Pennsylvania’s amendments to data breach notification law take effect

The Commonwealth of Pennsylvania has amended its Breach of Personal Information Notification Act. The amendments, available at 2024 Act 33 - PA General Assembly (state.pa.us), took effect last week, on September 26. The key provisions are as follows:

  • If notice of a breach must be given to more than 500 individuals, notice must be made at the same time to the Office of the Attorney General. Notice to the Attorney General must include the following information to the extent known by the notifying entity:
    • the organization name and location;
    • the date of the breach of the security of the system;
    • a summary of the breach incident of the security of the system;
    • an estimated total number of individuals affected by the breach; and
    • an estimated number of Pennsylvania residents affected by the breach.

Entities subject to 40 Pa.C.S. Ch. 45 (relating to insurance data security) are exempt from the Attorney General notice requirements.

  • If the breach affected 500 or more individuals, the entity must report to the nationwide credit reporting agencies. The threshold for reporting to these agencies was previously 1,000 or more individuals.
  • If the breach involves an individual’s Social Security number, bank account number, or driver’s license or state ID number, the entity must provide no-cost credit monitoring services for a period of 12 months, and access to one independent credit report from a consumer reporting agency if the individual is unable to obtain one free of charge.
  • “Medical information” under the statute’s definition of “Personal Information” has been changed to “medical information in the possession of a State agency or State agency contractor.”

These amendments bring the Pennsylvania statute into line with other state data breach statutes. However, Pennsylvania’s inclusion of driver’s license, state identification number, and bank account numbers as elements of personal information that require credit monitoring is unique.

Along with the amendments to the statute, the Office of the Attorney General has established a new online reporting portal.

Businesses and governmental entities covered by the Pennsylvania legislation should continue to review and update incident response plans to reflect these and other legislative changes. Staying informed of current cybersecurity threats, identifying and addressing vulnerabilities, and confirming the adequacy of administrative, technical, and physical controls continue to be essential.

The Constangy Cybersecurity & Data Privacy Team helps businesses of all sizes and industries develop a comprehensive incident response plan and provides support with a breach. The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

  • Lauren Godfrey
    Partner

    Lauren guides clients through data security incidents, leading initial assessments and coordinating forensic and remediation efforts to contain, investigate, and resolve issues. She helps clients develop privacy, incident ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
