Keystone State Tweaks Its Data Breach Notification Law Again

Sheppard Mullin Richter & Hampton


Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
In what may become an annual tradition, Pennsylvania has amended its breach notification law. The new provisions will take effect on September 26, 2024. As a reminder, Pennsylvania changed its law last year to expand the definition of "personal information" and to create exemptions for HIPAA-regulated entities.

The changes this year are more extensive, bringing the law into closer alignment with other state data breach notification laws. There are several changes to note:

  • Thresholds: If a breach impacts more than 500 Pennsylvania residents, the Attorney General must be notified, and that notice must be sent concurrently with the individual notices. If the breach impacts 500 individuals, notice must also be made to the credit reporting agencies (the previous threshold was 1,000).
  • AG Notice Contents: Beginning in September, Pennsylvania will join many other states in requiring companies to include specific content in the notice to the AG. This includes the organization's name and location, as well as the date of the breach and a summary of the incident. The notice must also include an estimate of the total number of impacted individuals, and number of impacted Pennsylvania residents.
  • Credit Monitoring: If the breach involves Social Security numbers, bank account numbers, or driver's license/state ID numbers, companies will need to provide 12 months of credit monitoring. In these circumstances, companies will additionally need to give impacted individuals access to a free credit report if they could not otherwise obtain one free of charge.
  • Personal Information: As a reminder, the 2023 amendments added "medical information" to the definition of personal information which, if breached, triggers a duty to notify. That definition is now narrowed to cover only medical information held by a state agency or its contractor.

Putting It Into Practice: Pennsylvania's amended law serves as a reminder to review incident response plans. To the extent they list timing or content requirements with specificity, ensure that they address these new developments.
