In January of 2017, the National Conference of State Legislatures (NCSL) published a list of the top 10 issues that will be before state legislatures across the nation this year. While we’re just over a quarter of the way through the two-year 2017-2018 legislative session, it’s worth a look to see what our own elected officials are doing to address each of the issues. The next topic up for consideration: fending off cyberattacks.
Cyberattacks are a growing threat in the United States and around the world. Hackers have targeted individuals, companies and governments by gaining access to personal and sensitive information. Improving cybersecurity is a vital and necessary next step that policymakers must consider in order to fend off future attacks and maintain the public trust.
The Wolf administration began the Commonwealth’s venture toward tackling cybersecurity by signing Executive Order 2016-06, “Enterprise Information Technology Governance.” The order gave the Office of Administration (OA) the authority to develop an integrated information technology strategy to improve efficiencies, streamline data collection and sharing, and enhance the security of the state.
Earlier this month, Rep. Seth Grove (R-York) introduced H.B. 1704, which would codify the Office of Information Technology under the OA, created by E.O. 2016-06, and consolidate all of the executive branch’s information technology services, funding and oversight. The bill also specifically addresses cybersecurity: (1) state agencies would be required to adopt new standards that must at least match industry best practices; (2) a two-year schedule would be developed to test cybersecurity capabilities; and (3) a new cybersecurity committee would be established to discuss emerging threats and issue a report including policy recommendations. Sen. Ryan Aument (R-Lancaster) circulated a co-sponsorship memo in the Senate that would accomplish the same objectives.
Furthermore, H.B. 32 (Thomas, D-Philadelphia) would establish a Cybersecurity Innovation and Excellence Commission that would be a centralized entity through which cybersecurity measures would be streamlined. The proposal is based off of a similar Commission that was created in Maryland in 2011.
In 2015, the Joint State Government Commission issued a report titled “Cybersecurity in Pennsylvania.” One of their recommendations was to update the definition of “personal information” in Act 94 of 2005, Pennsylvania’s Breach of Personal Information Notification Act, to reflect a more modern understanding of cybersecurity. This year, Rep. Curtis Thomas (D-Philadelphia) introduced H.B. 33, which would do just that. The definition would be defined more broadly to include information that could be used to distinguish or trace an individual’s identify as well as information linked to an individual. This includes things such as passport numbers, taxpayer identification numbers, electronic account information and digitized or other electronic signatures. As a result, these entities that are holders of such information would have to comply with the law and notify citizens when there is a breach.
Along the same lines as H.B. 33, S.B. 308 (Vulakovich, R-Allegheny) would update the Breach of Personal Information Act by requiring that a breach of personal information be reported to affected individuals within seven days. It would also require the Attorney General to be made aware of the breach and agencies to notify the OA within three days following the breach. The legislation would also require the OA keep a policy for the storage and transmission of personal information.
As hackers get more skilled, policies surrounding cybersecurity have to keep up to fend them off and maintain citizens’ belief in the safety of their personal information. It’s essential that the state uses its resources to secure and protect the government and its citizens from this new type of threat. Stay tuned to this blog and follow us on Twitter @BuchananLobbyists for updates on this important topic.