The advice we always give to clients regarding privacy policies is: “say what you do and do what you say.” It seems simple, but simplicity can be deceiving. Companies want to reassure consumers that their personal data is safe and secure; however, in today’s world, no one can make fail-safe representations of security. Uber’s recent settlement with the FTC illustrates this problem.

Uber claimed in privacy policies and statements that it “closely” monitored internal access to consumers’ personal information on an ongoing basis and provided “reasonable” security for consumers’ personal information stored in its databases. Uber stated that “we use standard, industry-wide commercially reasonable security practices”; “we use the most up to date technology”; “we’re extra vigilant in protecting all private and personal information”; and “all your personal information… is kept secure and encrypted to the highest security standards available.”

The FTC alleged that Uber violated Section 5 of the FTC Act by failing to live up to these statements. For example, the FTC claimed that Uber did not take reasonable measures to prevent a data breach because Uber did not implement basic access controls, such as multi-factor authentication, to safeguard data stored in the cloud, and Uber failed to encrypt certain consumer personal information and stored such information in plain readable text. Even though Uber claimed to use the best technology available to protect consumer data, the FTC alleged that Uber failed to take certain low-cost measures that could have helped prevent a data breach. And while Uber at one point developed an automated system for monitoring access to consumer personal information, the FTC said the company stopped using this system and rarely monitored internal access to personal information. As a result of Uber’s failure to comply with its privacy statements, the company suffered a data breach and an intruder was able to access consumers’ personal information.

The FTC’s settlement with Uber demonstrates that even an industry-disrupting technology company can overpromise in its privacy policy in an effort to encourage consumers to do business with the company. The claims Uber made in its privacy statements are claims that companies often include in privacy policies, such as “highest standards available” and “most up to date technology”. Companies would be wise to review their privacy policies to ensure they are not making superlative, overbroad, or absolute statements they cannot substantiate. And companies should ensure that, if they claim to use “reasonable” or “standard” security practices, the company understands what regulators view as reasonable or standard in the industry.

Our Data Privacy, Security and Breach Response team regularly helps clients with their privacy statements and policies and procedures. Please reach out to us if you have any questions.