Pennsylvania Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Pennsylvania's data breach notification requirements received a significant update in 2024 when Governor Josh Shapiro signed Act 33 of 2024 into law on July 28, 2024, effective September 26, 2024. The amended Breach of Personal Information Notification Act (BPINA), codified at 73 Pa. Stat. 2301 et seq., now requires Attorney General notification, mandates 12-month credit monitoring for certain breaches, and broadens the types of data that trigger notification.
This guide covers the full scope of Pennsylvania's breach notification requirements as amended, including what personal information triggers the law, who must be notified, the timeline, enforcement penalties, exemptions, and how the law connects to the state's [broader data privacy framework](/us-laws/data-privacy-laws/pennsylvania-data-privacy-laws).

Who Must Comply With Pennsylvania's Breach Notification Law
BPINA applies to any entity that maintains, stores, or manages computerized data that includes personal information. The law covers both public entities (state agencies, counties, municipalities, school districts) and private entities (corporations, partnerships, sole proprietors, and any other form of business).
The law distinguishes between entities that maintain their own data and those that maintain data on behalf of another entity. A third-party vendor that discovers a breach of data it maintains for another entity must notify the data owner. The data owner then carries the primary obligation to notify affected consumers and regulators.
Out-of-state businesses that maintain personal information belonging to Pennsylvania residents are subject to the law.
What Qualifies as a Breach of Security
Under BPINA, a breach of the security of the system means the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals.
The "materially compromises" threshold means that not every unauthorized access automatically triggers notification. The entity must determine whether the breach actually affected the security or confidentiality of the data.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system, provided the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
The Encryption Safe Harbor
BPINA provides a safe harbor for encrypted data, but with an important caveat. Encrypted data is exempt from notification requirements unless the encryption key or process was accessed or acquired during the breach, or the breach was committed by a person who had access to the encryption key. If either condition applies, the safe harbor does not protect the entity and full notification is required.
What Personal Information Triggers the Law
The 2024 amendment expanded BPINA's definition of personal information. Under the current law, personal information means an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the elements are not encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit or debit card number, in combination with any required security code, access code, or password
- Health insurance information (policy number or subscriber ID in combination with an access code or medical information permitting misuse of health insurance benefits) (added by Act 33)
- Medical information in the possession of a state agency or state agency contractor (narrowed to government entities by Act 33)
- Username or email address in combination with a password or security question and answer that would permit access to an online account (added by Act 33)
The health insurance and online account credential additions align Pennsylvania with the growing trend of states broadening their breach notification triggers beyond the traditional SSN/DL/financial account trio.
Note: The medical information trigger was narrowed by Act 33 to apply only when the information is in the possession of a state agency or state agency contractor. Private sector entities are not required to notify for breaches of medical information unless they are government contractors.
Notification Timeline
Pennsylvania does not impose a fixed deadline measured in days. BPINA requires notification "without unreasonable delay." Delays are permitted when:
- Consistent with the legitimate needs of law enforcement
- Necessary to take any measures to determine the scope of the breach and to restore the reasonable integrity of the data system
Law enforcement may request a delay by providing the entity with a written request. The entity may delay notification during the period specified by law enforcement.
Who Must Be Notified
Affected Individuals
Every Pennsylvania resident whose personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person must receive notification. The notice must include:
- A description of the incident in general terms
- The type of personal information subject to the breach
- Steps the entity has taken to address the breach
- Contact information for the entity providing notice
- Contact information for major credit reporting agencies
Attorney General
Under the 2024 amendment, the Pennsylvania Attorney General must be notified without unreasonable delay when a breach affects more than 500 Pennsylvania residents. The AG launched an online reporting portal on September 26, 2024, to streamline the reporting process.
Consumer Reporting Agencies
When a breach affects more than 1,000 Pennsylvania residents, the entity must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The notification must include the timing, distribution, and content of the consumer notice.

12-Month Credit Monitoring Requirement
One of the most significant additions in Act 33 is the mandatory credit monitoring provision. When a breach involves certain data elements (listed below), the entity must offer affected individuals:
- Access to an independent credit report from a consumer reporting agency
- 12 months of credit monitoring services
This requirement is triggered when the breach involves:
- Social Security numbers
- Driver's license numbers or state ID numbers
- Bank account numbers
Pennsylvania is notable for extending the credit monitoring trigger beyond Social Security numbers. Most states that require credit monitoring only mandate it for SSN breaches. Pennsylvania's requirement covers driver's licenses and bank accounts as well, significantly expanding the number of breaches that trigger this obligation.
Methods of Notification
Businesses can provide notification through:
- Written notice sent to the individual's last known home address
- Email notice if the individual has consented to receive electronic communications (may include instructions to reset login information)
- Telephone notice given in a conspicuous and reasonable manner
Substitute Notice
Substitute notice is available if the entity demonstrates to the Attorney General that:
- The cost of providing direct notice would exceed $100,000, or
- The affected class exceeds 175,000 persons, or
- The entity does not have sufficient contact information
Pennsylvania's substitute notice thresholds ($100,000 and 175,000 persons) are lower than many states, making substitute notice available in a broader range of circumstances.
Substitute notice must include: email notice (where available), conspicuous posting on the entity's website, and notification to major statewide media.

Enforcement and Penalties
Consumer Protection Law Enforcement
Violations of BPINA constitute unfair or deceptive acts or practices under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL). This classification gives the Attorney General broad enforcement authority, including:
- Injunctive relief to stop ongoing violations
- Civil penalties
- Restitution for affected consumers
Attorney General Authority
The Pennsylvania Attorney General's Bureau of Consumer Protection is the primary enforcement agency. The AG can investigate complaints, issue subpoenas, and bring civil actions.
Private Right of Action
The UTPCPL provides a private right of action that allows consumers to bring civil suits for unfair or deceptive practices. Because BPINA violations are classified as UTPCPL violations, affected individuals may have the ability to pursue private claims for breach notification failures, though the scope of this right in the data breach context is evolving through case law.
Exemptions
HIPAA Compliance Exemption
Covered entities and business associates subject to and in compliance with HIPAA's breach notification requirements are deemed to be in compliance with BPINA, provided they also comply with the AG notification requirement.
Financial Institution Exemption
Financial institutions subject to and in compliance with the Gramm-Leach-Bliley Act's interagency guidance on breach notification are exempt from BPINA's separate notification requirements, provided they comply with the AG notification requirement.
Own Policy Exemption
Entities that maintain their own notification procedures as part of an information privacy or security policy are deemed to be in compliance, provided those procedures are at least as thorough as BPINA's requirements and the entity follows its own procedures.
What Changed Under Act 33 of 2024 (Summary)
For businesses already familiar with Pennsylvania's earlier breach notification law, here are the key changes effective September 26, 2024:
| Feature | Before Act 33 | After Act 33 |
|---|---|---|
| AG notification | Not required | Required at 500+ affected residents |
| Credit monitoring | Not required | 12 months for SSN, DL, state ID, bank account breaches |
| Health insurance data | Not covered | Covered as personal information |
| Online credentials | Not covered | Username/email + password triggers notification |
| Medical information | All entities | Narrowed to state agencies and contractors only |
| Reporting method | No standard process | Online AG reporting portal |
Sources and References
This article draws from the following official Pennsylvania government sources:
- BPINA Original Text (Act 94 of 2005), legis.state.pa.us - Original Breach of Personal Information Notification Act
- Act 33 of 2024 (Amendments), legis.state.pa.us - 2024 amendments adding AG notification and credit monitoring
- Act 33 of 2024 (Full Text), legis.state.pa.us - Complete text of the amending legislation
- PA Attorney General: BPINA Information, attorneygeneral.gov - AG guidance and online reporting portal
- PA Attorney General: Report a Data Breach, attorneygeneral.gov - Breach reporting portal
This article provides general legal information about Pennsylvania data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Pennsylvania for guidance specific to your situation.