Ride-Share Company Agrees to Expanded FTC Settlement

A prominent ride-share company has entered into an expanded consent agreement with the FTC due to its failure to disclose a significant data breach that occurred during the negotiation of an earlier settlement of a different data breach with FTC, which came to light during the public comment period for the previous settlement.  As a result of that discovery, the FTC withdrew the previous proposed consent agreement.

In a revised complaint, the FTC alleges that the company violated the FTC Act by deceptively describing its data security.  The FTC further alleges that the company suffered from two separate data breaches:  one in May, 2014; and a separate one in November, 2016.  Following the 2014 breach, the company notified individuals affected by the breach shortly after its discovery.  Approximately a year after the initial notifications occurred, the company discovered that about 60,000 additional individuals had been affected and sent a second round of breach notifications.

The second breach allegedly occurred while the FTC was in the midst of investigating the 2014 breach, and involved a hack of the company’s online data storage.  While the first breach dealt with the private information of the company’s drivers, the 2016 breach included both drivers and riders utilizing the ride-sharing application.  This breach contained the names and email addresses of over 25 million users, the names and phone numbers of over 22 million users, and the names and driver’s license numbers of over 600,000 drivers.  Instead of immediately informing the FTC of the breach, the company allegedly paid the hackers $100,000.

The proposed settlement would order the company not to make misrepresentations regarding its data security and require the company to take certain steps to increase data security:  First, the company must implement and maintain a comprehensive privacy program that is designed to address privacy risks and protect the confidential information of consumers using the company’s ride-sharing application.  Second, the company must obtain an initial privacy assessment by a third-party, and then continue to receive biennial assessments for the next twenty (20) years.  Third, after any data breach incident is discovered by the company, it must notify the appropriate governmental entity, and then submit a report to the FTC including details of the breach, such as a description of the type of information that triggered the notification and the number of consumers whose information was breached.  Finally, the company must submit a compliance report, detailing how it has complied with the terms of the settlement and must create and maintain specified records, including related to data security.

The FTC’s revised proposed Decision and Order is subject to public comment until May 14, 2018.