Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Pennsylvania residents.
Definition also includes (i) medical information; (ii) health insurance information; and (vi) a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
“Security Breach” means unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by a covered entity as part of a database of personal information regarding multiple individuals and that causes, or according to the covered entity’s reasonable belief has caused or will cause, loss or injury to any resident of Pennsylvania.
“Encryption” means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
“Redacted” means altered or truncated so that no more than the last four digits of a social security number, driver’s license number, state identification card number, account number, or financial account number is accessible as part of the data.
"Health insurance information" means an individual's health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual's health insurance benefits.
"Medical information" means any individually identifiable information contained in the individual's current or historical record of medical history or medical treatment or diagnosis created by a health care professional.
Covered Entities* / Third Party Recipients
Subject to statute:
Any individual or business that maintains, stores, or manages computerized data that contains personal information of Pennsylvania residents.
A vendor that maintains, stores, or manages computerized data on behalf of a covered entity must provide notice of any breach of the security system following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written, telephonic, or e-mail notice (if a prior business relationship exists) must be provided to victims of a security breach without unreasonable delay, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $100,000, affected class exceeds 100,000 persons, or covered entity has insufficient contact information.
- Notice not required if the covered entity responsible for the data concludes that the breach did not cause, or in its reasonable belief has not caused or is not likely to cause, loss or injury to any resident of Pennsylvania.
- Notice only required if security breach materially compromises the security, confidentiality, or integrity of personal information.
Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Safe harbor is not available if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.
Exemption for good faith acquisition by an employee or agent of a covered entity for the purposes of the covered entity so long as personal information is not used for an unlawful purpose or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Pennsylvania statute if it maintains and complies with its own notification procedures as part of an information privacy or security policy and whose procedures are consistent with the timing requirements of the Pennsylvania statute.
A covered entity that complies with the notification requirements imposed by its primary or functional federal regulator is deemed in compliance with the Pennsylvania statute.
Financial institutions that comply with federal interagency guidelines are deemed in compliance with the Pennsylvania statute.
Notification to Regulator / Waiver
A determination of no likelihood of harm: Does not require notification to attorney general.
Violation of the statute constitutes an unfair or deceptive act in violation of the Unfair Trade Practices and Consumer Protection Law.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute