Recent amendments to Pennsylvania's data breach law, the Breach of Personal Information Notification Act, will take effect May 3.
Originally enacted in 2006, the law provides for the security of computerized data and requires notification to Pennsylvania residents whose personal information data was, or may have been, disclosed due to a breach of the security of an entity's system. In amending the law, the state legislature took steps similar to other states' data breach notification statutes and expanded the definition of personal information.
Forthcoming Changes
The expanded definition that will take effect May 3 includes medical and health information, and a user name or email address in combination with a password or security questions and answers that would permit access to an online account. These are in addition to the categories of personal information that all states regulate – for example, name in combination with a Social Security Number, driver license number or state identification card number, or financial account or debit/credit card number in combination with an access code, password, or security code that would allow access to the account.
The law currently requires notification once the entity has discovered a security breach. As amended, the law will require notification once the entity has determined that a breach occurred. The new standard will be more entity-friendly than the prior standard because it takes into account an entity's need to investigate whether a breach has occurred before it is obligated to provide notice. A discovery occurs when the entity has "the knowledge of or reasonable suspicion" that a breach has occurred. A determination occurs when the entity has "a verification or reasonable certainty" that a breach has occurred.
A breach of the security of the system is defined as "unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals."
The law currently applies to state agencies, but the amendments will expand the law to cover state agency contractors, as well. The amended law includes specific timelines and requirements for notification by state agencies, state agency contractors, public schools, counties, and municipalities when a determination of breach has been made.
For example, state agencies and their contractors will have seven business days to notify individuals after the breach determination, and they must also notify the Office of the Attorney General by the same deadline. Counties, public schools, and municipalities will have seven days to notify individuals and three days to notify the district attorney's office in the county in which the breach occurred. Other governmental entities are not required to notify the attorney general's office.
The amendments include provisions that require state agencies and state agency contractors to protect the personal information of the commonwealth that they maintain, store, or manage. These protective measures include encryption or other appropriate security measures to protect the information from unauthorized access or acquisition, either when being transmitted or when at rest.
The amendments also require the development of policies and procedures to protect such data. With regard to storing personal information on behalf of the commonwealth, the amended law requires state agencies and their contractors to "develop a policy to govern reasonably proper storage of the personal information" with the goal of reducing the risk of future breaches of the security of the systems. The amendments even dictate the considerations that state agencies and their contractors must take into account when developing those policies and procedures, including best practices considered by the federal government and the commonwealth.
Entities will be allowed to provide email notice to the affected individuals when the breach involves a user name or email address in combination with a password, or a security question and answer that would permit access to an online account. Email notice will be permitted under these circumstances if the email directs the individual to promptly change his or her password and security question or answer, or to take other appropriate steps to protect the online account with the entity or other online accounts involving the same personal information.
In Compliance
Entities will be deemed to comply with Pennsylvania law if they are in compliance with the privacy rule of the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act.
State agencies and their contractors will be deemed to comply with the Pennsylvania law if they are in compliance with the notification requirements established by their primary state or functional federal regulators.
In sum, the amendments will bring Pennsylvania's data breach notification scheme into line with other states that are seeking to hold entities responsible for the protection of consumer personal information and personal health information. It will hold state agencies and their contractors to stricter notification requirements and a higher degree of responsibility when maintaining, storing, and managing personal information.
Lauren Godfrey is an attorney with Constangy, Brooks, Smith & Prophete in Philadelphia. © 2023. All rights reserved. Reprinted with permission.