                                                      PRINTER'S NO. 1169

THE GENERAL ASSEMBLY OF PENNSYLVANIA


HOUSE BILL

No. 1023 Session of 2005


        INTRODUCED BY PRESTON, FLICK, SHAPIRO, READSHAW, CRAHALLA,
           ROONEY, SAINATO, SOLOBAY, TANGRETTI, BLACKWELL, BOYD,
           CALTAGIRONE, GEORGE, GOOD, HALUSKA, HARRIS, HENNESSEY,
           HERSHEY, JAMES, JOSEPHS, KIRKLAND, LEACH, MAHER, MARKOSEK,
           McCALL, McGEEHAN, MUNDY, PALLONE, PETRONE, PISTELLA, STURLA,
           TIGUE, WALKO, WANSACZ, WHEATLEY AND YOUNGBLOOD,
           MARCH 16, 2005

        REFERRED TO COMMITTEE ON JUDICIARY, MARCH 16, 2005

                                     AN ACT

     1  Providing for the notification of residents whose personal
     2     information data was or may have been disclosed due to a
     3     security system breach; and providing for penalties.

     4     The General Assembly of the Commonwealth of Pennsylvania
     5  hereby enacts as follows:
     6  Section 1.  Short title.
     7     This act shall be known and may be cited as the Breach of
     8  Personal Information Data Notification Act.
     9  Section 2.  Definitions.
    10     The following words and phrases when used in this act shall
    11  have the meanings given to them in this section unless the
    12  context clearly indicates otherwise:
    13     "Breach of the security of the system."  The unauthorized
    14  acquisition of computerized data that compromises the security,
    15  confidentiality or integrity of personal information maintained
    16  by the entity. Good faith acquisition of personal information by

     1  an employee or agent of the entity for the purposes of the
     2  entity is not a breach of the security of the system if the
     3  personal information is not used or subject to further
     4  unauthorized disclosure.
     5     "Business."  A sole proprietorship, partnership, corporation,
     6  association or other group, however organized and whether or not
     7  organized to operate at a profit, including a financial
     8  institution organized, chartered or holding a license or
     9  authorization certificate under the laws of this Commonwealth,
    10  any other state, the United States or any other country, or the
    11  parent or the subsidiary of a financial institution. The term
    12  includes an entity that destroys records.
    13     "Customer."  An individual who provides personal information
    14  to a business for the purpose of purchasing or leasing a product
    15  or obtaining a service from the business.
    16     "Entity."  A State agency or an individual or a business
    17  doing business in this Commonwealth.
    18     "Individual."  A natural person.
    19     "Notice."
    20         (1)  Except as provided in paragraph (2), all of the
    21     following methods of notification:
    22             (i)  Notification to major Statewide media.
    23             (ii)  One of the following methods of notification:
    24                 (A)  Written notice.
    25                 (B)  Electronic notice, if the notice provided is
    26             consistent with the provisions regarding electronic
    27             records and signatures set forth in section 701 of
    28             the Electronic Signatures in Global and National
    29             Commerce Act (Public Law 106-229, 15 U.S.C. § 7001).
    30                 (C)  (I)  Substitute notice, if the entity
    20050H1023B1169                  - 2 -     

     1                 demonstrates one of the following:
     2                         (a)  The cost of providing notice would
     3                     exceed $250,000.
     4                         (b)  The affected class of subject
     5                     persons to be notified exceeds $500,000.
     6                         (c)  The entity does not have sufficient
     7                     contact information.
     8                     (II)  Substitute notice shall consist of all
     9                 of the following:
    10                         (a)  E-mail notice when the entity has an
    11                     e-mail address for the subject persons.
    12                         (b)  Conspicuous posting of the notice on
    13                     the entity's Internet website, if the entity
    14                     maintains one.
    15         (2)  Notwithstanding the provisions of paragraph (1), an
    16     entity that maintains its own notification procedures as part
    17     of an information security policy for the treatment of
    18     personal information and is otherwise consistent with the
    19     timing requirements of this act shall be deemed to be in
    20     compliance with the notification requirements of this act if
    21     it notifies subject persons in accordance with its policies
    22     in the event of a breach of security of the system.
    23     "Personal information."
    24         (1)  An individual's first name or first initial and last
    25     name in combination with any one or more of the following
    26     data elements, when either the name or data elements are not
    27     encrypted:
    28             (i)  Social Security number.
    29             (ii)  Driver's license number or identification card
    30         number.

     1             (iii)  Account number, credit or debit card number,
     2         in combination with any required security code, access
     3         code or password that would permit access to an
     4         individual's financial account.
     5         (2)  The term does not include publicly available
     6     information that is lawfully made available to the general
     7     public from Federal, State or local government records.
     8     "Records."  Any material, regardless of the physical form, on
     9  which information is recorded or preserved by any means,
    10  including in written or spoken words, graphically depicted,
    11  printed or electromagnetically transmitted. The term does not
    12  include publicly available directories containing information an
    13  individual has voluntarily consented to have publicly
    14  disseminated or listed, such as name, address or telephone
    15  number.
    16     "State agency."  Any agency, board, commission, authority or
    17  department of the Commonwealth and the General Assembly.
    18  Section 3.  Disclosure of owned or licensed computerized data.
    19     An entity that owns or licenses computerized data that
    20  includes personal information shall disclose any breach of the
    21  security of the system following discovery or notification of
    22  the breach in the security of the data to any resident of this
    23  Commonwealth whose unencrypted personal information was or is
    24  reasonably believed to have been acquired by an unauthorized
    25  person. Except as provided in section 5 (relating to exception)
    26  or in order to take any measures necessary to determine the
    27  scope of the breach and to restore the reasonable integrity of
    28  the data system, the disclosure shall be made in the most
    29  expedient time possible and without unreasonable delay.
    30  Section 4.  Disclosure of maintained computerized data.

     1     An entity that maintains computerized data that includes
     2  personal information that the entity does not own shall notify
     3  the owner or licensee of the information of any breach of the
     4  security of the data immediately following discovery, if the
     5  personal information was or is reasonably believed to have been
     6  acquired by an unauthorized person.
     7  Section 5.  Exception.
     8     The notification required by this act may be delayed if a law
     9  enforcement agency determines that the notification will impede
    10  a criminal investigation. The notification required by this act
    11  shall be made after the law enforcement agency determines that
    12  it will not compromise the investigation.
    13  Section 6.  Violations.
    14     A violation of this act shall be deemed to be a violation of
    15  the act of December 17, 1968 (P.L.1224, No.387), known as the
    16  Unfair Trade Practices and Consumer Protection Law.
    17  Section 10.  Applicability.
    18     This act shall apply to the discovery or notification of a
    19  breach in the security of personal information data that occurs
    20  on or after the effective date of this section.
    21  Section 11.  Effective date.
    22     This act shall take effect in 60 days.






    C8L35MSP/20050H1023B1169         - 5 -