Pennsylvania’s Breach Notification Law

Date: February 22, 2019

Executive Summary – Pennsylvania’s Cyber Breach Notification Law

Definition of Personal Information:
An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

  • Social Security number.
  • Driver’s license number or a State identification card number issued in lieu of a driver’s license.
  • Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.

Note: Does not include publicly available information that is lawfully made available to the general public from Federal, State or local government records.

Definition of a breach:
The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident.

Breach notification:
An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. The notice shall be made without unreasonable delay. A resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.

A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data.

When an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

Note: Loss of encrypted data does not require notification.

Reference Document
Breach Notification Laws by State
