Over 16 years ago, companies began implementing requirements to notify Pennsylvania residents if their personal information was potentially exposed to or acquired by an unauthorized person.
In November 2022, that requirement was expanded to align with other states’ requirements. Organizations have until May 2, 2023, to be prepared. For most, this will probably mean reviewing and updating their Incident Response Plan. As you know, the ability to respond successfully to a security incident depends on deploying adequately trained employees or partners with real-world experience. Whether you are dealing with a confirmed breach or an active attacker, an incident response plan assures you can mitigate the situation and restore normal business operations as quickly and efficiently as possible.
Here’s a brief snapshot of what you need to know:
- Determination of a breach
In the past, companies that were reasonably suspicious that a breach had occurred were required to notify affected individuals. Senate Bill 696 now requires a determination of a breach. This means there is “a verification or reasonable certainty that a breach of the system’s security has occurred.” Too many organizations have had a suspicion but took advantage of the term “reasonable” to look the other way and err on the side of not notifying. Requiring a determination also means that a formal investigation is now necessary to definitively establish whether a breach occurred, thereby closing any loophole about whether or not to notify affected individuals.
- The definition of Personal Information has been expanded to include medical information, health insurance information, or a username (or email address), in combination with a password or security question and answer that would allow access to an online account.
- Notification Requirements
Public schools, state agencies, counties, and municipalities must now provide notification of a breach within seven business days following the “determination” of the breach. State agencies must notify the Pennsylvania Office of the Attorney General at the same time. A county, public school, or municipality determining a breach must also notify their district attorney within three business days following their “determination.” Agencies must include language that ensures compliance with this in all contracts with contractors, subcontractors, and third-party agencies, which must include a time period for the state agency contractor to notify the state agency if the contractor suffers a data breach.
- Electronic Notification
Electronic notification is still permitted if the “notice directs the person (whose personal information has been materially compromised by a breach) to promptly change their password and security question or answer, as applicable, or take other steps appropriate to protect their online account when the entity has sufficient contact information for the person.” This contact could include email or text alerts.
- Commonwealth Data
There are now specific encryption requirements for entities that maintain, store, or manage computerized data on behalf of the Commonwealth. Entities will need to update their policies for handling this data, taking into account existing federal government and other states’ policies and best practices.
- HIPAA Exemption
The Amendments provide that covered entities and business associates subject to and in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) are deemed to be in compliance.
If you still need an up-to-date, thorough Incident Response Plan, the time to build one is now. If you already have one, it may be time for a practice run.
Ask yourself these questions:
- Are you prepared for an incident? Do you have a thorough plan?
- Have you ever suspected or experienced a breach incident?
- How would your employees respond to a dry run occurring tomorrow?
- Do you need a professional, experienced team to review your Incident Response Plan?
Contact us today if you are ready to review Senate Bill 696 and your Incident Response Plan.
Not in Pennsylvania? Follow your state news here.