Recent Amendments to Pennsylvania “Breach of Personal Information Notification Act”

King & Spalding

On June 28, 2024, Governor Josh Shapiro of Pennsylvania approved several notable amendments to the Commonwealth’s data breach notification law (SB 824). In summary, the revised statute:

  • adds a regulator notification requirement;
  • lowers the threshold of affected Pennsylvania residents triggering a notification requirement to the consumer reporting agencies (“CRAs”);
  • amends the definition of “personal information” with respect to the “medical information” that would trigger notice; and
  • adds a novel requirement to pay for a consumer disclosure for affected individuals who are not able to obtain one for free, and mandates the provision of credit monitoring when certain personal information is accessed as a result of the breach.

Regulator Notice

As of September 26, 2024, the effective date, entities will be required to notify the Attorney General when more than 500 Commonwealth residents are affected by a data breach. Regulator notice must be provided at the same time the entity notifies the affected individuals. The notice to the Attorney General must include the entity’s name and location, date of breach, an incident summary, an estimated total number of affected individuals, and the estimated number of affected Pennsylvania residents. An exception to the regulator notice requirement is provided for entities that are subject to Pennsylvania’s insurance data security law. Additionally, entities must now also notify the three major CRAs if more than 500 Pennsylvania residents are affected by the data breach; the previous threshold was 1,000.

Credit Monitoring

With respect to credit monitoring, Pennsylvania now requires entities to offer at least 12 months of monitoring to affected individuals if their Social Security number, bank account number, driver’s license number, or state ID number was accessed in the breach.

Credit Report Payment Provision

Pennsylvania’s legislature added a unique “Assumption of costs” provision that requires notifying entities to assume all costs and fees in providing the affected individuals:

[a]ccess to one independent credit report from a consumer reporting agency if the individual is not eligible to obtain an independent credit report from a consumer reporting agency for free under 15 U.S.C. § 1681 (relating to congressional findings and statement of purpose).

The federal Fair Credit Reporting Act (“FCRA”) provides individuals the right to obtain a free credit report once during any 12-month period from each of the three major CRAs.[1] While many states’ data breach notification laws already require entities to provide information to affected individuals regarding their right to obtain free credit reports, Pennsylvania will now require entities to pay for a credit report if the individual is ineligible to request a free version. It is as yet unclear how entities will be able to determine whether an affected individual is “not eligible” to obtain a free credit report under the FCRA, or how entities will be able to operationalize the process of paying for credit reports for ineligible affected individuals.

Medical Information

Lastly, the new law redefines the phrase “personal information” to narrow its scope with respect to “medical information.” Going forward, only medical information “in the possession of a State agency or State agency contractor” will trigger a notification requirement under Pennsylvania law.

[1] See 15 U.S. Code § 1681j(a)(1)(A) (“Free Annual Disclosure” provision).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© King & Spalding
