State Regulatory Developments

Amended PA Breach of Personal Information Notification Act Effective

Pennsylvania’s amendment to its Breach of Personal Information Notification Act recently became effective.

The amendment notably requires entities to give notice of a security breach to the state attorney general when the entity is required to give notice of such a breach to more than 500 affected individuals.  To the extent known by the entity, the notice to the attorney general must include the entity name and location, date of the breach, a summary of the breach incident, and an estimated total number of affected individuals and Pennsylvania residents.

The amendment also lowers the threshold that triggers notification to consumer reporting agencies (CRAs) from 1,000 persons to 500 persons.  In addition, entities that are required to notify CRAs are required to assume all costs and fees in providing the affected individuals with (1) access to one independent credit report from a CRA (if the individual is not eligible to obtain one for free under 15 U.S.C. § 1681) and (2) access to credit monitoring services for a period of 12 months following notification.  An entity is also required to provide these free services for certain breaches regardless of the number of affected individuals.