H1846B2588A05720 MSP:JMT 02/05/18 #90 A05720
AMENDMENTS TO HOUSE BILL NO. 1846
Sponsor: REPRESENTATIVE ELLIS
Printer's No. 2588
Amend Bill, page 1, line 5, by striking out "and" and
inserting a comma
Amend Bill, page 1, lines 5 and 6, by striking out ";
providing for notification; further providing" and inserting
and
Amend Bill, page 1, lines 7 and 8, by striking out ";
providing for safeguarding of personal information; and further
providing for civil relief"
Amend Bill, page 2, lines 1 through 15, by striking out all
of said lines and inserting
"Breach of the security of the system." The unauthorized
[access and acquisition of computerized data that materially
compromises] access and acquisition of unencrypted data, or
encrypted data with the confidential process or key required to
decrypt the data, that is likely to compromise the security or
confidentiality of personal information maintained by the entity
as part of a database of personal information regarding multiple
individuals and that causes or the entity reasonably believes
has caused or will cause loss or injury to any resident of this
Commonwealth. Good faith acquisition of personal information by
an employee or agent of the entity for the purposes of the
entity is not a breach of the security of the system if the
personal information is not used for a purpose other than the
lawful purpose of the entity and is not subject to further
unauthorized disclosure.
Amend Bill, page 2, by inserting between lines 18 and 19
"Discovery." The final determination that a breach of the
security of the system has occurred, including, but not limited
to, the final determination regarding material compromise of
security and reasonable causation of loss or injury.
2018/90MSP/HB1846A05720 - 1 -
* * *
Amend Bill, page 2, lines 20 through 23, by striking out ",
a" in line 20, all of lines 21 and 22 and "claims history,
including appeals records" in line 23
Amend Bill, page 2, line 26, by striking out "mental or
physical" and inserting
medical
Amend Bill, page 2, line 27, by inserting after "diagnosis"
provided
Amend Bill, page 4, lines 4 through 9, by striking out
"Information that is under the" in line 4 and all of lines 5
through 9 and inserting
As follows:
(1) An individual's first name or first initial and last
name in combination with and linked to any one or more of the
following data elements when the elements are not encrypted or
redacted:
Amend Bill, page 5, line 25, by inserting a bracket before
"(1)"
Amend Bill, page 5, line 27, by striking out "EITHER THE NAME
OR"
Amend Bill, page 5, line 28, by inserting a bracket after
"REDACTED:"
Amend Bill, page 5, lines 29 and 30; page 6, lines 1 through
15; by striking out "] IDENTIFICATION" in line 29, all of line
30 on page 5 and all of lines 1 through 15 on page 6 and
inserting
(ii) Driver's license number or a State
identification card number issued in lieu of a driver's
license.] The following identification numbers:
(A) Social Security number.
(B) Driver's license number.
(C) State identification card number issued in
lieu of a driver's license.
(D) Passport number.
(E) Taxpayer identification number.
(F) Medical Information.
(G) Health insurance information.
Amend Bill, page 6, line 17, by striking out "ALONE OR"
Amend Bill, page 6, lines 21 through 30; page 7, lines 1
through 18; by striking out all of said lines on said pages and
inserting
(iv) Biometric data, meaning data gathered by
measurement of the human body, including fingerprints,
voice prints, eyes, retinas or irises, that is used by
the owner or licensee to uniquely authenticate the
identity of a person when the individual accesses a
system or account.
Amend Bill, page 7, line 21, by inserting a bracket before
the period after "records"
Amend Bill, page 7, line 21, by inserting after "records."
] or from another publicly available source, including
news reports, periodicals, public social media posts or other
widely distributed media.
Amend Bill, page 7, line 23, by striking out "3(a)" and
inserting
3
Amend Bill, page 7, lines 23 and 24, by striking out "and the
section is amended by adding subsections"
Amend Bill, page 7, line 26, by inserting a bracket before
"maintains,"
Amend Bill, page 7, line 27, by inserting after "manages"
] owns or licenses
Amend Bill, page 8, line 6, by inserting a bracket before
"without"
Amend Bill, page 8, line 6, by inserting after "delay."
] within 45 days of discovery of the breach of the security
of the system by the owner or licensee.
Amend Bill, page 8, line 11, by striking out all of said line
and inserting
[(b) Encrypted information.--An entity must provide notice
of the breach if encrypted information is accessed and acquired
in an unencrypted form, if the security breach is linked to a
breach of the security of the encryption or if the security
breach involves a person with access to the encryption key.]
(c) Vendor notification.--A vendor that maintains, stores or
manages computerized data on behalf of [another entity] an owner
or licensee of personal information shall provide notice of any
breach of the security system following discovery by the vendor
to the [entity] owner or licensee on whose behalf the vendor
maintains, stores or manages the data. The [entity] owner or
licensee shall be responsible for making the determinations and
discharging any remaining duties under this act.
Amend Bill, page 8, line 21, by inserting after "of" where it
occurs the second time
personal
Amend Bill, page 8, line 28, by striking out "an" and
inserting
a government-issued
Amend Bill, page 9, lines 9 and 10, by striking out "learning
of the breach of the security of the" in line 9 and all of line
10 and inserting
discovery of the breach of the security of the system by
the owner or licensee.
Amend Bill, page 9, line 12, by striking out "Notice" and
inserting
When notice
Amend Bill, page 9, line 13, by inserting after "section"
must be given to more than 1,000 affected individuals in
this Commonwealth, the notice
Amend Bill, page 9, line 13, by inserting after "bureau"
not less than five days prior to the notice to affected
individuals under subsection (d)
Amend Bill, page 9, lines 15 and 16, by striking out all of
line 15 and "(i) The" in line 16
Amend Bill, page 9, by inserting between lines 17 and 18
(3) Notice under this subsection must include, no later
than the time notice is given to the residents of this
Commonwealth, the following:
Amend Bill, page 9, line 18, by striking out "(ii)" and
inserting
(i)
Amend Bill, page 9, line 20, by striking out "(iii)" and
inserting
(ii)
Amend Bill, page 9, lines 22 and 23, by striking out all of
said lines
Amend Bill, page 10, lines 10 through 15, by striking out all
of said lines
Amend Bill, page 10, line 16, by striking out "4" and
inserting
3
Amend Bill, page 13, lines 3 through 11, by striking out all
of said lines
Amend Bill, page 13, line 12, by striking out "6" and
inserting
4