Back in 2007, the theft of several state computers jeopardized the personal information of as many as 400,000 Pennsylvanians.
Desktop computers from the Department of Public Welfare were taken from offices in Harrisburg and Philadelphia. Then, a laptop issued to the Department of Aging was stolen from a private residence.
There’s no telling what someone might do with stolen data. But state law says agencies must at least notify residents of the theft “without unreasonable delay.”
In these cases, it took up to three weeks for agencies to notify Pennsylvanians the breach had occurred. To Senate Majority Leader Dominic Pileggi, R-Delaware, that’s not fast enough.
Since 2008, Pileggi has introduced legislation that would require state and local agencies to notify residents of any data breach within a week.
The Senate unanimously passed some version of the bill in three separate sessions, most recently in 2011. But the House has never taken it up.
With the rise of digital data storage, Pileggi said the need for stronger notification rules runs deep.
“People need to have disclosure of that loss as soon as possible to protect themselves from identity theft,” Pileggi said. “I think more and more people understand that, and my proposal is a very straightforward, common sense proposal.”
Pileggi told other lawmakers in a co-sponsorship memo the need for his legislation is underscored by the rise of cyber attacks. One of the largest government data breaches happened in late 2012 in South Carolina, where nearly 4 million residents had their Social Security numbers exposed after tax data kept in the Department of Revenue system was stolen.
Hackers also pulled nearly 800,000 Medicaid records from servers with Utah Health Department information, which also contained information of minors in the state’s children’s insurance program.
Pileggi said he has not had a conversation with leaders in the House about SB 114. It already has passed out of the Senate Communications and Technology Committee.
Steve Miskin, spokesman for House Majority Leader Mike Turzai, R-Allegheny, said he did not know if the legislation would wind up on the House agenda, though he said notification of data breaches should occur “as immediately as possible.”
Miskin could not give a specific reason why the House did not take up the bill last time it was passed by the Senate. In the 2007-2008 and 2009-2010 sessions, the House had a Democrat majority.
Back when the DPW thefts occurred in Harrisburg in August 2007, The Philadelphia Inquirer reported the computers carried the names and Social Security numbers of 1,819 residents who were receiving mental health care through the state’s medical assistance program. It also cited department officials who said much of the information was identified by codes, not names, or was password protected.
A few months later, in December, DPW issued a news release saying they were notifying 86 clients whose personal information was stored on a computer stolen from a DPW office in Philadelphia.
Since that time, DPW has changed its own internal procedure. That includes a data breach checklist, and using sample notification letters to quickly reach residents.
Contact Melissa Daniels at firstname.lastname@example.org.