The FTC withdrew its August 2017 administrative complaint and proposed consent agreement with Uber Technologies, Inc. (Uber) and issued a revised complaint against Uber. Uber has accepted a revised proposed consent agreement, which will be subject to public comment for 30 days.
As noted in a previous blog post, “Do What You Say and Say What You Do,” the FTC’s August 2017 Uber consent agreement resolved allegations that Uber had failed to live up to its claims that it closely monitored employee access to rider and driver data and that it used reasonable measures to secure personal information stored on a third-party cloud provider’s servers. The previous consent agreement focused on conduct that occurred in late 2014.
Before the FTC issued the consent in final form, the FTC learned that Uber failed to disclose a significant breach of consumer data that occurred in 2016 while the FTC investigation was underway.
The revised complaint details the 2016 breach of consumer data stored in Uber’s Amazon cloud-based S3 Datastore. Specifically, it describes how intruders downloaded 16 files from the Datastore containing unencrypted personal information relating to U.S. riders and drivers. This included, among other things, unencrypted personally identifying information (PII): over 25 million names and email addresses, over 22 million names and mobile phone numbers, and over 600,000 names and driver’s license numbers. The attackers gained access by using an access key that Uber engineers used to reach the S3 Datastore; the attackers located that key in plain text in a web-based repository for computer code. According to the revised complaint, “Uber did not have a policy prohibiting engineers from reusing credentials and did not require engineers to enable multi-factor authentication” when accessing the private repositories. As a result, the attackers could log in to the repositories with passwords exposed in earlier, unrelated data breaches, find the access key, and then use it against the Datastore itself; no exploit of the cloud provider was required, only a reused password and a secret committed to source control.
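The control that directly addresses the chain the complaint describes, a cloud access key sitting in plain text in a code repository, is scanning commits for credential-shaped strings before they reach the repository. The following is an added example written for this post; it is not code from Uber, the FTC, or the complaint. It assumes the shapes AWS documents for its own credentials (access key IDs beginning with AKIA or ASIA followed by 16 upper-case alphanumerics, secret keys of 40 base64-like characters) and scans a small, constructed in-memory “repository”; the key values are the placeholder credentials from AWS’s documentation, not real secrets. Findings are redacted so the report itself does not re-leak what it found.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for AWS credential material (assumed shapes, based on the
# formats AWS documents; these regexes are this example's own, not from the
# complaint). Access key IDs: AKIA (long-term) or ASIA (temporary) + 16 chars.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys: a variable whose name looks like aws_secret_access_key assigned
# a 40-character base64-like value. Capture group 1 is the value.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # "access_key_id" or "secret_access_key"
    redacted: str   # first and last four characters only


def redact(token: str) -> str:
    """Keep enough of the token to triage, never the whole secret."""
    return token[:4] + "..." + token[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-shaped token, with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (e.g. the files in a commit)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents. The credentials are the placeholder
# values AWS uses in its documentation, not real keys.
SAMPLE_REPO = {
    "config/settings.py": (
        "S3_BUCKET = 'rider-data'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Configure credentials via the instance role; never commit them.\n",
}

if __name__ == "__main__":
    # As a pre-commit hook, a non-empty result would block the commit.
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

In practice this runs as a pre-commit or pre-receive hook over the files in a commit, and a non-empty result rejects the push. The scanner is deliberately narrow (AWS-shaped tokens only) and will not catch secrets of other formats; it also does nothing about a key already pushed, which must be revoked and rotated regardless of whether it is later removed from history.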
The revised complaint further describes how Uber discovered the 2016 breach: one of the attackers contacted Uber and demanded a six-figure payout. Although the attackers had “maliciously exploited” the uncovered PII, Uber paid them $100,000 through the third party that administers the company’s “bug bounty” program, a program originally created to pay financial rewards in exchange for the responsible disclosure of security vulnerabilities. Uber did not disclose the breach to the FTC until November 2017, more than a year after its discovery.
The revised consent order includes a definition of “covered incident” and a new provision that requires Uber to report such incidents to the FTC, along with any notice required by any federal, state, or local government entity. The requirement to report breaches to the FTC is similar to the HIPAA statutory scheme that requires certain breaches to be reported to HHS’s Office for Civil Rights.
The revised order is also broadened to require that Uber submit all of the reports from the required third-party audits of Uber’s privacy program, rather than only the initial report, to the FTC. Finally, certain recordkeeping requirements have been extended from three to five years, and Uber must also retain copies of all subpoenas and other communications with law enforcement related to compliance with the order, as well as all records that call into question Uber’s compliance with the order.
It is very unusual for the FTC to take the action it has taken with Uber. Had the ink been dry and the order final, it is possible that the facts surrounding the 2016 breach would have been found to violate the order, and if the FTC had determined that the order was violated, it could have sought civil penalties. Instead, the FTC broadened the complaint allegations and the order. It should be noted that the Commission has asked Congress to grant it civil penalty authority for data security breaches.
Special Note from DBR on Data
The authors of this post, Editorial Board, and each of the contributors of DBR on Data would like to recognize former business development and marketing coordinator, Linda Cui, who has moved on to another career opportunity. Linda has been our all-star blog manager and marketing extraordinaire, who helped launch and manage DBR on Data’s editorial operations and content creation. She is very much the reason we have been able to maintain consistency in posts and blogging excellence in the evolving areas of data privacy, security, and governance. We thank her for all of her contributions and hard work.
Linda, we will miss you and wish you well in your future endeavors!
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.