The Pennsylvania Senate approved a bill to require state agencies to notify victims of a data breach within a week.
Lawmakers approved Senate Bill 696, sponsored by Sen. Dan Laughlin, R-Erie, on a vote of 32-17 to require any state agency, county, school district or municipality that experiences a data breach to send notice to affected victims within seven business days of discovery.
The bill, passed Wednesday in the Senate, was amended in the Senate Communications and Technology Committee to include third-party vendors working with state and local agencies, a move inspired by a state contractor who exposed the personal information of as many as 72,000 residents as part of work on COVID-19 contact tracing.
Insight Global was awarded $23 million for the work with the Department of Health in 2020 and news investigations later revealed the company repeatedly exposed records that included names, COVID-19 diagnoses, gender, sexual orientation, phone numbers and email addresses.
“Information security is an endless battle. Accomplished hackers are smart, and they are sophisticated when it comes to technology. They enjoy the challenge of matching wits with the technicians charged with providing IT security for government, corporations and financial institutions,” Laughlin said. “That’s what makes Senate Bill 696 so important. We can only hope that the hard work of the state’s IT professionals will be effective in protecting our systems, but we must be ready to immediately respond in the event of a breach.”
Laughlin and Sen. Kristin Phillips-Hill, R-York, pointed to a more recent breach of the state’s unemployment system, exposed by the media, in which hackers diverted money from claimants’ accounts, as evidence of the urgent need for SB 696.
The bill requires state agencies and contractors to notify victims of a data breach within seven business days, and “notification shall be provided concurrently to the Office of Attorney General.” A state agency contractor would be required to notify the chief information officer of the state agency within seven business days, and to notify the Office of Administration within three business days.
The bill would task state agencies with amending existing contracts to include the requirements, if possible, and to include the provisions in future contracts.
Counties, schools and municipalities would be required to notify victims within a week and the proper district attorney within three days. SB 696 allows notification through email for situations in which hackers gain information that can be used to access an online account. The bill would require state employees and contractors to encrypt personal information, and would task the Office of Administration with developing and maintaining a policy for encryption, transmission and storage of personal information.
“We have seen time and time again that victims of state data breaches are the last to find out that their personal information has been compromised,” Phillips-Hill said. “If your sensitive information is stolen from a state agency or any local governmental entity, you should not find out in the press. This legislation puts in place proper protocols so victims and law enforcement officials are informed of a data breach.”
Sen. John Kane, D-Chester, said Democrats are opposing the bill “as it currently stands” because it “still needs additional amendments to make it workable for the Office of Administration and the Department of General Services.”
“I want to thank Sens. Phillips-Hill and Laughlin for agreeing to work with the House on these amendments,” he said. “If amendments are made in the House, I look forward to supporting the bill on concurrence.”