Do Companies Have to Notify You of a Data Breach?
Ride-sharing company Uber has been sued this week for failure to disclose a 2016 data breach. The company had paid hackers a $100,000 ransom to keep quiet about stealing the personal information of 57 million customers and 600,000 drivers, according to the Chicago Tribune. In addition to lawsuits from Chicago and Cook County, Illinois, Congress has started an inquiry into the matter, according to Recode.
If you are an Uber customer or driver, you may be angry that you were not told your email address, driver’s license number and other personal information may have been exposed to criminals. You may also be wondering what legal obligations companies have to notify their customers of these breaches. Generally speaking, you should be notified if your personal information has been breached.
The National Conference of State Legislatures lists the specific laws governing data breaches in 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands. Many states and cities have laws on the books that require companies to notify consumers of data breaches, which is why Uber may be in trouble.
While the wording of each law is different, these laws typically require companies to notify customers if their personal information—including names, Social Security numbers, driver’s license numbers, or account numbers—has been illegally acquired by an unauthorized third party.
Since the laws vary from state to state, some members of Congress have proposed a single national standard for data breach notifications. Last month, Rhode Island Congressman Jim Langevin introduced the Personal Data Notification and Protection Act of 2017. The bill states that “any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify… any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.”
Similar bills have been introduced in the past, but they were opposed by legislators who believed such laws should be left to the states.