New Data Breach Requirements for Public Schools: Cybersecurity the Focus of Act 151 of 2022

By William J. Zee & Megan E. Bomba

November 4, 2022

The obligation of public agencies to properly inform those whose personal information is disclosed in a data breach were expanded with the enactment of Act 151 of 2022.

The new law establishes definitions for key cybersecurity terms, and details the manner through which a public agency must notify Pennsylvania residents of the disclosure of personal information. The Act defines a Pennsylvania resident as anyone whose principal mailing address lies within the Commonwealth. Required communication to an individual subject to a data breach can include written, telephonic, or email notification.

Should a data breach occur at a public school, the school is required to give notice to affected individuals within seven business days following the determination of the breach. If the breach occurs through a third-party vendor, the vendor must notify the public school, but the school is required to independently determine that a data breach has occurred and follow through with its attendant duties regarding the breach.

The Act establishes additional requirements for public entities that maintain personal information, including the responsibility to reasonably protect the transmission of personal information over the internet through encryption or other appropriate security measures. In addition, public entities must create reasonably proper methods of storing personal information to prevent a future data breach. The Act specifically calls for public entities to develop transmission and storage policies aligned with the requirements of the law that are to be reviewed annually and updated as needed.

Should you have any questions about Act 151 of 2022 or any other cybersecurity questions, please do not hesitate to contact William J. Zee or any of the attorneys in the Appel, Yost & Zee Education Law Group.