EPIC.org also noted yesterday’s record data breach settlement between state attorneys general and Uber, but took the opportunity to remind everyone that the federal agency that could have gone after Uber, the Federal Trade Commission, had not done as much as they might have. EPIC writes:
The attorneys general of all 50 states and the District of Columbia have settled their lawsuit with Uber for $148 Million. The nationwide investigation found that Uber had violated data breach notification laws because the company payed a hacker $100,000 to keep quiet about the breach instead of notifying consumers that their information had been compromised. The settlement also requires Uber to adopt model data breach notification and data security practices, a corporate integrity program, and hire an independent third party to conduct data security assessments. After Uber made the breach public, EPIC wrote detailed comments to the FTC and the agency revised its settlement with the company. While EPIC supported the FTC’s action, EPC said that “the FTC should make Uber’s privacy assessments public so that consumers can evaluate whether the company is meeting its obligations under the Consent Order.” The FTC’s initial investigation and subsequent settlement with Uber were prompted by EPIC’s complaint against Uber’s in 2015.