Uber enters settlement after FTC alleges deceptive data privacy claims: 6 things to know

Jessica Kim Cohen

San Francisco-based Uber Technologies will implement a comprehensive privacy program as part of a settlement to resolve Federal Trade Commission allegations it made deceptive privacy and data security claims.

Here are six things to know.

1. In November 2014, Uber responded to news reports alleging employees improperly accessed consumer data by issuing a statement that it had a "strict policy prohibiting" employees from accessing consumer and driver data. The statement said employee access would be monitored on an ongoing basis.

2. Uber developed an automated system to monitor employee access to personal information in December 2014. However, the FTC said the company stopped using it less than a year after it was deployed. The FTC alleges Uber rarely monitored access to personal information for more than nine months afterward.

3. In its complaint, the FTC alleged Uber misrepresented the extent to which it monitored employees' access to consumer and driver data. It also alleged the company failed to deploy reasonable, low-cost measures to secure personal information stored with a third-party cloud provider.

The FTC noted Uber did not require engineers or programmers to use distinct access keys for personal information. Instead, Uber provided employees with a single key that gave full administrative access to all personal data.

4. In May 2014, an unauthorized individual accessed personal information related to Uber drivers, including more than 100,000 names and driver's license numbers, from a database operated by Amazon Web Services. The FTC alleged Uber did not take measures that could have prevented the breach.

5. Under the settlement, Uber is prohibited from misrepresenting how it monitors internal access to consumers' personal information; prohibited from misrepresenting how it protects and secures that data; required to implement a comprehensive privacy program; and required to obtain independent, third-party audits.

"This case shows that, even if you're a fast growing company, you can't leave consumers behind: you must honor your privacy and security promises," said FTC Acting Chairman Maureen K. Ohlhausen.

6. The agreement is subject to public comment through Sept. 15, after which the FTC will decide whether to finalize the proposed consent order.


© Copyright ASC COMMUNICATIONS 2020.