In August 2017, the U.S. Federal Trade Commission and Uber agreed to settle an FTC complaint regarding Uber’s alleged deceptive representations about its privacy and data security practices. The complaint and settlement provide useful cybersecurity guidance for Canadian organizations.
The Complaint
The FTC’s complaint alleged that Uber failed to provide reasonable security for consumers’ personal information stored in Uber’s databases (including data stored in a commercial cloud service), contrary to Uber’s privacy policy and public statements about its data security practices, and as a result an intruder was able to gain unauthorized access to some of that information (including 100,000 unencrypted names and driver’s license numbers).
In particular, the complaint alleged that Uber’s data security practices were deficient in the following respects:
- Written Program: Failure to have a written information security program.
- Training: Failure to implement reasonable security training and guidance.
- Encryption: Storing sensitive personal information in readable text rather than encrypting the information.
- Access Controls: Failure to implement reasonable access controls to safeguard stored personal information, including requiring individuals to use distinct access keys (rather than sharing an access key), restricting access based on job functions, and requiring multi-factor authentication for access to cloud data stores.
- Monitoring: Failure to have a system that effectively monitors access to consumers’ personal information by employees and contract workers.
The complaint alleged that Uber could have prevented or mitigated the alleged data security deficiencies “through relatively low-cost measures”.
The Settlement Agreement
The settlement agreement prohibits Uber from making any false statements regarding Uber’s privacy and data security practices.
The settlement agreement requires Uber to establish, implement and maintain a comprehensive, documented privacy program that is reasonably designed to address privacy risks relating to existing and new products and services and to protect the privacy and confidentiality of personal information. The privacy program must contain controls and procedures appropriate to Uber’s size and complexity, the nature and scope of Uber’s activities, and the sensitivity of personal information collected or received by Uber.
In particular, the privacy program must include the following:
- Accountability: Designated employees responsible for the privacy program.
- Risk Assessment: An assessment of internal and external risks in each area of Uber’s operations (including employee training and management and product design, development and research) that could result in the unauthorized collection, use or disclosure of personal information, and an assessment of the sufficiency of existing safeguards to control those risks.
- Security Measures: The design and implementation of security controls to address identified risks, and regular testing and monitoring of the effectiveness of those controls.
- Service Providers: The use of reasonable procedures regarding the selection of service providers capable of protecting personal information received from Uber, and contract provisions that require service providers to protect personal information.
- Periodic Assessments/Adjustments: The assessment and adjustment of the privacy program in light of the results of periodic testing and monitoring, changes to operations or business arrangements, and other circumstances that may impact the effectiveness of the privacy program.
Comment
The data security measures required by the settlement agreement, and the guidance implied in the FTC complaint, are consistent with Canadian personal information protection laws, which provide that organizations are accountable for the information they collect and must protect personal information using appropriate safeguards. Canadian privacy commissioners have issued helpful guidance for protecting personal information.