HARRISBURG, Pa. (WHTM) — The Pennsylvania Senate has advanced a bill that would require state agencies to notify data breach victims within one week.
According to the office of Rep. Kristin Phillips-Hill, Senate Bill 696 would require any state agency, county, school district, or municipality that experiences a data breach to provide notice of the breach to affected victims within seven days of the breach’s discovery.
The legislation was amended to include third-party vendors that conduct business with state and local agencies.
The proposed legislation comes following the Insight Global data breach that impacted at least 72,000 Pennsylvanians.
Employees of Insight Global, who were tasked with the state’s contract tracing, used unauthorized Google accounts — readily viewable online — to store names, phone numbers, email addresses, COVID-19 exposure status, sexual orientations, and other information about residents who had been reached for contact tracing. The company’s contract with the state required it to safeguard people’s data and was later terminated by the state.
“We have seen time and time again that victims of state data breaches are the last to find out that their personal information has been compromised,” Phillips-Hill said. “If your sensitive information is stolen from a state agency or any local governmental entity, you should not find out in the press. This legislation puts in place proper protocols so victims and law enforcement officials are informed of a data breach.”
Get daily news, weather, and breaking news alerts straight to your inbox! Sign up for the abc27 newsletters here
The measure would also require the state’s Attorney General to be notified within three business days of the breach that occurs in a state agency. A county’s district attorney would be notified within three business days if the breach occurred in a county, school district or municipality.
The legislation now advances to the House of Representatives for further consideration.
The Associated Press contributed to this report