State Privacy Laws - Pennsylvania Breach of Personal Information Notification Act

Posted by BAS - 16 August, 2012


In addition to Federal privacy and breach notification laws such as HIPAA, many states have enacted privacy laws to protect residents against unauthorized access to their data and to require notification to residents if their personal data is compromised. In this article, we will review the requirements of Pennsylvania’s Breach of Personal Information Notification Act.

Pennsylvania’s Breach of Personal Information Notification Act requires certain organizations that do business in Pennsylvania to notify a Pennsylvania resident if the resident’s personal information “was or is reasonably believed to have been accessed and acquired by an unauthorized person.”

Who Must Comply?

Any organization doing business in Pennsylvania must comply if it maintains, stores or manages computerized data that includes Personal Information, defined as an individual’s first and last name (or first initial and last name) in combination with any of the following: 1) Social Security number, 2) driver’s license or State Identification Card number, or 3) financial account number or credit or debit card number, together with any required security code or password that would permit access to the individual’s financial account. As under HIPAA, the entity remains responsible for notification even if the breach occurs at a vendor contracted to maintain, store or manage the personal data on its behalf.

What is a Breach?

The statute defines a breach as “The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of [the] Commonwealth.” Notification to the individual is required if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption, or if the security breach involves a person with access to the encryption key.

Notice

Notice requirements vary depending on the contact information the entity holds for the individual, the number of individuals affected and the cost of notification.

Generally, notice to the individuals may be provided by 1) letter sent to the individual’s last known address; 2) email, if the entity had a prior business relationship with the individual and held a valid email address for them before the incident; or 3) telephone, if a) the entity can reasonably expect the individual to receive the notice, b) the notice describes the incident in general terms but in a “clear and conspicuous” manner, c) the caller verifies personal information but does not require the individual to provide personal information, and d) the caller provides a telephone number or website where the individual can obtain further information or assistance.

Substitute notification is permissible if the cost of providing notice would exceed $100,000, the number of individuals affected is greater than 175,000, or the entity has insufficient contact information. An entity that uses substitute notification must provide notice in all three of the following ways: 1) email to the individuals for whom it has an email address, 2) a conspicuous posting on the entity’s website, and 3) notification to major statewide media.

Finally, if notification is provided to more than 1,000 individuals at one time, the entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in Section 603 of the Fair Credit Reporting Act, of the timing, distribution and number of the notices.

Enforcement

Violation of the law is deemed an unfair or deceptive practice under the Unfair Trade Practices and Consumer Protection Law. The Office of Attorney General has exclusive authority to bring a cause of action.

Next Steps

Any employer that stores personal information electronically should review the privacy and breach notification laws of every state in which it does business, not only the state where it is headquartered, to ensure compliance with all applicable requirements.
