AN ACT

Amending the act of December 22, 2005 (P.L.474, No.94), entitled "An act providing for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposing penalties," further providing for notification of breach.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended by adding subsections to read:

Section 3. Notification of breach.

* * *

(a.1) Notification by State agency.--If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor's jurisdiction shall also provide notice of a breach of its security system to the Governor's Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.

(a.2) Notification by county, school district or municipality.--If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.

(a.3) Storage policy.--

(1) The Office of Administration shall develop a policy to govern the proper storage by State agencies of data which includes personally identifiable information. The policy shall address identifying, collecting, maintaining, displaying and transferring personally identifiable information, using personally identifiable information in test environments, remediating personally identifiable information stored on legacy systems and other relevant issues. A goal of the policy shall be to reduce the risk of future breaches of security of the system.

(2) In developing the policy under paragraph (1), the Office of Administration shall consider similar existing policies in other states, best practices identified by other states and relevant studies and other sources as appropriate. The policy shall be reviewed at least annually and updated as necessary.

* * *

Section 2. This act shall take effect in 60 days.