Uber reaches settlement with FTC over data security breaches
The Federal Trade Commission approved a settlement Friday with Uber Technologies over allegations that Uber deceived consumers about its privacy and data security practices.
Why it matters: The settlement is the latest consequence of Uber's freewheeling behavior under then-CEO Travis Kalanick. Of the two data breaches, Uber did not disclose the second to consumers or the FTC for more than a year.
The details: The FTC alleged Uber failed to monitor employee access to consumers’ personal information on an ongoing basis and to reasonably secure sensitive consumer data it stored in the cloud.
- If Uber fails in the future to notify the FTC of incidents involving unauthorized access to driver and rider information, the ride-sharing company could face civil penalties.
- Uber cannot misrepresent how it monitors internal access to consumers’ personal information.
- Uber must also start a "privacy program" and have independent assessors monitor Uber's compliance to the FTC for 20 years.
What they're saying:
"The threat of civil penalties would provide a greater incentive to firms to follow through on the promises they make to consumers and to make appropriate investments to implement reasonable data security safeguards." — FTC Commissioner Rebecca Kelly Slaughter
"Given the serious misconduct uncovered in this investigation, I support this action. But, I believe the Commission should have given greater weight to several of the suggestions made in the comments." — FTC Commissioner Rohit Chopra
Background: Instead of immediately disclosing the incident to customers and relevant government agencies, Uber paid the hackers responsible $100,000 to delete the data and keep the incident quiet. Ex-Uber CEO Travis Kalanick learned of the incident one month after it happened. Uber's new CEO, Dara Khosrowshahi, parted ways with the company's chief security officer, Joe Sullivan, once he took the helm of the company.
Flashback: Last month, Uber agreed to pay $148 million in a California-led settlement related to the breach.