January 09, 2017

Former Uber Employee Files Suit for Retaliation in Reporting Insecure Data Privacy Practices

Angel Chiang – January 9, 2017

A former Uber employee has filed suit against the San Francisco-based ride-sharing company, alleging that he was wrongfully terminated after he blew the whistle on the company’s insecure data privacy practices just a few weeks before his shares vested. Samuel Ward Spangenberg of Larkspur, California, who was hired by Uber in March 2015 as a forensic investigator, alleges that “Uber collected data regarding every ride a user requested, their username, the location the ride was requested from, the amount they paid, the device used to request the ride, the name and email of the customer, and a myriad of other data that the user may or may not know they were even providing Uber by requesting a ride,” and made such information accessible to all Uber employees. In a declaration filed in October 2016, Spangenberg alleges that he reported to Uber managers that Uber “lacked security regarding its storage of driver information, including Social Security numbers, which are available . . . to all Uber employees, without regard to any particular level of employment or security clearance.” In so doing, Spangenberg alleges, Uber violated “governmental regulations regarding data protection and consumer privacy rights.”

In response, Uber issued an official statement denying Spangenberg’s allegations and stating that Uber has “built an entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs.” The statement further says that “Many employees are in operational roles and have legitimate reasons to access customer data. If a rider requests a refund, an authorized customer support representative would access data needed to credit that rider’s account. In the case of a traffic incident, a dedicated member of [Uber’s] safety team needs to access customer data to conduct a proper investigation and help the affected parties reach resolution.”

John Flynn, Uber’s chief information security officer, notes that employees are presented with Uber’s data access policy each time they access customer data, which warns them not to abuse their access to look for information about personal acquaintances or celebrities, and that access to data is audited regularly to detect abuse. Specifically, Flynn states that “All data access is logged and routinely audited, and all potential violations are quickly and thoroughly investigated. We have terminated employees in the past for violating this policy.”

This is not the first time Uber has been accused of privacy violations. Uber announced in June 2016 that its database had been breached by a third party on May 12, 2014, which resulted in the exposure of the personal information of more than 100,000 of its drivers. According to Uber’s public statement, the breach was not discovered until September 17, 2014. Then, in November 2016, Uber was accused of tracking users’ location before and after they enter the vehicle, because the Uber app is often running in the background of mobile devices.

Angel Chiang is an associate at Fenwick & West LLP in Mountain View, California.


Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).
