Pennsylvania Governor Josh Shapiro recently signed into law an amendment to the state's existing data breach notification statute that will have major implications for organizations who collect, process, or store information relating to Pennsylvania residents. The amendment revises the statute's definition of personal information, expands the existing statutory obligation to provide access to additional credit reporting, requires an offer of credit monitoring for most data breaches, and introduces a requirement to provide notification to the state Attorney General and other entities. The amendment will go into effect on September 26, 2024.
New Definition of "personal information"
Before the amendment, Pennsylvania's data breach notification law defined "personal information" as an individual's first name or first initial and last name in combination with any of the following:
- Social Security number
- Driver's license number or State identification card number
- Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
The amendment expands the definition of "personal information" to include:
- Medical information in the possession of a State agency or state agency contractor
- Health insurance information
- A user's name or e-mail address, in combination with a password or security question and answer that would permit access to an online account
"Medical information" is broadly defined to include any "individually identifiable information contained in the individual's current or historical record of medical history or medical treatment or diagnosis created by a health care professional."
Expanding the definition of data elements that trigger notification enhances Pennsylvania residents' right to know when their medical, health insurance, or online account information is subject to unauthorized access and acquisition. Importantly, a breach involving medical information from a private healthcare system is exempt from the definition of "personal information." Expanding the definition of personal information to include medical information may signal a growing regulatory trend towards protecting health information following the recent HCA Healthcare and Change Healthcare breaches.
New Obligations in Pennsylvania's Data Breach Notification Statute
In addition to modifying the types of data that constitute personal information, the amendment imposes an obligation that requires entities to provide 12-months of complimentary credit monitoring if an entity experiences a data breach that leads to the acquisition of an individual's Social Security number, bank account number, or Driver's license/state ID number. Requiring credit monitoring services if a bank account number or state issued ID is a novel change, as states that require credit monitoring services typically only do so if an individual's Social Security number is affected. This is another change that signals a trend towards greater regulatory protections for individuals impacted by data breaches.
The amendment also offers Pennsylvania residents additional services if their personal information is subject to unauthorized access. Under federal law, all citizens are entitled to one free credit report every 12 months from Equifax, Experian, and TransUnion – the three largest credit reporting companies. Pennsylvania will now allow impacted residents to access one additional credit report, at the breached entity's expense if they are not eligible to receive any more credit reports for the year.
Finally, entities that experience a breach impacting 500 or more Pennsylvania residents will now need to notify the state Attorney General. This notification must include the name and location of the organization, the date of the breach, a summary of the incident, an estimated number of individuals impacted by the breach, and the estimated number of Pennsylvania residents impacted by the breach. The law also requires that notice to the Pennsylvania Attorney General be made concurrently with notice to individuals. Entities must provide notice to affected residents (and soon to the State Attorney General) without unreasonable delay. Lastly, if a breach impacts 500 or more state residents, that entity must notify the consumer reporting agencies. The previous threshold was 1,000.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.