PRINTER'S NO. 40
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL No. 33
Session of 2017
INTRODUCED BY THOMAS, SCHLOSSBERG, ROZZI, DRISCOLL, BIZZARRO, V. BROWN AND SOLOMON, JANUARY 23, 2017
REFERRED TO COMMITTEE ON COMMERCE, JANUARY 23, 2017
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled "An act providing for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposing penalties," further providing for notification of breach.
The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:
Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended to read:
Section 3. Notification of breach.
(a) General rule.--An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Notice shall also be provided to the Attorney General and the
Cybersecurity Coordinator. Except as provided in section 4 or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made [without unreasonable delay] no later than 30 days after discovery of the breach. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.
(b) Encrypted information.--An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.
(c) Vendor notification.--A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this act.
Section 2. This act shall take effect in 60 days.
20170HB0033PN0040 - 2 -