Uber Reaches Privacy Settlement with New York Authorities

January 18, 2016

Transportation service Uber has reached a settlement agreement with authorities in New York over information privacy claims.  Uber has reportedly agreed to pay $20,000 and to make modifications to its data security practices in exchange for settlement of the state inquiries.  This agreement highlights the privacy challenges associated with services that rely on massive collections of personal information.

One of the issues raised by the authorities in New York was the privacy of geo-location information associated with individual Uber users.  The Uber system has the ability to identify and monitor the location of individual riders in Uber cars.  This capability enables Uber to track, in real time, the location of individual users in the system.

Reportedly, on a variety of occasions, Uber personnel shared the geo-location information associated with specific riders with parties outside of the Uber organization.  Concerns regarding this sharing of rider information were expressed by New York authorities.

A second data security issue raised by the New York authorities concerned access to personal information associated with Uber drivers.  Authorities in New York alleged that the names and driver's license numbers associated with approximately 50,000 Uber drivers were accessed by unauthorized external parties due to apparent Uber data security breaches.

In order to resolve the concerns expressed by the New York authorities, Uber agreed to take several actions.  The company agreed to pay New York approximately $20,000.  The company also agreed to enhance its data security measures.

Uber now encrypts all geo-location information associated with its riders.  The company now also uses a more robust data access security system which makes use of multiple controls to limit user access.  These security enhancements were reportedly implemented as part of the New York settlement.

The privacy concerns expressed by New York authorities in the context of Uber are applicable to all service providers that make use of personally identifiable information, including geo-location data.  The security enhancements Uber has agreed to implement for this settlement provide a useful framework for all organizations that process personal data.

All organizations that collect and use personally identifiable information should use the data security measures outlined in the Uber settlement as a baseline establishing minimum data security standards.  Some organizations will likely find that they require even more robust data security measures than those implemented by Uber.  The practices arising from the Uber settlement with New York do, however, offer useful guidance regarding minimum acceptable data security practices.