M-F 8:00AM TO 5:30PM CST
Better coverage. Better price.

Pennsylvania Data Breach Notification Laws

When a Pennsylvania business experiences a harmful data breach, it must notify affected Pennsylvania residents as soon as possible by mail, telephone, or email. If the security breach affects more than 175,000 people, or the cost of notification exceeds $100,000, public service announcements can be used instead. When a breach affects 1,000 or more people, you must report it to all consumer-reporting agencies.

Name of Law / Statute

Breach of Personal Information Notification Act

Definition of Protected Information

Standard PI definition (see below)

Who Is Subject to Law?

Any business that maintains, stores, or manages residents' PI

Notification of Consumers?

Yes, but only if breaches "materially compromise the security, confidentiality, or integrity of" PI

By what means?

Written, phone, or electronic (depending on prior relationship); if >1,000 residents, must notify consumer reporting agencies

Substitute Notice Threshold?

If cost of notice >$250,000 or involves >500k residents

Notification of authorities / regulators required?


By what means?


Regulatory Fines


Credit monitoring requirement?


Private lawsuits allowed?


Private damages cap?


Regulatory actions allowed?


HIPAA Compliance exemption?


Other  (e.g., timeframe)

Law does not apply if PI was encrypted (unless encryption was compromised) or redacted

Link to complete law

Pennsylvania's data breach law

Read the full text of Pennsylvania’s data breach law.

70% of businesses raise prices or cut hiring when sued