Pennsylvania Breach of Personal Information Notification Act
73 P.S. § 2301 – § 2329
SUMMARY:
EFFECTIVE. June 20, 2006
WHO DOES THIS LAW APPLY TO. Any person or business that maintains, stores, or manages computerized data that includes Personal Information.
WHAT IS A BREACH. The unauthorized access to and acquisition of computerized data that materially compromises the security or confidentiality of Personal Information maintained by a person or business, and that causes, or is reasonably likely to cause, loss or injury to a Pennsylvania resident. A good-faith acquisition of Personal Information by an employee or agent of the owner for the owner's internal purposes is not a breach, provided the information is not used for an unlawful purpose and is not subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements, when the data element is not encrypted or redacted:
- Social Security Number.
- Driver's license number or State identification card number.
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the affected Pennsylvania residents. If more than 1,000 Pennsylvania residents are notified at one time, the person or business shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in 15 U.S.C. § 1681a(p)) of the timing, distribution, and number of the notices.
EXCEPTION. The following are considered in compliance with this Section:
- A person or business that maintains its own notification procedures as part of an information security policy for the treatment of Personal Information, consistent with the timing requirements of this Section, if it notifies the affected Pennsylvania residents in accordance with those procedures.
- A financial institution that complies with the notice requirements of the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
- A person or business that complies with the notification requirements or rules established by its primary or functional Federal regulator.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent after the person or business discovers a security breach. The disclosure shall be made without unreasonable delay, consistent with the measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency advises the person or business in writing that notification would impede a criminal investigation. In that instance, notification shall be made once law enforcement determines that it will no longer compromise the investigation.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by any of the following methods:
- Written notice.
- Telephonic notice (if the customer can reasonably be expected to receive it, the notice is given clearly, and a telephone number or website is provided for further information and assistance).
- Electronic notice (if a prior business relationship exists and a valid Email address is available).
- Substitute notice, as provided below.
SUBSTITUTE NOTICE AVAILABLE. Substitute notice may be used if the person or business can demonstrate that the cost of providing notice would exceed $100,000, that the affected class of persons to be notified exceeds 175,000, or that it has insufficient contact information. Substitute notice shall consist of all of the following:
- Email notice, if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business, if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains, stores, or manages computerized data that includes Personal Information it does not own, it shall notify the owner of the data of the breach upon discovery. The person or business that owns the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Violations of this Section shall be enforced under the Unfair Trade Practices and Consumer Protection Law. The State Attorney General shall have exclusive authority for enforcement.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
S.B. 712 – Signed into law on 12/22/2005, Effective 6/20/2006.
For more information, see here: https://govt.westlaw.com/pac/Browse/Home/Pennsylvania/UnofficialPurdonsPennsylvaniaStatutes?guid=N9B3F41908C4F11DA86FC8D90DD1949D4&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)
AND
https://www.legis.state.pa.us/WU01/LI/LI/US/HTM/2005/0/0094..HTM
AND
https://www.legis.state.pa.us/cfdocs/legis/CH/PUBLIC/ucons_pivot_pge.cfm?session=2005&session_ind=0&act_nbr=0094.&pl_nbr=0474
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.