Data Breach Notification Law Update: Utah and Pennsylvania
For businesses subject to data breach notification requirements in Utah and Pennsylvania, a series of significant amendments will soon go into effect in both states. Below is a summary of those amendments.
Amendments to Utah Data Breach Response Law
The Governor of Utah signed S.B. 127 into law on March 23, 2023, amending state data breach disclosure requirements and creating a new state "cyber center" tasked with receiving and managing breach disclosures,[1] collaborating with state and federal agencies in the development of cybersecurity incident response measures,[2] and developing a statewide strategic cybersecurity plan by June 2024,[3] along with other duties. The amendments take effect in early May.
Noteworthy aspects of the amendments include:
- Required reporting of a "system security breach" to both the Office of the Attorney General and the newly created Utah Cyber Center when an investigation of the breach "reveals that the misuse of personal information relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur."[4] Where 1,000 or more Utah residents are affected by such a breach, covered entities also must notify consumer reporting agencies.[5] These new notification requirements will go into effect in early May 2023. Presently, Utah's data breach notification statute has no requirement to notify government agencies or consumer reporting agencies.
- The creation of the Utah Cyber Center, which is responsible for, among other things, developing "incident response plans to coordinate federal, state, local, and private sector activities and manage the risks associated with an attack or malfunction of critical information technology systems within the state."[6]
- A requirement that governmental entities notify the Utah Cyber Center "as soon as practicable" when the entity becomes aware of a system security breach.[7] Once notified, the Cyber Center will be tasked with providing assistance to the government entity in responding to the breach, which may include conducting "all or part" of the breach investigation, assisting law enforcement, determining the scope of the breach, and so forth. Notably, it is unclear whether there is an obligation for governmental entities to notify Utah residents when a breach that may involve personal information is discovered.
Amendments to Pennsylvania's Data Breach Law
A number of significant amendments to Pennsylvania's data breach law are set to go into effect on May 3, 2023. Notably, an expanded definition of "personal information" will include medical and health insurance information, and a user name or email address in combination with a password or security questions and answers that would permit access to an online account.[8]
The amendments also modify the point at which a covered entity is required to provide notice of a data breach.[9] Under current law, a breach notification is required following discovery of a breach. Once the amended law goes into effect in May, companies will be required to issue a breach notice following a determination of a breach.[10] This modification is not merely semantic. The amendments define both "Discovery" and "Determination." "Determination" is "[a] verification or reasonable certainty that a breach of the security of the system has occurred," while "Discovery" is "[t]he knowledge of or reasonable suspicion that a breach of the security of the system has occurred." In shifting from "Discovery" to "Determination," the law does not require companies to provide notice of a data breach until they are at least reasonably certain a breach has occurred. Notably, Pennsylvania law does not require notification of a data breach to the state attorney general or other government entity, and the recent amendments do not add such a requirement.
Additionally, the amendments impose breach notification requirements on state agencies and their contractors. Upon "discovery" (as now defined) of a breach, a state agency contractor must notify the Chief Information Security Officer (CISO) of the customer state agency "as soon as reasonably practical, but no later than the time period specified in the applicable terms of the contract between the State agency contractor and the State agency…."[11]
Looking Ahead
State data breach laws continue to expand across the country, complicating obligations for companies that collect personal information from individuals nationwide. DWT's Privacy and Security team regularly counsels clients on compliance with evolving data breach notification laws—both proactively and following a potential data breach—and other data privacy and security requirements. We will continue to monitor these developments.
[1] Section 63A-16-510(5)(f).
[2] Section 63A-16-510(4)(d).
[3] Section 63A-16-510(5)(a).
[4] Section 13-44-202(1)(c).
[5] Section 13-44-202(1)(d).
[6] Section 63A-16-510(5)(g).
[7] Section 63A-16-511(2).
[8] Breach of Personal Information Notification Act, P.L.474, No.94. See https://www.legis.state.pa.us/cfdocs/legis/li/uconsCheck.cfm?yr=2022&sessInd=0&act=151.
[9] Id. at Section 3.
[10] Id. at Section 2.
[11] Id. at Section 3(a.1)(2).