Keystone State Tweaks its Data Breach Notification Law Again
Monday, July 22, 2024
Pennsylvania data breach notification law amended
Print Mail Download info_icon_img/>i

In what may become an annual tradition, Pennsylvania has amended its breach notification law. The new provisions will take effect on September 26, 2024. As a reminder, Pennsylvania changed its law last year to expand the definition of “personal information” and to create exemptions for HIPAA-regulated entities.

The changes this year are more extensive, bringing the law into closer alignment with other state data breach notification laws. There are several changes to note:

  • Thresholds: If a breach impacts more than 500 Pennsylvania residents, the Attorney General must be notified. Companies must send such notice concurrently with individual notices. If the breach impacts 500 individuals, then notice must be made to credit reporting agencies (the previous threshold was 1,000). 
  • AG Notice Contents: Beginning in September, Pennsylvania will join many other states in requiring companies to include specific content in the notice to the AG. This includes the organization’s name and location, as well as the date of the breach and a summary of the incident. The notice must also include an estimate of the total number of impacted individuals, and number of impacted Pennsylvania residents.
  • Credit Monitoring: If the breach involves social security numbers, bank account numbers, or drivers’ license/state ID numbers, then companies will need to provide 12 months credit monitoring. Additionally, companies will need in these circumstances to give impacted individuals access to a free credit report, if they could not otherwise get free access. 
  • Personal Information: As a reminder, the 2023 amendments added “medical information” to the definition of personal information, that, if breached, would trigger a duty to notify. That definition is now narrowed to be only medical information held by a state agency or its contractor.

Putting It Into Practice: Pennsylvania amended law serves as reminder to review incident response plans. To the extent they list with specificity timing or content requirements, ensure that they address these new developments.

Listen to this post

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.

Current Public Notices

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

Provisional Regulations on Combating Unfair Competition in the Online Sphere: A Step Toward a Healthier Digital Economy
by: China Law Practice
CFPB Proposes Interpretive Rule Characterizing Earned Wage Access Products as Loans
by: A.J. S. Dhaliwal , Mehul N. Madia
The NLRB Must Apply Its Prior Standard for Protected Employee Outbursts and Abusive Speech
by: Amanda E. Beckwith , Keahn N. Morris
New Florida Law Overhauls Consumer Finance Loan Interest Rate Requirements
by: A.J. S. Dhaliwal , Mehul N. Madia
Pennsylvania Amends Data Protection Requirements with Revised Breach Notification Act
by: A.J. S. Dhaliwal , Mehul N. Madia
SCOTUS Punts on EMTALA Preemption Question
by: Arushi Pandya , Amy J. Dilcher
Supreme Court Holds That the Eighth Amendment Does Not Prevent Enforcement of Local Camping Bans, Authorizing a Significant Shift in Local Policies on Homelessness
by: Alexander L. Merritt , Kathryn C. Kafka
Federal Circuit Provides Insight on Induced Infringement Claims in Amarin Pharma Inc. v. Hikma Pharmaceuticals USA Inc.
by: Julian Ellis

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins