PRIOR PRINTER'S NOS. 3356, 3634
PRINTER'S NO. 3711
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No. 2167, Session of 2014
INTRODUCED BY SWANGER, COHEN, COX, DENLINGER, GABLER, GROVE, HARPER, HEFFLEY, KORTZ, MILLARD, MURT, ROAE, SACCONE, SCHLOSSBERG, TOEPEL, TURZAI AND McNEILL, APRIL 9, 2014
AS AMENDED, ON SECOND CONSIDERATION, HOUSE OF REPRESENTATIVES, JUNE 10, 2014
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled "An act providing for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposing penalties," further providing for notification of breach.
The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:
Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended by adding subsections to read:
Section 3. Notification of breach.
* * *
(a.1) Notification by State agency.--If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor's jurisdiction shall also provide notice of a breach of security of the system to the Governor's Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
(a.2) Notification by county, school district or municipality.--If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
(a.3) Storage policy.--
(1) The Governor's Office of Administration shall develop a policy to govern the proper storage by State agencies under the Governor's jurisdiction of data which includes personally identifiable information. As permitted by Federal or State law or regulation, the policy shall address identifying, collecting, maintaining, displaying and transferring personally identifiable information, using personally identifiable information in test environments, remediating personally identifiable information stored on legacy systems and other relevant issues. A goal of the policy shall be to reduce the risk of future breaches of security of the system.
(2) In developing the policy under paragraph (1), the Governor's Office of Administration shall consider Federal and State law, regulation or both, similar existing policies in other states, best practices identified by other states and relevant studies and other sources as appropriate. The policy shall be reviewed at least annually and updated as necessary.
* * *
Section 2. This act shall take effect in 60 days.