Senate passes bills aimed at ransomware, data breaches

Senate passes bills aimed at ransomware, data breaches
Jan. 19, 2022
Updated: Jan. 19, 2022 2:23 p.m.
Comments
HARRISBURG, Pa. (AP) — Pennsylvania's state Senate passed a package of legislation on Wednesday aimed at preventing data security breaches and requiring victims and law enforcement officials to be notified when they do happen.

The bills' passage comes barely two weeks after the state's unemployment compensation system acknowledged that hackers changed bank account information in some recipients' accounts, so that payments went to the hackers instead.

Both bills passed nearly along party lines and go to the House of Representatives. Democrats said they were seeking changes to make some provisions more workable for state agencies.

One bill would require the state to develop a strategy to prevent and respond to ransomware attacks. It also would bar state and local governments from using public money to pay for an extortion attempt during a ransomware attack.

It includes an exception for the governor to allow it while a disaster emergency declaration is in force.

The bill, however, does allow state agencies to buy insurance coverage for ransomware attacks. The bill also sets criminal penalties for perpetrators and allows victims to sue for damages.

The other bill would require any state agency, school district or local government agency to notify victims within seven days of determining a breach of personal information.

The bill applies to state contractors. That provision was added after the state Health Department last year fired a vendor that performed COVID-19 contact tracing because state officials said its employees exposed the private medical information of more than 70,000 residents.