Under the terms of the NPA, Uber accepted responsibility for its conduct in the wake of the 2016 data breach, specifically for concealing the data breach from the Federal Trade Commission (FTC), which at the time had a pending investigation into Uber’s data security practices resulting from a 2014 data breach. Uber did not report the breach to the FTC until approximately a year later when the company was under new leadership.
In October 2018, Uber reached a settlement with the FTC, in which it was required to maintain “a detailed and comprehensive privacy program, including biennial assessments of Uber’s privacy controls by qualified, objective, independent third-party professionals” for a period of 20 years.
Additionally, Uber reached a $148 million multistate settlement with the attorneys general for all 50 states and the District of Columbia, in which it agreed to implement a corporate integrity program; specific and robust data security safeguards; a comprehensive incident response and data breach notification plan; and biennial assessments of Uber’s information security program by a qualified, independent third party, for a period of 10 years.
For the reasons listed above, the Department of Justice stated that an independent compliance monitor was not necessary.
Cooperation Factors
Other factors considered by the Justice Department in agreeing to the NPA included Uber’s change of executive leadership in 2017, which the agency credited with “acting promptly upon learning of the 2016 data breach to investigate and ultimately disclose it to government authorities, drivers, and the public.”
The agency additionally credited Uber’s investment in “significantly restructuring and enhancing the company’s compliance, legal, and security functions.” It also hired a chief ethics and compliance officer, a chief legal officer, and a chief trust and security officer, “all of whom had significant experience,” the Justice Department noted in the NPA.
The agency also credited Uber with hiring its first chief privacy officer “responsible for managing the Company’s global data privacy compliance program,” and terminating the two individuals responsible for Uber’s response to the 2016 data breach, including its former chief security officer.
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.