Pennsylvania: Bill amending Breach of Personal Information Notification Act laid on the table before House
On June 11, 2024, Senate Bill 824 for an Act amending the Breach of Personal Information Notification Act and providing for credit reporting and monitoring was laid on the table before the House of Representatives after passing its first consideration in the House on the same date. On October 4, 2023, the bill passed its final consideration in the Senate.
Amendment of the definition of personal information
The bill amends the definition of 'personal information' as follows:
- an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
  - Social Security number;
  - driver's license number or a state identification card number issued in lieu of a driver's license;
  - financial account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  - medical information in the possession of a state agency or state agency contractor;
  - health insurance information; and
- a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
- the term does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
Amendments to the notification of the breach of the security of the system
The bill includes a mandatory notice to the Attorney General when a notice of the breach of the security of the system is given to more than 500 affected individuals. The notification must contain the following information:
- the organization's name and location;
- the date of the breach of the security of the system;
- a summary of the breach incident of the security of the system;
- an estimated total number of individuals affected by the breach of the security of the system; and
- an estimated total number of individuals in Pennsylvania affected by the breach of the security of the system.
The bill also includes an exclusion for entities subject to Title 40, Chapter 45 of the Pennsylvania Consolidated Statutes (relating to insurance data security).
Amendments to the notification of consumer reporting agencies
The bill lowers, from 1,000 to 500 individuals, the threshold at which the entity must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
New section on credit reporting and monitoring
The bill provides new requirements for entities that provide an aforementioned notification, decide that a breach of the security of the system has occurred, and reasonably believe that an individual's first name and last name or an individual's first initial and last name, as well as Social Security number, bank account number, or driver's license or state ID number, has been accessed.
Furthermore, the bill outlines that the concerned entities must:
- assume all costs and fees in providing the affected individuals, among other things, with:
  - access to one independent credit report from a consumer reporting agency; and
  - access to credit monitoring services for a period of 12 months following notification; and
- inform the affected individual of the availability of no-cost services upon notification in compliance with the bill.
The bill is set to enter into effect 90 days after its enactment.
You can read the bill here and track its progress here.
Update: June 25, 2024
Bill passes second consideration in House
On June 24, 2024, the bill passed second consideration in the House.
You can read the bill here and track its progress here.
Update: June 26, 2024
Bill passes third consideration in House
On June 25, 2024, the bill passed third consideration and final passage in the House.
You can read the bill here and track its progress here.
Update: August 12, 2024
Bill approved by Governor
On June 28, 2024, the bill was approved by the Governor of Pennsylvania. The Act is set to enter into effect 90 days after its enactment.
You can read the Act here and view its legislative history here.
Update: September 27, 2024
Act entered into effect
On September 26, 2024, the Act entered into effect.
You can read the Act here and view its legislative history here.