Reporting a Data Breach

At its simplest, the Act says that any entity that has a database of personal information that has been breached has an obligation to notify the individuals whose data was compromised. In order to understand whether this applies to your business, your data, and your data breach, we need to unpack a few things.

The Act governs all “entities” that maintain, store or manage computerized data that includes Personal Information. The entity can be a government agency, a political subdivision such as a town or county, a business doing business in Pennsylvania or even a natural person who is a resident of Pennsylvania. There are therefore 3 criteria determining whether you are covered by the Act:

1. Do you maintain, store or manage data? Though not defined, the plain meaning of this phrase is broad enough to cover just about any computer-based writing or reading of data, whether the system is local or cloud-based. It even covers companies whose business is to destroy documents.
2. Are the data computerized? The Act does not cover paper records that might be broken into or stolen. Whether it covers digital records stored, say, on disk is not clear – perhaps they only become “computerized” when attached to a computer?
3. Lastly, do the data include personal information? Only “Personal Information” is protected by the Act, and it has a very specific definition. Personal Information is a first name (or initial) and a last name in combination with or linked to an unencrypted or unredacted social security number, driver’s license number or credit or debit card number together with an access code.

This definition of Personal Information is actually quite narrow. It does not include business, medical, financial, legal, family, location and other information we might ordinarily think of as private or confidential.

An individual’s name can be either in combination with or linked to one of the three protected types of information. This not only includes information resident in a single database, but information linked to the name by means of a foreign key in a database or a URL to an endpoint containing the information.

Lastly, the linked-to data must be unencrypted or unredacted to be Personal Information. If the information is protected by an “algorithmic process” which creates a “low probability of assigning meaning without use of a confidential process or key” it is not Personal Information, and there is therefore no reporting requirement under the Act.

The conclusion here is that, even if you have a website, an email account, a database or a business application that has been hacked or breached, you are not subject to the Act if you are not dealing in Personal Information.

But the analysis doesn’t end there. Once you have detected a breach or an intrusion, you will need to consult with your attorney to see whether your business nevertheless has reporting or other obligations. You might have reporting requirements under federal law, such as the Healthcare Insurance Portability and Accountability Act (or HIPAA), the HITECH Act related to medical records, or the Graham Leach Blily Act. You may also be bound by rules made by the Federal Reserve, the FDIC, the Federal Trade Commission or other federal agency rules. Depending on whose data was compromised, you may also have obligations under the European General Data Protection Regulation (or GDPR) or the California Consumer Privacy Act (CCPA). Lastly, you may have contractual notice obligations pursuant to confidentiality and trade secrets protection agreements you have signed.

If you Personal Information has been compromised, the next question is whether a Breach has occurred.

The Act defines a Breach as “the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.“

This run-on sentence has 5 conjunctions in it that serve to further limit the scope of the Act.

• First, the Personal Information must have been accessed and and acquired without authorization. If it is merely accessed and not acquired – say, viewed rather than downloaded – the Act is not invoked. An intrusion without acquisition is not a Breach as defined by the Act, and therefore not subject to its reporting requirements.
• Requirements number 2 and 5, that the data compromise must be “material” and that it be “reasonably believed” to cause loss or injury are both heavily fact-based inquires, and something to be explored with the lawyer whom you are working with on the incident.
• Requirement 3, that the compromised Personal Information be maintained as part of a database of multiple individuals’ Personal Information further limits the scope of the Act. Compromise of a single record – say, a single email or text file – which contains or is linked to the Personal Information of an individual, would presumably not be a Breach subject to notification requirements.
• Lastly, in requirement 5, we understand that it is only the Personal Information of Pennsylvania residents that the Act is interested in. A resident of PA is any individual whose principal mailing address – based on the computerized data itself – is in the Commonwealth of PA.

Even though the Act ultimately defines breach in a fairly narrow way, the business that is subject to a cyberattack should not assume that its notification obligations end there. For example, the GDPR defines breaches broadly to include data destruction, loss, alteration, disclosure or access. If you are collecting data on European citizens or even citizens of other states within the United States, you’ll want to think more broadly about what constitutes a breach of a data system.

The Act carves out two exceptions that exempt entities from strict compliance.

First, if a firm “maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information” that are “consistent with the requirements of the act,” it may follow its own notification policies. It is unclear how a business would safely conclude that it needn’t risk enforcement of the Act based on its own assessment of what is “consistent” with the Act.

Finally, a financial institution that complies with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with the Act. A similar safe harbor is created for other entities governed by guidelines established by the entity’s “primary or functional federal regulator” – say, Health and Human Services, in the case of HIPAA compliant organizations.

If your cybersecurity incident fulfills all of the requirements of the Act so far, you must provide notification of the breach.

Notice must happen “without unreasonable” delay, taking into account any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

Notice may also be delayed “if a law enforcement agency determines and advises the entity in writing specifically referencing this section that the notification will impede a criminal or civil investigation.” Whether this means that the business has a duty to first inform law enforcement of the breach is not clear, and the Act imposes no such duty, but a conservative attorney might have the business pass the breach by at least local or State law enforcement before making its notifications.

Having determined the need to notify, the only remaining questions are what form the notification will take and who must be notified.

If the cost of notifying the individuals whose records were breached will exceed $150,000, or if the number of records exceeds 175,000, or if the entity has insufficient contact information for the individuals to notify them in writing, by phone or via email, the entity may provide substitute notice.

Such substitute notice would be an email notice together with a conspicuous posting of the notice on the entity’s website and notification to state-wide media.

If substitute notice is not warranted, you must notify each Pennsylvania resident whose data was accessed and acquired. The notice can be made by email, phone or written letter to the individual’s Pennsylvania address.

If notification is made to 1,000 individuals or more at one time, notice must also be sent to all consumer reporting agencies, such as Equifax, Transunion and Experian.

With notices having been sent, your business’s obligations under the Pennsylvania Breach of Personal Information Act are fulfilled.

Responding promptly and pro-actively to a data breach requires that the business have a technical and legal “playbook” or procedures manual for the inevitable data breach. It would include the above analysis, but go well beyond it. Scrambling to understand legal requirements and technical remediation after the fact is not a good strategy. Indeed, the best strategy is to engineer your IT systems and policies so as to minimize the risk that such a playbook would ever be used.