PRINTER'S NO. 859
No. 712 Session of 2005
INTRODUCED BY WONDERLING, C. WILLIAMS, CORMAN, RAFFERTY,
WOZNIAK, GORDNER, PILEGGI, KITCHEN, EARLL, VANCE, ERICKSON,
M. WHITE, LEMMOND, FERLO, O'PAKE, RHOADES, BOSCOLA,
GREENLEAF, BROWNE, THOMPSON AND STACK, JUNE 3, 2005
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, JUNE 3, 2005
AN ACT
1 Providing for the notification of residents whose personal
2 information data was or may have been disclosed due to a
3 security system breach; and imposing penalties.
4 The General Assembly of the Commonwealth of Pennsylvania
5 hereby enacts as follows:
6 Section 1. Short title.
7 This act shall be known and may be cited as the Breach of
8 Personal Information Notification Act.
9 Section 2. Definitions.
10 The following words and phrases when used in this act shall
11 have the meanings given to them in this section unless the
12 context clearly indicates otherwise:
13 "Breach of the security of the system." The unauthorized
14 acquisition of computerized data that compromises the security
15 or confidentiality of personal information maintained by the
16 entity as part of a database of personal information regarding
17 multiple individuals and that causes or the entity reasonably
1 believes has caused or will cause harm, inconvenience, loss or
2 injury to any resident of this Commonwealth. Good faith
3 acquisition of personal information by an employee or agent of
4 the entity for the purposes of the entity is not a breach of the
5 security of the system if the personal information is not used
6 for a purpose other than the lawful purpose of the entity and is
7 not subject to further unauthorized disclosure.
8 "Business." A sole proprietorship, partnership, corporation,
9 association or other group, however organized and whether or not
10 organized to operate at a profit, including a financial
11 institution organized, chartered or holding a license or
12 authorization certificate under the laws of this Commonwealth,
13 any other state, the United States or any other country, or the
14 parent or the subsidiary of a financial institution. The term
15 includes an entity that destroys records.
16 "Encryption." The use of an algorithmic process to transform
17 data into a form in which there is a low probability of
18 assigning meaning without use of a confidential process or key.
19 "Entity." A State agency, a political subdivision of the
20 Commonwealth or an individual or a business doing business in
21 this Commonwealth.
22 "Individual." A natural person.
23 "Notice." May be provided by one of the following methods of
24 notification:
25 (1) Written notice.
26 (2) Electronic notice, if the notice provided is
27 consistent with the provisions regarding electronic records
28 and signatures set forth in section 701 of the Electronic
29 Signatures in Global and National Commerce Act (Public Law
30 106-229, 15 U.S.C. § 7001).
20050S0712B0859 - 2 -
1 (3) (i) Substitute notice, if the entity demonstrates
2 one of the following:
3 (A) The cost of providing notice would exceed
4 $250,000.
5 (B) The affected class of subject persons to be
6 notified exceeds 500,000.
7 (C) The entity does not have sufficient contact
8 information.
9 (ii) Substitute notice shall consist of all of the
10 following:
11 (A) E-mail notice when the entity has an e-mail
12 address for the subject persons.
13 (B) Conspicuous posting of the notice on the
14 entity's Internet website, if the entity maintains
15 one.
16 (C) Notification to major Statewide media.
17 "Personal information."
18 (1) An individual's first name or first initial and last
19 name in combination with and linked to any one or more of the
20 following data elements, when the name and data elements are
21 not encrypted or redacted:
22 (i) Social Security number.
23 (ii) Driver's license number or a State
24 identification card number issued in lieu of a driver's
25 license.
26 (iii) Financial account number, credit or debit card
27 number, in combination with any required security code,
28 access code or password that would permit access to an
29 individual's financial account.
30 (2) The term does not include publicly available
20050S0712B0859 - 3 -
1 information that is lawfully made available to the general
2 public from Federal, State or local government records.
3 "Records." Any material, regardless of the physical form, on
4 which information is recorded or preserved by any means,
5 including in written or spoken words, graphically depicted,
6 printed or electromagnetically transmitted. The term does not
7 include publicly available directories containing information an
8 individual has voluntarily consented to have publicly
9 disseminated or listed, such as name, address or telephone
10 number.
11 "Redact." The term includes, but is not limited to,
12 alteration or truncation such that no more than the last four
13 digits of a Social Security number, driver's license number,
14 State identification card number or account number is accessible
15 as part of the data.
16 "State agency." Any agency, board, commission, authority or
17 department of the Commonwealth and the General Assembly.
18 Section 3. Disclosure of computerized data.
19 (a) General rule.--An entity that owns or licenses
20 computerized data that includes personal information shall
21 disclose any breach of the security of the system following
22 discovery or notification of the breach in the security of the
23 data to any resident of this Commonwealth whose unencrypted and
24 unredacted personal information was or is reasonably believed to
25 have been accessed and acquired by an unauthorized person.
26 Except as provided in section 5 or in order to take any measures
27 necessary to determine the scope of the breach and to restore
28 the reasonable integrity of the data system, the disclosure
29 shall be made in the most expedient time possible and without
30 unreasonable delay.
20050S0712B0859 - 4 -
1 (b) Encrypted information.--An entity must disclose the
2 breach if encrypted information is accessed in an unencrypted
3 form, if the security breach is linked to a breach of the
4 security of the encryption or if the security breach involves a
5 person with access to the encryption key.
6 Section 4. Disclosure of maintained computerized data.
7 An entity that maintains computerized data that includes
8 personal information that the entity does not own shall notify
9 the owner or licensee of the information of any breach of the
10 security of the data immediately following discovery, if the
11 personal information was or is reasonably believed to have been
12 accessed and acquired by an unauthorized person.
13 Section 5. Exceptions.
14 (1) The notification required by this act may be delayed
15 if a law enforcement agency determines that the notification
16 will impede a criminal investigation. The notification
17 required by this act shall be made after the law enforcement
18 agency determines that it will not compromise the
19 investigation or national or homeland security.
20 (2) The notification required by this act is not
21 required if Federal or State authorities responsible for law
22 enforcement are able to determine and provide in writing to
23 the entity as soon as practical notice that the breach is
24 unlikely to result in harm to the individuals whose personal
25 information has been acquired and accessed.
26 Section 6. Preemption.
27 This act deals with subject matter that is of Statewide
28 concern, and it is the intent of the General Assembly that this
29 act shall supersede and preempt all rules, regulations, codes,
30 statutes or ordinances of all cities, counties, municipalities
20050S0712B0859 - 5 -
1 and other local agencies regarding the matters expressly set
2 forth in this act.
3 Section 7. Notice exemption.
4 (a) Information privacy or security policy.--An entity that
5 maintains its own notification procedures as part of an
6 information privacy or security policy for the treatment of
7 personal information and is otherwise consistent with the notice
8 requirements of this act shall be deemed to be in compliance
9 with the notification requirements of this act if it notifies
10 subject persons in accordance with its policies in the event of
11 a breach of security of the system.
12 (b) Compliance with Federal requirements.--A financial
13 institution that complies with the notification requirements
14 prescribed by the Federal Interagency Guidance on Response
15 Programs for Unauthorized Access to Customer Information and
16 Customer Notice is deemed to be in compliance with this act.
17 Section 8. Civil relief.
18 (a) General rule.--The Office of Attorney General may bring
19 a civil action against an entity that willfully or intentionally
20 violates this act.
21 (b) Additional remedies.--In addition to any other remedy
22 provided by law, a person bringing an action under this section
23 may:
24 (1) Seek injunctive relief to restrain the violator from
25 continuing the violation.
26 (2) Recover actual damages arising from the violation of
27 a failure to notify under this act.
28 (3) Seek both injunctive relief and recovery of damages
29 as provided by this subsection.
30 Section 9. Applicability.
20050S0712B0859 - 6 -
1 This act shall apply to the discovery or notification of a
2 breach in the security of personal information data that occurs
3 on or after the effective date of this section.
4 Section 10. Effective date.
5 This act shall take effect in 60 days.
E25L12BIL/20050S0712B0859 - 7 -