
Pennsylvania’s Updated Breach Notification Law Requires Credit Monitoring Services for Breach Victims

Pennsylvania has updated its data breach notification law, narrowing the definition of personal information, adding the requirement to notify the state Attorney General, and requiring credit monitoring services to be provided to data breach victims in certain circumstances. The Breach of Personal Information Notification Act was amended by Senate Bill 824 and was signed into law by state Governor Josh Shapiro on June 28, 2024. The amended law takes effect on September 26, 2024.

The law requires organizations that maintain computerized data that includes personal information to issue notifications to the affected individuals in the event of a breach of their unencrypted and unredacted personal information, or if personal information is reasonably believed to have been accessed or obtained by an unauthorized individual. Notifications must be sent without unreasonable delay, but there is no fixed time frame for issuing those notifications unless the breach occurs at a Pennsylvania state agency or state agency contractor, in which case the notifications must be issued within 7 days of the determination of a data breach.

Personal information is defined as an individual’s name combined with any of the following: Social Security number, driver’s license number, state identification card number, financial account/credit card/debit card number along with information that would allow the account to be accessed, medical information, health insurance information, or a username/email address and password combination that would allow the online account to be accessed. The amendment changes the term “medical information” to “medical information in the possession of a state agency or state agency contractor.”

In addition to issuing individual notifications, entities are now required to notify the Pennsylvania Attorney General at the same time that individual notifications are sent if the breach requires notification to more than 500 individuals in the Commonwealth, with exemptions for certain insurance companies. The Attorney General should be informed about the date of the breach, the known or estimated number of affected individuals, the known or estimated number of affected Pennsylvania residents, and a summary of the breach incident.


Previously, entities that suffered a breach subject to the Breach of Personal Information Notification Act were required to notify consumer reporting agencies about the breach if it affected more than 1,000 individuals. The threshold for notification has now been reduced to 500 individuals. The most important change for Pennsylvania residents is the legal requirement for a breached entity to provide credit monitoring services for 12 months, under certain circumstances.

Credit monitoring services must be provided if a consumer reporting agency is required to be notified by law and if the breach involved an individual’s Social Security number, bank account number, driver’s license number, or state identification number. The services must include access to an independent credit report from a consumer reporting agency if the individual is not eligible to obtain a free credit report and access to credit monitoring services for 12 months from the date of notification. If the individual is eligible to receive those services free of charge for 12 months, it is an acceptable alternative to advise them of the availability of those free services.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
