In today’s tech-reliant business environment, companies increasingly maintain and store records electronically. With the convenience of going paperless come the risks surrounding a potential data breach. If such a breach occurs and certain personal information is compromised, every U.S. state requires the breached organization to take some action. Pennsylvania recently joined a handful of states taking steps toward amending their data breach notification laws.
The General Assembly enacted the Pennsylvania Breach of Personal Information Notification Act (the “Act”) in 2005, which applies to state agencies and other government bodies, as well as to individuals and companies doing business in Pennsylvania, including corporations, non-profit organizations, and financial institutions, among other entities.
To update provisions of the Act, Senate Bill 308 was introduced in the Pennsylvania Senate in early 2019. If adopted by the legislature, SB 308 would amend the Act to provide a broader definition of personal information, mandate strict breach notification deadlines, and impose content requirements for data breach notices. This article discusses some of the biggest impacts that the bill would have on businesses in Pennsylvania, such as requiring that notice of a data breach be given to the government within three business days and to affected individuals within fourteen calendar days.
The Expansion of “Personal Information”
Whether a data breach notification is required depends on whether personal information is compromised. The Act presently defines “personal information” as an individual’s first name (or first initial) and last name in combination with the individual’s (1) Social Security number; (2) driver’s license or state identification card number; or (3) financial account, credit card, or debit card number along with any security code, access code, or password permitting access to the individual’s financial account. This definition is fairly consistent with other states’ definitions of personal information.
The proposed bill expands the definition of personal information to add:
health insurance and medical information;
information regarding income, socioeconomic status, or food purchases;
information regarding religious or other beliefs;
unique biometric information including fingerprints;
data collected through automated license plate recognition systems; and
a user name or email address combined with a password or other information permitting access to an online account.
Some of these terms are further defined under the bill. As the bill is currently drafted, however, these new categories need not be connected to an individual’s actual name. Because the bill clearly intends to protect “personal information,” it could nonetheless be interpreted to require a link between the new categories of data and a person’s name.
The bill may also aim to regulate data from which an individual’s identity can be inferred. For example, in some circumstances, food purchase information—as well as medical records, geolocation data, and other types of information—could be used to identify an individual person even if the person’s name is not included with the data. The bill, therefore, broadens the definition of personal information but creates some uncertainty about how the term could be interpreted.
New Data Breach Notification Deadlines
The Act requires that businesses affected by a data breach notify Pennsylvania residents whose unencrypted and unredacted personal information stored on a computerized system was, or was reasonably believed to have been, accessed and acquired by an unauthorized person. Upon discovery of a data security breach, the compromised business must notify residents of the data breach “without unreasonable delay.”
If enacted, SB 308 would replace this flexible standard with fixed data breach notification deadlines. Companies would be required to report a security breach to the district attorney of the county in which the organization is located within three business days, and to notify individuals affected by the breach within fourteen calendar days, of detecting the breach. State agencies and political subdivisions of the Commonwealth would also have new reporting requirements. These are significant proposed changes in the law.
Additionally, under the proposed bill, a company’s notification obligation is triggered by the “detection of the breach of the security of [a] system.” The bill lacks clarity, however, on what “detection” of a security breach means and, thus, when the clock begins to run on breach notice deadlines. Gathering enough information to conclude that unencrypted and unredacted personal information was breached can take days or weeks and often requires hiring a third-party forensic IT firm, which may make the above timelines unrealistic.
Further, where a business is “located” for the purpose of notifying district attorneys is open for interpretation. This requirement may refer to the business’s headquarters or principal place of business, but these locations may be outside Pennsylvania. It could also be interpreted that a business with operations throughout the Commonwealth must notify the district attorney for all 67 counties in Pennsylvania.
The boundaries of “personal information” and ambiguities relating to the notice requirements are aspects of the bill that may be clarified as it undergoes consideration in the General Assembly.
Breach Notice Content Requirements and Enforcement
Unlike the Act, which does not set forth the required content for a breach notice, SB 308 mandates the content that must be included in every breach notice.
Among other requirements, a breach notice under SB 308 would have to include the name and contact information of the entity providing the notice; the dates of the notice of the breach; the types of personal information believed to have been compromised; a general description of the incident; the contact information of the major credit reporting agencies; a description of the steps taken to protect the individuals whose personal information was compromised; and advice on the steps that affected individuals may take to further protect their personal information. The bill also requires that the business affected by a data breach offer free credit reports, credit protection, and identity theft protection for twelve months to each individual whose personal information was accessed.
As noted above, businesses may struggle to meet the breach notice deadlines while gathering enough information to adhere to the breach notice content requirements.
Nevertheless, the Act and the proposed bill must be taken seriously by businesses operating throughout the Commonwealth, as a violation of the Act automatically constitutes a violation of the Unfair Trade Practices and Consumer Protection Law (“UTPCPL”) and may result in additional fines and penalties. Although the Act and SB 308 do not allow individuals to file private lawsuits, under the UTPCPL, the attorney general or district attorney may recover civil penalties of up to $1,000 per violation, or if the victim is age sixty or older, up to $3,000 per violation. Accordingly, a business that fails to meet the breach notification timelines or content requirements may be subject to significant penalties.
In summary, SB 308 shows that data protection is on the minds of Pennsylvania legislators and highlights the importance of proactively preparing for data security incidents. The McNees Privacy & Data Security team will continue monitoring SB 308 as it progresses through the Pennsylvania legislature, along with other legislative developments affecting data privacy in the U.S. and abroad.