InfoBytes Blog

Financial Services Law Insights and Observations

New York AG Requires Transportation Company to Enhance Data Security Practices

Privacy/Cyber Risk & Data Security

On January 6, New York AG Schneiderman announced a settlement with a California-based transportation network company that requires the company to enhance its data security practices to protect consumers’ personal information. In November 2014, the AG’s office launched an investigation into the company’s collection, maintenance, and disclosure of users’ personal information “amid reports that [company] executives had access to riders’ locations and that the company displayed this information in an aerial view, known internally as ‘God View.’” Moreover, in February 2015, the company reported to the AG’s office that, as early as September 2014, it had experienced a data breach in which company drivers’ names and license numbers were exposed to an unauthorized third party.

In addition to the $20,000 penalty for failure to provide timely notice regarding the data breach, the settlement requires the company to (i) limit access to geo-location information to designated employees through technical access controls and a formal authorization and approval process; (ii) designate at least one employee to coordinate and supervise its privacy and security program; (iii) conduct annual training for employees implementing its data security practices and the handling of private information; (iv) adopt protective technologies for the storage, access, and transfer of private information, and the credentials required to access such information; (v) conduct regular assessments of the effectiveness of internal controls and procedures related to securing private information and geo-location information, as well as implement updates to such controls based on the assessments; and (vi) include a separate section in its consumer-facing privacy policy describing policies regarding location information collected from riders.