A recently passed Pennsylvania law aims to bolster consumer protections in the aftermath of data breaches. Act 33 of 2024, which is set to take effect in late September of this year, mandates stricter time limits for organizations to issue data breach notices and free provision of credit monitoring to affected individuals in the event of a data breach.
Key Provisions of Act 33 Pennsylvania Law
Under the provisions of the new law, organizations must notify the Pennsylvania Attorney General’s Office if a data breach is found to affect more than 500 residents within the state of Pennsylvania.
The notice is required to include the following details:
1) The organization name and location.
(2) The date of the breach of the security of the system.
(3) A summary of the breach incident of the security of the system.
(4) An estimated total number of individuals affected by the breach of the security of the system.
(5) An estimated total number of individuals in this Commonwealth affected by the breach of the security of the system.
Along with the reporting requirements, one of the key provisions of the law is the requirement for organizations to provide free credit reports and one year of credit monitoring to all affected consumers. The law introduces a new era of protection for consumers, requiring organizations to assume all costs and fees associated with providing affected individuals with access to credit reports and credit monitoring services.
This provision means that individuals from Pennsylvania will not have to pay for these services, which can provide peace of mind in the event of a data breach and add an additional layer of protection to help prevent identity theft and financial fraud.
The law defines personal information as an individual’s first name or first initial and last name in combination with certain sensitive data elements, such as Social Security numbers, driver’s licenses, or financial account numbers.
The law is an extension of the amendment act of December 22, 2005 (P.L.474, No.94), which states:
“An act providing for security of computerized data and for the notification of residents whose personal information data was or may have been disclosed due to a breach of the security of the system; and imposing penalties,” further providing for definitions, for notification of the breach of the security of the system and for notification of consumer reporting agencies; and providing for credit reporting and monitoring.
The Act 33 law received unanimous support in both chambers of the state legislature, reflecting the broad recognition of the need for stronger data protection measures.
Act Comes Amidst Geisinger Medical Center Data Breach Fall Out
Reports of data breach incidents across the United States have surged in recent years, with a record of 3,122 incidents reported in 2023 nationwide – a 72% increase from the previous high in 2021. According to data from the Identity Theft Resource Center, these breaches affected hundreds of millions of Americans and resulted in billions of dollars in losses.
The new law comes in the wake of high-profile breaches like the one at Pennsylvania’s Geisinger Medical Center, which potentially exposed personal information of approximately one million patients. A former employee in connection to the data breach has been arrested.
Jonathan Friesen, Geisinger chief privacy officer, stated in response to the arrest, “Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously.” He added, “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.”
Disgruntled former patients of the hospital have joined in a class action lawsuit filed against Geisinger, demanding compensation. One former patient, James Wierbowski, filed a lawsuit on June 28, seeking monetary relief that could amount to more than $5 million.