Pennsylvania
Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: No
2005 Pa. Laws 474 (unofficially consolidated in 73 P.S. §§ 2301–2329 (West 2019))
Scope of this Summary:
Notification requirements applicable to entities that conduct business in the state and maintain, store, or manage covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if the covered entity reasonably believes that the breach has not and will not cause loss or injury to any Pennsylvania resident.
Breach Defined
Unauthorized access and acquisition that materially compromises the security or confidentiality of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted, so long as the encryption key was not accessed or acquired.
Form of Covered Info
Electronic only
Covered Information
Personal information means an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements:
- Social Security number;
- driver's license number or a state identification card number issued in lieu of a driver's license;
- financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- medical information;
- health insurance information; or
- a username or email address, in combination with a password or security question and answer that would permit access to an online account.
- Personal information, or a username or email address in combination with a password or security question and answer that would permit access to an online account.
Consumer Notice Timing
Must be made without unreasonable delay, taking any necessary measures to determine the scope of the breach and to reasonably restore the integrity of the system.
Consumer Notice Method
- By written notice (to the last-known home address), by telephone notice (if the consumer can be reasonably expected to receive it), or by email notice (if a prior business relationship exists and the entity has a valid email address). Substitute notice is available if certain criteria are satisfied.
- Effective May 2, 2023, a covered entity may comply with notice requirements by providing notice in electronic or another form that directs the person whose personal information has been materially compromised to promptly change their password and security question or answer if the breach involves either.
Consumer Notice Content
The Pennsylvania statute does not set out specific content requirements for the notice to affected persons.
Delayed Notice
Notification may be delayed if law enforcement determines and advises the covered entity in writing specifically referencing this section that notification will impede a criminal or civil investigation.
Government Notice
The Pennsylvania statute does not require notice to any government or regulatory agencies.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, the covered entity must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of the timing, distribution, and number of consumer notices.
Exceptions for Other Laws
Effective May 2, 2023, any covered entity that is subject to and in compliance with the privacy and security standards for the protection of electronic personal health information established under the Health Insurance Portability and Accountability Act of 1996 or the Health Information Technology for Economic and Clinical Health (HITECH) Act is deemed in compliance with the statute (§ 5.3, S.B. 696).
Third-Party Notice
If you maintain, store, or manage covered info on behalf of another entity, you must notify it following discovery of a breach.
Private Right of Action
The Pennsylvania statute does not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.