Pennsylvania Updates State Data Breach Notification Law
July 8, 2024
On June 28, 2024, Pennsylvania enacted significant changes to its existing Breach of Personal Information Notification Act with the adoption of Pennsylvania Senate Bill 824 (Senate Bill 824). Senate Bill 824 marks the second amendment to the Pennsylvania data breach notification law in the last two years, following amendments that went into effect on May 2, 2023. These newest updates to the law, which will become enforceable on September 26, 2024, create several new legal obligations for organizations that maintain data related to residents of Pennsylvania, and change certain legal thresholds and definitions that will affect entities subject to Pennsylvania law.
Regulatory Notice Changes
Senate Bill 824 creates a new legal requirement that an organization must notify the Pennsylvania Attorney General’s Office whenever it provides notice of a breach under Pennsylvania law to more than 500 residents of the state. The notification to the Attorney General must be provided concurrently with the notice provided to individuals, and must include the following information (if known at the time of notice):
- The organization name and location
- The date of the breach, as defined by Pennsylvania law
- A summary of the incident
- The estimated total number of impacted individuals, and
- The estimated total number of impacted residents of Pennsylvania
Any entity subject to the requirements of the Pennsylvania laws regulating data security for the insurance industry is exempt from the above requirement to notify the Attorney General. Senate Bill 824 does not specify whether the Attorney General notification is to be submitted through an electronic form or by letter or email.
Obligation to Provide Credit Report/Credit Monitoring
Another new addition to the breach notification law requires that organizations also provide certain impacted Pennsylvania residents with access to a credit report and credit monitoring services, free of any cost to the individual. These requirements only apply when an organization determines that:
- there was a breach of the security of the systems as defined by Pennsylvania law; and
- the data accessed as a result of the breach included the individual’s name (first and last name, or first initial and last name) in combination with their Social Security number, bank account number or driver’s license/state identification card number.
If these requirements are satisfied, the organization must provide the impacted individual with “access to one independent credit report from a consumer reporting agency if the individual is not eligible to obtain an independent credit report from a consumer reporting agency for free under 15 U.S.C. § 1681”. Furthermore, the organization must also offer the individual 12 months of credit monitoring services and inform them that the credit monitoring services are available at no cost to the individual. The inclusion of bank account number as an element of PII that triggers credit monitoring is unusual and contrary to the guidance in other states such as California, which only requires that credit monitoring be offered in breaches involving Social Security numbers or certain types of government identification such as driver’s license or California identification card numbers, tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on a government document.
Reduced Threshold for Notice to Credit Reporting Agencies
Pennsylvania’s data breach notification law previously required that any organization providing notice to 1,000 or more state residents must also provide notice to the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. However, Senate Bill 824 reduces that threshold number, thus requiring any organization that is providing notice to 500 or more individuals to also notify the credit reporting agencies as defined by section 603 of the Fair Credit Reporting Act.
Modified Definition of Personal Information
Lastly, Senate Bill 824 modifies the data breach notification statute’s definition of personal information, specifically as it relates to medical information. In the amendments implemented in May of 2023, Pennsylvania expanded the list of data elements identified as personal information, including the addition of medical information as personal information protected under the law. Senate Bill 824 further narrows the definition of medical information to read “Medical information in the possession of a State agency or State agency contractor” (the qualifying language “in the possession of a State agency or State agency contractor” being the statutory change). This substantial qualification of what constitutes “medical information” appears to exempt private sector organizations from the legal requirement to provide notice to Pennsylvania residents of a breach involving their medical information, unless the data was in the possession of a State agency or State agency contractor at the time of the breach. The amendment does not change the obligation of entities that are subject to HIPAA to report a data breach involving protected health information.
As state data breach notification laws in Pennsylvania and across the nation continue to evolve, it is important that organizations continue to update incident response plans, evaluate potential risk, and work with counsel to ensure compliance in the event of a data security incident.
Senate Bill 824 is available here:
Eckert Seamans’ prior Data Security & Privacy Alert related to the 2023 amendments to Pennsylvania’s data breach notification law is available here: https://www.eckertseamans.com/legal-updates/pennsylvania-amends-its-breach-of-personal-information-notification-act
Sources: Pennsylvania Senate Bill No. 824, 2023-2024, Printers No. 1151; 43 Pa. C.S. § 2301 et seq.
This Cybersecurity, Data Protection & Privacy Alert is intended to keep readers current on developments in the law. It is not intended to be legal advice. If you have any questions, please contact Matthew H. Meade at 412-566-6983 or mmeade@eckertseamans.com; Laura Decker at 215-851-6623 or ldecker@eckertseamans.com, or any other attorney at Eckert Seamans with whom you have been working.