The General Assembly has approved Sen. Dan Laughlin’s legislation, Senate Bill 696, that would require state agencies and their contractors, as well as local governments, to notify victims of a data breach involving personally identifiable information within one week of such a breach being determined.
“As we are now all well aware, information security is an endless battle,” said Laughlin (R-49). “Pennsylvania state government has seen prime examples of that with the Insight Global data breach that exposed COVID-19 contact tracing data and the personal information of some 72,000 Pennsylvanians, and the more recent data breach that impacted many unemployment compensation claimants who had bank account information changed within their accounts allowing criminals to steal their jobless benefits.”
In addition to requiring any state agency, county, municipality, public school or state agency contractor to provide notice of a breach to affected victims within seven business days of determination, SB 696 requires that the state’s Attorney General be notified concurrently of a breach that occurs in a state agency. A county’s district attorney would be notified within three business days if the breach occurred in a county, school district or municipality.
“Accomplished hackers are smart, and they are sophisticated when it comes to technology. They enjoy the challenge of matching wits with the technicians charged with providing IT security for government, corporations and financial institutions,” Laughlin said. “That’s what makes Senate Bill 696 so important. We can only hope that the hard work of the state’s IT professionals will be effective in protecting our systems, but we must be ready to immediately respond in the event of a breach.”
“It is understandable that any agency victimized by a data breach would be embarrassed and reluctant to publicly report the incident, but it is certainly much more important to immediately inform citizens about the theft of their personal information so that they can take steps to protect their assets,” said Laughlin. “Pennsylvania’s recent experience with data breaches clearly shows the need for the state to act quickly to protect its citizens when a data breach occurs.”
The bill will head to the governor for his consideration.