Breach of Personal Information Notification Act (“BPINA”)

What is the significance of the Law?

BPINA was initially signed into law on December 22, 2005 by Governor Ed Rendell in order to ensure that people’s personal information was protected in the event it’s stolen. On July 28, 2024, Governor Josh Shapiro approved amendments to BPINA, which become effective on September 26, 2024. BPINA provides the following:

  1. Notification requirements for public and private entities after a breach;
  2. Security standards for entities that maintain, store, or manage computerized data on behalf of the Commonwealth;
  3. Access to credit reporting and monitoring if the breach involved certain personal information; and
  4. Penalties for violations of the law.

BPINA defines a breach as the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by an entity as part of a database of personal information and that causes or the entity reasonably believes has caused or will cause loss or injury to a Pennsylvania resident.

Personal information consists of two components:

  1. An individual’s first name or first initial and last name; and
  2. Any one or more of the following, not made publicly available:
     • Social Security number;
     • driver’s license number and/or state identification card number;
     • financial account numbers;
     • medical information in the possession of a State agency or State agency contractor;
     • health insurance information; or
     • user name or email address with password or security question and answer to allow access to an online account.

Any entity that maintains, stores, or manages consumers’ personal information and has reason to believe this personal information was accessed and acquired in a readable form by an unauthorized person must notify the affected Pennsylvania resident without unreasonable delay.

Entities must notify the Attorney General when more than 500 Pennsylvania residents are affected by a breach. Notice must be made to the Attorney General at the same time the entity notifies the affected individuals. The Attorney General notice must include:

  • the name and location of the breached organization;
  • the date of the breach;
  • summary of the breach;
  • total number of impacted individuals; and
  • total number of impacted Pennsylvania individuals.

When an entity provides notification to more than 500 persons, the entity must also notify consumer reporting agencies without unreasonable delay.

State Agency or State Agency Contractor Breach:

  • Affected Individuals must be notified within seven (7) business days;
  • Office of Attorney General must be notified within seven (7) business days; and
  • Governor’s Office must be notified within three (3) business days if the state agency is under the Governor’s jurisdiction.

County, Public School, or Municipality Breach:

  • Affected Individuals must be notified within seven (7) business days;
  • District Attorney in county where breach occurred must be notified within three (3) business days.

Under BPINA, any one of the following forms of notification to individuals whose personal information has been compromised is sufficient:

  • written notice to the individual’s last known address;
  • telephonic notice, given in a conspicuous and reasonable manner; or
  • email notice, which may include instructions to reset an individual’s log-in information.

In limited circumstances, substitute notice is sufficient. The compromised entity must demonstrate to the Pennsylvania Office of Attorney General that:

  • the cost of providing regular notice would exceed $100,000;
  • the affected class of persons exceeds 175,000; or
  • the entity or business does not have sufficient contact information.

Where substitute notice is used, it must consist of all of the following, as applicable:

  • email notice when the entity has an email address for the affected individual;
  • conspicuous posting on the entity’s web site; and
  • notification to major statewide media.

Entities must make available access to an independent credit report from a consumer reporting agency and to credit monitoring services for a period of twelve (12) months if an individual’s Social Security number, driver’s license number, state ID number, or bank account number was impacted in the breach.

A violation of BPINA constitutes an unfair or deceptive act or practice in violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law, which means the Attorney General may seek injunctive relief, restitution, and penalties against any business entity for violating the law.