Media Center

Amendments to Pennsylvania’s Data Breach Notification Law Expand Notification Obligations, Bring New Scrutiny for Municipalities and Government Contractors

February 21, 2023

Reprinted with permission from the February 21, 2023 edition of The Legal Intelligencer © 2023 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Amendments to Pennsylvania’s Breach of Personal Information Notification Act (BOPINA) will take effect May 3, 2023.  These are the first updates to Pennsylvania’s breach notification law since it was enacted in 2005 as part of the wave of adoption of model breach notification laws around the United States.  While many states since have substantially broadened the scope of their breach notification requirements, Pennsylvania’s legislature continues to take a more measured approach with the amendments passed in November 2022.

Some these BOPINA amendments modestly expand the circumstances under which notice must be provided to Pennsylvania residents in the wake of a data security incident.

But the most substantial new changes will require attention from Pennsylvania municipalities and from businesses that contract with those municipalities or directly with the Commonwealth, as the amendments impose new notice requirements and stricter deadlines on these entities.

Expansion of the definition of “personal information” and new triggers for notifications

Three new categories of data will now trigger notification obligations under BOPINA.  The 2005 law defined personal information as “An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

(i)  Social Security number.

(ii)  Driver’s license number or a State identification card number issued in lieu of a driver’s license.

(iii)  Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.

The three new categories of personal information included in the amended law are:

(iv)  Medical information; defined as, “Any individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment or diagnosis created by a health care professional.”

(v)  Health insurance information, defined as, “An individual’s health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits.”

(vi)  A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

Entities subject to HIPAA are accustomed to issuing notifications following breaches that permit unauthorized access to protected health information.  And HIPAA “covered entities” and “business associates” are deemed to comply with BOPINA if they comply with HIPAA.

But the additions of medical information and health insurance information to BOPINA will now impose notification requirements even if the entity suffering the breach is not subject to HIPAA as a covered entity or business associate.  In making additional entities subject to HIPAA-like requirements, Pennsylvania follows the trend of state governments bolstering breach notification requirements by gap-filling in the absence of action at the federal level.

The third category of data newly defined to constitute “personal information” under the BOPINA amendments creates a new notification obligation where there has been unauthorized access to a user name or email address and accompanying password that permit access to an online account.  At least 15 other states also require notification for breaches of such data.  The addition of this new category reckons with the habit of online users to recycle login credentials from website to website, and the accompanying cybersecurity threat of “credential stuffing” – hackers stealing databases of credentials from one site and running scripts to test those credentials against banking or other websites where access may permit online fraud.

Accompanying this change, the amended BOPINA also will permit a new form of electronic notification where the breach involves user login credentials: in such circumstances, websites will be permitted to direct the user to promptly change their password and login credentials on the site and on any other online accounts on which the user may have recycled the same user name, e-mail address, and password or security question and answer.

New timeline for notifications

BOPINA had previously required notifications be issued “without unreasonable delay” following the “discovery” of the breach.  This provision of the Act had been interpreted widely to ‘start the clock’ only after both a reasonable forensic investigation had been completed to determine the scope and nature of the incident and a legal determination had been made that breach notifications were required to be issued.

The amendments to BOPINA reinforce this widespread understanding by now requiring notification without unreasonable delay following “determination of the breach” and defining “determination” as the “verification or reasonable certainty that a breach of the security of the system has occurred.”

Separately, BOPINA now defines “discovery” as the “knowledge of or reasonable suspicion that a breach of the security of the system has occurred.”  As addressed below, the new distinction between “determination” and “discovery” under the amended BOPINA is part of the imposition of new obligations on state government contractors.

New notification requirements for municipalities and state government contractors

The amendments now require that “state agency contractors” must make special notifications upon “discovery” of a data breach.  Because “discovery” is defined as “knowledge of or reasonable suspicion” of a breach rather than “verification or reasonable certainty”, state agency contractors are now required to issue notifications more quickly than other entities under BOPINA.  State agency contractors are defined as “A person, business, subcontractor or third party subcontractor that has a contract with a State agency for goods or services that requires access to personal information for the fulfillment of the contract.”  Upon reasonable suspicion of a breach, these contractors must:

notify the chief information security officer, or a designee, of the State agency affected by the State agency contractor’s breach of the security of the system as soon as reasonably practical, but no later than the time period specified in the applicable terms of the contract between the State agency contractor and the State agency of the breach of the security of the system.

State agencies, themselves, also are subject to new requirements to issue notifications within 7 days of the “determination of the breach” to all affected individuals and to the Office of Attorney General.  Agencies also are now required to push down compliance with BOPINA by making such compliance an element of any contract that involves the use of personal information by a state agency contractor.

Pennsylvania municipalities will now find themselves facing a shorter timeline to issue notifications, as the BOPINA amendments require “a county, public school or municipality” that suffers a breach to provide notice to all affected individuals within 7 business days following “determination of the breach.”  Even before then, municipalities will now be required to notify the district attorney of the county in which the breach occurred within 3 business days of determination of the breach.

New data security requirements for state government contractors and other entities with access to Commonwealth systems and data

I have always described BOPINA and other state breach notification laws as “reactive” rather than “proactive” laws, in that notification laws dictate what entities need to do only after suffering a data breach.  These laws usually do not proscribe what data can be collected or how that data needs to be secured to prevent a breach from occurring.

That changes in Pennsylvania under the amended BOPINA, which for the first time imposes proactive requirements to protect data and systems belonging to the Commonwealth.  These new provisions apply to any “entity that maintains, stores or manages computerized data on behalf of the Commonwealth,” which encompasses state government contractors but also any entity, including municipalities, that have access to Commonwealth data and systems.

Such entities will now be required to:

  • utilize encryption, or other appropriate security measures, to reasonably protect the transmission of personal information over the Internet from being viewed or modified by an unauthorized third party
  • develop and maintain a policy to govern the proper encryption or other appropriate security measures and transmission of data by State agencies
  • develop a policy to govern reasonably proper storage of the personal information and reduce the risk of future breaches of the security of the system.
  • review and update the policies at least annually and otherwise as necessary

Paper records remain unaddressed

Finally, it is worthwhile to take note of what has not changed in the amended version of BOPINA.  The amendments reinforce that Pennsylvania’s breach notification requirements apply only in circumstances involving the compromise of electronically stored information, stating that BOPINA provides “for security of computerized data” and for notification to Pennsylvania residents whose personal information is disclosed due to a breach of the security of computerized system.  While 8 states (Alaska, Hawaii, Iowa, Massachusetts, North Carolina, South Carolina, Washington, and Wisconsin) have amended their breach notification laws to encompass paper records, the loss or theft of boxes of paper records containing personal information of Pennsylvania residents still does not give rise to a notification obligation (unless the records are covered by HIPAA or other federal notification requirements).

Devin Chwastyk is a member of McNees Wallace & Nurick LLC and the Chair of the firm’s Privacy & Data Security Group. For more than 15 years, he has counseled businesses on compliance with emerging privacy laws, represented parties in data breach litigation, and helped clients respond to data security incidents.