PRIOR PRINTER'S NO. 67
PRINTER'S NO. 367
THE GENERAL ASSEMBLY OF PENNSYLVANIA
INTRODUCED BY PILEGGI, VULAKOVICH, SCARNATI, FARNESE, WASHINGTON, ROBBINS, MENSCH, ERICKSON, FONTANA, SCHWANK, KASUNIC, RAFFERTY, ALLOWAY, TARTAGLIONE, HUGHES, YAW, WILLIAMS, BOSCOLA, GREENLEAF, FERLO, WARD, YUDICHAK, FOLMER, GORDNER, VANCE, WAUGH, BREWSTER, BRUBAKER, BAKER, TOMLINSON AND BROWNE, JANUARY 9, 2013
SENATOR VULAKOVICH, COMMUNICATIONS AND TECHNOLOGY, AS AMENDED, FEBRUARY 6, 2013
1Amending the act of December 22, 2005 (P.L.474, No.94), entitled
2"An act providing for the notification of residents whose
3personal information data was or may have been disclosed due
4to a security system breach; and imposing penalties," further
5providing for notification of breach<-; and providing for
6investigation of breach involving a State agency, for
7investigation of breach involving a county, school district
8or municipality and for individuals responsible for breach.
14Section 3. Notification of breach.
15* * *
1system required under subsection (a) within seven days following
2discovery of the breach. Notification shall be provided to the
3Office of Attorney General within three business days following
4discovery of the breach. <-A State agency under the Governor's
5jurisdiction shall also provide notice of a breach of its
6security system to the Governor's Office of Administration
7within three business days following the discovery of the
8breach. Notification shall occur regardless of the existence of
9procedures and policies under section 7.
10(a.2) Notification by county, school district or
11municipality.--If a county, school district or municipality is
12the subject of a breach of security of the system, the county,
13school district or municipality shall provide notice of the
14breach of security of the system required under subsection (a)
15within seven days following discovery of the breach.
16Notification shall be provided to the district attorney in the
17county in which the breach occurred within three business days
18following discovery of the breach. Notification shall occur
19regardless of the existence of procedures and policies under
21* * *
<-22Section 2. The act is amended by adding sections to read:
23Section 3.1. Investigation of breach involving a State agency.
24(a) Investigation.--Upon receipt of notification under
25section 3(a.1), the Office of Attorney General shall investigate
26the breach. The investigation shall include a review of
27procedures, a determination of the cause of the breach and
28recommendations to the agency relating to prevention of similar
29breaches in the future.
30(b) Cost.--The cost of the investigation shall be paid by
1the agency in which the breach occurred.
4(a) Investigation.--Upon receipt of notification under
5section 3(a.2), the district attorney shall investigate the
6breach. The investigation shall include a review of procedures,
7a determination of the cause of the breach and recommendations
8to the county, school district or municipality relating to
9prevention of similar breaches in the future.
13(c) Attorney General.--If the district attorney determines
14that the breach of security of the system warrants an
15investigation by the Office of Attorney General, the district
16attorney may request that the Attorney General join or take over
18Section 3.3. Individuals responsible for breach.
19Notwithstanding any other provision of this act, if a breach
20of security of the system was caused by an intentional act or
21misuse of the system or intentional unauthorized access to the
22system, an individual determined by a court to be responsible
23for the breach may be ordered by the court to pay for the cost
24of the investigation and the cost of repairing and restoring the
26Section <-3 2. This act shall take effect in 60 days.