See other bills
under the
same topic
PRINTER'S NO. 3922
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
2369
Session of
2015
INTRODUCED BY THOMAS, SEPTEMBER 26, 2016
REFERRED TO COMMITTEE ON JUDICIARY, SEPTEMBER 26, 2016
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled
"An act providing for the notification of residents whose
personal information data was or may have been disclosed due
to a security system breach; and imposing penalties,"
providing for disposal of materials containing personal
information.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The act of December 22, 2005 (P.L.474, No.94),
known as the Breach of Personal Information Notification Act, is
amended by adding a section to read:
Section 5.1. Disposal of materials containing personal
information.
(a) Method of disposal.--A business, entity or individual
shall dispose of material containing personal information in a
manner that renders the personal information unreadable,
unusable and undecipherable. Proper disposal methods include,
but are not limited to:
(1) Redaction, burning, pulverization or shredding of
paper documents so that personal information cannot
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
practicably be read or reconstructed.
(2) Destruction or erasure of electronic media and other
non-paper media so that personal information cannot
practicably be read or reconstructed.
(b) Third party contracts.-- A business, entity or individual
disposing of materials containing personal information may
contract with a third party to dispose of the materials in
accordance with this section. A third party that contracts with
a business, entity or individual to dispose of materials
containing personal information shall implement and monitor
compliance with policies and procedures that prohibit
unauthorized access to, acquisition of or use of personal
information during the collection, transportation and disposal
of materials containing personal information.
(c) Penalties.--A business, entity or individual , including
a third party referenced in subsection (b), who violates this
section is subject to a civil penalty of not more than $100 for
each individual with respect to whom personal information is
disposed of in violation of this section. A civil penalty may
not, however, exceed $50,000 for each instance of improper
disposal of materials containing personal information. The
Attorney General may impose a civil penalty after notice to the
person accused of violating this section and an opportunity for
hearing. The Attorney General may file a civil action in the
appropriate court of common pleas to recover a penalty imposed
under this section.
(d) Attorney General's authority.-- In addition to the
authority to impose a civil penalty under subsection (c), the
Attorney General may bring an action in the appropriate court of
common pleas to remedy a violation of this section, seeking any
20160HB2369PN3922 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
appropriate relief.
(e) Exceptions.-- A financial institution subject to 15
U.S.C. Ch. 94 (relating to privacy) or any business, entity or
individual subject to 15 U.S.C. ยง 1681w (relating to disposal of
records) is exempt from this section.
Section 2. This act shall take effect in 60 days.
20160HB2369PN3922 - 3 -
1
2
3
4
5
6