
Breach of Personal Information in Community Associations

SPONSORED POST

In 2022/2023, we previously advised of updates to the Pennsylvania “Breach of Personal Information Notification Act” (“BPINA”) in a Hoffman Law LLC Blog post found here. Pennsylvania Senate Bill 824 (SB 824) recently changed the BPINA in numerous ways, and the changes became effective on September 26, 2024. We summarize the changes made by SB 824 below, not in their entirety, but as they may apply to or impact community associations.

1. NOTIFICATION OF BREACH. BPINA used to require notification to credit reporting agencies when 1,000 or more PA residents were impacted in the event of a breach. SB 824 brings that number of impacted residents down to 500 or more PA residents.

2. CREDIT REPORTING/MONITORING. SB 824 requires that qualifying entities provide impacted PA residents with access to a credit report and credit monitoring services, free of charge, if the following apply:

a. there was a breach of the “security of the systems” as defined by PA law; and

b. the data accessed as a result of the breach included the individual’s name (first and last name, or first initial and last name) in combination with their Social Security number, bank account number, or driver’s license/state identification card number.

If both of these requirements have been triggered, the Association must provide the impacted PA individual with access to an independent credit report from a consumer reporting agency if the individual is otherwise not able to obtain an independent credit report free of charge. The Association must also provide the impacted PA individual with an offer of twelve (12) months of credit monitoring services, and advise that it is available free of cost.

3. PA ATTORNEY GENERAL. SB 824 requires that an Association notify the Pennsylvania Attorney General’s Office (PA AG) whenever it provides notice of a breach under PA law to more than 500 residents of the Commonwealth (used to be 1,000!). The notification to the PA AG must be provided at the same time as the notice provided to impacted individuals, and must include the following information (if known at that time):

      • Association name/location;

      • Date of breach;

      • Summary of incident that led to breach;

      • Estimated total # of impacted individuals; and

      • Estimated total # of impacted residents of PA.

    Finally, we still recommend that community associations review BPINA as amended (Act No. 33 of 2024, June 28, 2024), which can be found here, discuss it with their counsel, managing agents, and/or any service providers that handle personal information (especially association software providers), and confirm proper insurance coverage with association insurance professionals. As it relates to insurance, community associations should obtain adequate cyber-liability insurance to offset risk and cover a breach incident. It is noted that the cost of proper notification is tremendous, especially if the breach (now) involves notification to over 500 persons at one time, because all consumer credit reporting agencies must also be notified, as well as the Pennsylvania Attorney General’s Office.

    (The content in this post was originally posted on the Hoffman Law LLC Blog, here). 

    ABOUT THE AUTHOR
    Edward Hoffman, Jr., Esq., CCAL, is the Founder and Managing Member of Hoffman Law LLC, a community association law firm with multiple offices in Pennsylvania. Ed is a Fellow of the College of Community Association Lawyers (CCAL), the current Chair of CAI’s Pennsylvania Legislative Action Committee and is a member of the chapter’s Pocono Mountains Regional Council. Ed is a prolific author and well-received speaker on association topics and has been published and presented on association law and related topics both regionally and nationally, including eleven articles published in CAI’s national flagship magazine, Common Ground, and having presented ten times at CAI’s national Community Association Law Seminar. Ed is also the founder and host of the Association Nation™ Podcast. Email: ed@hoffmanhoalaw.com. Website: www.hoffmanhoalaw.com. Blog: http://pahoalaw.blog.
