PA HB997
Further providing for definitions, for notification of the breach of the security of the system, for exceptions and for notice exemption; repealing provisions relating to civil relief; providing for protection of personal information, for civil relief, for information security and for applicability; and repealing provisions relating to applicability.



Introduced: 03/24/2025
In Committee: 10/03/2025
Crossed Over: 10/01/2025
Passed: no date listed
Dead: no date listed

Introduced Session: 2025-2026 Regular Session

Potential new amendment

Bill Summary

Amending the act of December 22, 2005 (P.L.474, No.94), entitled "An act providing for security of computerized data and for the notification of residents whose personal information data was or may have been disclosed due to a breach of the security of the system; and imposing penalties," further providing for definitions, for notification of the breach of the security of the system, for exceptions and for notice exemption; repealing provisions relating to civil relief; providing for protection of personal information, for civil relief, for information security and for applicability; and repealing provisions relating to applicability.

AI Summary

This bill updates Pennsylvania's Breach of Personal Information Notification Act to expand and clarify requirements for protecting personal data and responding to security breaches. The bill broadens the definition of "personal information" to include more types of identifying data such as passport numbers, medical information, biometric data, and taxpayer identification numbers. It requires businesses to implement reasonable procedures to prevent unauthorized access to personal information and establishes new notification requirements when a data breach occurs, including allowing notification through written, telephonic, email, or substitute methods. The bill also creates new civil relief provisions that allow residents to sue for damages up to $5,000 per violation and enables the Attorney General to pursue civil penalties of up to $10,000 per violation. Notably, the bill provides a three-year statute of limitations for bringing actions, allows for potential treble damages in cases of repeated violations, and ensures that arbitration clauses cannot prevent legal action. The legislation aims to provide stronger protections for consumers' personal data and create more accountability for businesses that experience data security breaches, with the provisions taking effect 60 days after enactment.

Committee Categories

Budget and Finance, Business and Industry

Sponsors (25)

Last Action

Referred to Communications & Technology (on 10/03/2025)
