What Are Pennsylvania's Data Breach Notification Requirements?

Last spring, New Mexico passed a state-level data breach notification law, leaving South Dakota and Alabama as the last two states without comparable statutes. States differ in the kinds of data that trigger notification, as well as in the timing, form, and other conditions of that notification. Businesses with customers in multiple states must therefore track and comply with numerous sets of requirements.

When it comes to data breach notification, Pennsylvania sits somewhere in the middle: stricter than some states, laxer than others. Regardless, non-compliance carries potentially costly legal consequences.

The basics of the Pennsylvania law

Under Pennsylvania's business privacy law, a "Breach of System" is defined as:

"The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes, or the entity reasonably believes, has caused or will cause loss or injury to any resident of this Commonwealth. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure." 

Pennsylvania is one of 24 states that require customer notification "without unreasonable delay" when a data breach affects more than 1,000 residents. States are increasingly moving toward specific time limits for notification, the most common being 45 days after confirmation of the breach. Note that these rules also apply to companies that merely maintain or control personal information on behalf of others, such as database vendors.


Defining personal information

Pennsylvania defines "personal information" as a person's name combined with a Social Security, driver's license, state ID, credit card, or financial account number. Several states have expanded the definition of personal information to include medical or health insurance information, biometric data such as fingerprint or iris scans, and DNA profiles.

Note that publicly available information is excluded:

"The term does not include publicly available information that is lawfully made available to the general public from Federal, State, or local government records."

Pennsylvania only requires notification when the breach “materially compromises” security or confidentiality.

Data that was encrypted, and is therefore not accessible to the attacker, is excluded. As a general rule:

"An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Except as provided in section 4 or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without reasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth."


Notifying the state

Many states require notice to the Attorney General (AG) or to a state agency, such as a consumer protection office. Pennsylvania does not. Instead, any breach must be reported to all nationwide credit reporting agencies (CRAs).

A number of states, including California, New Hampshire, and Massachusetts, now post breach-related information on state websites. Again, Pennsylvania does not have this requirement.

Required notification

Like most states, Pennsylvania permits written, telephonic, or email notice to affected consumers. If the breach is unusually large (over 100,000 consumers) or the cost of individual notice is unusually high, substitute notice is permitted, which can take the form of a media or online posting. Companies that do business or have employees outside the state must also report under those states' laws.

Some states prescribe the content of notifications, often including a description of the breach, required fees for CRAs, and applicable headings. Pennsylvania does not specify notification content.

Civil and criminal consequences

In the event of a notification violation, the Attorney General can bring an action under the state's "deceptive trade practices" statutes. The reasoning is that companies implicitly promise to keep data confidential, and a breach amounts to breaking that promise.

Pennsylvania does allow for restrictive, potentially expensive injunctions against businesses, and it gives the AG the explicit right to seek restitution.


Encryption safe harbor

Pennsylvania, like many states, provides an encryption safe harbor: if the acquired data was encrypted or redacted, notification is not required. The safe harbor does not apply if the encryption key was also compromised, or if people with access to that key were involved in the breach.

Operating in Pennsylvania

Any business operating in Pennsylvania should stay attentive to relevant legislation, as data breach regulations are constantly being amended. For the latest information on data breaches, privacyrights.org maintains a running list searchable by breach type, organization affected, and geographic location.

Remember, there are many ways to mitigate the risk factors associated with data breaches:

  1. Enable automatic patching for all applications and core operating systems.
  2. Keep your anti-virus software up to date.
  3. Use cloud-based services that offer advanced protection, including data encryption and automatic web-traffic validation.
  4. Encrypt all devices and stored information, to protect both sensitive user and client data.
  5. Use HTTPS. Hypertext Transfer Protocol Secure (HTTPS) encrypts communication in both directions over a network, protecting against eavesdropping on, or tampering with, information by a malicious third party.

For assistance with operational compliance, or proactive security strategies, contact iCorps for more information.
