
Pennsylvania: Governor approves Bill amending Breach of Personal Information Notification Act

On June 28, 2024, Senate Bill 824 for an Act amending the Breach of Personal Information Notification Act and providing for credit reporting and monitoring was approved by the Governor of Pennsylvania.

Amendment of the definition of personal information

The Act amends the definition of 'personal information' as follows:

  • an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
    • Social Security number;
    • driver's license number or a state identification card number issued in lieu of a driver's license;
    • financial account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
    • medical information in the possession of a state agency or state agency contractor;
    • health insurance information; and
    • a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
  • the term does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

Amendments to the notification of the breach of the security of the system

The Act includes a mandatory notice to the Attorney General when a notice of the breach of the security of the system is given to more than 500 affected individuals. The notification must contain the following information:

  • the organization's name and location;
  • the date of the breach of the security of the system;
  • a summary of the breach incident of the security of the system;
  • an estimated total number of individuals affected by the breach of the security of the system; and
  • an estimated total number of individuals in Pennsylvania affected by the breach of the security of the system.

The Act also includes an exclusion for entities subject to Title 40, Chapter 45 of the Pennsylvania Consolidated Statutes (relating to insurance data security).

Amendments to the notification of consumer reporting agencies

The Act lowers the threshold at which an entity must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, from 1,000 to 500 affected individuals.

New section on credit reporting and monitoring

The Act introduces new requirements for entities that provide a notification as described above, having determined that a breach of the security of the system has occurred, and that reasonably believe that an individual's first name and last name, or first initial and last name, together with a Social Security number, bank account number, or driver's license or state ID number, has been accessed.

Furthermore, the Act outlines that the concerned entities must:

  • assume all costs and fees in providing the affected individuals, among other things, with:
    • access to one independent credit report from a consumer reporting agency; and
    • access to credit monitoring services for a period of 12 months following notification; and
  • inform the affected individual of the availability of no-cost services upon notification in compliance with the Act.

Entry into force

The Act is set to enter into effect 90 days after its enactment.

You can read the Act here and view its legislative history here.