[co-author: Stephanie Kozol]*
Earlier this year, Governor Josh Shapiro signed amendments to Pennsylvania’s Breach of Personal Information Notification Act (BPINA) into law, which go into effect on September 26. As part of the implementation of these requirements, Pennsylvania Attorney General (AG) Michelle Henry announced the launch of an online portal for companies and other entities to report data breaches that impact more than 500 Pennsylvania residents. As with notification to impacted individuals, covered entities must notify the AG “without unreasonable delay.” This new requirement aligns Pennsylvania’s data breach notification law with the 35 states that have existing notice requirements for the applicable state regulator when a threshold number of state residents are impacted. Many of these states utilize a similar portal for submissions for ease of reporting.
The portal is available here. The AG’s website also provides guidance on the process to submit required information about the breach, and information about the BPINA for entities and residents.
In addition to the regulatory reporting requirement, the amendments provide protections for types of information that up until now remained unprotected under the BPINA. As with the previous version of the BPINA, notification to individuals is triggered when a data breach involves a person’s name and Social Security number, financial account number, and driver’s license or state ID number. The amendments now add protections for an individual’s name in combination with medical information in the possession of a state agency or state agency contractor, health insurance information, or a username and password that permits access to an online account as newly protected data elements that also trigger notice to individuals if impacted. However, impact to these data elements only triggers notification where the covered entity reasonably believes the unauthorized access or acquisition of the information has caused, or will cause, loss or injury to any Pennsylvania resident. Pennsylvania also joins five other states in requiring entities to provide impacted individuals with 12 months of credit monitoring when an individual’s Social Security number, driver’s license number, state ID number, or bank account number is impacted.
Why It Matters
Prior to the BPINA amendments, Pennsylvania was among the 15 states that did not mandate that organizations suffering a qualifying breach of consumer personal identifying information notify the relevant state regulator. Given the new protections for additional types of information and the regulatory reporting requirements, organizations handling personal information of Pennsylvania residents should revise their incident response plans. These changes could subject organizations to increased regulatory scrutiny. Failure to comply with these new requirements may be deemed a violation of BPINA, constituting an unfair or deceptive act or practice in violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law, and subject companies to injunctive relief or monetary penalties.
The BPINA amendments add to the mosaic of breach notification laws across all 50 states, with applicability based on the impacted individual’s state of residence. While these amendments aim to align Pennsylvania law with other state data breach notification laws, they also highlight the diverse requirements that can complicate compliance in the wake of a cybersecurity incident, particularly for companies that operate in multiple jurisdictions. Engaging experienced counsel after a security incident is always a best practice to help navigate the obligations under the patchwork of state regulatory frameworks.
*Senior Government Relations Manager