Pennsylvania: Bill amending Breach of Personal Information Notification Act entered into force
On September 26, 2024, Senate Bill 824 for an Act amending the Breach of Personal Information Notification Act and providing for credit reporting and monitoring (the Act) entered into force after having been approved by the Governor of Pennsylvania on June 28, 2024.
Amendment of the definition of 'personal information'
The Act amended the definition of 'personal information' by specifying that it includes medical information that is in the possession of a state agency or state agency contractor.
Amendments to the notification of the breach of the security of the system
The Act included a mandatory notice to the Attorney General when a notice of the breach of the security of the system is given to more than 500 affected individuals. The notification must contain the following information:
- the organization's name and location;
- the date of the breach of the security of the system;
- a summary of the breach incident of the security of the system;
- an estimated total number of individuals affected by the breach of the security of the system; and
- an estimated total number of individuals in Pennsylvania affected by the breach of the security of the system.
The Act also included an exclusion for entities subject to Title 40, Chapter 45 of the Pennsylvania Consolidated Statutes (relating to insurance data security).
Amendments to the notification of consumer reporting agencies
The Act lowered, from 1,000 to 500 individuals, the threshold from which the entity must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
New section on credit reporting and monitoring
The Act provided new requirements for entities that provide an aforementioned notification, decide that a breach of the security of the system has occurred, and reasonably believe that an individual's first name and last name or an individual's first initial and last name, as well as Social Security number, bank account number, or driver's license or state ID number, has been accessed.
Furthermore, the Act outlines that the concerned entities must:
- assume all costs and fees in providing the affected individuals, among other things, with:
  - access to one independent credit report from a consumer reporting agency; and
  - access to credit monitoring services for a period of 12 months following notification; and
- inform the affected individual of the availability of no-cost services upon notification in compliance with the Act.
You can read the Act here and view its legislative history here.