State Regulatory Developments

PA Amends Data Breach Notification Law

Pennsylvania recently enacted a law amending the state's existing data breach notification statute to expand and clarify its requirements.

Pennsylvania enacted its original Breach of Personal Information Notification Act in 2005.  The statute requires entities that maintain computerized personal information to notify Pennsylvania residents when their personal information is disclosed or taken as a result of a breach of the security of the system.

The new law makes a number of changes, including:

  • Expanding the types of personal information covered by the statute to include a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account, as well as health insurance information and medical information;
  • Allowing the required notice to be provided electronically, if the notice directs the person whose personal information has been compromised to promptly change their password or security question and answer, or take other steps to protect the person’s online account;
  • Stating that the notification requirement is triggered when an entity has verified, or has a reasonable certainty, that a breach of the security of the system has occurred;
  • Adding provisions that apply when the breached system belongs to a state or local government agency, and requiring entities that maintain data on behalf of the Commonwealth to encrypt that data when it is transmitted over the internet and to adopt data storage policies that reduce the risk of a breach; and
  • Making other technical amendments and clarifications to terms and provisions in the existing statute.

The amendments take effect on May 2, 2023, 180 days after enactment on November 3, 2022.