2023 is going to bring big changes to Pennsylvania’s Breach of Personal Information Notification Act. Although the revisions to the law do not go into effect until May 2, 2023, now is the time for Pennsylvania entities to ensure that they are in compliance before the effective date.
What Has Changed?
Expanded Definition of “Personal Information.” Following the trend started by other states, Pennsylvania’s updated breach notification law has an expanded definition of “personal information.” Previously, the definition of “personal information” under Pennsylvania law only included an individual’s first name or first initial and last name in combination with a Social Security number, driver’s license number, or a state identification card number and/or financial account number (e.g., credit or debit card number) in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Soon, in addition to those data elements, the law’s definition of “personal information” will include medical information, health insurance information and user name/email address in combination with a password or security question and answer that would permit access to an online account.
Electronic Notice Permitted in Certain Circumstances. Although Pennsylvania’s breach notification law currently permits email notice if a prior business relationship exists and a valid email address for the individual requiring notification is available, electronic notice will also be allowed if the “notice directs the person whose personal information has been materially compromised by a breach of the security of the system to promptly change the person’s password and security question or answer, as applicable, or to take other steps appropriate to protect the person’s online account to the extent the entity has sufficient contact information for the person.”
Short Breach Notification Deadlines and Regulatory Notice Required for State Agencies, Counties, Municipalities and Public Schools. Two of the more significant changes that will go into effect in May 2023 are the timelines state entities will need to follow for breach notification and new regulatory notice requirements. Under the revised law, state agencies will need to provide notification to individuals and to the Pennsylvania Office of the Attorney General within seven business days following the determination of a breach. In addition, if a state agency is under the governor’s jurisdiction, then it must also provide notice of a breach to the governor’s Office of Administration within three business days following the determination of a breach. Similarly, Pennsylvania counties, public schools and municipalities that experience a breach are required to provide notification to individuals within seven business days following the determination of a breach. They also have to provide notification of the incident to the district attorney in the county where the incident occurred within three business days following determination of a breach.
New State Agency Contractor Requirements. Not only was Pennsylvania’s breach notification law revised to impose new requirements on state agencies but there are also provisions that specifically address state agency contractors. Once this revised law goes into effect in May 2023, state agencies will need to include language in their agreements with contractors that addresses the updated provisions of the law, including the establishment of a timeline for notification of a breach by the contractor to the state agency.
Specific Encryption, Data Storage and Notification Requirements for State Agencies and Their Contractors. The revised data breach notification law now includes requirements for data encryption and storage for entities that maintain, store or manage computerized personal information on behalf of the Commonwealth.
Explicit Deference to HIPAA for Covered Entities and Business Associates Expanded. Although the current law contains language that states that entities complying with federal notification requirements are deemed to be in compliance with Pennsylvania’s law, the updated law now explicitly states that covered entities and business associates that are regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) and are acting in accordance with HIPAA are deemed to be in compliance with the law.
What Should Pennsylvania Businesses and Organizations Do Now?
Review and Revise Policies and Procedures. Now is the time to review your organization’s policies and procedures to ensure that they comply with the new provisions of Pennsylvania’s data breach law, especially if you are a state entity or have a contract with a state entity.
Identify Data in Your Possession. With the expanded definition of personal information, organizations should conduct an inventory or data mapping of the information in their possession.
State Entities and Contractors Need to Pay Attention to New Requirements for Data Encryption and Storage. Any entity that maintains, stores or manages computerized personal information on behalf of the Commonwealth needs to confirm that their data encryption and storage practices align with the new provisions of the law.
Conduct a Data Breach Tabletop Exercise. It is always best practice to conduct a data breach tabletop exercise to test out your incident response plan and identify areas for growth and improvement.