This is the final installment in a three-part series about data breaches and the requirements of Pennsylvania law relating to data breach notification. The previous posts in this series are: Doing Business in 2019? You Should Be Thinking About Data Security; and When Does a Data Breach Require Disclosure Under Pennsylvania’s Data Breach Notification Act?.

After determining that a data breach has occurred which triggers notification under the Pennsylvania Breach of Personal Information Notification Act, the next steps are to comply with the applicable notification requirements.

Notification Requirements

If a breach requiring notification has occurred, notice in a clear and conspicuous manner may be made by any of the following methods:

  1. Written notice to the individual’s last known home address;
  2. Telephone notice if the individual can reasonably be expected to receive it; or
  3. Email notice, if a prior business relationship exists.

Notice must be given “without unreasonable delay”, subject to a delay requested by law enforcement. Built into the reasonableness requirement for timing is an entity’s ability to take measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

Potential Penalties

Failure to comply with the Breach of Personal Information Notification Act is a violation of the Unfair Trade Practices and Consumer Protection Law, which allows the Pennsylvania Attorney General to seek an injunction, restitution, and civil penalties of up to $3,000 for each willful violation.

Additional Things to Prepare For

In addition to these legal requirements, make sure you also take practical steps to prepare for any customer questions or backlash. Make sure your employees know about the breach and what to say if a customer asks them. Consider getting out in front by issuing statements that not only satisfy the letter of the law, but also emphasize what you’ve done to protect them. In many cases you can prevent an unfortunate situation from becoming worse by thinking through the public relations aspects of a breach at the same time you handle the legal requirements.

Think your business has suffered from a data breach? You should immediately consult with your IT professionals to get as much information about the breach as you can and to prevent further information from being compromised. Then contact your legal counsel to determine your notification obligations under Pennsylvania law and other applicable laws.

Matt Landis is an attorney at Russell, Krafft & Gruber, LLP, in Lancaster, Pennsylvania. He received his law degree from Widener University Commonwealth School of Law and works regularly with business owners and entrepreneurs. Matt is one of the founding members of the RKG Tech Law Group.

This is part two of a three-part series about data breaches and the requirements of Pennsylvania law relating to data breach notification. Part one of this series was Doing Business in 2019? You Should Be Thinking About Data Security.

The first post in this series made the case for why you should take data security seriously. Otherwise, you’ll need to worry about the daunting task of complying with a multitude of data breach notification laws and the public relations nightmare of being the next company that revealed its customers’ personal information.

But as the saying goes: the best-laid plans of mice and men often go awry. Continue Reading When Does a Data Breach Require Disclosure Under Pennsylvania’s Data Breach Notification Act?

This is part one of a three-part series about data breaches and the requirements of Pennsylvania law relating to data breach notification.

If the events of the past few years are any indication, the scale and frequency of data breaches will only increase in 2019. According to Experian’s 2019 Data Breach Industry Forecast, in the first half of 2018, the number of records compromised exceeded the total number of breached records for all of 2017.

In the event of a data breach, legal compliance obligations can be daunting, particularly if your business stores personally identifiable information for residents of other states. All 50 states have data breach notification laws, each of which is slightly different. And do you store information about residents of the EU? Then you may need to worry about how the GDPR applies. Continue Reading Doing Business in 2019? You Should Be Thinking About Data Security

Siri’s been around since 2010, but despite my borderline obsession with Apple products and services, my use of Siri has been limited until fairly recently. I think my increased usage is likely due to several factors, including Siri’s recent improvements, a Series 4 Apple Watch that allows Siri to speak back to me, and voice assistant technology reaching a tipping point for widespread adoption, particularly with the Amazon Alexa and Google Home product ecosystems. Continue Reading Hey Siri, Remind Me To…

Back in July, Matt Landis updated us on several of the stories confirming Lancaster’s technology sector continued to thrive in 2018. As we close out the year, let’s look at a few more that made the news in our area during the second half of the year!

We are looking forward to another great year for Lancaster’s technology sector. Best wishes for a safe, happy, and healthy 2019 from all of us here at #RKGTechLaw!

Brandon Harter is a litigator and technology guru at Russell, Krafft & Gruber, LLP, in Lancaster, Pennsylvania. He received his law degree from William & Mary Law School, advises clients on issues of Civil Litigation & Dispute Resolution and Municipal Law, and chairs the firm’s Tech Law Group.

A few months ago I wrote about the Third Circuit Court of Appeals’ avoidance of ruling on whether employers have a duty to protect their employees’ personal information. We now have an answer to that question (at least in this Commonwealth) from Pennsylvania’s Supreme Court: Yes, yes they do.

On the eve of Thanksgiving the Pennsylvania Supreme Court released its decision in Dittman v. UPMC. This lawsuit was brought by employees of the University of Pittsburgh Medical Center over a data breach that leaked the employees’ names, birth dates, social security numbers, and bank account information. But the existence of a duty by UPMC to protect this personal information remained in doubt. The Court ended this debate by ruling:

an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.

For employees, this is a decision that should be heralded as an important protection against identity theft. After all, what choice does an employee have but to give personal data to their employer? That the employer must protect that information is just common sense. Continue Reading PA Supreme Court Finds Employers Must Protect Their Employees’ Personal Data

When a Stranger Decides to Destroy Your Life (Gizmodo)

This article has been on my mind quite a bit lately, as it highlights some of the worst that social media and the internet have to offer. If you think “it can’t happen to me or my business”, I’d suggest you read this article and consider how you might change your behavior online.

Having worked with clients who are victims of online harassment, I unfortunately find that the circumstances in this article hit close to home. If you are the victim of harassing conduct online, I suggest reaching out to an attorney well-versed in these issues sooner rather than later to discuss your options and develop a plan to minimize the impact on your life and business.

Lancaster Virtual Reality Lounge opening on North Queen Street this November (LancasterOnline)

The name says it all: Lancaster Virtual Reality Lounge will offer a virtual reality arcade experience in downtown Lancaster beginning in November 2018, offering over 200 games and activities to try. Continue Reading Legal Links – September 2018: When a Stranger Decides to Destroy Your Life

This post is part of our ongoing series exploring the impact of technology on legal issues. For an introduction to the series and a collection of the posts in the series, check out this post.

Bing. Bing. Bing. Bing. That would be the sound of a text message showing up on my phone, watch, iPad, and computer all at the same time. Don’t worry, I actually have the sound turned off on all but one of those devices, so I don’t drive myself and everyone around me insane. I love the convenience of it. No matter which device I am using, I can easily respond to a text or call without having to figure out where the heck I left my phone. And because my fiancé has sworn off all things Apple, I never have to worry about him seeing any surprises I’m planning.

But we’re not like most couples. Most couples I know have the same type of phone and if it is an iPhone, they often share the same Apple ID. Sure, this is convenient for a number of reasons. But what happens when a couple decides to separate and forgets that their ex has access to all of their text messages? Or can see their emails? Sadly, I’ve had more than one client who discovered their spouse was unfaithful because the spouse forgot their devices were linked. I’ve had clients who can’t figure out how their ex found out about someone they were talking to months after separating even though they were never seen together publicly and most communication was limited to texting. If you shared an account or had your texts or calls going to another device that you do not have exclusive control over, you need to be mindful that your ex may still have access to what you assume are private calls or text messages. Continue Reading Electronic Devices and Divorce

This post is part of our ongoing series exploring the impact of technology on legal issues. For an introduction to the series and a collection of the posts in the series, check out this post.

“Thank you. We have received your automatic payment.” “Sign up for automatic bill pay to reduce your student loan interest rate.” “Ensure your payments are never late! Sign up to automatically pay your bill.” “Reminder, monthly payment scheduled.”

Those email subject lines are taken directly from my personal email account. I receive regular inquiries trying to persuade me to switch to automatic payments for all of my monthly bills. Clearly from some of the subject lines you can see that I do have some bills (the small ones) set for automatic bill pay and flatly refuse to set up others. Why? Well, in my law school days it was more to prevent an inadvertent overdraft than anything else. However, now, it is more to prevent a mess in the event of my death. Horribly morbid. I know. But I have a very good reason. Continue Reading Automatic Bill Pay: Blessing or Curse?

This post is part of our ongoing series exploring the impact of technology on legal issues. For an introduction to the series and a collection of the posts in the series, check out this post.

Lawyers often get a bad rap for being resistant to change and behind the times with technology. To combat this issue, states are beginning to require technology training as a part of continuing legal education to maintain a law license.

Many more states have already implemented technology-based requirements directly into their ethical rules. For example, Pennsylvania lawyers are required by the Rules of Professional Conduct to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

At Russell, Krafft & Gruber, technology is more than just an ethical requirement. We see technology as an essential tool to help us provide our clients with the best legal representation.

Here are just a few ways that our firm uses technology: Continue Reading The Cutting Edge: Keeping up with Technology