Many ask what a business should do when uncovering a suspected data breach in Pennsylvania. Unfortunately, the answer can be quite complex depending on the business, the nature of the suspected breach, and the data involved. The legal consequences of a data breach, not to mention the business consequences, can be startling to the unwary.
Foremost, the response to a data breach should start before the breach ever happens. A business should have a data security assessment conducted by a qualified cybersecurity attorney to establish a baseline and to create a data breach response plan (see The Unwitting Cybersecurity Trap: The Risks of Relying on Technology Consultants for why simply having a tech firm perform these tasks might not be good enough and might create even more problems for the business). The response plan typically specifies who must be contacted, what forensic evidence should be preserved and collected, risk profiles for each category of data, an inventory of data types, data storage locations, backups, and other action items. With such a plan in place, the business can contact its data breach attorney and start executing the plan as soon as a breach is discovered.
Now suppose you are not in this ideal situation: you are a Pennsylvania business, and you have no data breach response plan.
Pennsylvania Requirements After a Data Breach
Foremost, a patchwork of laws, regulations, and industry standards governs data breaches. Laws and regulations may come from federal authorities or from state authorities, and criminal obligations differ from civil ones. Typically, a business must comply with every applicable federal and state data breach requirement at the same time. This is why a data breach is a legal issue, not just a technical one.
For example, in Pennsylvania, the general data breach law is the Breach of Personal Information Notification Act, 73 P.S. §§ 2301 et seq. (Other states have their own, state-specific breach notification laws.) Essentially, the Pennsylvania law requires a business to notify affected individuals, without unreasonable delay, when their unencrypted and unredacted personal information is accessed and acquired by an unauthorized person.
First, Pennsylvania defines personal information (73 P.S. § 2302) as an individual's first name (or first initial) and last name in combination with any of the following data elements, when the elements are not encrypted or redacted:
- Social Security number,
- driver's license number (or state identification card number), or
- financial account number, or credit or debit card number, together with any required security code, access code, or password that would permit access to the account.
Second, the business must provide the notification. If the business notifies more than 1,000 persons at one time, it must also notify the nationwide consumer reporting agencies. 73 P.S. § 2305. Encryption and redaction narrow the duty, because encrypted or redacted data falls outside the definition of personal information, but encryption is not a blanket exemption: notice is still required if the encrypted data is accessed and acquired in unencrypted form, if the encryption itself was breached, or if the breach involves a person with access to the encryption key. A business that maintains its own notification procedures as part of an information privacy or security policy is deemed to comply with the Act if those procedures are consistent with the Act's notice requirements and the business actually follows them when a breach occurs. 73 P.S. § 2307.
Finally, the required notices must issue "without unreasonable delay." 73 P.S. § 2303. The business may take the measures reasonably necessary to determine the scope of the breach and restore the integrity of its systems first, and notice may be delayed if a law enforcement agency advises the business in writing that notification would impede a criminal or civil investigation. 73 P.S. § 2304. Unfortunately, the statute does not define "unreasonable delay" and, to the best of my knowledge, no court has yet analyzed that requirement.
While the notification requirements seem straightforward, what they mean is determined legally, and this can be a real "gotcha" for some businesses. It is not your personal opinion of what "unreasonable delay" means, what counts as sufficient notification, or whether you need to notify the consumer reporting agencies (and which ones) that controls. These are legal questions, and legal standards apply. Deciding what must be done requires a legal analysis of the circumstances, and that analysis is usually far easier and far more complete when done ahead of time.
Penalties for Failure to Follow the Data Breach Reporting Law
Failure to follow the breach notification law may, at minimum, result in a legal action by the Attorney General. A violation of the Act is deemed a violation of Pennsylvania's Unfair Trade Practices and Consumer Protection Law, and the Attorney General has exclusive authority to bring that action. 73 P.S. § 2308. In other words, the Commonwealth treats a failure to give the required notice as an unfair or deceptive trade practice. Thus, not only does your business potentially suffer the stigma of a data breach, but it may also be sued by the Commonwealth for unfair and deceptive trade practices. (This is yet another reason a business should contact a data breach lawyer before a breach occurs, to set up a legally defensible due diligence plan and to check insurance coverage.) Because the Act reserves enforcement to the Attorney General, it does not itself give individuals a right to sue, but the business may still face civil liability under its contracts and at common law from vendors, subcontractors, banks, credit card companies, and others.
Pennsylvania Computer Crimes Law
Computer crime laws relate to data breaches but are not the same thing. Pennsylvania has several computer crime offenses. See 18 Pa. C.S. §§ 7601 et seq.
The Pennsylvania computer crime laws may sound like an easy out for unwary businesses, which mistakenly assume that you just call the police and the police will "handle it." But breach notification requirements and the criminal prosecution of alleged computer crimes are distinct obligations: filing a police report does not satisfy the business's duty to notify, and notifying does not start a prosecution. Furthermore, breach notification and a criminal investigation may require coordination with law enforcement, and that coordination may call for protections for the business against government overreach or government error. See 73 P.S. § 2304 (permitting notification to be delayed at law enforcement's written request, but providing no statutorily defined protections for the business). Again, all is not as simple as it seems.
Summary of the Pennsylvania Data Breach Reporting Law
The above provides general information about the Pennsylvania breach notification law. Pennsylvania, like most states, has had a breach notification law for over a decade. But Pennsylvania law is not the only law that a Pennsylvania business needs to consider.
As noted, there is an even more complex series of general and industry-specific federal laws that may apply, and even those federal laws may have Pennsylvania-specific permutations. For example, the Third Circuit, which covers Pennsylvania, currently recognizes that the FTC may regulate deficient data security as an "unfair" trade practice. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), or Cybersecurity as an Unfair Practice: FTC Enforcement under Section 5 of the FTC Act. Courts in other circuits have not necessarily reached the same conclusion, which causes confusion. Special reporting may be required for medical and banking data breaches or in other regulated industries. A data breach might also trigger contractual, professional licensure, or vendor obligations (requiring notification of contractors or subcontractors).
Often forgotten, a Pennsylvania business may also need to comply with other states' breach notification laws, because those laws generally apply based on where the affected individual resides, not where the business is located.
Navigating data breach reporting can be daunting and is fraught with traps for the unwary.