In an Age of Hackers, PA Senate Addresses Data Breach Security

By Melissa Daniels | PA Independent

HARRISBURG — Digitized government data is no stranger to security breaches, but residents may at least be able to count on swift notification when their information is at risk.

The Pennsylvania Senate unanimously passed a bill Wednesday requiring state agencies to notify affected residents of a data breach within a week. The law now says the state must notify them “as soon as possible.”

The legislation, sponsored by Senate Majority Leader Dominic Pileggi, R-Delaware, comes after several data breaches at state agencies jeopardized the information of thousands of residents. In those cases, thefts of state-owned computers exposed the personal information of as many as 400,000 people, including 17,800 Social Security numbers.

Affected residents were not told about the problems for several weeks.

Pileggi said data theft is “a growing concern,” according to a statement after the vote.

“There’s no good reason to delay public notification after a data breach,” Pileggi said. “Potentially affected residents should know what happened as soon as possible when personal information is stolen so they can take steps to protect themselves from identity theft.”

In addition to the seven-day notification requirement, the bill requires state and local agencies involved in a beach to notify the state Office of Administration or local district attorney within three days. Those agencies would decide whether the situation warrants further criminal investigation.

The legislation also requires OA to develop a data storage policy for personal information, one that aims to reduce the risk of data breaches.

A similar bill passed the Senate this past session, but the House failed to take it up. This session, Steve Miskin, House Republican caucus spokesman, said the House will consider the bill.

Misken added Pileggi has communicated with House Majority Leader Mike Turzai, R-Allegheny, about the bill, and the caucus agrees with “the goal of protecting the rights and privacy of people.”

In September 2012, a data breach at the South Carolina Department of Revenue exposed the Social Security numbers of about 3.8 million residents and 3.3 million bank account numbers. The breach was the result of a phishing scam encased in an email opened by an employee.

A research report from Boston-based security firm Rapid7 found individual records at government agencies are increasingly exposed.

In 2010, breaches exposed a total of 1.5 million personal records. Through the first five months of 2012, that figure was 9.6 million.

“Government agencies are facing an increase in data breaches as a result of cyber attacks, weaknesses in federal information security controls, and poor best practices for protecting data on portable devices,” the report concluded.

Categorically, most of these breaches happened as a result of unintended disclosure, such as an email sent to the wrong recipient, or accidentally uploading information. From 2009 through May 2012, 78 out of 268 cases linked back to unintended disclosure.

Lost or discarded portable devices such as laptops, hard drives or smartphones were the next most common cause of data breaches (51 incidents), followed by physical loss of non-electronic records (46 incidents) and hacking (40 incidents).

That last category, though, is a rising concern, according to the Rapid7 report. Between Jan. 1, 2012 and May 31, 2012, government agencies reported more hacking incidents than any other category, and a year-over-year comparison shows a nearly 50 percent increase from 2009 to 2011.

“It’s important to note that the hacking category contains many breaches where the number of records exposed was reported as unknown,” the Rapid7 report read. “This makes it impossible to accurately measure the damage.”

Contact Melissa Daniels at melissa@paindependent.com