Pennsylvania on data breach – shoot first, ask questions later
Blaine Kimrey of Lathrop & Gage LLP has a commentary on a breach notification law that passed the PA Senate. As noted previously on this blog, the bill extends existing data breach notification responsibilities to state agencies, but also requires notification of those affected within seven days. Kimrey writes:
After a series of embarrassing governmental data breaches, the Pennsylvania Senate has overreacted, imposing a seven-day notice requirement on governmental entities faced with data breaches. While governmental entities certainly should be held to the same data breach standards as private industry, this seven-day requirement simply goes too far and ensures that in responding to data breaches, Pennsylvania agencies will fail.
You can read his full commentary on Lexology. The bill is now in the House, where it was referred to the Judiciary Committee. The Governor’s office had informed me that if the bill passes, the Governor will likely sign it.