Pennsylvania Amends Data Breach Notification Law
On June 28, 2024, Pennsylvania Governor Josh Shapiro signed Senate Bill 824, which introduces significant changes to the state’s personal data breach notification regulations. The new law amends the Breach of Personal Information Notification Act (PA Notification Act) and takes effect on September 26, 2024.
Expanded Definition of Personal Information.
The definition of “personal information” has been narrowed. Previously, it included: Social Security numbers; driver’s license or state ID numbers; financial account details or credit/debit card numbers combined with security codes; medical and health insurance information; and usernames or email addresses combined with passwords.
Under SB 824, “personal information” now specifically refers to “medical information in the possession of a State agency or State agency contractor,” aligning with other parts of the law. The definition of medical information itself remains unchanged.
Notification Requirements.
If a Pennsylvania state agency or one of its contractors experiences a data breach, it must notify affected individuals within 7 business days and must also inform the Pennsylvania Office of Attorney General immediately.
Vendors who handle data on behalf of others must notify the affected entity of any data breach. The responsibility for further notifications lies with the entity that maintains the data.
New Notification Obligations for Entities.
Organizations must now notify consumer reporting agencies when a breach affects 500 or more individuals, down from the previous threshold of 1,000. This notice must include details about the breach, including the number of affected individuals.
When notifying more than 500 Pennsylvania residents, organizations must also inform the Pennsylvania Office of Attorney General. This notification must include the organization’s name, the breach date, a summary of the incident, and estimates of the total number of affected individuals and those in Pennsylvania.
Credit Monitoring Services.
Entities responsible for breaches involving Social Security numbers, bank account details, driver’s license numbers, or state ID numbers must cover the costs of providing affected individuals with access to credit reports and credit monitoring services for 12 months. Organizations should review their cyber insurance policies to ensure coverage for these new obligations.
Organizations should update their data breach response plans to align with these new requirements. This includes adjusting notification procedures and preparing for the new thresholds for informing consumer reporting agencies and the Attorney General. By staying informed and proactive, organizations can better manage their compliance with Pennsylvania’s updated data breach notification law and mitigate the impact of potential breaches.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.