Uber Technologies Inc. agreed Tuesday to submit to regular audits of its privacy protocols to resolve Federal Trade Commission allegations that the ride-hailing platform failed to properly safeguard sensitive data and misrepresented its monitoring of employee access to consumers’ personal information.
Following news reports about employees improperly accessing customer data, Uber released a statement in November 2014 stating that the company had a “strict policy prohibiting” such practices and, the next month, developed an automated system for monitoring staff’s access to consumers’ personal information. But less than a year later, Uber stopped using that system, the FTC alleged Tuesday. The FTC also accused Uber of failing to adequately protect personal information stored with Amazon Web Services, a third-party cloud provider, allowing a hacker to access the names, driver’s license numbers and other sensitive data about more than 100,000 drivers in May 2014.
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC acting Chairwoman Maureen K. Ohlhausen. “This case shows that, even if you’re a fast-growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
The FTC said that low-cost measures, such as requiring programmers and engineers to use distinct access keys to access personal information, could have prevented the data breach. Instead, the FTC said, Uber allowed employees to use a single key that gave them full administrative access and did not require more secure, multifactor authentication to access the data.
Uber, represented by Perkins Coie partner Rebecca Engrav, did not admit or deny the FTC’s allegations.The settlement requires Uber to develop a program designed to protect the privacy and confidentiality of personal information. For the next 20 years, Uber will be required under the settlement to undergo privacy assessments by an independent, third-party auditor subject to the FTC’s approval.
Uber was already under a microscope. This year alone, amid claims of a toxic workplace culture, Uber commissioned a report by former Attorney General Eric Holder that suggested “reallocating” the responsibilities of Travis Kalanick, the company’s CEO at the time. Kalanick has since resigned and is now fighting fraud claims from Benchmark Capital Partners, one of Uber’s largest investors, in a case that could boot the former CEO off the company’s board.
Kalanick has said he is “baffled” by Benchmark’s allegations, which he described as hostile and “not in the best interests of Uber and its employees on whose behalf they claim to be acting.”
Uber has also come under scrutiny for its use of a software tool called Greyball, which allowed the company to evade local law enforcement agencies trying to shut down the service. The New York Times reported in May that the Justice Department is investigating Uber over the program.
Asked Tuesday about whether the FTC was conducting its own Greyball investigation, Ohlhausen declined to comment.
“The FTC, as you know, doesn’t reveal whether we have other investigations going on until we make something public. There’s no comment on that question about Greyball,” she said.
In a separate settlement with the FTC, Uber agreed in January to pay $20 million to resolve allegations that the ride-hailing platform duped drivers about auto financing and gave inflated projections for how much they could earn through the company. Uber did not admit or deny wrongdoing.
C. Ryan Barber, based in Washington, covers government affairs and regulatory compliance. Contact him at firstname.lastname@example.org. On Twitter: @cryanbarber.