THE PENNSYLVANIA STATE ASSOCIATION OF BOROUGHS

Cyber Security

Gramm-Leach-Bliley Act (effective November 12, 1999)

The Gramm-Leach-Bliley Act changed the rules for services banks can offer but it also required financial institutions offering consumers loan services, financial or investment advice, and/or insurance, to fully explain their information-sharing practices to their customers. Firms must allow their customers the option to “opt-out” if they do not want their sensitive information shared.

https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
https://www.ftc.gov/business-guidance/resources/how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act#exceptions
https://www.fdic.gov/resources/supervision-and-examinations/consumer-compliance-examination-manual/documents/8/viii-1-1.pdf
https://www.govinfo.gov/content/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf

Financial Institution: A “financial institution” is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.

UC Department

The UC department accepts quarterly payments like any other product or service being sold. The UC then works directly with the State to pay any claims, and the State in turn pays the claimant. The UC does not pay the customer (borough) directly, so no money is exchanged directly with the customer. Additionally, there are a number of exceptions that allow the annual notice to be skipped; they boil down to whether the information-sharing practices are all necessary to provide the service, which in the case of the UC they are. To be cautious, we can add a privacy policy notice to all outgoing newsletters.

MRT Department

The MRT department is still under determination as of 4/2024. The unofficial determination is that PSAB is not a “financial institution” as defined by the bill.

PA Breach of Personal Information Notification Act (BOPINA) (effective May 2, 2023)

An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.

The act was designed only to protect data in computerized/electronic form, not physical (paper) records.

Breach of Personal Information Notification Act

Data Breach Response: A Guide for Business

Personally Identifiable Information (PII)

An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted (Section 2 "Personal information." (1)):

  • (i) Social Security number.
  • (ii) Driver’s license number or a State identification card number issued in lieu of a driver’s license.
  • (iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
  • (iv) (NEW 2023) Medical information: Any individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment or diagnosis created by a healthcare professional.
  • (v) (NEW 2023) Health insurance information: An individual’s health insurance policy number or subscriber number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits.
  • (vi) (NEW 2023) Username or e-mail address, in combination with a password or security question that would permit access to an online account.

Notifications

Triggers

“Breach of the security of the system” means: unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals, and that causes (or the entity reasonably believes has caused or will cause) loss or injury to any PA resident.

Notification may also be avoided if you can build a case that there is no cause for substantial harm to the consumers. For example, let’s say an email with PII was forwarded to someone who shouldn’t have access to it. If you can prove that the one person who received the email didn’t forward it (disseminate it) anywhere, then a risk/harm analysis and a written statement from the recipient might be enough to avoid a notification trigger.

Another scenario is an email with PII sent internally to the wrong employee or department. If we can prove nothing malicious was done, no notification is required, and it would be considered a “good-faith” acquisition.

Acquisition by an unauthorized person, not just access, is required to trigger a breach. That is not true for other (43) states, though; sometimes access is enough.

  • Notification triggered by any “unauthorized access” (CT, FL, NJ, PR)
  • Notification only if determined that incident “reasonably likely to cause substantial harm to consumers” (43 states, including PA)
    • Or, “material compromise” (AZ)
    • Or, notification unless determined that misuse of personal information has not occurred and is not likely to occur (CO)
    • Or, notification required if misuse of personal information for identity theft or fraud purposes has occurred, or is reasonably likely to occur (UT)

Timeframe

Private Sector: Except as provided in Section 4 or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay.

  • Section 4 Exceptions: The notification required by this act may be delayed if a law enforcement agency determines and advises the entity in writing specifically referencing this section that the notification will impede a criminal or civil investigation. The notification required by this act shall be made after the law enforcement agency determines that it will not compromise the investigation or national or homeland security.

Public Sector (county, public school, or municipality): Must provide notice to individuals within seven business days following the determination of a breach and must provide notice to the District Attorney in the county where the breach occurred within three business days following the determination of a breach.

“Public school” is defined as any school district, intermediate unit, charter school, cyber charter school, or area career and technical school.

Notification may be delayed “in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.”

Recipients

  • Most states require notice to credit reporting agencies
  • Most states require that notice be provided to the state’s Attorney General or another state regulator if notice is given to more than 500 or 1,000 residents of the state
  • Each affected individual. Additionally, when an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and number of notices
  • McNees Wallace & Nurick LLC mentioned at the Fall 2023 Conference that a third-party data custodian’s only responsibility is to notify the owners of the data (the clients). The owners of the data would be responsible for notifying the individuals. (This was verbal; I don’t have a document to reference regarding this yet – GEM)

Notice Content

Avoid using the term “breach” until it is absolutely confirmed. Call it an incident, security incident, etc., until proven otherwise. Unless a breach is “determined” according to the given definition, notification may not be required.

With that said, PA doesn’t specify what goes into the notification letter. If you include only the bare minimum and it doesn’t inform well enough, it may not count as notice. Here are some suggestions for information you might want to include in the notice:

  • Description of the incident
  • When the incident occurred, if known
  • What information was believed to be compromised
  • How the thieves have used the information, if known
  • If there was a delay to the notification and why (i.e. police investigation)
  • What actions you have taken to remedy the situation
  • The toll-free telephone numbers and addresses of the major credit reporting agencies
  • What actions you are taking to protect individuals, such as offering free credit monitoring services

There is a Model Letter in Data Breach Response: A Guide for Business.

Security Obligations

“Entities who maintain, store, or manage computerized data on behalf of the Commonwealth that constitutes Personal Information must utilize encryption, or other appropriate security measures, to reasonably protect the transmission of Personal Information over the internet from being viewed or modified by an unauthorized third party.” This may include information managed for the state such as the UC.

  • The same entities must develop and maintain:
    • a policy to govern the encryption or other security measures; and
    • a policy for data storage and retention.
  • Encryption: An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.
  • Employees: “Good faith” acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.

Other Definitions

  • Determination: A verification or reasonable certainty that a breach of the security of the system has occurred.
  • Discovery: The knowledge of or a reasonable suspicion that a breach of the system has occurred.

Related Laws

  1. 50 U.S. state data breach notification laws
  2. Federal laws (industry specific)
    a. HIPAA/HITECH Act (Health care providers/insurers)
    b. Privacy Act and Federal Information Security Management Act (Public sector)
    c. Gramm-Leach-Bliley Act (Financial institutions)
  3. Approximately 109 foreign data privacy laws and regulations
    a. GDPR and Privacy Shield (EU)
    b. PIPEDA (Canada)
  4. Contractual requirements

Reference

This was updated based on the Cyber Security Update presentation by McNees Wallace & Nurick during the 2023 Fall Conference. Questions can be sent to Sandy Garfinkel at sgarfinkel@mcneeslaw.com.