Uber headquarters in San Francisco. Credit: Jason Doiy/ ALM

Uber Technologies Inc.'s admission Tuesday that it waited a year to disclose a massive data breach could put the company in the crosshairs of a California law that mandates prompt notification—both to the public and to state regulators—of significant cyberattacks.

California's 14-year-old data breach notification law, the first of its kind in the nation, requires government agencies and companies that do business in the state to alert customers if their unencrypted personal information is exposed. Breaches affecting more than 500 customers must also be reported to the California attorney general's office, which maintains details about security breaches in a public database.

Uber said the compromised data of 57 million drivers and riders globally included names, emails, addresses and phone numbers as well as 600,000 U.S. driver's licenses.

Bloomberg reported Tuesday that, instead of notifying customers when they learned of the attack in late 2016, company officials paid the data hackers $100,000 to delete the information and keep the breach quiet.

An unidentified law firm hired by Uber's new corporate leadership discovered the breach and payoff this year while investigating the work of Uber's former chief security officer Joe Sullivan and his security team, the report said. Sullivan and a senior lawyer, Craig Clark, in charge of security and law enforcement, have been ousted, according to Bloomberg.

“None of this should have happened, and I will not make excuses for it,” Uber CEO Dara Khosrowshahi said in a statement posted on the company's blog.

What response California regulators might take to Uber's delayed notification wasn't immediately known Tuesday.

“The California Department of Justice vigorously protects the rights and interests of the nearly 40 million people of our state and that includes protecting them against disclosure of their privacy data,” the state AG's office said late Tuesday. “Consistent with our longstanding policy and practice, we do not comment on any possible investigation or prosecution.”

“The fact that the company attempted to keep this secret for a year is egregious,” said Beth Givens, executive director of Privacy Rights Clearinghouse. “The purpose of notifying customers is so that they can take steps to protect themselves.”

California law does not specify how quickly a company must report a breach of nonmedical information, although it says efforts should be “expeditious.” The law also is silent on any penalty.

The attorney general's website shows records of only one prosecution for similar circumstances in recent years. Then-Attorney General Kamala Harris sued Kaiser Foundation Health Plan Inc. in 2014—under the state's unfair competition law—for waiting three months to tell employees that a USB drive found for sale in a thrift store contained more than 20,000 employee records. Kaiser paid $150,000 to settle the lawsuit.

California does allow a private right of action for residents who can prove that they were injured by a violation of the breach notification statute. But proving actual damages can be difficult, Givens said.

“Connecting the dots between your identity theft and a specific breach is very difficult to do,” she said.

Khosrowshahi said forensic examiners found no evidence that hackers downloaded trip location histories, credit card numbers, bank account numbers, Social Security numbers or birth dates.

The delayed breach response marked at least the second time Uber failed to tell regulators about a cyberattack. New York Attorney General Eric Schneiderman in January 2016 said Uber had agreed to pay $20,000 to resolve claims the company failed to timely notify regulators about a breach that affected drivers.
