Responding to Data Breaches

Author: Mark A. Denlinger

Originally published in October 2018

Copyright © 2018 Knox McLaughlin Gornall & Sennett, P.C.

6 Common Data Breach Risks - Internal and External

  1. Malicious employees or careless employees
  2. Hackers/phishing/criminal activities
  3. Mobile devices
  4. Cloud computing
  5. Vendors/third-parties
  6. Competitors (“industrial espionage”)

Best Practices for Data Breach Prevention

  1. Develop and implement appropriate policies to identify and limit access to and disclosure of sensitive data
  2. Provide training and written guidance to employees with access to sensitive data: Limit employees’ ability to install software, and Limit internet access or access to websites that may contain malware
  3. Ensure encryption of data and devices containing data
  4. Adhere to appropriate security standards/frameworks
  5. Conduct periodic audits to ensure compliance with security standards
  6. Require strong passwords, changed frequently, and multi-factor authentication
  7. Implement appropriate bring-your-own-device (“BYOD”) policies
  8. Install software updates regularly
  9. Execute appropriate agreements with vendors to protect data
  10. Purchase appropriate cyber insurance

U.S. Data Breach Notification Laws & Obligations

All 50 states have enacted data privacy laws requiring businesses to safeguard certain types of employee and consumer information and to notify affected individuals in case of a data security breach.

State laws vary but generally focus on several key areas:

  • Scope of covered personally identifiable information (“PII”)
  • Triggers for notification obligations
  • Recipients of notice
  • Content of notice
  • Timing of notice
  • Enforcement

Federal laws and regulatory schemes apply to certain industries, such as healthcare (i.e., HIPAA) and financial services (i.e., Gramm-Leach-Bliley), but there is no uniform federally imposed standard for data breach notification.

Contractual obligations may separately exist with customers, vendors and/or employees, and potential common law obligations may exist, which may differ from state to state.

State Law Requirements for Data Breach Notification

Definition of “PII”

Typically, PII = a first name or first initial plus last name, and any one of the following:

  • Social Security number;
  • Drivers’ license or state identification card number; or
  • Account number, credit/debit card number combined with security code, access code, PIN or password needed to access account

In some states, it may also include:

  • Biometric data (fingerprint, etc.) – DE, IL, IA, MD, NE, NM, NC, WI & WY
  • Medical information – CA, FL, IL, MO, OR, RI & WY
  • Digital signature – NC & ND
  • Health insurance information/policy number – CA, DE, FL, IL, MD, MO, OR, RI & WY

State laws establish a trigger/event for notification obligations:

  • Notification by access
  • Risk of harm analysis
  • Electronic vs. paper records

Details specific recipients of the notice of the breach:

  • Affected individuals
  • State attorney general
  • Consumer reporting agencies/credit bureaus
  • Other state agencies, e.g, US Secretary of Health and Human Services (HIPAA)

Details on content/wording of the breach notice:

  • Some states require specific information; other states do not
  • California: requires specific headings, content specific in statute, including, the type of PII subject to the breach, the date the breach occurred, and a general description of breach incident
  • Massachusetts: notification shall not include the nature of the breach or unauthorized acquisition or the number of MA residents affected by the breach or unauthorized access or use

Timing of the breach notice

Common requirement in most statutes: “most expedient time possible and without unreasonable delay.” Some state statutes have specific timing requirement, and timing of notice may be delayed if requested by law enforcement.

Enforcement

  • Attorney General actions
  • Private right to action granted in some states

Relevant Pennsylvania Laws on Personal Data Security & Privacy

Breach of Personal Information Notification Act (73 P.S. §2301, et. seq.)

Effective June 20, 2006, the Act extends to any entity that maintains, stores or manages computerized data that includes personal information. “Entity” is broadly defined to include a Pennsylvania state agency or political subdivision, an individual or business doing business in Pennsylvania. "Personal Information” is an individual’s first name or initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

  • Social Security number;
  • Driver’s license number or a state ID card number; or
  • Financial account number, credit card or debit card number, in combination with an required access code, security code (PIN) or password that permits access to the financial account

A covered entity must give notice of a breach of the security of its system. “Breach of the security of the system” refers to the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes, or the entity reasonably believes has caused or will cause, loss or injury to any Pennsylvania resident. Access to and use of the data by entity employees in the scope of employment and for the proper business purposes of the covered entity are not considered breaches of the security system.

Each Pennsylvania resident whose unencrypted or un-redacted personal information was, or was reasonably believed to have been, accessed by an unauthorized person should be given notice of the breach. When a covered entity provides notice to more than 1,000 people at one time, then the entity must also notify all consumer reporting agencies.

Except for delays requested to meet the needs of law enforcement or in order to take necessary measures to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made “without unreasonable delay” to each affected Pennsylvania resident. Residency may be determined by the person’s principal mailing address, as reflected in the covered entity’s computerized data.

The notice may be provided by any of the following methods:

  • Written notice to the last known home address
  • Telephonic notice, if the person can be reasonably expected to receive it and the notice is given in a “clear and conspicuous manner,” describes the incident in general terms and verifies personal information of customer, and the customer is provided with a telephone number or Internet website to get further details/information
  • Email notice, if a prior business relationship exists and the person or entity has a valid email address for the individual

A substitute form of notice is permissible if the covered entity demonstrates one of the following:

  • The cost of providing notice would exceed $100,000;
  • The affected class of subject persons to be notified exceeds 175,000 people; or
  • The covered entity does not have sufficient contact information

The form of the substitute notice shall consist of the following:

  • Email notice when the covered entity has an email address for the affected persons;
  • Conspicuous posting of the notice on the covered entity’s Internet website if the entity maintains one; and
  • Notification to major statewide media

A violation of the Act is deemed to be an unfair or deceptive practice in violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law.

Enforcement is by the Pennsylvania Attorney General. There is no private right of action under the Act. However, private claims under other causes of action are possible and not prohibited. Also, as noted above, other states have similar breach notification laws protecting the residents of those jurisdictions, and the covered entity must comply with those as well.

It should be noted that the Act is not limited to the covered entity only and also applies to vendors and third parties that handle or store the personal information for the covered entity. If a covered entity uses a record-destroying company and the records destroying company experiences a breach, then the record-destroying company must notify the covered entity, and it may also have to provide its own notices as per the Act.

Confidentiality of Social Security Numbers (74 P.S. §201, et. seq.)

Effective December 26, 2006. Generally, a person or entity (including a state agency) shall not do any of the following:

  • Publicly post or publicly display in any manner an individual's Social Security number (“SSN”)
  • “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public
  • Print an individual's SSN on any card required for the person to access products or services provided by the covered party/entity
  • Require an individual to transmit his or her SSN over the Internet unless the connection is secure or the SSN is encrypted
  • Require an individual to use his or her SSN to access an Internet website unless a password or unique personal identification number or other authentication device is also required to access the website
  • Print an individual's SSN on any materials that are mailed to the individual unless federal or state law requires the SSN to be on the document to be mailed
  • However, SSNs may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy of the SSN
  • SSN that is permitted to be mailed in this manner may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened
  • Disclose in any manner, except to the agency issuing the license, the SSN of an individual who applies for a recreational license (i.e., Fish and Game licenses)

Exceptions to General Rule

A person/entity that has used (prior to 12/26/2006) an individual's SSN in a manner inconsistent with the Act may continue to do so in that manner if all of the following conditions are met:

  • The use of the SSN is continuous (i.e., if the use is stopped for any reason, then Act applies); and
  • The individual is provided an annual disclosure (commencing in 2007) that informs the individual that he or she has the right to stop the use of his or her SSN in the prohibited manner

The Act shall not prevent the collection, use or release of a SSN as required by federal or state law or the use of a SSN for internal verification, administrative purposes or for law enforcement investigations.

The Act does not apply to a document that originated with or is filed with, recorded in or is maintained by any court component or part of the Pennsylvania unified judicial system. The Act does not apply to any document that: (a) is required by law to be open to the public; and (b) originates with or is filed, recorded or maintained by any government agency, instrumentality or taxing authority.

Exemptions for Financial Institutions and Healthcare Entities – The Act does not apply to:

  • A financial institution, as defined by section 509(3) of the Gramm-Leach-Bliley Act (Public Law 106-102, 15 U.S.C. § 6809(3)) or regulations adopted by agencies as designated by section 504(a) of the Gramm- Leach-Bliley Act
  • A covered entity, as defined by regulations promulgated at 45 CFR Pts. 160 (relating to general administrative requirements) and 164 (relating to security and privacy) pursuant to Subtitle F of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936)
  • An entity subject to the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681 et seq.)

Penalties & Enforcement

Violations shall be deemed a summary offense and shall be punishable by a fine of not less than $50 and not more than $500 (and, for every second or subsequent violation, by a fine of not less than $500 and not more than $5,000). District attorneys are authorized to investigate and institute criminal proceedings under the Act, and PA Attorney General is also authorized to investigate and institute criminal proceedings under the Act.

Best Practices for Responding to a Data Breach

  1. Investigate/remediate the breach
  2. Identify applicable data breach notification laws and regulations
  3. Notify appropriate law enforcement authorities
  4. Notify appropriate regulators/consumer protection agencies, consistent with applicable laws and regulations
  5. Identify location of individuals whose information has been compromised
  6. Determine whether a “breach” has occurred as defined by applicable laws and regulations
  7. Determine appropriate notification requirements: (a) Who should be notified; (b) When to notify; and (c) Contents of notice
  8. Follow-up on risk mitigation steps, and address and prepare for liability and risk exposures, including fines and penalties, civil litigation, Federal agency enforcement actions (i.e., HHS, FTC), and/or attorney general enforcement actions.

Author: Mark A. Denlinger

Originally published in October 2018

Copyright © 2018 Knox McLaughlin Gornall & Sennett, P.C.