Breach of Personal Information Act
On December 22, 2005, Pennsylvania joined a number of other states which seek to protect consumers from security breaches involving unauthorized distribution of personal information. This new law, which took effect on June 20, 2006, is called the Breach of Personal Information Notification Act, and it can be found at 73 P.S. § 2301 et seq. Simply put, the Act seeks to force businesses to promptly notify residents of the Commonwealth when any of their personal information has fallen into the wrong hands, or when the security of the business's records is breached.
The new law is broadly drafted, touching every single entity doing business in the Commonwealth, whether for-profit or non-profit, whether multinational or a sole proprietorship. A “business” is defined in the Act as “a sole proprietorship, partnership, corporation, association or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered or holding a license or authorization certificate under the laws of this Commonwealth, any other state, the United States or any other country, or the parent or the subsidiary of a financial institution. The term includes an entity that destroys records.”
By its terms, the Act seeks to protect “personal information,” which is defined as an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
- Social Security number
- Driver’s license number or a State identification card number issued in lieu of a driver’s license
- Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
The definition of personal information does not include publicly available information that is lawfully made available to the general public from Federal, State or local government records.
Two words in the above definition of “personal information” are further defined by the Act: “encryption” and “redact.” Encryption, as defined in the Act, is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. “Redact” includes, but is not limited to, alteration or truncation such that no more than the last four digits of a Social Security number, driver’s license number, State identification card number or account number is accessible as part of the data.
A further definition is important to understand the meaning of the Act. “Breach of the security of the system” is defined as the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.
The definition sections of the Act leave open the question of whether the theft of a handwritten client list with names, Social Security numbers, account numbers, and security codes would fail to trigger the Act because the list was not “computerized data.” One is also left to ponder the effect of the word “materially.” There is unavoidably some subjectivity in such wording, such that the notice provisions could conceivably be ignored if the security or confidentiality of the personal information is deemed not to be “materially” compromised. Only time, and the eventual litigation over these issues, will allow a business’s true obligations under this law to be comfortably understood.
With these definitions in mind, we turn to the heart of the Act – the notice requirement. The Act provides that an entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system, following discovery of the breach, to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. The notice must be made without unreasonable delay unless a law enforcement agency determines that the notice will impede an investigation or will compromise national or homeland security. A vendor that maintains the data on behalf of another entity must provide notice of any breach of its systems to the entity for which it stores the records, and that entity then has the obligation to provide the required notice.
One last definition, then, is crucial. What is the required notice?
The Act requires that notice be provided by any of the following methods:
- written notice to the last known home address for the individual;
- telephonic notice, if the customer can be reasonably expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies personal information but does not require the customer to provide personal information and the customer is provided with a telephone number to call or Internet website to visit for further information or assistance;
- e-mail notice, if a prior business relationship exists and the person or entity has a valid e-mail address for the individual; or
- substitute notice, if the entity demonstrates that the cost of providing notice would exceed $100,000, or the affected class of subject persons to be notified exceeds 175,000, or if the entity does not have sufficient contact information.
Substitute notice consists of all of the following:
- e-mail notice when the entity has an e-mail address for the subject persons,
- conspicuous posting of the notice on the entity’s Internet website if the entity maintains one, and
- notification to major Statewide media.
The penalties for violating the Act are potentially severe. A violation is deemed to be an unfair or deceptive act or practice in violation of the Unfair Trade Practices and Consumer Protection Law (UTPCPL). Only the Attorney General has the authority to bring an action under the UTPCPL for a violation of the Act. 73 P.S. § 2308. If the Attorney General seeks an injunction which is then violated, or if an entity breaches the terms of an assurance of voluntary compliance, under the UTPCPL the entity must pay a civil penalty to the Commonwealth of not more than five thousand dollars ($5,000.00) for each violation. If the court finds that an entity is willfully violating the Act, the Attorney General may seek a civil penalty not exceeding one thousand dollars ($1,000.00) per violation, and where the victim of the willful violation of the Act is sixty years of age or older, the civil penalty sought can be up to three thousand dollars ($3,000.00) per violation. 73 P.S. § 201-8.
Only time will tell what the real effect of the Breach of Personal Information Notification Act will be. However, any person or entity maintaining the personal information of Pennsylvania residents will be wise to become familiar with the requirements of the Act, and should prepare plans for how to deal with a potential breach of security.
Levi S. Wolf, Esquire is a partner in the Pottstown law firm of Wolf, Baldwin & Associates, P.C. The firm represents many types of business clients, from sole proprietorships to medium-sized businesses. Mr. Wolf can be reached at 610-323-7436, or by e-mail to [email protected].