Pennsylvania residents are unprotected against modern data breaches. Over the last fourteen years much has changed with technology. The first Apple iPhone was released in 2007, ransomware became a common word in 2011, and Microsoft Windows 10 was released in 2015. The one thing that hasn’t changed since 2006 is, you guessed it, Pennsylvania’s Breach of Personal Information Notification Act.

If we were to rewind to 2007, data breaches were occurring, but they were typically targeted attacks or the result of the physical loss of hard drives or paper copies. In addition, the average Internet connection speed was only 3.67 Mbps, whereas today my iPhone downloads at faster than 60 Mbps over a cellular connection.

It can be assumed that both how we access data and the amount of data that is stored have grown dramatically since 2007, so why haven’t PA’s breach laws?

In its current form, the law only applies when an individual’s first name or first initial and last name is compromised together with either the individual’s Social Security number, driver’s license number, or a financial account number or credit or debit card number in combination with the security code, access code, or password that would permit access to that financial account.

An individual’s biometric data, user accounts, passport ID numbers, passwords and other data are not protected. This leaves Pennsylvania citizens at risk, because there is no disclosure requirement for businesses that collect and store this data on Pennsylvania citizens.

Often in my experience, breaches occur that contain data which has been encrypted with an old or insecure encryption method. Again, the current PA breach law states that an entity must only provide notice of the breach if the encrypted information is accessed and acquired in unencrypted form, or if the breach is linked to a breach of the security of the encryption or involves a person with access. It does not define what a breach of the security of the encryption is, but it is commonly understood to mean that the decryption key was breached as well.

The law needs to require businesses that do business in Pennsylvania or hold identifiable information of Pennsylvania citizens to report breaches and potential breaches to a government office, such as the Attorney General. A time requirement of roughly 30 days from discovery of the breach should also be added so that citizens are informed in a timely manner when their information has been breached. This should be in addition to the current notice methods.

In my belief there is a lot more that can be done to protect Pennsylvanians, and I believe that this is a fair and balanced starting point that both sides of the aisle can agree on and pass quickly.

October is Cyber Security Awareness Month, and it is time for Pennsylvania legislators and the executive branch to unite on realistic and effective reforms to protect the citizens of the Commonwealth. The simple changes outlined above can bring Pennsylvania’s Breach Notification Law in line with the basic data security protections the citizens deserve. So, I ask our legislators, will you please protect our personally identifiable information?

Contact Info

717.884.9030

Scott@ScottRDavis.com