Pennsylvania’s Breach Notification Law
Executive Summary – Pennsylvania’s Cyber Breach Notification Law
Definition of Personal Information:
An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
- Social Security number.
- Driver’s license number or a State identification card number issued in lieu of a driver’s license.
- Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
Note: Does not include publicly available information that is lawfully made available to the general public from Federal, State or local government records.
Definition of a breach:
The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident.
An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. The notice shall be made without unreasonable delay. A resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.
A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security of the system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data.
When an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Note: Loss of encrypted data does not require notification.