Pennsylvania Bill Expands Requirements

Senate Bill 696, Amending the Breach of Personal Information Notification Act, has passed the Pennsylvania Senate and been referred to the House Committee on State Government. It adds to what counts as personal information protected by this Act and makes some important adjustments to how a data breach must be handled.

Personal Information

Under the new Bill there are some additions to what constitutes personal information:

  • Medical information;
    • Any individually identifiable information contained in a person’s current or historical record of medical history, treatment or diagnosis created by a healthcare professional.
  • Health insurance information;
    • An individual’s policy number or subscriber identification number in combination with an access code and other medical information that permits misuse of an individual’s health insurance benefits.
  • A username or email address;
    • In combination with a password or security question and answer that would permit access to an online account.

Any entities that are subject to HIPAA privacy and security standards shall be deemed in compliance with this Act.

State Agency Contractors

Any state agency that has pre-existing contractors working with it will need to assess the current contracts. Any existing contract that does not already contain provisions regarding data breaches will need to be amended to include provisions setting out what the contractors must do in order to comply with this Act.

Any state employees or contractors who handle personal information on behalf of the Commonwealth will need to make some changes. Whenever personal information is transferred via the internet it must be encrypted, so that third parties cannot view or modify the information in transit.

The Governor’s Office of Administration shall develop and maintain a policy to govern the proper encryption and transmission of personal information by state agencies. It will also be responsible for developing a policy to govern the proper storage of personal information by state agencies. This policy will address identifying, collecting, maintaining, displaying and transferring personal information in test environments.

Data Breach Response

State Agency or State Agency Contractor

If a state agency determines that it has suffered a breach, whether it discovers the breach itself or is notified of it by a contractor, it must notify the affected individuals within 7 days under this Act. This notice must also go to the Office of the Attorney General.

A state agency contractor shall notify the agency’s Chief Information Security Officer or other relevant designated employee within 7 business days of the breach being discovered.

If the state agency falls under the Governor’s jurisdiction, it must also notify the Governor’s Office of Administration. This notice must be provided within 3 business days of the discovery.

County, School or Municipality

Any county, school or municipality that discovers a data breach is also addressed within this Act. It must provide notice within 7 days from the determination of the breach.

The District Attorney of the relevant county must be made aware of any breaches. Should a data breach be discovered, the DA must be notified within 3 business days.

Electronic notification

If a breach has involved a username or email address, the entity may provide notice in electronic format. The impacted individuals should be directed to change their passwords or security questions and answers, and encouraged to take any other necessary steps to secure their online accounts.

If a state agency contractor discovers a breach involving the same kind of information, it may provide notification by sending the affected agency a list of the affected individuals.

Value Privacy is a company that makes privacy simple. Allow us to take a look at your privacy policies and procedures and we can tell you what needs improvement and even where your systems are at risk of a breach. We take care of creating, implementing and maintaining a system that works for you so that you can get back to doing what you do best. Contact us today to find out how we can help you.
