next 20 years to ensure that its privacy program is being implemented.
The company is also barred from making misrepresentations about the way it monitors internal access to consumers’ data and the measures it takes to secure this data, according to the terms of the settlement. Uber will not face a monetary penalty at this time.