Perhaps the easiest way for a business to find itself on a collision course with the Federal Trade Commission (FTC) is to make deceptive claims about its privacy and cybersecurity practices. Earlier this month, Uber agreed to a settlement with the FTC for doing just that.
In November of 2014, news reports alleged that Uber employees were accessing and using consumers’ personal information (including geolocation data). These reports described Uber’s internal tracking tool, known as “God View,” which displayed the personal information of Uber’s consumers in real time, and was used by Uber employees to track celebrities, politicians, and reporters. Other news reports revealed that an Uber executive suggested that the company should hire “opposition researchers” and journalists to look into the personal lives of journalists who were critical of Uber.
In response to these news reports, Uber said that it “has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data,” except for “a limited set of legitimate business purposes.” It also stated that employee access to consumer personal information “is being closely monitored and audited by security specialists on an ongoing basis.”
According to the FTC’s complaint, Uber failed to closely monitor and audit internal access to consumers’ personal information on an ongoing basis, and failed to respond in a timely fashion to alerts of potential misuse of consumer personal information. Therefore, Uber’s statements to the contrary were false or misleading, and thus in violation of Section 5(a) of the FTC Act (which prohibits unfair or deceptive acts or practices).
The FTC’s complaint also alleged that Uber made additional false or misleading statements about the cybersecurity measures it took to safeguard consumers’ personal information.
Uber failed to live up to these statements in multiple ways. According to the complaint, Uber stored consumers’ personal information on an Amazon Web Services (AWS) cloud, and failed to implement proper access controls to protect consumers’ data stored on the cloud. Specifically, Uber did not require its engineers and programmers to use unique access keys to access the consumer data stored on the cloud. Rather, Uber allowed them to use a single access key that provided full administrative privileges over all of the data. In addition, Uber did not require multifactor authentication to access the data, and did not encrypt it.
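The three access-control failings the complaint lists (one shared full-administrator key, no multifactor authentication, no encryption) are all visible in an IAM policy document, which makes them cheap to audit. The following is an added example, not code from the article or from Uber: a small Python audit that flags a policy granting `"*"` on `"*"`, an Allow statement with no `aws:MultiFactorAuthPresent` condition, and the absence of a Deny that forces server-side encryption on `s3:PutObject`. The two policies and the bucket name `example-rider-data` are constructed for illustration.

```python
"""Audit an IAM policy document for the weaknesses described above.

Added example; the policies are constructed and do not come from the complaint.
"""
import json

FULL_ADMIN = "*"


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if the statement only applies when the caller authenticated with MFA."""
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    return str(bool_cond.get("aws:MultiFactorAuthPresent")).lower() == "true"


def _denies_unencrypted_put(statement):
    """True for the standard pattern: Deny s3:PutObject when no SSE header is present."""
    if statement.get("Effect") != "Deny":
        return False
    if "s3:PutObject" not in _as_list(statement.get("Action")):
        return False
    null_cond = statement.get("Condition", {}).get("Null", {})
    return str(null_cond.get("s3:x-amz-server-side-encryption")).lower() == "true"


def audit_policy(policy):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    findings = []
    statements = _as_list(policy.get("Statement"))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if FULL_ADMIN in actions and FULL_ADMIN in resources:
            findings.append(f"statement {i}: grants full administrative privileges (Action '*' on Resource '*')")
        if not _requires_mfa(st):
            findings.append(f"statement {i}: allows access without an aws:MultiFactorAuthPresent condition")
    if not any(_denies_unencrypted_put(st) for st in statements):
        findings.append("policy: no Deny statement forces server-side encryption on s3:PutObject")
    return findings


# Constructed: the kind of policy the complaint describes (one key, full admin, no MFA, no encryption).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: scoped to one bucket, MFA required, unencrypted uploads denied.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-rider-data/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-rider-data/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_policy(policy), indent=2))
```

Run against a real account, the same checks apply to each policy returned by `aws iam get-policy-version`; the point is that "reasonable security" for data at rest is a set of concrete, machine-checkable properties, not a slogan in a privacy notice.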
The FTC alleged that Uber also failed to implement reasonable security training for employees, and failed to have a written information security program (WISP). For more insight about employee training and WISPs, see my previous article.
The FTC also alleged that in 2014 these cybersecurity failures resulted in a data breach of consumers’ personal information that Uber had stored on the AWS cloud. Specifically, a hacker used an access key that one of Uber’s engineers had publicly posted to GitHub, which is a code-sharing website used by software developers. This key granted full administrative privileges to all of the data that Uber had stored on the AWS cloud. In the complaint, the FTC highlighted the fact that low-cost cybersecurity improvements could have prevented or mitigated the impact of this breach.
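One of the low-cost improvements the FTC had in mind is scanning source code for credentials before it leaves a developer's machine. As an added example (not code from the article, Uber, or GitHub), here is a Python pre-commit style check that finds AWS access key IDs by their fixed `AKIA`/`ASIA` prefix and flags 40-character secret-key-shaped tokens on lines that mention "secret". The sample commit text is constructed; the two values in it are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
"""Scan text (a diff, a file, stdin) for AWS credentials before it is committed.

Added example; the sample commit content below is constructed.
"""
import re
import sys

# Long-term access key IDs start with AKIA, temporary ones with ASIA; 20 chars total.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_CONTEXT_RE = re.compile(r"secret", re.IGNORECASE)


def redact(value):
    """Keep the first and last four characters so a finding can be logged safely."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(text):
    """Return one finding per suspected credential, with line number, kind and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": redact(m.group(0))})
        # A bare 40-char token is too noisy on its own; require "secret" on the same line.
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_KEY_RE.finditer(line):
                findings.append({"line": lineno, "kind": "secret_access_key", "value": redact(m.group(0))})
    return findings


def is_clean(text):
    """True when the text contains nothing that looks like an AWS credential."""
    return not find_aws_credentials(text)


# Constructed: a credentials file accidentally staged for commit.
# The values are AWS's published documentation examples, not real credentials.
SAMPLE_COMMIT = """\
# constructed config snippet
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

if __name__ == "__main__":
    # Usage as a hook: git diff --cached | python scan_aws_keys.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_COMMIT
    for f in find_aws_credentials(data):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    sys.exit(0 if is_clean(data) else 1)
```

A check like this would not have fixed the shared-admin-key problem, but it would have stopped that key from being published; paired with per-engineer keys, MFA and regular key rotation, a leak becomes a contained incident rather than a breach of every record in the account.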
According to the FTC, Uber’s statements about its cybersecurity measures were false or misleading since Uber’s security practices, taken as a whole, did not provide reasonable security. Thus, the FTC alleged that Uber’s statements were deceptive, and in violation of the FTC Act.
It is worth noting that in cases such as this one, the FTC’s complaints have usually charged businesses not only with being “deceptive” (based on false or misleading statements), but also with being “unfair” (based on not having reasonable cybersecurity). Curiously, while the FTC’s complaint against Uber stated that it did not have reasonable cybersecurity, neither of the complaint’s two counts was based on this. Rather, both were based on the deception theory. While the FTC has not explained why, it will be interesting to see if this becomes a trend.
Uber’s settlement obligations
Under the agreed-upon terms of the settlement (known as a Consent Order), which will apply for 20 years, Uber is:
- prohibited from misrepresenting the extent to which it monitors or audits internal access to consumers’ personal information;
- prohibited from misrepresenting how it protects the privacy, confidentiality, security, or integrity of consumers’ personal information;
- required to implement a comprehensive written privacy program that addresses privacy risks and protects the privacy and confidentiality of the personal information it collects; and
- required to obtain initial and biennial independent third-party audits certifying that the program meets or exceeds the settlement’s requirements.
In a statement regarding the settlement, FTC Acting Chairman Maureen K. Ohlhausen said: “This case shows that, even if you’re a fast-growing company, you can’t leave consumers behind: you have to honor your privacy and security promises.” All businesses that collect, store, use, or share consumer information should realize the importance of making accurate statements about their privacy and cybersecurity practices, and ensuring that those statements are adhered to by all of their employees. These statements include not only those in website privacy notices that are easy for government regulators to find and scrutinize (for more insight about website privacy notices, see my previous article), but also any other statements a business makes, such as those by customer service representatives.
The settlement requirements that Uber must adhere to for 20 years are onerous, and quite common in FTC enforcement actions against companies that engage in unfair or deceptive acts pertaining to privacy or cybersecurity. Businesses should be proactive in assessing and mitigating the risks of similar enforcement actions, and hopefully prevent them entirely.