Pennsylvania Statutes 73 § 2301 et seq
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"Breach of the security of the system." The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.
When is notice required?
Notice is required for any affected resident "except...in order to take any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay." Law enforcement may delay the reporting, and if an entity determines that over 1,000 residents are affected, consumer credit agencies must be notified as well.
What are the penalties for non-compliance?
Violations have their own section of the law, § 2308, which reads as follows:
"A violation of this act shall be deemed to be an unfair or deceptive act or practice in violation of the act of December 17, 1968 (P.L. 1224, No. 387), known as the Unfair Trade Practices and Consumer Protection Law. The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of this act."