Breach of Personal Information Notification (BPIN) Act Amendment

Houston Harbaugh, P.C.

Important amendments to Pennsylvania’s data breach law – the Breach of Personal Information Notification Act (the “Act”) – will take effect May 3, 2023. This is an important update to Pennsylvania data privacy laws as the legislature attempts to provide additional data protections to the Commonwealth’s citizens.

The Act requires notification to Pennsylvania residents whose personal information was or may have been disclosed due to a breach of the security of a company’s or other entity’s system. Similar to other states’ data breach notification statutes, the amendment (in November) expanded the definition of “personal information.” This expanded definition includes medical and health information, and a user name or email address in combination with a password or security questions and answers that would permit access to an online account.

These items now included in the definition of personal information are in addition to the categories of personal information that all states regulate – such as names in conjunction with driver’s license and social security numbers.

The Act defines a “breach of the security of the system” as “unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals . . ..”

As it stands today, the Act requires notification when a “discovery” has been made that there was a security breach. Beginning May 3, the Act will require notification when a “determination” of a breach has been made. According to the definitions included in the Act and amendment, a “discovery” occurs when the entity has “[t]he knowledge of or reasonable suspicion” that a breach has occurred, while a “determination” occurs when the entity has “[a] verification or reasonable certainty” that a breach has occurred. This is clearly a more “entity-friendly” version of the Act, as the company is able to verify a breach before performing notifications.

As an additional improvement to the process of coordinating data breach responses, entities will now be allowed to provide email notice to affected data subjects when the breach involves a user name or email address, in combination with a password or a security question and answer, that could be used to allow access to an online account. An email notice will be permitted under these circumstances if the email directs the individual to promptly change his or her information or to take other appropriate steps to protect the individual’s online accounts.

In summary, the new amendment is an improvement for both companies and Pennsylvania citizens. The notification process is improved, and companies can now verify a breach before notification requirements set in.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Houston Harbaugh, P.C. | Attorney Advertising
