Security breach legislation has arrived in Pennsylvania. We have seen repeated news reports describing how computerized data containing personal information is lost, misplaced or stolen. We fear that the computer disk falling off the overnight delivery truck will be the one with our personal information on it. Prospects are uncertain about enactment of federal legislation that may someday succeed in pre-empting the more than 20 state security breach statutes that have already been enacted. For now, companies that maintain computerized personal data need to develop multistate reviews to assemble the mosaic of state law notice requirements for breaches of security. Now, we can add another state to the mosaic.

Here in Pennsylvania, our General Assembly has acted, and the governor signed on Dec. 22 Pennsylvania’s Breach of Personal Information Notification Act. The act (unless pre-empted) will become effective in 180 days, or on June 20. The act establishes procedures and criteria governing the disclosure of a security breach to customers.

The scope of the act’s security breach disclosure procedure is very broad. Any “business” organization is impacted, whether profit or nonprofit, that “maintains, stores or manages computerized data that includes personal information.” Also covered is any entity that “destroys records.” State agencies and local political subdivisions are covered too. Obviously, many types of industries and organizations will find themselves within the confines of the act.

The act’s security breach disclosure provisions are triggered when computerized personal information is compromised. Personal information is defined as the individual’s first name (or first initial) and last name linked with one or more of the following data elements that are “not encrypted or redacted”: the person’s Social Security number, driver’s license number, or credit or debit card account number in combination with any required access code.

“Redact” means truncation such that no more than the last four digits of a card or identification number is accessible. “Encryption” means the use of an “algorithmic process” that creates a “low probability of assigning meaning without use of a confidential process or key.” Thus, if the information that is compromised has either been redacted or encrypted, and there is no way for the holder of the compromised information to unlock these protections, there is by definition no personal information that can be the subject of a security breach, and no disclosure requirement is triggered. Finally, “publicly available information that is lawfully made available to the general public from federal, state or local government records” is not within the definition of personal information.

The key to the law is determining when and if a security breach has occurred. The breach occurs upon “unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this commonwealth.” There are several issues to consider when applying this standard. First, a reminder that a breach occurs only when the personal information has not been redacted (truncated) or secured by encryption. Second, presumably, when and if that disk full of computerized data falls off the truck and lands on a curbside, there has not yet been “unauthorized access and acquisition” of the data. Third, at what point the compromise of security is “material” is not easy to determine. Fourth, at what point a breach of security can be “reasonably believed” to be threatening enough to cause loss or injury may also be a tricky legal conclusion heavily dependent on the particular facts.

Once a breach has been determined to have occurred, the entity that “maintains, stores or manages” the computerized data that includes personal information must provide notice of any breach of security. The notice must go to any resident of Pennsylvania whose “unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.” Again, the notice requirement arises only when the information was accessed in unencrypted and unredacted form. The disclosure must be made “without unreasonable delay,” subject to the apparently required prior approval of a law enforcement agency, as discussed below. The entity may take time to determine the scope of the breach and may also take time to restore the “reasonable integrity of the data system” before providing the notice. The notice must go to all residents, defined as individuals whose “principal mailing address” as reflected in the data is within Pennsylvania.

Security breach notifications may be made by written notice, telephonic notice or via e-mail if a prior business relationship exists and the entity has a valid e-mail address. The telephone method of notice, which seems unique among the various state laws already on the books, works only if the individual can be “reasonably expected to receive it.” Does leaving a message on the individual’s answering machine work? The telephone form of notice must be given in a “clear and conspicuous manner,” describing the incident in general terms, and must provide a phone number or website to visit for more information. One wonders if a recorded telephone call is sufficient to comply with the act.

Finally, a substitute form of notice may be delivered by e-mail, but only if the public entity or business demonstrates that the cost of otherwise providing the notice would exceed $100,000, or the class of subject persons to be notified exceeds 175,000, or the business entity does not have sufficient contact information. Such substitute notice would be an e-mail notice together with a conspicuous posting of the notice on the entity’s website and notification to statewide media.

These broadly phrased security-breach-notice concepts leave much of the triggering analysis and notice mechanics open to interpretation. Should the disclosure be made if the personal information was lost but there is no direct evidence that any unauthorized person has had access to the information? How fast must the disclosure be made, within days or weeks?

The act permits a delay in making the security-breach disclosure if a law enforcement agency determines and advises in writing that the notification “will impede a criminal or civil investigation.” The act then states that the notification shall be made after the law enforcement agency determines that the notification will not compromise “the investigation or national or homeland security.” Conceivably, then, before any notification goes out, the entity should consult with an appropriate law enforcement entity and receive approval, although the act does not directly state that.

In addition to any other notification to individuals, if the entity provides notification to more than 1,000 persons at a time, the entity must also notify “without unreasonable delay” all consumer-reporting agencies that compile information on a national basis. This information must include the timing, distribution and number of the notices.

Finally, if a vendor “maintains, stores or manages computerized data on behalf of another entity,” which could include a payroll company, such vendor has its own security breach disclosure requirement under the act. Following discovery of a security breach as defined by the act, the vendor must provide notice to the entity on whose behalf the vendor is maintaining the data. Thereafter, the entity (and not the vendor) is responsible for making the determinations and disclosures under the act.

Interestingly, the act carves out from the statutory security breach disclosure requirement any entity that “maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information.” Such internal procedures must be “consistent with the requirements of this act.” One downside here is that an entity that does not fully comply with its own procedures could easily hang itself in an enforcement action. Also, a financial institution that complies with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with the act. A similar safe harbor is created for other entities governed by guidelines established by the entity’s “primary or functional federal regulator.” Finally, the act pre-empts any county or local laws that address security breach notification.

Any violation of the act’s security breach disclosure provisions is deemed an “unfair or deceptive act or practice” under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL). There appears to be no private right of action for an act violation, because the act appears clear on this point: “The office of the attorney general shall have exclusive authority to bring an action [under UTPCPL] . . . for a violation of this act.” However, the attorney general has an active Bureau of Consumer Protection to whom a complaint could be directed. The attorney general may seek injunctive relief under the UTPCPL. A company can enter into an “assurance of voluntary compliance” with the attorney general after receipt of such a complaint, and such an agreement might include payment of costs and damages if individuals have been damaged.

An early version of the act limited liability to only willful and knowing violations. That restriction was removed in the legislative process. So, conceivably, even a negligent violation of the act can trigger an attorney general request for injunctive relief under the UTPCPL. However, civil penalties under the UTPCPL are only obtainable by the attorney general for a “willful” violation of the UTPCPL, and presumably this limitation on civil penalty liability remains the law for act violations.

The act takes effect June 20 and only applies to breaches of security that occur on or after the effective date. For now, entities doing business in Pennsylvania should prepare procedures to deal with the security breach provisions of the act. For example, a business should improve safeguards of personal information so the act is never triggered. Monitoring third-party vendors that transport or maintain personal information is vital, and perhaps one can even contract with those third parties for coverage of the cost of delivering a massive security breach disclosure. Most of all, let’s hope that those overnight shipments of computerized records all arrive safely.

LEONARD A. BERNSTEIN chairs the national Consumer Financial Services Group of Reed Smith and is resident in the firm’s Philadelphia office. He is a former chair of the Philadelphia Bar Association’s Business Law Section, is a member of the Governing Committee of the Conference on Consumer Finance Law, and is a member of the American College of Consumer Financial Services Attorneys. He can be reached at 215-851-8143 or via email at [email protected]


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.