Security Breach Notice Policy in the State of Pennslyvania

February 08, 2022 | 4 minutes read
Security Breach Notice Policy in the State of Pennslyvania

73 Pa. Stat. § 2301, also known as the Breach of Personal Information Notification Act, is a data breach notification law that was passed in the U.S. state of Pennsylvania in 2006. Pennsylvania’s Breach of Personal Information Notification Act represents the primary legal framework governing data breach incidents within the state. With this being said, the law establishes the requirements that business entities and organizations within the state of Pennsylvania must adhere to in the event that a security breach takes place. Moreover, 73 Pa. Stat. § 2301 also sets forth the penalties and sanctions that can be imposed against those who are found to be in violation of the law.

How is a security breach defined under Pennsylvania’s Breach Act?

Under Pennsylvania’s Breach of Personal Information Notification Act, a security breach is defined as “the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.” On the contrary, the “good-faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.”

What are data breach notification requirements?

Much like other data breach notification legislation that has been passed at the U.S. state level, Pennsylvania’s Breach of Personal Information Notification Act mandates that business entities and organizations within the state provide data breach notifications to all affected individuals and parties in the event that a data breach occurs. These notifications must be provided to consumers without unreasonable delay, and must detail the scope and severity of the breach, as well as the categories of personal information that were compromised as a result of the breach, among other pertinent information. What’s more, the law also requires that entities also provide notice to the three major credit reporting agencies within the U.S. in instances where a security breach affects more than 1000 consumers within Pennsylvania.

What categories of personal information are covered under the Act?

Under Pennsylvania’s Breach of Personal Information Notification Act, the following categories of personal information are protected in the event that a data breach occurs, in combination with a Pennsylvania resident’s first and last name or first initial and last name, permitting this information has not been redacted or encrypted:

What are the penalties for violating the Act?

In terms of the enforcement of Pennsylvania’s Breach of Personal Information Notification Act, the provisions established in the law are enforced by the Pennsylvania Attorney General. To this point, business entities and organizations that are found to be in violation of the law are subject to numerous penalties and sanctions. Such punishments include civil penalties and relief. Furthermore, “individuals or entities found to be acting in a manner deemed to be an unfair or deceptive act or practice will be considered to be in violation of this legislation, known as the Unfair Trade Practices and Consumer Protection Law. The Office of the Attorney General will have the exclusive right to prosecute violations of this act. No limitations are outlined to the extent of penalties for these breaches.”

The enactment of Pennsylvania’s Breach of Personal Information Notification Act in 2006 provided residents of the state with legal protection in the event that a data breach or related incident occurs. As the U.S. has yet to pass a national comprehensive data privacy law such as the EU’s General Data Protection Regulation or GDPR, state-based legislation such as Pennsylvania’s Breach of Personal Information Notification Act stands as the foremost means by which the average American citizen can seek relief and assistance when their personal information has been compromised or improperly disclosed following a security breach. As such, lawmakers at both the federal and state level will have to make data security and personal privacy a priority moving forward, or risk having the personal information of American citizens being jeopardized.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Arizona’s Proposed New Law on Public Records Requests
March 13, 2023 | 7 minutes read
Arizona’s Proposed New Law on Public Records Requests

A Bit of History The date February 14th might stand out to most of us, and if you haven’t figured out why, it’s because it is the anniversary of Arizona’s Statehood. Over 100 years ago, Arizona became the 48th state to be admitted into the United States. Since governance is as old as human history, […]

Learn More »