On May 2, 2023, Pennsylvania’s expanded Breach of Personal Information Notification Act (SB 696, Act of November 3, 2022, PL 2139, No. 151) goes into effect. If your Pennsylvania organization maintains a database of personal information about customers or constituents, you may now be required to report and communicate compromised data or cyber-attacks in an expeditious manner, even if you were not previously required to do so. How can your company prepare for this new law?
Expanded definition of personal information
First things first – what is personal information? Personal information means an individual’s first name or first initial and last name in combination with one or more of the following data elements, when the data element is unencrypted or unredacted:
● Social Security number;
● Driver’s license or State ID card number; or
● Financial account number or credit/debit card number, together with any security code, access code, or password that would permit access to the account.
Within the context of this law, personal information excludes “publicly available information that is lawfully made available to the general public from Federal, State or local government records or widely distributed media.” The expanded definition of personal information in Pennsylvania now also includes:
● Medical information (history of medical treatment, conditions, diagnoses);
● Health insurance information; and
● Login credentials to an online account (a username or email address, in combination with a password or a security question and answer that would permit access to the account).
This type of information is held by many organizations that would not have thought of themselves as handling sensitive data, such as those that offer online content access or childcare providers that keep emergency contact and medical information on file.
Does the PA Breach of Information Notification Act apply to you?
Individuals, organizations, and agencies that meet the definition of “covered entity,” and the “business associates” that help covered entities carry out healthcare activities and functions, are already subject to HIPAA. The expanded law expressly treats these organizations as in compliance with it when they comply with HIPAA’s notification requirements.
State agencies, counties, municipalities, and public schools that maintain the information noted above are now also required to give notice of a data breach, as are the vendors that manage personal information on their behalf. Notably, a vendor that maintains, stores, or manages computerized data on behalf of another entity must notify that entity of any security breach. The entity itself remains responsible for discharging all other notification obligations under the act.
What actions and notifications are required?
In addition to properly storing and encrypting data, organizations must take the following steps to notify affected individuals, consumer reporting agencies, and certain state offices of a breach, according to these timelines:
Notification of data breach by all entities covered under the Act
● To the individual, without unreasonable delay, by written or telephonic notice or, in limited circumstances, by email. (Substitute notice is permitted where individual notice would be unduly costly or impractical.)
● To the relevant consumer reporting agencies, as defined in section 603 of the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a), when more than 1,000 persons must be notified at one time; this notice is given without unreasonable delay and states the timing, distribution, and number of the individual notices.
Notification of data breach by State agency or State agency contractor
● To the Office of Attorney General within seven (7) business days; and
● If the agency is under the Governor’s jurisdiction, to the Governor’s Office of Administration within three (3) business days.
Notification by county, public school, or municipality
● To the district attorney in the county where the breach occurred within three (3) business days.
How can you prepare to abide by the expanded Act?
A violation of this act is treated as a violation of the Unfair Trade Practices and Consumer Protection Law, and the Office of Attorney General has exclusive authority to bring an action for it. To avoid that exposure, organizations should review the updated act now.
While cyber-attacks and security breaches cannot always be prevented, having plans in place to prevent and respond to them is critical both to meeting the expanded law’s deadlines and to limiting your legal exposure should a violation occur.
Prepare your organization to comply with the expanded PA Breach of Personal Information Notification Act when you:
● Conduct an audit – use internal or external support to identify security gaps, so that attacks and breaches can be prevented where possible and detected quickly where not
● Review and update your policies – establish who is responsible for what in the event of a data breach, and make sure each individual knows their role and the notification deadlines that apply to them
● Practice – run a data breach drill so each person can rehearse their responsibilities; prepare communication templates in advance for those affected by a breach, for consumer reporting agencies, and for the appropriate state and federal offices
● Consult with legal counsel – if you are unsure of your legal obligations, connect with internal or external attorneys to clarify questions and responsibilities