Earlier this year, Governor Josh Shapiro signed amendments to Pennsylvania’s Breach of Personal Information Notification Act (BPINA) into law, which go into effect on September 26. As part of the implementation of these requirements, Pennsylvania Attorney General (AG) Michelle Henry announced the launch of an online portal for companies and other entities to report data breaches that impact more than 500 Pennsylvania residents. As with notification to impacted individuals, covered entities must notify the AG “without unreasonable delay.” This new requirement aligns Pennsylvania’s data breach notification law with the 35 states that have existing notice requirements for the applicable state regulator when a threshold number of state residents are impacted. Many of these states utilize a similar portal for submissions for ease of reporting.

The portal is available here. The AG’s website also provides guidance on the process to submit required information about the breach, and information about the BPINA for entities and residents.

In addition to the regulatory reporting requirement, the amendments provide protections for types of information that up until now remained unprotected under the BPINA. As with the previous version of the BPINA, notification to individuals is triggered when a data breach involves a person’s name and Social Security number, financial account number, and driver’s license or state ID number. The amendments now add protections for an individual’s name in combination with medical information in the possession of a state agency or state agency contractor, health insurance information, or a username and password that permits access to an online account as newly protected data elements that also trigger notice to individuals if impacted. However, impact to these data elements only triggers notification where the covered entity reasonably believes the unauthorized access and acquisition of the information has caused, or will cause, loss or injury to any Pennsylvania resident. Pennsylvania also joins five other states in requiring entities provide impacted individuals with 12 months of credit monitoring when an individual’s Social Security number, driver’s license number, state ID number, or bank account number is impacted.

Why It Matters

Prior to the BPINA amendments, Pennsylvania was among the 15 states that do not mandate organizations suffering a qualifying breach of consumer personal identifying information to notify the relevant state regulator. Given the new protections for additional types of information and the regulatory reporting requirements, organizations handling personal information of Pennsylvania residents should revise their incident response plans. These changes could subject organizations to increased regulatory scrutiny. Failure to comply with these new requirements may be deemed a violation of BPINA, constituting an unfair or deceptive act or practice in violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law, and subject companies to injunctive relief or monetary penalties.

The BPINA amendments add to the mosaic of breach notification laws across all 50 states, with applicability based on the impacted individual’s state of residence. While these amendments aim to align Pennsylvania law with other state data breach notification laws, they also highlight the diverse requirements that can complicate compliance in the wake of a cybersecurity incident, particularly for companies that operate in multiple jurisdictions. Engaging experienced counsel after a security incident is always a best practice to help navigate the obligations under the patchwork of state regulatory frameworks.


Troutman Pepper State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.
Clay Friedman – Co-leader
Clayton is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice, multidisciplinary teams with decades of experience crafting effective strategies to help deter or mitigate the risk of enforcement actions and litigation.
Judy Jagdmann
Judy is a partner in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based in the Richmond office. She brings experience serving as chair and commissioner of the Virginia State Corporate Commission (VSCC) from 2006 through 2022, which includes regulating the utilities, insurance, banking, and securities industries. She also served as Virginia’s attorney general from 2005-2006.
Stephen Piepgrass
Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries.
Michael Yaghi
Michael is a partner in the firm’s State Attorneys General and Regulatory Investigations, Strategy + Enforcement (RISE) Practice Groups, nationwide teams that advise clients on consumer protection enforcement matters and other regulatory issues.
Samuel E. “Gene” Fishel
Gene is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) practice, based in the Richmond office. He brings extensive regulatory experience, having most recently served as senior assistant attorney general and chief of the Computer Crime Section in the Office of the Attorney General of Virginia, and as special assistant U.S. attorney in the Eastern District of Virginia for 20 years.
Chuck Slemp
Chuck advises clients on a wide range of complex issues that frequently involve government actions, including investigations, inquiries, regulatory matters, and litigation. With a distinguished background in the law and public service, he served as chief deputy attorney general of Virginia before joining the firm. In addition to overseeing the Department of Law and Division of Debt Collection, Chuck managed a team of attorneys who handle complex litigation and investigations. He also directed the attorney general’s legislative affairs and represented the attorney general in various capacities.
Tim Bado
Tim is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, where he represents corporations and individuals facing potential civil and criminal exposure. Tim’s experience in government investigations, enforcement actions, and white-collar litigation spans a number of industries, including financial services, pharmaceutical, health care, and government contracting, among others.
Chris Carlson
Chris Carlson represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.
Blake R. Christopher
Blake collaborates with clients on matters related to government contracting, investigations, and disputes. His senior-level government experience generates valuable insights and strategies for clients across a variety of industries.
Natalia Jacobo
Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice. She focuses her practice on two primary areas: government contracting and state attorney general work.
Namrata Kang
Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising.
Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
Susan Nikdel
Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes.
Whitney Shephard
Whitney is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation.
Trey Smith
Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice. He focuses his practice on helping financial institutions and consumer facing companies navigate regulatory investigations and resulting litigation.
Daniel Waltz
Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.
Stephanie Kozol
Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.