
Pennsylvania

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: Yes

2005 Pa. Laws 474 (unofficially consolidated in 73 P.S. §§ 2301–2329 (West 2019))

Scope of this Summary:

Notification requirements applicable to entities that conduct business in the state and maintain, store, or manage covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.

Risk of Harm Threshold

Notification not required if the covered entity reasonably believes that the breach has not and will not cause loss or injury to any Pennsylvania resident.

Breach Defined

Unauthorized access and acquisition that materially compromises the security or confidentiality of the covered info, excluding certain good-faith acquisitions by employees or agents.

Encryption Safe Harbor

Statute does not apply to information that is encrypted or redacted so long as encryption key was not accessed or acquired.

Form of Covered Info

Electronic only

Covered Information

Personal information means an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements:

  • Social Security number;
  • driver's license number or a state identification card number issued in lieu of a driver's license;
  • financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  • medical information in the possession of a State agency or State agency contractor;
  • health insurance information; or
  • a username or email address, in combination with a password or security question and answer that would permit access to an online account.

Consumer Notice Timing

Must be made without unreasonable delay, taking any necessary measures to determine the scope of the breach and to reasonably restore the integrity of the system.

Consumer Notice Method

  • By written notice (to the last-known home address), by telephone notice (if the consumer can be reasonably expected to receive it), or by email notice (if a prior business relationship exists and the entity has a valid email address). Substitute notice is available if certain criteria are satisfied.
  • Effective May 2, 2023, a covered entity may comply with notice requirements by providing notice in electronic or another form that directs the person whose personal information has been materially compromised to promptly change their password and security question or answer if the breach involves either.

Consumer Notice Content

The Pennsylvania statute requires that if credit monitoring services are provided to the affected individual, the services will be provided free for 12 months.

Delayed Notice

Notification may be delayed if law enforcement determines and advises the covered entity in writing specifically referencing this section that notification will impede a criminal or civil investigation.

Government Notice

When notice of the breach of security must be given to more than 500 affected individuals in this Commonwealth, notice shall be made concurrently to the Office of Attorney General. Notice must provide the organization name and location, the date of the breach, a summary of the breach incident, and an estimated total number of Pennsylvania individuals affected by the breach.

An entity subject to requirements relating to insurance data security shall be exempt from this notice requirement.

Consumer Reporting Agency Notice

If more than 500 residents are notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and number of consumer notices.

If it is determined that the breach involved an individual's first name or first initial and last name in combination with their Social Security number, bank account number, or driver's license or state ID number, an entity shall provide access to free credit monitoring services for a period of 12 months following notification.

Exceptions for Other Laws

Effective May 2, 2023, any covered entity that is subject to and in compliance with the privacy and security standards for the protection of electronic personal health information established under the Health Insurance Portability and Accountability Act of 1996 or the Health Information Technology for Economic and Clinical Health (HITECH) Act is deemed in compliance with the statute (§ 5.3, S.B. 696).

Third-Party Notice

If you maintain, store, or manage covered info on behalf of another entity, you must notify it following discovery of a breach.

Private Right of Action

The Pennsylvania statute does not provide for a private right of action.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on September 26, 2024

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.