On April 12, 2018, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced an agreement with Uber Technologies, Inc., to expand an August 2017 settlement regarding a 2014 data breach to include new violations arising from a second data breach that Uber discovered in 2016 but did not publicly disclose for over one year.  The revised settlement order imposes new notification, reporting, and records retention obligations on Uber for up to 20 years regarding third-party audits of its privacy program, future data breaches involving personal data, and its bug bounty program.  The proposed settlement order will be open for public comment for 30 days, after which time the Commission is likely to make the order final.

In August 2017, Uber entered into a consent agreement with the FTC related to a data breach that occurred three years before.  The complaint resolved by the 2017 settlement order alleged that, in May 2014, an intruder used an access key publicly posted on the website GitHub to access sensitive personal information of Uber drivers (who the FTC treats as consumers) that Uber stored with a cloud provider.  This information allegedly included unencrypted names, driver’s license numbers, bank account and routing numbers, and Social Security numbers.  The FTC alleged that Uber had failed to (1) “implement reasonable access controls” to safeguard personal data of drivers and riders stored in the cloud, (2) implement reasonable security training and guidance, (3) maintain a written security program, and (4) encrypt certain information stored with the cloud provider.  The complaint charged that Uber’s representations about the security of, and internal monitoring and auditing regarding access to, consumers’ personal information were false or misleading in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

In the 2018 complaint, the FTC alleges that Uber discovered a second data breach shortly after it occurred in the fall of 2016, in the midst of the FTC’s nonpublic investigation into the 2014 breach.  According to the complaint, intruders used an access key that had been stored in a private GitHub repository to download unencrypted files containing personal data of U.S. riders and drivers, including approximately “25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers.”

Uber allegedly discovered this second breach in November 2016 when one of the attackers contacted it “claiming to have compromised Uber’s ‘databases’ and demanding a six-figure payout.”  In response to the intruders’ demands, Uber allegedly paid the intruders $100,000 USD through the administrator of its “bug bounty” program.  Finally, the revised complaint alleges that Uber did not disclose the second breach until November 2017—more than a year after the company discovered the breach and despite the pendency of an ongoing FTC investigation into Uber’s data security practices.

Like the 2017 order, the 2018 order requires Uber to, among other things:

  • Cease future misrepresentations regarding the extent to which it “monitors or audits internal access to consumers’ [p]ersonal [i]nformation,” and “protects the privacy, confidentiality, security, or integrity” of any personal information;
  • Implement a “comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services” and “protect the privacy and confidentiality” of personal information; and
  • Obtain biennial third-party assessments of these new privacy controls.

While the revised order does not impose a fine on Uber, it adds several key obligations that will be in effect for twenty years.  Most significantly, Uber must timely notify the FTC of any future incident in which information it collected or received “about an individual consumer was, or is reasonably believed to have been, accessed or acquired without authorization,” if that incident is required to be reported to a U.S. federal, state, or local governmental entity.  This notification must be made “within a reasonable time” after the date of discovery of the breach, and in any event no later than 10 days after Uber notifies a federal, state, or local entity, and it must include detailed information about the breach, the remedial actions taken, the affected consumers, and the content of any notices provided to government entities or consumers.  As a result of the revisions to the order, any future failure to notify the FTC of a data breach that exposes consumer information could result in civil penalties.

The revised order also requires Uber to incorporate additional areas, such as its bug bounty program, into the risk assessment component of its mandated privacy program, and to share its biennial, third-party privacy assessments with the FTC on a going-forward basis.  Finally, the order requires Uber to create and retain certain types of records, including records related to its use of a bug bounty program.

The FTC’s new complaint and order provide lessons for companies seeking to mitigate risk exposure to cyber-attacks and navigate regulatory enforcement actions regarding data breaches that implicate personal data.

First, in the press release issued with the new order, the FTC noted that the intruders in the 2016 breach exploited a vulnerability similar to the one used in the 2014 breach (an access key stored in a code repository) and used passwords that had been exposed in prior large breaches.  Companies should ensure that known vulnerabilities are remediated promptly and thoroughly, so that the same technique cannot be used against them again, and should rotate any credentials that have been leaked or exposed, in accordance with best practices.
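As an added illustration of these two lessons (this is example code written for this summary, not part of the original post, the FTC’s materials, or Uber’s tooling), the following Python block shows (a) a simple pre-commit style scan that flags cloud access keys committed to source files, the class of exposure behind both breaches, and (b) a check of passwords in use against a breach corpus using the SHA-1 prefix bucketing (k-anonymity) scheme that Have I Been Pwned’s Pwned Passwords range API uses, here run against a small constructed corpus so it works offline. The file contents, key patterns, and password lists are constructed for illustration; the key values are AWS’s published documentation placeholders, not real credentials.

```python
"""Added example: flag committed cloud access keys and check passwords
against a breach corpus with SHA-1 prefix (k-anonymity) bucketing."""
import hashlib
import re

# Constructed repository contents, standing in for the files a pre-commit
# scanner would see. The key values are AWS's published documentation
# placeholders (AKIAIOSFODNN7EXAMPLE / ...EXAMPLEKEY), not real credentials.
SAMPLE_FILES = {
    "deploy/config.py": (
        "CLOUD_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "CLOUD_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Run `make deploy` to push the service.\n",
}

# Illustrative patterns (assumption: an AWS-style key format; real scanners
# carry many more signatures). Access key IDs start with AKIA and are 20
# characters; the secret is a 40-character base64-like string, matched only
# when it sits next to a "secret access key" label to limit false positives.
SECRET_PATTERNS = {
    "cloud access key id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "cloud secret access key": re.compile(
        r"(?i)secret[_-]?access[_-]?key\W{1,5}([A-Za-z0-9/+=]{40})\b"
    ),
}


def redact(value):
    """Keep only the ends of a matched secret so a report can be shared."""
    return value[:4] + "..." + value[-4:]


def scan_for_secrets(files):
    """Return (path, line number, finding type, redacted value) tuples for
    every pattern match; a pre-commit hook would reject the commit if the
    list is non-empty."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append((path, lineno, kind, redact(match.group(1))))
    return findings


# Constructed stand-in for a corpus of passwords exposed in prior breaches.
BREACHED_PASSWORDS = {"password1", "uber2016", "letmein!", "qwerty123"}


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Bucket corpus hashes by the first five hex digits of their SHA-1, the
    bucketing the Pwned Passwords range API uses: a client sends only the
    5-character prefix and compares the returned suffixes locally, so the
    full hash (and the password) never leaves the client."""
    index = {}
    for password in corpus:
        digest = sha1_hex(password)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_breached(password, index):
    """Client side of the range check: look up the prefix bucket, then test
    the remaining 35 hex digits against the suffixes in that bucket."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def passwords_to_rotate(candidates, index):
    """Return the subset of candidate passwords that must be replaced."""
    return [pw for pw in candidates if is_breached(pw, index)]


if __name__ == "__main__":
    for finding in scan_for_secrets(SAMPLE_FILES):
        print("secret committed:", finding)
    index = build_range_index(BREACHED_PASSWORDS)
    in_use = ["uber2016", "G7#kq!vR2pLm9wZs"]  # constructed passwords
    print("rotate:", passwords_to_rotate(in_use, index))
```

In practice the scanner would run as a pre-commit or CI hook over the staged diff, and the password check would send only the five-character prefix to the range API over HTTPS and compare the returned suffixes locally; the point of the bucketing is that neither the password nor its full hash is disclosed to the service doing the lookup.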

Second, companies grappling with a breach involving a demand for payment should be mindful of the FTC’s explicit criticism of the use of a bug bounty program to effectuate such payments.  Typically, bug bounties are payments made to third-party researchers who responsibly report security vulnerabilities or other bugs so that they can be fixed.  The FTC’s 2018 complaint makes clear that the Commission does not consider Uber’s payment to the intruders to be a legitimate bug bounty, since the intruders “maliciously exploited the vulnerability and acquired personal information relating to millions of consumers.”