Background – 2005 Act
In December 2005, Pennsylvania enacted the Breach of Personal Information Notification Act (the “2005 BPINA”). Its stated purpose is to provide “for security of computerized data and for the notification of residents whose personal information data was or may have been disclosed due to a breach of the security of the system.”
The 2005 Act defines “personal information” as follows:
An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
Social Security number;
Driver’s license number or a State identification card number issued in lieu of a driver’s license; and/or
Financial account number, credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account.
“Personal information” does not include publicly available information that is lawfully made available to the general public from Federal, State, or local government records or widely distributed media.
On Nov. 3, 2022, Gov. Wolf signed into law Senate Bill No. 696, known as P.L.2139, No.15, which amends the 2005 BPINA (the “2022 Amendment”) effective May 2, 2023 (the 2005 BPINA, as amended by the 2022 Amendment, will be referred to as the “Amended BPINA”).
The 2022 Amendment adds definitions of “medical information” and “health insurance information” and expands the definition of “personal information” to include medical information, health insurance information, and “a username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” This is significant given that numerous entities contract with third party vendors to provide services such as online payment of bills, online banking and investment management, or health information portals. To access these services, an account usually must be established and login information provided, which usually consists of a username and password. “Health insurance information” is defined as “an individual’s health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits.” The 2022 Amendment defines “medical information” as “[a]ny individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment or diagnosis created by a health care professional.”
The Amended BPINA applies to entities, defining an “entity” as “[a] State agency, a political subdivision of the Commonwealth or an individual or a business doing business in this Commonwealth.” A “State agency” is defined as “[a]ny agency, board, commission, authority or department of the Commonwealth and the General Assembly.” The 2022 Amendment added the definition of “State agency contractor,” which is “[a] person, business, subcontractor or third-party subcontractor that has a contract with a State agency for goods or services that requires access to personal information for the fulfillment of the contract.”
An examination of the notification requirements under the Amended BPINA is critical:
As a general rule, an entity that “maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following determination of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.” Typically, “the notice shall be made without unreasonable delay” and a “resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.” The 2022 Amendment defines “determination” as “[a] verification or reasonable certainty that a breach of the security of the system has occurred.”
The 2022 Amendment provides for new notification requirements for state agencies and state agency contractors as well as counties, public schools, and municipalities. After the effective date of the 2022 Amendment, the Amended BPINA requires a State agency that enters into a contract with a State agency contractor involving the use of personal information to ensure that the contract includes provisions relating to the State agency contractor’s compliance with the Amended BPINA.
The 2005 Act contains provisions applicable to vendors, specifically:
“A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security of the system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this act.”
The 2005 BPINA provides that notification may be made by any of the following methods:
Written notice to the last known home address for the individual.
Telephonic notice, if the individual can be reasonably expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies personal information but does not require the individual to provide personal information and the individual is provided with a telephone number to call or Internet website to visit for further information or assistance.
E-mail notice, if a prior business relationship exists and the person or entity has a valid e-mail address for the individual.
The 2005 BPINA further provides that “an entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.”
The 2022 Amendment added a fourth method of notification: “Electronic Notice.” Specifically, “if the notice directs the person whose personal information has been materially compromised by a breach of the security of the system to promptly change the person’s password and security question or answer, as applicable, or to take other steps appropriate to protect the person’s online account to the extent the entity has sufficient contact information for the person, may comply with this section by providing the breach of the security of the system notification in electronic or other form that directs the person whose personal information has been materially compromised by the breach of the security of the system to promptly change the person’s password and security question or answer…”
Information and Storage Policies
The Amended BPINA contains provisions relating to the establishment of policies regarding data breaches, and most of these provisions relate to an entity that “maintains, stores or manages computerized data on behalf of the Commonwealth that constitutes personal information.” The Amended BPINA, however, also provides that “[a]n entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and is consistent with the notice requirements of this act shall be deemed to be in compliance with the notification requirements of this act if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.” The foregoing presupposes that an entity has a privacy or security policy. Thus, all entities that are subject to the Amended Act need to have updated policies.
Another key aspect of the 2022 Amendment concerns entities that are subject to federal regulations. Notably, any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic personal health information established under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act is deemed to be in compliance with the provisions of the Amended Act. Further, “[a]n entity, a State agency or a State agency’s contractor that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the entity’s, State agency’s or State agency’s contractor’s primary State or functional Federal regulator, shall be in compliance with the [Amended BPINA] act.”
A violation of the Amended BPINA is deemed to be an unfair or deceptive act or practice in violation of the act of Dec. 17, 1968 (P.L.1224, No.387), known as the “Unfair Trade Practices and Consumer Protection Law.” The Office of Attorney General has exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of the Amended BPINA.
Pennsylvania’s Breach of Personal Information Notification Act, as amended effective May 2, 2023, has expanded the definition of “personal information,” making more entities subject to the Amended Act and to its notification requirements and its information and storage policy provisions. Entities such as municipalities, banks and other financial institutions, wealth management companies, medical and health care providers that are not subject to HIPAA, contractors, and vendors that maintain, store or manage computerized data will now need to evaluate their existing data gathering protocols and their existing notification policies and procedures (or adopt new ones) to address a data breach.