73 Pa. Stat. § 2301 et seq.

S.B. 712 (signed into law Dec. 22, 2005, Act No. 94)

Effective June 20, 2006


Application. Any state agency, political subdivision, or an individual or a business (collectively, Entity) doing business in PA that maintains, stores, or manages computerized data that includes PI of PA residents.

Security Breach Definition. Unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of PI maintained by the Entity as part of a database of PI regarding multiple individuals and that causes or the Entity reasonably believes has caused or will cause loss or injury to any resident of PA.

  • Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system if the PI is not used for a purpose other than the lawful purpose of the Entity and is not subject to further unauthorized disclosure.

Notification Obligation. Any Entity to which the statute applies shall provide notice of any breach of the security of the system to any individual whose principal mailing address, as reflected in the computerized data that is maintained, stored, or managed by the Entity, is in PA and whose unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person.

  • An Entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption, or if the security breach involves a person with access to the encryption key.

Notification to Attorney General. There is no generally applicable attorney general notification requirement, but multiple, different, very short deadlines apply to state agencies, their contractors, counties, municipalities and schools. See § 2303.

Notification to Consumer Reporting Agencies. When an Entity provides notification under this act to more than 1,000 persons at one time, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and number of notices.

Third-Party Data Notification. An Entity that maintains, stores, or manages computerized data on behalf of another Entity shall provide notice of any breach of the security of the system following discovery to the Entity on whose behalf it maintains, stores, or manages the data.

Timing of Notification. Except to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay.

Personal Information Definition. An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

  • Social Security number;
  • Driver’s license number or state identification card number issued in lieu of a driver’s license;
  • Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  • Medical Information;
  • Health Insurance Information; or
  • User name or email address in combination with a password or security questions and answers that would permit access to an online account.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notice Required. Notice may be provided by any of the following methods:

  • Written notice to the last known home address for the individual;
  • Telephonic notice, if the customer can be reasonably expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms, and verifies PI but does not require the customer to provide PI, and the customer is provided with a telephone number to call or a website to visit for further information or assistance; or
  • Email notice, if a prior business relationship exists and the Entity has a valid email address for the individual.

For online account credentials: Notice may be provided in electronic form that directs the individual to promptly change his or her password and security question or answer, or to take other appropriate steps to protect the online account with the entity or other online accounts involving the same login credentials.

Substitute Notice Available. Substitute notice is available if the Entity demonstrates that the cost of providing notice would exceed $100,000, the affected class of subject persons to be notified exceeds 175,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:

  • Email notice when the Entity has an email address for the subject persons;
  • Conspicuous posting of the notice on the Entity’s website, if the Entity maintains one; and
  • Notification to major statewide media.

Exception: Own Notification Policy. An Entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of PI and is consistent with the notice requirements of this act shall be deemed to be in compliance with the notification requirements of this act if it notifies subject persons in accordance with its policies in the event of a breach of security.

Exception: Compliance with Other Laws.

  • Compliance with Primary Regulator. An Entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the Entity’s primary or functional federal regulator shall be in compliance with this act.
  • Federal Interagency Guidance. A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this act.

Other Key Provisions:

  • Delay for Law Enforcement. Notification required may be delayed if a law enforcement agency determines and advises the Entity in writing, specifically referencing the statute, that the notification will impede a criminal or civil investigation. The required notification shall be made after the law enforcement agency determines that it will not compromise the investigation or national or homeland security.
  • Attorney General Enforcement. The Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of the statute.