PRIOR PRINTER'S NO. 859 PRINTER'S NO. 898
No. 712 Session of 2005
INTRODUCED BY WONDERLING, C. WILLIAMS, CORMAN, RAFFERTY, WOZNIAK, GORDNER, PILEGGI, KITCHEN, EARLL, VANCE, ERICKSON, M. WHITE, LEMMOND, FERLO, O'PAKE, RHOADES, BOSCOLA, GREENLEAF, BROWNE, THOMPSON, STACK AND LOGAN, JUNE 3, 2005
SENATOR WONDERLING, COMMUNICATIONS AND TECHNOLOGY, AS AMENDED, JUNE 13, 2005
AN ACT 1 Providing for the notification of residents whose personal 2 information data was or may have been disclosed due to a 3 security system breach; and imposing penalties. 4 The General Assembly of the Commonwealth of Pennsylvania 5 hereby enacts as follows: 6 Section 1. Short title. 7 This act shall be known and may be cited as the Breach of 8 Personal Information Notification Act. 9 Section 2. Definitions. 10 The following words and phrases when used in this act shall 11 have the meanings given to them in this section unless the 12 context clearly indicates otherwise: 13 "Breach of the security of the system." The unauthorized 14 ACCESS AND acquisition of computerized data that compromises the <-- 15 security or confidentiality of personal information maintained 16 by the entity as part of a database of personal information 17 regarding multiple individuals and that causes or the entity
1 reasonably believes has caused or will cause harm, <-- 2 inconvenience, loss or injury to any resident of this 3 Commonwealth. Good faith acquisition of personal information by 4 an employee or agent of the entity for the purposes of the 5 entity is not a breach of the security of the system if the 6 personal information is not used for a purpose other than the 7 lawful purpose of the entity and is not subject to further 8 unauthorized disclosure. 9 "Business." A sole proprietorship, partnership, corporation, 10 association or other group, however organized and whether or not 11 organized to operate at a profit, including a financial 12 institution organized, chartered or holding a license or 13 authorization certificate under the laws of this Commonwealth, 14 any other state, the United States or any other country, or the 15 parent or the subsidiary of a financial institution. The term 16 includes an entity that destroys records. 17 "Encryption." The use of an algorithmic process to transform 18 data into a form in which there is a low probability of 19 assigning meaning without use of a confidential process or key. 20 "Entity." A State agency, a political subdivision of the 21 Commonwealth or an individual or a business doing business in 22 this Commonwealth. 23 "Individual." A natural person. 24 "Notice." May be provided by one of the following methods of 25 notification: 26 (1) Written notice. 27 (2) Electronic notice, if the notice provided is 28 consistent with the provisions regarding electronic records 29 and signatures set forth in section 701 of the Electronic 30 Signatures in Global and National Commerce Act (Public Law 20050S0712B0898 - 2 -
1 106-229, 15 U.S.C. § 7001). 2 (3) (i) Substitute notice, if the entity demonstrates 3 one of the following: 4 (A) The cost of providing notice would exceed 5 $250,000. 6 (B) The affected class of subject persons to be 7 notified exceeds 500,000. 8 (C) The entity does not have sufficient contact 9 information. 10 (ii) Substitute notice shall consist of all of the 11 following: 12 (A) E-mail notice when the entity has an e-mail 13 address for the subject persons. 14 (B) Conspicuous posting of the notice on the 15 entity's Internet website, if the entity maintains 16 one. 17 (C) Notification to major Statewide media. 18 "Personal information." 19 (1) An individual's first name or first initial and last 20 name in combination with and linked to any one or more of the 21 following data elements, when the name and data elements are 22 not encrypted or redacted: 23 (i) Social Security number. 24 (ii) Driver's license number or a State 25 identification card number issued in lieu of a driver's 26 license. 27 (iii) Financial account number, credit or debit card 28 number, in combination with any required security code, 29 access code or password that would permit access to an 30 individual's financial account. 20050S0712B0898 - 3 -
1 (2) The term does not include publicly available 2 information that is lawfully made available to the general 3 public from Federal, State or local government records. 4 "Records." Any material, regardless of the physical form, on 5 which information is recorded or preserved by any means, 6 including in written or spoken words, graphically depicted, 7 printed or electromagnetically transmitted. The term does not 8 include publicly available directories containing information an 9 individual has voluntarily consented to have publicly 10 disseminated or listed, such as name, address or telephone 11 number. 12 "Redact." The term includes, but is not limited to, 13 alteration or truncation such that no more than the last four 14 digits of a Social Security number, driver's license number, 15 State identification card number or account number is accessible 16 as part of the data. 17 "State agency." Any agency, board, commission, authority or 18 department of the Commonwealth and the General Assembly. 19 Section 3. Disclosure of computerized data. 20 (a) General rule.--An entity that owns or licenses 21 computerized data that includes personal information shall 22 disclose any breach of the security of the system following 23 discovery or notification of the breach in OF the security of <-- 24 the data SYSTEM to any resident of this Commonwealth whose <-- 25 unencrypted and unredacted personal information was or is 26 reasonably believed to have been accessed and acquired by an 27 unauthorized person. Except as provided in section 5 or in order 28 to take any measures necessary to determine the scope of the 29 breach and to restore the reasonable integrity of the data 30 system, the disclosure shall be made in the most expedient time <-- 20050S0712B0898 - 4 -
1 possible and without unreasonable delay. 2 (b) Encrypted information.--An entity must disclose the 3 breach if encrypted information is accessed AND ACQUIRED in an <-- 4 unencrypted form, if the security breach is linked to a breach 5 of the security of the encryption or if the security breach 6 involves a person with access to the encryption key. 7 Section 4. Disclosure of maintained computerized data. 8 An entity that maintains computerized data that includes 9 personal information that the entity does not own OR LICENSE <-- 10 shall notify the owner or licensee of the information of any 11 breach of the security of the data immediately following 12 discovery, if the personal information was or is reasonably 13 believed to have been accessed and acquired by an unauthorized 14 person. 15 Section 5. Exceptions. 16 (1) The notification required by this act may be delayed <-- 17 if a law enforcement agency determines AND ADVISES THE ENTITY <-- 18 IN WRITING SPECIFICALLY REFERENCING THIS SECTION that the 19 notification will impede a criminal OR CIVIL investigation. <-- 20 The notification required by this act shall be made after the 21 law enforcement agency determines that it will not compromise 22 the investigation or national or homeland security. 23 (2) The notification required by this act is not <-- 24 required if Federal or State authorities responsible for law 25 enforcement are able to determine and provide in writing to 26 the entity as soon as practical notice that the breach is 27 unlikely to result in harm to the individuals whose personal 28 information has been acquired and accessed. 29 SECTION 6. NOTIFICATION OF CONSUMER REPORTING AGENCIES. <-- 30 WHEN AN ENTITY PROVIDES NOTIFICATION UNDER THIS ACT TO MORE 20050S0712B0898 - 5 -
1 THAN 1,000 PERSONS AT ONE TIME, THE ENTITY SHALL ALSO NOTIFY, 2 WITHOUT UNREASONABLE DELAY, ALL CONSUMER REPORTING AGENCIES THAT 3 COMPILE AND MAINTAIN FILES ON CONSUMERS ON A NATIONWIDE BASIS, 4 AS DEFINED IN SECTION 603 OF THE FAIR CREDIT REPORTING ACT 5 (PUBLIC LAW 91-508, 15 U.S.C. § 1681A), OF THE TIMING, 6 DISTRIBUTION AND NUMBER OF NOTICES. 7 Section 6 7. Preemption. <-- 8 This act deals with subject matter that is of Statewide 9 concern, and it is the intent of the General Assembly that this 10 act shall supersede and preempt all rules, regulations, codes, 11 statutes or ordinances of all cities, counties, municipalities 12 and other local agencies WITHIN THIS COMMONWEALTH regarding the <-- 13 matters expressly set forth in this act. 14 Section 7 8. Notice exemption. <-- 15 (a) Information privacy or security policy.--An entity that 16 maintains its own notification procedures as part of an 17 information privacy or security policy for the treatment of 18 personal information and is otherwise consistent with the notice <-- 19 requirements of this act shall be deemed to be in compliance 20 with the notification requirements of this act if it notifies 21 subject persons in accordance with its policies in the event of 22 a breach of security of the system. 23 (b) Compliance with Federal requirements.--A financial <-- 24 (B) COMPLIANCE WITH FEDERAL REQUIREMENTS.-- <-- 25 (1) A FINANCIAL institution that complies with the 26 notification requirements prescribed by the Federal 27 Interagency Guidance on Response Programs for Unauthorized 28 Access to Customer Information and Customer Notice is deemed 29 to be in compliance with this act. 30 (2) AN ENTITY THAT COMPLIES WITH THE NOTIFICATION <-- 20050S0712B0898 - 6 -
1 REQUIREMENTS OR PROCEDURES PURSUANT TO THE RULES, 2 REGULATIONS, PROCEDURES OR GUIDELINES ESTABLISHED BY THE 3 ENTITY'S PRIMARY OR FUNCTIONAL FEDERAL REGULATOR SHALL BE IN 4 COMPLIANCE WITH THIS ACT. 5 Section 8 9. Civil relief. <-- 6 (a) General rule.--The Office of Attorney General may bring <-- 7 a civil action against an entity that willfully or intentionally 8 violates this act. 9 (b) Additional remedies.--In addition to any other remedy 10 provided by law, a person bringing an action under this section 11 may: 12 (1) Seek injunctive relief to restrain the violator from 13 continuing the violation. 14 (2) Recover actual damages arising from the violation of 15 a failure to notify under this act. 16 (3) Seek both injunctive relief and recovery of damages 17 as provided by this subsection. 18 A WILLFUL AND KNOWING VIOLATION OF THIS ACT SHALL BE DEEMED <-- 19 TO BE AN UNFAIR OR DECEPTIVE ACT OR PRACTICE IN VIOLATION OF THE 20 ACT OF DECEMBER 17, 1968 (P.L.1224, NO.387), KNOWN AS THE UNFAIR 21 TRADE PRACTICES AND CONSUMER PROTECTION LAW. THE OFFICE OF 22 ATTORNEY GENERAL SHALL HAVE EXCLUSIVE AUTHORITY TO BRING AN 23 ACTION UNDER THE UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION 24 LAW FOR A VIOLATION OF THIS ACT. 25 Section 9 10. Applicability. <-- 26 This act shall apply to the discovery or notification of a 27 breach in the security of personal information data that occurs 28 on or after the effective date of this section. 29 Section 10 11. Effective date. <-- 30 This act shall take effect in 60 days. E25L12BIL/20050S0712B0898 - 7 -