“We have to let our clients know their personal information may have been accessed.”
“Did you know your data was hacked.”
These are phrases that no organization ever wants to hear from their IT department or vendor. However, after the initial shock of that statement, you must be able to regroup and determine what needs to be done to comply with the myriad of laws and regulations surrounding data breach notifications. In the state of Pennsylvania, the Breach of Personal Information Notification Act (Act 94) enacted on December 22, 2005, (Breach Notification Act) describes what a reportable event is, how to report the event, and how consumers need to be notified of the event.
What Determines a Reportable Event?
A reportable event happens when Personally Identifiable Information (PII) has been or could have been accessed by an unauthorized individual(s). A security breach definition is unauthorized access and acquisition of computerized data that materially compromises the security of confidentiality of PII maintained by the entity as part of a database of PII regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to individuals.
PII includes multiple items that can identify an individual such as name, address, credit card information, bank account information, driver’s license, identification card, passport information, phone numbers, etc. However, per definition of PII from the Breach Notification Act, a reportable event happens when an individual’s first name/first initial and last name is accessed in combination with and linked to any one of the following data elements when the data elements are not encrypted/redacted:
-Social security number
-Driver license number or state identification card number
-Account number or credit/debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account.
Many agencies will elect to not collect a donor’s PII, and most use third party vendors to process credit and debit card transactions. They also usually shred checks after they have cleared the bank account if they get them back. However, if your organization collects information with respect to clients you help (i.e. human service agencies, health care facilities, etc.), you will want to make sure that you have any PII secure and encrypted at all times.
Refer to our previous blogs on issues regarding security and encryption issues and best practices:
/wp-content/blog/dont-let-your-data-be-a-ransomware-hostage
/wp-content/blog/choosing-the-right-firewall-for-your-organization
/wp-content/blog/cloud-storage-an-overview-and-the-security-risks
/wp-content/blog/cybersecurity-update-protecting-your-network-from-ransomware
In addition to the requirements noted in the Breach Notification Act, some entities will also have to follow requirements outlined in HIPPA (Health Insurance Portability and Accountability Act) for healthcare related entities, FERPA (Family Educational Rights and Privacy Act) for colleges and universities), and PCI DSS (Payment Card Industry Data Security Standard) for any entity that processes credit card payments.
Notification of a Reportable Event
If you find out that your “hack” resulted in a reportable event, you now must determine how to report that event to the appropriate individuals affected by the event. According to the PA Breach Notification Act an Entity shall provide notice of any breach of the security of the system following discovery of the breach of security of the system to any individual whose unencrypted and unredacted PII was, or is reasonably believed to have been accessed and acquired by an unauthorized person.
Please note that it states “following discovery of the breach” in the Breach Notification Act; therefore, you will not be penalized if someone breaks into your database and you do not find out. However, if in the example provided in this article, your IT department has notified you that there has been a breach of your security, you must send a notification out. The notification shall be made without unreasonable delay, which has been clarified in a later House Bill to be within 45 days of the discovery.
The Breach Notification Act also requires that if the breach affected more than 1,000 individuals at one time, the entity shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Therefore, if you have a large data breach in which all of your client records have been compromised, not only do you have to notify each individual, you must also notify the credit rating agencies as well, and this usually then is made public.
Specific Notification
There are a few ways in which you can notify the individuals affected by a data breach. Notices can be sent via mail to the last known home address for that individual. The individual can be contacted by telephone if the customer can be reasonably expected to receive the notification and the notice is given in a clear and conspicuous manner. Finally, the notification can be sent via email, if a prior business relationship exists and the entity has a valid email address for the individual. We have all (or most of us) have received a breach notification from an organization such as Equifax or Target, where some of our PII has been compromised. Most companies choose to mail this type of notification.
House Bill No. 1846 of 2017 (Amendment), which amended the Breach Notification Act, further provided definitions for notification of a breach and for notice of exemptions as well as the specifics of what needs to be included in the breach notification to residents of Pennsylvania. Each notification must include the following:
-The date, estimated date, or date range of the breach of the security of the system
-Whether the notification was delayed as a result of a law enforcement investigation
-A list of the type of PII that were or are believed to have been subject to the breach
-A general description of the breach of the security system
-Toll-free telephone numbers and addresses of consumer reporting agencies if the breach of the security system exposed social security numbers or a government issued identification card number
-The name and contact information of the reporting agency that was notified
The entity providing notification may include information about what the entity has done to protect affected individuals, offer advice on what steps affected individuals may take to protect their information, and what steps the individual whose information has been breached may take to protect themselves.
A security breach can be a scary ordeal at any organization, but having a plan in place to respond to a hack can make dealing with the aftermath much easier and result in a quicker recovery of normal operations. Many agencies mistakenly believe they do not have anything of value for hackers; however, you would be surprised to know that hackers are indiscriminate and equal opportunists in who they target. If you believe something is not right with your systems and network, always bring it to the attention of your IT team and/or IT contractor to ensure that your organization’s infrastructure is still secure.