Uber, the ride-hailing giant, agreed this week to implement a comprehensive privacy program and to undergo 20 years of privacy and data security audits in order to settle allegations by the Federal Trade Commission (FTC) that Uber did not keep its promises to protect customer data. The FTC had alleged two separate failures by Uber: first, misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second, misrepresenting that it deployed reasonable measures to secure personal information it stored on a third-party cloud provider’s servers. This week’s settlement made clear the FTC’s view that being an early-phase company is no excuse for weak data protection measures or misleading statements regarding consumer data privacy.

The settlement resolved an investigation that began in November 2014, after a series of media reports alleging improper access and use of customer personal information by Uber employees caused an outcry among consumers. One article reported that an Uber executive (now former) had suggested that the company hire “opposition researchers” to look into the “personal lives” of journalists who had raised questions regarding Uber’s business practices. A second article described an internal tracking tool, known as “God View,” that displayed the personal information of riders using Uber’s services.

In response to the resulting uproar, Uber issued a statement declaring that “Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business interests. . . . The policy is also clear that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violation of the policy will result in disciplinary action. . . .” Uber also developed and deployed, in December 2014, an automated system for monitoring employee access to consumer personal information.

The FTC’s complaint alleged that Uber’s monitoring system was not designed or staffed to scale to support review of access to personal data by Uber’s thousands of employees and contractors, and that in August 2015 Uber ceased to use the system at all while developing a new monitoring system. According to the FTC, Uber also failed to follow up on automated alerts regarding possible improper access during that time. Instead, Uber monitored only access to account information belonging to Uber executives.

Separately, the FTC investigation examined Uber’s data security policies. Although Uber’s privacy policy expressly represented that “the Personal Information and Usage Information we collect is securely stored within our databases, and we use standard, industry-wide commercially reasonable security practices such as encryption, firewalls and SSL (Secure Socket Layers) for protecting your information . . .,” Uber actually stored sensitive personal information on an Amazon Web Services (AWS) storage solution known as Amazon S3 Datastore. The FTC complaint alleged that Uber failed to implement appropriate controls on access to the Amazon S3 Datastore, including allowing all programs and engineers who accessed the Datastore to use a single AWS key, failing to restrict access based on employees’ job functions and failing to require multifactor access to the Datastore. The complaint further alleged that, until September 2014, Uber failed to implement adequate security training, had no written information security program, and stored sensitive information in the Amazon S3 Datastore in clear, unencrypted, readable text.

In May 2014, an attacker accessed consumer personal information in Uber’s Amazon S3 Datastore using an access key that had been publicly posted by an Uber engineer. The attacker accessed a file containing sensitive personal information of more than 100,000 Uber drivers, including unencrypted names and driver’s license numbers, and bank account and Social Security numbers for hundreds of individuals. Uber learned of the breach in September 2014, and took steps to limit further unauthorized access. However, Uber did not notify affected individuals until February 2015; Uber later learned that the initial notification of more than 40,000 individuals significantly undercounted those affected, and it then sent breach notification letters to an additional 60,000 Uber drivers in the summer of 2016.

Under its agreement with the FTC, Uber is prohibited from misrepresenting how it monitors internal access to customers’ personal information, and how it protects and secures data. Uber is also required to implement a comprehensive privacy program and to submit to annual third-party audits.

In a statement, FTC Acting Chairman Maureen K. Ohlhausen made clear that this week’s settlement should be viewed as a message from the FTC to tech startups and other early-phase companies: “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.” The lessons – for startup and mature companies alike – are equally clear: first, your privacy policy must accurately represent your data collection, use and protection practices, not simply attest to compliance with vague statements about “industry best practices.” Second, when a flaw in your privacy protections is revealed, take good-faith, serious and long-term steps to correct the problem. Although media and public scrutiny may move on, regulators will likely still be watching.