
Pennsylvania: Data Protection in the Financial Sector


1. Governing Texts

1.1. Legislation

Pennsylvania's financial privacy and safeguards laws are specifically targeted towards insurers. The privacy of consumer financial information used by insurers is protected under Chapter 146a of Title 31 of the Pennsylvania Code ('Pa. Code') ('Privacy of Consumer Financial Information Law'). The safeguarding of consumer financial information used by insurers is protected under Chapter 146c of Title 31 of the Pa. Code ('the Standards for Safeguarding Law'). Both Chapters 146a and 146c of the Pa. Code are largely based on the National Association of Insurance Commissioners ('NAIC') Privacy of Consumer Financial and Health Information Regulation 672 ('the NAIC Model Regulation'). The NAIC Model Regulation was originally created to satisfy the minimum standards for financial information privacy in the Gramm-Leach-Bliley Act of 1999 (GLBA).1 Therefore, many of the requirements of Pennsylvania's financial privacy law can be met by compliance with the GLBA.

As such, the:

  • privacy of consumer financial information used by insurers is protected under the Privacy of Consumer Financial Information Law; and
  • safeguarding of consumer financial information used by insurers is protected under the Standards for Safeguarding Law.

1.2. Supervisory authorities

The Insurance Commissioner of the Commonwealth ('the Insurance Commissioner') is the relevant supervisory authority.

2. Personal and Financial Data Management

2.1. Legal basis for processing

Not applicable.

2.2. Privacy notices and policies

Insurers under the Privacy of Consumer Financial Information Law are required to 'provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship' (Pa. Code §146a.12(a)(1)). Insurers that use a federal model privacy form to populate their privacy notice will be found to be compliant with the requirements of the law (Pa. Code §146a.3(a)). Similar to the GLBA, insurers are required to provide an initial notice of their privacy policies and practices and an annual notice of their privacy policies and practices.

2.3. Data security and risk management

Similar to the GLBA, an insurer is required to 'implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information' (Pa. Code §146c.3). The information security program should do the following (Pa. Code §146c.4):

  • safeguard the security and confidentiality of customer information;
  • protect against any reasonably anticipated threats or hazards to the security or integrity of the information; and
  • protect against unauthorised access to or use of the information that could result in substantial harm or inconvenience to any customer.

2.4. Data retention/record keeping

There are no specific record retention requirements specified under Pennsylvanian law.

The Pennsylvania Insurance Department's guidance states that the general requirement for retention of records is seven years from the execution of the record, unless otherwise specified. Please note that this guidance is specific to the insurance sector. Furthermore, under §6135(a) of Subchapter D of Part II of Part I of Title 7 of the Pennsylvania Consolidated Statutes ('Pa. Cons. Stat.'), known as the Pennsylvania Mortgage Licensing Act, mortgage lenders must retain specified records for a minimum of four years.

3. Financial Reporting and Money Laundering

Under §5111 of Subchapter A of Chapter 51 of Article E of Part II of Title 18 of the Pa. Cons. Stat., a person commits a felony of the first degree if the person conducts a financial transaction under any of the following circumstances:

  • with knowledge that the property involved, including stolen or illegally obtained property, represents the proceeds of unlawful activity, the person acts with the intent to promote the carrying on of the unlawful activity;
  • with knowledge that the property involved, including stolen or illegally obtained property, represents the proceeds of unlawful activity and that the transaction is designed in whole or in part to conceal or disguise the nature, location, source, ownership or control of the proceeds of unlawful activity; or
  • to avoid a transaction reporting requirement under state or Federal law.

4. Banking Secrecy and Confidentiality

There is no legislation that specifically addresses this issue.

5. Insurance

See section 2 on Personal and Financial Data Management.

6. Payment Services

Pennsylvania has a money transmitter statute in the Money Transmission Business Licensing Law (Act of Nov. 3, 2016, P.L. 1002, No. 129), although there are no privacy-related requirements.

7. Data Transfers and Outsourcing

There are no sector-specific requirements in relation to the transfer of personal data by financial institutions or their use of third parties/cloud computing.

8. Breach Notification

General data breach notification laws apply to financial institutions in Pennsylvania. To the extent a financial institution complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, the financial institution will be found in compliance with the Unfair Trade Practices and Consumer Protection Law.

For more information on breach notification please see Pennsylvania - Data Breach.

9. Fintech

There are no sector-specific requirements for financial institutions when using Fintech.

10. Enforcement

Violations of Chapters 146a and 146c of the Pa. Code are considered to be an unfair method of competition and an unfair or deceptive act or practice, and are subject to any applicable penalties or remedies contained in the Unfair Insurance Practices Act ('UIPA'). For each unfair method of competition or unfair or deceptive act or practice as defined by the UIPA, which the person knew or reasonably should have known was such a violation, the court may impose a penalty of not more than $5,000 per violation, not to exceed an aggregate penalty of $50,000 in any six-month period.

11. Additional Areas of Interest

Not applicable.

  1. NAIC Privacy of Consumer Financial and Health Information Model Regulation: Frequently Asked Questions, Jan. 2001.

Philip N. Yannella Partner
[email protected]
Ballard Spahr, Philadelphia
