PRIOR PRINTER'S NO. 775
PRINTER'S NO. 793
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No.
696
Session of
2021
INTRODUCED BY LAUGHLIN, BARTOLOTTA, STEFANO, J. WARD, HAYWOOD
AND BROOKS, MAY 19, 2021
SENATOR PHILLIPS-HILL, COMMUNICATIONS AND TECHNOLOGY, AS
AMENDED, MAY 24, 2021
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled
"An act providing for the notification of residents whose
personal information data was or may have been disclosed due
to a security system breach; and imposing penalties," further
providing for title of act, for definitions and for
notification of breach; prohibiting employees of the
Commonwealth from using nonsecured Internet connections; and
providing for Commonwealth policy and for entities subject to
the Health Insurance Portability and Accountability Act of
1996.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The title of the act of December 22, 2005
(P.L.474, No.94), known as the Breach of Personal Information
Notification Act, is amended to read:
AN ACT
Providing for security of computerized data and for the
notification of residents whose personal information data was
or may have been disclosed due to a security system breach;
and imposing penalties.
Section 2. The definition of "personal information" in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
section 2 of the act is amended and the section is amended by
adding definitions to read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
* * *
"Health insurance information." An individual's health
insurance policy number or subscriber identification number or
any medical information in an individual's insurance application
and claims history, including any appeals records.
* * *
"Medical information." Any individually identifiable
information contained in or derived from the individual's
current or historical record of medical history or medical
treatment or diagnosis created by a health care professional.
* * *
"Personal information."
(1) An individual's first name or first initial and last
name in combination with and linked to any one or more of the
following data elements when the data elements are not
encrypted or redacted:
(i) Social Security number.
(ii) Driver's license number or a State
identification card number issued in lieu of a driver's
license.
(iii) Financial account number, credit or debit card
number, in combination with any required security code,
access code or password that would permit access to an
individual's financial account.
20210SB0696PN0793 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(iv) Medical information.
(v) Health insurance information.
(vi) A user name or e-mail address, in combination
with a password or security question and answer that
would permit access to an online account.
(2) The term does not include publicly available
information that is lawfully made available to the general
public from Federal, State or local government records.
* * *
"STATE AGENCY CONTRACTOR." A PERSON THAT HAS A CONTRACT WITH
A STATE AGENCY FOR GOODS OR SERVICES AND A THIRD-PARTY
CONTRACTOR TO THE CONTRACT.
Section 3. Section 3 of the act is amended by adding
subsections to read:
Section 3. Notification of breach.
* * *
(a.1) Notification by State agency .--If a State agency is
(A.1) NOTIFICATION BY STATE AGENCY OR STATE AGENCY
CONTRACTOR.--
(1) IF A STATE AGENCY OR STATE AGENCY CONTRACTOR IS the
subject of a breach of security of the system, the State
agency OR STATE AGENCY CONTRACTOR shall provide notice of the
breach of security of the system required under subsection
(a) within seven days following discovery of the breach.
Notification shall be provided to the Office of Attorney
General within three business days following discovery of the
breach. A State agency under the Governor's DISCOVERY OF THE
BREACH.
(2) A STATE AGENCY UNDER THE GOVERNOR'S jurisdiction
shall also provide notice of a breach of security of the
20210SB0696PN0793 - 3 -
<--
<--
<--
<--
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
system to the Governor's Office of Administration within
three business days following the discovery of the breach.
Notification shall occur notwithstanding the existence of
procedures and policies under section 7.
(3) A STATE AGENCY THAT, ON THE EFFECTIVE DATE OF THIS
SECTION, HAS AN EXISTING CONTRACT WITH A STATE AGENCY
CONTRACTOR SHALL USE REASONABLE EFFORTS TO AMEND THE CONTRACT
TO INCLUDE PROVISIONS RELATING TO THE STATE AGENCY
CONTRACTOR'S COMPLIANCE WITH THIS ACT.
(4) A STATE AGENCY THAT, AFTER THE EFFECTIVE DATE OF
THIS SECTION, ENTERS INTO A CONTRACT WITH A STATE AGENCY
CONTRACTOR SHALL ENSURE THAT THE CONTRACT INCLUDES PROVISIONS
RELATING TO THE STATE AGENCY CONTRACTOR'S COMPLIANCE WITH
THIS ACT.
(a.2) Notification by county, school district or
municipality.--If a county, school district or municipality is
the subject of a breach of security of the system, the county,
school district or municipality shall provide notice of the
breach of security of the system required under subsection (a)
within seven days following discovery of the breach.
Notification shall be provided to the district attorney in the
county in which the breach occurred within three business days
following discovery of the breach. Notification shall occur
notwithstanding the existence of procedures and policies under
section 7.
(a.3) Electronic notification.--In the case of a breach of
the security of the system involving personal information
defined in section 2 for a user name or e-mail address in
combination with a password or security question and answer that
would permit access to an online account, the person or business
20210SB0696PN0793 - 4 -
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
ENTITY OR STATE AGENCY CONTRACTOR may comply with this section
by providing the security breach notification in electronic or
other form that directs the person whose personal information
has been breached to promptly change the person's password and
security question or answer, as applicable, or to take other
steps appropriate to protect the online account with the person
or business ENTITY OR STATE AGENCY CONTRACTOR and all other
online accounts for which the person whose personal information
has been breached uses the same user name or e-mail address and
password or security question or answer.
* * *
Section 4. The act is amended by adding sections to read:
Section 5.1. Encryption required.
(a) General rule.-- Employees and contractors of the
Commonwealth STATE EMPLOYEES AND STATE AGENCY CONTRACTOR
EMPLOYEES shall, while working with personal information on
behalf of the Commonwealth or otherwise conducting official
business on behalf of the Commonwealth, utilize encryption to
protect the transmission of personal information over the
Internet from being viewed or modified by a third party.
(b) Transmission policy.--The Governor's Office of
Administration shall develop and maintain a policy to govern the
proper encryption and transmission by State agencies under the
Governor's jurisdiction of data which includes personal
information.
Section 5.2. Commonwealth policy.
(a) Storage policy.-- The Governor's Office of Administration
shall develop a policy to govern the proper storage by State
agencies under the Governor's jurisdiction of data which
includes personal information. The policy shall address
20210SB0696PN0793 - 5 -
<--
<--
<--
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
identifying, collecting, maintaining, displaying and
transferring personally identifiable information, using
personally identifiable information in test environments,
remediating personally identifiable information stored on legacy
systems and other relevant issues. A goal of the policy shall be
to reduce the risk of future breaches of security of the system.
(b) Considerations.--In developing the policy, the
Governor's Office of Administration shall consider similar
existing policies in other states, best practices identified by
other states and relevant studies and other sources as
appropriate.
(c) Review and update.--The policy shall be reviewed at
least annually and updated as necessary.
Section 5.3. Entities subject to the Health Insurance
Portability and Accountability Act of 1996.
Any covered entity or business associate that is subject to
and in compliance with the privacy and security standards for
the protection of electronic health information established
under the Health Insurance Portability and Accountability Act of
1996 (Public Law 104-191, 110 Stat. 1936) and the Health
Information Technology for Economic and Clinical Health Act
(Public Law 111-5, 123 Stat. 226-279 and 467-496) shall be
deemed to be in compliance with the provisions of this act.
Section 5. This act shall take effect in 60 days.
20210SB0696PN0793 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24