Uber Settles NY AG Investigations Into Data Breach and Privacy Practices | Practical Law

The New York Attorney General’s office has settled two investigations into Uber Technologies, Inc.’s collection, maintenance, disclosure, and display of personal information, including real-time rider geo-location data, and its failure to provide timely notification of a data breach that exposed driver names and driver license numbers.

Practical Law Legal Update w-001-3143 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 12 Jan 2016, USA (National/Federal)
On January 6, 2016, the New York Attorney General’s office announced in a press release that it settled two investigations into Uber Technologies, Inc.’s privacy and data security practices. The Attorney General’s office was investigating Uber’s:
  • Collection, maintenance, and disclosure of passenger personally-identifiable information (PII), such as names, email addresses, phone numbers, and payment details.
  • Practices that allowed Uber employees, including executives, to track individuals by accessing riders’ real-time geo-location data combined with PII.
  • Failure to provide timely notification of a May 12, 2014 data breach that exposed Uber driver names and driver license numbers to unauthorized individuals.
Uber operates a platform that allows riders to connect with Uber drivers using an app on their mobile phones. To operate its service, Uber collects:
  • PII from riders.
  • Data from drivers, such as driver license information, vehicle registration and licensing information, and vehicle inspection documentation.
  • Real-time geo-location information of riders and drivers.
Specifically, Uber supported an aerial view of the real-time movement of cars on its platform for operations purposes. This aerial view was accessible to Uber employees and executives, and displayed riders’ PII, allowing the tracking of individuals.
In settling the investigation, Uber agreed to:
  • Maintain geo-location information in a password-protected environment, and encrypt such data-in-transit.
  • Adopt protective technologies, including multifactor authentication or similar controls, for the storage, access, and transfer of private information.
  • Only allow designated employees with a legitimate purpose to access geo-location information, and enforce those limits with technical controls and a formal access authorization process.
  • Designate one or more employees to coordinate and supervise its privacy and security program.
  • Conduct:
    • regular assessments of its privacy and data security practices and implement appropriate updates to its controls; and
    • annual employee training on data security practices for those who handle private information.
  • Describe its policies regarding rider geo-location information in a separate section of its consumer-facing privacy policy.
Uber also agreed to pay $20,000 for a separate failure to timely notify affected drivers and the NY Attorney General’s office of a data breach that exposed driver names and driver license numbers to unauthorized access. Though the data breach occurred at least as early as May 12, 2014, and Uber discovered it in September 2014, the company did not notify the affected drivers or the Attorney General’s office until February 2015.
The notification was deemed untimely under New York's data breach notification law, which requires notice to affected individuals and certain government agencies in the most expedient time possible and without unreasonable delay.
This action serves as a reminder that organizations should:
  • Closely examine access control policies and procedures to ensure that only those with a legitimate need-to-know may access PII.
  • Conduct regular risk assessments, especially regarding privacy and data security practices for sensitive PII such as geo-location information.
  • Implement appropriate technical controls to protect PII.
  • Review their data breach response plans to ensure timely notices.