Pennsylvania amends the Breach of Personal Information Notification Act
On June 28, Pennsylvania enacted SB 824 (the “Act”), amending a previous bill from 2005 entitled the Breach of Personal Information Notification Act, which addresses the security of computerized data, mandates notification for consumers if their personal information may have been exposed due to a security breach, and imposes penalties. The Act enhances requirements for notifying individuals of security breaches, outlines obligations for notifying consumer reporting agencies, and provides for credit reporting and monitoring services in the event of data breaches.
The Act specifically requires an entity to provide a notice to the attorney general (AG), along with the affected individuals, if a security breach affects more than 500 individuals in the state. The notification to the AG must include, when known, the name and location of the organization, the date of the security breach, a summary of the incident, and an estimate of the total number of individuals affected by the breach, both within the state and overall. Entities that are already subject to the requirements of 40 PA.C.S. CH. 45, which pertains to insurance data security, are exempt from these notification obligations.
Further, under the Act, entities are required to notify affected individuals of a data breach and are responsible for covering costs related to providing credit reporting and monitoring services to those individuals. Specifically, the entity must provide access to an independent credit report from a consumer reporting agency free of charge, unless the individual is already entitled to receive a free credit report under federal law. Additionally, the entity must provide free access to credit monitoring services for 12 months following the notification of the breach.
The Act also specifies that an entity must satisfy these requirements if it determines that a security breach has occurred and there is a reasonable belief that personal information, including an individual’s name, in combination with their Social Security number, bank account number, or driver’s license/state ID number, has been accessed.