Pennsylvania - Sectoral Privacy Overview
August 2024
1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION
1.1. Overview
Like many US jurisdictions, Pennsylvania's information privacy and security guidance is a patchwork and continues to evolve. Pennsylvania constitutional and common law rights in informational privacy are well developed by a deep bedrock of case law. The Supreme Court of Pennsylvania (PA Supreme Court) has recognized a common law duty of reasonable care for the protection of personal data in a landmark decision that promises further expansion into rights of data security. Statutes prohibiting unlawful wiretapping and identity theft provide both criminal and civil causes of action, which have been used to advance private online tracking litigation (discussed below). The state's consumer protection law, the Unfair Trade Practices and Consumer Protection Law (Unfair Trade Practices Law) (under §201-1 et seq. of Chapter 4 of Title 73 of the Unconsolidated Pennsylvania Statutes (Pa. Stat.)), has provided the Pennsylvania Attorney General (AG) the authority to commence enforcement actions against companies sustaining large data breaches due to inadequate cybersecurity practices. The statute also creates a private cause of action with a fee-shifting component, although to date plaintiffs' attorneys have been unsuccessful in maintaining a data breach class action under the statute.
1.2. Constitutional Right to Privacy
The Constitution of the Commonwealth of Pennsylvania (Pennsylvania Constitution) grants individuals limited rights against state and local governments in Pennsylvania. The right to privacy is a keystone provision. Article I, §8 of the Pennsylvania Constitution provides protection against unreasonable searches and seizures. It states: 'The people shall be secure in their persons, houses, papers and possessions from unreasonable searches and seizures, and no warrant to search any place or to seize any person or things shall issue without describing them as nearly as may be, nor without probable cause, supported by oath or affirmation subscribed to by the affiant.'
In 2016, the PA Supreme Court held: '[t]his right of privacy typically arises when the government seeks information related to persons accused of crimes or other malfeasance, and requires an assessment of the extent to which the government's demands invade the bounds of the person's subjective privacy interest, which in turn requires consideration of the extent to which the person's privacy interests are reasonable1.'
When weighing the strength of a citizen's right of privacy against a government search and seizure, Pennsylvania courts require 'a factual examination of whether (1) the person has exhibited an actual (subjective) expectation of privacy in the items to be searched or disclosed, and (2) whether society is prepared to recognize this expectation as reasonable and protectable2.'
Pennsylvania constitutional rights to privacy are not limited to government searches or persons accused of or associated with criminal activity. The PA Supreme Court has stated that the 'right to informational privacy' is a constitutional right and includes the right of an individual to control the access to, or the dissemination of, their personal information3. The PA Supreme Court has further stated that Article I, §1 of the Pennsylvania Constitution provides the basis for individual rights to informational privacy. Specifically, the PA Supreme Court has stated that Article I, §1 of the Pennsylvania Constitution provides a 'broader array of rights granted to citizens' than §8 addressing government searches and seizures4. Titled 'Inherent Rights of Mankind', Article I, §1 of the Pennsylvania Constitution states, 'All men are born and equally free and independent, and have certain inherent and indefeasible rights, among which are those of enjoying and defending life and liberty, of acquiring, possessing and protecting property and reputation, and of pursuing their own happiness.' The PA Supreme Court has reasoned that the right to happiness referenced in §1 includes a right to privacy, concluding that, '[o]ne of the pursuits of happiness is privacy5'.
As more recently stated by the PA Supreme Court, '[t]here is no longer any question that the United States Constitution and the Pennsylvania Constitution provide protections for an individual's right to privacy,' including 'the individual's interest in avoiding disclosure of personal matters6.'
The right to informational privacy guaranteed by Article I, §1 of the Pennsylvania Constitution may not be violated by the government 'unless outweighed by a public interest favoring disclosure7.' Pennsylvania's Right-to-Know Law (RTKL) (under §67.101 et seq. of Chapter 3A of Title 65 of the Pa. Stat.) grants public access to certain governmental records through the use of a Right-to-Know Request (RTKR). RTKRs are often filed with the Open Records Officer in the Office of Consumer Advocates, but they may also be directed to the agency or government office that holds the records. Under §708(b) of the RTKL, 30 exceptions that are exempt from access through a RTKR are provided. The exceptions are intended to balance an individual's right of privacy with the public's right to know how government agencies conduct business and make decisions on its behalf (§67.708 of the RTKL). 'Records in an agency's possession are presumed public unless exempt under an exception in the RTKL, a privilege, or another law.'8 '[T]he RTKL does not supersede the public nature of a record established by statute or regulation.'9
Court records are also subject to RTKRs. Litigants using pseudonyms to protect their privacy may face challenges to their anonymity under the RTKL. In Doe v. Triangle Doughnuts, LLC, the U.S. District Court for the Eastern District of Pennsylvania (Eastern District Court) recognized that while the public's 'right to know who is using their courts […] is deeply rooted in the common law and predates even the Constitution,' encroachment into a plaintiff's closely guarded privacy may under certain circumstances outweigh the necessity of having a public trial10. Balancing the need for a public trial against allowing the plaintiff, a transgender female, to remain anonymous as Jane Doe for purposes of conducting discovery and depositions instead of disclosing her legal name, the court held that 'the public interest for maintaining the confidentiality of the litigant's identity outweighs the need for a public judicial proceeding.' The court concluded that 'because forcing Plaintiff to reveal her identity risks putting her in danger of physical harm […], it is likely that Plaintiff would choose not to continue pursuing her claim […] [and i]t is also likely that other similarly situated litigants would also be deterred from litigating these types of claims for the same reasons.'11
RTKRs also may require careful review and balancing of state privacy rights granted under §67.708 of the RTKL and other applicable statutes, such as the Family Educational Rights and Privacy Act of 1974 (FERPA)12. For instance, in West Chester University of Pa. v. Rodriguez, the Commonwealth Court of Pennsylvania noted in its remand order directed to the Pennsylvania Office of Open Records (OOR) that, 'to the extent this matter involves direct, third-party interests in nondisclosure of the requested records, it may be appropriate for the OOR to require notice to parties so interested and allow their participation pursuant to §1101(c)(2) of the RTKL.'13
1.3. Common law right to privacy
Pennsylvania also recognizes a common law right to privacy that individuals enforce against companies and other individuals by filing causes of action in civil court. The common law invasion of privacy claim is comprised of four distinct, yet interrelated torts14. Those torts are15:
- intrusion upon seclusion;
- appropriation of name or likeness;
- publicity given to private life; and
- placing a person in a false light.
Recently, the PA Supreme Court has referenced a general right to privacy in its opinions. In Pennsylvania State Education Association v. Commonwealth of Pennsylvania Dept. of Community and Economic Development, the court held that the public's interest in information dissemination under the state's RTKL did not outweigh the constitutional privacy interests of public school employees and their right to privacy in their own homes16. In its analysis, the PA Supreme Court confirmed that the right to informational privacy in the Pennsylvania Constitution is related to a broad array of rights and confirmed that the Pennsylvania Constitution provides even 'more rigorous and explicit protection for a person's right to privacy than does the United States Constitution17.'
Intrusion upon seclusion
A claim for intrusion upon seclusion may be asserted when '[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy if the intrusion would be highly offensive to a reasonable person18.' The claim may be based upon a physical intrusion into a place where the plaintiff has secluded himself, the use of the defendant's senses to oversee or overhear the plaintiff's private affairs, or some other form of investigation or examination into plaintiff's private concerns19.
The cause of action cannot survive if the defendant investigated the claimant or otherwise obtained the information through legitimate means. For example, in Burger v. Blair Med. Assocs., the intrusion upon seclusion claim could not stand where the defendant obtained the claimant's medical records through executed medical release20.
Publicity given to private life
A claim for publicity given to private life may be asserted when '[o]ne who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter published is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public21.' The elements for the claim are22:
- publicity, given to;
- private facts;
- which would be highly offensive to a reasonable person; and
- is not of legitimate concern to the public.
The element of 'publicity' requires that 'the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge23.' Notably, the cause of action for publicity given to private life is separate and distinct from a cause of action for breach of physician-patient confidentiality and is governed by different statutes of limitations24.
False light
A claim for false light involves 'publicity that unreasonably places the other in a false light before the public25.' In a claim for false light, the claimant must show both 'publicity, given to private facts, which would be highly offensive to a reasonable person and which are not of legitimate concern to the public26.' A claim for false light 'will be found where a major misrepresentation of a person's character, history, activities or beliefs is made that could reasonably be expected to cause a reasonable man to take serious offense27.'
For the publicity element of a false light claim, '[i]t is enough [for the plaintiff] that the defendant has given publicity to any matter concerning the plaintiff that creates a 'highly offensive' false impression about the plaintiff28.' However, if the matter is of legitimate public concern, a claim for false light will fail and be dismissed29.
Misappropriation of name or likeness
A claim for misappropriation of name or likeness involves instances where a defendant appropriated to their own use or benefit the reputation, prestige, social, or commercial standing, public interest, or other values of the claimant's name or likeness30. In Eagle v. Morgan, the Eastern District Court held that an employer's use of a former employee's LinkedIn account constituted an invasion of privacy by appropriation of name or likeness31. In addition, the Eastern District Court noted, 'The Restatement (Second) of Torts describes a tortfeasor who has committed an invasion of privacy by appropriation of name or likeness as '[o]ne who appropriates to his own use or benefit the name or likeness of another32.''
To be liable for misappropriation of name or likeness, the defendant must have appropriated to their own use or benefit the reputation, prestige, social or commercial standing, public interest, or other values of the plaintiff's name or likeness. Until the value of the name has in some way been appropriated, there is no tort33. Thus, incidental use without the purpose of taking advantage of the value of the claimant's name or likeness is not misappropriation34. Rather, '[w]hen the publicity is given for the purpose of appropriating to the defendant's benefit the commercial or other values associated with the name or the likeness the right of privacy is invaded35.' Invasion of privacy by the appropriation of name or likeness does not require the appropriation to be done commercially36.
Right of publicity
Under Pennsylvania law, the right of publicity is a separate and distinct cause of action from invasion of privacy and is based on principles of property rights. However, because litigants (and sometimes courts) often confuse the cause of action with the invasion of privacy tort of misappropriation of name or likeness, this overview touches upon the claim. Pennsylvania law recognizes both a common law and a statutory claim.
The common law right of publicity grants a person an exclusive entitlement to control the commercial value of their name or likeness and to prevent others from exploiting it without permission37. A defendant invades this right by 'appropriating its valuable name or likeness, without authorization, [and using] it to the defendant's commercial advantage38.' The right of publicity protects against commercial loss caused by appropriation of a name or likeness, and thus more closely resembles a property right created to protect commercial value39. Consequently, whereas invasion of privacy by appropriation of name or likeness does not require the appropriation to be done for commercial purposes, violation of the right of publicity requires it40.
Pennsylvania law also has a statutory claim for unauthorized use of name or likeness, under §8316 of Subchapter A of Chapter 83 of Title 42 of the Pennsylvania Consolidated Statutes (Pa. C.S.). The statute creates a private cause of action, stating that, '[a]ny natural person whose name or likeness has commercial value and is used for any commercial or advertising purpose without the written consent of such natural person or the written consent of any of the parties authorized in subsection (b) may bring an action to enjoin such unauthorized use and to recover damages for any loss or injury sustained by such use' (42 Pa. C.S. §8316(a)). The person whose name has been appropriated, their parent or guardian, if a minor, or any person or entity with a written license to use the person's likeness for commercial or advertising purposes, may commence a claim under the statute (42 Pa. C.S. §8316(b)). If the person is deceased, any person, firm, or corporation with a proper written license, as detailed in the statute, to the commercial or advertising use of the person's name or likeness, also may bring an action (42 Pa. C.S. §8316(b)).
The statute defines 'name' or 'likeness' as '[a]ny attribute of a natural person that serves to identify that natural person to an ordinary, reasonable viewer or listener, including, but not limited to, name, signature, photograph, image, likeness, voice or a substantially similar imitation of one or more thereof' (42 Pa. C.S. §8316(e)). The statute defines 'commercial or advertising purpose' to include 'the public use or holding out of a natural person's name or likeness: (i) on or in connection with the offering for sale or sale of a product, merchandise, goods, services or businesses; (ii) for the purpose of advertising or promoting products, merchandise, goods or services of a business; or (iii) for the purpose of fundraising' (42 Pa. C.S. §8316(e)). The term does not include the public use or holding out of a natural person's name or likeness in a communication where: the person appears as a member of the public and is not named or otherwise identified; the purpose is associated with a news report or news presentation having public interest; the communication is an expressive work or an original work of fine art; it is associated with the announcement, for a commercial or advertising purpose, of a use permitted in 42 Pa. C.S. §§8316(e)(ii), (iii), or (iv); or it is associated with the identification of a person as the author of or contributor to a written work, or as a performer of a recorded performance, where the written work or the performance is lawfully produced, reproduced, exhibited, or broadcast (42 Pa. C.S. §8316(e)).
The statute has a safe harbor for unknown violations. It provides that '[n]o person, firm or corporation, including their employees and agents, in the business of producing, manufacturing, publishing or disseminating material for commercial or advertising purposes by any communications medium shall be held liable under this section unless they had actual knowledge of the unauthorized use of the name or likeness of a natural person as prohibited by this section' (42 Pa. C.S. §8316(d)).
Common law right to data security
The PA Supreme Court recognized the right in the common law to have one's data kept secure. Dittman v. UPMC held that 'an employer has a legal duty to exercise reasonable care to safeguard its employees' sensitive personal information stored by the employer on an internet-accessible computer system41.' Although the PA Supreme Court rendered the decision in the context of an employer-employee relationship, because it relied upon longstanding principles of common law, many anticipate that the decision will apply to contexts outside the employment relationship. Unlike invasion of privacy claims, this court-recognized cause of action is based solely on underlying tort principles of duty of care.
In Dittman, former and current employees of the University of Pittsburgh Medical Center (UPMC) commenced a class action lawsuit after the UPMC sustained a data breach compromising employee personal information. Plaintiffs asserted that the UPMC failed to implement adequate security measures to protect the data, including early detection, proper encryption, and authentication protocols42. Applying the tort principle that a person who undertakes an affirmative act must exercise reasonable care, the PA Supreme Court concluded that the UPMC's collection of employee data was an affirmative act to trigger such a duty43.
Although the wrongdoing of a third party can act as a superseding event that absolves the affirmative actor of liability, the PA Supreme Court concluded that the exception did not apply in the case before it. Instead, because the UPMC collected plaintiffs' personal data, it knew or should have known that a third party might try to hack into its allegedly inadequately secured network to steal the data. Thus, 'the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [plaintiffs'] personal and financial information from that breach44.' It is important to note that Dittman was decided at the dismissal stage, where courts are required to treat the allegations in a complaint as true.
By recognizing a common law duty of care to protect data independent of any statute or regulation, Dittman represents a flagship decision in the US, and it will be interesting to see whether appellate courts in other states follow Pennsylvania's lead. The Eastern District Court, in analyzing Wawa's affirmative duty related to collecting payment card information, held that post-Dittman state law imparts an independent duty on companies to reasonably secure their payment systems45. In that case, hackers accessed Wawa's point of sale systems, installed malware, and were able to obtain millions of customer payment card numbers. There were three litigation tracks born out of the hundreds of suits filed against Wawa: the 'Consumer Track,' the 'Employee Track,' and the 'Financial Institution Track'. In the Financial Institution Track, the Eastern District Court accepted the financial institutions' argument that because Wawa accepted payment cards, it had a duty, independent of any contract, to comply with the financial institutions' rules and standards for consumer data, and that, additionally, Wawa was on notice of the potential security concerns related to other recent retail point of sale hacks46. However, the court noted that where parties have specifically contracted to certain data privacy and security requirements, a court – using the gist of the action doctrine – will look to the contractual nature of those requirements as superseding any common law right47. See generally, Santoro v. Tower Health, 2024 WL 1773371, at *5 (E.D. Pa. Apr. 24, 2024) (noting certain entities that collect data have a duty to protect that information); but see Young v. Wetzel, 260 A.3d 281, 288–89 (Pa. Commw. Ct. 2021) (holding doctrine of sovereign immunity barred inmates' negligence claim arising from data breach).
2. KEY PRIVACY LAWS
2.1. The Wiretapping and Electronic Surveillance Control Act
The Pennsylvania Wiretapping and Electronic Surveillance Control Act (Wiretapping Act) (under §5701 et seq. of Chapter 57 of Title 18 of the Pa. C.S.) restricts a person's ability to monitor another. Under the Wiretapping Act, a person is guilty of a felony of the third degree if he or she (18 Pa. C.S. §5703):
- intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, electronic, or oral communication;
- intentionally discloses or endeavors to disclose to any other person the contents of any wire, electronic, or oral communication, or evidence derived therefrom, knowing, or having reason to know that the information was obtained through the interception of a wire, electronic, or oral communication; or
- intentionally uses or endeavors to use the contents of any wire, electronic, or oral communication, or evidence derived therefrom, knowing, or having reason to know, that the information was obtained through the interception of a wire, electronic, or oral communication.
Subject to certain exceptions, it also is unlawful to manufacture, advertise, sell, or possess devices primarily designed to surreptitiously intercept wire, electronic, or oral communications (18 Pa. C.S. §5705).
Private cause of action
Although a penal statute, the Wiretapping Act also recognizes a private cause of action. It provides that '[a]ny person whose wire, electronic or oral communication is intercepted, disclosed or used in violation of this chapter shall have a civil cause of action against any person who intercepts, discloses or uses or procures any other person to intercept, disclose or use, such communication; and shall be entitled to recover from any such person' (18 Pa. C.S. §5725(a)(1)). The U.S. Court of Appeals for the Third Circuit has adopted a four-part test to establish a prima facie claim under 18 Pa. C.S. §5725. The test is whether: '(1) Plaintiff engaged in [an oral] communication; (2) Plaintiff possessed an expectation that the communication would not be intercepted; (3) Plaintiff's expectation was justifiable under the circumstances; and (4) Defendant attempted to, or successfully intercepted the communication, or encouraged another to do so48.' Importantly, only the sender of the communication has standing to sue – the intended recipient of the communication has no standing to assert a claim under the Wiretapping Act49.
Criminal conviction under the Wiretapping Act is not a condition precedent to civil liability50. In Marks, the PA Supreme Court remarked that because 'the purpose of the damage provision [in the Wiretapping Act] is to encourage civil enforcement of [the Wiretapping Act], all that is required to make the damage provision of [the Wiretapping Act] operative is a determination by the [trial] court [...] that [the Wiretapping Act] was violated51.' Consent is a defense to such a claim. The Wiretapping Act is not violated where 'all parties to the communication have given prior consent to' interception of the communication (18 Pa. C.S. §5704(4)). If all parties to a communication have not consented to the interception, there is a violation of the Wiretapping Act52. Additional defenses and exceptions to the Wiretapping Act are provided under 18 Pa. C.S. §5704.
A successful claimant may recover (18 Pa. C.S. §5725(a)(2)):
- actual damages, but not less than liquidated damages computed at the rate of $100 a day for each day of violation, or $1,000, whichever is higher;
- punitive damages; and
- reasonable attorney's fees.
In October 2022, the U.S. Court of Appeals for the Third Circuit, in Popa v. Harriet Carter Gifts, Inc., vacated a summary judgment order entered by the Pennsylvania federal district court in favor of a defendant retailer in litigation involving claims under the Wiretapping Act. Specifically, the plaintiff had visited the defendant's website and placed an item in the shopping cart. Plaintiff, however, later learned that, unbeknownst to her as she was browsing the website, a third-party marketing service used by defendant had tracked her activities across the website. Plaintiff sued both entities under the Wiretapping Act and under common law claims for invasion of privacy. The lower court granted summary judgment to both defendants, concluding that there had been no unlawful interception of electronic communications. The district court reasoned that because the third-party marketing service had received communications from plaintiff's browser directly, both it and the plaintiff were parties to the communications and thus there could be no unlawful interception: 'By choosing to visit the website, [Plaintiff] initiated the underlying communications between her web browser, [Defendant retailer's] web server and [Defendant marketing service's] servers55.'
The Third Circuit reversed, reasoning that the 'party exception' articulated by the district court did not apply in the case before it, because such exceptions applied to law enforcement only. In 2012, the term 'intercept' under the Wiretapping Act was amended to mean the:
"Aural or other acquisition of the contents of any wire, electronic or oral communication through the use of any electronic, mechanical or other device. The term shall include the point at which the contents of the communication are monitored by investigative or law enforcement officers. The term shall not include the acquisition of the contents of a communication made through any electronic, mechanical or other device or telephone instrument to an investigative or law enforcement officer, or between a person and an investigative or law enforcement officer, where the investigative or law enforcement officer poses as an actual person who is the intended recipient of the communication, provided that the Attorney General, a deputy attorney general designated in writing by the Attorney General, a district attorney or an assistant district attorney designated in writing by a district attorney of the county wherein the investigative or law enforcement officer is to receive or make the communication has reviewed the facts and is satisfied that the communication involves suspected criminal activities and has given prior approval for the communication."
See Popa, 52 F.4th at 127 (emphasis in original). Because the third-party marketing service was not associated with law enforcement, the fact that it received communications directly from plaintiff's browser did not remove the conduct from the definition of 'intercept' and thus did not avoid liability under the statute. As the Third Circuit explained, the Pennsylvania legislature had an opportunity to adopt expansive language for the carve-out in the definition of 'intercept,' and had a 'prototype for a direct-party exception' available in the federal wiretap statute. See 18 U.S.C. § 2511(2)(d) ('It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception.' (emphasis added)). Yet, the legislature 'codified only a law-enforcement exception, thus limiting any direct-party exception to that context.' See Popa, 52 F.4th at 128. The decision opens the door for further online tracking litigation under the Wiretapping Act.
Since Popa, and consistent with the rash of online tracking litigation across the country, additional cases have been brought under the Wiretapping Act. Both the federal district court in Popa and, more recently, Vonbergen have held that the statute broadly defines a 'device' to include session replay software. Vonbergen v. Liberty Mut. Ins. Co., 2023 WL 8569004, at *9 (E.D. Pa. Dec. 11, 2023) ('The Pennsylvania Wiretap Act broadly defines an electronic, mechanical or other device as 'any device or apparatus ... that can be used to intercept a wire, electronic or oral communication.''); Popa v. Harriet Carter Gifts, Inc., 426 F. Supp. 3d 108, 117 (W.D. Pa. 2019) (explaining that 'any' in front of 'device or apparatus' indicates the reference to devices or apparatuses is 'without distinction or limitation') (citing 'any,' Oxford English Dictionary (3d ed. 2016)). Courts also have clarified that prior consent 'can be demonstrated when the person being recorded knew or should have known[ ] that the conversation was being recorded,' which underscores the importance of properly deployed privacy notices. See Commonwealth v. Byrd, 235 A.3d 311, 319 (Pa. 2020); Popa, 52 F.4th at 132; Vonbergen, 2023 WL 8569004 at *12; see also Popa, 52 F.4th at 133 (holding the Wiretapping Act requires consent of all parties).
2.2. Identity theft
Under Chapter 41 of Title 18 of the Pa. C.S., a person commits the criminal offense of 'identity theft' of another person if he or she 'possesses or uses, through any means, identifying information of another person without the consent of that other person to further any unlawful purpose' (18 Pa. C.S. §4120(a)).
The law defines 'identifying information' as '[a]ny document, photographic, pictorial or computer image of another person, or any fact used to establish identity, including, but not limited to, a name, birth date, Social Security number, driver's license number, nondriver governmental identification number, telephone number, checking account number, savings account number, student identification number, employee or payroll number or electronic signature' (18 Pa. C.S. §4120(f)). The law defines 'document' as '[a]ny writing, including, but not limited to, birth certificate, Social Security card, driver's license, nondriver government-issued identification card, baptismal certificate, access device card, employee identification card, school identification card or other identifying information recorded by any other method, including, but not limited to, information stored on any computer, computer disc, computer printout, computer system, or part thereof, or by any other mechanical or electronic means' (18 Pa. C.S. §4120(f)).
A conviction for forgery, identity theft, and fraudulently obtaining public assistance was affirmed by the Superior Court of Pennsylvania where the defendant used his brother's name and identifying information to obtain medical services, including open heart surgery, and Medicaid benefits58. The defendant admitted to using his brother's name and had signed his brother's name to various documents to obtain medical services and to obtain public assistance as an unemployed and uninsured person.
Each time a person possesses or uses identifying information in violation of 18 Pa. C.S. §4120(a), it constitutes a separate offense (18 Pa. C.S. §4120(b)). Further, the total values involved in offenses under this section committed pursuant to one scheme or course of conduct, whether from the same victim or several victims, may be aggregated in determining the grade of the offense (18 Pa. C.S. §4120(b)). The degree of felony and fine depends upon the value of any property or whether it was committed in furtherance of a criminal conspiracy (18 Pa. C.S. §4120(c)(1)). When a person commits identity theft and the victim is 60 years of age or older, a care-dependent person, as defined in §2713 of Chapter 27 of Title 18 of the Pa. C.S. (relating to neglect of care-dependent person), or an individual under 18 years of age, the offense is graded one grade higher than the value-based grading described above, permitting a more severe sentence (18 Pa. C.S. §4120(c)(2)).
Separately, a person commits the offense of 'falsely impersonating persons privately employed' if he or she pretends or holds himself or herself out, 'without due authority,' to anyone as an employee of any person for the purpose of gaining access to any premises (18 Pa. C.S. §4115). The offense is a misdemeanor of the second degree (18 Pa. C.S. §4115).
Private cause of action
Subchapter A of Chapter 83 of Title 42 of the Pa. C.S. also recognizes a private cause of action for identity theft, and a claimant may seek the following damages for identity theft (42 Pa. C.S. §8315):
- actual damages arising from the incident or $500, whichever is greater. Damages include loss of money, reputation, or property, whether real or personal. The court may, in its discretion, award up to three times the actual damages sustained, but not less than $500;
- reasonable attorney fees and court costs; and/or
- additional relief the court deems necessary and proper.
2.3. Unlawful dissemination of an intimate image
Pennsylvania law recognizes a private cause of action for unlawful dissemination of an intimate image in order to recover damages for any loss or injury sustained as a result of the violation (42 Pa. C.S. §8316.1(a)). The claim may be brought by the person, or guardian if the person is incompetent or a minor (42 Pa. C.S. §8316.1(b)).
Damages include (42 Pa. C.S. §8316.1(c)(1)):
- actual damages arising from the incident or $500, whichever is greater;
- loss of money, reputation, or property, whether real or personal; and
- an award, at the court's discretion, of up to three times the actual damages sustained, but not less than $500.
A court also may award reasonable attorney fees, court costs, and additional relief the court deems necessary and proper (42 Pa. C.S. §8316.1(c)(2) and (3)). A court awarding damages must consider whether the dissemination of the intimate image may cause long-term or permanent injury (42 Pa. C.S. §8316.1(c)). An award of damages under this provision will not limit the ability of the victim to obtain restitution from a defendant convicted of a crime under 18 Pa. C.S. §1106 (42 Pa. C.S. §8316.1(d)).
2.4. Possession of unlawful devices
Under Pennsylvania penal law, a person commits the criminal offense of possession of an unlawful device if that person, with the intent to defraud another person, either '(i) uses a device to access, read, obtain, memorize or store, temporarily or permanently, information encoded on the computer chip, magnetic strip or stripe or other storage mechanism of a payment card or possesses a device capable of doing so; or (ii) places information encoded on the computer chip, magnetic strip or stripe or other storage mechanism of a payment card onto the computer chip, magnetic strip or stripe or other storage mechanism of a different card or possesses a device capable of doing so' (18 Pa. C.S. §4121(a)(1)).
In addition, a person violates the statute if he or she 'knowingly possesses, sells or delivers a device which is designed to read and store in the device's internal memory information encoded on a computer chip, magnetic strip or stripe or other storage mechanism of a payment card other than for the purpose of processing the information to facilitate a financial transaction' (18 Pa. C.S. §4121(a)(2)). The law defines 'payment card' as a 'credit card, a charge card, a debit card or another card which is issued to an authorized card user to purchase or obtain goods, services, money or another thing of value' (18 Pa. C.S. §4121(c)).
A first offense constitutes a felony of the third degree. A second or subsequent offense constitutes a felony of the second degree (18 Pa. C.S. §4121(b)).
2.5. Privacy of social security numbers
Under the Privacy of Social Security Numbers Law (Social Security Numbers Law) (under §201 et seq. of Chapter 5 of Title 74 of the Pa. Stat.) social security numbers are entitled to confidentiality. The Social Security Numbers Law further prohibits a person or entity, or state agency or political subdivision, from (74 Pa. Stat. §201(a)):
- publicly displaying a person's Social Security number;
- printing the number on a card required to access products or services, or requiring an individual to transmit their social security number over the internet in the absence of encryption;
- requiring an individual to use their Social Security number to access an internet website unless a password or unique personal identification number or another authentication device is also required;
- printing an individual's Social Security number on any materials that are mailed to the individual unless federal or state law requires the Social Security number to be on the document to be mailed; or
- disclosing in any manner, except to the agency issuing the license, the Social Security number of an individual who applies for a recreational license.
Lawsuits for violations of the Social Security Numbers Law may be brought by the AG (74 Pa. Stat. §202). A violation of the law is deemed a summary offense and is punishable by a fine of not less than $50 and not more than $500 and, for every second or subsequent violation, by a fine of not less than $500 and not more than $5,000 (74 Pa. Stat. §201(g)). The law is also subject to criminal enforcement (74 Pa. Stat. §202). The law does not apply to financial institutions, as defined by the Gramm-Leach-Bliley Act of 1999 (GLBA), 'covered entities' under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or an entity subject to the Fair Credit Reporting Act of 1970 (74 Pa. Stat. §204).
2.6. Consumer Protection
The purpose of the Unfair Trade Practices Law is to protect the consumer public and eradicate unfair or deceptive business practices59. The PA Supreme Court has instructed that courts should construe the Unfair Trade Practices Law liberally in order to effect the legislative goal of consumer protection60. The Unfair Trade Practices Law lists 21 acts that are deemed unfair and deceptive in commerce. In recent years, the AG has used the Unfair Trade Practices Law to commence enforcement actions against companies failing to adequately protect consumer data, citing the catch-all provision in the law, which prohibits 'engaging in any other fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding' (73 Pa. Stat. §201-2(4)(xxi))61. In the aftermath of recent high-profile data breaches, such as Orbitz, Neiman Marcus, and Target, the AG has used the Unfair Trade Practices Law (together with attorneys general in other states using similar state consumer protection statutes) to commence enforcement actions against those companies and to negotiate 'Assurances of Voluntary Compliance' with them. These settlement agreements require companies sustaining the data breaches to develop and implement policies and procedures to better protect consumers' personal information62.
Private cause of action
The Unfair Trade Practices Law also creates a private cause of action. To date, plaintiffs have tried unsuccessfully to obtain class certification for private causes of action brought under 73 Pa. Stat. §201-2(4)(xxi) based on the alleged mismanagement of personal health information63.
The Unfair Trade Practices Law has a fee-shifting component which allows successful claimants and their attorneys to recoup attorneys' fees expended in the action, even if such fees are in excess of the damages awarded. As a result, this law has attracted plaintiffs' attorneys to bring even de minimis cases in the hope of obtaining significant awards for fees. For fee-shifting under the Unfair Trade Practices Law, courts look to the benefits provided to the claimants by their attorneys and have noted that 'the fee-shifting statutory provision of [the Unfair Trade Practices Law] is designed to promote its purpose of punishing and deterring unfair and deceptive business practices and to encourage experienced attorneys to litigate such cases, even where recovery is uncertain64.' Additionally, the PA Supreme Court recently held that a business's state of mind is irrelevant for a private cause of action brought under the Unfair Trade Practices Law 'catch-all' provision, effectively transforming the statute into a strict-liability one, and confirming that the Unfair Trade Practices Law should be 'construed broadly in order to comport with the legislative will to eradicate unscrupulous business practices.' 65
2.7. Invasion of Privacy
Under Chapter 75 of Title 18 of the Pa. C.S., invasion of privacy is also a criminal offense. A person may be convicted of invasion of privacy if the offender, for the purpose of arousing or gratifying the sexual desire of any person, knowingly does any of the following (18 Pa. C.S. §7507.1(a)):
- views, photographs, videotapes, electronically depicts, films, or otherwise records another person without that person's knowledge and consent while that person is in a state of full or partial nudity and is in a place where that person would have a reasonable expectation of privacy;
- photographs, videotapes, electronically depicts, films, or otherwise records or personally views the intimate parts, whether or not covered by clothing, of another person without that person's knowledge and consent, and which intimate parts that person does not intend to be visible by normal public observation; and
- transfers or transmits an image obtained in violation of the first or second points above by live or recorded telephone message, electronic mail, or the internet, or by any other transfer of the medium on which the image is stored.
The law defines 'full or partial nudity' as a '[d]isplay of all or any part of the human genitals or pubic area or buttocks, or any part of the nipple of the breast of any female person, with less than a fully opaque covering' and defines 'intimate part' as any part of human genitals, pubic area, or buttocks, and the nipple of a female breast (18 Pa. C.S. §7507.1(e)). A 'place where a person would have a reasonable expectation of privacy' is defined as '[a] location where a reasonable person would believe that he could disrobe in privacy without being concerned that his undressing was being viewed, photographed or filmed by another' (18 Pa. C.S. §7507.1(e)).
The law recognizes separate violations for each victim of an offense under the same or similar circumstances, such as a scheme or course of conduct, whether at the same or different times; or if a person is a victim on multiple occasions during a separate course of conduct (18 Pa. C.S. §7507.1(a.1)). An offense for invasion of privacy constitutes a misdemeanor of the third degree; however, if there are multiple offenses, the offense constitutes a misdemeanor of the second degree (18 Pa. C.S. §7507.1(b)). There is no private cause of action under the law against a manufacturer of a device or a provider of a product or service that is used to commit a violation of 18 Pa. C.S. §7507.1 (42 Pa. C.S. §8317).
3. HEALTH DATA
3.1. Key Laws
The protection of health data under Pennsylvania law is a patchwork. Chapter 146b of Title 31 of the Pennsylvania Code (Pa. Code) governs the privacy of consumer health information (31 Pa. Code §146b.1). However, the law applies to insurers only. Safeguards for protecting health data under 31 Pa. Code §146b.1 are governed under §146c.1 et seq. of Chapter 146c of Title 31 of the Pa. Code, which establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of consumer information (see section 10 below). Data security of health data implicates some common law duties of care recently recognized by the PA Supreme Court under Dittman v. UPMC (see section 1.3. above). Pennsylvania also recognizes a common law right for physician-patient confidentiality separate and distinct from an invasion of privacy claim66.
In addition, Chapter 115 of Title 28 of the Pa. Code requires that medical records be stored 'in such a manner as to provide protection from loss, damage, and unauthorized access' (28 Pa. Code §115.22). All medical records must be treated as confidential (28 Pa. Code §115.27; see also §5.53 of Chapter 5 of Title 28 of the Pa. Code; and §563.9 of Chapter 563 of Title 28 of the Pa. Code). As such, '[o]nly authorized personnel' may have access to medical records, and 'written authorization of the patient' must be presented and maintained in the original record as authority for release of medical information outside the hospital (28 Pa. Code §115.27). The law treats medical records as 'the property of the hospital,' and prohibits their removal from a hospital premises, except for court purposes (28 Pa. Code §115.28). Copies of such records may be made for authorized appropriate purposes such as insurance claims, and physician review, that are consistent with the confidentiality requirements under 28 Pa. Code §115.27 (28 Pa. Code §115.28; see also §7111 of Article 1 of Chapter 15 of Title 50 of the Pa. Stat.).
3.2. Key Definitions for 31 Pa. Code §146b
31 Pa. Code §146b.2 contains the key definitions for the chapter. It defines 'consumer' as an 'individual, or that individual's legal representative, who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal health information' (31 Pa. Code §146b.2). The definition also provides examples and illustrations of 'consumers' (31 Pa. Code §146b.2).
31 Pa. Code §146b defines 'licensee' as a licensed insurer, a producer, and other persons or entities licensed or required to be licensed under Pennsylvania insurance law, including health maintenance organizations. The term licensee also includes a licensee that enrolls, insures, or otherwise provides an insurance-related service to participants that procure health insurance through a governmental health insurance program, and a non-admitted insurer that accepts business placed through a surplus lines licensee in Pennsylvania (31 Pa. Code §146b.2).
The term 'nonpublic personal health information' means either health information that identifies an individual who is the subject of the information, or health information that there is a reasonable basis to believe could be used to identify an individual (31 Pa. Code §146b.2). The term does not include 'nonpublic personal financial information' (31 Pa. Code §146b.2).
4. FINANCIAL DATA
4.1. Key Laws
Chapter 146a of Title 31 of the Pa. Code governs the privacy of consumer financial information (31 Pa. Code §146a.1). Similar to Chapter 146b of the Pa. Code, the statute limits the definition of licensees to insurers and thus is limited in scope. Safeguards for protecting consumer financial data are governed under 31 Pa. Code §§146c.1-.11, which establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information (see section 10 of the Guidance Note below). In addition, data security of financial data implicates common law duties of care recently recognized by the PA Supreme Court under Dittman v. UPMC (see section 1.3. of the Guidance Note)67.
4.2. Key Definitions for 31 Pa. Code §146a
The law defines a 'consumer' as an 'individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal financial information, or that individual's legal representative' (31 Pa. Code §146a.2). Like the definition for consumer health data under 31 Pa. Code §146b.2, the definition of consumer under 31 Pa. Code §146a.2 provides examples and illustrations of 'consumers.'
A 'customer' is defined as a 'consumer who has a customer relationship with a licensee' (31 Pa. Code §146a.2). A 'customer relationship' is defined as a 'continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes' (31 Pa. Code §146a.2).
31 Pa. Code §146a.2 defines licensee as an insurer, a producer, or other persons or entities licensed or required to be licensed under Pennsylvania insurance law, including health maintenance organizations. The term also includes a licensee that enrolls, insures, or otherwise provides insurance-related services to participants that procure health insurance through a governmental health insurance program, and a non-admitted insurer that accepts business placed through a surplus lines licensee in Pennsylvania (31 Pa. Code §146a.2).
The term 'personally identifiable financial information' is defined to mean '(A) Information that a consumer provides to a licensee to obtain an insurance product or service from the licensee; (B) Information about a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer, and/or (C) Information that the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer' (31 Pa. Code §146a.2). The term does not include publicly available information, any list, description, or other grouping of consumers derived without using any personally identifiable financial information that is not publicly available, and health information (31 Pa. Code §146a.2).
5. EMPLOYMENT DATA
The PA Supreme Court held that employers have a common law duty of reasonable care to safeguard the sensitive personal information of their current and former employees stored in internet-accessible information systems (see section 1.3. above)68.
There have been no subsequent significant decisions addressing the Court's specific recognition of the common law duty; although, one decision rendered by the U.S. Court of Appeals for the Third Circuit recently vacated the dismissal of a lawsuit brought by a federal employee whose personal information inadvertently was disclosed by the U.S. Department of Justice in response to a FOIA request filed by a federal inmate (Spade v. United States, 763 Fed. App'x 294, 295 (3d Cir. 2019)). However, the District Court ultimately dismissed the case as the U.S. Department of Labor determined that the plaintiff's claim was covered by the Federal Employees' Compensation Act of 1916 (FECA) and therefore prohibited any Dittman determination69.
6. ONLINE PRIVACY
While Pennsylvania does not have a law specifically addressing online privacy, 18 Pa. C.S. §4107, which addresses deceptive or fraudulent business practices, includes as an offense to knowingly make false or misleading statements in a privacy policy, published on the internet, or otherwise distributed or published, regarding the use of personal information submitted by members of the public (18 Pa. C.S. §4107(a)(10)) (see section 8 below).
7. UNSOLICITED COMMERCIAL COMMUNICATIONS
Under Pennsylvania's Unsolicited Telecommunication Advertisement Act (UTAA) (under §2250.1 et seq. of Chapter 40A of Title 73 of the Pa. Stat.) it is unlawful to send an unsolicited commercial email or facsimile from a computer or fax machine located in Pennsylvania, or to send email to addresses, where the message (73 Pa. Stat. §2250.3(a)):
- uses a third party's Internet domain name in the return electronic mail message without permission of the third party;
- includes false or misleading information in the return address portion of the electronic mail, facsimile, or wireless advertisement such that the recipient would be unable to send a reply message to the original authentic sender;
- contains false or misleading information in the subject line; or
- fails to operate a valid sender-operated return email address or toll-free telephone number that the recipient of the unsolicited documents may email or call to notify the sender not to transmit further unsolicited documents.
It is also unlawful to use a covered mobile telephone messaging system to transmit an unsolicited commercial email (73 Pa. Stat. §2550.3(b)).
Under the UTAA, a person also may not (73 Pa. Stat. §2250.4):
- conspire with another person to initiate the transmission of a commercial electronic mail message, fax, or wireless advertisement that uses a third party's Internet domain name without permission of the third party or to otherwise misrepresent or obscure any information identifying the point of origin or the transmission path of a commercial electronic mail message;
- falsify or forge commercial electronic mail, fax, or wireless transmission or other routing information in any manner in connection with the transmission of unsolicited commercial electronic mail or wireless advertisement;
- assist in the transmission of a commercial electronic mail message, fax, or wireless advertisement when the person providing the assistance knows or consciously avoids knowing that the initiator of the commercial electronic mail message or fax is engaged or intends to engage in any act or practice that violates the provisions of this act;
- temporarily or permanently remove, alter, halt, or otherwise disable any computer or wireless data, programs, software, or network to initiate a commercial electronic mail message, fax, or wireless advertisement; and/or
- sell, give, or otherwise distribute or possess with the intent to sell, give, or distribute software that is primarily designed or produced for the purposes of facilitating or enabling the falsification of commercial electronic mail, fax, or wireless advertisement transmissions.
A violation of the UTAA constitutes a violation of the Unfair Trade Practices Law (73 Pa. Stat. §2250.5(a)) (see section 2.6 above). Thus, a private action brought under the statute may be based on any of the twenty-one unfair practices described in the Unfair Trade Practices Law (73 Pa. Stat. §201-2(4)).
Under the UTAA, a person who provides an email service, or a wireless telecommunications company, has the discretion to block or filter the receipt or transmission of any commercial email or wireless advertisement that it reasonably believes is or may be sent in violation of the UTAA (73 Pa. Stat. §2250.6(a)(1)). Moreover, the UTAA does not prevent or limit a person who provides internet access or an email service, or a wireless telecommunications company, from (73 Pa. Stat. §2250.6(a)(2)):
- adopting a policy regarding commercial or other electronic mail, including a policy of blocking, filtering, or declining to transmit certain types of electronic mail messages;
- suspending or terminating the services or accounts of any person deemed in violation of this act; or
- enforcing such policy through technology, contract, or pursuant to any remedy available under any provision of law.
No person who provides internet access or an email service, or a wireless telecommunication company, may be held liable for any action voluntarily taken in good faith to block the receipt or transmission through its service of any commercial email which it reasonably believes is or may be sent in violation of the UTAA (73 Pa. Stat. §2250.6(b)).
Please note that most litigation in Pennsylvania for unsolicited communications is brought under the Telephone Consumer Protection Act of 1991 (TCPA), a federal statute70.
8. PRIVACY POLICIES
While Pennsylvania does not have a law specifically addressing privacy policies, the Unfair Trade Practices Law, 18 Pa. C.S. §4107, includes as an offense, under deceptive or fraudulent business practices, to knowingly make false or misleading statements in a privacy policy, published on the internet, or otherwise distributed or published, regarding the use of personal information submitted by members of the public (18 Pa. C.S. §4107(a)(10)).
A recent development in Pennsylvania case law with broad consequences for consumer litigation related to the Unfair Trade Practices Law and privacy policies is the previously mentioned holding of the PA Supreme Court in Gregg v. Ameriprise Financial, Inc71. In Gregg, where plaintiffs brought suit for negligent misrepresentation and violation of the law's catchall provision, the Court held that 'deceptive conduct under the [Unfair Trade Practices Law] is not dependent in any respect upon proof of the actor's state of mind72.' The Court affirmed the Superior Court's holding that the test for deceptive conduct is whether the conduct has the tendency or capacity to deceive and stressed that the Unfair Trade Practices Law 'should be construed broadly in order to comport with the legislative will to eradicate unscrupulous business practices73.' With regard to privacy policies, this holding allows consumers to bring an action under the Unfair Trade Practices Law for any privacy policy that has the tendency to deceive, regardless of the business entity's intent when crafting the policy. Without many other avenues for claims regarding privacy policies, claims under the Unfair Trade Practices Law will likely become more common for privacy policy language.
9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY
9.1. Standards for Safeguarding Customer Information
9.1.1. Key Provisions
The Unfair Insurance Practices Act (Insurance Act) (under §146.1 et seq. of Chapter 146 of Title 31 of the Pa. Code) sets standards for safeguarding consumer information for licensees under Chapters 146a (financial data) and 146b (health data) of Title 31 of the Pa. Code (31 Pa. Code §§146c.1-.11). The law establishes standards that licensees must adhere to (31 Pa. Code §146c.1):
- for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, under §§501, 505(b) and 507 of the GLBA (15 U.S.C. §§6801, 6805(b), and 6807);
- for ensuring the security and confidentiality of customer records and information;
- to protect against any reasonably anticipated threats or hazards to the security or integrity of the records;
- to protect against unauthorized access to or use of records or information that could result in substantial harm or inconvenience to a customer; and/or
- that apply to nonpublic personal information, including nonpublic personal financial information and nonpublic personal health information.
The Pa. Code requires that licensees (see definitions in sections 3.2. and 4.2. above) 'implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information' (31 Pa. Code §146c.3). Recognizing that a one-size-fits-all approach is unworkable, the law further provides that '[t]he administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities' (31 Pa. Code §146c.3). The information security program must be designed to (31 Pa. Code §146c.4):
- safeguard the security and confidentiality of customer information;
- protect against any reasonably anticipated threats or hazards to the security or integrity of the information; and/or
- protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.
Furthermore, 31 Pa. Code §§146c.6 to 146c.9 provide non-exclusive illustrations and methods by which a licensee may implement an adequate comprehensive written information security program designed to satisfy required safeguards (31 Pa. Code §146c.5). The illustrated methods and procedures are:
- conducting risk assessments that (31 Pa. Code §146c.6):
  - identify reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
  - assess the likelihood and potential damage of such threats, taking into consideration the sensitivity of the customer information at issue; and
  - assess the sufficiency of policies, procedures, information systems, and other safeguards already in place to mitigate the identified risks;
- managing and controlling the risk by (31 Pa. Code §146c.7):
  - designing the information security program to control the identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the licensee's activities;
  - training staff to implement the information security program; and
  - regularly monitoring and testing key controls, systems, and procedures of the information security program based on the licensee's risk assessment;
- managing security risks created through the use of third-party service providers by (31 Pa. Code §146c.8):
  - exercising 'appropriate due diligence' in selecting service providers;
  - requiring service providers to implement 'appropriate measures' designed to meet the objectives of the data security standards; and
  - when indicated by its risk assessment, taking appropriate steps to confirm that the service providers have satisfied their data security obligations; and
- adjusting the information security program based upon relevant changes in technology, the sensitivity of customer information, identified threats, and/or the licensee's own changing business arrangements (31 Pa. Code §146c.9).
A licensee violates Title 31 of the Pa. Code when (31 Pa. Code §146c.10(b)):
- it 'knew or reasonably should have known' of a pattern of activity, or of a practice of a service provider, that constitutes either a violation of 31 Pa. Code §146a or 31 Pa. Code §146b;
- it 'knew or reasonably should have known' of a pattern of activity, or of a practice of a service provider, that constitutes a violation of the safeguard standards; and/or
- it knew or reasonably should have known of a 'material breach' of the contract or other arrangement between the licensee and the service provider, unless the licensee took reasonable steps to cure the breach or end the violation.
Violations under 31 Pa. Code §§146c.3 and 146c.4, which address the implementation of an adequate comprehensive written information security program designed to satisfy required safeguards, are deemed by the Pennsylvania Insurance Department (Department) to be an unfair method of competition and an unfair or deceptive act or practice, and thus are subject to applicable penalties or remedies under the Insurance Act (31 Pa. Code §146c.10(a)). In addition to injunctive relief (§1171.10 of Chapter 4 of Title 40 of the Pa. Stat.), civil penalties that may be imposed by the Department under the Insurance Act are (40 Pa. Stat. §1171.11):
- for each method of competition, act, or practice defined in §5 of the Insurance Act and in violation of the Insurance Act, which the person knew or reasonably should have known was such a violation, a penalty of not more than $5,000 for each violation but not to exceed an aggregate penalty of $50,000 in any six-month period;
- for each method of competition, act, or practice defined in §5 of the Insurance Act and in violation of the Insurance Act, which the person did not know nor reasonably should have known was such a violation, a penalty of not more than $1,000 for each violation but not to exceed an aggregate penalty of $10,000 in any six-month period; and
- for each violation of an order issued by the Insurance Commissioner of Pennsylvania pursuant to §9 of the Insurance Act, while such order is in effect, a penalty of not more than $10,000.
9.1.2. Key Definitions
Licensee: Has the same limited definition of an insurer, as defined under 31 Pa. Code §§146a.2 and 146b.2, except that the term does not include a purchasing group or a non-admitted insurer in regard to the surplus lines business (31 Pa. Code §146c.2).
Customer: Means either a 'customer,' as defined in 31 Pa. Code §146a.2 (relating to definitions) or a 'consumer' as defined in 31 Pa. Code §146b.2 (relating to definitions).
Customer information systems: The 'electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information' (31 Pa. Code §146c.2).
Customer information: Means either 'nonpublic personal financial information,' as defined in 31 Pa. Code §146a.2, or 'nonpublic personal health information,' as defined in 31 Pa. Code §146b.2, about a customer, whether in paper, electronic, or other form that is maintained by or on behalf of the licensee (31 Pa. Code §146c.2).
Service provider: A 'person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee' (31 Pa. Code §146c.2).
9.2. The Consumer Protection Against Computer Spyware Act
Under the Consumer Protection Against Computer Spyware Act (Computer Spyware Act) (§2330.1 et seq. of Chapter 43A of Title 73 of the Pa. Stat.), it is unlawful to install, or cause to be installed, computer software on a user's computer that deceptively modifies the computer's functions or acquires information. The Computer Spyware Act prohibits a person or entity from inducing a user to install software by misrepresenting that installing the software is necessary for security or privacy reasons, or in order to open, view, or play a particular type of content, or from causing the execution of software in violation of the Computer Spyware Act (73 Pa. Stat. §2330.5).
The Computer Spyware Act further provides that a person or entity that is not an authorized user shall not cause computer software to be copied or procure the copying onto the computer of an authorized user in this Commonwealth and use the software to do any of the following acts or any other acts deemed to be deceptive (73 Pa. Stat. §2330.3):
- modify through deceptive means any of the following settings related to the computer's access to or use of the internet:
- the page that appears when an authorized user launches an internet browser or similar software program used to access and navigate the internet;
- the default provider or internet website proxy the authorized user uses to access or search the internet; and
- the authorized user's list of bookmarks used to access internet website pages;
- collect through deceptive means personally identifiable information that meets any of the following criteria:
- it is collected through the use of a keystroke-logging function that records all keystrokes made by an authorized user who uses the computer and transfers that information from the computer to another person;
- it includes all or substantially all of the Internet websites visited by an authorized user, other than Internet websites of the provider of the software, if the computer software was installed in a manner designed to conceal from all authorized users of the computer the fact that the software is being installed; and/or
- it is a data element described in paragraphs (2), (3), (4) or (5) (i) or (ii) of the definition of 'personally identifiable information' that is extracted from the authorized user's computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an authorized user;
- prevent, without the authorization of an authorized user, through deceptive means an authorized user's reasonable efforts to block the installation of or to disable software by causing software that the authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorization of an authorized user;
- misrepresent that software will be uninstalled or disabled by an authorized user's action with knowledge that the software will not be so uninstalled or disabled; and
- through deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer.
The Computer Spyware Act also prohibits a person from installing upon a computer software to engage in the following acts, 'or any other acts deemed to be deceptive' (73 Pa. Stat. §2330.4(1)):
- take control of the authorized user's computer by doing any of the following:
- transmitting or relaying commercial electronic mail or a computer virus from the authorized user's computer where the transmission or relaying is initiated by a person other than the authorized user and without the authorization of an authorized user;
- accessing or using the authorized user's modem or Internet service for the purpose of causing damage to the authorized user's computer or of causing an authorized user to incur financial charges for a service that is not authorized by an authorized user;
- using the authorized user's computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including, but not limited to, launching a denial of service attack; and
- opening a series of stand-alone messages in the authorized user's computer without the authorization of an authorized user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the internet application.
The statute also prohibits a person from installing computer software that modifies an authorized user's security or other settings protecting information in order to steal the user's personal information, or that modifies the computer's security settings for the purpose of causing damage to one or more computers (73 Pa. Stat. §2330.4(2)). The statute also prohibits a person from installing computer software that prevents an authorized user's reasonable efforts to block the installation of, or to disable, software by doing any of the following (73 Pa. Stat. §2330.4(3)):
- presenting the user with a fake option to decline the installation of the software;
- falsely representing that software has been disabled;
- requiring the user to access the internet to remove the software when the software frequently operates in a manner that prevents the user from accessing the internet;
- changing the name, location, or other designation information of the software for the purpose of preventing the user from locating the software to remove it;
- using randomized or deceptive file names, directory folders, formats, or registry entries, or causing installation in a computer's directory or computer memory to evade the software's detection or removal; and
- requiring that the user obtain a special code or download software from a third party to uninstall the software.
Violation of 73 Pa. Stat. §§2330.3(2) and .4(1)(i), (ii), and (iii), and .4(2) constitutes a felony of the second degree with imprisonment up to ten years and/or a fine of up to $25,000 (73 Pa. Stat. §2330.8). A private cause of action exists under the statute for providers of computer software, internet service providers, and trademark owners whose trademarks are used without authorization (73 Pa. Stat. §2330.9(a)). Relief includes injunctive relief, actual damages, or statutory damages of up to $100,000 for each violation, and costs, including attorneys' fees (73 Pa. Stat. §2330.9(b) and (d)). When considering damages, a court may increase an award to treble damages if the court finds that 'the violations have occurred with a frequency with respect to a group of victims as to constitute a pattern or practice' (73 Pa. Stat. §2330.9(c)).
10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS
10.1 The Data Security Law (NAIC Model Law on Insurance Data Security)
Pennsylvania joined the growing number of US states enacting the National Association of Insurance Commissioners (NAIC) Model Law on Insurance Data Security (the Data Security Law). The law went into effect on December 11, 2023, and requires covered insurance companies and 'licensees' to have adequate cybersecurity programs governing the security of data. By December 11, 2024, organizations must have a written comprehensive cybersecurity program in place that is based upon periodic risk assessments.
10.1.1 Key Definitions
The Data Security Law defines an insurer as '[a]n insurance company, association, exchange, interinsurance exchange, health maintenance organization, preferred provider organization, professional health services plan corporation subject to Chapter 63 (relating to professional health services plan corporations), a hospital plan corporation subject to Chapter 61 (relating to hospital plan corporations), fraternal benefit society, beneficial association, Lloyd's insurer or health plan corporation' (45 P.S. §4502). It defines a 'licensee' as a person or organization 'that is or is required to be licensed, authorized to operate or registered under [Pennsylvania] insurance laws.' Id. An 'insurance producer' or 'producer of record' is a person that sells, solicits, or negotiates contracts of insurance (40 P.S. §310.1).
The law defines 'nonpublic information' as '[i]nformation that is stored or maintained in an electronic system, is not publicly available information and is any of the following (45 P.S. §4502):
- business-related information of a licensee that would cause a materially adverse impact to the business, operations or security of the licensee if the information is tampered with, accessed, used, or subject to unauthorized disclosure; or
- information concerning a consumer that because of a name, number, personal mark, or other identifier, can be used to identify the consumer, in combination with any one or more of the following data elements:
- social security number;
- driver's license number or nondriver identification card number;
- financial account number to include credit card number or debit card number;
- a security code, access code, or password that would permit access to a consumer's financial account; or
- biometric records;
- information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer and that relates to any of the following:
- the past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer's family;
- the provision of health care to any consumer; or
- payment for the provision of health care to any consumer.'
Note that this definition is broader than the definition of personally identifiable information under Pennsylvania's data breach notification statute.
The statute defines a 'cybersecurity event' as 'an event resulting in unauthorized access to, disruption of or misuse of an information system or nonpublic information stored on the information system' (45 P.S. §4502).
10.1.2 Requirements – Design and Implementation of an Adequate Cybersecurity Program
By December 11, 2024, organizations must have a written comprehensive cybersecurity program in place that is based upon periodic risk assessments. 45 P.S. §4512. The program's requirements are comprehensive. See generally, 45 P.S. §4513. They include administrative, technical, and physical safeguards to protect nonpublic information and the organization's information systems that are, in part, 'commensurate with the following (45 P.S. §4513(a)):
- The size and complexity of the licensee;
- The nature and scope of the licensee's activities, including the licensee's use of third-party service providers; and
- The sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control.'
They also include the establishment and maintenance of a written incident response plan 'designed to promptly respond to, and recover from any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations' (45 P.S. §4513(e)).
The Data Security Law also requires senior corporate oversight of the cybersecurity program, including engagement of and annual reports to the organization's Board of Directors or similar level of management. 45 P.S. §4514. Annual reports must cover the following topics (45 P.S. §4514(a)):
- 'The overall status of the information security program and the licensee's compliance with this chapter;
- Material matters related to the information security program, addressing issues such as:
- risk assessment, risk management, and control decisions;
- third-party service provider arrangements;
- the results of testing;
- cybersecurity events;
- any violation of this chapter and management's responses to the violation; and
- recommendations for changes in the information security program.'
Organizations also must conduct adequate due diligence into the data security programs of third parties who process the organization’s nonpublic information, including vendors and even law firms (45 P.S. §4515).
10.1.3 Investigation, Record-Keeping, and Notification of Cybersecurity Events
The Data Security Law also requires organizations to investigate any cybersecurity event they have suffered or that a third-party vendor has suffered (45 P.S. §4517(a)). Organizations also must maintain a log 'concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the commissioner' (45 P.S. §4517(d)).
The law also requires notification to the Pennsylvania Insurance Commissioner within five business days of the discovery of any 'cybersecurity event' suffered by the organization where the event has a 'reasonable likelihood of materially harming a Pennsylvania resident' or the 'normal operations' of the organization (45 P.S. §4518). Specifically, the law requires a licensee to notify the commissioner as soon as possible, 'but in no event later than five business days from a determination, that a cybersecurity event involving nonpublic information that is in the possession of the licensee has occurred when either of the following criteria have been met:
- The cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this Commonwealth or any material part of the normal operations of the licensee and either:
- in the case of an insurer, this Commonwealth is the insurer's state of domicile; or
- in the case of an insurance producer, as defined in §601-A of the act of May 17, 1921 (P.L.789, No.285), known as The Insurance Department Act of 1921, this Commonwealth is the insurance producer's home state;
- The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in this Commonwealth and the cybersecurity event:
- impacts the licensee of which notice is required to be provided to a governmental body, self-regulatory agency or another supervisory body under any Federal or State law; or
- has a reasonable likelihood of materially harming a consumer residing in this Commonwealth or any material part of the normal operations of the licensee.
In case of cybersecurity events of third-party service providers:
- in the case of a cybersecurity event in a system maintained by a third-party service provider of which the licensee has become aware, the licensee shall treat the event as it would under subsection (a) unless the third-party service provider provides the notice required under subsection (a) directly to the commissioner;
- the computation of a licensee's deadlines under this section shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.
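The two notification triggers and the deadline clock described above can be captured in a small decision helper that an incident response runbook can call. The following Python is an added example, not code from the original overview; it assumes that 'business days' exclude weekends only (no holiday calendar) and that, for a provider-side event, the reference date is the day after the earlier of the provider's notice to the licensee and the licensee's actual knowledge.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class CyberEvent:
    """Facts an incident response team records for a 45 P.S. §4518 determination."""
    determination_date: date            # day the licensee determined the event occurred
    material_harm_likely: bool          # reasonable likelihood of material harm to a PA consumer
                                        # or to a material part of the licensee's normal operations
    pa_is_domicile_or_home_state: bool  # insurer: PA is state of domicile; producer: PA is home state
    pa_consumers_affected: int          # licensee's reasonable estimate of PA consumers involved
    other_regulator_notice_required: bool  # notice owed to another governmental, self-regulatory
                                           # or supervisory body under federal or state law
    # For an event in a third-party provider's system: the earlier of the provider's notice to the
    # licensee and the licensee's actual knowledge (None means the event is in the licensee's own system).
    third_party_aware_date: Optional[date] = None
    provider_notified_commissioner: bool = False  # provider sent the §4518(a) notice directly


def notice_required(ev: CyberEvent) -> bool:
    """Apply the two §4518(a) triggers; a provider's direct notice to the commissioner removes the duty."""
    if ev.third_party_aware_date is not None and ev.provider_notified_commissioner:
        return False
    # Trigger 1: material harm likely AND Pennsylvania is the domicile / home state
    trigger_domicile = ev.material_harm_likely and ev.pa_is_domicile_or_home_state
    # Trigger 2: 250 or more PA consumers AND (another regulator must be notified OR material harm likely)
    trigger_250 = ev.pa_consumers_affected >= 250 and (
        ev.other_regulator_notice_required or ev.material_harm_likely
    )
    return trigger_domicile or trigger_250


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays past start (assumption: weekends excluded, no holiday calendar)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            n -= 1
    return d


def clock_start(ev: CyberEvent) -> date:
    """Own-system events run from the determination date; provider events from the day after
    the licensee was notified or otherwise knew (assumption: that day is the reference date)."""
    if ev.third_party_aware_date is not None:
        return ev.third_party_aware_date + timedelta(days=1)
    return ev.determination_date


def commissioner_deadline(ev: CyberEvent) -> Optional[date]:
    """Latest date for the notice to the commissioner: five business days from the clock start,
    or None when no notice is required."""
    if not notice_required(ev):
        return None
    return add_business_days(clock_start(ev), 5)


if __name__ == "__main__":
    # Constructed sample: a domestic insurer determines on Wed 2024-12-11 that an event occurred.
    own_system = CyberEvent(date(2024, 12, 11), True, True, 10, False)
    print("own-system deadline:", commissioner_deadline(own_system))  # 2024-12-18
    # Constructed sample: a provider told the licensee on Fri 2024-12-13; 250 PA consumers,
    # another regulator must be notified, but the provider has not reported directly.
    provider_side = CyberEvent(date(2024, 12, 13), False, False, 250, True,
                               third_party_aware_date=date(2024, 12, 13))
    print("provider-side deadline:", commissioner_deadline(provider_side))  # 2024-12-20
```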
The notification must include the following information (45 P.S. §4518(b)):
- the date of the cybersecurity event;
- a description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
- how the cybersecurity event was discovered;
- whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
- the identity of the source of the cybersecurity event;
- whether the licensee has filed a police report or has notified any regulatory, governmental, or law enforcement agency and, if so, when the notification was provided;
- a description of the specific types of information acquired without authorization, including particular data elements such as the types of medical information, financial information, or other types of information allowing identification of the consumer;
- the period during which the information systems were compromised by the cybersecurity event;
- the number of total consumers in this Commonwealth affected by the cybersecurity event, giving the best estimate in the initial report to the commissioner and updating that estimate with each subsequent report to the commissioner due under the law;
- the results of any internal review identifying a lapse in either automated controls or internal procedures or confirming that all automated controls or internal procedures were followed;
- a description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
- a copy of the licensee's privacy policy and a statement outlining the steps that the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
- the name of a contact person familiar with the cybersecurity event and authorized to act for the licensee.
Although the deadline for reporting a cybersecurity event under this statute is longer than the New York Department of Financial Services' 72-hour requirement (23 NYCRR §500.17), it is still shorter and more comprehensive than Pennsylvania's data breach notification requirements (73 P.S. §2303(a)). Additionally, organizations must continuously update and supplement their initial and subsequent notifications to the commissioner if there are significant changes to the previously provided information about a cybersecurity event (45 P.S. §4518(c)).
10.1.4 Enforcement and Examination
For insurers, the Insurance Commissioner has the authority to enforce these requirements under Article IX of the act of May 17, 1921 (P.L.789, No.285), known as The Insurance Department Act of 1921, which includes the power 'to examine and investigate an insurer to determine whether the insurer has been or is engaged in conduct in violation of §§4512 (relating to risk assessment), 4513 (relating to information security program), 4514 (relating to corporate oversight), 4515 (relating to oversight of third-party service provider arrangements) or 4516 (relating to certification)' (45 P.S. §4521(a)).
For other organizations, the commissioner has the authority to determine whether the licensee has engaged in conduct in violation of this chapter (45 P.S. §4521(b)). To that end, the Data Security Law requires each licensee subject to examination to 'keep all books, records, accounts, papers, documents and any computer or other recordings relating to compliance with this chapter in the manner and time periods as the department, in its discretion, may require in order that the department's authorized representatives may verify and ascertain whether the company or person has complied' with the law (45 P.S. §4521(b)). In addition, the licensee's 'officers, directors, employees and agents' must 'facilitate the examination and aid in the examination insofar as it is in their power to do so,' and any refusal to do so or otherwise 'comply with any reasonable written request of the examiners shall be grounds for suspension, revocation, refusal, or nonrenewal of any license or authority held by the licensee to engage in an insurance or other business subject to the department's jurisdiction' (45 P.S. §4521(b)).
Upon determination of a violation of the Data Security Law, the Insurance Commissioner may impose a suspension or revocation of the licensee's license, authorization to operate or registration, refusal to issue or renew a license, authorization to operate or registration, and/or a cease-and-desist order (45 P.S. §4522). For each violation of this chapter that a licensee 'knew or reasonably should have known was a violation,' the commissioner may impose 'a penalty of not more than $5,000, not to exceed an aggregate penalty of $100,000 in a single calendar year' (45 P.S. §4522). For each violation of this chapter that a licensee 'did not know nor reasonably should have known was a violation,' the commissioner may impose 'a penalty of not more than $1,000, not to exceed an aggregate penalty of $20,000 in a single calendar year' (45 P.S. §4522).
10.1.5 Timeline for implementation
- December 11, 2023: The Data Security Law becomes effective. A licensee must investigate a cybersecurity event and notify the Commissioner as promptly as possible, but in no event later than five business days after determining that a cybersecurity event has occurred when certain criteria are met.
- December 11, 2024: licensees must have implemented the requirements regarding Risk Assessment, Information Security Program, and Corporate Oversight.
- December 11, 2025: licensees must have implemented the additional requirements regarding oversight of third-party service providers that maintain, process, store, or otherwise permit access to non-public information through the provision of services to the licensee, including assessment of third-party vendors.
- April 15, 2026: annual certification by domiciled insurers.
10.2 Upcoming: The Pennsylvania Consumer Data Privacy Act (HB 1201)
House Bill (HB) 1201 for the Pennsylvania Consumer Data Privacy Act (the Act) is gaining momentum in the General Assembly of the Commonwealth of Pennsylvania. The Act would not apply to the Commonwealth or its political subdivisions, non-profit organizations, institutions of higher education, national securities associations registered under 15 U.S.C. §78o-3, financial institutions, data subject to 15 U.S.C. Ch. 94, or a covered entity or business associate (HB 1201, §11(a)). Additionally, information protected by other Federal, state, or municipal laws relating to health, human subject research, patient safety work product, state motor vehicle records, records and limitations on withholding Federal funds, farm credit systems, the price, route, or service by an air carrier, or information maintained in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party and used within the context of that role would be exempt from the Act (HB 1201, §11(b)).
10.2.1 Key Definitions (H.B. 1201, Section 2)
Roughly, the legislation defines 'consumer' as a resident of Pennsylvania not acting in a commercial or employment context. The legislation defines 'controller' as:
- a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that meets all of the following criteria:
- is organized or operated for the profit or financial benefit of its shareholders or other owners;
- collects consumers' personal information or on behalf of which consumers' personal information is collected and that, alone or jointly with others, determines the purposes and means of the processing of consumers’ personal information;
- does business in this Commonwealth;
- satisfies any of the following thresholds:
- derives at least 50% of annual revenues from selling consumers’ personal information;
- annually buys or receives, sells, or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households, or devices; or
- has annual gross revenue in excess of $10,000,000;
- an entity that controls a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity under paragraph (1) and shares common branding with the sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity.
'Personal data' is defined as 'information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.' The definition includes a non-exhaustive list of examples. The term does not include publicly available information. 'Protected health information' has the same definition as in the Health Insurance Portability and Accountability Act (HIPAA), 45 CFR §160.103. 'Sensitive data' is defined as personal data that includes data that reveals:
- racial or ethnic origin;
- religious beliefs;
- mental or physical health condition or diagnosis;
- sex life or sexual orientation;
- citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
- personal data collected from a known child; or
- precise geolocation data.
10.2.2 Consumer Rights and Protections (H.B. 1201, Section 3)
The Act would codify consumer data privacy rights including (i) the right to confirm whether or not a controller is processing or accessing the consumer's personal data (HB 1201, §3(a)(1)); (ii) the right to correct inaccuracies in the consumer's personal data (HB 1201, §3(a)(2)); (iii) the right to delete personal data provided by or obtained about the consumer (HB 1201, §3(a)(3)); (iv) the right to obtain a copy of the consumer's personal data processed by the controller in a portable and, where technically feasible, readily usable format allowing the consumer to transmit the data to another controller without hindrance (HB 1201, §3(a)(4)); and (v) the right to opt out of the processing of a consumer's personal data for the purpose of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer (HB 1201, §3(a)(5)).
Controllers would be required to respond to a consumer request without undue delay and no later than 45 days after receipt of the consumer request (HB 1201, §3(c)(1)). Upon notice to the consumer within the initial 45-day response period, the controller may extend the response period by an additional 45 days when reasonably necessary given the complexity and number of the consumer's requests (HB 1201, §3(c)(1)). The Act requires information provided by the controller in response to a consumer request to be provided free of charge once per consumer during a 12-month period (HB 1201, §3(c)(3)). However, if a consumer request is determined to be manifestly unfounded, excessive, or repetitive, a reasonable fee to cover the administrative costs of complying with the request could be assessed (HB 1201, §3(c)(3)). Should the controller decline to take action regarding a consumer's request, the controller would have to inform the consumer and provide the justification for the denial, along with appeal instructions, within the initial 45-day consumer response period (HB 1201, §3(c)(2)).
Where a controller would be unable to authenticate a consumer request, the controller would not be required to comply with the request and may instead provide notice to the consumer of its inability to authenticate the request until additional information reasonably necessary to authenticate the consumer and the consumer's request is provided (HB 1201, §3(c)(4)).
Under the Act, controllers would have to establish an appeal process for consumers to utilize after a controller's refusal or denial to act on a consumer request (HB 1201, §3(d)(a)). The appeal process would have to be conspicuously available and similar to the process utilized to submit a consumer request (HB 1201, §3(d)(a)). Within 60 days of the receipt of an appeal, the controller would have to provide the consumer with a written explanation of the decision made in response to the appeal (HB 1201, §3(d)(b)). If an appeal is denied, the controller would have to provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the AG to submit a complaint (HB 1201, §3(d)(b)).
10.2.3 Duties of Controllers and Data Processors
The Act would require Controllers to fulfill the following duties:
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary relating to the purpose for which the data is processed (HB 1201, §5(a)(1));
- refrain from processing personal data for purposes neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed unless the controller obtains the consumer's consent (HB 1201, §5(a)(2));
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue to protect the confidentiality, integrity, and accessibility of personal data (HB 1201, §5(a)(3));
- refrain from processing sensitive data without obtaining the consumer's consent or in accordance with 15 U.S.C. Ch. 91 (relating to children's online privacy protection) (HB 1201, §5(a)(4));
- refrain from processing personal data in violation of a Federal or State law that prohibits unlawful discrimination against a consumer (HB 1201, §5(a)(5));
- provide an effective mechanism for a consumer to revoke its consent and cease to process the data as soon as practicable, but not later than 15 days after receipt of the consumer's request (HB 1201, §5(a)(6));
- refrain from processing a consumer's personal data for the purpose of targeted advertising or selling the consumer's personal data without the consumer's consent where the controller has actual knowledge and willfully disregards that the consumer is younger than 16 years old (HB 1201, §5(a)(7));
- refrain from discriminating against a consumer for exercising any consumer right including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer (HB 1201, §5(a)(8));
- conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer; this requirement would apply only to processing activities created or generated after July 1, 2024, and would not apply retroactively (HB 1201, §7(a) and (f)); and
- take reasonable measures to ensure de-identified data cannot be associated with an individual, use de-identified data without attempting to re-identify the data, and require recipients of de-identified data to comply with the provisions of the Act (HB 1201, §8(a)).
Data processors also would be assigned duties, which would include complying with the controller's instructions for data processing and assisting the controller to comply with its duties under the Act (HB 1201, §6(a)). For the latter, such assistance would include (1) taking into account the nature of processing and the information available to the processor, using appropriate technical and organizational measures to fulfill the controller's duty to comply with consumer requests to exercise the consumer's rights under HB 1201, §3(a); (2) taking into account the nature of processing and the information available to the processor, assisting the controller in meeting the controller's duties in relation to the security of processing the personal data and in relation to the notification of a breach of security of the processor's system; and/or (3) providing necessary information to enable a controller to conduct and document data protection assessments.
10.2.4 Privacy Notice Content Requirements
Controllers would have to establish for consumers a clear and meaningful privacy notice containing the following elements (HB 1201, §5(c)):
- the categories of personal data processed by the controller;
- the purpose for processing personal data;
- how the consumer may exercise their rights, taking into account the means by which a consumer normally interacts with the controller, the need for secure and reliable communication of the request, and the controller's ability to verify the identity of the consumer making the request, and how the consumer may appeal the controller's decision regarding a request to exercise such rights (see also HB 1201, §5(e)(1));
- the categories of data shared with each third party and the categories of each third party with whom the controller shares data; and
- an active email address or online mechanism a consumer may use to contact the controller.
10.2.5 Enforcement Actions (HB 1201, §10)
No private right of action would exist under the Act (HB 1201, §10(b)). The AG is given exclusive authority to enforce the Act's provisions (HB 1201, §10(a)).
Businesses that would be subject to the law include those that do business in the Commonwealth and meet any of three thresholds: annual gross revenue exceeding $10 million; commercial dealing in the personal information of at least 50,000 consumers, consumer households, or consumer devices; or deriving at least 50% of annual revenue from selling consumers' personal information.
____________________________________________________________
1. Pennsylvania State Educ. Ass'n v. Commonwealth, 148 A.3d 142, 149-50 (Pa. 2016).
2. Id. at 150; see, e.g., Commonwealth v. Rekasie, 778 A.2d 624, 628 (Pa. 2001).
3. Pa. State Educ. Ass'n, 148 A.3d at 150.
4. Id.
5. Id. at 151 citing Commonwealth v. Murray, 223 A.2d 102, 109 (Pa. 1966). The Pennsylvania Supreme Court outlined, "One of the pursuits of happiness is privacy"; thus, "[t]he right to privacy is as much property of the individual as the land to which he holds title and the clothing he wears on his back."
6. In re T.R., 731 A.2d 1276, 1279 (Pa. 1999).
7. Pa. State Educ. Ass'n, 148 A.3d at 150, holding right of privacy protected from disclosure under Right To Know statute home addresses of public school employees.
8. Pa. Liquor Control Board v. Beh, 215 A.3d 1046, 2019 Pa. Commw. LEXIS 660, at *16, 2019 WL 3209994 (Pa. Commw. Ct. 2019), citing 65 P.S. § 67.305(a); see also Governor's Office of Admin. v. Campbell, 202 A.3d 890, 896 (Pa. Commw. Ct. 2019) ('For these reasons, we conclude that the requested Commonwealth employees' counties of residence information is protected by the constitutional right of informational privacy and this right is not outweighed by the public's interest in dissemination in this case. Consequently, OOR erred in ordering the disclosure of Commonwealth employees' counties of residence under the RTKL.').
9. Beh, 215 A.3d 1046, citing 65 P.S. § 67.306.
10. Doe v. Triangle Doughnuts, LLC, 2020 WL 3425150, at *3 (E.D. Pa. June 23, 2020).
11. Id. at *6.
12. West Chester University of Pa. v. Rodriguez, 216 A.3d 503, 2019 Pa. Commw. LEXIS 690, 2019 WL 3307901 (Pa. Commw. Ct. 2019).
13. Id. at 511.
14. E.g., Estate of Rennick v. Universal Credit Servs., LLC, 2019 U.S. Dist. LEXIS 6888 at *16, 2019 WL 196539 at *6 (E.D. Pa. Jan. 15, 2019).
15. Harris v. Easton Pub. Co., 483 A.2d 1377, 1383 (Pa. Super. Ct. 1984); see also Burger v. Blair Med. Assocs., 964 A.2d 374, 376 (Pa. 2009).
16. Pennsylvania State Education Association v. Commonwealth of Pennsylvania Dept. of Community and Economic Development, 148 A.3d 142 (Pa. 2016).
17. Id. at 151; see also Easton Area School District v. Miller, 232 A.3d 716 (Pa. 2020) (holding that school bus surveillance footage was exempt from the Right-to-Know Law because it was an educational record and contained personally identifiable information protected by the Pennsylvania right to privacy).
18. Harris, 483 A.2d at 1383, citing Restatement (Second) of Torts § 652B.
19. Id.
20. Burger v. Blair Med. Assocs., 964 A.2d 374, 378 (Pa. 2009).
21. Harris, 483 A.2d at 1384, citing Restatement (Second) of Torts § 652D; see also Burger, 964 A.2d at 379.
22. Harris, 483 A.2d at 1384.
23. Id.; Burger, 964 A.2d at 379, in which the "publicity" element was unsatisfied where the defendant disclosed the claimant's drug use only to the employer; Vogel v. W.T. Grant Co., 327 A.2d 133, 137 (Pa. 1974), in which the "publicity" element was unsatisfied where the defendant disclosed the claimant's private affairs to an employer and three relatives; Burke v. Kubicek, 2021 WL 4307031, at *3 (Pa. Super. Ct. Sept. 22, 2021), in which the "publicity" element was unsatisfied where the matter was communicated to a small group of third parties.
24. Burger, 964 A.2d at 379.
25. Tanzosh v. InPhoto Surveillance, 2008 U.S. Dist. LEXIS 76022, at *17, 2008 WL 4415693, at *6 (M.D. Pa. Sept. 26, 2008); see also Rush v. Philadelphia Newspapers, Inc., 732 A.2d 648, 654 (Pa. Super. Ct. 1999); James v. Cmty. Coll. of Allegheny Cnty., 263 A.3d 68 (Pa. Commw. Ct. 2021).
26. Id.
27. Rush, 732 A.2d at 654.
28. Tanzosh, 2008 U.S. Dist. LEXIS 76022 at *17, 2008 WL 4415693 at *6 (quoting Fogel v. Forbes, Inc., 500 F. Supp. 1081, 1087-88 (E.D. Pa. 1980)).
29. Rush, 732 A.2d at 654.
30. Eagle v. Morgan, 2013 U.S. Dist. LEXIS 34220, *20, 2013 WL 943350 at *7 (E.D. Pa. Mar. 12, 2013).
31. Id.
32. Id. (quoting Restatement (Second) of Torts § 652C).
33. AFL Phila. LLC v. Krause, 639 F. Supp. 2d 512, 530 (E.D. Pa. 2009), quoting Restatement (Second) of Torts § 652C, comment c.
34. Id., at 531.
35. Id.
36. Id.; Rose v. Triple Crown Nutrition, Inc., 2007 U.S. Dist. LEXIS 14785, 2007 WL 707348 at *3 (M.D. Pa. Mar. 2, 2007); Kelly v. Peerstar, 2020 WL 5077940, at *9 (W.D. Pa. Aug. 26, 2020).
37. Eagle v. Morgan, 2013 U.S. Dist. LEXIS 34220, *20, 2013 WL 943350 at *8 (E.D. Pa. Mar. 12, 2013); see also World Wrestling Fed. Entm't, Inc. v. Big Dog Holdings, Inc., 280 F. Supp. 2d 413, 443-44 (W.D. Pa. 2003).
38. Eagle, 2013 U.S. Dist. LEXIS 34220 at *20, 2013 WL 943350 at *8.
39. Id.
40. AFL Phila. LLC v. Krause, 639 F. Supp. 2d 512, 531 (E.D. Pa. 2009).
41. Dittman v. UPMC, 196 A.3d 1036, 1038 (Pa. 2018).
42. Id. at 1038-39.
43. Id. at 1046-47.
44. Id. at 1047-48.
45. In re Wawa, Inc. Data Security Litigation, 2021 WL 1818494, at *5 (E.D. Pa. May 6, 2021).
46. Id.
47. Id.
48. Kine v. Security Guards, Inc., 386 F.3d 246, 257 (3d Cir. 2004).
49. Kump v. Nazareth Area Sch. Dist., 425 F. Supp. 2d 622, 633 (E.D. Pa. 2006) (student whose cell phone was confiscated by teacher and who alleged that teacher and assistant principal intercepted and replied to text messages sent to student's phone lacked standing to bring a claim section 5725 because the student had not engaged in a communication and only was intended recipient of the intercepted communications).
50. Marks v. Bell Tele. Co. of Pa., 331 A.2d 424, 430 n.6 (Pa. 1975).
51. Id.; see also Simmers v. Packer, 36 Pa. D.&C.4th 182, 185 (Pa. Ct. Comm. Pl. 1997).
52. Commonwealth v. Jung, 531 A.2d 498, 503-504 (Pa. Super. Ct. 1987).
53. Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121, 133 (3d Cir. 2022).
54. Id.
55. Id. at 130; Luis v. Zang, 833 F.3d 619 (6th Cir. 2016).
56. Id. at 130-31.
57. Id. at 131.
58. Commonwealth v. Green, 2009 Pa. Dist. & Cnty. Dec. LEXIS 270 (Pa. Ct. Comm. Pl. Oct. 8, 2009), aff'd, 13 A.3d 998 (Pa. Super. Ct. 2010).
59. Aberts v. Verna, 2016 Pa. Dist. & Cnty. Dec. LEXIS 3028 (Pa. Ct. Comm. Pl. June 27, 2016).
60. Commonwealth by Creamer v. Monumental Properties, Inc., 329 A.2d 812, 816 (Pa. 1974).
61. E.g., Bennett v. A.T. Masterpiece Homes at Broadsprings, LLC, 40 A.3d 145, 151-152 (Pa. Super. Ct. 2012) (describing 73 P.S. § 201-2(4)(xxi) as a "catchall" phrase).
62. See Commonwealth of Pennsylvania v. Orbitz Worldwide, LLC, Case No. 191202510 (Pa. Ct. Comm. Pl. Philadelphia Cty. Dec. 13, 2019); Commonwealth of Pennsylvania v. The Neiman Marcus Group, LLC, Case No. 190100160 (Pa. Ct. Comm. Pl. Philadelphia Cty. Jan. 8, 2019); Commonwealth of Pennsylvania v. Target Corp., Case No. 215-MD-2017 (Pa. Commw. Ct. May 23, 2017); see also 73 P.S. § 201-5 (authorizing the Pennsylvania AG to enter into Assurances of Compliance).
63. E.g., Baum v. Keystone Mercy Health Plan, 116 A.3d 682 (Pa. Super. Ct. Dec. 9, 2014), aff'd, 2016 WL 1658057 (Pa. Super. Ct. Apr. 26, 2016).
64. Boehm v. Riversource Life Ins. Co., 117 A.3d 308, 336-37 (Pa. Super. Ct. 2014), appeal denied, 633 Pa. 773 (2015); see also Krebs v. United Refining Co. of Pennsylvania, 893 A.2d 776, 788 (Pa. Super. Ct. 2006), which stated "these cases hold generally that where the General Assembly has departed from the 'American Rule' (where each party is responsible for his or her own attorneys' fees and costs), by providing a fee-shifting remedy in a remedial statute, the trial court's discretionary award or denial of attorneys' fees must be made in a manner consistent with the aims and purposes of that statute."
65. Gregg v. Ameriprise Financial, Inc., 245 A.3d 637, 641 (Pa. 2021).
66. Burger v. Blair Med. Assocs., 964 A.2d 374, 379 (Pa. 2009).
67. Dittman v. UPMC, 196 A.3d 1036, 1047 (Pa. 2018).
68. Id.
69. Spade v. United States, 531 F. Supp. 3d 901 (M.D. Pa. 2021), aff'd sub nom. Spade v. United States Dep't of Just., 2022 WL 444259 (3d Cir. Feb. 14, 2022).
70. 47 U.S.C. § 227 et seq.
71. Gregg v. Ameriprise Financial, Inc., 245 A.3d 637, 641 (Pa. 2021).
72. Id. at 640.
73. Id.