Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

PENNSYLVANIA DATA PRIVACY REGULATIONS

Did You Know?

 
  • Comprehensive information requirements for notifications;
  • Limited methods of notification delivery;
  • Data owners are responsible for breach reporting and notifications;
  • Notification may be required to consumer reporting agencies;
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

Who Me?

 

Pennsylvania breach and notification laws may apply if you are:

  • An entity that maintains, stores or manages computerized data that includes PII;
  • A vendor that maintains, stores or manages such data on behalf of another entity.

There are exemptions.

What is PII?

 

PII relevant to a breach in Pennsylvania includes a person's name plus one of the following:

  • Social Security Number;
  • Driver license or identification number;
  • Account number, or credit or debit card number, in combination with any security code, access code or password, etc. permitting access to the person's account.

LAWS

APPLICABLE LAW

Title 73: Trade and Commerce

Chapter 43: Breach of Personal Information Notification Act

Sections 2301 to 2329.

PENALTIES

COMPLIANCE PENALTIES

In Pennsylvania, a violation of the act shall be deemed to be an unfair or deceptive act or practice in violation of the Unfair Trade Practices and Consumer Protection Law. Only the state attorney general may enforce these laws.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when assessing reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was encrypted or redacted;
  • If the encryption key was acquired;
  • If it was acquired by an unauthorized person;
  • If the incident will cause loss or injury to any resident.

TIME LIMITS

Notification may be delayed if law enforcement advises the person that it will interfere with an investigation; otherwise, the notification must be made in the most expedient manner possible and without unreasonable delay.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Notification may be required to the consumer reporting agencies.

Disclosure may only be made by written notice, telephone or electronically, with stipulations. A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $100,000, the number of persons to be notified exceeds 175,000, or sufficient contact information is not available.
