As we wrote in November, Pennsylvania amended its data breach notification laws last year, and those changes go into effect tomorrow (May 2, 2023). Beginning tomorrow, if a breach of username/email accounts and their respective passwords occurs, companies can provide electronic notification to the impacted individual. That notice will need to tell individuals to change their passwords or take other proactive measures. The law also amends the definition of personal information. It will now include, as of tomorrow, medical and health insurance information.

Putting it Into Practice: These changes are a reminder that states are continuing to update their breach notification laws, and serve as a reminder for companies to regularly review their incident response programs.

Kathryn Smith also contributed to this article.