Pennsylvania

In plain terms. Pennsylvania protects residents through its Breach of Personal Information Notification Act and governs state IT through executive order and Department of General Services procurement.

Who it applies to. State agencies and their IT vendors; the breach law also reaches businesses and agencies that maintain personal information of Pennsylvania residents.

What it requires. The Breach of Personal Information Notification Act (as amended in 2022) requires notifying affected individuals after a breach of personal information, with specific obligations for state agencies and their contractors. An executive order establishes enterprise information-technology governance for the commonwealth.

Why it matters. Vendors handling Pennsylvania residents' personal data — especially under state contracts — must meet the breach-notification requirements, which the 2022 amendments strengthened for government contractors.

Citation. Pennsylvania Breach of Personal Information Notification Act (2022 amendments); Pa. Executive Order 2016-06 (Enterprise Information Technology Governance); procurement under 62 Pa. Cons. Stat. § 101 et seq.

In plain terms. Pennsylvania's security expectations for vendors are set in its IT security policies.

Who it applies to. State agencies and their IT and service-organization vendors.

What it requires. The state Information Security Policy sets baseline security requirements, and the policy on computing services provided by service organizations governs how outside providers must protect commonwealth data.

Why it matters. Service providers should expect to meet Pennsylvania's information-security policy and the specific requirements for service organizations.

Citation. Pennsylvania ITP-SEC000 (Information Security Policy) and ITP-SEC040 (Computing Services Provided By Service Organizations).