PRINTER'S NO. 2925
No. 2006 Session of 2005
INTRODUCED BY PRESTON, FLICK, THOMAS, BAKER, BELFANTI, BOYD,
CALTAGIRONE, CLYMER, GERGELY, GRUCELA, HARHAI, HERMAN, JAMES,
JOSEPHS, MARKOSEK, McCALL, MUNDY, O'NEILL, PALLONE, PETRARCA,
PETRONE, READSHAW, REICHLEY, RUBLEY, SAINATO, SANTONI,
SIPTROTH, SHAPIRO, SOLOBAY, SURRA, TANGRETTI, E. Z. TAYLOR,
TIGUE, WALKO AND WOJNAROSKI, OCTOBER 25, 2005
REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, OCTOBER 25, 2005
AN ACT
1 Providing for breach of security of identifying information and
2 for penalties.
3 The General Assembly of the Commonwealth of Pennsylvania
4 hereby enacts as follows:
5 Section 1. Short title.
6 This act shall be known and may be cited as the Breach of
7 Personal Information Data Notification Act.
8 Section 2. Definitions.
9 The following words and phrases when used in this act shall
10 have the meanings given to them in this section unless the
11 context clearly indicates otherwise:
12 "Breach of the security of a system." The unauthorized
13 access and acquisition of unencrypted and unredacted
14 computerized data that compromises the security or
15 confidentiality of personal information maintained by an
16 individual or entity as part of a database of personal
1 information regarding multiple individuals and that causes or
2 the individual or entity reasonably believes has caused or will
3 cause identity theft or other fraud to any resident of this
4 Commonwealth. Good faith acquisition of personal information by
5 an employee or agent of an individual or entity for the purposes
6 of the individual or the entity is not a breach of the security
7 of the system if the personal information is not used for a
8 purpose other than a lawful purpose of the individual or entity
9 or subject to further unauthorized disclosure.
10 "Encrypted." Transformation of data through the use of an
11 algorithmic process into a form in which there is a low
12 probability of assigning meaning without use of a confidential
13 process or key or securing the information by another method
14 that renders the data elements unreadable or unusable.
15 "Entity." The term includes corporations, business trusts,
16 estates, partnerships, limited partnerships, limited liability
17 partnerships, limited liability companies, associations,
18 organizations, joint ventures, governments, governmental
19 subdivisions, agencies or instrumentalities or any other legal
20 entity, whether for profit or not for profit.
21 "Financial institution." The term as defined in section
22 509(3) of the Gramm-Leach-Bliley Act (Public Law 106-102, 15
23 U.S.C. § 6809(3)).
24 "Individual." A natural person.
25 "Notice." All of the following methods of notification:
26 (1) Notification to major Statewide media.
27 (2) One of the following methods of notification:
28 (i) Written notice.
29 (ii) Electronic notice, if the notice provided is
30 consistent with the provisions regarding electronic
20050H2006B2925 - 2 -
1 records and signatures set forth in section 701 of the
2 Electronic Signatures in Global and National Commerce Act
3 (Public Law 106-229, 15 U.S.C. § 7001).
4 (iii) (A) Substitute notice, if the entity
5 demonstrates one of the following:
6 (I) The cost of providing notice would
7 exceed $50,000.
8 (II) The affected class of subject persons
9 to be notified exceeds $100,000.
10 (III) The entity does not have sufficient
11 contact information.
12 (B) Substitute notice shall consist of all of
13 the following:
14 (I) E-mail notice when the entity has an e-
15 mail address for the subject persons.
16 (II) Conspicuous posting of the notice on
17 the entity's Internet website, if the entity
18 maintains one.
19 "Personal information."
20 (1) The first name or first initial and last name linked
21 to any one or more of the following data elements that relate
22 to a resident of this Commonwealth, when the data elements
23 are neither encrypted or redacted:
24 (i) Social Security number.
25 (ii) Driver's license number or State identification
26 card number issued in lieu of a driver's license.
27 (iii) Financial account number, credit card number
28 or debit card number, in combination with any required
29 security code, access code or password that would permit
30 access to a resident's financial accounts.
20050H2006B2925 - 3 -
1 (2) The term does not include information that is
2 lawfully obtained from publicly available information or from
3 Federal, State or local government records lawfully made
4 available to the general public.
5 "Redact." Alteration or truncation of data so that no more
6 than the last four digits of a Social Security number, driver's
7 license number, State identification card number or account
8 number is accessible as part of the personal information.
9 Section 3. Disclosure of breach of security of computerized
10 personal information by an individual or entity.
11 (a) General rule.--An individual or entity that owns or
12 licenses computerized data that includes personal information
13 shall disclose any breach of the security of the system
14 following discovery or notification of the breach of the
15 security of the system to any resident of this Commonwealth
16 whose unencrypted and unredacted personal information was or is
17 reasonably believed to have been accessed and acquired by an
18 unauthorized person and that causes or the individual or entity
19 reasonably believes has caused or will cause identity theft or
20 other fraud to any resident of this Commonwealth. Except as
21 provided in subsection (d) or in order to take any measures
22 necessary to determine the scope of the breach and to restore
23 the reasonable integrity of the system, the disclosure shall be
24 made without unreasonable delay.
25 (b) Encrypted information.--An individual or entity must
26 disclose the breach of the security of the system if encrypted
27 information is accessed and acquired in an unencrypted form or
28 if the security breach involves a person with access to the
29 encryption key and the individual or entity reasonably believes
30 that the breach has caused or will cause identity theft or other
20050H2006B2925 - 4 -
1 fraud to any resident of this Commonwealth.
2 (c) Notification.--An individual or entity that maintains
3 computerized data that includes personal information that the
4 individual or entity does not own or license shall notify the
5 owner or licensee of the information of any breach of the
6 security of the system as soon as practicable following
7 discovery.
8 (d) Delay in notification.--Notice required by this section
9 may be delayed if a law enforcement agency determines and
10 advises the individual or entity that the notice will impede a
11 criminal or civil investigation, or jeopardize homeland or
12 national security. Notice required by this section must be made
13 without unreasonable delay after the law enforcement agency
14 determines that notification will no longer impede the
15 investigation or jeopardize national or homeland security.
16 Section 4. Procedures deemed in compliance with security breach
17 requirements.
18 (a) Information privacy or security policy.--An entity that
19 maintains its own notification procedures as part of an
20 information privacy or security policy for the treatment of
21 personal information and that are consistent with the timing
22 requirements of this act shall be deemed to be in compliance
23 with the notification requirements of this act if it notifies
24 residents of this Commonwealth in accordance with its procedures
25 in the event of a breach of security of the system.
26 (b) Compliance with Federal requirements.--
27 (1) A financial institution that complies with the
28 notification requirements prescribed by the Federal
29 Interagency Guidance on Response Programs for Unauthorized
30 Access to Customer Information and Customer Notice shall be
20050H2006B2925 - 5 -
1 deemed to be in compliance with this act.
2 (2) An entity that complies with the notification
3 requirements or procedures pursuant to the rules,
4 regulations, procedures or guidelines established by the
5 entity's primary or functional Federal regulator shall be
6 deemed to be in compliance with this act.
7 Section 5. Preemption.
8 This act deals with subject matter that is of Statewide
9 concern and it is the intent of the General Assembly that this
10 act shall supersede and preempt all rules, regulations, codes,
11 statutes or ordinances of all cities, counties, municipalities
12 and other local agencies within this Commonwealth regarding the
13 matters expressly set forth in this act.
14 Section 6. Violations.
15 (a) Unfair or deceptive act or practice.--A violation of
16 this act shall be deemed to be an unfair or deceptive act or
17 practice in violation of the act of December 17, 1968 (P.L.1224,
18 No.387), known as the Unfair Trade Practices and Consumer
19 Protection Law. Except as provided in subsection (b), the Office
20 of Attorney General shall have exclusive authority to bring an
21 action under the Unfair Trade Practices and Consumer Protection
22 Law for a violation of this act.
23 (b) Certain violations.--The primary governmental regulating
24 agency of a State-chartered or State-licensed financial
25 institution shall have exclusive authority to bring an action
26 under the Unfair Trade Practices and Consumer Protection Law for
27 a violation by a State-chartered or State-licensed financial
28 institution of this act.
29 (c) Additional penalties.--In addition to any penalties
30 provided for by the Unfair Trade Practices and Consumer
20050H2006B2925 - 6 -
1 Protection Law, the Office of Attorney General or a primary
2 governmental regulating agency may bring a civil action to
3 obtain one of the following:
4 (1) Actual damages for a violation of this act.
5 (2) A civil penalty not to exceed $150,000 per breach of
6 a security system or a series of breaches of a security
7 system that are similar in nature and discovered in a single
8 investigation.
9 Section 7. Applicability.
10 This act shall apply to the discovery or notification of a
11 breach of the security of the system that occurs on or after the
12 effective date of this act.
13 Section 20. Effective date.
14 This act shall take effect in 120 days.
J17L35MSP/20050H2006B2925 - 7 -