Pennsylvania Data Breach Notification Law
Pennsylvania businesses have a little more than a month to comply with new data privacy regulations. On May 3, 2023, amendments to the Pennsylvania's Breach of Personal Information Notification Act (BOPINA) will take effect—and they’re a long time in the making. Mondaq says these amendments are the first updates to the BOPINA since they were enacted in 2005 “as part of the wave of adoption of model breach notification laws around the United States[,]” with many of these states “substantially broaden[ing] the scope of their breach notification requirements.”
Pennsylvania, however, “continues to take a more measured approach” to data privacy regulation, though BOPINA’s newest amendments take fairly big steps.
The most substantial of these amendments include updated definitions and notification requirements. Here’s what’s covered and how to comply:
Definition of “Personal Information”
Under the BOPINA, when a covered organization has been subject to a breach of the security of their organizational systems, that covered organization is required to notify “residents whose personal information data was—or may have been—disclosed.”
Under the BOPINA, “personal information” is defined as:
“An individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
(i) Social Security number.
(ii) Driver's license number or a State identification card number issued in lieu of a driver's license.
(iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.”
The BOPINA Amendments expand this definition to include:
(iv) Medical information, which is defined as "[a]ny individually identifiable information contained in the individual's current or historical record of medical history or medical treatment or diagnosis created by a healthcare professional."
(v) Health insurance information, which is defined as "[a]n individual's health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual's health insurance benefits."
(vi) A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
According to Mondaq, the addition of “medical information” and “health insurance information” will impose notification requirements to entities that are not already subject to the Health Insurance Portability and Accountability Act of 1996 (HIPPA), which will help “fill the gap” of entities required to report a breach of these medically related information sources “in the absence of action at the federal level.”
Electronic Notification
The BOPINA Amendments will permit notifications required under the Act to be made electronically if the breach involves the login information referenced under the newly-added (vi). In these instances, the websites can direct the online user to change their credentials on that site and any other site where they use those login credentials.
Notification Timelines
Under BOPINA, notifications were required to be issued “without unreasonable delay" following discovery of the breach. According to Mondaq, this “had been interpreted widely to 'start the clock' only after both a reasonable forensic investigation had been completed to determine the scope and nature of the incident and a legal determination had been made that breach notifications were required to be issued.”
The amendments reinforce this interpretation, as notifications will not be required without unreasonable delay following "determination of the breach[,]" which has been defined under the BOPINA Amendments as the "verification or reasonable certainty that a breach of the security of the system has occurred."
Notification Requirements for States Agency Contractors
Under the BOPINA Amendments, state agencies are required to issue a notification to all affected individuals and to the Office of Attorney General within 7 days of the "determination of the breach[.]" Municipalities, on the other hand, will have 3 days following this determination to notify the district attorney of the county of the breach.
"State agency contractors" however, are required to issue a notification to the chief information security officer, or a designee, of the State agency upon "discovery" of a data breach.
State agency contractors are defined as "[a] person, business, subcontractor or third party subcontractor that has a contract with a State agency for goods or services that requires access to personal information for the fulfillment of the contract." Discovery is defined under the amendments as “knowledge of or reasonable suspicion" of a breach, rather than the "verification or reasonable certainty,” timeline outlined for other entities.
As such, those who contract with state agencies have a shorter timeline for issuing a notification than all other covered organizations, including the state agencies themselves.
Proactive Data Security Requirements
According to Mondaq, most state breach notification laws are seen as “reactive,” rather than “proactive,” as they typically prescribe only the actions needed in response to an incident. However, under the BOPINA Amendments, any entity that “maintains, stores or manages computerized data on behalf of the Commonwealth," which encompasses state government contractors but also any entity, including municipalities, that have access to Commonwealth data and systems, will be required to:
“Utilize encryption, or other appropriate security measures, to reasonably protect the transmission of personal information over the Internet from being viewed or modified by an unauthorized third party.”
Develop and maintain policies to govern the encryption, or other appropriate security measures and “reasonably proper storage of the personal information.”
Review and update these policies on, at least, an annual basis.
Preparing for Enactment:
Although these BOPINA Amendments have not yet taken effect, they have been approved and are certain to become law on May 3. As such, all covered organizations should begin a review of their policies and procedures against the new legislative requirements to ensure that, upon the effective date, their organization is in compliance.