Key New Takeaways from Uber’s Privacy and Data Security Settlement with the FTC

by Wilson Sonsini Goodrich & Rosati

On August 15, 2017, the Federal Trade Commission (FTC) announced that it had reached an agreement with Uber Technologies to settle allegations that the ride-sharing company had deceived consumers by failing to live up to its privacy and data security promises.1 Specifically, the FTC levied two deception counts against Uber: (1) that the company had failed to consistently monitor and audit internal access to consumers’ personal information, despite public promises to do so; and (2) that the company had failed to provide reasonable security for consumers’ personal information stored in its databases, despite its security promises. Under the resulting proposed consent order, Uber will be prohibited from misrepresenting how it monitors or audits internal access to consumers’ personal information and how it protects and secures that data. Uber will also be required to implement a comprehensive privacy program that will be subject to independent biennial audits for the next 20 years, and will need to comply with the standard set of consent order recordkeeping and compliance reporting and monitoring requirements.

On its face, the FTC’s complaint and resulting settlement with Uber may seem fairly straightforward: if you make privacy and security promises, but do not keep them, the FTC will come after you. But, as with many FTC privacy and security cases, the devil is in the details, and there are a couple of notable takeaways that may not be apparent to those not steeped in the intricacies of FTC actions and settlements. First, the FTC has reached beyond privacy policy statements to support deception claims by relying on press statements released in the aftermath of negative news coverage and statements made by customer service representatives to individual customers. Second, the FTC has taken steps for the first time to delineate what is reasonable security for a popular cloud-based storage service. Before we examine these takeaways in more detail, some background on the facts of the FTC’s case is warranted.

Background

Uber’s issues with the FTC date back to November 2014, when the company was the subject of numerous negative press reports alleging that employees improperly accessed and used customers’ personal information, and in particular their geolocation information, to investigate the personal lives of journalists through the use of an internal tracking tool called “God View.”2 In an effort to quell the considerable consumer uproar stemming from these reports, Uber issued a public statement promising “that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action.”3

Also in 2014, Uber experienced a data breach affecting the names and driver’s license numbers of about 110,000 Uber drivers, although the breach was not disclosed until early 2015 to about half the drivers, and in mid-2016 to the other half.4 The breach also affected the Social Security numbers and bank account and routing numbers of hundreds of drivers. According to the FTC’s complaint, the breach occurred because an Uber engineer had posted the company’s Amazon Web Services (AWS) Simple Storage Service (S3) Datastore access key to GitHub, a code-sharing site commonly used by developers. An intruder then used that key to access an unencrypted file that contained the compromised information in May 2014. Uber discovered the breach in September 2014, at which point it took steps to prevent further unauthorized access.

Uber’s settlement with the FTC to resolve these issues may sound familiar, as Uber entered into a very similar settlement with the New York Attorney General’s office on January 6, 2016, over essentially the same set of circumstances.5 That settlement required Uber to implement and maintain a number of specific data security practices, including encrypting and limiting employee access to geolocation information, and required Uber to pay a $20,000 penalty for failing to provide timely notice of the breach to affected drivers. The Assurance of Discontinuance that details the settlement, however, provides little to explain the basis for that settlement other than the failure to timely notify drivers of the breach. The FTC complaint contains more detail and offers some interesting and important takeaways for any company collecting consumer information, not just those collecting geolocation information.

FTC’s Expanding Scope of Potentially Deceptive Privacy and Security Statements

The first count of the complaint, which deals with employee access to user accounts, such as through the “God View” tool,6 contains the FTC’s first apparent expansion of the scope of the privacy and security statements that it will take into consideration for deception cases. The FTC alleges that Uber’s reactive public promises, issued in the wake of negative press coverage, to closely monitor and audit access to rider and driver accounts were false or misleading. According to the complaint, this is because Uber did not always consistently follow through with these promises. Specifically, the complaint alleges that while Uber developed an automated system to monitor employee access to consumer personal information in December 2014, the company ceased using the system in August 2015 and began to develop a new automated monitoring system. In the meantime, the complaint alleges that the company did not timely follow up on automated alerts concerning the potential misuse of consumer information between August 2015 and May 2016, and only monitored access to certain high-profile user accounts, such as those of Uber executives, during a portion of this gap period.

The key takeaway here is that a company’s public relations strategy must take into account potential FTC liability for deception. Companies are often under significant pressure to respond to negative news coverage by issuing statements that make significant promises of improvements. Of course, there are valid brand-management reasons to be very assertive in reactive press statements. The FTC’s reliance on these reactive press statements in the Uber case, however, makes clear that a public relations strategy has to be married to a compliance commitment. Without a formal structure in place to ensure that promises made in reactive press statements are met, not just initially when the press coverage is acute, but over the long term as well, then a company risks FTC liability for misrepresentation. Companies are certainly used to ensuring that they comply with their commitments in privacy policies, as a result of years of FTC enforcement of those promises. Now the compliance task is broader.

The second expansion of the scope of the privacy and security statements that the FTC will take into consideration for deception cases appears in the second count of its complaint, which addresses Uber’s data security practices with respect to the company’s AWS S3 Datastore. Specifically, the complaint relies not just on statements made in Uber’s privacy policy, but also on security assurances offered by the company’s customer service representatives. This appears to be the first time that the FTC has based a deception claim on statements made by customer service representatives to consumers who were reluctant to provide the company with their personal information. Specifically, the complaint cites assurances such as “we’re extra vigilant in protecting all private and personal information,” “[a]ll of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available,” and “[w]e use the most up to date technology and services to ensure that none of these are compromised.”

One of the key takeaways here is that companies should pay attention to the privacy and security representations being made by their customer service representatives. More specifically, companies should monitor and train their customer service representatives to keep their representations in line with the company’s privacy policy and approved privacy and security statements. With the FTC’s complaint against Uber, it is clear that the agency will be looking at those representations during an investigation and will hold the company to account for misleading statements made by its representatives.

Reasonable Security Practices for Cloud-Based Storage Services

The other major point of interest in the second count of the FTC’s complaint is that it is the first time that the FTC has alleged specific unreasonable practices in connection with a cloud-based storage service, in this case the popular AWS S3 Datastore. Specifically, the FTC cited as unreasonable: (1) using a single access key with full administrative privileges for the AWS S3 Datastore rather than requiring programs and engineers to use distinct access keys; (2) failing to limit employee access based on the employee’s job functions; (3) failing to require the use of multi-factor authentication to access the datastore; and (4) storing sensitive personal information in clear, readable text, including in database backups and prune files, rather than encrypting the information. More broadly, the FTC also cited a failure to implement reasonable security training and guidance, and a failure to have a written information security program. The FTC contended that Uber could have prevented or mitigated these failings through the use of relatively low-cost measures.

The practical security takeaways from this count are significant. Securing access to AWS S3 Datastores that hold sensitive consumer information is incredibly important. A great number of companies use these datastores for projects, but many take only minimal steps to keep them safe. While using a single, shared AWS key may work for certain small startups or small projects, the FTC will likely view limiting employee access and using distinct access keys to be essential as the company or project grows. Also, the FTC will likely consider persistent threats of account credential compromise through phishing attacks to require the use of multi-factor authentication wherever available. Finally, the FTC is likely to argue that companies should utilize secure encryption technology whenever storing sensitive consumer information, particularly if a breach of that information would trigger a requirement to send data breach notifications (as was the case for Uber).
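The four practices the FTC cited lend themselves to a mechanical check. The following is an added example, not code from this update, the FTC or Uber: it audits a constructed snapshot of an S3 deployment (made-up principals, bucket names, job-to-prefix mapping and finding ids) and flags each of the four cited failings, then shows the same check passing on a hardened configuration.

```python
"""Audit a constructed snapshot of an S3 deployment against the four
practices the FTC called unreasonable. Every principal, bucket and
job-to-prefix mapping below is made up for illustration."""

# Assumed mapping of job function to the S3 prefixes that job needs.
JOB_ALLOWED_PREFIXES = {
    "driver-onboarding": ["driver-docs/"],
    "analytics": ["trips/"],
}

def is_admin_statement(stmt):
    """True when a policy statement grants unrestricted S3 access."""
    return "s3:*" in stmt["Action"] and stmt["Resource"] == "*"

def has_mfa_condition(stmt):
    """True when the statement only applies to MFA-authenticated callers."""
    cond = stmt.get("Condition", {})
    return cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"

def audit(principals, buckets):
    """Return sorted finding ids, numbered after the FTC's four points."""
    findings = set()
    for p in principals:
        allowed = JOB_ALLOWED_PREFIXES.get(p["job"], [])
        for stmt in p["policy"]:
            res = stmt["Resource"]
            # (1) one full-admin key shared by several programs or engineers
            if is_admin_statement(stmt) and len(p["key_users"]) > 1:
                findings.add("1-shared-admin-key")
            # (2) access not limited to what the job function needs
            if res == "*" or not any(res.endswith(pre + "*") for pre in allowed):
                findings.add("2-not-job-scoped")
            # (3) S3 access granted without requiring MFA
            if not has_mfa_condition(stmt):
                findings.add("3-no-mfa")
    for b in buckets:
        # (4) sensitive data, including backups, stored without encryption
        if not b["default_encryption"] or any(not o["sse"] for o in b["objects"]):
            findings.add("4-cleartext-sensitive-data")
    return sorted(findings)

# Constructed "before": one shared admin key, unencrypted bucket.
BEFORE = [{"name": "shared-deploy-key", "job": "analytics",
           "key_users": ["ci-pipeline", "alice", "bob"],
           "policy": [{"Action": ["s3:*"], "Resource": "*"}]}]
BUCKETS_BEFORE = [{"name": "rider-data", "default_encryption": False,
                   "objects": [{"key": "backups/db.sql", "sse": False}]}]
# Constructed "after": one scoped, MFA-gated key per engineer, SSE on.
AFTER = [{"name": "alice", "job": "analytics", "key_users": ["alice"],
          "policy": [{"Action": ["s3:GetObject"],
                      "Resource": "arn:aws:s3:::rider-data/trips/*",
                      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}]
BUCKETS_AFTER = [{"name": "rider-data", "default_encryption": True,
                  "objects": [{"key": "backups/db.sql", "sse": True}]}]

if __name__ == "__main__":
    print(audit(BEFORE, BUCKETS_BEFORE))  # all four findings
    print(audit(AFTER, BUCKETS_AFTER))    # []
```

The `aws:MultiFactorAuthPresent` condition key is a real IAM key; the snapshot format itself is a simplification, not the output of any AWS API.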

The FTC’s settlement with Uber also furthers the agency’s view that companies should document their information security practices and provide adequate training to their employees to make sure those practices are followed. While these principles are not new to the FTC’s settlement with Uber, their appearance in the complaint is a reminder that the agency continues to view them as important even under new leadership.

Conclusion

While perhaps not apparent on its surface, the FTC’s recent settlement with Uber treads new ground and offers important privacy and data security takeaways. The FTC’s privacy allegations against Uber make clear that companies need to prevent compliance gaps from occurring in their privacy promises, including promises made in press statements. Additionally, the FTC’s data security allegations set the stage for future enforcement actions where companies fail to adequately secure their AWS S3 Datastores, and flag the agency’s new willingness to bring in security promises made by customer service representatives to support its deception claims. Companies would do well to review their existing privacy and security practices with these takeaways in mind to avoid winding up at the wrong end of a 20-year FTC consent order.

1 Press Release, FTC, “Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims,” August 15, 2017, https://www.ftc.gov/news-events/press-releases/2017/08/uber-settles-ftc-allegations-it-made-deceptive-privacy-data.

2 See, e.g., Ben Smith, “Uber Executive Suggests Digging Up Dirt On Journalists,” BuzzFeed News, November 17, 2014, https://www.buzzfeed.com/bensmith/uber-executive-suggests-digging-up-dirt-on-journalists; Johana Bhuiyan & Charlie Warzel, “God View: Uber Investigates Its Top New York Executive For Privacy Violations,” BuzzFeed News, November 18, 2014, https://www.buzzfeed.com/johanabhuiyan/uber-is-investigating-its-top-new-york-executive-for-privacy.

3 Uber’s Data Privacy Policy, Uber Newsroom, November 18, 2014, https://newsroom.uber.com/ubers-data-privacy-policy/.

4 Uber Statement, Uber Newsroom, February 27, 2015, https://newsroom.uber.com/uber-statement/; Uber Statement Update, Uber Newsroom, June 17, 2016, https://newsroom.uber.com/statement-update/.

5 Press Release, New York State Office of the Attorney General, “A.G. Schneiderman Announces Settlement with Uber to Enhance Rider Privacy,” January 6, 2016, https://ag.ny.gov/press-release/ag-schneiderman-announces-settlement-uber-enhance-rider-privacy.

6 FTC Complaint, In the Matter of Uber Technologies, Inc., https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
