| Update applicable to | Effective date |
| --- | --- |
| All covered employers in Pennsylvania | September 26, 2024 |
What happened?
On June 28, 2024, Pennsylvania Governor Josh Shapiro signed an amendment to the state’s Breach of Personal Information Notification Act into law. These changes aim to enhance the protection of personal information and ensure timely and transparent communication in the event of a data breach.
What are the details?
Key Bites for Employers:
- Modification of the definition of personal information: the amendment adds medical information, health insurance information, and a username or email address in combination with a password or security question and answer to the definition of personal information.
- Modification of the definition of medical information: it now includes any identifiable information contained in a current or historical record.
- Notice requirement: if a breach involves the information of 500 or more Pennsylvania residents, the organization must notify the Pennsylvania Attorney General’s Office in the form and manner provided in the law. The insurance industry and private employers (in some cases) are exempt from this requirement.
- Complimentary credit monitoring offer: if a data breach occurs, entities must offer affected Pennsylvania residents free access to a credit report and credit monitoring services.
- Threshold for notice to credit reporting agencies reduced: the threshold for also notifying the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis has been reduced from 1000 to 500 or more state residents.
Business Considerations
- Employers should review and update their data protection policies to ensure compliance with the new requirements.
- Employers should notify the AG in case of a data breach in the form and manner provided in the law. Although the law does not state how the notification should be made, whether online or by letter, the best practice is to do both.
- Employers should implement robust security measures to protect the newly included types of personal information, such as medical and health insurance data, to prevent unauthorized access and breaches.
- Employers should train employees on the new data breach notification requirements, on the importance of protecting personal information to minimize the risk of breaches, and on how to manage breaches, including the appropriate steps to report and fix them.
- Employers should regularly audit their data security practices and systems to identify and address potential vulnerabilities that could lead to data breaches.
Source References
- PA 2024 Act 33 (Act 33)
- Pennsylvania amends Data Breach Notice Law: Enhanced protections for residents (McDonald Hopkins LLC)
- Pennsylvania Makes Significant Changes to Its Data Breach Notification Law (Baker & Hostetler LLP)
- Pennsylvania Amends Data Breach Notification Law (Alston & Bird)
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.