Pennsylvania
State Data Breach Notification Statute
Highlights
Covered Entities: A state agency, political subdivision of Pennsylvania, or an individual or business doing business in Pennsylvania.
Consumer Notification: Notification must be provided to any Pennsylvania resident whose “unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired” without authorization.
Regulatory Notification: Notification must be provided to the Pennsylvania Attorney General if a breach involves personal information for more than 500 Pennsylvania residents.
Notification Timeline: Notification must be provided “without unreasonable delay” after determination of a breach.
Data Format: Electronic.
Citations: 73 P.S. §§ 2301–23
More Details
Definitions:
- Breach: Unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information, and that causes or the entity reasonably believes has caused or will cause loss or injury to a Pennsylvania resident.
- Personal information (PI):
  - An individual’s first name / first initial and last name in combination with one or more of the following data elements:
    - Social Security number;
    - Driver’s license or state identification number;
    - Financial account or payment card number, plus any security code, access code, or password that would permit access to a financial account;
    - Medical information in the possession of a state agency or state agency contractor;
    - Health insurance information; or
    - Username or e-mail address plus a password or security question and answer that would permit access to an online account.
- Medical Information: Any individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment or diagnosis, in the possession of a state agency or state agency contractor.
- Health Insurance Information: An individual’s health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits.
Safe Harbors:
- Encryption: Notification is not required where the potentially impacted PI is encrypted, so long as the PI is not accessed and acquired in unencrypted form or the “breach” is linked to a breach of the security of the encryption or access to the encryption key.
- Good Faith: Notification may not be required if the unauthorized access and acquisition does not cause, and the entity does not reasonably believe will cause, loss or injury to any resident.
- Risk of Harm: Notification may not be required where the unauthorized access and acquisition does not cause, and is not reasonably believed has caused or will cause loss or injury to any Pennsylvania resident.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines and advises the entity, in writing and with specific reference to 73 P.S. § 2304, that the notification will impede a criminal or civil investigation.
Direct Notice:
- Timing: Notification must be provided “without unreasonable delay,” subject to measures necessary to determine the scope of the “breach” and restore the reasonable integrity of the system.
- Format: N/A
- Content:
  - Telephone notice must be given in a clear and conspicuous manner, and include (1) a general incident description, (2) the types of PI impacted, and (3) a webpage or phone number that the individual can contact for more information.
  - Electronic notice must direct the individual to promptly change their password and security question/answer, and provide other steps appropriate to protect the online account.
- Method: Notification may be provided by any of the following: (1) written notice to the last known home address; (2) telephone, subject to the requirements above; (3) e-mail notice if a prior relationship exists; (4) electronic notice, subject to the requirements above; or (5) substitute notice.
Substitute Notice:
An entity may provide substitute notice if (1) the cost of direct notice would exceed $100,000; (2) the notification population exceeds 175,000; or (3) the entity does not have sufficient contact information. It must include (1) e-mail notice, where an e-mail address is available; (2) conspicuous posting on the entity’s website; and (3) notice to major statewide media.
Remediation Services:
The entity must offer 12 months of remediation services, including access to one credit report and access to credit monitoring services, if a breach impacts Social Security numbers, bank account numbers, driver’s license numbers, or state identification card numbers.
Regulatory Notice:
The entity must concurrently notify the Attorney General when notice of the breach of security must be given to more than 500 Pennsylvania residents. The notification must include:
- The organization name and location.
- The date of the breach of the security of the system.
- A summary of the breach incident of the security of the system.
- An estimated total number of individuals affected by the breach of the security of the system.
- An estimated total number of individuals in this Commonwealth affected by the breach of the security of the system.
An entity subject to the requirements of 40 Pa.C.S. Ch. 45 (relating to insurance data security) may be exempt from the requirement to notify the Attorney General.
Credit Reporting Agencies Notice:
Notification must be provided to all nationwide consumer reporting agencies if the notification population exceeds 1,000 Pennsylvania residents.
Third-Party Notice:
A vendor that maintains, stores or manages computerized data on behalf of another entity must notify the entity of a “breach” following discovery.
HIPAA:
Any covered entity or business associate subject to and in compliance with the privacy and security standards for the protection of electronic personal health information established under the Health Insurance Portability and Accountability Act will be deemed to be in compliance with the act.
Private Action:
N/A
Associated Regulations:
N/A