On December 22, 2005, Governor Rendell signed Senate Bill 712, the Breach of Personal Information Notification Act (the "Act"), and noted that the "new law will ensure that personal information is protected in the event that it is stolen" and that it "will provide a strong line of defense in the event personal information is stolen." The Act has important implications for all entities that maintain, store or manage personal information of residents of Pennsylvania on computers. The Act takes effect June 20, 2006.
The Act broadly applies to any "sole proprietorship, partnership, corporation, association or other group," whether for profit or not for profit, that maintains, stores or manages computerized data with personal information, including Pennsylvania governmental agencies and subdivisions, financial institutions and entities that "destroy records."
The Act defines personal information to include an individual's first name or first initial and last name in combination with and linked with any of the following data elements when the data elements are not encrypted or redacted: "(i) social security number; (ii) drivers license number of a state identification card . . . (iii) financial account number, credit or debit card number, in combination with any required security code, access code or password."
The Act defines a "breach" as an "unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as a part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth."
Timing of Notice
Notice to any resident of the Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person must be provided without "unreasonable delay" following discovery of the breach.
Methods of Providing Notice
Notice can be provided in the following manners: (i) written; (ii) telephonically subject to certain requirements; and (iii) via email if a prior business relationship exists and the entity has a valid email address. Substitute notice is available if the cost of notice using one of the recommended methods exceeds $100,000 or the number of individuals affected exceeds 175,000 or the entity simply does not have adequate contact information for notice.
If the notification is to be provided to more than 1,000 persons at one time, the entity also must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and number of such notices.
Notification may be delayed if a law enforcement agency determines that notice "will impede a criminal or civil investigation."
Penalties for Violations of the Act
A violation of the Act constitutes a violation of the Unfair Trade Practices and Consumer Protection Act for which the Pennsylvania Attorney General's office will have exclusive jurisdiction.