17 April 2018

FTC Revises Settlement Agreement In Cyber Breach Incident

Cadwalader, Wickersham & Taft LLP


Cadwalader, established in 1792, serves a diverse client base, including many of the world's leading financial institutions, funds and corporations. With offices in the United States and Europe, Cadwalader offers legal representation in antitrust, banking, corporate finance, corporate governance, executive compensation, financial restructuring, intellectual property, litigation, mergers and acquisitions, private equity, private wealth, real estate, regulation, securitization, structured finance, tax and white collar defense.

The Federal Trade Commission ("FTC") filed a revised Complaint against Uber Technologies, Inc. ("Uber"), alleging that the company failed to disclose a significant breach of customer data that occurred in 2016 while still in negotiation with regulators regarding its mishandling of an earlier data breach incident from 2014. Uber has agreed to expand the proposed settlement agreement with the FTC.

In the initial Complaint, the FTC alleged that Uber misled consumers about its privacy and data security practices. According to the FTC, during the investigation Uber learned that its third-party cloud provider's servers had been subject to a significant data breach. The FTC revised its complaint to charge that Uber failed to disclose this new information to the FTC or its customers. Allegedly, the intruders were able to download an estimated "25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers of U.S. Uber drivers and riders." The FTC also charged that Uber failed to disclose that it had paid the intruders $100,000 to delete the compromised data through its third-party "bug bounty" program.

Under the expanded settlement, Uber would be required to (i) submit all reports regarding third-party audits of its privacy program and (ii) retain records concerning its "bug bounty" reports on vulnerabilities for unauthorized access to consumer data.

The revised consent agreement will be published in the Federal Register. Comments concerning the agreement are open until May 14, 2018.

Commentary / Joseph V. Moreno

The FTC's characterization of Uber's handling of its second major data breach in two years as "misconduct" shows that regulators will have little tolerance for companies that are seen as failing to adequately safeguard their customers' personal information. Even the fact that Uber paid a $100,000 ransom to its attackers is effectively being held against the company, essentially putting the FTC in a "blame the victim" posture. The terms and conditions of Uber's settlement with the FTC will now be more onerous and expensive, and will no doubt keep the company under the close skeptical eye of regulators for years to come. This latest development in Uber's battle with the FTC illustrates not only the importance of preventing a cybersecurity incident in the first instance, but also how essential it is for a company to adequately identify and disclose a data breach to its customers if the worst in fact happens.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
