If you’ve been paying attention, Hoffman Law LLC previously advised of updates to the Pennsylvania Breach of Personal Information Notification Act (“BPINA”) in 2022/2023 in a prior Blog post found here. This Blog post is an update to same.

NEW:

Pennsylvania Senate Bill 824 (SB 824) changed the BPINA in numerous ways, and the changes become effective on September 26, 2024. We will summarize the recent changes provided by SB 824 below, not in its entirety, but as it may apply to/impact Community Associations.

1. NOTIFICATION OF BREACH. BPINA used to require notification to credit reporting agencies when 1,000 or more PA residents were impacted in the event of a breach. SB 824 brings that number of impacted residents down to 500 or more PA residents.

2. CREDIT REPORTING/MONITORING. SB 824 requires that qualifying entities provide impacted PA residents with access to a credit report and credit monitoring services, free of charge, if the following apply:

a. there was a breach of the “security of the systems” as defined by PA law; and

b. the data accessed as a result of the breach included the individual’s name (first and last name, or first initial and last name) in combination with their SS #, bank acct. # or driver’s license/state identification card #.

If the two aforementioned requirements have both been triggered, the Ass’n must provide the impacted PA individual with access to an independent credit report from a consumer reporting agency if the individual is otherwise not able to obtain an independent credit report free of charge. The Ass’n must also provide the impacted PA individual with an offer of twelve (12) months of credit monitoring services, and advise that same is available free of cost.

3. PA ATTORNEY GENERAL. SB 824 requires that an Ass’n notify the Pennsylvania Attorney General’s Office (PA AG) whenever it provides notice of a breach under PA law to more than 500 residents of the Commonwealth (used to be 1000!). The notification to the PA AG must be provided at the same time as the notice provided to impacted individuals, and must include the following information (if known at that time):

  • Ass’n name/location;
  • Date of breach;
  • Summary of incident that led to breach;
  • Estimated total # of impacted individuals; and
  • Estimated total # of impacted residents of PA.

Finally, we still recommend that community associations review BPINA as amended, as Act No. 33 of 2024 (June 28, 2024), which can be found here, and discuss it with their counsel, managing agents, and/or any service providers that handle personal information (especially association software providers), and confirm proper insurance coverage with association insurance professionals. As it relates to insurance, community associations should obtain adequate cyber-liability insurance to offset risk and cover a breach incident (it is noted that the cost of proper notification is tremendous, especially if the breach (now) involves notification to over 500 persons at one time, because all consumer credit reporting agencies must also be notified, as well as the Pennsylvania Attorney General’s Office).

– Edward Hoffman, Jr., Esq., CCAL
