Do Companies Have to Notify You of a Data Breach?

November 28, 2017 | Written by Bill Hardekopf

Ride-sharing company Uber was sued this week for failing to disclose a 2016 data breach. The company had paid hackers a $100,000 ransom to keep quiet about stealing the personal information of 57 million customers and 600,000 drivers, according to the Chicago Tribune. In addition to lawsuits from Chicago and Cook County, Illinois, Congress has started an inquiry into the matter, according to Recode.

If you are an Uber customer or driver, you may be angry you were not told your email address, driver’s license and other personal information may have been exposed to criminals. You may also be wondering what legal obligations companies have to notify their customers of these breaches. Generally speaking, you should be notified if your personal information has been breached.

The National Conference of State Legislatures lists the specific laws governing data breaches in 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands. Many cities have laws on the books that require companies to notify consumers of data breaches, which is why Uber may be in trouble.

While the wording of each law is different, regulations typically require companies to notify customers if their personal information (including names, Social Security numbers, driver's license numbers, or account numbers) has been illegally acquired by an unauthorized third party.

Since laws vary from state to state, legislatures are proposing a single national standard for data breach notifications. Last month, Rhode Island Congressman Jim Langevin introduced the Personal Data Notification and Protection Act of 2017. The bill states that “any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify… any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.”

Similar bills have been introduced in the past, but they were opposed because some legislatures believed such laws should be made at the state level.

The information contained within this article was accurate as of November 28, 2017.


About Bill Hardekopf

Bill Hardekopf is the CEO of and covers the credit card industry from all perspectives. Bill has been involved with personal finance for over 15 years. He is a frequent contributor to Forbes, The Street and The Christian Science Monitor.