Pennsylvania Amends its Breach of Personal Information Notification Act

Pennsylvania’s Breach of Personal Information Notification Act provides for the security of computerized data and for notification of residents whose personal information data was or may have been disclosed due to a breach of the system’s security. The amendments, effective May 2, 2023, expand the “personal information” category by reducing the notification time, adding reporting requirements for state agencies and state contacts, imposing a new encryption policy for state-related entities, and providing definitions for key terms.

What is Personal Information?

The Law defines Personal Information as an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

• Social Security Number
• Driver’s license number or state identification card number
• Financial account number, credit or debit card number in combination with any required security code, access code, or password
• Medical information
• Health insurance information
• Usernames and email addresses in combination with a password or security question and answer to the security question

The term does not include publicly available information that is lawfully made available to the general public from Federal, State, or local government records or widely distributed media. When the protected information is listed with a Commonwealth resident’s first name or first initial and last name, the notification requirement is triggered as defined under the Act.

Who Must Provide Notification?

All entities that maintain, store or manage computerized data that includes personal information must provide notice of any security system breach where personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.

An entity is further defined by the Act as a State agency or political subdivision of the Commonwealth or an individual or a business doing business in the Commonwealth.

What Are the Notification Requirements?

1. Written notice to the last known address for the individual.
2. Telephonic notice, if the individual can be reasonably expected to receive it and the notice is given clearly and conspicuously, describes the incident in general terms and verifies personal information but does not require the individual to provide personal information, and the individual is provided with a telephone number to call or an Internet website to visit for further information or assistance.
3. E-mail notice, if a prior business relationship exists and the person or business has a valid e-mail address for the individual.
4. Electronic notice, if the notice directs the person whose personal information has been materially compromised by the breach to promptly change the person’s password and security question or answer, or to take other appropriate steps to protect the person’s online account to the extent the business has sufficient contact information for the person.
5. Substitute notice includes email, conspicuous posting of the notice on the business’ Internet website, or notification to major statewide media.
6. Substitute notice is allowed if the business demonstrates one of the following:
   a. The cost of providing notice would exceed $100,000.00.
   b. The affected class of subject persons to be notified exceeds 175,000.
   c. The business does not have sufficient contact information.

What is the Timing Requirement of the Notice?

The notice must be made without unreasonable delay. A State agency, county, public school, or municipality must provide notice within seven business days following the determination of the breach of the security of the system.

Determination is defined as “A verification or reasonable certainty that a breach of the security system has occurred.”

Overlapping Compliance

Any covered entity or business associate that is subject to and in compliance with the privacy and security standards established under the Health Insurance Portability and Accountability Act (HICPA) shall be deemed to be in compliance with the provisions of the Act.

A business that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and is consistent with the notice requirements of the Act shall be deemed to be in compliance with the notification requirements of the Act if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

Next Steps

State agencies and their vendors are required to notify individuals whose Personal Information is compromised because of a breach within seven business days of becoming reasonably certain that a breach occurred. Concurrently the State agencies and their vendors must notify the Office of the Attorney General.

Newly added and defined definitions in the Act show that regulators understand the discovery and determination of a breach will not occur simultaneously and often will require professional review.

Businesses should update their incident response plans to comport with the new Act changes and evaluate personal information utilized, shared, and maintained by the entity.

If a company is unsure of its potential liability and requirement to notify or needs assistance with notification compliance, the lawyers in the Corporate department at The Lynch Law Group can assist with compliance.

The Lynch Law Group’s Corporate Practice

Eric A. Thomas, Esq. is a United States Military Veteran who is enthusiastic about efficient business operations. As a member of the Corporate Group, Eric advises business owners on a wide range of corporate and commercial matters, including the design and implementation of effective compliance policies. Please contact Eric at 724-776-8000 or ethomas@lynchlaw-group.com to schedule a time to discuss your business needs.