Uber Enters Into Settlement Regarding May 2014 Data Breach, Halting New York Attorney General’s Investigation Into Uber’s Geo-location Information Practices

King & Spalding

On Wednesday, January 6, 2016, New York’s Attorney General announced a settlement with Uber Technologies, Inc. (“Uber”), which requires the company to institute a number of practices intended to increase the data privacy of its customers.  In exchange, the Attorney General has agreed to stop his office’s investigation of Uber’s geo-location data practices.

Uber owns and operates a service that allows customers (“riders”) to use their cellular phones to summon people (“drivers”) to drive them places.  Uber collects various types of information from riders and drivers, such as names, e-mail addresses, driver’s license numbers, and geographic locations (“geo-locations”).

In September 2014, Uber discovered that it had suffered a data breach in May 2014 involving the names and driver’s license numbers of Uber drivers.  The company did not notify the Attorney General or the affected drivers until February 26, 2015.  The Attorney General maintained that Uber knowingly or recklessly violated New York General Business Law § 899-aa(2)’s requirement that Uber disclose such breaches “in the most expedient time possible and without unreasonable delay.”

In the settlement announced last week, Uber first agreed to pay $20,000 in costs and penalties.  Second, the company agreed to implement the following policies, practices, and procedures (to the extent that it had not done so already):

  • Designate an employee or employees to coordinate and supervise Uber’s program to protect the privacy and security of private information;
  • Train employees annually to, at a minimum, inform employees who are responsible for handling private information about Uber’s data security practices, the importance of consumer privacy, and the employees’ duty to help maintain its integrity;
  • Adopt protective technologies for the storage, access, and transfer of private information and credentials related to its access, including multi-factor authentication or similarly protective access control methodologies that may in future be developed;
  • Assess regularly the effectiveness of its internal controls and procedures related to the securing of private information and geo-location information and the implementation of updates to such controls based on those assessments; and
  • Respond to events involving unauthorized acquisition, access, use, or disclosure of private information, including training all appropriate staff on data breach notification laws.

Third, Uber consented to another set of reforms connected to the Attorney General’s investigation of how Uber collects, maintains, and uses the geo-location data captured by its application. Specifically, Uber agreed to:

  • Maintain and store in a password-protected environment, and encrypt when in transit where feasible, WiFi, cell-based, or GPS-based location information from a mobile device using the device’s location services and that is associated with other information that identifies a specific individual or a device;
  • Limit access to geo-location information to designated employees with a legitimate business purpose, and enforce this limitation through technical access controls and a formal authorization and approval or permissions process;
  • Maintain a separate section in Uber’s consumer-facing privacy policy describing its policies regarding geo-location information collected from riders; and
  • Inform the New York Attorney General if Uber adopts the practice of collecting geo-location information from the rider Uber app when the app is not open in the foreground and any proposed additional notice and choice mechanism for such collection.

In exchange, the Attorney General agreed to stop the investigation of Uber’s geo-location data practices.  The Attorney General, however, reserved the right to resume the investigation if Uber breaches or voids the settlement.  A copy of the settlement is available here.

Reporter, Barrett R. H. Young, Washington, D.C., +1 202 626 2928, bryoung@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
