{"id":4124,"date":"2025-01-21T11:45:27","date_gmt":"2025-01-21T16:45:27","guid":{"rendered":"https:\/\/www2.law.temple.edu\/10q\/?p=4124"},"modified":"2025-01-21T11:45:27","modified_gmt":"2025-01-21T16:45:27","slug":"amendments-expand-pennsylvanias-data-breach-notification-law","status":"publish","type":"post","link":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/","title":{"rendered":"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law"},"content":{"rendered":"

January 21, 2025<\/p>\n

Businesses suffering a data breach affecting Pennsylvania residents may have new compliance obligations pursuant to a recent amendment to the Commonwealth’s data breach notification law. Earlier this year, Pennsylvania lawmakers enacted a bill amending the state’s Breach of Personal Information Notification Act (BPINA). Those changes came into effect on September 26 (the September Amendments) and represent the second update to BPINA in two years. The September Amendments contain several significant changes to the law, including imposing new obligations and reporting requirements on companies that have experienced a breach.<\/p>\n

REQUIRED NOTICE TO THE ATTORNEY GENERAL<\/strong><\/p>\n

Unlike the data breach reporting laws of many other states, BPINA had previously not imposed any requirement that the state Attorney General be notified in the event of a breach. That changed when the September Amendments came into effect\u2014the AG must now be notified of any breach affecting more than 500 Pennsylvania residents. The notification must include certain information, including a summary of the breach incident and an estimate of the total number of impacted individuals.<\/p>\n

The September Amendments do not specify how a breached entity must notify the AG. However, in response to the changes and in preparation for the new notice requirement, the AG’s office announced the release of an online portal<\/a> via which companies could report breaches.<\/p>\n

The September Amendments also updated the threshold for providing notification to consumer reporting agencies\u2014entities like Equifax, Experian, and Transunion\u2014from 1,000 to 500 people.<\/p>\n

CREDIT MONITORING<\/strong><\/p>\n

The September Amendments also impose a new requirement that, under certain circumstances, breached entities provide one year of credit monitoring services to impacted individuals. Companies must offer credit monitoring to individuals whose first and last names were exposed in combination with either: (1) their social security number, (2) their bank account number and\/or (3) their driver’s license or state ID number.<\/p>\n

While every state has a data breach notification law, Pennsylvania is only the sixth jurisdiction to require credit monitoring, joining California, Connecticut, Delaware, Massachusetts, and DC. These other laws only require credit monitoring in circumstances where social security numbers or, in California, Connecticut, and DC, certain other government-issued ID numbers are included in the breach. Pennsylvania is the first to require credit monitoring based on the exposure of bank account numbers.<\/p>\n

Overall, the September Amendments represent a set of significant updates to BPINA. While state AG notification is a fairly common requirement among data breach notification laws, an obligation to offer credit monitoring is not. Companies handling Pennsylvanians’ personal information, particularly those handling information covered by the credit monitoring requirement, should carefully evaluate how these changes may impact their obligations in the event of a data breach.<\/p>\n

The article in its original form can be found here<\/a>.<\/p>\n

 <\/p>\n

Benjamin Mishkin<\/em><\/a> (LAW \u201912) is a member at Cozen O\u2019Connor representing clients in artificial intelligence and technology, privacy, and data security matters as well as privacy litigation. <\/em>Daniel Kilburn<\/em><\/a> (LAW \u201923) is an associate at Cozen O\u2019Connor representing clients in artificial intelligence and technology, privacy, and data security matters.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

January 21, 2025
\nBenjamin Mishkin (LAW \u201912) and Daniel Kilburn (LAW \u201923) outline the recent amendment to the Commonwealth’s data breach notification law and the new obligations imposed on businesses that suffer a data breach involving Pennsylvania residents.<\/p>\n","protected":false},"author":33,"featured_media":4125,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,52,2002,22],"tags":[2558,2902,2903,106,676,2904,2285,246,474],"coauthors":[2900,2901],"class_list":["post-4124","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-alumni-authored","category-compliance","category-consumer-protection","category-corporate-responsibility","tag-attorney-general","tag-bpina","tag-breach-of-personal-information-notification-act","tag-compliance","tag-consumer-protection","tag-credit-monitoring","tag-data-breach-notification","tag-pennsylvania","tag-reporting","masonry-post","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"yoast_head":"\nAmendments Expand Pennsylvania\u2019s Data Breach Notification Law - The Temple 10-Q<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law - The Temple 10-Q\" \/>\n<meta property=\"og:description\" content=\"January 21, 2025 Benjamin Mishkin (LAW \u201912) and Daniel Kilburn (LAW \u201923) outline the recent amendment to the Commonwealth's data breach notification law and the new obligations imposed on businesses that suffer a data breach involving Pennsylvania residents.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/\" \/>\n<meta property=\"og:site_name\" content=\"The Temple 10-Q\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-21T16:45:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"853\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Benjamin Mishkin (LAW \u201912), Daniel Kilburn (LAW \u201923)\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Benjamin Mishkin (LAW \u201912), Daniel Kilburn (LAW \u201923)\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/\"},\"author\":{\"name\":\"Erica Maier\",\"@id\":\"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/d88f9d6c1e573914b328a9fc287d495a\"},\"headline\":\"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law\",\"datePublished\":\"2025-01-21T16:45:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/\"},\"wordCount\":507,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg\",\"keywords\":[\"Attorney General\",\"BPINA\",\"Breach of Personal Information Notification Act\",\"Compliance\",\"Consumer Protection\",\"Credit Monitoring\",\"Data Breach Notification\",\"Pennsylvania\",\"Reporting\"],\"articleSection\":[\"Alumni Authored\",\"Compliance\",\"Consumer Protection\",\"Corporate Responsibility\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/\",\"url\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/\",\"name\":\"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law - The Temple 10-Q\",\"isPartOf\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg\",\"datePublished\":\"2025-01-21T16:45:27+00:00\",\"author\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/d88f9d6c1e573914b328a9fc287d495a\"},\"breadcrumb\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#primaryimage\",\"url\":\"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg\",\"contentUrl\":\"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg\",\"width\":1280,\"height\":853},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/law.temple.edu\/10q\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/law.temple.edu\/10q\/#website\",\"url\":\"https:\/\/law.temple.edu\/10q\/\",\"name\":\"The Temple 10-Q\",\"description\":\"Temple's Business Law Magazine\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/law.temple.edu\/10q\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/d88f9d6c1e573914b328a9fc287d495a\",\"name\":\"Erica Maier\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/287d6d70b5641c5fca2014a2642c81f4173a498c7b1d1dafac589e1a9dc74e18?s=96&d=mm&r=g5e523333d61dc7fabb86b49c5ffcbaee\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/287d6d70b5641c5fca2014a2642c81f4173a498c7b1d1dafac589e1a9dc74e18?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/287d6d70b5641c5fca2014a2642c81f4173a498c7b1d1dafac589e1a9dc74e18?s=96&d=mm&r=g\",\"caption\":\"Erica Maier\"},\"url\":\"https:\/\/law.temple.edu\/10q\/author\/emaier\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law - The Temple 10-Q","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/","og_locale":"en_US","og_type":"article","og_title":"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law - The Temple 10-Q","og_description":"January 21, 2025 Benjamin Mishkin (LAW \u201912) and Daniel Kilburn (LAW \u201923) outline the recent amendment to the Commonwealth's data breach notification law and the new obligations imposed on businesses that suffer a data breach involving Pennsylvania residents.","og_url":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/","og_site_name":"The Temple 10-Q","article_published_time":"2025-01-21T16:45:27+00:00","og_image":[{"width":1280,"height":853,"url":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg","type":"image\/jpeg"}],"author":"Benjamin Mishkin (LAW \u201912), Daniel Kilburn (LAW \u201923)","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Benjamin Mishkin (LAW \u201912), Daniel Kilburn (LAW \u201923)","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#article","isPartOf":{"@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/"},"author":{"name":"Erica Maier","@id":"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/d88f9d6c1e573914b328a9fc287d495a"},"headline":"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law","datePublished":"2025-01-21T16:45:27+00:00","mainEntityOfPage":{"@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/"},"wordCount":507,"commentCount":0,"image":{"@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#primaryimage"},"thumbnailUrl":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg","keywords":["Attorney General","BPINA","Breach of Personal Information Notification Act","Compliance","Consumer Protection","Credit Monitoring","Data Breach Notification","Pennsylvania","Reporting"],"articleSection":["Alumni Authored","Compliance","Consumer Protection","Corporate Responsibility"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/","url":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/","name":"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law - The Temple 10-Q","isPartOf":{"@id":"https:\/\/law.temple.edu\/10q\/#website"},"primaryImageOfPage":{"@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#primaryimage"},"image":{"@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#primaryimage"},"thumbnailUrl":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg","datePublished":"2025-01-21T16:45:27+00:00","author":{"@id":"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/d88f9d6c1e573914b328a9fc287d495a"},"breadcrumb":{"@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#primaryimage","url":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg","contentUrl":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg","width":1280,"height":853},{"@type":"BreadcrumbList","@id":"https:\/\/law.temple.edu\/10q\/amendments-expand-pennsylvanias-data-breach-notification-law\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/law.temple.edu\/10q\/"},{"@type":"ListItem","position":2,"name":"Amendments Expand Pennsylvania\u2019s Data Breach Notification Law"}]},{"@type":"WebSite","@id":"https:\/\/law.temple.edu\/10q\/#website","url":"https:\/\/law.temple.edu\/10q\/","name":"The Temple 10-Q","description":"Temple's Business Law Magazine","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/law.temple.edu\/10q\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/d88f9d6c1e573914b328a9fc287d495a","name":"Erica Maier","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/287d6d70b5641c5fca2014a2642c81f4173a498c7b1d1dafac589e1a9dc74e18?s=96&d=mm&r=g5e523333d61dc7fabb86b49c5ffcbaee","url":"https:\/\/secure.gravatar.com\/avatar\/287d6d70b5641c5fca2014a2642c81f4173a498c7b1d1dafac589e1a9dc74e18?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/287d6d70b5641c5fca2014a2642c81f4173a498c7b1d1dafac589e1a9dc74e18?s=96&d=mm&r=g","caption":"Erica Maier"},"url":"https:\/\/law.temple.edu\/10q\/author\/emaier\/"}]}},"jetpack_featured_media_url":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2025\/01\/Mishkin_Kilburn_Image-1.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/posts\/4124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/users\/33"}],"replies":[{"embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/comments?post=4124"}],"version-history":[{"count":0,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/posts\/4124\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/media\/4125"}],"wp:attachment":[{"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/media?parent=4124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/categories?post=4124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/tags?post=4124"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/coauthors?post=4124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}