Kyle Black, an associate in the firm's Litigation section and Cybersecurity and Data Privacy practice group, was quoted in the Law360 article "Pennsylvania Legislation To Watch In 2023: A Midyear Review." Kyle commented on Act 2 of 2023, which requires insurers in Pennsylvania to follow additional procedures for protecting customers' personal information from cyberattacks.
"If an insurer is doing business in one of the states that has already adopted the model law, then theoretically, an insurer should not have a lot of extra work to be in compliance with Act 2," said Kyle Black, an associate in the cybersecurity and data privacy practice group at Buchanan Ingersoll & Rooney PC.
Black noted that not following the law could still have major consequences for an insurer, including losing the ability to do business in the Keystone State. "A failure to comply with Act 2 can be a major issue for insurers because a failure to comply with all of Act 2's requirements may result in the suspension, revocation or nonrenewal of an insurer's license or authorization to operate in Pennsylvania," Black said. "A failure to comply with Act 2 can also result in additional fines or penalties."
[...] Black said failure to follow the data security, investigation and notification requirements set forth in the act could bolster consumers' claims of negligence or failure to protect private information if there were a data breach.