Uber is expanding the proposed settlement it made with the Federal Trade Commission last August pertaining to data mishandling, privacy and security complaints that dated back to 2014 and 2015. In August, Uber agreed to 20 years of privacy audits.
That proposed settlement happened prior to Uber’s disclosure of the massive 2016 data breach that affected some 57 million riders and drivers. Now, Uber will be subject to “additional requirements,” according to the FTC.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” Acting FTC Chairman Maureen K. Ohlhausen said in a statement. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”
As part of the revised settlement, Uber may be subject to civil penalties if it fails to notify the FTC of future privacy breaches. Uber must also submit all third-party audits of the company’s privacy program, as well as retain records pertaining to bug bounty programs that relate to unauthorized access to consumer data.
“My first week at Uber was the week we disclosed the 2016 breach. When Dara Khosrowshahi joined the company, he committed on behalf of every Uber employee that we would learn from our mistakes, change the way we did business and put integrity at the core of every decision we made,” Uber Chief Legal Officer Tony West said in a statement to TechCrunch. “Since then we have moved quickly to do just that by taking responsibility for what happened. I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts.”