Senate advances bill to require timely notification to victims when data breach occurs within state agencies

HARRISBURG – The Senate advanced a measure that will require state agencies to notify victims of a data breach within one week.

Under Senate Bill 696, sponsored by Senator Dan Laughlin (R-Erie), any state agency, county, school district or municipality that experiences a data breach would be required to provide notice of the breach to affected victims within seven days of discovery.

The legislation was amended by the Senate Communications and Technology Committee, chaired by Senator Kristin Phillips-Hill (R-York), to include third-party vendors that conduct business with state and local agencies. The provision was added after a data breach impacted 72,000 Pennsylvania victims: Insight Global, a third-party vendor based in Atlanta, Ga. and tasked with COVID-19 contact tracing, had personal health care records on a publicly accessible website. Compromised records included names, COVID-19 diagnoses, gender, sexual orientation, phone numbers and email addresses.

“We have seen time and time again that victims of state data breaches are the last to find out that their personal information has been compromised,” Phillips-Hill said. “If your sensitive information is stolen from a state agency or any local governmental entity, you should not find out in the press. This legislation puts in place proper protocols so victims and law enforcement officials are informed of a data breach.”

“Information security is an endless battle. Accomplished hackers are smart, and they are sophisticated when it comes to technology. They enjoy the challenge of matching wits with the technicians charged with providing IT security for government, corporations and financial institutions,” Laughlin said. “That’s what makes Senate Bill 696 so important. We can only hope that the hard work of the state’s IT professionals will be effective in protecting our systems, but we must be ready to immediately respond in the event of a breach.”

The measure would also require the state’s Attorney General to be notified within three business days of a breach that occurs in a state agency. A county’s district attorney would be notified within three business days if the breach occurred in a county, school district or municipality.

The latest state data breach is impacting many unemployment compensation claimants who had bank account information changed within their accounts. This led to unemployment compensation claims being paid out to unknown criminals. To date, the impact and timing of the data breach are unknown.

The legislation advances to the House of Representatives for further consideration.


Chloe Mandara (Phillips-Hill)

Dawn Fidler (Laughlin)
