
Pennsylvania: Cybersecurity


1. GOVERNING TEXTS

Please note that this Guidance Note refers to state-wide legislation for Pennsylvania. In addition to state requirements outlined here, please note that federal cybersecurity requirements may be applicable under federal laws such as the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). For more information, please refer to the following OneTrust DataGuidance Guidance Notes:

The Breach of Personal Information Notification Act of 2005 ('the Act') under §2301 et seq. of Title 73 of the Pennsylvania Statutes ('P.S.') is the primary cybersecurity state legislation applicable to all sectors. Pennsylvania does not have state legislation requiring the implementation of a cybersecurity framework that is applicable to all sectors, but the Supreme Court of Pennsylvania ('the Supreme Court') has held that "an employer has a legal duty to exercise reasonable care to safeguard its employees' sensitive personal information stored by the employer on an internet-accessible computer system." Dittman v. UPMC, 196 A.3d 1036, 1038 (Pa. 2018). Pennsylvania does, however, require the insurance sector to implement a cybersecurity framework.

2. SCOPE OF APPLICATION

The Act applies to an 'entity' that maintains, stores or manages computerised data that includes personal information. The Act also applies to a vendor that maintains, stores or manages computerised data on behalf of another entity. 'Entity' means a Pennsylvania agency, a political subdivision of Pennsylvania, or an individual or a business doing business in Pennsylvania (Sections 2 and 3 of the Act).

The Act applies to 'breach[es] of the security of the system' (i.e., a security breach), which is defined as '[t]he unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.'

'Personal information' means a natural person's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted: (i) Social Security number; (ii) Driver's license number or a State identification card number issued in lieu of a driver's license; or (iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. 'Personal information' does not include publicly available information that is lawfully made available to the general public from Federal, State or local government records.

3. GENERAL REQUIREMENTS

3.1. Implementation of a cybersecurity framework

There is no legislation specifically requiring the implementation of a cybersecurity framework. However, the Supreme Court has held that "an employer has a legal duty to exercise reasonable care to safeguard its employees' sensitive personal information stored by the employer on an internet-accessible computer system." Dittman v. UPMC, 196 A.3d 1036, 1038 (Pa. 2018).

Various state agencies provide recommendations and guidelines for implementing a cybersecurity framework. For example:

3.2. Notification of cybersecurity incidents

3.2.1.  In case of a cybersecurity incident, is there an obligation to notify the regulatory authority?

No.

3.2.2. If yes, please describe the process, timeline, and any other formality that needs to be adhered to.

Not applicable.

3.2.3. In case of a cybersecurity incident, are there other subjects that need to be notified?

Following the discovery of a security breach, an entity must notify affected Pennsylvania residents of the security breach in the most expedient time possible without unreasonable delay (Section 3(a) of the Act).

3.2.4. Please outline any other bodies that might be notified.

When an entity provides notification to more than 1,000 Pennsylvania residents at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and number of notices (Section 5 of the Act).

A vendor that maintains, stores or manages computerised data on behalf of another entity shall provide notice of the security breach, following discovery by the vendor, to the entity on whose behalf the vendor maintains, stores or manages the data. The entity is responsible for making the determinations and discharging any remaining duties under the Act, including providing notification to affected Pennsylvania residents (Section 3(c) of the Act).

For more information please refer to the Pennsylvania - Data Breach OneTrust DataGuidance Guidance Note.

3.3. Appointment of a security officer

Not applicable.

3.4. Other requirements

Not applicable.

4. REQUIREMENTS IN THE INSURANCE SECTOR

Pennsylvania has not adopted the NAIC Data Security Model Law. However, Title 31 of the Pennsylvania Code ('31 Pa. Code') governing insurance contains requirements that insurance providers licensed in Pennsylvania must follow regarding consumer health information, as well as standards for safeguarding customer information (§146a.1 et seq. of the Pa. Code).

4.1. Definitions

Consumer: In regard to consumer financial information, 'Consumer' is defined as '[a]n individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal financial information, or that individual's legal representative' (§146a.2. of the Pa. Code).

In regard to consumer health information, 'consumer' is defined as '[a]n individual, or that individual's legal representative, who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal health information' (§146b.2. of the Pa. Code).

Also, a 'customer' is '[a] consumer who has a customer relationship with a licensee' (§146a.2. of the Pa. Code).

Cybersecurity event: Not applicable.

Information Security Program: A comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information (§146c.3. of the Pa. Code).

Information System: 'Customer information systems' means '[t]he electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information' (§146c.2. of the Pa. Code).

Licensee: A licensed insurer, a producer and other persons or entities licensed or required to be licensed, or authorised or required to be authorised, or registered or required to be registered under the Pa. Code or the Insurance Company Law of 1921, including health maintenance organisations holding a certificate of authority under Section 201 of the Health Care Facilities Act of 1979 (§§146a.2 & b.2. of the Pa. Code).

Non-public Information: 'Nonpublic personal financial information' means personally identifiable financial information or any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available (§146a.2 of the Pa. Code).

'Nonpublic personal health information' means health information that identifies an individual who is the subject of the information or health information that there is a reasonable basis to believe could be used to identify an individual (§146b.2. of the Pa. Code).

4.2. Information security program implementation

A licensee is required to implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards must be appropriate to the size and complexity of the licensee and the nature and scope of its activities (§146c.3. of the Pa. Code).

A licensee's information security program must safeguard the security and confidentiality of customer information, protect against any reasonably anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer (§146c.4. of the Pa. Code).

Examples of methods of development and implementation of the information security program are available at §§146c.5 through 146c.9 of the Pa. Code.

4.3. Cybersecurity incidents

Not applicable.

However, a licensee must follow certain requirements regarding notice of its privacy policies and practices regarding non-public financial information (§§146a.11–a.16 of the Pa. Code).

A licensee must also follow certain disclosure requirements regarding nonpublic financial information (§§ 146a.21–a.33 of the Pa. Code) and nonpublic health information (§§146b.11–b.13. of the Pa. Code).

4.4. Powers / penalties

Violations of the information security program requirements (§§ 146c.3 and 146c.4 of the Pa. Code) are determined by the Commissioner of the Pennsylvania Department of Insurance ('the Department') and are considered to be an unfair method of competition and an unfair or deceptive act or practice and shall be subject to any applicable penalties or remedies contained in the Unfair Insurance Practices Act (40 P.S. §§ 1171.1–1171.15.).

A licensee has violated this chapter when the licensee knew or reasonably should have known of a pattern of activity or a practice of a service provider that constitutes either a violation of the provisions relating to privacy of consumer financial information or privacy of consumer health information, a violation of the provisions relating to safeguarding customer information, or a material breach of the contract or other arrangement between the licensee and the service provider, unless the licensee took reasonable steps to cure the breach or end the violation, as applicable, and, if those steps were unsuccessful, either terminated the contract or arrangement with the service provider or, if termination is not feasible, reported the violation or breach to the Department (§146c.10 of the Pa. Code).

4.5. Other

Not applicable.

5. REQUIREMENTS IN THE HEALTH SECTOR

5.1. Definitions

Not applicable.

5.2. Security program / framework

Not applicable.

5.3. Incidents

Not applicable.

5.4. Penalties

Not applicable.

5.5. Other

Pennsylvania does not have a single piece of legislation governing the entire healthcare sector. Instead, Pennsylvania has a variety of laws governing specific health care data and specific entities that collect and maintain records containing such data:

For more information on federal cybersecurity obligations in the health sector please refer to the following OneTrust DataGuidance Guidance Note USA - HIPAA - Cybersecurity.

6. REQUIREMENTS IN THE FINANCIAL SECTOR

6.1. Definitions

Not applicable.

6.2. Security program / framework

Not applicable.

6.3. Incidents

Not applicable.

6.4. Penalties

Not applicable.

6.5. Other

Not applicable.

For more information on federal cybersecurity obligations in the financial sector please refer to the following OneTrust DataGuidance Guidance Note USA - GLBA Safeguards Rule – Cybersecurity.

7. PENALTIES

Violations of the Act are considered unfair or deceptive trade practices in violation of the Unfair Trade Practices and Consumer Protection Law (73 P.S. § 201-1 et seq.) ('the Consumer Protection Law'). The Pennsylvania Attorney General has the exclusive authority to bring an action under the Act; a private cause of action does not exist for violations of the Act (73 P.S. § 2308).

8. OTHER AREAS OF INTEREST

Other specific Pennsylvania privacy laws to consider include:

Kyle Black Associate
Buchanan Ingersoll & Rooney PC, Pittsburgh
