Disclosure Requirements and Penalties Under Pennsylvania’s Data Breach Notification Act

February 22, 2019

This is the final installment in a three-part series about data breaches and the requirements of Pennsylvania law relating to data breach notification. The previous posts in this series are: Doing Business in 2019? You Should Be Thinking About Data Security; and When Does a Data Breach Require Disclosure Under Pennsylvania’s Data Breach Notification Act?.

Once you have determined that a data breach has occurred that triggers notification under the Pennsylvania Breach of Personal Information Notification Act, the next step is to comply with the applicable notification requirements.

Notification Requirements

If a breach requiring notification has occurred, notice in a clear and conspicuous manner may be made by any of the following methods:

  1. Written notice to the individual’s last known home address;
  2. Telephone notice if the individual can reasonably be expected to receive it; or
  3. Email notice, if a prior business relationship exists.

Notice must be given “without unreasonable delay”, subject to a delay requested by law enforcement. The reasonableness standard for timing accounts for the time an entity needs to take the measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

Potential Penalties

Failure to comply with the Breach of Personal Information Notification Act is a violation of the Unfair Trade Practices and Consumer Protection Law, which allows the Pennsylvania Attorney General to seek an injunction, restitution, and civil penalties of up to $3,000 for each willful violation.

Additional Things to Prepare For

In addition to these legal requirements, make sure you also take practical steps to prepare for any customer questions or backlash. Make sure your employees know about the breach and what to say if a customer asks them. Consider getting out in front by issuing statements that not only satisfy the letter of the law, but also emphasize what you’ve done to protect them. In many cases you can prevent an unfortunate situation from becoming worse by thinking through the public relations aspects of a breach at the same time you handle the legal requirements.

Think your business has suffered a data breach? You should immediately consult with your IT professionals to learn as much about the breach as you can and to prevent further information from being compromised, taking care to preserve the logs and other records that will be needed to establish what happened and whom it affected. Then contact your legal counsel to determine your notification obligations under Pennsylvania law and any other applicable laws.

Matt Landis is an attorney at Russell, Krafft & Gruber, LLP, in Lancaster, Pennsylvania. He received his law degree from Widener University Commonwealth School of Law and works regularly with business owners and entrepreneurs. Matt is one of the founding members of the RKG Tech Law Group.