Reporting Requirements

Submit a Cybersecurity Event Notification Report


A "cybersecurity event" is an event resulting in unauthorized access to, disruption of, or misuse of an information system or of nonpublic information stored on the information system. The term does not include:

  • The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.
  • An event where the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

This Act requires, among other things, that a licensee investigate a cybersecurity event and notify the Commissioner as promptly as possible, but in no event later than five business days after determining that a cybersecurity event meeting certain criteria has occurred. If a cybersecurity event is not reported within five business days, the licensee could face additional Department oversight, examinations, or even loss of license.


Cybersecurity Event Examples

Below are common examples of cybersecurity events that would require a licensee to notify the Department. Such events include, but are not limited to:

  • Theft
  • Phishing
  • Hacking
  • Stolen/Lost Equipment
  • DNS/Ransomware
  • Improper Disclosure
  • Improper Disposal
  • Lost During Move
  • Unauthorized Access
  • Compromised Computer/Equipment

It is important to note that this list is not exhaustive; other circumstances not included above may also qualify as a cybersecurity event and require notification to the Commissioner. If you are unsure or have questions, please reach out via email to RA-INdatasecurity@pa.gov.

Important Terminology

Licensees should be aware of the following terms used in cybersecurity event notifications.

  • Incident Response Plan: a written document that guides IT professionals on how to respond to and recover from a serious security incident.
  • Unauthorized access: when someone connects to a system without permission, whether by using someone else's account or by other methods.
  • Information system: a collection of components working together to collect, process, store, and share information for decision-making, coordination, and analysis.
  • Non-public information: information that is stored electronically and is not publicly available, including business-related information that could harm the licensee if tampered with, consumer information that can identify an individual, and health-related information.

Additional Information

Additional information can be found on the Department's Laws and Regulations - Guide to Act 2 2023.

Questions

Questions concerning the Act or a Cybersecurity event notification can be sent to RA-INdatasecurity@pa.gov.