Last month I had a business client come into my office concerned about a data breach. A disgruntled former employee hacked into the company server. While it appears this employee did not enter into any sensitive areas on the server, my client wanted to know what his responsibilities were with regard to notifying customers of this unauthorized intrusion. After quickly moving for an injunction to prohibit further intrusions, we sat down with our client to review his data breach policy. Not surprisingly, he did not have one.
Every data breach policy has to be created with an eye towards the sector in which your business operates. For example, HIPAA notification requirements with regard to "protected health information" are different from the requirements for a web-based business.
In Pennsylvania we have the Breach of Personal Information Notification Act. This law has been on the books since June 2006 and is currently in the process of being amended as it relates to municipalities and school districts. The Act applies to any business organization (for-profit or non-profit) that maintains or stores computerized data that includes personal information. Its impact is far reaching because it also applies to businesses in other states whose customers are Pennsylvania residents.
Notification requirements are triggered when there is a breach of a computer data system where any "resident of Pennsylvania's unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person." I won't bore you with the intricacies of how all these seemingly simple words have definitions that go on for pages. Suffice it to say that even the definition of "reasonably believed" is complicated. The key takeaway, however, is that the notification requirements are NOT triggered if the information is encrypted or redacted. Failure to comply will prove costly, as the Act provides that a violation is deemed to be a violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Circling back to my client who contacted me last month, his records were encrypted, and thus Pennsylvania's Breach of Personal Information Notification Act did not apply. However, we reviewed and updated his data breach policy to bring it into compliance with the existing laws that affected his business. At Danziger Shapiro & Leavitt we understand the global environment that affects your business and are here to assist you in navigating the complicated web of laws and regulations that must be complied with in this new electronic world. Please feel free to contact any of our attorneys for a free consultation to discuss any concern that is affecting your business.