Pennsylvania Data Breach Laws
It’s necessary to know current data breach laws, who they affect, and what a business is responsible for. A managed IT service can help you stay compliant.
According to Forbes, over 4 billion records were exposed because of data breaches in the early part of 2019. Protecting data and following current laws if data is compromised should be a top priority for every type of business. A breach is defined as unauthorized access to information or material that compromises confidentiality or security. Even after implementing the best security measures, data breaches can still occur. The following is what a business needs to know about PA data breach laws.
What Does the Law Include?
The law is officially called the “Breach of Personal Information Notification Act.” This involves any unauthorized access to computerized personal information and data. The following types of information are included in the law:
- The last name of an individual and the first name or first initial
- Social Security numbers
- Driver’s license or state identification number
- Debit and credit card numbers
- Password, security, and access codes to a person’s financial accounts
Who Does It Affect?
The law affects any type of business that stores and manages the personal information that belongs to a Pennsylvania resident. According to McNees, a bill was introduced in 2019 to amend this particular notification act. This specifically affects several types of businesses and organizations, including health care, educational institutions, as well as any organization that keeps the types of records listed in the previous section. It is important to note that the law only covers electronic information. It also does not apply to information or data that has been encrypted.
How Long Does a Business Have to Act?
In general, Pennsylvania residents should be notified without any unreasonable delay when a breach has occurred. There are a few exceptions that may affect the timing of notification. These exceptions would include the following:
- A delay might be necessary when meeting the needs of law enforcement during an investigation. In this case, law enforcement must notify the business or organization in writing that notification will impede a civil or criminal investigation.
- There may be delays in the notification if measures are being taken to determine how extensive the breach is.
What Is a Business Responsible For?
The National Conference of State Legislatures lists several pending updates and proposals to the Breach of Personal Information Notification Act in Pennsylvania. There are several aspects of the law that are currently in effect that organizations should be aware of. When carrying out the process of notification, a business would determine a person’s residency based on their primary mailing address. The actual notification can be carried out in a few different ways. This might include a written notice to the individual’s home address or by telephone. If the notification is given by phone, there should be a reasonable expectation that the person will receive the call. A person may also be notified by email if a prior business relationship has existed.
When the breach affects over 175,000 individuals, or the cost to notify individuals will be more than $100,000, it’s legal to use a public service announcement instead of personal notification. This may also be acceptable if the organization that has been breached does not have adequate contact information to reach each individual. If a breach affects at least 1,000 individuals, the business is responsible for reporting the breach to all consumer reporting groups and agencies. Violations regarding notifications may result in a company suffering from a variety of civil penalties.
How Can Menark Technologies Help Keep You Compliant?
Both preventing a data breach and staying compliant with all applicable laws if one has occurred are necessary for any organization. Menark Technologies can provide complete managed IT services for your company. They offer expert IT consulting, cloud services, security management, data backup, and recovery. Contact Menark Technologies for more information regarding how they can keep your data safe and your business compliant.