There are several key takeaways from a 20-year proposed consent order agreed to by Uber Technologies, Inc. (Uber) and the Federal Trade Commission (FTC):

  • If you maintain sensitive information like precise geolocation data, you must protect it adequately whether you store it locally or in the cloud.

  • If you impose access controls, make sure that they are actually implemented.

  • If you describe your information-security practices to consumers, use precise language and not puffery.

The settlement addresses the FTC's claims that Uber misrepresented the extent to which it monitored its employees' access to personal information about riders and drivers, and that it took reasonable steps to secure that data—including through the use of cloud-based storage.

Employee Access to Consumer Personal Information

In 2014, multiple media sources reported that Uber employees had improper access to consumer data. In November 2014, Uber responded that it had "a strict policy prohibiting all employees at every level from accessing a rider or driver's data" and that "access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis."

The FTC complaint alleged that although Uber had developed an automated monitoring system for such employee access, the company did not follow up on automated alerts generated by the system in a timely fashion—and that it stopped using the system less than a year after it was put in place.

Database Security

The FTC also took issue with Uber's internal security measures in connection with its use of a third-party cloud storage service provider. In 2014, Uber used the Amazon Simple Storage Service (Amazon S3 Datastore) to store personal information, including full and partial backups of personal information, such as names, addresses, unique device identifiers, driver's license numbers and geolocation information.

In May 2014, an intruder was able to access unencrypted personal information stored in the Amazon S3 Datastore using an access key that one of Uber's engineers had publicly posted to a code-sharing website.
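The leaked access key is the kind of defect a pre-push check catches before the code reaches a public repository. The following is an added example, not material from the FTC complaint or from Uber: a small scanner that flags AWS credential-shaped strings in source text. The access-key-ID pattern follows the AWS-documented format (20 characters, prefix AKIA for long-term IAM user keys or ASIA for temporary keys); the secret-key pattern is an assumption, a 40-character base64-like token on the same line as a "secret key" identifier. The sample source, names and placeholder keys are constructed for the example.

```python
import re

# AWS access key IDs are 20 characters; the documented prefixes are AKIA
# (long-term IAM user keys) and ASIA (temporary STS keys).
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Heuristic (an assumption, not an AWS-documented format): a 40-character
# base64-like token assigned on the same line as an identifier containing
# "secret" and "key". Same-line matching keeps false positives manageable.
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_access)?_?key[^\n]{0,20}?[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def scan_for_aws_keys(text):
    """Return (kind, line_number, token) for every credential-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(("access_key_id", lineno, m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(("secret_access_key", lineno, m.group(1)))
    return findings


def redact(token):
    """Show only the ends of a token so the report does not leak it again."""
    return token[:4] + "..." + token[-4:]


def check_before_push(text):
    """True when the text is safe to publish, False (with a report) otherwise.

    A key that has already been pushed is compromised regardless of a later
    commit that removes it, because the history keeps it. Rotate the key;
    deleting the line is not enough.
    """
    findings = scan_for_aws_keys(text)
    for kind, lineno, token in findings:
        print(f"line {lineno}: {kind} {redact(token)}")
    return not findings


# Constructed sample: AWS's documentation placeholder keys, not live credentials.
SAMPLE_SOURCE = (
    "import boto3\n"
    "# TODO: move these to environment variables\n"
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    's3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,\n'
    "                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)\n"
)

if __name__ == "__main__":
    # Non-zero exit blocks the push when wired in as a pre-push hook.
    raise SystemExit(0 if check_before_push(SAMPLE_SOURCE) else 1)
```

Run as a pre-push hook over the staged diff, the check fails on both credential lines in the sample and passes on source that reads its keys from the environment. It is a tripwire, not a substitute for keeping long-term keys out of application code altogether.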

The FTC complaint alleged that Uber failed to provide reasonable security to prevent unauthorized access to personal information stored in the Amazon S3 Datastore by failing to:

  • require distinct access keys, relying instead on a single access key that provided full administrative privileges over all data;

  • restrict access to systems based on employees' job functions;

  • require multifactor authentication;

  • implement reasonable security training and guidance; and

  • maintain a written information security program.

The FTC also alleged that Uber stored sensitive personal information in the Amazon S3 Datastore in clear, readable text, rather than encrypting the information.
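Three of the failures above (a single key with full administrative rights, no multifactor requirement, data stored in clear text) are visible in configuration and can be checked mechanically. The following is an added example, not material from the complaint or from Uber: an IAM policy in the shape the FTC describes beside a scoped one, and an audit routine for both the policy and the bucket's default encryption setting. The policy documents, bucket name and prefix are constructed; the field names follow the IAM policy grammar and the present-day S3 GetBucketEncryption response shape, and the MFA check uses the aws:MultiFactorAuthPresent condition key.

```python
# Constructed: one key, every action, every resource. This is the "full
# administrative privileges for all data" pattern.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: scoped to a job function (read/write one backup prefix) and
# only for sessions that authenticated with MFA.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-backups/rider-exports/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}

# Constructed: the dict S3 GetBucketEncryption returns for a bucket that
# encrypts new objects by default. None models a bucket with no such setting.
ENCRYPTED_BUCKET = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
    }
}
UNENCRYPTED_BUCKET = None


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when the statement only applies to MFA-authenticated sessions."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(value).lower() == "true":
            return True
    return False


def audit_iam_policy(policy):
    """Return one finding per over-broad property of each Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: wildcard resource (all data)")
        if not _requires_mfa(stmt):
            findings.append(f"statement {i}: no MFA condition")
    return findings


def audit_bucket_encryption(encryption_config):
    """Check that a bucket applies server-side encryption to new objects."""
    if not encryption_config:
        return ["no default encryption: objects are stored in clear text"]
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm in ("AES256", "aws:kms"):
            return []
    return ["encryption configuration present but no SSE algorithm applied by default"]


def audit_s3_access(policy, encryption_config):
    """Combined report for a key's policy and the bucket it reaches."""
    return audit_iam_policy(policy) + audit_bucket_encryption(encryption_config)


if __name__ == "__main__":
    for label, policy, bucket in (
        ("weak", WEAK_POLICY, UNENCRYPTED_BUCKET),
        ("scoped", SCOPED_POLICY, ENCRYPTED_BUCKET),
    ):
        print(label, audit_s3_access(policy, bucket) or ["no findings"])
```

The weak configuration produces four findings and the scoped one none. One caveat a practitioner would raise: an MFA condition protects human sessions, but a long-term access key embedded in application code can never satisfy it. The fix for that path is not MFA on the key but replacing the key with short-lived role credentials, so that a key pasted into a public repository has nothing durable to leak.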

Broad Statements

The FTC complaint alleged that, in light of the above deficient practices, certain public statements Uber made about its information security practices were deceptive. Specifically, Uber's privacy policy represented that it securely stored all personal information using "standard, industry-wide, commercially reasonable security practices." In addition, Uber's customer service representatives provided the following assurances to consumers:

  • "We use the most up to date technology and services to ensure that none of [your information is] compromised;"

  • "We're extra vigilant in protecting all private and personal information;" and

  • "All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available."

Settlement Terms

Under the terms of the proposed consent order, Uber is not required to pay a civil penalty, but the company will be:

  • prohibited from misrepresenting how it monitors internal access to personal information or how it secures personal information;

  • required to implement a comprehensive privacy program; and

  • required to obtain independent, third-party audits every two years for the next 20 years.

A comprehensive privacy program that complies with the FTC's expectations will require Uber to implement numerous security controls and procedures, including:

  • designating an employee or employees to be responsible for the privacy program;

  • identifying reasonably foreseeable risks and conducting an assessment of the sufficiency of any safeguards in place, including, at a minimum, risks associated with employee training and product design;

  • designing and implementing reasonable controls and procedures to address the risks;

  • performing regular testing and monitoring of the effectiveness of those controls and procedures;

  • developing and using reasonable steps to select and retain service providers capable of appropriately protecting the privacy of the personal information they receive from Uber and requiring, by contract, that service providers implement and maintain appropriate privacy protections; and

  • evaluating and adjusting the privacy program based on the results of the testing and monitoring.

The Uber settlement serves as a reminder that storing personal information through a third-party service provider does not relieve a company of its independent obligation to ensure the security of that data—even if that provider is a reputable company that is not alleged to have violated any of its duties. In this sense, the settlement demonstrates that a company cannot outsource its information security obligations simply by storing personal information through a trusted cloud service.

The settlement is also a reminder that—regardless of size or sophistication—every company that collects personal information must be aware of the contents of its public-facing privacy policy and ensure that the company adheres to any security representations in that policy. As stated by Maureen K. Ohlhausen, acting Chair of the FTC, "This case shows that, even if you're a fast-growing company, you can't leave consumers behind: you must honor your privacy and security promises."

Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world identify, manage, and mitigate cyber risk. Our team of nearly 50 lawyers across the country includes investigators and advocates with deep experience in cyber-related internal and governmental investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and civil and criminal litigation.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.