Member News

Key New Takeaways from Uber’s Privacy and Data Security Settlement with the FTC

BY

On August 15, 2017, the Federal Trade Commission (FTC) announced that it had reached an agreement with Uber Technologies to settle allegations that the ride-sharing company had deceived consumers by failing to live up to its privacy and data security promises.1

Specifically, the FTC levied two deception counts against Uber: (1) that the company had failed to consistently monitor and audit internal access to consumers’ personal information, despite public promises to do so; and (2) that the company had failed to provide reasonable security for consumers’ personal information stored in its databases, despite its security promises. Under the resulting proposed consent order, Uber will be prohibited from misrepresenting how it monitors or audits internal access to consumers’ personal information and how it protects and secures that data. Uber will also be required to implement a comprehensive privacy program that will be subject to independent biennial audits for the next 20 years, and will need to comply with the standard set of consent order recordkeeping and compliance reporting and monitoring requirements.

On its face, the FTC’s complaint and resulting settlement with Uber may seem fairly straightforward: if you make privacy and security promises, but do not keep them, the FTC will come after you. But, as with many FTC privacy and security cases, the devil is in the details, and there are a couple of notable takeaways that may not be apparent to those not steeped in the intricacies of FTC actions and settlements. First, the FTC has reached beyond privacy policy statements to support deception claims by relying on press statements released in the aftermath of negative news coverage and statements made by customer service representatives to individual customers. Second, the FTC has taken steps for the first time to delineate what is reasonable security for a popular cloud-based storage service. Before we examine these takeaways in more detail, some background on the facts of the FTC’s case is warranted.

Background

Uber’s issues with the FTC date back to November 2014, when the company was the subject of numerous negative press reports alleging employees improperly accessed and used customer’s personal information, and in particular their geolocation information, to investigate the personal lives of journalists through the use of an internal tracking tool called “God View.”2 In an effort to quell the considerable consumer uproar stemming from these reports, Uber issued a public statement promising “that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action.”3

Also in 2014, Uber experienced a data breach affecting the names and driver’s license numbers of about 110,000 Uber drivers, although the breach was not disclosed until early 2015 to about half the drivers, and in mid-2016 to the other half.4 The breach also affected the Social Security numbers and bank account and routing numbers of hundreds of drivers. According to the FTC’s complaint, the breach was caused because an Uber engineer had posted the company’s Amazon Web Services (AWS) Simple Storage Service (S3) Datastore access key to GitHub, a code-sharing site commonly used by developers. An intruder then used that key to access an unencrypted file that contained the compromised information in May 2014. Uber discovered the breach in September 2014, at which point it took steps to prevent further unauthorized access.

Uber’s settlement with the FTC to resolve these issues may sound familiar, as Uber entered into a very similar settlement with the New York Attorney General’s office on January 6, 2016, over essentially the same set of circumstances.5 That settlement required Uber to implement and maintain a number of specific data security practices, including encrypting and limiting employee access to geolocation information, and required Uber to pay a $20,000 penalty for failing to provide timely notice of the breach to affected drivers. The Assurance of Discontinuance that details the settlement, however, provides little to explain the basis for that settlement other than the failure to timely notify drivers of the breach. The FTC complaint contains more detail and offers some interesting and important takeaways for any company collecting consumer information, not just those collecting geolocation information.

FTC’s Expanding Scope of Potentially Deceptive Privacy and Security Statements

The first count of the complaint, which deals with employee access to user accounts, such as through the “God View” tool,6 contains the FTC’s first apparent expansion of the scope of the privacy and security statements that it will take into consideration for deception cases. The FTC alleges that Uber’s reactive public promises, issued in the wake of negative press coverage, to closely monitor and audit access to rider and driver accounts were false or misleading. According to the complaint, this is because Uber did not always consistently follow through with these promises. Specifically, the complaint alleges that while Uber developed an automated system to monitor employee access to consumer personal information in December 2014, the company ceased using the system in August 2015 and began to develop a new automated monitoring system. In the meantime, the complaint alleges that the company did not timely follow up on automated alerts concerning the potential misuse of consumer information between August 2015 and May 2016, and only monitored access to certain high-profile user accounts, such as those of Uber executives, during a portion of this gap period.

The key takeaway here is that a company’s public relations strategy must take into account potential FTC liability for deception. Companies are often under significant pressure to respond to negative news coverage by issuing statements that make significant promises of improvements. Of course, there are valid brand-management reasons to be very assertive in reactive press statements. The FTC’s reliance on these reactive press statements in the Uber case, however, makes clear that a public relations strategy has to be married to a compliance commitment. Without a formal structure in place to ensure that promises made in reactive press statements are met, not just initially when the press coverage is acute, but over the long term as well, then a company risks FTC liability for misrepresentation. Companies are certainly used to ensuring that they comply with their commitments in privacy policies, as a result of years of FTC enforcement of those promises. Now the compliance task is broader.

The second expansion of the scope of the privacy and security statements that the FTC will take into consideration for deception cases appears in the second count of its complaint, which addresses Uber’s data security practices with respect to the company’s AWS S3 Datastore. Specifically, the complaint relies not just on statements made in Uber’s privacy policy, but also on security assurances offered by the company’s customer service representatives. This appears to be the first time that the FTC has based a deception claim on statements made by customer service representatives to consumers who were reluctant to provide the company with their personal information. Specifically, the complaint cites assurances such as “we’re extra vigilant in protecting all private and personal information,” “[a]ll of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available,” and “[w]e use the most up to date technology and services to ensure that none of these are compromised.”

One of the key takeaways here is that companies should pay attention to the privacy and security representations being made by their customer service representatives. More specifically, companies should monitor and train their customer services representatives to keep their representations in line with the company’s privacy policy and approved privacy and security statements. With the FTC’s complaint against Uber, it is clear that the agency will be looking at those representations during an investigation and will hold the company to account for misleading statements made by its representatives.

Reasonable Security Practices for Cloud-Based Storage Services

The other major point of interest in the second count of the FTC’s complaint is that it is the first time that the FTC has alleged specific unreasonable practices in connection with a cloud-based storage service, in this case the popular AWS S3 Datastore. Specifically, the FTC cited as unreasonable: (1) using a single access key with full administrative privileges for the AWS S3 Datastore rather than requiring programs and engineers to use distinct access keys; (2) failing to limit employee access based on the employee’s job functions; (3) failing to require the use of multi-factor authentication to access the datastore; and (4) storing sensitive personal information in clear, readable text, including in database backups and prune files, rather than encrypting the information. More broadly, the FTC also cited a failure to implement reasonable security training and guidance, and a failure to have a written information security program. The FTC contended that Uber could have prevented or mitigated these failings through the use of relatively low-cost measures.

The practical security takeaways from this count are significant. Securing access to AWS S3 Datastores that hold sensitive consumer information is incredibly important. A great number of companies use these datastores for projects, but many take only minimal steps to keep them safe. While using a single, shared AWS key may work for certain small startups or small projects, the FTC will likely view limiting employee access and using distinct access keys to be essential as the company or project grows. Also, the FTC will likely consider persistent threats of account credential compromise through phishing attacks to require the use of multi-factor authentication wherever available. Finally, the FTC is likely to argue that companies should utilize secure encryption technology whenever storing sensitive consumer information, particularly if a breach of that information would trigger a requirement to send data breach notifications (as was the case for Uber).

The FTC’s settlement with Uber also furthers the agency’s view that companies should document their information security practices and provide adequate training to their employees to make sure those practices are followed. While these principles are not new to the FTC’s settlement with Uber, their appearance in the complaint is a reminder that the agency continues to view them as important even under new leadership.

Conclusion

While perhaps not apparent on its surface, the FTC’s recent settlement with Uber treads new ground and offers important privacy and data security takeaways. The FTC’s privacy allegations against Uber make clear that companies need to prevent compliance gaps from occurring in their privacy promises, including promises made in press statements. Additionally, the FTC’s data security allegations set the stage for future enforcement actions where companies fail to adequately secure their AWS S3 Datastores, and flag the agency’s new willingness to bring in security promises made by customer service representatives to support their deception claims. Companies would do well to review their existing privacy and security practices with these takeaways in mind to avoid winding up at the wrong end of a 20-year FTC consent order.

1 Press Release, FTC, “Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims,” August 15, 2017, https://www.ftc.gov/news-events/press-releases/2017/08/uber-settles-ftc-allegations-it-made-deceptive-privacy-data.

2 See, e.g., Ben Smith, “Uber Executive Suggests Digging Up Dirt On Journalists,” BuzzFeed News, November 17, 2014, https://www.buzzfeed.com/bensmith/uber-executive-suggests-digging-up-dirt-on-journalists; Johana Bhuiyan & Charlie Warzel, “God View: Uber Investigates Its Top New York Executive For Privacy Violations,” BuzzFeed News, November 18, 2014, https://www.buzzfeed.com/johanabhuiyan/uber-is-investigating-its-top-new-york-executive-for-privacy.

3 Uber’s Data Privacy Policy, Uber Newsroom, November 18, 2014, https://newsroom.uber.com/ubers-data-privacy-policy/.

4 Uber Statement, Uber Newsroom, February 27, 2015, https://newsroom.uber.com/uber-statement/; Uber Statement Update, Uber Newsroom, June 17, 2016, https://newsroom.uber.com/statement-update/.

5 Press Release, New York State Office of the Attorney General, “A.G. Schneiderman Announces Settlement with Uber to Enhance Rider Privacy,” January 6, 2016, https://ag.ny.gov/press-release/ag-schneiderman-announces-settlement-uber-enhance-rider-privacy.

6 FTC Complaint, In the Matter of Uber Technologies, Inc., https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf.

Compliments of WSGR, an EACCNY member company