This week’s blog we have a special guest writer- John Wood from Egerton McAfee! Keep reading to get John’s legal perspective on how you can avoid making the same privacy mistake Uber made.
In September Uber agreed to pay all 50 states a combined $148,000,000 to settle a claim that Uber failed to abide by the states notification laws for a privacy breach that occurred in November of 2016. Ironically, Uber had a similar privacy breach in 2014 and was under investigation by the Federal Trade Commission for the 2014 breach at the time the 2016 breach happened. The 2016 privacy breach by Uber resulted in the largest privacy related payment to the states to date. What did Uber do wrong in the second privacy breach that resulted in the largest privacy payment to the states in history?
The first thing Uber did wrong was not learn from its prior mistakes. Uber uses an Amazon S3 Datastore to store files that contain the personal information for riders and drivers. According to the FTC, Uber did not properly protect the access to the Amazon Datastore.
The failures noted by the FTC are that Uber allowed engineers to use a single access key with full administrative privileges, did not restrict access based on employee’s job functions, did not implement multi-factor authentication, and did not implement reasonable security training. As a result of these failures, sometime around May 12, 2014, a hacker was able to access a file that had over 100,000 names and driver license numbers and a handful of bank account numbers and social security numbers. Uber discovered the breach in September of 2014 but did not send breach notification letters until February of 2015.
In response to the 2014 breach Uber fixed several of its poor security practices related to the Amazon S3 Datastore, but continued to store personal information in plain text. In other words, there was no encryption. Uber also created a bug bounty program that was designed to encourage the finding and reporting of security issues in Uber’s software. Uber announced that payouts under the bug bounty program would go up to $10,000.
In October of 2016, hackers were able to access Uber’s Amazon S3 Datastore again and over the course of a month downloaded the unencrypted personal information of over 47 million individuals. Uber finally discovered the breach in November of 2016 when the hackers contacted Uber and demanded payment. The FTC noted that in addition to storing personal information in clear text, Uber allowed users to reuse credentials and did not require multi-factor authentication. Instead of reporting the breach and notifying the individuals affected, Uber decided to pay the hackers $100,000 under the bug bounty program. It appears that as a result of Uber’s payment the hackers did not release the personal information. It appears that Uber decided if it classified the breach as part of the bug bounty program then notifying individuals of the breach was not necessary. The problem with Uber’s apparent reasoning is that the breach did not happen as a part of the bug bounty program and even if it did having a program does not excuse Uber from the notification laws.
Finally, on November 21, 2017, Uber reported the 2016 data breach.
All 50 states have data breach notification laws that require notification within a month or two of the breach. Tennessee law requires that notification be made no later than 45 days after the discovery of the breach. Tenn. Code Ann. § 47-18-2107. Uber did not meet the deadlines for any of the states. Apparently, the personal information of residents of every state was exposed in the 2016 breach. Since Uber violated the notification laws of each state, the states initiated an action against Uber which resulted in the $148 million settlement.
The biggest lesson in Uber’s missteps is that taking steps to remedy a breach of personal information does not excuse a company from complying with state notification laws. Company’s need to take the state notification laws seriously.