In an age in which our lenders, doctors, lawyers, accountants, and others no longer keep our personal data in paper files, in which vast mountains of confidential information can be easily stored on a small computer disk or portable drive, the consequences of even a single security breach can mean devastation to the credit and finances of thousands. For this reason and because the United States Congress had failed to enact legislation to address the problem on a nationwide basis, in 2005 Pennsylvania joined the growing list of states to enact security breach notification legislation. The legislation, entitled the Breach of Personal Information Notification Act (the “Act”), went into effect on June 20, 2006, and is codified at 73 P.S. §§ 2301, et seq. The effects of the Act are far-reaching indeed.
The Act’s requirements extend to any business organization, whether for-profit or not-for-profit, and any state agency or local political subdivision, that “maintains, stores or manages computerized data that includes personal information.” The requirements likewise apply to entities that destroy records. The Act also reaches beyond Pennsylvania’s borders to organizations chartered or licensed to operate under the laws of other states, of the United States, or of any other country, to the extent that a security breach involves the personal information of a Pennsylvania resident. A large multi-state financial institution could therefore be simultaneously subject to the numerous, and potentially conflicting, notification requirements of several states with respect to a single security breach.
The notification requirements of the Act are triggered by a breach of the security of a computerized data system, and notice must be given “to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.” The Act does not define “reasonably believed,” and thus leaves room for dispute over whether a business acts appropriately when it withholds notice on the belief, or merely the hope, that personal information was not actually accessed or acquired.
For purposes of this notification requirement, “personal information” is defined to mean an individual’s “first name or first initial and last name in combination with and linked to” the individual’s unencrypted or unredacted social security number, driver’s license number or other state identification card number, or any financial account number, credit or debit card number in combination with any security code, access code or password that would permit access to the individual’s financial account. Under the Act, “encryption” means “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” The Act does not specify what level of probability is “low probability.” The Act defines “redaction” to mean “alteration or truncation such that no more than the last four digits of a social security number, driver’s license number” or other identification or account number is accessible as part of the data. The implicit consequence of defining “personal information” to include only data that is neither encrypted nor redacted is that, if the compromised information was encrypted or redacted, the business that experienced the security breach is under no obligation to notify the individuals whose information was improperly accessed or acquired. The term “personal information” does not include “publicly available information that is lawfully made available” from government records.
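As an added illustration (not part of the article, and not the text of the Act), the following Python triage helper applies the two definitions above to records from a constructed leaked data set. A record counts as “personal information” only if a name is linked to an identifier, or to an account number together with its access credential, and an identifier is treated as redacted only when no more than its last four digits remain exposed. The field names and masking characters are assumptions of the example. One design choice is the example’s own rather than the Act’s: because the statutory definition of encryption speaks only of the transform and says nothing about the key, the helper exempts an encrypted field only when the organisation also has no reason to believe the key was taken.

```python
"""Constructed example: classify leaked records against the Act's definitions
of "personal information" and "redaction".  Schema and mask characters are
this example's assumptions, not anything the statute prescribes."""
import re
from dataclasses import dataclass

# Assumed field labels for a leaked data set.
NAME_FIELDS = ("first_name", "last_name")
IDENTIFIER_FIELDS = ("ssn", "drivers_license", "state_id")
ACCOUNT_FIELDS = ("account_number", "card_number")
ACCOUNT_SECRET_FIELDS = ("security_code", "access_code", "password")


def is_redacted(value: str) -> bool:
    """Redaction per the Act: altered or truncated so that no more than the
    last four digits are accessible.  Separators such as '-' are ignored;
    mask characters ('X', '*') count as inaccessible."""
    compact = re.sub(r"[^0-9A-Za-z*]", "", value)
    # Whatever is accessible must be at most four digits, and they must be
    # the trailing ones: "XXXXX1234" and "1234" pass, "12345XXXX" does not,
    # because it exposes five digits that are not the last four.
    return re.fullmatch(r"[^0-9]*[0-9]{0,4}", compact) is not None


@dataclass
class LeakedRecord:
    values: dict                        # field -> value as found in the leak
    encrypted: frozenset = frozenset()  # fields stored encrypted AND whose key
                                        # is not believed compromised (this
                                        # example's conservative choice)

    def accessible(self, name: str, numeric: bool = True) -> bool:
        """Present, not encrypted, and (for numeric identifiers) not redacted."""
        value = self.values.get(name)
        if not value or name in self.encrypted:
            return False
        return not (numeric and is_redacted(value))


def requires_notice(record: LeakedRecord) -> tuple[bool, list[str]]:
    """Return (True, reasons) if the record is unencrypted, unredacted
    "personal information" as the Act defines it; (False, []) otherwise."""
    # The name (first name or initial, plus last name) must itself be readable
    # for the data elements to be "linked to" an individual.
    if not all(record.accessible(f, numeric=False) for f in NAME_FIELDS):
        return False, []
    reasons = [f for f in IDENTIFIER_FIELDS if record.accessible(f)]
    # An account or card number alone is not enough; it must be paired with
    # a code or password that would permit access to the account.
    if any(record.accessible(f) for f in ACCOUNT_FIELDS) and any(
        record.accessible(f, numeric=False) for f in ACCOUNT_SECRET_FIELDS
    ):
        reasons.append("financial account with access credential")
    return bool(reasons), reasons


# Constructed sample leak: the values below are fabricated for the example.
SAMPLE_LEAK = [
    LeakedRecord({"first_name": "J", "last_name": "Doe", "ssn": "XXX-XX-1234"}),
    LeakedRecord({"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-XXXX"}),
    LeakedRecord({"first_name": "Jane", "last_name": "Roe", "ssn": "987-65-4321"},
                 encrypted=frozenset({"ssn"})),
    LeakedRecord({"first_name": "John", "last_name": "Roe",
                  "card_number": "4111111111111111", "security_code": "123"}),
    LeakedRecord({"first_name": "John", "last_name": "Doe",
                  "card_number": "4111111111111111"}),
]


def triage(records: list[LeakedRecord]) -> int:
    """Count the records whose compromise triggers individual notice."""
    return sum(1 for r in records if requires_notice(r)[0])


if __name__ == "__main__":
    for r in SAMPLE_LEAK:
        print(r.values.get("first_name"), r.values.get("last_name"), requires_notice(r))
    print("records requiring notice:", triage(SAMPLE_LEAK))
```

Of the five constructed records, only the second (five SSN digits exposed, so not “redacted”) and the fourth (card number paired with its security code) trigger notice; the masked, encrypted and credential-less records do not. The count such a helper produces also feeds the later thresholds on the page, since substitute notice and consumer-reporting-agency notice both turn on how many individuals must be notified.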
Once a breach of personal information has been established, the business is required to provide notice to the individuals whose information has been compromised. Notice may be given in writing to the last known home address; by telephone, if the customer can reasonably be expected to receive it, the notice is given in a clear and conspicuous manner, and it meets other requirements designed not to further compromise the customer’s personal information; or by e-mail, if a prior business relationship exists and the business has a valid e-mail address for the individual. The Act permits “substitute notice,” consisting of e-mail notice, conspicuous posting of the notice on the business web site, and notification to major statewide media, if the cost of providing the otherwise required notice would exceed $100,000, the affected class of people to be notified exceeds 175,000, or the business does not have sufficient contact information.
Generally, notice of a security breach must be made “without unreasonable delay,” yet another undefined term. However, the notification required by the Act “may be delayed if a law enforcement agency determines and advises the entity in writing…that the notification will impede a criminal or civil investigation.” In such a case, the notification must be made only after the law enforcement agency determines that notification “will not compromise the investigation or national or homeland security.”
Further, when a business provides notification under the Act to more than 1000 persons at a time, the business must also notify all consumer reporting agencies that compile and maintain files on a nationwide basis, of the timing, distribution and number of notices sent.
The Act makes special provision for businesses that maintain their own notification procedures as part of an information privacy or security policy. Such businesses are permitted to follow their own notification policies so long as those policies are “consistent” with the notification requirements of the Act. Similarly, entities that comply with any notification requirements provided by industry-specific federal guidelines or federal regulators shall be deemed to be in compliance with the notification requirements of the Act even if the federally mandated notification requirements are different from those of the Act. This exception not only relieves federally regulated businesses from having to comply with inconsistent legal requirements; it also minimizes the chances that the Act might be declared preempted by inconsistent federal law.
The Act provides that any violation of the Act is deemed an unfair or deceptive act or practice in violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law (the “UTPCPL”). However, while most violations of the UTPCPL can be redressed through private civil actions brought by the aggrieved consumer, a violation of the notification requirements of the Act can be enforced only by the Office of the Pennsylvania Attorney General, which may seek either injunctive relief to require proper notification or prevent future violations, or civil penalties in the event of willful violations of the Act.
Like the new technologies that necessitated the enactment of the Breach of Personal Information Notification Act, the laws governing information technology are continually changing. Business owners who are not fully versed in their obligations to protect the security of their customers’ personal information are well advised to consult with their legal counsel.