voice prints, eyes, retinas or irises, that is used by
the owner or licensee to uniquely authenticate the
identity of a person when the individual accesses a
system or account.
(2) The term does not include publicly available
information that is lawfully made available to the general
public from Federal, State or local government records[.] or
from another publicly available source, including news
reports, periodicals, public social media posts or other
widely distributed media.
* * *
Section 2. Section 3 of the act is amended to read:
Section 3. Notification of breach.
(a) General rule.--An entity that [maintains, stores or
manages] owns or licenses computerized data that includes
personal information shall provide notice of any breach of the
security of the system following discovery of the breach of the
security of the system [to any resident of this Commonwealth
whose unencrypted and unredacted personal information was or is
reasonably believed to have been accessed and acquired by an
unauthorized person]. Except as provided in section 4 or in
order to take any measures necessary to determine the scope of
the breach and to restore the reasonable integrity of the data
system, the notice shall be made [without unreasonable delay.]
within 45 days of discovery of the breach of the security of the
system by the owner or licensee. For the purpose of this
section, a resident of this Commonwealth may be determined to be
an individual whose principal mailing address, as reflected in
the computerized data which is maintained, stored or managed by
the entity, is in this Commonwealth.
20190HB1181PN1367 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30