Following is a brief review of the Pennsylvania laws pertaining to breach and consumer notification.
Personal information is defined as an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements:
1. Social security number;
2. Driver's license number or state identification card number; or
3. Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the individual's financial account.
Who does it apply to?
The law applies to an entity that maintains, stores or manages computerized data that includes personal information (the data owner). "Entity" means a Pennsylvania state agency, a political subdivision of the Commonwealth, or an individual or a business doing business in the Commonwealth. Additionally, if personal information is maintained, stored or managed by a vendor, and the vendor is breached, the vendor must immediately notify the data owner. The data owner is responsible for making the breach determination and completing the reporting and consumer notification.
There is an exemption for a financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, for entities whose primary notification requirements fall under federal regulation, and for an entity that maintains its own privacy or security policy, as long as that policy meets the law's minimum requirements.
"Breach of the Security of the System" is the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of the Commonwealth. An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.
Factors to consider when determining whether reporting is required include, but are not limited to:
- The combination of personal information breached;
- If the data was computerized;
- If the data was encrypted or redacted;
- If the encryption key was acquired;
- If it was acquired by an unauthorized person; and
- If the incident will cause loss or injury to any resident.
In Pennsylvania, the notification may be delayed if law enforcement advises the entity that it would interfere with an investigation; otherwise, the notification must be made in the most expedient manner possible and without unreasonable delay. If notification is required to more than 1,000 persons, all consumer reporting agencies must also be notified with specific information about the breach.