The Green Sheet

Friday, August 18, 2017

Uber agrees to FTC privacy guidelines

Uber Technologies Inc. disclosed Aug. 15, 2017, it will cooperate with a proposed consent order by the Federal Trade Commission by implementing stricter privacy guidelines. A court ruling upheld the FTC's proposal for repairing what the FTC deemed to be Uber's egregious privacy policies.

FTC Acting Chairman Maureen K. Ohlhausen said Uber had both underplayed employee access to databases and failed to secure user and driver information. Uber called one of its publicized practices "Creepy Stalker View," suggesting it was fully aware of its unauthorized and illegal behavior.

Peter Sims, founder and Chief Executive Officer of parliament inc., said he was contacted in October 2014 by an attendee at an Uber launch party where the company was streaming celebrity avatars in real time as they took Uber rides in New York City.

"After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission," he later blogged. "She told me to calm down, and that it was all a 'cool' event and as if I should be honored to have been one of the chosen." Sims said he later quit the ride-sharing service, despite having been impressed by its product design and user experience.

GDPR, global privacy concerns

As previously reported July 19, 2017, in The Green Sheet, a joint study by Crowd Research Partners and Stealthbits Technologies Inc. found most companies may not be ready for the European Union General Data Protection Regulation (EU GDPR), which becomes law May 25, 2018. The companies surveyed 500 cybersecurity professionals who belonged to LinkedIn's Information Security Community. Nearly 90 percent of survey respondents in the 2017 EU GDPR Readiness Report were familiar with the EU GDPR; only 32 percent considered themselves compliant or nearly compliant. The guidelines will affect U.S. companies that work with European individuals and organizations, researchers noted.

Willy Leichter, Vice President of Marketing at security firm Virsec Systems Inc., said the Uber settlement highlights the need for companies to take customer privacy more seriously or face significant penalties and fines. "Regardless of fines, it's no longer acceptable or prudent for companies to handle customer data carelessly," he stated. "If this type of breach occurs after the EU GDPR takes effect in May 2018, Uber could be liable for up to 4 percent of [its] annual revenue, no doubt a huge number."

Leichter further noted that compliance requirements increasingly demand security practices that are up to date, well documented and actively enforced. This includes using current technology like encryption and advanced malware protection. "Even if a company is hacked, they will be held responsible for the lost data," he noted.

Christian Vezina, Chief Information Security Officer at Vasco Data Security International Inc., said the approaching GDPR deadline and massive privacy breaches around the world make it imperative for organizations to focus on protecting personal information and improve how they manage and protect that data. "We will see more fines and penalties among companies that fail to apply generally accepted privacy principles," he said. "A true focus on data privacy, like applying the Privacy by Design principle, and limiting data collection to what is strictly required will become a differentiator for data subjects who are tired of getting notified that their personal information has been breached, again."

Proposed consent order

Uber has agreed to the terms and conditions of the FTC ruling by observing the following guidelines:

  • Consumer personal information: Uber will no longer misrepresent how it monitors consumer data and personal information.

  • Data protection: Uber will implement clear and transparent methods of protecting and securing data.

  • Privacy guidelines: Uber will implement a comprehensive privacy program to address privacy risks related to new and existing products and services. It will also protect the privacy and confidentiality of personal information it collects.

  • Compliance: Uber will submit to independent, third-party audits within 180 days, and every two years after that for the next 20 years, certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.

The FTC has invited the public to review and comment on the ruling until Sept. 15, 2017, when the proposed consent order becomes final. "This case shows that, even if you're a fast-growing company, you can't leave consumers behind; you must honor your privacy and security promises," Ohlhausen said.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.