[BreachExchange] Senate passes bills aimed at ransomware, data breaches

[Terrell Byrd]

https://apnews.com/article/technology-congress-pennsylvania-432de39affb45babd018744e023b4dfa

HARRISBURG, Pa. (AP) — Pennsylvania’s state Senate passed a package of
legislation on Wednesday aimed at preventing data security breaches and
requiring victims and law enforcement officials to be notified when they do
happen.

The bills’ passage comes barely two weeks after the state’s unemployment
compensation system acknowledged that hackers changed bank account
information in some recipients’ accounts, so that payments went to the
hackers instead.

Both bills passed nearly along party lines and go to the House of
Representatives. Democrats said they were seeking changes to make some
provisions more workable for state agencies.

One bill would require the state to develop a strategy to prevent and
respond to ransomware attacks. It also would bar state and local
governments from using public money to pay for an extortion attempt during
a ransomware attack.

It includes an exception for the governor to allow it while a disaster
emergency declaration is in force.

The bill, however, does allow state agencies to buy insurance coverage for
ransomware attacks. The bill also sets criminal penalties for perpetrators
and allows victims to sue for damages.

The other bill would require any state agency, school district or local
government agency to notify victims within seven days of determining a
breach of personal information.

The bill applies to state contractors. That provision was added after the
state Health Department last year fired a vendor that performed COVID-19
contact tracing because state officials said its employees exposed the
private medical information of more than 70,000 residents.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220120/dec7a62e/attachment.html>