Pennsylvania's 20-Year-Old Data Breach Notification Law Gets a Makeover
Mark your calendar: effective Thursday, September 26, 2024, Pennsylvania's (PA) amended Breach of Personal Information Notification Act takes effect.
PA was one of the first states to enact a data breach notification law, in 2006; however, the law, once a leader in the nation, has fallen woefully behind. According to PrivacyPlan's Data Breach Statute Scoring, the PA law ranked 45th out of the 50 states.
PA has now updated its law to bring it in line with the vast majority of data breach laws, and has taken the lead nationally by mandating free credit monitoring services.
Requirement to Offer Complimentary Credit Monitoring
The single most important amendment is that, in the event of a data breach, entities are required to provide impacted Pennsylvania residents with complimentary access to a credit report and 12 months of free credit monitoring services. These requirements apply when an entity determines that:
- there was a data breach (as defined by Pennsylvania law); and
- the data accessed in connection with the breach included the individual’s name (first and last name, or first initial and last name) in combination with their Social Security number, bank account number or driver’s license/state identification card number.
Notably, although several states require entities to offer complimentary credit monitoring services to state residents whose Social Security numbers were contained in files involved in a data breach, Pennsylvania is the first state to require that such services be offered to residents whose driver's license numbers and/or bank account numbers were contained in the files.
Modification to the Definition of “Personal Information”
Pennsylvania law has defined “personal information” as an individual’s first name or first initial with last name in combination with one or more of the following:
- Social Security number
- Driver’s license or identification card number
- Account number or credit or debit card number, in combination with a linked security or access code or the password of an individual’s financial account
The amended law adds the following data elements to the definition of “personal information” as well:
- Medical information in the possession of a state agency or state agency contractor
- Health insurance information
- A username or email address, in combination with a password or security question and answer that would permit access to an online account
Requirement to Provide Notification to the Pennsylvania Attorney General
The amended law also creates a new obligation for organizations to notify the Pennsylvania Attorney General’s Office whenever they provide notice of a data breach to more than 500 Pennsylvania residents. The notification to the attorney general must be provided concurrently with the notice to individuals and must include the following information:
- The organization’s name and location
- The date of the breach
- A summary of the breach incident
- The estimated total number of individuals affected by the breach
- The estimated total number of Pennsylvania residents affected by the breach
Reduced Threshold for Notice to Credit Reporting Agencies
Pennsylvania law previously required entities providing notice to 1,000 or more state residents to also notify the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The amended law, however, reduces that threshold to 500 or more state residents.
Like many states before it, Pennsylvania will expand the obligations of organizations responding to cybersecurity and data security incidents. It is important for organizations to stay up to date on amendments to data breach notification laws to help ensure legal compliance.