PRINTER'S NO. 1169
No. 1023 Session of 2005
INTRODUCED BY PRESTON, FLICK, SHAPIRO, READSHAW, CRAHALLA, ROONEY, SAINATO, SOLOBAY, TANGRETTI, BLACKWELL, BOYD, CALTAGIRONE, GEORGE, GOOD, HALUSKA, HARRIS, HENNESSEY, HERSHEY, JAMES, JOSEPHS, KIRKLAND, LEACH, MAHER, MARKOSEK, McCALL, McGEEHAN, MUNDY, PALLONE, PETRONE, PISTELLA, STURLA, TIGUE, WALKO, WANSACZ, WHEATLEY AND YOUNGBLOOD, MARCH 16, 2005
REFERRED TO COMMITTEE ON JUDICIARY, MARCH 16, 2005
AN ACT 1 Providing for the notification of residents whose personal 2 information data was or may have been disclosed due to a 3 security system breach; and providing for penalties. 4 The General Assembly of the Commonwealth of Pennsylvania 5 hereby enacts as follows: 6 Section 1. Short title. 7 This act shall be known and may be cited as the Breach of 8 Personal Information Data Notification Act. 9 Section 2. Definitions. 10 The following words and phrases when used in this act shall 11 have the meanings given to them in this section unless the 12 context clearly indicates otherwise: 13 "Breach of the security of the system." The unauthorized 14 acquisition of computerized data that compromises the security, 15 confidentiality or integrity of personal information maintained 16 by the entity. Good faith acquisition of personal information by
1 an employee or agent of the entity for the purposes of the 2 entity is not a breach of the security of the system if the 3 personal information is not used or subject to further 4 unauthorized disclosure. 5 "Business." A sole proprietorship, partnership, corporation, 6 association or other group, however organized and whether or not 7 organized to operate at a profit, including a financial 8 institution organized, chartered or holding a license or 9 authorization certificate under the laws of this Commonwealth, 10 any other state, the United States or any other country, or the 11 parent or the subsidiary of a financial institution. The term 12 includes an entity that destroys records. 13 "Customer." An individual who provides personal information 14 to a business for the purpose of purchasing or leasing a product 15 or obtaining a service from the business. 16 "Entity." A State agency or an individual or a business 17 doing business in this Commonwealth. 18 "Individual." A natural person. 19 "Notice." 20 (1) Except as provided in paragraph (2), all of the 21 following methods of notification: 22 (i) Notification to major Statewide media. 23 (ii) One of the following methods of notification: 24 (A) Written notice. 25 (B) Electronic notice, if the notice provided is 26 consistent with the provisions regarding electronic 27 records and signatures set forth in section 701 of 28 the Electronic Signatures in Global and National 29 Commerce Act (Public Law 106-229, 15 U.S.C. § 7001). 30 (C) (I) Substitute notice, if the entity 20050H1023B1169 - 2 -
1 demonstrates one of the following: 2 (a) The cost of providing notice would 3 exceed $250,000. 4 (b) The affected class of subject 5 persons to be notified exceeds $500,000. 6 (c) The entity does not have sufficient 7 contact information. 8 (II) Substitute notice shall consist of all 9 of the following: 10 (a) E-mail notice when the entity has an 11 e-mail address for the subject persons. 12 (b) Conspicuous posting of the notice on 13 the entity's Internet website, if the entity 14 maintains one. 15 (2) Notwithstanding the provisions of paragraph (1), an 16 entity that maintains its own notification procedures as part 17 of an information security policy for the treatment of 18 personal information and is otherwise consistent with the 19 timing requirements of this act shall be deemed to be in 20 compliance with the notification requirements of this act if 21 it notifies subject persons in accordance with its policies 22 in the event of a breach of security of the system. 23 "Personal information." 24 (1) An individual's first name or first initial and last 25 name in combination with any one or more of the following 26 data elements, when either the name or data elements are not 27 encrypted: 28 (i) Social Security number. 29 (ii) Driver's license number or identification card 30 number. 20050H1023B1169 - 3 -
1 (iii) Account number, credit or debit card number, 2 in combination with any required security code, access 3 code or password that would permit access to an 4 individual's financial account. 5 (2) The term does not include publicly available 6 information that is lawfully made available to the general 7 public from Federal, State or local government records. 8 "Records." Any material, regardless of the physical form, on 9 which information is recorded or preserved by any means, 10 including in written or spoken words, graphically depicted, 11 printed or electromagnetically transmitted. The term does not 12 include publicly available directories containing information an 13 individual has voluntarily consented to have publicly 14 disseminated or listed, such as name, address or telephone 15 number. 16 "State agency." Any agency, board, commission, authority or 17 department of the Commonwealth and the General Assembly. 18 Section 3. Disclosure of owned or licensed computerized data. 19 An entity that owns or licenses computerized data that 20 includes personal information shall disclose any breach of the 21 security of the system following discovery or notification of 22 the breach in the security of the data to any resident of this 23 Commonwealth whose unencrypted personal information was or is 24 reasonably believed to have been acquired by an unauthorized 25 person. Except as provided in section 5 (relating to exception) 26 or in order to take any measures necessary to determine the 27 scope of the breach and to restore the reasonable integrity of 28 the data system, the disclosure shall be made in the most 29 expedient time possible and without unreasonable delay. 30 Section 4. Disclosure of maintained computerized data. 20050H1023B1169 - 4 -
1 An entity that maintains computerized data that includes 2 personal information that the entity does not own shall notify 3 the owner or licensee of the information of any breach of the 4 security of the data immediately following discovery, if the 5 personal information was or is reasonably believed to have been 6 acquired by an unauthorized person. 7 Section 5. Exception. 8 The notification required by this act may be delayed if a law 9 enforcement agency determines that the notification will impede 10 a criminal investigation. The notification required by this act 11 shall be made after the law enforcement agency determines that 12 it will not compromise the investigation. 13 Section 6. Violations. 14 A violation of this act shall be deemed to be a violation of 15 the act of December 17, 1968 (P.L.1224, No.387), known as the 16 Unfair Trade Practices and Consumer Protection Law. 17 Section 10. Applicability. 18 This act shall apply to the discovery or notification of a 19 breach in the security of personal information data that occurs 20 on or after the effective date of this section. 21 Section 11. Effective date. 22 This act shall take effect in 60 days. C8L35MSP/20050H1023B1169 - 5 -