Pennsylvania Makes Significant Changes to Its Data Breach Notification Law

BakerHostetler
On June 28, 2024, Pennsylvania Governor Josh Shapiro signed an amendment to Pennsylvania’s Breach of Personal Information Notification Act into law. The amended law, which includes significant changes to the Keystone State’s data breach notification law, goes into effect on September 26, 2024. Below, we discuss the major changes set forth in the amended law.

Modification to the Definition of “Personal Information”

Pennsylvania law previously defined “personal information” as an individual’s first name or first initial with last name in combination with one or more of the following:

  • Social Security number
  • Driver’s license or identification card number
  • Account number or credit or debit card number, in combination with a linked security or access code or the password of an individual’s financial account

The amended law brings the following data elements within the definition of “personal information” as well:

  • Medical information in the possession of a state agency or state agency contractor
  • Health insurance information
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account

It is worth emphasizing that the medical information element applies only to data held by a state agency or a state agency contractor. A private sector organization that suffers a breach involving only medical information is therefore not required under this law to notify Pennsylvania residents, unless a state agency or state agency contractor possessed the data at the time of the breach.

Requirement to Provide Notification to the Pennsylvania Attorney General

The amended law also creates a new obligation for organizations to notify the Pennsylvania Attorney General’s Office whenever they provide notice of a data breach to more than 500 Pennsylvania residents. The notification to the attorney general must be provided concurrently with the notice to individuals and must include the following information:

  • The organization’s name and location
  • The date of the breach
  • A summary of the breach incident
  • The estimated total number of individuals affected by the breach
  • The estimated total number of Pennsylvania residents affected by the breach

Any entity subject to the requirements of the Pennsylvania laws regulating data security for the insurance industry is exempt from the above requirement to notify the attorney general.

The amended law does not specify the form the attorney general notification must take (for example, an online portal submission or a letter).

Requirement to Offer Complimentary Credit Monitoring

Another feature of the amended law is that in the event of a data breach, entities are required to provide impacted Pennsylvania residents with complimentary access to a credit report and credit monitoring services. These requirements apply when an entity determines that:

  • there was a data breach (as defined by Pennsylvania law); and
  • the data accessed in connection with the breach included the individual’s name (first and last name, or first initial and last name) in combination with their Social Security number, bank account number or driver’s license/state identification card number.

If these requirements are satisfied, the organization must provide the impacted individual with “access to one independent credit report from a consumer reporting agency if the individual is not eligible to obtain an independent credit report from a consumer reporting agency for free under 15 U.S.C. § 1681.” Furthermore, the organization must also provide the individual with an offer of 12 months of credit monitoring services and inform them that the credit monitoring services are available at no cost to the individual.

Notably, although several states require entities to offer complimentary credit monitoring services to state residents whose Social Security numbers were contained in files involved in a data breach, Pennsylvania is the first state to require that such services also be offered to residents whose driver's license numbers and/or bank account numbers were contained in those files.

Reduced Threshold for Notice to Credit Reporting Agencies

Pennsylvania law previously required entities providing notice to 1,000 or more state residents to also notify the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The amended law, however, reduces that threshold to 500 or more state residents.

Like many states before it, Pennsylvania is expanding the obligations of organizations responding to cybersecurity and data security incidents. Organizations should stay up to date on amendments to data breach notification laws to help ensure legal compliance.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
