A recent update to Pennsylvania’s Breach of Personal Information Notification Act (BPINA) included the announcement of a new portal created and hosted by the PA Attorney General’s Office, designed to make reporting breaches easier and more efficient for covered entities. Starting September 26, those required to report a data breach can access the portal, which will guide the user through a few reporting questions covering information such as the breach details and personal information, along with an upload of any pertinent documents related to the breach for the PA Attorney General’s Office to review.
There are no changes to who has to report, which, as previously shared, includes PA individuals, public and private organizations, agencies, and the respective vendor parties of these covered entities that maintain a database of personal information about customers or constituents.
Also going into effect on September 26 are additional amendments to the BPINA made by Governor Shapiro, including reporting requirements for when a data breach affects more than 500 Pennsylvanians. In addition, if the breach involves the person’s name and Social Security Number, bank account number, or driver’s license or state ID number, companies must provide impacted individuals with 12 months of credit monitoring and access to a credit report.
Violations of the BPINA can result in penalties under the Pennsylvania Unfair Trade Practice and Consumer Protection Law. It’s important for covered entities to comply with BPINA and take steps to avoid legal action against them.
Please contact our Corporate, Business & Banking team if you’re unsure of your legal obligations or need to clarify questions and responsibilities.