Keystone State Tweaks its Data Breach Notification Law Again
Monday, July 22, 2024

In what may become an annual tradition, Pennsylvania has amended its breach notification law. The new provisions will take effect on September 26, 2024. As a reminder, Pennsylvania changed its law last year to expand the definition of “personal information” and to create exemptions for HIPAA-regulated entities.

The changes this year are more extensive, bringing the law into closer alignment with other state data breach notification laws. There are several changes to note:

  • Thresholds: If a breach impacts more than 500 Pennsylvania residents, the Attorney General must be notified. Companies must send such notice concurrently with individual notices. If the breach impacts 500 individuals, then notice must be made to credit reporting agencies (the previous threshold was 1,000). 
  • AG Notice Contents: Beginning in September, Pennsylvania will join many other states in requiring companies to include specific content in the notice to the AG. This includes the organization’s name and location, as well as the date of the breach and a summary of the incident. The notice must also include an estimate of the total number of impacted individuals and the number of impacted Pennsylvania residents.
  • Credit Monitoring: If the breach involves social security numbers, bank account numbers, or drivers’ license/state ID numbers, then companies will need to provide 12 months of credit monitoring. Additionally, in these circumstances companies will need to give impacted individuals access to a free credit report, if they could not otherwise get free access.
  • Personal Information: As a reminder, the 2023 amendments added “medical information” to the definition of personal information that, if breached, would trigger a duty to notify. That definition is now narrowed to be only medical information held by a state agency or its contractor.

Putting It Into Practice: Pennsylvania's amended law serves as a reminder to review incident response plans. To the extent they list timing or content requirements with specificity, ensure that they address these new developments.
