As data breaches continue to rise and evolve, organizations must make it a priority within their cyber preparedness efforts to monitor changes to individual state notification laws around the country. While many state data breach notification statutes contain similar components, there are important differences that rule out a one-size-fits-all approach. Additionally, states are responding with increasingly frequent and divergent changes to their statutes, adding to compliance challenges.
Indiana and Pennsylvania recently passed legislation amending their data breach notification laws, which are currently in effect in Indiana and are scheduled to take effect on September 26, 2024, in Pennsylvania. A high-level summary of these amendments is below.
1. Indiana: As of July 1, 2024, the list of personal information subject to breach notification requirements under Indiana law now includes age verification information collected by adult-oriented website operators or their designees.
2. Pennsylvania: Beginning September 26, 2024, the following key changes will take effect:
   • The definition of "personal information" will only apply to medical information in the possession of a State agency or State agency contractor. (Previously, the law defined "personal information" to include medical information, without any qualifiers.)
   • Entities that are required to notify more than 500 affected Pennsylvania residents of a breach must notify the Pennsylvania Office of the Attorney General at the same time. (Entities covered by Pennsylvania's insurance data security law are exempt from complying with this requirement.)
   • Entities that are required to notify more than 500 individuals of a breach at one time must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. (Previously, the threshold number of affected individuals necessary to trigger this requirement was 1,000.)
   • If an entity must notify more than 500 individuals at one time, it must assume all costs and fees of providing affected individuals with access to: (1) one independent credit report from a consumer reporting agency for individuals not eligible to obtain a free independent credit report from a consumer reporting agency under 15 U.S.C. § 1681; and (2) credit monitoring services for 12 months after notification of the breach.
   • An entity must provide the above access if it determines that a breach has occurred and it reasonably believes that an individual's first name and last name or first initial and last name, in combination with any of the following information, has been accessed: (1) Social Security number; (2) bank account number; or (3) driver's license or state ID number.
Companies that suffer a breach affecting Indiana or Pennsylvania residents will want to keep these changes in mind: the Indiana amendments went into effect earlier this month, while the updates to Pennsylvania's law will take effect mere weeks from now.