On June 28, 2024, Senate Bill 824 was enacted, amending Pennsylvania’s data breach notification law (73 Pa. Stat. Ann. § 2301, et seq.). The amendments go into effect September 26, 2024.
Among other things, the amendments:
- Require notification to the Attorney General if notification must be given to more than 500 individuals;
- Require the notice to the Attorney General include:
- The organization name and location;
- The date of the breach;
- A summary of the incident;
- An estimated number of individuals affected;
- An estimated number of individuals in Pennsylvania affected.
- Reduce the threshold for reporting an incident to consumer reporting agencies from more than 1,000 affected individuals to more than 500;
- Require entities that are required to report the incident to consumer reporting agencies to assume the costs of providing the affected individuals with:
- Access to one credit report if the individual is not eligible for a free report;
- Access to credit monitoring services for one year.
For a chart comparing the state comprehensive data privacy laws, visit RMAI’s Privacy and Data Security Resource Center (login required).
RMAI strongly recommends that its members share this Member Alert with those in their organization who are responsible for their operations, compliance, and legal matters.
RMAI previously issued Member Alerts for other states’ comprehensive privacy laws enacted in 2023 and 2024.
This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.