"Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Attorney General Josh Shapiro said in a statement. "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."
The law Uber is charged with violating is the Pennsylvania Breach of Personal Information Notification Act. This requires companies to notify people who are impacted by any breach of data within a reasonable amount of time. It's difficult to argue that thirteen months, which is the amount of time between the October 2016 leak and November 2017 disclosure, is "reasonable". The law allows Shapiro to seek up to $13.5 million in penalties from Uber.
You can bet that Pennsylvania won't be the last state to file suit against Uber: as many as 43 others are investigating Uber's failure to disclose the hack, and this is unlikely to be the last we hear about this data breach.
Update: We've heard from Uber on the suit. They gave us the following statement: "While we make no excuses for the previous failure to disclose the data breach, Uber's new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber's desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly."