Pennsylvania’s amendments to data breach notification law take effect

Constangy, Brooks, Smith & Prophete, LLP

[co-author: Edwin Jones]

The Commonwealth of Pennsylvania has amended its Breach of Personal Information Notification Act. The amendments (2024 Act 33, available from the PA General Assembly at state.pa.us) took effect last week, on September 26. The key provisions are as follows:

  • If notice of a breach must be given to more than 500 individuals, notice must be made at the same time to the Office of the Attorney General. Notice to the Attorney General must include the following information to the extent known by the notifying entity:
    • the organization name and location;
    • the date of the breach of the security of the system;
    • a summary of the breach incident of the security of the system;
    • an estimated total number of individuals affected by the breach; and
    • an estimated number of Pennsylvania residents affected by the breach.

Entities subject to 40 Pa.C.S. Ch. 45 (relating to insurance data security) are exempt from the Attorney General notice requirements.

  • If the breach affected 500 or more individuals, the entity must report to the nationwide credit reporting agencies. The threshold for reporting to these agencies was previously 1,000 or more individuals.
  • If the breach involves an individual’s Social Security number, bank account number, or driver’s license or state ID number, the entity must provide no-cost credit monitoring services for a period of 12 months, and access to one independent credit report from a consumer reporting agency if the individual is unable to obtain one free of charge.
  • “Medical information” under the statute’s definition of “Personal Information” has been changed to “medical information in the possession of a State agency or State agency contractor.”

These amendments bring the Pennsylvania statute into line with other state data breach statutes. However, Pennsylvania’s inclusion of driver’s license, state identification number, and bank account numbers as elements of personal information that require credit monitoring is unique.

Along with the amendments to the statute, the Office of the Attorney General has established a new online reporting portal.

Businesses and governmental entities covered by the Pennsylvania legislation should continue to review and update incident response plans to reflect these and other legislative changes. Staying informed of current cybersecurity threats, identifying and addressing vulnerabilities, and confirming the adequacy of administrative, technical, and physical controls continue to be essential.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Constangy, Brooks, Smith & Prophete, LLP
