Pennsylvania Amends Its Breach Notification Law

Since June 2006, the Pennsylvania Breach of Personal Information Notification Act¹ has required entities, following the discovery of a data breach, to notify Pennsylvania residents if specific types of their personal information were potentially accessed or acquired by an unauthorized person. Now, over 16 years later, the Act will be amended to put it more in line with the breach notification requirements currently imposed in the majority of other states.

Specifically, on November 3, 2022, Pennsylvania Governor Tom Wolf signed Senate Bill 696, which amends the Act in several important ways. These Amendments go into effect May 2, 2023. This article discusses some of the major Amendments to the Act and suggestions for proactively meeting its requirements.

1. Expanded Definition of "Personal Information"

The Act currently defines "personal information" to mean an individual’s first name or first initial and last name in combination with either the individual’s (i) social security number, (ii) driver’s license number or a State identification card number issued in lieu of a driver’s license, or (iii) financial account number, credit or debit card number, in combination with any required access code or password that would permit access to an individual’s financial account. The Amendments will expand this list to include (iv) medical information, (v) health insurance information, or (vi) a username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

2. Defining "Discovery" and "Determination"

The Act currently requires notification following "discovery" of a data breach. But the Amendments will change this and will instead require entities to provide notification following the "determination" of a data breach. The Amendments define "determination" as "a verification or reasonable certainty that a breach of the security of the system has occurred." Whereas "discovery" means "the knowledge of or reasonable suspicion that a breach of the security of the system has occurred." These Amendments make clear that notification is not required where there is mere suspicion of a data breach. Instead, notification will be required where there is "verification or reasonable certainty" of a data breach.

3. Amended Electronic Notification Requirements

The Act currently permits entities to provide e-mail notification if a prior business relationship exists and the entity has a valid e-mail address for the individual. The Amendments will also permit electronic notice if the "notice directs the person whose personal information has been materially compromised by a breach of the security of the system to promptly change the person’s password and security question or answer, as applicable or to take other steps appropriate to protect the person’s online account to the extent the entity has sufficient contact information for the person." The Amendments do not define "electronic notice," but it likely includes e-mail and other means of electronic communication, such as text messaging.

4. Notification Requirements for State Agencies, State Contractors, Counties, Public Schools and Municipalities

The Amendments set forth specific breach notification and other requirements for state agencies. State agencies, counties, public schools, and municipalities will need to provide notification of a breach within seven business days following "determination" of the breach. Notification must also be made concurrently by state agencies to the Pennsylvania Office of the Attorney General. A county, public school or municipality that is the subject of a breach must also notify their district attorney within three business days following "determination" of the breach.

State agencies will need to include language in their contracts with any "state agency contractor"—a person, business, subcontractor or third-party subcontractor that has a contract with a state agency for goods and services that requires access to personal information for the fulfillment of the contract—that ensures compliance with the Act. The contract must also establish a time period for the state agency contractor to notify the state agency if the contractor suffers a data breach. A state agency contractor, after "discovery" of the breach, must notify the state agency affected by the contractor’s breach as soon as reasonably practical but not later than the time specified in the contract.

5. New Requirements for Commonwealth Data

The Amendments set forth specific encryption requirements for entities that maintain, store or manage computerized data on behalf of the Commonwealth. This includes developing and annually reviewing and updating policies to govern the proper encryption and other appropriate security measures and transmission of data by state agencies. In developing these policies, entities are directed to take into account existing federal government and other states’ policies and best practices.

6. HIPAA Exemption

The Act currently recognizes that entities that comply with federal notification requirements are deemed in compliance with the Act. However, the Amendments specify that covered entities and business associates that are subject to and in compliance with the Health Insurance Portability and Accountability Act ("HIPAA") are also deemed in compliance with the Act.

Conclusion

These amendments likely will not significantly impact entities that have incident response plans already in compliance with most other states’ breach notification requirements. That said, before these Amendments go into effect, entities can prepare themselves by:

• Conducting data mapping to determine if they maintain, store or manage computerized data that include personal information of Pennsylvania residents covered under the expanded definition of personal information.
• Reviewing and updating their incident response plan.
• Testing their incident response plan by conducting tabletop exercises to practice their response to a suspected data breach.
• Making sure—as a best practice and defense—that contracts with vendors who manage covered personal information on behalf of another entity (including but not limited to the Commonwealth) contain requirements for securing that information and providing timely breach notification.
• For companies that maintain, store or manage covered personal information on behalf of state agencies or the Commonwealth, reviewing and updating policies for encryption, storage, and other security measures to protect that information.

To learn more about these Amendments, or to learn more about incident response planning and tabletop exercises, contact our Cybersecurity and Data Privacy Team.