Pennsylvania
Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: Yes
2005 Pa. Laws 474 (unofficially consolidated in 73 P.S. §§ 2301–2329 (West 2019))
Scope of this Summary:
Notification requirements applicable to entities that conduct business in the state and maintain, store, or manage covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if the covered entity reasonably believes that the breach has not and will not cause loss or injury to any Pennsylvania resident.
Breach Defined
Unauthorized access and acquisition that materially compromises the security or confidentiality of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted so long as encryption key was not accessed or acquired.
Form of Covered Info
Electronic only
Covered Information
Personal information means an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements:
- Social Security number;
- driver's license number or a state identification card number issued in lieu of a driver's license;
- financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- medical information in the possession of a State agency or State agency contractor;
- health insurance information; or
- a username or email address, in combination with a password or security question and answer that would permit access to an online account.
Consumer Notice Timing
Must be made without unreasonable delay, taking any necessary measures to determine the scope of the breach and to reasonably restore the integrity of the system.
Consumer Notice Method
- By written notice (to the last-known home address), by telephone notice (if the consumer can be reasonably expected to receive it), or by email notice (if a prior business relationship exists and the entity has a valid email address). Substitute notice is available if certain criteria are satisfied.
- Effective May 2, 2023, a covered entity may comply with notice requirements by providing notice in electronic or another form that directs the person whose personal information has been materially compromised to promptly change their password and security question or answer if the breach involves either.
Consumer Notice Content
The Pennsylvania statute requires that if credit monitoring services are provided to the affected individual, the services will be provided free for 12 months.
Delayed Notice
Notification may be delayed if law enforcement determines and advises the covered entity in writing specifically referencing this section that notification will impede a criminal or civil investigation.
Government Notice
When notice of a breach of the security of the system must be given to more than 500 affected individuals in this Commonwealth, notice shall be made concurrently to the Office of Attorney General. Notice must provide the organization name and location, the date of the breach, a summary of the breach incident, and an estimated total number of Pennsylvania individuals affected by the breach.
An entity subject to requirements relating to insurance data security shall be exempt from this notice requirement.
Consumer Reporting Agency Notice
If more than 500 residents are notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and number of consumer notices.
If it is determined that an individual's first name or first initial and last name, in combination with either their Social Security number, bank account number, or driver's license or state ID number, were compromised, an entity shall provide access to free credit monitoring services for a period of 12 months following notification.
Exceptions for Other Laws
Effective May 2, 2023, any covered entity that is subject to and in compliance with the privacy and security standards for the protection of electronic personal health information established under the Health Insurance Portability and Accountability Act of 1996 or the Health Information Technology for Economic and Clinical Health (HITECH) Act is deemed in compliance with the statute (§ 5.3, S.B. 696).
Third-Party Notice
If you maintain, store, or manage covered info on behalf of another entity, you must notify it following discovery of a breach.
Private Right of Action
The Pennsylvania statute does not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.