On June 28, 2024, Pennsylvania enacted amendments to its Breach of Personal Information Notification Act (“BPINA”). These amendments contain a number of significant changes, including clarifying a key definition, adding a new notification obligation to the Attorney General, requiring organizations to provide credit monitoring services, and reducing the threshold to notify consumer reporting agencies. These amendments—which take effect today, September 26, 2024—bring Pennsylvania in line with many other states that have taken steps to strengthen their respective data breach notification laws.
Key Changes Coming to the BPINA
Introducing New Obligation to Notify Attorney General
In addition to the pre-existing requirement to notify impacted individuals, organizations must now notify the Attorney General “without unreasonable delay” if a data breach affects more than 500 Pennsylvania residents. This new requirement aligns Pennsylvania’s BPINA with over thirty states that already require notification of the applicable state regulator once a threshold number of residents are impacted by a data breach. Pennsylvania has also lowered its threshold for entities to notify consumer reporting agencies (“CRAs”): while it previously required notification of CRAs only for data breaches affecting more than 1,000 state residents, that threshold is now breaches affecting more than 500 state residents.
In order to help implement this new reporting requirement, Attorney General Michelle Henry recently announced the launch of an online portal for organizations to report data breaches impacting more than 500 state residents. The website also provides helpful information about the BPINA and guidance on the new process to submit information about the data breach.
Requirement to Provide Complimentary Credit Monitoring
While providing credit monitoring after a data breach has become standard practice for many entities, with these amendments Pennsylvania is only the fourth state—following Connecticut, Delaware, and Massachusetts as well as D.C.—to require entities to provide complimentary credit monitoring to impacted individuals. Notably, Pennsylvania is the first state to expand the credit monitoring requirement beyond Social Security Numbers, requiring entities to provide impacted individuals with 12 months of credit monitoring when a breach involves not just an individual’s Social Security number, but also a driver’s license number, state ID number, or bank account number.
Narrowed Definition of “Personal Information”
Like several states, Pennsylvania previously defined “Personal Information” to include an individual’s first name or first initial with last name in combination with one or more of the following: Social Security number, driver’s license or identification card number, financial account number (with access code), medical information, health insurance information, or a username and password. Pennsylvania has not changed the number of items in the list but has narrowed the definition of medical information considerably.
As amended, the law clarifies the “medical information” element to be limited to “medical information in the possession of a state agency or state agency contractor.” Thus, the list of items that are Personal Information when combined with a name now reads as follows (the amended text is the qualifier added to the medical information item):
- Social Security number.
- Driver’s license number or a State identification card number issued in lieu of a driver’s license.
- Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
- Medical information in the possession of a State agency or State agency contractor.
- Health insurance information.
- A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
This amendment exempts private organizations from the notification requirement for breaches involving medical information unless a state agency or state agency contractor possessed such information at the time of the breach.
As before, when unencrypted Personal Information is accessed or acquired by an unauthorized party, notice to individuals, and potentially the Attorney General, is required in instances where the entity reasonably believes that the unauthorized access or acquisition of the information has caused, or will cause, loss or injury to any Pennsylvania resident.
Next Steps
As a reminder, this change doesn’t affect only entities located in Pennsylvania. Any business that maintains data about Pennsylvania residents could be affected if it experiences a reportable data breach. Businesses should account for these changes in their incident response procedures.