Data Security:

Not Just for IT Guys Anymore

By Henry Lerner, Esq.

Companies that collect client Social Security numbers, driver’s license numbers or any information about their clients’ credit cards or financial accounts may be affected by two new state laws on data security.

The Breach of Personal Information Notification Act (BPINA), or Act 94 of 2005, became effective June 20 and applies to any “entity that maintains, stores or manages computerized data that includes personal information” on a Pennsylvania resident. Its provisions require that if there is a security breach involving such computerized personal information, the company that collects the data must notify the consumers who are affected by the breach. In addition, a vendor that maintains data for another company must notify the company that collected the information so individual consumers can be notified.

Personal information is defined as any data that links a resident’s name with his Social Security number (SSN), driver’s license number (or other state-issued ID number) or financial account number.

The second law, Act 60 of 2006, addresses the use of Social Security numbers. Act 60 makes it a summary criminal offense to “intentionally communicate or otherwise make available to the general public” any individual’s SSN and prohibits certain other uses of the SSN that might have it exposed to public view. Fines for violating this law, which goes into effect at the end of December, range from $50 to $500 for a first offense and $500 to $5000 for any subsequent offense.

More information about these new laws can be found on the PAR web site in the Issues Resource Center.  Just click on the “Data Security Resources” link for copies of the laws and a comprehensive Q&A. Additional information will be provided in The Pennsylvania REALTOR® in coming issues.