Pennsylvania's Amended Data Breach Law Upends Standard Framework
Pennsylvania recently amended its data breach notification law in a way that turns the status quo on its head. The law, Senate Bill 824, adds an obligation to provide regulatory notice and tweaks the definition of personal information before it gets wild: adding novel credit monitoring requirements and an obligation to pay for credit reports. The new law takes effect on Sept. 26, 2024. But there are a lot of open questions that need to be answered before then about what companies must do to comply, especially with the requirements surrounding credit reports.
Life Before Senate Bill 824
Before Senate Bill 824 became law, Pennsylvania had a conventional data breach law. Companies were required to notify individuals of a breach affecting relatively standard data elements: (1) login credentials or (2) name plus Social Security numbers, driver’s license numbers, financial account numbers, medical information, or health insurance details. There were exceptions for some companies that complied with certain state/federal regulatory requirements governing notice. Private companies did not need to provide regulatory notice (the same cannot be said for state agencies/contractors), but those companies were required to notify the consumer reporting agencies if more than 1,000 people were affected by the breach.
Everything changed on June 28, 2024.
Senate Bill 824 Upends the Standard Framework
Pennsylvania overhauled its breach notification law when Governor Josh Shapiro signed Senate Bill 824 into law on June 28, 2024. The new law makes changes touching on five topics: (1) regulatory notice, (2) consumer reporting agency notice, (3) personal information, (4) credit monitoring, and (5) credit reports.
Regulatory Notice
Joining the growing majority of jurisdictions, the law adds a requirement that companies notify the commonwealth’s attorney general of certain breaches. This notice is required when a company notifies more than 500 people in Pennsylvania based on commonwealth law. If regulatory notice is needed, the company must notify the attorney general at the same time the company notifies individuals, and the regulatory notice must include the following details (to the extent known):
- Organization’s name and location
- Date of breach
- Summary of incident
- Estimated number of impacted individuals (and how many are Pennsylvania residents)
There are a few exceptions to this reporting obligation. A company meeting the 500-person threshold does not need to notify the attorney general if it is subject to the commonwealth’s insurance data security law. Pennsylvania also does not require regulatory notice (or individual notice) if (1) a company complies with its regulator’s notification rules or (2) a financial institution fulfills its obligations under the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
Consumer Reporting Agency Notice
The law lowered the threshold for notifying the consumer reporting agencies. That notice will be required for any incident affecting more than 500 people (down from the 1,000-person threshold under the old law). This is a relatively low threshold compared to most other states, but not significantly so.
Personal Information
In a surprise twist, the new law actually narrows the definition of information that can trigger notifications. Medical information is no longer sufficient—it must be “medical information in the possession of a State agency or State agency contractor.” [Yes, the commonwealth refers to “state agencies.”] This drastically limits the scope of health information and comes as a welcome reprieve to hospitals, insurance companies, and others who may handle health data.
Credit Monitoring
Here is where the law starts to get funky. Pennsylvania joins five other states (California, Connecticut, Delaware, Massachusetts, and Washington, D.C.) in requiring credit monitoring. Under the new law, companies must provide 12 months of credit monitoring to individuals who had their name plus a Social Security number, driver’s license number, state ID number, or bank account number impacted in the breach. Yes, you read that right—the list includes bank account number. This is novel; no other state requires credit monitoring for breaches involving financial details, and even the FTC does not recommend credit monitoring when such information is lost or exposed in a breach. It is unclear how credit monitoring, which helps prevent identity theft, will be useful for someone who merely had their name and bank account details impacted in a breach.
Free Credit Reports
The law breaks even more new ground by requiring the company that suffered the breach to potentially pay for individuals to obtain a credit report. Now, many states require that a company’s notification letter explain consumers’ ability to get a free credit report from the credit reporting agencies. But those requirements just inform individuals of their federal right to get a free credit report once every twelve months from each credit reporting agency—a right that the credit reporting agencies elected to expand by allowing individuals to request a free report every week from each agency.
Pennsylvania’s twist is that the company that suffered a breach must inform individuals that, if they have exhausted their free credit reports, the company will pay for one report. This raises all types of questions:
- Can a company try to verify the individual is ineligible for a free report from the credit reporting agencies? Likely yes. Permitting companies to take reasonable verification steps is a sensible reading of the law, since the law does not prohibit verification and validating eligibility is a practical measure to deter abuse.
- How can a company verify an individual is ineligible for a free credit report? Limit verification efforts to reasonable measures, such as requiring a verbal or digital attestation. Companies should avoid steps that are likely to be time or resource intensive because, given that a consumer can get free reports every week from the reporting agencies, a delay of a few days could undermine the requirement that a company pay for a report when the consumer is ineligible.
- How long does a company need to guarantee payment for a credit report (e.g., can a consumer request payment years down the road)? Use the deadline for activating credit monitoring. Although the law is silent on how long the right to a free credit report persists, the requirement that the company pay for a credit report is analogous to the obligation that they offer credit monitoring. For credit monitoring, the industry norm is to provide a code that expires a few months after being sent to the consumer. It makes sense to use that same time frame for the company’s obligation to pay for a credit report.
- How will a company pay (or reimburse the individual) for the credit report? Consider purchasing codes directly from the credit reporting agencies. The problem with paying the individual directly is that it adds delay and, as noted above, that undermines the law’s guarantee: By the time the check arrives, the individual is likely eligible again for the report each credit reporting agency provides for free each week.
And, while not necessary for operationalizing the law, one has to wonder: Why did the Pennsylvania Legislature think someone may need more than three credit reports in a week? Who will check their credit report with a single agency more than once in a week? How will a free credit report help someone who only had their financial information impacted?
In sum, there is meaningful ambiguity regarding what is required for credit reports. But, so long as a company makes a good faith effort at compliance, the legal risk is small because there is no private right of action—only the attorney general enforces the law.
Next Steps
Companies should update their incident response procedures to account for these revisions before they take effect on Sept. 26, 2024. While most of the changes involve just copying over new requirements, companies will have to make judgment calls on what is required when it comes to providing credit reports. We will be monitoring whether the attorney general issues guidance on this issue in the near future.