Uber has agreed to a mandate from the Federal Trade Commission that the ride-sharing service conduct independent audits every other year for the next 20 years, according to an agency announcement Tuesday. In addition, the company will implement a comprehensive new privacy program and remain transparent about how Uber accesses and protects consumer data.
These changes come amid allegations that Uber failed to secure personally identifiable consumer and driver data, specifically from its own employees and generally within a third-party cloud service.
Uber noted that it has launched efforts to strengthen its privacy and data security practices over the last several years, such as hiring its first CSO in 2015 and bringing in hundreds of specialists, according to an Uber spokesperson. "This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information."
With the rise of modern technology, the FTC has morphed into the federal government's "chief cybersecurity enforcer" and has sued scores of companies, including Snapchat, Oracle and LifeLock, for failing to adequately protect consumers. With the risk of costly reparations and reputation-damaging allegations from the commission, companies have to carefully navigate the uncertain terrain of data security.
This is not the first of Uber’s FTC woes. In January, Uber agreed to pay $20 million to settle an FTC case regarding misleading claims of prospective driver earning potential and financing options for their vehicle.
The most recent set of problems are grounded in the company’s cybersecurity. In 2014 an intruder accessed the personal information of 100,000 Uber drivers, and recent reports allege Uber employees accessed rider and driver data for non-business purposes.
The FTC’s regulation of Uber does not stand alone at home or abroad in efforts to protect consumer data from internal and external misuse. The EU’s General Data Protection Regulation goes into effect May 2018, and the U.K. has announced legislative plans to strengthen and improve its own data security laws in accordance with the GDPR.