Pennsylvania Updates Data Breach Law – AG Notice & Credit Monitoring May be Required

By Mark Sanborn
Senior Product and Regulatory Counsel

Effective September 26, 2024, Pennsylvania has updated its Breach of Personal Information Notification Act (73 Pa. Stat. § 2303), introducing new obligations for businesses that experience data breaches. Under the revised law, businesses must now notify the Pennsylvania Attorney General in cases where a breach impacts over 500 Pennsylvania residents. This notification must be provided concurrently with any notices sent to the affected individuals. Specifically, the Attorney General must be informed of the business’s name, the date of the breach, a summary of the incident, and the estimated number of affected individuals both overall and within Pennsylvania. Importantly, businesses should expect that these reports may be made publicly available. To simplify the notification process, the Pennsylvania Attorney General has launched an online portal where businesses can submit breach reports: www.attorneygeneral.gov/report-breach

Additional updates to the law include a reduced threshold for reporting breaches to credit reporting agencies. Now, businesses must report a breach affecting 500 or more individuals, down from the previous threshold of 1,000. Furthermore, if a breach involves the exposure of first and last names in combination with certain sensitive personal information—Social Security numbers, bank account numbers, or driver’s license/ID numbers—and impacts 500 or more individuals, businesses are required to provide 12 months of complimentary credit monitoring services to all affected individuals. In cases where an affected individual cannot obtain a free credit report, businesses must also offer access to a free report.

ComplyAuto Privacy customers have access to a Data Breach Reporting Wizard in which dealers can answer a few simple questions about an actual or hypothetical security incident to see their potential state and federal reporting requirements. The Wizard has been updated to reflect Pennsylvania's new Attorney General reporting requirements.
