Pennsylvania Amends Data Breach Notification Law

Editor's Note: This article was originally published on the Maurice Wutscher blog and is republished here with permission 
Alexander / AdobeStock

Pennsylvania Gov. Josh Shapiro recently approved Senate Bill 824, which amends Pennsylvania’s data breach notification law, 73 Pa. Stat. Ann. § 2301, et seq.

The amendments will go into effect Sept. 26, 2024.

Among other things, the amendments:

–  Require concurrent notification to the Attorney General if notification must be given to more than 500 individuals

–  Require the notice to the Attorney General include:

  • The organization name and location
  • The date of the breach
  • A summary of the incident
  • An estimated number of individuals affected
  • An estimated number of individuals in Pennsylvania affected

–  Reduce the threshold for reporting an incident to consumer reporting agencies from more than 1,000 affected individuals to more than 500

–  Require entities that are required to report the incident to consumer reporting agencies to assume the costs of providing the affected individuals with:

  • Access to one credit report if an individual is not eligible for a free report
  • Access to credit monitoring services for one year