On June 28, 2024, Pennsylvania enacted significant amendments to its Breach of Personal Information Notification Act (BPINA), following the adoption of Senate Bill 824. These changes, which will become effective on September 26, 2024, represent significant new requirements for organizations that handle certain personal information of Pennsylvania residents and are subject to BPINA. Private and public organizations of all sizes must take note of these new legal obligations, as they introduce changes to notification requirements, definitions, and thresholds that could impact compliance, liability, and incident response strategies with respect to Pennsylvania residents.

Executive Summary

At a high level, the amendments to BPINA impose the following new requirements:

  • Required notification to the PA Attorney General’s office for any data breach affecting more than 500 individuals;
  • Obligation to provide credit reports and monitoring to impacted individuals if certain types of personal information are compromised;
  • Reporting of data breaches via a newly created online portal on the Attorney General’s website;
  • Required reporting of compromised medical information limited to state agencies and contractors;
  • Reduced threshold to report to credit agencies from 1,000 impacted individuals to 500 impacted individuals.

Notification to Attorney General

A significant change by the Senate Bill 824 amendments is the new requirement (already in effect in many other states) for organizations to notify the Pennsylvania Attorney General’s Office whenever they provide notice of a data breach affecting more than 500 residents of the Commonwealth. This notification must be submitted concurrently with the notice sent to affected individuals and must include specific information, including:

  1. The name and location of the breached organization;
  2. The date of the breach as defined by Pennsylvania law;
  3. A summary of the breach;
  4. The total number of impacted individuals; and
  5. The total number of impacted residents of Pennsylvania.

Online Reporting Portal

In anticipation of the new requirements, Pennsylvania Attorney General Michelle Henry announced the launch of an online portal designed to streamline the process for companies required to report data breaches affecting more than 500 Pennsylvania residents. This portal, set to go live on September 26, 2024, will facilitate the reporting process and provide entities with essential information about BPINA. The portal can be accessed via the Office of the Attorney General’s website, where entities will be guided through a step-by-step process to submit required notification information.

Obligation to Provide Credit Reports and Monitoring

Pennsylvania will now require organizations to provide affected Pennsylvania residents with access to credit reports and credit monitoring services for twelve months at no cost if:

  • There has been a breach of security as defined by Pennsylvania law; and
  • The accessed data included an individual's name (first and last, or first initial and last) along with their Social Security number, bank account number, or driver’s license/state ID number.

Organizations must ensure that they are prepared to offer impacted individuals access to one independent credit report from a consumer reporting agency if the individual does not qualify for a free report under federal law (15 U.S.C. § 1681). This new obligation reflects the increasing pressure on legislatures to do something about the pervasiveness of consumer identity theft accomplished through data breaches.

It is noteworthy that the inclusion of bank account numbers as a triggering element for credit monitoring is somewhat atypical when compared to other states, which primarily focus on Social Security numbers and specific government-issued identification numbers. It is also inconsistent with the separate requirement that a compromised bank account number be reported only if it is linked to a password or other information needed to access the account.

Accessed vs. Acquired Information

The amendments expand the definition of “breach of security” to include unauthorized access to personal information regardless of whether it can be shown that the bad actor “acquired” the information. Prior to the amendments, Pennsylvania law required notification only if personal information was both accessed and acquired. The new, broader definition of a breach of security (similar to many other states) requires organizations to notify affected individuals and authorities even when data is only accessed. This change acknowledges the pervasive threat of ransomware attacks and other cybersecurity threats: data can be compromised without being exfiltrated, and threat actors have sophisticated means to conceal technical evidence of their actions. This change heightens compliance and liability considerations, emphasizing the need for organizations to adopt robust cybersecurity measures and a comprehensive incident response plan to address the complexities of unauthorized data access.

Reduced Threshold for Notice to Credit Reporting Agencies

Senate Bill 824 lowers the threshold for notifying consumer reporting agencies. Previously, organizations were required to notify these agencies only when providing notice to 1,000 or more residents. The amended law now mandates that any organization notifying 500 or more individuals must also inform consumer reporting agencies as defined by Section 603 of the Fair Credit Reporting Act (FCRA).

Amended Definition of Reportable Medical Information

The recent changes narrow the definition of medical information to “medical information in the possession of a State agency or State agency contractor.” Prior to the amendment, any organization was required to provide notification of a breach of medical information. This new qualification effectively exempts private sector organizations from the obligation to notify Pennsylvania residents of breaches involving their medical information unless the organization is a State agency contractor (i.e., the contractor requires access to personal information for the fulfillment of the contract). This alteration in the definition of medical information may create confusion for private sector entities (including nonprofit entities) that handle medical data but are not state agencies or state agency contractors. Organizations must be diligent in understanding their responsibilities under BPINA, especially in the context of potential data breaches that may involve protected health information (PHI). However, entities subject to the Health Insurance Portability and Accountability Act (HIPAA) are still obligated to report to the Department of Health and Human Services’ Office of Civil Rights breaches involving PHI.

Notification Timelines

BPINA does not change the timelines for notification. Most private entities that maintain, store or manage computerized personal information and believe that an unauthorized person has accessed this information must notify the affected Pennsylvania residents without unreasonable delay after determining with reasonable certainty that a data breach has occurred. While “without unreasonable delay” is undefined and likely will be determined on a case-by-case basis, it is generally viewed as not exceeding 60 days following determination of the breach. Vendors are required to notify the entity on whose behalf they manage personal information following discovery of circumstances raising a “reasonable suspicion” that a breach has occurred.

For public entities, the law stipulates quick and specific notification timelines for state agencies, state agency contractors, counties, public schools, and municipalities.

Acceptable Forms of Notification

Also unchanged are the acceptable forms of notification to individuals whose personal information has been compromised:

  1. Written notice to the individual’s last known address;
  2. Telephonic notice, provided in a conspicuous and reasonable manner; or
  3. Email notice if there is a prior business relationship.

Electronic notice to change access credentials may be used if an online account is compromised. Substitute notice may be allowed if the cost of regular notice would exceed $100,000, more than 175,000 individuals are affected, and email addresses are not available. Substitute notice requires a combination of email (if an email address is available), conspicuous posting on the entity’s website, and notifications to major statewide media outlets.

Violations of BPINA

Violations of BPINA are classified as unfair or deceptive acts under the Pennsylvania Unfair Trade Practice and Consumer Protection Law. This classification empowers the Attorney General to seek injunctive relief, restitution, and penalties against any business entity found in violation of the law. Organizations must be vigilant in their compliance efforts to avoid potential legal repercussions stemming from breaches of personal information.

Conclusion

As Pennsylvania’s data breach notification laws continue to evolve, organizations must proactively update their incident response plans and compliance strategies to align with the new requirements established by Senate Bill 824. The amendments to BPINA underscore the importance of timely and transparent communication with both affected individuals and regulatory authorities, as well as the need for enhanced consumer protections in the event of data breaches. Legal counsel should be engaged to navigate the complexities of the amended law, ensuring that organizations are adequately prepared to respond to potential data security incidents.

Facing a cybersecurity incident? Contact Buchanan’s Incident Response Team at cyber@bipc.com.

Buchanan’s Cybersecurity and Data Privacy attorneys regularly advise clients on all facets of cybersecurity, from advising on incident response plans and delivering tabletop exercises to responding to complex ransomware attacks to defending against class action litigation. See what Buchanan can do for you: https://www.bipc.com/cybersecurity-and-data-protection

For further details on Senate Bill 824, please refer to the official document available at the Pennsylvania General Assembly’s website: Senate Bill 824.

A special thanks to Komal Jain, Associate in Buchanan’s Labor, Employment, Benefits and Immigration section, for her contribution to this article.