Uber Settles FTC Dispute Over Consumer Data Privacy and Security Allegations

Ballard Spahr LLP

There are several key takeaways from a 20-year proposed consent order agreed to by Uber Technologies, Inc. (Uber) and the Federal Trade Commission (FTC):

  • If you maintain sensitive information like precise geolocation data, you must protect it adequately whether you store it locally or in the cloud.

  • If you impose access controls, make sure that they are actually implemented.

  • If you describe your information-security practices to consumers, use precise language and not puffery.

The settlement addresses the FTC's claims that Uber misrepresented the extent to which it monitored its employees' access to personal information about riders and drivers, and that it took reasonable steps to secure that data—including through the use of cloud-based storage.

Employee Access to Consumer Personal Information

In 2014, multiple media sources reported that Uber employees had improper access to consumer data. In November 2014, Uber responded that it had "a strict policy prohibiting all employees at every level from accessing a rider or driver's data" and that "access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis."

The FTC complaint alleged that although Uber had developed an automated monitoring system for such employee access, the company did not follow up on automated alerts generated by the system in a timely fashion—and that it stopped using the system less than a year after it was put in place.

Database Security

The FTC also took issue with Uber's internal security measures in connection with its use of a third-party cloud storage service provider. In 2014, Uber used the Amazon Simple Storage Service (Amazon S3 Datastore) to store personal information, including full and partial backups of personal information, such as names, addresses, unique device identifiers, driver's license numbers and geolocation information.

In May 2014, an intruder was able to access unencrypted personal information stored in the Amazon S3 Datastore using an access key that one of Uber's engineers had publicly posted to a code-sharing website.

The FTC complaint alleged that Uber failed to provide reasonable security to prevent unauthorized access to personal information stored in the Amazon S3 Datastore by failing to:

  • require distinct access keys and instead utilizing a single access key that provided full administrative privileges for all data;

  • restrict access to systems based on employees' job functions;

  • require multifactor authentication;

  • implement reasonable security training and guidance; and

  • maintain a written information security program.

The FTC also alleged that Uber stored sensitive personal information in the Amazon S3 Datastore in clear, readable text, rather than encrypting the information.
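The deficiencies listed above (one key with full administrative privileges for all data, no scoping to job function, no multifactor requirement) are the kind of thing a policy audit can catch before a leaked key matters. The following Python is an added example, not code from the article or from Uber: it audits constructed IAM-style policy documents, and the bucket name, prefix and the SCOPED_POLICY are assumed samples.

```python
"""Audit an IAM-style policy document for the weaknesses the FTC complaint
lists: full administrative privileges over all data and no multifactor
authentication condition. Added example; the policy documents are
constructed samples, not anything recovered from Uber's environment."""
import json

# Constructed sample: one key, full admin on everything, no MFA condition.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: read-only, scoped to one backup prefix of one bucket
# (assumed names), and only honoured when the caller authenticated with MFA.
# Because the condition uses Bool rather than BoolIfExists, a long-term
# access key used on its own (no MFA claim at all) is denied, not allowed.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups",
                     "arn:aws:s3:::example-backups/rider-exports/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(document: str) -> list:
    """Return the findings for a policy document (an empty list means clean)."""
    findings = []
    for stmt in _as_list(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append("full administrative privileges (Action: *)")
        if "*" in resources:
            findings.append("applies to all data (Resource: *)")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get(
            "aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no multifactor authentication condition")
    return findings
```

Running `audit_policy` over both samples returns three findings for WEAK_POLICY and none for SCOPED_POLICY; a real review would additionally confirm bucket default encryption, which this check does not cover.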

Broad Statements

The FTC complaint alleged that, in light of the above deficient practices, certain public statements Uber made about its information security practices were deceptive. Specifically, Uber's privacy policy represented that it securely stored all personal information using "standard, industry-wide, commercially reasonable security practices." In addition, Uber's customer service representatives provided the following assurances to consumers:

  • "We use the most up to date technology and services to ensure that none of [your information is] compromised;"

  • "We're extra vigilant in protecting all private and personal information;" and

  • "All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available."

Settlement Terms

Under the terms of the proposed consent order, Uber is not required to pay a civil penalty, but the company will be:

  • prohibited from misrepresenting how it monitors internal access to personal information or how it secures personal information;

  • required to implement a comprehensive privacy program; and

  • required to obtain independent, third-party audits every two years for the next 20 years.

A comprehensive privacy program that complies with the FTC's expectations will require Uber to implement numerous security controls and procedures, including:

  • designating an employee or employees to be responsible for the privacy program;

  • identifying reasonably foreseeable risks and conducting an assessment of the sufficiency of any safeguards in place, including, at a minimum, risks associated with employee training and product design;

  • designing and implementing reasonable controls and procedures to address the risks;

  • performing regular testing and monitoring of the effectiveness of those controls and procedures;

  • developing and using reasonable steps to select and retain service providers capable of appropriately protecting the privacy of the personal information they receive from Uber and requiring, by contract, that service providers implement and maintain appropriate privacy protections; and

  • evaluating and adjusting the privacy program based on the results of the testing and monitoring.

The Uber settlement serves as a reminder that storing personal information through a third-party service provider does not relieve a company of its independent obligation to ensure the security of that data—even if that provider is a reputable company that is not alleged to have violated any of its duties. In this sense, the settlement demonstrates that a company cannot outsource its information security obligations simply by storing personal information through a trusted cloud service.

The settlement is also a reminder that—regardless of size or sophistication—every company that collects personal information must be aware of the contents of its public-facing privacy policy and ensure that the company adheres to any security representations in that policy. As stated by Maureen K. Ohlhausen, acting Chair of the FTC, "This case shows that, even if you're a fast-growing company, you can't leave consumers behind: you must honor your privacy and security promises."


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
