In December 2005, Pennsylvania enacted the Breach of Personal Information Notification Act (the “2005 BPINA”). Its stated purpose is to provide “for security of computerized data and for the notification of residents whose personal information data was or may have been disclosed due to a breach of the security of the system.”
The 2005 Act defines “personal information” as follows:
“Personal information” does not include publicly available information that is lawfully made available to the general public from Federal, State, or local government records or widely distributed media.
On Nov. 3, 2022, Gov. Wolf signed into law Senate Bill No. 696, known as P.L.2139, No.15., which amends the 2005 BPINA (the “2022 Amendment”) effective on May 2, 2023 (the 2005 BPINA, as amended by the 2022 Amendment, will be referred to as the “Amended BPINA”).
The 2022 Amendment adds definitions of “medical information” and “health insurance information” and expands the definition of “personal information” to include medical information, health insurance information, and “a username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” This is significant given that numerous entities contract with third-party vendors to provide services such as online payment of bills, online banking and investment management, or health information portals. To access these services, an account usually must be established and log-in information provided, which usually involves a username and password. “Health insurance information” is defined as “an individual’s health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits.” The Amendment defines “medical information” as “[a]ny individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment or diagnosis created by a health care professional.”
The Amended BPINA applies to entities, defining an “entity” as “[a] State agency, a political subdivision of the Commonwealth or an individual or a business doing business in this Commonwealth.” A “State agency” is defined as “[a]ny agency, board, commission, authority or department of the Commonwealth and the General Assembly.” The 2022 Amendment added the definition of “State agency contractor,” which is “[a] person, business, subcontractor or third-party subcontractor that has a contract with a State agency for goods or services that requires access to personal information for the fulfillment of the contract.”
The vendor notification requirement under the Amended BPINA merits particular attention:
“A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security of the system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this act.”
The Amended BPINA contains provisions relating to the establishment of policies regarding data breaches, and most of these provisions relate to an entity that “maintains, stores or manages computerized data on behalf of the Commonwealth that constitutes personal information.” The Amended BPINA, however, also provides that “[a]n entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and is consistent with the notice requirements of this act shall be deemed to be in compliance with the notification requirements of this act if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.” This safe harbor presupposes that an entity already has a privacy or security policy. Thus, all entities that are subject to the Amended BPINA need to have updated policies.
Another key aspect of the 2022 Amendment concerns entities that are subject to federal regulations. Notably, any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic personal health information established under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act is deemed to be in compliance with the provisions of the Amended BPINA. Further, “[a]n entity, a State agency or a State agency’s contractor that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the entity’s, State agency’s or State agency’s contractor’s primary State or functional Federal regulator, shall be in compliance with the [Amended BPINA] act.”
A violation of the Amended BPINA is deemed to be an unfair or deceptive act or practice in violation of the act of Dec. 17, 1968 (P.L.1224, No.387), known as the “Unfair Trade Practices and Consumer Protection Law.” The Office of Attorney General has exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of the Amended BPINA.
Pennsylvania’s Breach of Personal Information Notification Act, as amended effective May 2, 2023, has expanded the definition of “personal information,” making more entities subject to the Amended BPINA and to its notification, storage, and information policy requirements. Entities such as municipalities, banks and other financial institutions, wealth management companies, medical and health care providers that are not subject to HIPAA, contractors, and vendors that maintain, store or manage computerized data will now need to evaluate their existing data gathering protocols and their existing notification policies and procedures (or adopt new ones) to address a data breach.