In the wake of the Equifax data breach – potentially exposing the personal information of an estimated 143 million American consumers – much has been written about steps that should be taken to prevent the misuse of any exposed information. This massive data breach by a company tasked specifically to protect the sensitive credit information of consumers raises another issue that is just as important. What are the obligations of Equifax in this situation? What are the obligations of any company that experiences a data breach? What if it is your company?
The Equifax data breach may finally prod Congress to pass legislation to address the ramifications of security breaches of this nature. In the absence of federal legislation on the subject, however, many states – including Pennsylvania – have enacted security breach notification legislation. In Pennsylvania, the law is called the Breach of Personal Information Notification Act (the “Act”) and it has been in effect since 2006.
The Act applies to any business organization, whether for-profit or not-for-profit, and any state agency or local political subdivision, that “maintains, stores or manages computerized data that includes personal information.” As the name implies, the Act mandates notification in the event of a breach of the security of a computerized data system “to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.” The Act defines “personal information” to include an individual’s “first name or first initial and last name in combination with and linked to” the individual’s unencrypted or unredacted social security number, driver’s license number or other state identification card number, or any financial account number, credit or debit card number in combination with any security code, access code or password that would permit access to the individual’s financial account.
The Act requires that an entity provide notice of a security breach “without unreasonable delay,” but does permit delay of notification if a law enforcement agency advises the entity that the notification will impede a criminal or civil investigation. In addition, and somewhat ironically, when a business provides notification under the Act to more than 1,000 persons at a time, the business must also notify all consumer reporting agencies that compile and maintain files on a nationwide basis (including Equifax) of the timing, distribution and number of notices sent.
Failure to comply with the Act subjects an entity to enforcement actions of the Pennsylvania Attorney General’s office, which may seek either injunctive relief to require proper notification or prevent future violations, or civil penalties in the event of willful violations of the Act.
An entity that maintains computerized data that includes personal information should consider crafting a formal Data Breach Response protocol that includes compliance with the Act as well as other acts to restore security; establishes a response team and communication channels; examines insurance issues; and addresses customer relations concerns. The Business Group at Stock and Leader is poised to advise businesses and other entities that maintain personal information on Breach of Personal Information Notification Act compliance and to assist entities in establishing a more comprehensive Data Breach Response plan.