HARRISBURG, Pa -- Pennsylvania's Attorney General wants people in the Commonwealth to know what their rights are in the event of a data breach.
Josh Shapiro recently filed a lawsuit on behalf of 13,500 Uber drivers in the Commonwealth involved in a data breach.
"The investigation was going on and on and on, Uber was not being as cooperative as we had thought they might be in the beginning of this and we thought a lawsuit at this juncture was necessary," said Shapiro.
The AG says Uber broke two laws in Pennsylvania.
One relates to unfair trade practices and the other is the Breach of Personal Information Notification Act.
The AG says, "The law here says they have to notify us within a 'reasonable period of time.' Well, Uber knew about this data breach for more than a year. In fact, they covered it up for a year. I don't think anyone in their right mind would think covering up a data breach for over a year is 'reasonable.'"
While it may seem like a bunch of legal jargon, Shapiro explains why he thinks Pennsylvanians should pay attention to this lawsuit.
"It's important for you to be notified so that you can then go and monitor your credit."
Under PA law, the penalty is $1,000 for each violation of not notifying a consumer of a data breach.
With a possibility of 13,500 violations, that's 13.5 million dollars in fines Uber may have to pay.
Don't expect all that money to go back into your pocket.
Shapiro said, "Part of what happens when we do these lawsuits is the money comes back in and it has to be used for this kind of work."
The AG believes the Uber lawsuit is a message to other companies to invest in infrastructure to protect consumers' data.
He says another example of this is his investigation into Equifax.
That breach impacted more than 5 million Pennsylvanians.
"If you go look at Equifax's SEC filings, you'll find for every dollar they earn, 36 cents went into profit. Which is great, good companies should make a profit, that's wonderful. But you know what I didn't see? I didn't see money going back into the infrastructure of that company to protect our data. So maybe take a few pennies off of that profit and put it into protecting our information," said the AG.
As for Equifax, the attorney general says 48 states including PA are still looking into why the breach occurred, when it occurred and what happened to your information when it was stolen.
Pennsylvania House Bill 1846 was recently introduced by state Rep. Brian Ellis out of Butler County.
If passed, the bill would require companies to give notice to people impacted within 30 days of a breach.
Companies would also have to explain what information was compromised and give a toll-free number for victims to call.
The bill also includes a section requiring companies to come up with a plan to safeguard and discard personal consumer information.
Uber did respond to our request for a comment on the lawsuit, sending us this statement: “Since starting on this job three months ago, I’ve spoken with various state and federal regulators in connection with the data breach pledging Uber’s cooperation, and I personally reached out to Attorney General Shapiro and his team in the same spirit a few weeks ago. While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter. We make no excuses for the previous failure to disclose the data breach. While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers. I’ve been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts.” - Statement from Chief Legal Officer, Tony West.