A broad Pennsylvania law, Act 33 of 2024, has been rolled out to strengthen consumer protections in the wake of data breaches. Slated to take effect in late September of the current year, the law imposes stricter timelines for organizations to provide data breach notifications and requires them to offer complimentary credit monitoring services to affected individuals in the event of a data breach.
The key provisions of Act 33 require organizations to notify the Pennsylvania Attorney General’s Office if a data breach affects more than 500 residents of the state. The disclosure must include the organization’s name and location, the breach date, a brief summary of the incident, and an estimated count of affected individuals, including a breakdown for Pennsylvania residents specifically.
The law also requires organizations to provide free credit reports and one year of credit monitoring to all affected consumers. Pennsylvanians will therefore not bear the cost of these services, which offer them a sense of security amid data breaches and an additional defense against identity theft and financial fraud.
The law explicitly defines personal information as an individual’s first name or initial, coupled with sensitive data elements such as Social Security numbers, driver’s licenses, or financial account numbers. It can be regarded as an extension of the amendment act passed on December 22, 2005, which addresses the security of computerized data and the notification of residents whose personal information has been compromised in system security breaches.
Act 33 won unanimous approval in both chambers of the state legislature, indicating widespread recognition of the need for stronger data protection. The legislation comes against a backdrop of escalating data breach reports nationally, with 3,122 incidents logged in 2023, a 72% increase over the previous high in 2021. These breaches affected multitudes of Americans and led to substantial financial losses.
The enactment of the law coincides with the fallout from the data breach at Geisinger Medical Center in Pennsylvania, which potentially exposed the personal information of nearly one million patients. A former employee linked to the breach has since been apprehended. Geisinger’s Chief Privacy Officer, Jonathan Friesen, emphasized the institution’s dedication to safeguarding patient privacy and affirmed its cooperation with authorities in the investigation.
In response to the breach, former patients filed a class action lawsuit against Geisinger, seeking redress for the harm it caused. Notable plaintiff James Wierbowski filed a lawsuit demanding compensation exceeding $5 million, underlining the gravity of data breaches and the legal recourse sought by affected parties.
In essence, the implementation of Act 33 underscores Pennsylvania’s commitment to strengthening consumer safeguards in the digital sphere, taking a proactive approach to mitigating the impact of data breaches and upholding individuals’ privacy rights.

