The Pennsylvania Breach of Personal Information Notification Act applies to the data elements below when there is an associated name (first initial or first name and last name) in combination with any of the following:
- Social Security number
- Driver’s license number or a state identification card number issued in lieu of a driver’s license
- Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
If the Privacy Office has determined a security breach to be notifiable, it will provide guidance on next steps, including reporting obligations for other applicable state breach laws.
P-cards are not considered to be notifiable; however, the department should notify its local financial officer about the detected P-card(s) so they can close the account(s).
Financial account numbers may be handled differently per Penn State practice. Whether they are notifiable depends heavily on the other data components that may accompany the bank account number. If bank account numbers are detected, please check with the Privacy Office to determine whether the data is notifiable.
Corporate bank account numbers do not require notification.