On June 28, 2024 Pennsylvania’s Governor, Josh Shapiro, signed into law SB 824, amending the state’s Breach of Personal Information Notification Act (P.L. 474, No. 94).
This amended law will affect any organization that collects, processes, or stores information about Pennsylvania residents. The key changes are a new definition of personal information, a requirement to offer more access to credit reporting, a mandate to provide credit monitoring for most data breaches, and a requirement to notify the state Attorney General and other entities about data breaches.
Below we include some key changes:
Previously, Pennsylvania law defined "personal information" as an individual's first name or initial and last name, combined with any of the following: Social Security number; driver's license or state identification card number; or financial account number, credit card number, or debit card number together with the security code, access code, or password needed to use it.
Under the amended law, the definition now includes medical information held by a state agency or contractor, health insurance information, or a user’s name or email address combined with a password or security question and answer that allows access to an online account.
Private sector organizations will not be required to notify Pennsylvania residents about breaches involving their medical information unless the data was held by a state agency or its contractor at the time of the breach.
Organizations must now notify the Pennsylvania Attorney General's Office if they report a data breach to more than 500 Pennsylvania residents. This notification must be given at the same time as the notice to individuals and must include specific information. Organizations in the insurance industry are exempt from this requirement.
In the event of a data breach, organizations must provide affected Pennsylvania residents with free access to a credit report and credit monitoring services if certain conditions are met. This includes offering one free independent credit report and 12 months of credit monitoring services at no cost to the individual. Pennsylvania is the first state to require this for breaches involving driver's license numbers and/or bank account numbers.
Previously, Pennsylvania law required entities to notify consumer reporting agencies if they notified 1,000 or more residents about a breach. The amended law lowers this threshold to 500 residents.
The amendments take effect on September 26, 2024, so affected organizations will need to start preparing sooner rather than later for the amended version of Pennsylvania’s Data Breach Notification Law.