ARTICLE
19 September 2024

New Data Breach Notification Obligations For PA – And A New Reporting Portal

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
Pennsylvania AG Michelle Henry announced yesterday the launch of an online portal for businesses to report data breaches to the AG's office.
United States Pennsylvania Privacy

Pennsylvania AG Michelle Henry announced yesterday the launch of an online portal for businesses to report data breaches to the AG's office. The portal launch comes before Pennsylvania's new breach amendments take effect on September 26, 2024. One of the amendments will require businesses to report to the AG Office any breach that impacts more than 500 Pennsylvania residents. Businesses can provide notice to the AG using the new online portal. The law also includes specific reporting content; this content is built into the online portal. The AG's website provides step-by-step instructions for submission.

As a reminder, from September 26, if a breach involves social security numbers, bank account numbers, or drivers' license/state ID numbers, then businesses will need to provide 12 months credit monitoring under the law as revised. Businesses will also have to provide impacted individuals with access to a free credit report, if they could not otherwise get free access. And similar to other states, the threshold for notify credit reporting agencies will be if the breach impacts 500 or more Pennsylvania residents.

Putting it into Practice: There are a growing number of states authorities that have web portals for submitting notices of breaches. For those who keep a running list, this new portal will get added to it. Given the frequency of updates in this area, companies who do keep this information in an appendix to their incident response plan will want to have a process in place to confirm that the list is current at the time of the incident.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More