← All US breach laws·PA

Pennsylvania data breach notification law

Pennsylvania's data breach notification requirements under 73 Pa. C.S. §§2301 to 2330 (Breach of Personal Information Notification Act). Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
73 Pa. C.S. §§2301 to 2330
Enforcer
Pennsylvania Attorney General — Bureau of Consumer Protection
AG notification
Required
Private right of action
No (AG-only enforcement)

Notification deadlines

Notify affected residents
Without unreasonable delay, but no later than 30 days after determination of breach (effective May 2, 2023)
Notify the state regulator
Yes — if more than 500 PA residents are affected, written notice to the AG within 30 days
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification required when the breach materially compromises the security or confidentiality of PI and is reasonably believed to have caused or will cause loss or injury
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Pennsylvania law

First name/initial + last name with SSN, DL/state ID, financial account + access code, medical info, health-insurance info, OR username/email + password/security Q&A (expanded 2023)

Penalties and enforcement

Up to $1,000 per violation under Unfair Trade Practices and Consumer Protection Law
Enforced by: Pennsylvania Attorney General — Bureau of Consumer Protection. Official regulator page →

Common pitfalls

PA's 2023 amendments tightened the deadline to 30 days and added credentials to PI — many vendor runbooks still cite the older 'without unreasonable delay' standard

Frequently asked questions

How long do I have to notify Pennsylvania residents after a data breach?
Without unreasonable delay, but no later than 30 days after determination of breach (effective May 2, 2023)
Do I have to notify the Pennsylvania Attorney General?
Yes — if more than 500 PA residents are affected, written notice to the AG within 30 days
Does Pennsylvania require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from Pennsylvania's breach notification requirement?
Yes — Pennsylvania has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Pennsylvania residents sue me directly for a data breach?
No — Pennsylvania's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under Pennsylvania law?
First name/initial + last name with SSN, DL/state ID, financial account + access code, medical info, health-insurance info, OR username/email + password/security Q&A (expanded 2023)
What are the penalties for failing to comply with Pennsylvania's breach notification law?
Up to $1,000 per violation under Unfair Trade Practices and Consumer Protection Law

Related state breach laws

Oklahoma (OK)
24 Okla. Stat. §§161 to 166
Oregon (OR)
Ore. Rev. Stat. §§646A.600 to 646A.628
Rhode Island (RI)
R.I. Gen. Laws §§11-49.3-1 to 11-49.3-6
South Carolina (SC)
S.C. Code §39-1-90

Pre-empt the Pennsylvania breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Pennsylvania's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit