Pennsylvania Data Breach Notification Law 2022: Requirements & Legislation
In the event of a data breach, your business may need to notify those affected. States differ in the kinds of data that trigger notification, as well as in the timing, form, and other conditions of that notification. For businesses with customers in multiple states, this means tracking and complying with numerous sets of requirements. For businesses operating in Pennsylvania, the data breach notification process is comparatively moderate. Learn why, below.
Here Are the Basics of the Pennsylvania Data Breach Notification Law:
Defining Breach of System
As per Business Privacy Law, a "Breach of System" is defined as:
"The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes, has caused or will cause loss or injury to any resident of this Commonwealth. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure."
Pennsylvania requires customer notification “without unreasonable delay” when a data breach affects more than 1,000 residents. States are increasingly moving toward specific time limits for notification, the most common being 45 days after confirmation of breach. It is important to note that these rules also apply to companies that maintain or control personal information, such as database vendors. Additional information regarding privacy laws for all 50 states can be found here.
Defining Personal Information
Pennsylvania defines “personal information” as a person’s name combined with a social security, driver’s license, state ID, credit card, or financial account number. Several states have expanded the definition of personal information to include medical or health insurance information, biometric data such as fingerprint or iris scans, and DNA profiles. It should be noted that publicly available information, meaning information "made available to the general public from Federal, State, or local government records," is excluded. Pennsylvania only requires notification when the breach “materially compromises” security or confidentiality. Data that has been encrypted, and so is not accessible, is excluded. As a general rule:
"An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following the discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person."
Notifying the State
Many states require notice to the Attorney General (AG) or to a state agency, such as a consumer protection organization. Pennsylvania does not have this requirement. Instead, any breach affecting more than 1,000 residents must be relayed to all nationwide credit reporting agencies (CRAs). Like most states, Pennsylvania permits written, telephonic, or email notice to affected consumers. If the breach is unusually large (over 100,000 consumers) or expensive to notify, substitute notice is permitted, which can take the form of a media or online post. Companies that do business or have employees outside the state are also required to report in those states.
Civil and Criminal Consequences
In the event of a notification violation, action can be initiated by the Attorney General under the state’s “deceptive trade practices” statutes. It is generally held that companies promise to keep data confidential, and that a breach violates that promise. Pennsylvania does allow for restrictive, potentially expensive, injunctions against businesses. Pennsylvania also gives the AG the explicit right to seek restitution. Pennsylvania, like many states, provides an encryption safe harbor: if the acquired data was encrypted or redacted, notification is not required. This does not apply if the encryption key was compromised, or if those with access to that key were involved in the breach.
Operating in Pennsylvania
Any business operating in Pennsylvania should remain attentive to relevant legislation, as data breach regulations are constantly being amended and modified. For the latest information on data breaches, privacyrights.org provides a running list by type, organization affected, and geographic location. Remember, there are many ways to mitigate the risk factors associated with data breaches:
Develop an information security program, and provide routine training
Designate a security officer to maintain the security plan
Perform an annual risk assessment
Establish a means for detecting and preventing security failures
Implement offboarding procedures to prevent terminated employees from accessing information
Encrypt traffic in transit and at rest that contains PII
Patch firewalls, applications, and operating systems on a regular basis
Use secure password and/or token devices
Use cloud-based services that offer advanced protection and automatic web-traffic validation
Use HTTPS. Hypertext Transfer Protocol Secure (HTTPS) allows for secure communication over a computer network by providing bidirectional encryption. This protects against eavesdropping on, or tampering with, information by a malicious third party.
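The encryption safe harbor described above only helps if the stored personal information is genuinely unreadable without a key that is kept separate from the data. The Go program below is an added illustration of that pattern for a stored customer record; it is not code from iCorps or from this page. It uses only the Go standard library (AES-256-GCM), a constructed sample record with made-up identifiers, and a hypothetical key ID ("dek-2022-01") standing in for a key held in a separate key store. The name stays in the clear; the fields that make the row "personal information" are stored only as ciphertext, the key ID is bound to each ciphertext as authenticated data, and a final check shows whether a dumped row still exposes the plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// PIIRecord is the shape of a stored customer row in this constructed example.
// The name is kept in the clear; the identifiers that make the row "personal
// information" (SSN, account number) are stored only as AES-256-GCM ciphertext.
type PIIRecord struct {
	Name       string
	KeyID      string // which data-encryption key sealed the fields; the key itself is never stored here
	SSNCipher  string // base64(nonce || ciphertext || GCM tag)
	AcctCipher string
}

// NewDataKey returns a fresh 256-bit data-encryption key. In a real deployment
// this would live in a KMS/HSM, separate from the database (hypothetical setup).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one value. The key ID is passed as additional authenticated
// data, so a ciphertext cannot be quietly relabelled as belonging to another key.
func sealField(key []byte, keyID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(keyID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// openField reverses sealField; it fails on a wrong key, a tampered
// ciphertext, or a mismatched key ID.
func openField(key []byte, keyID, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(keyID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SealRecord builds the row that would actually be written to the database.
func SealRecord(key []byte, keyID, name, ssn, acct string) (PIIRecord, error) {
	ssnCT, err := sealField(key, keyID, ssn)
	if err != nil {
		return PIIRecord{}, err
	}
	acctCT, err := sealField(key, keyID, acct)
	if err != nil {
		return PIIRecord{}, err
	}
	return PIIRecord{Name: name, KeyID: keyID, SSNCipher: ssnCT, AcctCipher: acctCT}, nil
}

// OpenRecord recovers the sealed fields; only a holder of the matching key can.
func OpenRecord(key []byte, r PIIRecord) (ssn, acct string, err error) {
	if ssn, err = openField(key, r.KeyID, r.SSNCipher); err != nil {
		return "", "", err
	}
	if acct, err = openField(key, r.KeyID, r.AcctCipher); err != nil {
		return "", "", err
	}
	return ssn, acct, nil
}

// ExposesPlaintext is the check a breach assessment would run over a dumped
// table: does the stored form still contain the sensitive value?
func ExposesPlaintext(r PIIRecord, secret string) bool {
	return strings.Contains(r.SSNCipher, secret) || strings.Contains(r.AcctCipher, secret)
}

func main() {
	key, _ := NewDataKey()
	// Constructed sample values, not real identifiers.
	rec, err := SealRecord(key, "dek-2022-01", "Jane Example", "123-45-6789", "9876543210")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\nplaintext visible: %v\n", rec, ExposesPlaintext(rec, "123-45-6789"))
	other, _ := NewDataKey()
	_, _, err = OpenRecord(other, rec) // table copied without the key: nothing usable
	fmt.Println("open with wrong key:", err)
	ssn, acct, err := OpenRecord(key, rec)
	fmt.Println("open with right key:", ssn, acct, err)
}
```

The design point is the one the safe harbor turns on: the database row and the key have different custodians, so a copy of the table alone does not materially compromise the data. If the key store is breached too, or the people holding the key are involved, the ciphertext provides no protection, which is exactly the exception the statute carves out.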
For more information on Pennsylvania's data breach notification law or for assistance with operational compliance, or proactive security strategies, contact iCorps for more information. As more businesses move to the cloud, it's important to ask your cloud provider the tough questions when it comes to data security. Learn more with a free IT consultation.