In House - The FindLaw Corporate Counsel Blog

Executive Liability for Hiding Data Breaches

As data breaches go, Uber probably set the standard for doing too little too late.

The company recently revealed that hackers got personal information on 57 million riders and drivers -- last year. But instead of alerting Uber users at the time, the company paid the hackers $100,000 to destroy the data and keep it quiet.

The U.S. Senate is now considering a bill to require companies to disclose such breaches within 30 days. But with too many hacks to count, it seems like that horse left the barn a while ago.

Criminal Consequences

According to reports, 48 states already require companies to report hacks. But under the Senate bill, executives could face up to five years in prison for non-compliance.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Senator Bill Nelson said.

The proposed bill directs the Federal Trade Commission to set security protocols for businesses to better protect customer data. CNN reported the bill intends to "incentivize businesses" to make stolen data unreadable.

Senator Richard Blumenthal, a co-sponsor of the bill, introduced a similar bill for data brokers earlier this year. That followed the Equifax breach, which impacted some 143 million consumers in the United States.

Equifax, Yahoo, and More

The pending legislation puts the focus on company officials, including executives and lawyers. John Kelley, chief legal officer at Equifax, faced scrutiny because he approved executive stock sales right before the company disclosed the data breach.

Last year, Yahoo disclosed 1.5 billion accounts were hacked. The company reportedly knew about it two years earlier.

General counsel Ronald Bell took the fall for it. He resigned after a report concluded his legal team had enough information to investigate but did not take action.
