The FTC and Uber have settled the enforcement action the FTC brought against the company. This action stems from Uber’s data breach of more than 100,000 individuals’ PII despite its promises that their data was “securely stored within our databases.” The FTC found this promise deceptive when measured against the security practices the company was actually following. In settling the dispute, Uber entered into a Consent Decree that requires it to lay bare its activities before the FTC for the next 20 years. It also requires Uber to establish a Cyber Risk Management Program, a requirement that is becoming increasingly common in FTC consent decrees.
In the Uber Consent Decree, Uber must establish, implement, and maintain
a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of Personal Information. Such program, the content and implementation of which must be documented in writing, must contain controls and procedures appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the Personal Information.
This program must include the following elements:
- Designation of person responsible for the program;
- Regular risk assessments that consider existing and reasonably foreseeable risks, specifically including employee training and management focused on cybersecurity and privacy, and product design, development, and research;
- Implementation of reasonable internal controls and procedures focused on the risks;
- Third-party risk management program for cybersecurity and privacy risks;
- Regular testing of this Cyber Risk Management Program; and
- Re-evaluation and modification of the Program in light of the updated risk assessments, changes in third-party risks, and lessons learned from testing the Program.
While this is not the first time the FTC has required companies to implement such a program, it offers insight into the kinds of activities the FTC believes companies should be doing with their Cyber Risk Management Programs, starting with the fact that they should have one!
In the FTC v. GMR Transcription Consent Decree, the FTC required a similar 20-year commitment by GMR to implement such a program:
GMR Transcription Services, Inc. . . . shall, no later than the date of service of this order, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondents’ or the business entity’s size and complexity, the nature and scope of respondents’ or the business entity’s activities, and the sensitivity of the personal information collected from or about consumers, including:
A. the designation of an employee or employees to coordinate and be accountable for the information security program;
B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;
C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondents, and requiring service providers by contract to implement and maintain appropriate safeguards; and
E. the evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by subpart C, any material changes to any operations or business arrangements, or any other circumstances that respondents know or have reason to know may have a material impact on the effectiveness of the information security program.
Companies need a Cyber Risk Management Program that is tailored to their company, business activities, size, complexity, jurisdiction, and the types and volume of data they handle. While the intricacies of what these programs should look like continue to evolve, it is clear that companies being proactive in addressing their cyber risk should focus on the legal and regulatory risk as well as the more traditional areas of cyber risk outlined in these two cases.
Cybersecurity is no longer just an IT issue. It is an overall business risk issue–and a legal issue–and should be treated as such.
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.