On November 3, 2022, Governor Wolf approved Senate Bill 696, now Act 151 of 2022, which amends Pennsylvania’s Breach of Personal Information Notification Act. These changes apply directly to public school entities and will require updates to applicable policies and procedures.
The Act now requires notification to residents of the Commonwealth upon the determination, rather than the current general rule requiring such notification upon the discovery, of a security breach where the individual’s unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. A determination of such a breach is defined as a “verification or reasonable certainty” that a breach has occurred.
The Act expands the definition of personal information to include medical information, health insurance information and a username or email address in combination with a password or security question and answer that would permit access to an online account. The Act also now specifically includes school districts, intermediate units, charter schools and area career and technical centers within the definition of a public school subject to the Act’s requirements.
Most notably, the Act requires that public schools provide the necessary notices to impacted persons within seven business days following the determination that a breach has occurred. Further, the school entity must also notify the district attorney in the county where the breach occurred within three business days following the determination.
The Act also expands upon and clarifies the required content of any electronic notice to an impacted individual. Such notice must direct the person to promptly change their password and security question or answer, as applicable, and take other appropriate steps to protect their online account.
The Act includes heightened requirements for State Agency Contractors, a new term in the Act defined to include a person, business, subcontractor or third-party subcontractor that has a contract with a state agency for goods or services that requires access to personal information to perform under the contract. These heightened requirements include additional notification requirements, encryption measures and data storage policies. Further, all contracts with State Agency Contractors must include provisions ensuring the contractor’s compliance with the Act.
In sum, these mandated notifications, required timelines and definitional changes will require updates to school policies and procedures prior to the Act’s effective date, May 2, 2023. School entities performing under a contract with PDE or another state agency that requires access to personal information may have additional compliance requirements.
For questions about these changes and assistance with implementation, please reach out to the School Law Group at Stock and Leader.