Uber Finalizes Privacy Settlement With FTC

Uber and the Federal Trade Commission have finalized a new settlement stemming from allegations that the company failed to monitor employees' ability to access users' location data, as well as allegations that it failed to adequately secure data of drivers and consumers.

The revised settlement requires Uber to institute a comprehensive privacy policy and undergo privacy audits for 20 years. It also requires Uber to provide the FTC with the auditors' reports, and to retain records related to a new “bug bounty” program -- which pays hackers to find security vulnerabilities.

The deal resolves a host of allegations related to data breaches and privacy practices dating back to 2014. In November of that year, it emerged that Uber had an internal tool, "God View," that gave employees access to customers' geolocation data while they were en route.

Faced with widespread criticism, Uber issued a privacy policy stating that employees were prohibited from accessing riders' or drivers' data, except for specific business purposes, like facilitating payments and fraud monitoring.

Despite that promise, between August of 2015 and May of 2016, Uber allegedly failed to follow up on alerts about the "potential misuse of consumer personal information," according to the FTC.

For part of that time, Uber also only monitored account information for "a set of internal high-profile users, such as Uber executives," the FTC alleged in a 2017 complaint against the company.

Uber also suffered a 2014 data breach in which hackers may have obtained sensitive data of around 100,000 drivers -- including names, driver's license numbers, bank account details and Social Security numbers.

Last year, Uber and the FTC reached a settlement related to the 2014 data breach and the geolocation privacy allegations. But it later emerged that Uber also suffered a 2016 data breach that affected 57 million people. What's more, Uber concealed that breach for one year, going so far as to pay hackers $100,000 to destroy the data, Bloomberg reported. Data taken in that incident included names, email addresses and phone numbers of around 50 million customers and 7 million drivers, and driver's license numbers for 600,000 people.

News of that data breach prompted the FTC to revise its settlement by including new mandates that Uber provide the agency with copies of the privacy audits, and retain information related to its new bounty program.

Two groups -- the World Privacy Forum and Electronic Privacy Information Center -- had urged the FTC to automatically make the auditors' reports public. The FTC denied that request, but said reports could be released in response to Freedom of Information Act requests. Two commissioners -- Rohit Chopra and Rebecca Slaughter -- said Friday they supported the request to automatically make the reports available to the public.
