Regulators imposed additional data retention and reporting requirements on Uber, after the tech giant waited 12 months before disclosing a major information security breach.
The company agreed to the new rules in an expanded settlement with the Federal Trade Commission, announced on Thursday by the agency.
Uber had entered into an FTC consent agreement in August 2017, over deficient internal controls on employee access to information. In November, the data breach was revealed by CEO Dara Khosrowshahi, who was then in his first few weeks on the job.
Hackers had stolen information about roughly 57 million people around the world. The company paid $100,000 to the attackers to erase the data and keep quiet, Khosrowshahi revealed in an interview with Bloomberg.
The executive also said that the two employees who led the response were fired, and pledged to change “the way we do business.”
Uber’s chief of information security, however, defended the “bug bounty” in February testimony before a Senate subcommittee. John Flynn said the initiative “unquestionably has increased the scale and speed at which we are able to identify and eliminate cybersecurity threats.”
As part of Thursday’s revised settlement, Uber agreed to report “bug bounty” payments to the FTC for the next five years. The company also said it would submit to the agency all third-party audits arising from the August 2017 consent agreement.
“The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future,” said Acting FTC Chair Maureen Ohlhausen.