SB 308 Proposes 14-Day Data Breach Notice Requirement for Pennsylvania Businesses

Published May 21, 2019 (https://pbacyber.com/index.php/2019/05/21/b-308-proposes-14-day-data-breach-notice-requirement-for-pennsylvania-businesses/)

By Thomas S. Markey and Chase J. Wright, McNees Wallace & Nurick LLC (https://www.mcneeslaw.com/)

In today's tech-reliant business environment, companies increasingly maintain and store records electronically. With the luxury of going paperless come the risks surrounding a potential data breach. If such a breach occurs and certain personal information is compromised, every U.S. state requires the breached organization to take some action. Pennsylvania recently joined a handful of states taking steps toward amending their data breach notification laws.

The General Assembly enacted the Pennsylvania Breach of Personal Information Notification Act in 2005. The Act applies to state agencies and other government bodies, as well as to individuals and companies doing business in Pennsylvania, including corporations, non-profit organizations, and financial institutions, among other entities.

To update provisions of the Act, Senate Bill 308 was introduced in the Pennsylvania Senate in early 2019. If adopted by the legislature, SB 308 would amend the Act to provide a broader definition of personal information, mandate strict breach notification deadlines, and impose content requirements for data breach notices. This article discusses some of the biggest impacts that the bill would have on businesses in Pennsylvania, such as requiring that notice of a data breach be given to the government within three business days and to affected individuals within 14 calendar days.

The Expansion of "Personal Information"

Whether a data breach notification is required depends on whether personal information is compromised. The Act presently defines "personal information" as an individual's first name (or first initial) and last name in combination with the individual's (1) Social Security number; (2) driver's license or state identification card number; or (3) financial account, credit card, or debit card number along with any security code, access code, or password permitting access to the individual's financial account. This definition is fairly consistent with other states' definitions of personal information.

The proposed bill expands the definition of personal information to add:

- health insurance and medical information;
- educational records;
- information regarding income, socioeconomic status, or food purchases;
- information regarding religious or other beliefs;
- unique biometric information, including fingerprints;
- geolocation data;
- data collected through automated license plate recognition systems; and
- a user name or email address combined with a password or other information permitting access to an online account.

Some of these terms are further defined in the bill. As currently drafted, however, the new categories need not be connected to an individual's actual name. Because the bill clearly intends to protect "personal information," it could nonetheless be interpreted to require a link between these categories of personal information and a person's name.

The bill may also aim to regulate data from which an individual's identity can be inferred. For example, in some circumstances, food purchase information, as well as medical records, geolocation data, and other types of information, could be used to identify an individual even if the person's name is not included with the data. The bill therefore broadens the definition of personal information but creates some uncertainty about how the term could be interpreted.

New Data Breach Notification Deadlines

The Act requires that businesses affected by a data breach notify Pennsylvania residents whose unencrypted and unredacted personal information stored on a computerized system was, or was reasonably believed to have been, accessed and acquired by an unauthorized person. Upon discovery of a data security breach, the compromised business must notify residents of the data breach "without unreasonable delay."

If enacted, SB 308 would replace this flexible standard with fixed data breach notification deadlines. Companies would be required to report a security breach to the district attorney of the county in which the organization is located within three business days and to notify individuals affected by the breach within fourteen calendar days of detecting the breach. State agencies and political subdivisions of the Commonwealth would also have new reporting requirements. These are significant proposed changes in the law.

Additionally, under the proposed bill, a company's notification obligation is triggered by the "detection of the breach of the security of [a] system." The bill lacks clarity, however, on what "detection" of a security breach means and, thus, when the clock begins to run on breach notice deadlines. Gathering enough information to conclude that unencrypted and unredacted personal information was breached can take days or weeks and often requires hiring a third-party forensic IT firm, which may make the above timelines unrealistic.

Further, where a business is "located" for the purpose of notifying district attorneys is open to interpretation. The requirement may refer to the business's headquarters or principal place of business, but these locations may be outside Pennsylvania. It could also be read to mean that a business with operations throughout the Commonwealth must notify the district attorney in each of Pennsylvania's 67 counties.

The boundaries of "personal information" and the ambiguities in the notice requirements are aspects of the bill that may be clarified as it undergoes consideration in the General Assembly.

Breach Notice Content Requirements and Enforcement

Unlike the Act, which does not set forth the required content of a breach notice, SB 308 mandates the content that must be included in every breach notice.

Among other requirements, a breach notice under SB 308 would have to include the name and contact information of the entity providing the notice; the dates of the notice of the breach; the types of personal information believed to have been compromised; a general description of the incident; the contact information of the major credit reporting agencies; a description of the steps taken to protect the individuals whose personal information was compromised; and advice on the steps that affected individuals may take to further protect their personal information. The bill also requires that the business affected by a data breach offer free credit reports, credit protection, and identity theft protection for twelve months to each individual whose personal information was accessed.

As noted above, businesses may struggle to meet the breach notice deadlines while gathering enough information to satisfy the breach notice content requirements.

Nevertheless, the Act and the proposed bill must be taken seriously by businesses operating throughout the Commonwealth, as a violation of the Act automatically constitutes a violation of the Unfair Trade Practices and Consumer Protection Law (UTPCPL) and may result in additional fines and penalties. Although the Act and SB 308 do not allow individuals to file private lawsuits, under the UTPCPL the attorney general or a district attorney may recover civil penalties of up to $1,000 per violation or, if the victim is age sixty or older, up to $3,000 per violation. Accordingly, a business that fails to meet the breach notification timelines or content requirements may be subject to significant penalties.

In summary, SB 308 shows that data protection is on the minds of Pennsylvania legislators and highlights the importance of proactively preparing for data security incidents.

Thomas S. Markey (https://www.mcneeslaw.com/people/thomas-s-markey/) practices in the Privacy & Data Security Group at McNees Wallace & Nurick LLC and is a member of the International Association of Privacy Professionals and the Pennsylvania Bar Association Cybersecurity & Data Privacy Committee.

Chase Wright (https://www.mcneeslaw.com/people/chase-wright/) practices in the Privacy & Data Security and Corporate & Tax Groups at McNees Wallace & Nurick LLC.