Pennsylvania’s Breach Notification Law

Executive Summary – Pennsylvania’s Cyber Breach Notification Law

Definition of Personal Information:
An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

  • Social Security number.
  • Driver’s license number or a State identification card number issued in lieu of a driver’s license.
  • Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
  • Note: Does not include publicly available information that is lawfully made available to the general public from Federal, State or local government records.

    Definition of a breach:
    The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident.

    Breach notification:
    An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. The notice shall be made without unreasonable delay. A resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.

    A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data.

    When an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

    Note: Loss of encrypted data does not require notification.

    Reference Document
    Breach Notification Laws by State
