Uber for Business: More Dangerous Than We Realized
There’s no arguing with the advantages of rideshare over more traditional options like public transportation, taxis or contracted bus services. Convenient, clean and cost-effective, the Ubers and Lyfts of the world are the primary way many people get from A to B.
Businesses and organizations recognize that too, and are increasingly partnering with rideshare platforms to offer the transportation service to customers and colleagues. However, risk managers could be underestimating the additional liability exposures created by these partnerships.
Despite their benefits, on-demand ride hailing apps may not be the best fit for every purpose. At the very least, organizations should consider how partnering with a rideshare platform impacts their liability exposure.
Cyber and Privacy Liability
Integrating with a rideshare platform creates another point of entry into a company’s corporate network. This exposes confidential company data to theft and increases vulnerability to a malware attack.
In 2017, Uber launched a B2B platform — Uber for Business — designed to allow companies to manage rides taken by their employees or ordered for customers or partners. The program allows approved rides to be automatically charged to the company account and provides detailed records of who took the ride, where and at what time. By linking directly to a corporate account, the platform exposes business users to direct financial theft.
According to an August 2017 report from cybersecurity firm Appthority, Uber updated its platform at the end of 2016 and did away with the encrypted connection used to transmit data.
“It’s unclear why Uber removed SSL support and important to note that not using proper data encryption during network transmission may lead to man-in-the-middle attacks or the disclosure of important information to unintended parties,” the report said.
Access to this information could allow third parties to track the movements of anyone using the system, and could potentially reveal personal private information as well as classified business information. This matters especially for health care organizations using rideshare platforms to provide non-emergent medical transportation for patients.
In March 2018, Uber officially launched its Uber Health platform and began partnering directly with healthcare facilities to provide patient rides. Lyft also began offering a similar service via Lyft Concierge. Integration with a hospital’s computer system, which allows the rideshare app to pre-load passenger information like name and address, could also create a pathway for hackers to access electronic medical records. That unlocks the potential for HIPAA noncompliance and subsequent regulatory action and lawsuits.
Liability for Sexual Assault and Bodily Injury
Neither Uber nor Lyft has a sparkling record when it comes to properly vetting its drivers. A 2018 CNN investigation found that in the past four years, at least 103 Uber drivers and 18 Lyft drivers in the U.S. have been accused of sexually assaulting or abusing passengers.
Each company conducts criminal background checks on drivers, but it’s not known how extensive or thorough they are. Because rides can be accepted by any nearby driver, companies can never know who exactly will be picking up their employee or customer.
They have no control over the vetting process and no way to conduct their own investigation into drivers ahead of time. This applies not just to a driver’s criminal history, but also his behavior behind the wheel. A history of speeding tickets, for example, would be a bright red flag, but that information may not be known to the rideshare company, and certainly not to the business partnered with them.
If a passenger picked up for a business-related ride gets injured, they may include the organization in a lawsuit along with the transportation company, alleging that the company was negligent in its selection of a vendor with unsafe hiring practices, thus exposing riders to risk.
Most states require rideshare providers to carry $1 million in auto liability limits, but in the case of a severe accident, a business partner utilizing the platform could be held vicariously liable. For healthcare organizations, that can also result in medical malpractice litigation.
If an employee is attacked or otherwise injured during the course of a ride arranged through their employer, they may be entitled to workers’ comp benefits. Some states’ “coming and going” rules bar compensation for injuries incurred while driving to or from work, but the fact that the car in question was arranged via a company-sponsored transportation platform could alter the equation.
Given the relative novelty of the Uber for Business platform, no such claims have yet been filed. But it’s likely that accidents and injuries could lead to claimants pushing the courts’ boundaries on the definition of work-related activities as they pertain to the coming and going rule. According to a June 2018 article in The Legal Intelligencer, three exceptions to the coming and going rule include:
- The employment contract includes transportation to and from work;
- The claimant is on a “special assignment or mission” for the employer; or
- Special circumstances are such that the claimant was furthering the business of the employer.
If a court decides that these exceptions apply and such claims are deemed compensable, that will increase the workers’ compensation exposure.