Thursday, April 9, 2020

Uber Agrees to Expanded Privacy and Security Settlement with FTC

Must read

Immunity Supplement Marketers Face Heightened Regulatory Scrutiny

Immunity supplements and express or implied COVID-19 prevention, treatment, cure or diagnosis-related representations are squarely within the crosshairs. Without limitation, a lack of competent and reliable scientific evidence with respect to the final product formulation - not just a single/handful of ingredient(s) - could prove disastrous for those hurriedly seeking to bring products to market without first ensuring that lawfully adequate substantiation is possessed prior to dissemination of claims.

Skimlinks and Commission Junction Banned from Amazon Affiliate Program

Amazon banned Commission Junction and Skimlinks from Amazon starting in April from running Amazon's affiliate program. These affiliates will not earn a...

Does Coronavirus Excuse Non-Performance Under a Contract?

The Coronavirus outbreak has raised a number of issues relating to contractual performance obligations. An excuse for non-performance of contractual obligations may...

Ways to Avoid Spam Traps in Email Marketing

New research by Trustwave reveals that 26 per cent of spam is infected with malware. As a result spam filters are getting...
Avatar
Richard B. Newmanhttp://www.hinchnewman.com
Richard B. Newman is an Internet Lawyer at Hinch Newman LLP focusing on advertising law, Internet marketing compliance, regulatory defense and digital media matters. His practice involves conducting legal compliance reviews of advertising campaigns across all media channels, regularly representing clients in high-profile investigative proceedings and enforcement actions brought by the Federal Trade Commission and state attorneys general throughout the country, advertising and marketing litigation, advising on email and telemarketing best practice protocol implementation, counseling on eCommerce guidelines and promotional marketing programs, and negotiating and drafting legal agreements.

The FTC has announced that Uber Technologies, Inc. has agreed to expand the proposed settlement it reached with the agency last year over charges that the ride-sharing company deceived consumers about its privacy and data security practices.

After the announcement of last year’s proposed settlement, the FTC learned that Uber had failed to disclose a significant breach of consumer data that occurred in 2016 — in the midst of the FTC’s investigation that led to the August 2017 settlement announcement.  Due to Uber’s misconduct related to the 2016 breach, according to the Commission, the company will be subject to additional requirements.  Among other things, the revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information.

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” said Acting FTC Chairman Maureen K. Ohlhausen.  “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”

In announcing the original proposed settlement with Uber in August 2017, the FTC charged that the company had failed to live up to its claims that it closely monitored employee access to rider and driver data and that it deployed reasonable measures to secure personal information stored on a third-party cloud provider’s servers.

In a revised complaint, the FTC alleges that Uber learned in November 2016 that intruders had again accessed consumer data the company stored on its third-party cloud provider’s servers by using an access key an Uber engineer had posted on a code-sharing website.  This time, the intruders used the access key to download from Uber’s cloud storage unencrypted files that contained more than 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of U.S. Uber drivers and riders.

The revised proposed complaint further notes that Uber paid the intruders $100,000 through its third-party “bug bounty” program and failed to disclose the breach to consumers or the Commission until November 2017.  The bug bounty program was created to provide financial rewards to parties who responsibly disclose security vulnerabilities rather than those who maliciously exploit vulnerabilities to access consumers’ personal information.

In addition to compelling Uber to disclose certain future incidents involving consumer data, the new provisions in the revised proposed order include requirements for Uber to submit to the Commission all the reports from the required third-party audits of Uber’s privacy program rather than only the initial such report.  It also must retain certain records related to bug bounty reports regarding vulnerabilities that relate to potential or actual unauthorized access to consumer data.

Experienced FTC defense lawyers such as the author can assist with the implementation of preventative privacy compliance protocols, and defending regulatory investigations and enforcement actions.  Contact the author via his website located at hinchnewman.com.  You can also follow him on LinkedIn at FTC Defense Attorney.

ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35thFloor, New York, NY 10005.

- Advertisement -

More articles

What's your opinion?

- Advertisement -

Latest article

Immunity Supplement Marketers Face Heightened Regulatory Scrutiny

Immunity supplements and express or implied COVID-19 prevention, treatment, cure or diagnosis-related representations are squarely within the crosshairs. Without limitation, a lack of competent and reliable scientific evidence with respect to the final product formulation - not just a single/handful of ingredient(s) - could prove disastrous for those hurriedly seeking to bring products to market without first ensuring that lawfully adequate substantiation is possessed prior to dissemination of claims.

Skimlinks and Commission Junction Banned from Amazon Affiliate Program

Amazon banned Commission Junction and Skimlinks from Amazon starting in April from running Amazon's affiliate program. These affiliates will not earn a...

Does Coronavirus Excuse Non-Performance Under a Contract?

The Coronavirus outbreak has raised a number of issues relating to contractual performance obligations. An excuse for non-performance of contractual obligations may...

Ways to Avoid Spam Traps in Email Marketing

New research by Trustwave reveals that 26 per cent of spam is infected with malware. As a result spam filters are getting...

How to do Email Marketing During Coronovirus

During a crisis, your email communication can make or break your business. Even more importantly, it can help, hurt, or confuse people.  You...