Policy Patty Toolkit 

Making the world a little more compliant one toolkit at a time.


Uber Agrees to Expanded Settlement with FTC Related to Privacy, Security Claims

Posted on April 12, 2018 at 3:20 PM

The Federal Trade Commission (FTC) settled with Uber Technologies over charges that the ride-sharing company deceived consumers about its privacy and data security practices. This follows the revelation, made after the announcement of last year's proposed settlement, that Uber had failed to disclose a significant breach of consumer data that occurred in 2016, during the FTC's investigation that led to the August 2017 settlement announcement. As a result, Uber will be subject to additional requirements. Among other things, the revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access to consumer information.

In the revised complaint, the FTC alleged:

• Uber learned in November 2016 that intruders had again accessed consumer data the company stored on its third-party cloud provider's servers by using an access key an Uber engineer had posted on a code-sharing website.

• Intruders used the access key to download from Uber's cloud storage unencrypted files that contained more than 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers of U.S. Uber drivers and riders.

• Uber paid the intruders $100,000 through its third-party "bug bounty" program and failed to disclose the breach to consumers or the Commission until November 2017.

• The bug bounty program was created to provide financial rewards to parties who responsibly disclose security vulnerabilities rather than those who maliciously exploit vulnerabilities to access consumers' personal information.

In addition to compelling Uber to disclose certain future incidents involving consumer data, the new provisions in the revised proposed order require Uber to:

• submit to the Commission all the reports from the required third-party audits of Uber's privacy program rather than only the initial such report; and

• retain certain records related to bug bounty reports regarding vulnerabilities that relate to potential or actual unauthorized access to consumer data.

The Commission vote to withdraw the original administrative complaint and proposed consent agreement and to issue the revised administrative complaint and to accept the revised proposed consent agreement was 2-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 14, 2018, after which the Commission will decide whether to make the proposed consent order final.

Interested parties can submit comments electronically by following the instructions in the "Invitation to Comment" part of the "Supplementary Information" section.

Read More:


Revised Complaint
