The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
State Data Breach Notification Statue
Covered Entities: A state agency, political subdivision of Pennsylvania, or an individual or business doing business in Pennsylvania.
Consumer Notification: Notification must be provided to any Pennsylvania resident whose “unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired” without authorization.
Regulatory Notification: May be required for state agencies and political subdivisions.
Notification Timeline: Notification must be provided “without unreasonable delay” after determination of a breach.
Data Format: Electronic.
Citations: 73 P.S. §§ 2301–23
- Breach: Unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information, and that causes or the entity reasonably believes has caused or will cause loss or injury to a Pennsylvania resident.
- Personal information (PI): An individual’s first name / first initial and last name in combination with one or more of the following data elements:
- Social Security number;
- Driver’s license or state identification number;
- Financial account or payment card number, plus any security code, access code, or password that would permit access to a financial account;
- Medical information;
- Health insurance information; or
- Username or e-mail address plus a password or security question and answer that would permit access to an online account.
- Medical Information: Any individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment or diagnosis.
- Health Insurance Information: An individual’s health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits.
- Encryption: Notification is not required where the potentially impacted PI is encrypted, so long as the PI is not accessed and acquired in unencrypted form or the “breach” is linked to a breach of the security of the encryption or access to the encryption key.
- Good Faith: Notification is not required where the potentially impacted PI is acquired in good faith by an employee or agent for the purposes of the entity if the PI is not used other than for a lawful purpose of the entity and is not subject to further disclosure.
- Risk of Harm: Notification is not required where the unauthorized access and acquisition does not cause, and is not reasonably believed has caused or will cause loss or injury to any Pennsylvania resident.
- Law Enforcement Delay: Notification may be delayed if a law agency determines and advises the entity, in writing and with specific reference to this law, that the notification will impede a criminal or civil investigation.
- Timing: Notification must be provided “without unreasonable delay,” subject to measures necessary to determine the scope of the “breach” and restore the reasonable integrity of the system.
- Format: N/A
- Telephone notice must include:
- A general description of the breach incident;
- Types of PI that were impacted; and
- A webpage or phone number the individual can contact for additional information
- Electronic notice must include:
- Notice directing the individual to promptly change their password and security question or answer; or
- Other steps appropriate to protect the online account
- Telephone notice must include:
- Method: Notification may be provided by any of the following: (1) written notice to the last known home address; (2) telephone, if reasonably expected to be received and clear and conspicuous; (3) e-mail notice based on a prior relationship; (4) electronic notice; or (4) substitute notice.
An entity may provide substitute notice if (1) the cost of direct notice would exceed $100,000; (2) the notification population exceeds 175,000; or (3) the entity does not have sufficient contact information. It must include (1) e-mail notice, where an e-mail address is available; (2) conspicuous posting on the entity’s website; and (3) notice to major statewide media.
May be required for state agencies and political subdivisions.
Credit Reporting Agencies Notice:
Notification must be provided to all nationwide consumer reporting agencies if the notification population exceeds 1,000 Pennsylvania residents.
A vendor that maintains, stores or manages computerized data on behalf of another entity must notify the entity of a “breach” following discovery.
Any covered entity or business associate subject to and in compliance with the privacy and security standards for the protection of electronic personal health information established under the Health Insurance Portability and Accountability Act will be deemed to have complied with relevant provisions.