The following editorial appeared in the Pittsburgh Post-Gazette. It does not necessarily reflect the opinion of The Tribune-Democrat.
It’s a shame there has to be a law that underscores the obvious, but a proposal wending its way through the state Legislature would codify what should have already been common practice – to let residents know in a timely fashion if there has been a data breach of their personal information.
The Senate Communications and Technology Committee voted unanimously recently to strengthen the Pennsylvania Breach of Personal Information Act. It would require state agencies, counties, school districts and municipalities to notify those affected by a data breach within seven days of the discovery. The state attorney general’s office, or the county district attorney in the case of local issues, must be notified within three business days.
An amendment to the bill also requires that third-party contractors working for the state provide notification of data breaches, and that their contracts include acknowledgement of the requirement.
The move comes on the heels of the controversy surrounding a contractor for the state Department of Health, Atlanta-based Insight Global, which was hired last July to conduct contact tracing of those who tested positive for the coronavirus. In February, it was reported that the company had stored residents’ personal information on unprotected Google spreadsheets.
Health Department officials said security protocols were disregarded by some Insight employees, resulting in the leak of information such as a person’s name, age, gender, sexual orientation and COVID-19 diagnosis. More than 70,000 people were affected by the data breach.
Weeks passed before the Health Department or Insight made any move to inform residents of the data breach. A class-action lawsuit alleges that Insight employees knew of the unsecured spreadsheets as early as November and Health Department officials found out in February.
Tightening the law that protects residents’ personal information clearly is needed.
