On February 19, 2019, a bill was introduced in the Pennsylvania Senate proposing to amend the Pennsylvania Breach of Personal Information Notification Act (the “Act”) to add new breach notification requirements for state agencies and political subdivisions of the Commonwealth.
Enacted in 2005, the Act (73 P.S. § 2301 et seq.) applies to Commonwealth agencies; political subdivisions, which include counties, cities, boroughs, incorporated towns, townships, and school districts; and persons doing business in Pennsylvania, including non-profit organizations and financial institutions (collectively, “entities”). Under the Act, an entity must notify Pennsylvania residents whose unencrypted and unredacted personal information stored on a computerized system was, or was reasonably believed to have been, accessed and acquired by an unauthorized person. The Act requires that residents are notified of a data breach “without unreasonable delay.”
Senate Bill 308, sponsored by Pennsylvania Senator Kristin Phillips-Hill, proposes significant changes to the definition of personal information, the timing and contents of breach notice requirements, and state agencies’ obligation to develop information security policies.
The Definition of Personal Information
The Act presently defines “personal information” as an individual’s first name (or first initial) and last name in combination with the individual’s (1) Social Security number; (2) driver’s license or state identification card number; or (3) financial account, credit card, or debit card number along with any security code, access code, or password permitting access to the individual’s financial account.
SB 308 expands the definition of personal information to add:
- health insurance and medical information;
- educational records;
- information regarding income, socioeconomic status, or food purchases;
- information regarding religious or other beliefs;
- unique biometric information including fingerprints;
- geolocation data;
- data collected through automated license plate recognition systems; and
- a user name or email address combined with a password or other information permitting access to an online account.
The proposed bill defines “health insurance information” as an individual’s policy or subscriber identification number; a unique identifier used by an insurer to identify an individual; or information in an individual’s application and claims history, including appeals records. “Medical information” is information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. SB 308 does not further define the other additional categories of data that would be considered “personal information” if the legislation is enacted.
As SB 308 is drafted, these additional categories of data need not be linked to an individual’s name. The bill, however, clearly intends to protect “personal information” and could be interpreted as requiring a nexus between the categories of personal information and a person’s name. The bill may also aim to regulate data from which an individual’s identity can be inferred. For example, in some circumstances, food purchase information—as well as medical records, geolocation data, and other types of information—could be used to identify an individual person even if the person’s name is not included with the data.
SB 308 therefore broadens the definition of personal information but creates some uncertainty about how the definition could be interpreted.
Data Breach Notification Requirements
The Act currently requires entities to notify residents of a data breach without unreasonable delay. SB 308, if enacted, will impose new breach response requirements on state agencies, political subdivisions of the Commonwealth, and persons doing business in Pennsylvania. Breach notification requirements would be triggered by the “detection of the breach of the security of [a] system.”
State agencies would be required to report a security breach to the head of the agency within two hours and to the Governor’s Office of Administration and the Office of Attorney General within four hours of detecting the breach.
Political subdivisions of the Commonwealth would be required to report a security breach to the head of the political subdivision within two hours and to the district attorney of the county in which the political subdivision is located within three business days of detecting the breach.
Persons doing business in Pennsylvania would be required to report a security breach to the district attorney of the county in which the business is located within three business days and to notify individuals affected by the breach within fourteen days of detecting the breach. The obligation to notify affected individuals would not apply to state agencies or political subdivisions of the Commonwealth.
The proposed security breach notification timelines may raise more questions than they answer. An important question is what “detection” of a security breach means because entities must understand when the clock begins to run on their breach notice deadlines. As a practical matter, there is usually a delay between when organizations suspect that something is wrong, and when they know they have been hacked. Gathering enough information to conclude that a bad actor acquired unencrypted and unredacted personal information can take days or weeks and often requires hiring a third-party forensic IT firm. If “detection” of a security breach is equated with “suspicion” of a security breach, the breach notification timelines will likely prove unrealistic—especially considering the proposed content requirements for breach notices, as discussed below.
Various aspects of the bill, such as the scope of certain categories of personal information and the breach notice deadlines, may be clarified as the bill undergoes consideration in the General Assembly.
Required Contents of Breach Notices & Mandatory Policies for State Agencies
Unlike the Act, SB 308 sets forth mandatory content requirements for breach notices. Among other mandates, a breach notice under SB 308 would have to include the name and contact information of the entity providing the notice; the dates of the notice and of the breach; the types of personal information believed to have been compromised; a general description of the incident; the contact information of the major credit reporting agencies; a description of the steps taken to protect the individuals whose personal information was compromised; and advice on the steps that affected individuals may take to further protect their personal information. SB 308 also requires reporting entities to offer free credit reports, credit protection, and identity theft protection for twelve months to each individual affected by the security breach. The notice must be written in plain language, contain certain headings, and call attention to the nature and significance of the notice.
As noted above, entities may struggle to meet the breach notice deadlines while also providing sufficient information about the breach.
SB 308 further requires state agencies, the Court Administrator of Pennsylvania, and the administrators of the legislative caucuses of the Senate and House of Representatives to develop policies governing the safe and proper storage of computerized data containing personal information with the goal of reducing the risk of future security breaches. Political subdivisions of the Commonwealth are not subject to this requirement, although developing such policies is a best practice for any organization that collects personal information. Among other requirements, the policies must address the collection, protection, and use of personal information and how to remediate the negative effects of a security breach. Policies must be reviewed at least annually.
Enforcement and Civil Penalties
The Act vests the Office of Attorney General with the exclusive authority to bring civil actions for violations of the Act. Neither the Act nor SB 308 allow individuals to file private lawsuits for alleged violations.
A violation of the Act, however, automatically constitutes a violation of the Unfair Trade Practices and Consumer Protection Law (“UTPCPL”) (73 P.S. § 201-1 et seq.). Under the UTPCPL, the Attorney General may recover civil penalties of up to $1,000 per violation, or if the victim is age sixty or older, up to $3,000 per violation. Accordingly, an entity that fails to meet the breach notification timelines or content requirements, or an agency that fails to maintain adequate policies, may be subject to significant penalties.
In summary, SB 308 joins a wave of proposed legislation following enactment of tougher data protection laws in the European Union and California. State agencies, municipalities, and school districts collect and store troves of personal information and must continue to monitor the impact of legislative developments on their data security practices.
Reprinted with permission from the April 4, 2019 edition of The Legal Intelligencer © 2019 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.