Pittsburgh, PA
TEQ Magazine
(By Ember Holmes)
Earlier this year, Pennsylvania’s Breach of Personal Information Notification Act (BPINA) underwent its first major update since it was signed into law in June 2006.
The Amended BPINA¹, which went into effect on May 2, 2023, affects all Pennsylvania entities that store information belonging to Pennsylvania residents, but has the most significant impact on state agencies and entities that contract with state agencies.
BPINA was designed to set security parameters and standards for entities that maintain, store or manage computerized data containing the Personal Information (as defined below) of Pennsylvania residents. BPINA sets forth specific requirements for notifying residents of security system breaches. The Amended BPINA creates new definitions for previously undefined terms in BPINA, amends existing term definitions, and bolsters notification and security requirements for state agencies, state agency contractors, counties, public schools, and municipalities.
As a state agency, the Pennsylvania Department of Environmental Protection (PADEP) will be subject to this higher level of scrutiny with regard to its handling of personal information. In addition, any entity that contracts with the PADEP or maintains data on behalf of the PADEP or any other state agency is also subject to these more stringent requirements and should be familiar with the updates as applicable to their notification, reporting and encryption practices.
Expanded Definition of “Personal Information” and Related Notification Requirements
- The original BPINA definition of “Personal Information” included: (i) Social Security numbers; (ii) driver’s license numbers or state identification card numbers issued in lieu of driver’s licenses; and (iii) financial account numbers and credit or debit card numbers, in combination with any required access codes or passwords that would permit access to an individual’s account.