New ‘Act 33’ Pennsylvania Law Mandates Stricter Protection for Victims Of Data Breaches

A recently passed Pennsylvania law aims to bolster consumer protections in the aftermath of data breaches. Act 33 of 2024, which is set to take effect in late September of this year, mandates stricter time limits for organizations to issue data breach notices and free provision of credit monitoring to affected individuals in the event of a data breach.

Key Provisions of Act 33 Pennsylvania Law

Under the provisions of the new law, organizations must notify the Pennsylvania Attorney General's Office if a data breach is found to affect more than 500 residents within the state of Pennsylvania.

[Image: Act 33 Pennsylvania Law Data Breach. Source: www.legis.state.pa.us]

The notice is required to include the following details:

(1) The organization name and location.
(2) The date of the breach of the security of the system.
(3) A summary of the breach incident of the security of the system.
(4) An estimated total number of individuals affected by the breach of the security of the system.
(5) An estimated total number of individuals in this Commonwealth affected by the breach of the security of the system.

Along with the reporting requirements, one of the key provisions of the law is the requirement for organizations to provide free credit reports and one year of credit monitoring to all affected consumers. The law introduces a new era of protection for consumers, requiring organizations to assume all costs and fees associated with providing affected individuals with access to credit reports and credit monitoring services. This provision means that individuals from Pennsylvania will not have to pay for these services, which can provide peace of mind in the event of a data breach and add an additional layer of protection to help prevent identity theft and financial fraud. The law defines personal information as an individual's first name or first initial and last name in combination with certain sensitive data elements, such as Social Security numbers, driver's licenses, or financial account numbers. The law is an extension of the amendment act of December 22, 2005 (P.L.474, No.94), which states:
"An act providing for security of computerized data and for the notification of residents whose personal information data was or may have been disclosed due to a breach of the security of the system; and imposing penalties," further providing for definitions, for notification of the breach of the security of the system and for notification of consumer reporting agencies; and providing for credit reporting and monitoring.
The Act 33 law received unanimous support in both chambers of the state legislature, reflecting the broad recognition of the need for stronger data protection measures.

Act Comes Amidst Geisinger Medical Center Data Breach Fallout

Reports of data breach incidents across the United States have surged in recent years, with a record of 3,122 incidents reported in 2023 nationwide – a 72% increase from the previous high in 2021. According to data from the Identity Theft Resource Center, these breaches affected hundreds of millions of Americans and resulted in billions of dollars in losses. The new law comes in the wake of high-profile breaches like the one at Pennsylvania's Geisinger Medical Center, which potentially exposed personal information of approximately one million patients. A former employee has been arrested in connection with the data breach. Jonathan Friesen, Geisinger chief privacy officer, stated in response to the arrest, “Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously.” He added, “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.” Disgruntled former patients of the hospital have joined in a class action lawsuit filed against Geisinger, demanding compensation. One former patient, James Wierbowski, filed a lawsuit on June 28, seeking monetary relief that could amount to more than $5 million.

Australia Gives Online Industry Ultimatum to Protect Children from Age-Explicit Harmful Content

Australia’s eSafety Commissioner has given key online industry players six months to develop "enforceable codes" to shield children from exposure to pornography and other harmful content. The codes will aim to prevent young children from encountering explicit material that is deemed unsuitable for their age. They will also seek to empower Australian internet users with options to manage their exposure to various online materials. While the primary focus is on pornography, the codes will also cover other high-impact content, including themes of suicide, self-harm, and disordered eating. The regulations will apply to app stores, apps, websites (including porn sites), search engines, social media, hosting services, ISPs, messaging platforms, multiplayer games, online dating services, and device providers. The European Union calls these large digital platforms “gatekeepers.”

Why 'Enforceable Codes' are Important

eSafety Commissioner Julie Inman Grant noted the pervasive and invasive nature of online pornography. She said children often encounter explicit material accidentally and at younger ages than before.
“Our own research shows that while the average age when Australian children first encounter pornography is around 13, a third of these children are actually seeing this content younger and often by accident,” - eSafety Commissioner Julie Inman Grant
She clarified that these measures focus on preventing young children’s unintentional exposure to explicit content that revolves around such a sensitive topic. Social media plays a significant role in unintentional exposure, with 60% of young people encountering pornography on platforms like TikTok, Instagram, and Snapchat, according to Inman Grant. “The last thing anyone wants is children seeing violent or extreme pornography without guidance, context or the appropriate maturity levels because they may think that a video showing a man aggressively choking a woman during sex on a porn site is what consent, sex and healthy relationships should look like,” she added. Parents and caregivers are crucial in protecting children, but the industry must also implement effective barriers, Inman Grant stressed. These could include age verification, default safety settings, parental controls, and tools to filter or blur unwanted sexual content. Such measures should apply across all technology layers, from connected devices to app stores, messaging services, social media platforms, and search engines, providing multi-layered protection, the eSafety Commissioner said.

Draft Due Oct. 3, Final Versions by Dec. 19

Industry bodies are required to submit a preliminary draft of the codes by October 3, with final versions due at the end of the year on December 19. Public consultations in the process of defining "enforceable codes" are also a requirement from the eSafety commissioner. eSafety has released a Position Paper to help industry develop these codes and clarify expectations.
“We want industry to succeed here and we will work with them to help them come up with codes that provide meaningful protections for children.” - eSafety Commissioner Julie Inman Grant

eSafety Commissioner Can Set Rules if Efforts Fail

But if any code falls short, then the eSafety commissioner can set the rules for them, under the Online Safety Act provisions. eSafety has also published an Age Assurance Tech Trends Paper examining recent developments in age verification technology to provide additional context. These new codes will complement existing protections under the Online Safety Act, including the Restricted Access System Declaration, Basic Online Safety Expectations Determination, and initial industry codes addressing illegal content like online child sexual abuse material. Additionally, the codes align with broader initiatives such as the Government’s Age Assurance Trial, Privacy Act reforms, the statutory review of the Online Safety Act, and efforts under the National Plan to End Violence Against Women and Children 2022-2032. Last year, the eSafety commissioner had also issued notices to online platforms like Twitter, Meta, and others concerning their approaches to combatting online child abuse. This was followed by a similar action from Inman Grant against online hate over social media platforms.