On April 12, 2018, the Federal Trade Commission (FTC) announced that it was withdrawing its proposed August 2017 privacy and data security settlement with Uber Technologies and issuing a new and expanded proposed settlement.1 According to the FTC, the reason for this extraordinary step was to address additional allegations of misconduct by the ride-sharing company in connection with a data breach it suffered in 2016. The revised complaint includes new factual allegations regarding that breach,2 and the revised consent order includes significant new reporting obligations for the company regarding future breaches, new obligations for the order’s mandated privacy program, and additional reporting and recordkeeping obligations that will last for longer periods of time.3
Those who closely follow the FTC know that modifications to consumer protection settlements after the FTC has proposed them are extremely rare, so it’s worth taking a closer look at what triggered this unusual action and the important new insight it provides into the FTC’s current thinking on what it considers unreasonable security practices. Additionally, the FTC’s revised complaint provides, for the first time, concrete guidance on what it considers “legitimate” uses of a bug bounty program.
Background
We discussed the original settlement in our September 2017 issue of the WSGR Data Advisor, but here’s a recap of the alleged facts that led to that settlement and the claims asserted by the FTC in its complaint. The original settlement arose out of two events that occurred back in 2014. First, the company was subject to numerous negative news reports regarding its “God View” internal customer tracking tool, which resulted in Uber issuing a public apology and promising to closely monitor and audit employees’ access to customer data going forward. The FTC alleged, however, that Uber did not honor this promise. Second, Uber experienced a data breach in 2014 affecting the names and driver’s license numbers of about 110,000 Uber drivers, but did not disclose the breach until early 2015 to half the drivers and mid-2016 to the other half. The FTC alleged that the breach was caused by Uber’s insecure handling of its Amazon Web Services (AWS) Simple Storage Service (S3) Datastore access key, resulting in the key being posted to a public GitHub repository and then being used by intruders to access driver data.
Under the facts alleged in its original complaint, the FTC charged Uber with engaging in two counts of deception: (1) not living up to public promises to monitor and audit internal access to consumers’ personal information; and (2) promising, but not implementing, reasonable security measures to protect that same information. To settle these claims, Uber agreed to not misrepresent how it monitors or audits internal access to consumers’ personal information or how it protects and secures that data. Additionally, Uber agreed to implement a comprehensive privacy program that will be subject to independent biennial audits for the next 20 years, and to comply with various recordkeeping and compliance reporting and monitoring requirements that have become standard in FTC consumer protection orders.
What’s New
The new facts alleged in the FTC’s revised complaint relate to an additional data breach involving GitHub and Uber’s Amazon S3 Datastore that Uber discovered in November 2016 during the FTC’s nonpublic investigation into the company’s data security practices. According to the complaint, Uber did not disclose the breach to the FTC or consumers until a year later, in November 2017, even though the circumstances of the breach were remarkably similar to those of the 2014 breach that the commission was investigating. Specifically, the FTC alleges that intruders again gained access to Uber’s Amazon S3 Datastore via an access key that an Uber engineer posted to GitHub, though this time in a private repository.
Although the GitHub repository was private, Uber allegedly allowed engineers to access the company’s repositories using their individual GitHub accounts, which were generally associated with engineers’ personal email addresses. The FTC claimed that Uber did not have a policy prohibiting engineers from reusing credentials, nor did it require engineers to enable multi-factor authentication for their GitHub accounts. According to the FTC, this led to intruders using passwords exposed in other large data breaches to gain access to an engineer’s personal GitHub account, and thus the access key for Uber’s Amazon S3 Datastore. The intruders then allegedly downloaded 16 files from the datastore containing unencrypted consumer personal information.
According to the complaint, Uber discovered the breach in November 2016 when one of the intruders contacted the company and demanded a six-figure payout. Uber then allegedly paid the intruders $100,000 through its bug bounty program, though it did not disclose the breach to consumers or the FTC until November 2017. The FTC asserted that these facts further supported its second count in the complaint, namely that Uber “did not provide reasonable security for consumers’ personal information stored in its databases.”4
In addition to the new facts added to the complaint, the FTC added several new requirements to its revised consent order, of which two in particular stand out: First, the commission expanded the types of risks Uber will have to consider in its mandated privacy program to specifically include: (1) secure software design, development, and testing, including regarding key management for secure cloud storage; (2) how the company reviews, assesses, and responds to third-party security vulnerability reports, including through its bug bounty program; and (3) how the company prevents, detects, and responds to attacks, intrusions, or system failures. Second, Uber must file detailed reports to the FTC if it discovers any data breaches that trigger a requirement to notify other U.S. federal, state, or local government entities. This type of notification requirement is the first of its kind to appear in an FTC data security consent order.
The FTC also added several new reporting and recordkeeping obligations to the consent order, including that Uber: (1) proactively submit all third-party biennial assessments of its mandated privacy program to the FTC within 10 days after they have been completed, rather than just the first assessment; (2) send copies of the consent order to all employees who regularly access personal information, rather than just employees who have managerial responsibilities related to the subject matter of the order; (3) provide additional information in its initial compliance report regarding the personal information that each of its businesses collects, maintains, transfers, or stores; and (4) maintain certain records regarding the operation of its bug bounty program and communications with law enforcement, as well as all records that contradict, qualify, or call into question Uber’s compliance with the consent order.
Key Takeaways
There are a few important takeaways from the FTC’s revised complaint and consent order with Uber. First, the FTC’s decision to take the extraordinary step of withdrawing and revising its complaint and consent order shows that the commission will take action against a company that it feels was not candid, or otherwise withheld pertinent information, during the course of an investigation. In the FTC’s press release announcing the revised complaint and consent order, Acting FTC Chairman Maureen K. Ohlhausen stated that “Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach.”5 The consequences of not disclosing its 2016 data breach to the FTC and the resulting stricter consent order will now stick with Uber for at least the next 20 years.
Second, the revised complaint provides additional insight into what the FTC views as necessary to demonstrate “reasonable” security practices for cloud-based storage services. Specifically, it appears from the FTC’s complaint that the commission expects companies to have security policies in place that (1) prohibit engineers from reusing credentials and (2) require engineers to enable multi-factor authentication when accessing code repositories that could be used to gain access to consumers’ personal information. Furthermore, the complaint’s allegations regarding Uber’s 2016 data breach reemphasize the FTC’s expectation that companies encrypt sensitive information stored in cloud-based storage services, as the complaint twice highlights that the information obtained by the intruders was stored unencrypted.
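The failure at the center of both breaches, a cloud access key committed to a code repository, is one that a commit-time check can catch before the key ever leaves an engineer’s machine. The following is an added example, not code from this article, the FTC, or Uber: a small Python scanner for the documented shape of AWS access key IDs (20 characters beginning with “AKIA” or “ASIA”) and 40-character secret access keys, suitable as a pre-commit hook or CI step. The configuration file it scans is constructed for the example, and its credential values are AWS’s published example pair rather than any real key; the assignment-keyword heuristic used to reduce false positives on secret keys is an assumption of this example, not an AWS rule.

```python
"""Pre-commit style scanner for AWS access keys in text.

Added illustration (not code from the article or from Uber/the FTC): flag the
documented shapes of AWS access key IDs and secret access keys so a credential
never reaches a repository, public or private. Sample content below is
constructed; the credential values are AWS's published example pair.
"""
import re
import sys
from typing import List, NamedTuple

# Long-term AWS access key IDs are 20 characters beginning with "AKIA";
# temporary (STS) key IDs begin with "ASIA". Both are worth blocking.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters of base64-style text. That shape alone is
# noisy, so (as a heuristic chosen for this example) only report a secret when
# it sits right after a "secret key"-style assignment keyword.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,3}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str


def redact(token: str) -> str:
    """Keep only the first and last four characters so the hook's own output
    does not leak the credential into CI logs."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per suspected credential in the given text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(paths: List[str]) -> List[Finding]:
    """Scan files on disk (e.g. the staged files passed by a pre-commit hook)."""
    findings: List[Finding] = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(p, fh.read()))
    return findings


# Constructed sample: a credentials file an engineer might commit by mistake.
SAMPLE_CONFIG = """\
# constructed sample file; credential values are AWS's published example pair
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed sample of the preferred pattern: no static key in source at all.
SAMPLE_CLEAN = """\
# credentials come from the environment or an instance role, not the repo
import boto3
s3 = boto3.client("s3")
"""


if __name__ == "__main__":
    # With file arguments, behave as a hook; with none, demonstrate on the sample.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("sample.ini", SAMPLE_CONFIG)
    for f in hits:
        print(f"{f.path}:{f.line_no}: possible {f.kind}: {f.redacted}")
    # A non-zero exit makes git or CI refuse the commit.
    sys.exit(1 if hits else 0)
```

Wired in as a pre-commit hook, the non-zero exit blocks the commit locally; the same script run in CI over the full tree catches keys that were committed before the hook existed. The redaction matters as much as the detection: a hook that echoes the full key into a build log simply moves the exposure somewhere else.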
Finally, the revised complaint is the first time the FTC has publicly issued any statement on what it considers to be a “legitimate” use of a bug bounty program. While the FTC has previously held data security workshops where panelists have discussed the history of bug bounty programs and how they can be part of an effective data security program,6 the FTC’s publications to date have only made general suggestions that companies may want to consider implementing such a program, without providing much detail as to what such a program entails.7 Specifically, in the complaint, the FTC asserts that the intruders who reported the 2016 data breach to Uber “were fundamentally different from legitimate bug bounty recipients” because they “maliciously exploited the vulnerability and acquired personal information relating to millions of consumers” rather than simply identifying the vulnerability and disclosing it responsibly.8 Thus, the lesson here appears to be that vulnerability researchers are not acting responsibly if they obtain consumers’ personal information, and that companies should not pay out bounties to such individuals. That position dives directly into a hotly debated topic in the security community: where the line should be drawn between a researcher acting responsibly and one who should be treated as a hostile intruder.
Conclusion
When the FTC takes the extremely rare step of withdrawing and revising a proposed complaint and consent order, it’s worth taking notice. In this case, there are key additional lessons for companies to learn regarding the importance of not withholding material information from the FTC during an investigation, the FTC’s expectations for reasonable security practices regarding cloud-based storage services, and how to appropriately use a bug bounty program. Companies should use this opportunity to take a closer look at their bug bounty programs and revise their security policies regarding cloud services accordingly.
1 Press Release, FTC, “Uber Agrees to Expanded Settlement with FTC Related to Privacy, Security Claims,” April 12, 2018, https://www.ftc.gov/news-events/press-releases/2018/04/uber-agrees-expanded-settlement-ftc-related-privacy-security.
2 FTC Revised Complaint, In the Matter of Uber Technologies, Inc., https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_revised_complaint_0.pdf.
3 FTC Revised Decision and Order, In the Matter of Uber Technologies, Inc., https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_revised_decision_and_order.pdf.
4 FTC Revised Complaint, supra note 2, at 6.
5 Press Release, supra note 1.
6 See, e.g., FTC, Start with Security – San Francisco, September 9, 2015, https://www.ftc.gov/news-events/events-calendar/2015/09/start-security-san-francisco.
7 See, e.g., FTC, Careful Connections: Building Security in the Internet of Things, January 2015, https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things (“One method some companies have adopted: bug bounty programs that offer rewards – perhaps free products or cash – to people who identify significant security vulnerabilities in their products.”).
8 FTC Revised Complaint, supra note 2, at 6.