Time flies. Since about 2010, I have been counseling community associations on risks involving potential breaches of personal information and the fact that Pennsylvania has a specific statute related to such breaches, literally called the “Breach of Personal Information Notification Act” (“BPINA”). BPINA was recently amended and signed into law by Governor Wolf on November 3, 2022 (and effective in 180 days).
As a general BPINA primer, community associations qualify as “businesses” under BPINA and are covered “entities” which do business in the Commonwealth of Pennsylvania. BPINA defines “Personal information” as follows:
(1) An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
(i) Social Security number.
(ii) Driver’s license number or a State identification card number issued in lieu of a driver’s license.
(iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
(iv) Medical information. (Added as amended on 11/3/22)
(v) Health insurance information. (Added as amended on 11/3/22)
(vi) A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. (Added as amended on 11/3/22)
Most community associations do not keep social security numbers, medical information and/or health insurance information (and likely should not, if they are), but many have access to and keep records of driver’s licenses, financial accounts and credit/debit cards. Many also operate portals that contain a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account (usually an association account of some kind). (Note: the last data element, covering e-mail addresses and login information, was added by the 11/3/22 amendment, so community associations should use due diligence to protect that information and comply with BPINA as amended, even if they were properly handling records of driver’s licenses, financial accounts and credit/debit cards before the recent amendments.)
Hopefully any and all of this personal information is being properly handled and maintained offsite on properly encrypted systems run by third-party providers and/or contractors, to attempt to offset and/or limit liability (recall that the definition above covers data elements only “when the data elements are not encrypted or redacted”). I note that managing agents also keep this information, and there should be similar considerations/protections for maintaining such data.
BPINA has always required notification of the breach of the security of the system, but the November 3, 2022 BPINA amendments added additional notification requirements, including the following new Section 3(a.3):
(a.3) Electronic notification.–In the case of a breach of the security of the system involving personal information for a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, the entity, to the extent that it has sufficient contact information for the person, may comply with this section by providing the breach of the security of the system notification in electronic or other form that directs the person whose personal information has been materially compromised by the breach of the security of the system to promptly change the person’s password and security question or answer, as applicable or to take other steps appropriate to protect the online account with the entity and other online accounts for which the person whose personal information has been materially compromised by the breach of the security of the system uses the same user name or e-mail address and password or security question or answer.
Accordingly, community associations should be aware not just of the general (preexisting) notification requirements for a breach of personal information, but also of how to handle notification of a breach of the security of the system involving a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, in accord with BPINA as amended.
Finally, this post was not intended to serve as a discussion of how to properly handle a breach of personal information nor was it intended to be an exhaustive review of BPINA in general and/or as amended; rather, the intent was to notify our community association clients and industry colleagues of changes in the law, so proper due diligence can be undertaken. For some reason lawyers [still] love to use a dead language – Latin – to make their points. Our question is therefore: parati estis? … or, are you ready?
To get ready, we recommend that community associations review BPINA as amended, which can be found here, discuss it with their counsel, managing agents and any service providers that handle personal information (especially association software providers), and confirm proper insurance coverage with association insurance professionals. As it relates to insurance, community associations should obtain adequate cyber-liability insurance to offset risk and cover a breach incident. It is noted that the cost of proper notification is tremendous, especially if the breach involves notification to more than 1,000 persons at one time, because all consumer credit reporting agencies must then also be notified.
– Edward Hoffman, Jr., Esq., CCAL