Cybersecurity, Data Privacy and AI
Cybersecurity, Data Breach, Ransomware, Artificial Intelligence: Privacy, Prevention, Response, Mitigation, Litigation
Pittsburgh, Pennsylvania 24/7 Cybersecurity Lawyer HOTLINE: 1-833-511-2243 | databreach@hh-law.com
Date Breach and Cyber Attack Prevention, Response, Insurance, Notifications, Litigation
In any cyber incident, data breach, hack, or unwanted email intrusion, Incident Response (IR) time is of the essence. The Business and Cybersecurity Litigation lawyers at Houston Harbaugh, P.C., are here to assist in addressing the cybersecurity issues facing companies today. A comprehensive set of issues must be addressed to aid companies in minimizing the risk of cybersecurity breaches and to aid companies not if, but when, a data breach occurs. The Federal Trade Commission (FTC) has a Data Breach Response Guide which is an excellent source of information on prevention and response. Click here to see the FTC Data Breach Response Guide. When a business suffers an intrusion or breach, time is certainly of the essence to capture the state of the company’s data; to consult immediately with IT professionals regarding activity logs and audit logs, and to prepare for a claim or litigation.
Breach Response – Insurance Coverage Analysis
Ransomware, e-mail spoofing, text and phone call spoofing, e-mail intrusion, phishing, and other schemes are running rampant in the business world. Sophisticated companies are falling prey to wire fraud schemes and ransom attacks at an alarming rate. These victims frequently turn to their insurance carriers but the maze of seeking insurer indemnity and defense for these matters is complex. Our firm can help work through that maze on both the technical side of the investigation and the mitigation side, including the analysis of insurance coverage options. Our litigation lawyers are well equipped to handle IR and to tackle both the initiation of, or defense of, litigation related to these cyber security breaches and losses.
UAS/UAV – Drone Law and Cyber Threats
There are now new security threats from the use of Unmanned Aerial Systems (UAS/UAV) Drones and a growing body of law regarding these potential security threats and intrusions. Houston Harbaugh drone lawyers offer commercial drone operators, contractors, design professionals, manufacturers, individuals, and municipal governments a full-service approach to drone-related regulatory, investigatory, and litigation issues. See our UAS/UAV Drone Law page here or contact Attorney Corey Bauer at 412-288-2216 or bauerca@hh-law.com for additional information or legal assistance in this area.
Data Breach Response – Notification Requirements
Data breaches are one of the biggest risks facing companies today. Companies must take action to prepare for the worst and to react quickly when it happens on both the technical side and the legal side. Every state has mandatory notification laws. Our firm can counsel on corporate structure issues, insurance coverage, employment law, HIPAA and personal and health care data issues, and protection of data through proper technology infrastructure, technology rules and policies, corporate and employment policies, and litigation if necessary. Cybersecurity takes a team to protect companies and their data through security programs, security awareness training, annual security audits, and Incident Response. A cyber incident or intrusion of any kind (or which results in a breach of Personally Identifiable Information (PII)) may trigger certain legal reporting requirements. Click here for (Westlaw’s link): All states notification laws and the Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act. A link to the actual Pennsylvania statute can be found here.
Cybersecurity Incident Response Notice Requirements – Pennsylvania:
Here is a summary of the Pennsylvania Notification Act:
Enacted in 2006, Pennsylvania’s data breach notification law requires entities doing business in Pennsylvania that maintain, store, or manage computerized personal information of Pennsylvania residents to notify affected individuals of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
Notice must be made without unreasonable delay, and this includes municipal entities.
If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Breached third parties must notify relevant data owners or licensees.
Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
Entities that maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.
Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are entities that comply with relevant notification requirements of federal regulators.
Our firm can help guide you through these reporting requirements but it is best to be prepared in advance. We can help you prepare preemptively and can refer you to highly-regarded technical teams for up-front assistance.
Data breaches are the ultimate sneak attack. A company’s computer systems can be breached for weeks, months, and even years without the breach being detected. Once detected, what action must the company take? A team that includes attorneys, company executives, law enforcement, IT, and human resource management should be in place and prepared to address the various problems that arise. These problems include legal issues —regulatory compliance, protection of intellectual property, recovery of losses, and litigation —technical issues, notification issues, customer relations, public relations, and insurance issues.
2022 Amendment to Breach of Personal Information Notification (BPIN) Act
Important amendments to Pennsylvania’s data breach law – the Breach of Personal Information Notification Act (the “Act”) took effect in May of 2023. This is an important update to Pennsylvania data privacy laws as the legislature attempts to provide additional data protections to the Commonwealth’s citizens.
The Act requires notification to Pennsylvania residents whose personal information data was or may have been disclosed due to a breach of the security of a company’s or other entity’s system. Similar to other states’ data breach notification statutes, the amendment expanded the definition of “personal information.” This expanded definition includes medical and health information, and a user name or email address in combination with a password or security questions and answers that would permit access to an online account.
These items now included in the definition of personal information are in addition to the categories of personal information that all states regulate – such as names in conjunction with driver’s license and social security numbers.
The Act defines a “breach of the security of the system” as “unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals . . ..”
As it stands today, the Act requires notification when a “discovery” has been made that there was a security breach. Beginning May 3, the Act will require notification when a “determination” of a breach has been made. According to the definitions included in the Act and amendment, a “discovery” occurs when the entity has “[t]he knowledge of or reasonable suspicion” that a breach has occurred, while a “determination” occurs when the entity has “[a] verification or reasonable certainty” that a breach has occurred. This is clearly a more “entity-friendly” version of the act, as the company is able to verify a breach before performing notifications.
As an additional improvement to the process of coordinating data reach responses, entities will now be allowed to provide email notice to affected data subjects when the breach involves a user name or email address, in combination with a password or a security question and answer, that could be used to allow access to an online account. An email notice will be permitted under these circumstances if the email directs the individual to promptly change his or her information or to take other appropriate steps to protect the individuals online accounts.
In summary, the new amendment is an improvement for both companies and Pennsylvania citizens. The notification process is improved, as well as the fact that companies can now verify a breach before notification requirements set in. For more information on the Pennsylvania BPINA please contact Houston Harbaugh attorney Corey A. Bauer at bauerca@hh-law.com or 412-288-2216.
Houston Harbaugh Cybersecurity and Data Breach Lawyers
Houston & Harbaugh cybersecurity attorneys have presented both regionally and nationally the following topics: “The Potential Consequences of Data Breach on Compromise or Infringement of Intellectual Property” and “Protecting Your Business in the Digital Age”. To read more about this topic and to see legal resources regarding Cybersecurity and Data Breach Response, please see this website’s Resource Library. Pittsburgh, Pennsylvania Cybersecurity and Data Breach Lawyers | Incident Response | BPIN.
Listen to a Houston Harbaugh podcast regarding the real-world Kaseya ransomware attack:
Contact Our Pennsylvania Cybersecurity Attorneys Today:
Houston Harbaugh can help your company take action to minimize the threat of data breaches and to guide you through IR. For immediate help on data breach or ransomware response, contact HH Shareholder Henry Sneath by email now to databreach@hh-law.com or call: 1-833-511-2243.
Pittsburgh, Pennsylvania Cybersecurity and Data Breach Lawyers | Incident Response | BPIN