The Risks of Overpromising and Underperforming

Demonstrating its authority over all things cybersecurity, the Federal Trade Commission (FTC) announced that it has entered into a proposed consent order with Uber for the company's alleged false statements regarding the security of customer data and its failure to safeguard against data breaches going back to 2014. The consequences include a twenty year auditing program, designed to ensure compliance with the FTC's privacy requirements. This settlement is notable not only for its length and scope, but because it confirms the FTC's ability to punish what it considers to be lax data security practices.

In this case, the FTC's complaint alleged that Uber deceived consumers by failing to monitor employee access to consumers' personal information and by failing to reasonably secure sensitive consumer data stored in the cloud. In 2014, there were media reports that Uber employees were improperly accessing customer information including names, addresses, and other personally identifiable information ("PII"). In fact, Uber employees could make use of "God Mode," an access status that permitted users to view, in real-time, the physical location of Uber customers. Responding to those claims, Uber publicly stated that it had a "strict" policy prohibiting that kind of conduct, but that the company would take care to closely monitor employee conduct in the future to avoid reoccurrences. To that end, Uber instituted a monitoring system that would track employee access to consumer PII.

The problem, from the FTC's perspective, was that Uber stopped using the monitoring program within a year, and apparently only monitored access to PII intermittently thereafter. An analysis of the proposed consent order stated, “From approximately August 2015 until May 2016, [Uber] did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period, [Uber] only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives. During this time, [Uber] did not otherwise monitor internal access to personal information unless an employee specifically reported that a co-worker had engaged in inappropriate access.”

Stated differently, no one was watching the watchers.

Additionally, the FTC alleges that Uber failed to securely store information in its databases, despite explicit promises to that effect. Instead, the FTC contended that Uber had not implemented a reasonable security protocol to prevent unauthorized access to both its customers' and its drivers' PII maintained in cloud storage.

Uber's failure to take reasonable steps to prevent data breaches was of substantial concern to the Commission. Specifically, the administrative complaint states that Uber did not require engineers and programmers to use distinct keys to access cloud-based PII. Instead access was permitted via a single key that granted indiscriminate administrative access to all the data. Uber also failed to require multi-factor authentication which itself was not encrypted when stored in the cloud.

Pursuant to the proposed consent order, Uber is:    

• prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
• prohibited from misrepresenting how it protects and secures data;
• required to implement a comprehensive privacy program addressing privacy risks related to new and existing products and services. The same must aim to protect the privacy and confidentiality of personal information collected by the company; and
• required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.

Uber is not likely to make the same mistake twice---when LifeLock, an identity theft protection company, failed to comply with a similar order in 2015, the FTC issued a $100 million fine. The proposed settlement is subject to public comment for 30 days, after which the Commission will likely render the order final.

This settlement presents valuable lessons for clients.

First, it further demonstrates the importance of implementing the "low hanging fruits" of data security---strong passwords, strong access control, and comprehensive data management. Combined these factors highlight how seriously companies address privacy concerns. Individual access keys---like strong passwords---can substantially deter unlawful access to data and cost nothing. In the Commission's view, it seems, a failure to implement these generally simple safeguards is a de facto admission that a company has fallen short of minimum standards.

Second, the order is consistent with FTC's longstanding role as watchdog over representations made to consumers. Uber promised that it was monitoring who accessed customer PII and that it had a robust security system in place, but failed to live up to its promises. That, alone, can be a potential source of liability. Follow-through is absolutely essential when it comes to data security, not only because it helps keep hackers at bay, but because it ensures that the FTC (or a plaintiff in a civil suit) cannot as easily contend that a company has engaged in an unfair business practice or ignored a known risk. In the same manner, companies must thoughtfully decide who may access certain information and for what purposes. Minimally, companies should thoroughly scrutinize whether policies like "God Mode" do more harm than good.

Finally, the scope of the settlement is revealing because it shows how broad of a view the FTC takes regarding its role in enforcing data security. The 20-year audit period imposed is substantial, particularly given that Uber itself is only eight years old. FTC clearly believes that its status as primary enforcer of data security standards is here to stay. As Acting Chair of the FTC, Maureen Ohlhausen said, "Companies will be held accountable for their promises...this is the only way we can foster true competition on privacy practices in the marketplace." As such, clients should work closely with counsel to craft data security policies and procedures that account for the evolving standards and regulations promulgated by the Commission.

If nothing else, the proposed settlement is additional evidence that developing a "datasmart" approach to information management is a necessity, and not simply an option.