Security Breach Notice Policy in the State of Pennsylvania
February 08, 2022 | 4 minutes read
73 Pa. Stat. § 2301, also known as the Breach of Personal Information Notification Act, is a data breach notification law that was passed in the U.S. state of Pennsylvania in 2006. Pennsylvania’s Breach of Personal Information Notification Act represents the primary legal framework governing data breach incidents within the state. The law establishes the requirements that business entities and organizations within the state of Pennsylvania must adhere to in the event that a security breach takes place. Moreover, 73 Pa. Stat. § 2301 also sets forth the penalties and sanctions that can be imposed against those who are found to be in violation of the law.
How is a security breach defined under Pennsylvania’s Breach Act?
Under Pennsylvania’s Breach of Personal Information Notification Act, a security breach is defined as “the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.” By contrast, the “good-faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.”
What are the data breach notification requirements?
Much like other data breach notification legislation that has been passed at the U.S. state level, Pennsylvania’s Breach of Personal Information Notification Act mandates that business entities and organizations within the state provide data breach notifications to all affected individuals and parties in the event that a data breach occurs. These notifications must be provided to consumers without unreasonable delay, and must detail the scope and severity of the breach, as well as the categories of personal information that were compromised as a result of the breach, among other pertinent information. In addition, the law requires that entities provide notice to the three major credit reporting agencies within the U.S. in instances where a security breach affects more than 1000 consumers within Pennsylvania.
What categories of personal information are covered under the Act?
Under Pennsylvania’s Breach of Personal Information Notification Act, the following categories of personal information are protected in the event that a data breach occurs, when held in combination with a Pennsylvania resident’s first and last name or first initial and last name, provided this information has not been redacted or encrypted:
- Social security numbers.
- Driver’s license numbers and state identification card numbers.
- Financial account numbers.
- Credit and debit card numbers, as well as any required security codes or access codes that could be used to grant access to an individual’s financial account.
What are the penalties for violating the Act?
The provisions of Pennsylvania’s Breach of Personal Information Notification Act are enforced by the Pennsylvania Attorney General. Business entities and organizations that are found to be in violation of the law are subject to numerous penalties and sanctions, including civil penalties and relief. Furthermore, “individuals or entities found to be acting in a manner deemed to be an unfair or deceptive act or practice will be considered to be in violation of this legislation, known as the Unfair Trade Practices and Consumer Protection Law. The Office of the Attorney General will have the exclusive right to prosecute violations of this act. No limitations are outlined to the extent of penalties for these breaches.”
The enactment of Pennsylvania’s Breach of Personal Information Notification Act in 2006 provided residents of the state with legal protection in the event that a data breach or related incident occurs. As the U.S. has yet to pass a comprehensive national data privacy law such as the EU’s General Data Protection Regulation (GDPR), state-based legislation such as Pennsylvania’s Breach of Personal Information Notification Act stands as the foremost means by which the average American citizen can seek relief and assistance when their personal information has been compromised or improperly disclosed following a security breach. As such, lawmakers at both the federal and state level will have to make data security and personal privacy a priority moving forward, or risk leaving the personal information of American citizens in jeopardy.