Pressured by gov’t, Uber agrees to protect rider data

Tom Krisher
Associated Press

Detroit — Ride-hailing service Uber has agreed to protect data and audit use of rider information to settle a complaint from the federal government that it deceived customers.

The Federal Trade Commission, in a complaint settled on Tuesday, alleged that Uber failed to secure data about rider trips and neglected to monitor employee access to the information. It’s another in a long string of missteps for the San Francisco-based company, which faces a separate federal investigation for allegedly using its app to block city inspectors from monitoring its service.

Uber misrepresented how well it monitored employee access to personal information about users and drivers, and it misstated that it took steps to secure customer data, FTC Acting Chairman Maureen Ohlhausen said in a statement. “This case shows that even if you’re a fast-growing company, you can’t leave consumers behind: You must honor your privacy and security promises,” she said.

Uber said the allegations date to 2014 and that since then, it has strengthened its privacy and data security practices and will keep investing in security programs.

But the FTC alleged in its complaint that after news reports of Uber employees improperly accessing customer data, the company issued a statement in November of 2014 that it had a strict policy prohibiting employees from viewing the data except for legitimate business purposes. The company also said employee access would be closely monitored.

But Uber stopped using a monitoring system less than a year later and for nine months, rarely monitored access to customer and driver information.

Also, Uber claimed that data was securely stored in its databases, but an intruder gained access to driver data in May of 2014, including 100,000 names and driver’s license numbers, the complaint said.

“The FTC alleges that Uber did not take reasonable, low-cost measures that could have helped the company prevent the breach,” the FTC statement said.

To settle the complaint, Uber agreed to stop misrepresenting how it monitors access to customer information and to stop misrepresenting how it secures the data, the FTC said. Uber Technologies Inc. also agreed to put a program in place to protect customer privacy. It also must do an audit every two years for the next two decades to make sure the privacy program remains in place.

The FTC voted 2-0 to accept the agreement. The public will be able to comment for 30 days, after which a final decision will be made.

Uber said it hired its first chief security officer in 2015 and now has hundreds of employees who work to protect consumer information. “This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information,” a company statement said.