Uber Technologies, Inc. (“Uber”) has agreed to an expansion of its initial August 2017 proposed consent agreement with the Federal Trade Commission (“FTC”), in light of revelations of an additional security breach in October 2016, which it knew about but did not disclose until November 2017, after it settled over its initial May 2014 breach. The second security breach occurred right in the middle of the FTC’s nonpublic investigation into Uber’s security practices from the initial breach; nevertheless, Uber failed to disclose the breach. Both breaches resulted from Uber’s lax security practices and Acting FTC Chairman Maureen K. Ohlhausen described them as “strikingly similar.” In light of the additional information, the FTC withdrew from the original proposed settlement it reached after the May 2014 breach, expanded the terms, and threatened to fine Uber for future incidents. In an attempt by new CEO Dara Khosrowshahi to set a new tone for the company, Uber agreed to the revised terms on April 12.   Continue Reading Failure to Signal: Uber Forced to Accept Expanded Settlement after Concealing Security Breach from FTC

 Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data….This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”  

–Acting Federal Trade Commission Chair Maureen K. Oldhausen, In the Matter of Uber Technologies, Inc., Consent Order

To read more about this important FTC Consent Order and its implications for all companies with respect to privacy policies and the promises made to users/consumers, check out this Mintz Levin Privacy Alert.