The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 


Pennsylvania

State Data Breach Notification Statute

Highlights

Covered Entities: A state agency, political subdivision of Pennsylvania, or an individual or business doing business in Pennsylvania.

Consumer Notification: Notification must be provided to any Pennsylvania resident whose “unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired” without authorization.

Regulatory Notification: Notification must be provided to the Pennsylvania Attorney General if 500 or more individuals are required to be notified of a breach.

Notification Timeline: Notification must be provided “without unreasonable delay” after determination of a breach.

Data Format: Electronic.

Citations: 73 P.S. §§ 2301–23

More Details

Definitions:

  • Breach: Unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information, and that causes or the entity reasonably believes has caused or will cause loss or injury to a Pennsylvania resident.
  • Personal information (PI):
    • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
      • Social Security number;
      • Driver’s license or state identification number;
      • Financial account or payment card number, plus any security code, access code, or password that would permit access to a financial account;
      • Medical information in the possession of a State agency or State agency contractor; or
      • Health insurance information.
    • Username or e-mail address plus a password or security question and answer that would permit access to an online account.
  • Medical Information: Any individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment or diagnosis.
  • Health Insurance Information: An individual’s health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits.

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI is encrypted, so long as the PI is not accessed and acquired in unencrypted form or the “breach” is linked to a breach of the security of the encryption or access to the encryption key.
  • Good Faith: Notification is not required where the potentially impacted PI is acquired in good faith by an employee or agent for the purposes of the entity if the PI is not used other than for a lawful purpose of the entity and is not subject to further disclosure.
  • Risk of Harm: Notification is not required where the unauthorized access and acquisition does not cause, and is not reasonably believed to have caused or to be likely to cause, loss or injury to any Pennsylvania resident.
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines and advises the entity, in writing and with specific reference to this law, that the notification will impede a criminal or civil investigation.

Direct Notice:

  • Timing: Notification must be provided “without unreasonable delay,” subject to measures necessary to determine the scope of the “breach” and restore the reasonable integrity of the system.
  • Format: N/A
  • Content:
    • Telephone notice must include:
      • A general description of the breach incident;
      • Types of PI that were impacted; and
      • A webpage or phone number the individual can contact for additional information.
    • Electronic notice must include:
      • Notice directing the individual to promptly change their password and security question or answer; or
      • Other steps appropriate to protect the online account.
  • Method: Notification may be provided by any of the following: (1) written notice to the last known home address; (2) telephone, if reasonably expected to be received and clear and conspicuous; (3) e-mail notice based on a prior relationship; (4) electronic notice; or (5) substitute notice.

Substitute Notice:

An entity may provide substitute notice if (1) the cost of direct notice would exceed $100,000; (2) the notification population exceeds 175,000; or (3) the entity does not have sufficient contact information. It must include (1) e-mail notice, where an e-mail address is available; (2) conspicuous posting on the entity’s website; and (3) notice to major statewide media.

Remediation Services:

The entity must offer 12 months of remediation services if a breach impacts Social Security numbers, bank account numbers, driver’s license numbers, or identification card numbers.

Regulatory Notice:

The entity must concurrently notify the Office of the Attorney General when notice of the breach of security must be given to more than 500 residents. Notice to the Attorney General shall include the following information to the extent known by the notifying entity:

  • the organization name and location;
  • the date of the breach of the security of the system;
  • a summary of the breach incident of the security of the system;
  • an estimated total number of individuals affected by the breach; and
  • an estimated number of Pennsylvania residents affected by the breach.

Credit Reporting Agencies Notice:

Notification must be provided to all nationwide consumer reporting agencies if the notification population exceeds 1,000 Pennsylvania residents.

Third-Party Notice:

A vendor that maintains, stores or manages computerized data on behalf of another entity must notify the entity of a “breach” following discovery.

HIPAA:

Any covered entity or business associate subject to and in compliance with the privacy and security standards for the protection of electronic personal health information established under the Health Insurance Portability and Accountability Act will be deemed to have complied with relevant provisions.

Private Action:

N/A

Associated Regulations:

N/A
