22 July 2024

Pennsylvania Amends Data Protection Requirements With Revised Breach Notification Act

Sheppard, Mullin, Richter & Hampton LLP

Contributor

A.J. Dhaliwal’s articles from Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • with readers working within the Aerospace & Defence industries

On June 28, Pennsylvania took a significant step to enhance its data protection framework by updating the Breach of Personal Information Notification Act through the enactment of SB 824. This new legislation revises the older 2005 law and places a stronger emphasis on the security of digital data. It also introduces more stringent guidelines for notifying consumers and relevant authorities following a data breach.

Under the new law, if a data breach affects more than 500 Pennsylvania residents, entities are required to notify both the impacted individuals and the Pennsylvania Attorney General, as well as consumer reporting agencies, without unreasonable delay. The information provided to the Pennsylvania AG must include the organization's name and location, the date on which the breach occurred, a brief summary of the incident, and an estimate of the number of affected individuals, both within the state and beyond.

Additionally, the Act mandates that entities bear the expenses related to providing affected individuals with free credit reporting and monitoring services for one year following the breach notification.

The legislation specifies that these obligations are triggered when an entity identifies a security breach and reasonably believes that personal information, such as a person's name in conjunction with a Social Security number, bank account number, or driver's license/state ID number, has been accessed without authorization.

The law is slated to take effect in 90 days.

Putting It Into Practice: Pennsylvania's updates to its Breach of Personal Information Notification Act reflect a broader trend among states and federal agencies to address the evolving challenges of data security (see our previous posts on data breach legislation here and here). Businesses subject to the law are now tasked with adapting to these changes swiftly to ensure compliance. In addition, companies facing a breach that spans multiple states must be mindful of how this law, its triggers, and its notification requirements compare to other jurisdictions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
