Friday, August 18, 2017
FTC Acting Chairman Maureen K. Ohlhausen said Uber had both underplayed employee access to databases and failed to secure user and driver information. Uber called one of its publicized practices "Creepy Stalker View," suggesting it was fully aware of its unauthorized and illegal behavior.
Peter Sims, founder and Chief Executive Officer of parliament inc., said he was contacted in October 2014 by an attendee at an Uber launch party where the company was streaming celebrity avatars in real time as they took Uber rides in New York City.
"After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission," he later blogged. "She told me to calm down, and that it was all a 'cool' event and as if I should be honored to have been one of the chosen." Sims said he later quit the ride-sharing service, despite having been impressed by its product design and user experience.
As previously reported July 19, 2017, in The Green Sheet, a joint study by Crowd Research Partners and Stealthbits Technologies Inc. found most companies may not be ready for the European Union General Data Protection Regulation (EU GDPR), which becomes law May 25, 2018. The companies surveyed 500 cybersecurity professionals who belonged to LinkedIn's Information Security Community. Nearly 90 percent of survey respondents in the 2017 EU GDPR Readiness Report were familiar with the EU GDPR; only 32 percent considered themselves compliant or nearly compliant. The guidelines will affect U.S. companies that work with European individuals and organizations, researchers noted.
Willy Leichter, Vice President of Marketing at security firm Virsec Systems Inc., said the Uber settlement highlights the need for companies to take customer privacy more seriously or face significant penalties and fines. "Regardless of fines, it's no longer acceptable or prudent for companies to handle customer data carelessly," he stated. "If this type of breach occurs after the EU GDPR takes effect in May 2018, Uber could be liable for up to 4 percent of [its] annual revenue, no doubt a huge number."
Leichter further noted that compliance requirements increasingly demand security practices that are up to date, well documented and actively enforced. This includes using current technology like encryption and advanced malware protection. "Even if a company is hacked, they will be held responsible for the lost data," he noted.
Christian Vezina, Chief Information Security Officer at Vasco Data Security International Inc., said the approaching GDPR deadline and massive privacy breaches around the world make it imperative for organizations to focus on protecting personal information and improve how they manage and protect that data. "We will see more fines and penalties among companies that fail to apply generally accepted privacy principles," he said. "A true focus on data privacy, like applying the Privacy by Design principle, and limiting data collection to what is strictly required will become a differentiator for data subjects who are tired of getting notified that their personal information has been breached, again."
Uber has agreed to the terms and conditions of the FTC ruling by observing the following guidelines:
The FTC has invited the public to review and comment on the ruling until Sept. 15, 2017, when the proposed consent order becomes final. "This case shows that, even if you're a fast-growing company, you can't leave consumers behind; you must honor your privacy and security promises," Ohlhausen said.