Pennsylvania’s Governor recently approved amendments to the Commonwealth’s data breach notification law, which represent a significant overhaul to the law. As detailed below, the amended law makes a number of material changes, including adding a regulator notification requirement, lowering the threshold of impacted Pennsylvania residents triggering a notification requirement to the consumer reporting agencies, slightly tweaking the definition of “personal information,” and adding a requirement to offer credit monitoring and to pay for a credit report for impacted individuals who are not able to obtain one for free. The amended law goes into effect on September 26, 2024.
Regulatory Notice. The amended data breach notification law now requires companies to notify the Commonwealth’s Attorney General when more than 500 residents of Pennsylvania are impacted in a data breach. Notice to the Attorney General must be provided at the same time the company notifies the impacted individuals, and include the company’s name, location, date of breach, summary of incident, estimated number of impacted individuals and the estimated number of impacted Pennsylvania residents. Similar to other state data breach notification laws, there are exceptions to the regulator notice requirement, including for those companies that are subject to the Commonwealth’s insurance data security law.
Consumer Reporting Agency Notice. Now, companies must notify the three major consumer reporting agencies if more than 500 residents of Pennsylvania are impacted by the data breach; previously the threshold was 1,000.
Personal Information. The new law narrows the definition of “personal information” that may trigger a notification requirement, which may be welcomed by hospitals, health insurance organizations, and other companies handling medical information of Pennsylvania residents. Now, “medical information” alone is no longer considered personal information; only medical information in the possession of a State agency or State agency contractor qualifies.
Credit Monitoring. Pennsylvania now requires companies to offer credit monitoring to impacted individuals, joining a handful of other states – California, Connecticut, Delaware, Massachusetts, and Washington, D.C. Companies must offer credit monitoring for at least 12 months if an individual’s Social Security number, driver’s license number, state ID number, or bank account number is impacted in the breach. The last data element – bank account number – is unique, as the other states typically trigger a credit monitoring requirement only if Social Security number and/or driver’s license number/state ID number are impacted.
Free Credit Reports. Here is where the new law gets really interesting. In what appears to be a first of its kind, Pennsylvania requires companies to assume all costs and fees associated with providing one independent credit report to each impacted individual, if the individual is not eligible to obtain an independent credit report from a consumer reporting agency for free (federal law gives individuals the right to obtain a free credit report every 12 months from each of the three major credit bureaus). Currently, many states require companies to explain how to procure a free credit report from credit reporting agencies, but Pennsylvania will actually obligate companies to pay for the credit report if a free report is not available to the impacted individual. This new requirement raises a number of questions that are not directly addressed in the law. For example:
- How will companies validate whether the impacted individual is not in fact eligible for a free credit report and what reasonable steps must the company take to validate eligibility? While it seems reasonable that companies will (and arguably should) take some steps to validate eligibility, the extent of probing may be difficult, and may feel intrusive to impacted individuals (who already feel as though they’ve been harmed by the company).
- How long must companies extend the free credit report offer? The law is silent on this issue, but we may see companies align the timeline to offer a free credit report with the timeline for enrolling in credit monitoring (90 days has become the norm/industry standard).
- How will companies pay for the credit report? Similar to offering credit monitoring codes, it would not be surprising to see companies leverage third party notification and call center vendors, who typically are able to provide credit monitoring codes to impacted individuals and help individuals with the enrollment process. Impacted individuals, however, may purchase their own credit report and expect reimbursement from the company on the backend, which may present some practical challenges for the company (i.e., cutting checks to each individual).