pexels-photo-417418On May 12, 2014, an intruder was able to access sensitive personal information belonging to over 100,000 Uber drivers including names, driver license numbers, social security numbers, and bank account information. Uber did not detect this major breach until September 2014 and failed to notify Uber users until February 2015.

While Uber’s Privacy Policy provided that it implemented reasonable security measures to protect the personal information of Uber Riders and Drivers, a complaint and investigation by the Federal Trade Commission (FTC) against Uber demonstrated that they needed to take serious precautionary measures to protect consumer information. FTC’s recent settlement with Uber, which imposes a requirement of third party privacy audits for 20-years and a fine of $20 million, hi-lights a number of important guidelines that corporations collecting personal data can follow to reduce the risk of a data breach. Below are the top five privacy practices to adopt based on the FTC’s settlement with Uber:

  1. Implement Two factor authentication for internal access to personal information

Prior to the complaint, Uber stored all of its data in an Amazon S3 Datastore, a scalable cloud storage device that could be used to store and retrieve large amounts of data. The S3 Datastore preserves information in “buckets,” small virtual containers in which individual access controls can be applied. However, Uber used a single access key (or password) that provided full administrative access to all data which made it significantly easier to hack. Using a two factor authentication for internal access helps control who can access certain types of information as well as making it more difficult for an intruder to access confidential data.

  1. Closely monitor and audit employee access to consumer data

Similarly, FTC’s complaint against Uber noted all Uber employees could access all of consumer (through the single access key), regardless of their job functions. This left Uber more open to potential data breaches. Limiting employee access to data based on job functions and requirement to access such data greatly improves security.

  1. Encrypt Personal Information

In the complaint against Uber, as well as in the FTC’s settlement, one of the biggest critiques was that Uber stored all of the personal data in the S3 buckets in plain language, meaning that once a potential intruder got into the data storage the sensitive information of Uber riders and drivers was readily available to them. One of the easiest fixes is for Uber and other companies storing sensitive data to begin encrypting any personal information they receive when they place it in data storage, adding another layer of security protecting their customers.

  1. Implement and update internal privacy and security programs

Having a well-documented security program which identifies and addresses foreseeable risks, defines employee authorization to access data, and details strict authentication mechanisms, is important for companies to protect the risk to the data in their possession. Compliance with this policy needs to be continuously evaluated as companies innovate and launch new products, add employees, expand to new regions, reorganize internal processes, or even as new threats get detected.  Providing security training to employees is an important component of implementing the privacy policy. Up until the Uber decision, Uber employees received little to no training with regards to protecting client data and best industry security practices.

Prior to the complaint, Uber did not have a strong documented policy, nor did it have monitoring or evaluation of its privacy practices. Thus, a major part of the Uber settlement was the requirement that Uber undertake regular third-party evaluation to determine if it had successfully implemented effective safeguards for consumer data. For companies looking to take lessons from Uber, it is essential to be aware of the need for neutral evaluation and continual upkeep to reinforce privacy policy.

  1. Ensure your Privacy Policy is accurate

Between July 13 and July 15th, 2015 Uber disseminated a privacy policy that contained statements about using “standard, industry wide security practices… for protecting your information.” This overstatement of Uber’s security policies was part of a systemic issue in which Uber’s rhetoric and practices were not aligned. In response to these issues, Uber should have closely examined its privacy policies to make sure that the statements within them were accurate and if not, to adjust its own policies.

Similarly, in the months prior to the decision against Uber, the company continually misrepresented the scope of its privacy practices trying to assure its customers that their data was safe. Since Uber did not enforce the privacy standards it claimed to, this meant that a large part of the FTC’s settlement focused on evaluation and recordkeeping.  Corporations should align their statements with their actual privacy practices in order to both protect the privacy of their customers and remain compliant with the FTC.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s