When Does a Data Breach Require Disclosure Under Pennsylvania’s Data Breach Notification Act?

This is part two of a three-part series about data breaches and the requirements of Pennsylvania law relating to data breach notification. Part one of this series was Doing Business in 2019? You Should Be Thinking About Data Security.

 The first post in this series made the case for why you should take data security seriously. Otherwise, you’ll need to worry about the daunting task of complying with a multitude of data breach notification laws and the public relations nightmare of being the next company that revealed its customers’ personal information.

But as the saying goes: the best-laid plans of mice and men often go awry.

In this post, I’ll provide an overview of when notification is required under Pennsylvania’s data breach notification statute, the Breach of Personal Information Notification Act, which is codified at 73 P.S. § 2301 et seq. (The final post in this series will discuss the notification requirements once a breach requiring disclosure occurs.)

When is Disclosure Required?

Disclosure of a data breach must be made any time an entity subject to compliance discovers a breach of the security of the system where a Pennsylvania resident’s unencrypted and unredacted personal information is reasonably believed to have been acquired by an unauthorized person.

Notice must also be given when encrypted personal information was accessed and acquired in unencrypted form, the breach is linked to a breach of the security of the encryption, or a person involved in the breach had access to the encryption key.

Breaking Down the Disclosure Requirement

Let’s break down the key terms of the statute.

An “entity subject to compliance” is an expansive definition that means any individual or business doing business in Pennsylvania, along with state agencies and political subdivisions, that maintains, stores, or manages computerized data that includes personal information.

“Breach of the security of the system” is defined as “the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.”

“Personal information” means an individual’s first name or first initial and last name when linked to one or more of the following unencrypted data elements:

1. Social security number;
2. Driver’s license number, or state identification number issued in lieu of a driver’s license; or
3. Financial account number, credit or debit card number, when combined with any required security code, access code, or password that would permit access to an individual’s financial account.

It’s important to note that the notification requirement is triggered upon reasonable belief that unencrypted and unredacted personal information was acquired. To determine whether this obligation has been triggered and whether similar requirements in other jurisdictions apply, you should consult with qualified information technology professionals and legal counsel.

Matt Landis is an attorney at Russell, Krafft & Gruber, LLP, in Lancaster, Pennsylvania. He received his law degree from Widener University Commonwealth School of Law and works regularly with business owners and entrepreneurs. Matt is one of the founding members of the RKG Tech Law Group.