Uber Waits More Than a Year to Disclose Data Breach

Ride-hailing company learned of the breach in October 2016.

November 27, 2017

NEW YORK – The Wall Street Journal reports that former Uber CEO Travis Kalanick, who resigned as CEO in June, knew of a massive data breach and paid the hackers $100,000 to destroy the stolen data. Current Uber CEO Dara Khosrowshahi, who learned of the 2016 breach two weeks after taking the helm of the company in September, waited another two months before notifying customers and drivers on November 21.

Uber says that its outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. However, the individuals were able to download files containing a significant amount of other information, including:

  • The names and driver’s license numbers of around 600,000 Uber drivers in the United States.
  • Some personal information of 57 million Uber users around the world, including the drivers described above.

“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it,” Khosrowshahi says on Uber’s website, noting that the learnings prompted Uber to individually notify the drivers whose driver’s license numbers were downloaded and provide those drivers with free credit monitoring and identity theft protection.

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers,” he said.

Uber’s data breach brings into question an acceptable timeline for notifying the public of a possible breach. The Journal writes that several states, the Federal Trade Commission and at least three European government agencies have opened inquiries into why it took Uber more than a year to disclose the breach, but other companies have also been criticized for making disclosures of data breaches after shorter periods of time. For example, Equifax Inc. was faulted by lawmakers during congressional hearings for taking just under six weeks to disclose its massive data breach publicly, a hack that compromised the personal information of more than 145 million consumers.

“In the U.S. today, most [state] laws allow six to eight weeks for companies to notify regulators and consumers,” Bo Holland, the chief executive of AllClear ID Inc., told the Journal, adding that companies meeting these standards can still suffer a tarnished reputation. “Equifax met the letter of the law, no one was happy with their response, and the executives and shareholders suffered the consequences,” he said.

There is currently no federal law on breach notification, leaving the incidents subject to a patchwork of 48 state laws, notes the Journal. NACS believes that federal legislation should incorporate the following principles:

  • Ensure all breached entities have notice obligations so that telecommunications companies, banks, card networks, card processors, and others cannot have a breach and push their notification obligations onto retailers.
  • Do not exempt favored industries (like financial services businesses) from data security or data breach responsibilities.
  • Promote reasonable data security standards without dictating detailed requirements that are not appropriate for many businesses.
  • Maintain an appropriate enforcement regime so that the Federal Trade Commission cannot immediately seek penalties without first giving businesses a chance to come into compliance.
  • Establish a uniform nationwide law that preempts state laws.

Several congressional committees are looking at cybersecurity and data security issues and may consider legislation this Congress. In past Congresses, there have been bills introduced which would set federal data breach notification and data security requirements.
