Pennsylvania's amended breach notification law now in effect
Act 151, amending Pennsylvania’s breach notification law, went into effect on May 2, 2023. Act 151 was previously signed into law on November 3, 2022. The revised law broadens the definition of “personal information” while enacting new notification requirements that will directly impact breached entities, specifically calling out new requirements for public schools.
Pennsylvania’s breach notification law expands the definition of “personal information” to include medical information, health insurance information, and a username or password in combination with a password or security question and answer.
The revised law now requires notice to residents upon the “determination” of a breach (formerly required upon the “discovery” of a breach). Pennsylvania draws the following distinction between “determination” and “discovery.” Under the revised standard, entities will need to take action earlier in the investigative stages, which may include expedited notice of a breach to residents of the Commonwealth.
"Determination." A verification or reasonable certainty that a breach of the security of the system has occurred.
"Discovery." The knowledge of or reasonable suspicion that a breach of the security of the system has occurred.
Most importantly for public schools (defined by Pennsylvania as any school district, intermediate unit, charter school, cyber charter school or area career and technical school), upon the determination of a breach, public schools are required to provide notice to impacted residents within seven business days. Additionally, notice must be provided to the district attorney in the county where the breach occurred within three business days.
The revised law also enacts new notification requirements for state agencies, requiring notice to impacted residents and the attorney general within seven days of a determination of a breach. Further, the law carves out an additional notice requirement to the governor’s office and to the agency’s chief information officer.
Lastly, in the event electronic notice is provided to residents who had their name, email address and security question and answer compromised, such notice shall direct the resident to promptly change their password and security question or answer, or take other steps appropriate to protect their online account.
Pennsylvania’s new law drastically changes the manner in which entities that collect data on Pennsylvania residents respond to a breach.
If your organization needs assistance analyzing the above revisions or any other state breach notification statute, contact any of the members of McDonald Hopkins’ national data privacy and cybersecurity practice. For more legislative updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislative updates.