Lyft recently confirmed that it is investigating whether its employees were accessing its customer database without appropriate authorization to obtain personal information, including rides taken by Facebook CEO Mark Zuckerberg. The investigation was announced less than six months after Uber entered into a Federal Trade Commission (FTC) consent order to resolve allegations of similar behavior by its own employees.
The investigation demonstrates the importance of revisiting internal compliance measures in the wake of legal developments that may be relevant to a particular company or industry. Companies need to maintain comprehensive privacy programs to ensure the confidentiality of the personal information that they collect. Such programs should include, at a minimum:
- Board level attention to the risks associated with privacy violations involving personal information, such as operational and reputational risks;
- Policies and procedures that establish strict access management controls relating to personal information;
- Training on these policies and procedures tailored specifically to each employee's job responsibilities and level of access to personal information;
- Monitoring of employee access to personal information;
- Technical controls to prevent unauthorized access to personal information;
- Audits of the effectiveness of the administrative, technical, and physical controls put into place to protect personal information;
- Processes for responding to consumers' complaints relating to their personal information; and
- Continual updates to the program to address evolving risks and respond to relevant legal and regulatory developments.
Without adequate compliance management of privacy risks, companies could face not only regulatory scrutiny from governmental entities, such as the FTC and state attorneys general, but also consumer class actions, charges under the Computer Fraud and Abuse Act, or potential liability arising from cyberstalking crimes committed by employees.