The Breach of Personal Information Notification Act (the “Act”) was created to require entities that store and maintain “personal information” to provide certain notification following the discovery of any sort of data breach to any resident of the Commonwealth. An entity is defined as “a State agency, a political subdivision of the Commonwealth or an individual or a business doing business in this Commonwealth.” 73 P.S. § 2302.
On November 3, 2022, the Governor signed PA Senate Bill 696, also known as Act 151 of 2022 (“Act 151”) which made sweeping amendments in response to issues brought to light by the COVID-19 pandemic, such as the failure to address certain subsets of personal information. The Act was therefore amended to include the following under “personal information”:
“Medical information,” which is defined as “[a]ny individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment or diagnosis created by a healthcare professional”;
“Health insurance information,” which is defined as “[a]n individual’s health insurance policy number or subscriber number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits”; and
“Username or e-mail address, in combination with a password or security question that would permit access to an online account.”
Act 151 also expands the requirements for entities to report such breaches. An entity that maintains, stores, or manages computerized data of personal information must notify individuals about a breach without unreasonable delay; however, if a state agency, county, municipality, or public school (“local agencies”) suffers a breach they must send notice of the breach within seven business days following determination of the breach, and they must also concurrently notify the Office of the Attorney General. It is important to note that Act 151 requires these local agencies to act only upon an official determination, which is newly defined as “a verification or reasonable certainty that a breach of the security of the system has occurred.” A contractor of any local agency must notify the agency upon any discovery of a breach.
One of the biggest challenges for local agencies will be complying with Section 4 of the Act by requiring all entities that maintain, store, or manage computerized data to utilize encryption to protect personal data. This may require a systems upgrade or software purchases for smaller local agencies. And agencies should carefully vet vendors to ensure they are familiar with these requirements and able to meet them.