January 28, 2023

Volume XIII, Number 28

Municipalities: Note the 2022 Amendments to the Breach of Personal Information Notification Act

The Breach of Personal Information Notification Act (the “Act”) was created to require entities that store and maintain “personal information” to provide certain notification following the discovery of any sort of data breach to any resident of the Commonwealth. An entity is defined as “a State agency, a political subdivision of the Commonwealth or an individual or a business doing business in this Commonwealth.” 73 P.S. § 2302.

On November 3, 2022, the Governor signed PA Senate Bill 696, also known as Act 151 of 2022 (“Act 151”), which made sweeping amendments in response to issues brought to light by the COVID-19 pandemic, such as the failure to address certain subsets of personal information. The Act was therefore amended to include the following under “personal information”:

“Medical information,” which is defined as “[a]ny individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment or diagnosis created by a healthcare professional”;

“Health insurance information,” which is defined as “[a]n individual’s health insurance policy number or subscriber number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits”; and

“Username or e-mail address, in combination with a password or security question that would permit access to an online account.”

Act 151 also expands the requirements for entities to report such breaches. An entity that maintains, stores, or manages computerized data of personal information must notify individuals about a breach without unreasonable delay; however, if a state agency, county, municipality, or public school (“local agencies”) suffers a breach, it must send notice of the breach within seven business days following determination of the breach, and it must concurrently notify the Office of the Attorney General. It is important to note that Act 151 requires these local agencies to act only upon an official determination, which is newly defined as “a verification or reasonable certainty that a breach of the security of the system has occurred.” A contractor of any local agency must notify the agency upon any discovery of a breach.

One of the biggest challenges for local agencies will be complying with Section 4 of the Act, which requires all entities that maintain, store, or manage computerized data to utilize encryption to protect personal data. This may require a systems upgrade or software purchases for smaller local agencies. Agencies should also carefully vet vendors to ensure they are familiar with these requirements and able to meet them.

©2023 Strassburger McKenna Gutnick & Gefsky

National Law Review, Volume XII, Number 343

About this Author

Elizabeth C. Rubenstein
Associate

Elizabeth C. Rubenstein is an associate attorney with a focus on the public sector, zoning, and land use law. She advises and represents municipalities, nonprofits, businesses, and quasi-governmental organizations in the Greater Pittsburgh area on issues of municipal and real estate law.

Elizabeth’s experience in the public sector brings a depth of practical and legal knowledge to her practice. As a Right-to-Know Officer for the Allegheny County Health Department, she investigated and litigated numerous matters, and understands the real world...

412‑281‑5423