Revised Breach Notification Law in Pennsylvania

Pennsylvania has revised its data breach notification law, narrowing the definition of personal information, adding a requirement to notify the state Attorney General, and requiring breached entities to provide credit monitoring services to breach victims under specific conditions. Senate Bill 824 amended the Breach of Personal Information Notification Act, and Governor Josh Shapiro signed the bill on June 28, 2024. The revised law takes effect on September 26, 2024.

The law requires entities that maintain computerized data that includes personal information to notify affected individuals when their unencrypted and unredacted personal information is exposed, or when personal information is reasonably believed to have been accessed or acquired by an unauthorized person. Notifications must be sent without unreasonable delay; there is no fixed deadline, except when the breach occurs at a Pennsylvania state agency or a state agency contractor, in which case notifications must be sent within 7 days of discovering the breach.

Personal information is defined as a person’s name combined with any of the following: state ID card number, driver’s license number, Social Security number, financial account, debit card, or credit card number together with data that would permit account access, health data, medical insurance data, or an email address or username and password combination that would allow online account access. The revision limits the term “medical information” to medical data held by a state agency or a state agency contractor.

In addition to notifying individuals, entities must now also inform the Pennsylvania Attorney General that individual notifications are being sent when the breach requires notification of more than 500 people in the Commonwealth, with exceptions for certain insurance providers. The Attorney General must be told the date of the breach, the known or estimated number of affected individuals, the known or estimated number of affected Pennsylvania residents, and a summary of how the breach occurred.

Organizations that experienced a breach governed by the Breach of Personal Information Notification Act were previously required to notify consumer reporting agencies when the breach affected more than 1,000 people. That threshold is now lowered to 500 people. The most significant change for Pennsylvania residents is the legal requirement for a breached entity to provide credit monitoring services for one year under specific conditions.

Credit monitoring services must be offered when a consumer reporting agency is required by law to be notified and the breach involves a person’s Social Security number, bank account number, state ID number, or driver’s license number. The services must include access to a credit report from a consumer reporting agency, if the person is not otherwise entitled to a free credit report, and access to credit monitoring services for one year from the date the notification is sent. If the person is already entitled to those services at no cost for one year, notifying them of the availability of those complimentary services is an acceptable alternative.

About Christine Garcia
Christine Garcia is a staff writer at Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA