PENNSYLVANIA PRIVACY LAWS

Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay

Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

  • Constitutes an unfair trade practice

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • If any state residents are affected by a breach, the breached Organization must give notice without delay to each affected individual.
  • When notification is made to more than 1,000 persons at one time, the breached Organization must report to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Heightened disclosure requirements may apply to entities dealing with Social Security Numbers.
  • There are specific additional requirements for licensees under the “Insurance Company Law of 1921” that address how a licensed insurer should handle and protect nonpublic personal financial information as defined under the law.
  • Vendors must notify Organizations without delay after discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • A violation of the Breach of Personal Information Notification Act shall be deemed to be an unfair or deceptive act or practice under the Unfair Trade Practices and Consumer Protection Law, and the Office of Attorney General shall have exclusive authority to bring an action for a violation.
Statutes and Laws
  • 73 Pa. Stat. §§ 2301 – 2308 & 2329 Breach of Personal Information Notification Act
  • 73 Pa. Stat. §§ 2330.1 – 2330.9 Consumer Protection Against Computer Spyware Act
  • 31 Pa. Code § 146 Unfair Insurance Practices
  • 31 Pa. Code § 146b Privacy of Consumer Health Information
  • 31 Pa. Code § 146c Standards for Safeguarding Customer Information
