Pennsylvania
Information Covered / Important Definitions
Information covered:
Personal information of Pennsylvania residents.
Definition also includes (i) medical information in the possession of a State Agency or State agency contractor; (ii) health insurance information; and (iii) a username or email address, in combination with a password or security question and answer that would permit access to an online account.
Important definitions:
“Security Breach” means unauthorized access of computerized data that materially compromises the security or confidentiality of personal information maintained by a covered entity as part of a database of personal information regarding multiple individuals and that causes, or according to the covered entity’s reasonable belief has caused or will cause, loss or injury to any resident of Pennsylvania.
“Encryption” means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
“Redacted” means altered or truncated so that no more than the last four digits of a social security number, driver’s license number, state identification card number, account number, or financial account number is accessible as part of the data.
"Health insurance information" means an individual's health insurance policy number or subscriber identification number in combination with an access code or other medical information that permits misuse of an individual's health insurance benefits.
"Medical information" means any individually identifiable information, contained in the individual's current or historical record of medical history or medical treatment or diagnosis, created by a health care professional, in the possession of a State agency or State agency contractor.
Covered Entities* / Third Party Recipients
Subject to statute:
Any individual or business that maintains, stores, or manages computerized data that contains personal information of Pennsylvania residents.
Vendors:
A vendor that maintains, stores, or manages computerized data on behalf of a covered entity must provide notice of any breach of the security system following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written, telephonic, or e-mail notice (if a prior business relationship exists) must be provided to victims of a security breach without unreasonable delay, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs would exceed $100,000, the affected class exceeds 175,000 persons, or the covered entity has insufficient contact information.
- Notice not required if the covered entity responsible for the data concludes that the breach did not cause, or in its reasonable belief has not caused or is not likely to cause, loss or injury to any resident of Pennsylvania.
- Notice only required if security breach materially compromises the security, confidentiality, or integrity of personal information.
Other Obligations:
Any covered entity required to notify more than 500 residents of a security breach is also required to simultaneously notify the PA Attorney General and provide the organization name, location, date and summary of the breach, and estimates of the total PA residents and total overall individuals affected. All reports to the PA Attorney General must be made via the new online portal, accessible from the Attorney General’s website.
Any covered entity that must notify more than 500 persons at one time of a security breach is also required to notify, without unreasonable delay, consumer reporting agencies.
Credit Reporting and Monitoring
Any covered entity that determines that a breach includes an individual’s name together with their Social Security number, driver’s license/state ID number, or bank account number must provide, free of charge, to those affected: (1) credit monitoring for twelve (12) months; and (2) access to one independent credit report from a consumer reporting agency, if the individual is not eligible to obtain an independent credit report from a consumer reporting agency for free. The entity must inform affected individuals of the no-cost services.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Safe harbor is not available if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.
Other exemptions:
Exemption for good faith acquisition by an employee or agent of a covered entity for the purposes of the covered entity so long as personal information is not used for an unlawful purpose or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Pennsylvania statute if it maintains and complies with its own notification procedures as part of an information privacy or security policy and those procedures are consistent with the timing requirements of the Pennsylvania statute.
A covered entity that complies with the notification requirements imposed by its primary or functional federal regulator is deemed in compliance with the Pennsylvania statute.
Financial institutions that comply with federal interagency guidelines are deemed in compliance with the Pennsylvania statute.
Covered entities and business associates subject to HIPAA are exempt from Pennsylvania’s statute.
Notification to Regulator / Waiver
A determination of no likelihood of harm does not require notification to the attorney general.
Penalties
Violation of the statute constitutes an unfair or deceptive act in violation of the Unfair Trade Practices and Consumer Protection Law.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
*Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.