Understanding Pennsylvania's Updated Data Breach Notification Law
Earlier this year, Governor Josh Shapiro signed amendments to Pennsylvania’s Breach of Personal Information Notification Act (BPINA). These changes, effective from September 26, include the launch of an online portal through which companies report data breaches affecting more than 500 Pennsylvania residents. Companies must notify Attorney General (AG) Michelle Henry without "unreasonable delay," aligning Pennsylvania with 35 other states that have similar requirements.
What the Amendments Mean for Businesses
The AG’s website offers guidance on submitting information about breaches and details about BPINA for entities and residents. The amendments extend protections to previously unprotected information types. Previously, a notification was required when breaches involved a person's name alongside a Social Security number, financial account number, or driver’s license/state ID number. Now, protections expand to include breaches involving medical information, health insurance details, or online account access credentials. However, notification is only necessary if the entity believes unauthorized access will cause loss or injury to a resident.
Credit Monitoring Requirements
Additionally, Pennsylvania joins five other states in requiring companies to provide 12 months of credit monitoring to affected individuals when sensitive information such as Social Security numbers or bank account numbers is compromised.
Why These Changes Are Important
Before these amendments, Pennsylvania was one of 15 states not requiring notification to the state regulator after a data breach. With these new protections and reporting requirements, businesses handling personal data of Pennsylvania residents must update their incident response plans. Non-compliance could lead to violations under BPINA, subjecting companies to penalties under the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Navigating Complex Compliance Challenges
The BPINA amendments contribute to the complex landscape of breach notification laws across the U.S., which vary based on the individual's state of residence. Although these changes aim to synchronize Pennsylvania with other states, they underscore the diverse compliance requirements companies face, especially those operating in multiple regions. Engaging experienced legal counsel after a security incident is advisable to navigate these intricate obligations effectively.