Pennsylvania Data Breach Notification Law

Notification deadline: Without unreasonable delay

Enforcement: Pennsylvania Attorney General, Office of Consumer Protection

Overview

Pennsylvania requires businesses to notify affected residents "without unreasonable delay" after a breach. Recent amendments expanded the definition of personal information and added state agency notification requirements.

Who Must Be Notified

• • Affected Pennsylvania residents
• • Pennsylvania Attorney General (if 500+ residents affected)
• • Consumer reporting agencies (if 1,000+ residents affected)

Covered Data Types

Social Security number, Driver's license number, State ID card number, Financial account number with access code, Medical information, Health insurance information, Username with password

Notification Requirements

• • Written, telephonic, or electronic notice without unreasonable delay
• • Include description of breach
• • Types of personal information involved
• • Contact information for business and credit bureaus
• • Notify AG if 500+ Pennsylvania residents affected
• • Notify consumer reporting agencies if 1,000+ affected

Exemptions

• • Encrypted data (if key not compromised)
• • Good faith acquisition by employee
• • Entities in compliance with GLBA, HIPAA
• • Publicly available information

Penalties

Treated as unfair or deceptive practice. AG can seek injunctions and civil penalties. Private right of action for actual damages.