On June 28, Pennsylvania updated its data protection laws with the enactment of SB 824, revising the Breach of Personal Information Notification Act of 2005. This new legislation focuses on enhancing the security of digital data and imposes stricter requirements for notifying both consumers and authorities following a data breach. The changes reflect a broader trend towards more stringent data protection measures across various jurisdictions.
Under the updated law, organizations must notify the affected individuals and the Pennsylvania Attorney General, along with consumer reporting agencies, without unreasonable delay if a breach affects more than 500 residents. The notification to the Attorney General must include specific details such as the organization’s name, the breach date, a summary of the incident, and an estimate of the number of affected individuals both in Pennsylvania and beyond.
The new legislation also requires entities to cover the costs of providing affected individuals with free credit reporting and monitoring services for one year following the breach notification. This added requirement is designed to help mitigate the impact of breaches on consumers by offering them tools to monitor and protect their personal information.
The updated Act will take effect in 90 days, prompting businesses to swiftly adapt to the new compliance requirements. Companies dealing with breaches affecting multiple states must also consider how Pennsylvania’s regulations interact with those of other jurisdictions to ensure comprehensive compliance and effective breach management.