Uber Will Pay No Fines to FTC for 2016 Breach
The FTC has ruled that Uber will face no fines after paying hackers $100,000 to delete information on 57 million passengers and drivers stolen from Uber’s database in 2016.
In lieu of fines, the company has agreed to a number of compliance requirements, which include:
- Creating a Privacy Program: Uber will have to share with the FTC a list of all employees responsible for the privacy protection program, identify reasonable risks, and design a program for dealing with these risks. The company will also need to have a process for retaining security service providers. All plans must be evaluated and approved by the FTC.
- Privacy Assessment: The company must have a third party evaluate its privacy system. After the initial assessment, Uber will need biennial reviews by a third party. The third-party security company hired must have at least three years of experience in privacy and data protection.
- Reporting Covered Incidents: In the future, if information is once again accessed by an unauthorized party, Uber must report it to U.S. federal, state or local governments within 10 days of discovering the breach. The report must include the date range and a description of the incident, the information accessed, and the steps taken to remediate the incident.
Even though the FTC will not be charging Uber any fines, the company may still face financial repercussions over the breach through a series of lawsuits, according to Gizmodo.