| PRINTER'S NO. 67 |
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. | 114 | Session of 2013 |
INTRODUCED BY PILEGGI, VULAKOVICH, SCARNATI, FARNESE, WASHINGTON, ROBBINS, MENSCH, ERICKSON, FONTANA, SCHWANK, KASUNIC, RAFFERTY, ALLOWAY, TARTAGLIONE, HUGHES, YAW, WILLIAMS, BOSCOLA, GREENLEAF, FERLO, WARD, YUDICHAK, FOLMER, GORDNER, VANCE, WAUGH, BREWSTER, BRUBAKER AND BAKER, JANUARY 9, 2013
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, JANUARY 9, 2013
AN ACT
1Amending the act of December 22, 2005 (P.L.474, No.94), entitled
2"An act providing for the notification of residents whose
3personal information data was or may have been disclosed due
4to a security system breach; and imposing penalties," further
5providing for notification of breach; and providing for
6investigation of breach involving a State agency, for
7investigation of breach involving a county, school district
8or municipality and for individuals responsible for breach.
9The General Assembly of the Commonwealth of Pennsylvania
10hereby enacts as follows:
11Section 1. Section 3 of the act of December 22, 2005
12(P.L.474, No.94), known as the Breach of Personal Information
13Notification Act, is amended by adding subsections to read:
14Section 3. Notification of breach.
15* * *
16(a.1) Notification by State agency.--If a State agency is
17the subject of a breach of security of the system, the State
18agency shall provide notice of the breach of security of the
19system required under subsection (a) within seven days following
1discovery of the breach. Notification shall be provided to the
2Office of Attorney General within three business days following
3discovery of the breach. Notification shall occur regardless of
4the existence of procedures and policies under section 7.
5(a.2) Notification by county, school district or
6municipality.--If a county, school district or municipality is
7the subject of a breach of security of the system, the county,
8school district or municipality shall provide notice of the
9breach of security of the system required under subsection (a)
10within seven days following discovery of the breach.
11Notification shall be provided to the district attorney in the
12county in which the breach occurred within three business days
13following discovery of the breach. Notification shall occur
14regardless of the existence of procedures and policies under
15section 7.
16* * *
17Section 2. The act is amended by adding sections to read:
18Section 3.1. Investigation of breach involving a State agency.
19(a) Investigation.--Upon receipt of notification under
20section 3(a.1), the Office of Attorney General shall investigate
21the breach. The investigation shall include a review of
22procedures, a determination of the cause of the breach and
23recommendations to the agency relating to prevention of similar
24breaches in the future.
25(b) Cost.--The cost of the investigation shall be paid by
26the agency in which the breach occurred.
27Section 3.2. Investigation of breach involving a county, school
28district or municipality.
29(a) Investigation.--Upon receipt of notification under
30section 3(a.2), the district attorney shall investigate the
1breach. The investigation shall include a review of procedures,
2a determination of the cause of the breach and recommendations
3to the county, school district or municipality relating to
4prevention of similar breaches in the future.
5(b) Cost.--The cost of the investigation under section
63(a.2) shall be paid by the county, school district or
7municipality where the breach occurred.
8(c) Attorney General.--If the district attorney determines
9that the breach of security of the system warrants an
10investigation by the Office of Attorney General, the district
11attorney may request that the Attorney General join or take over
12the investigation.
13Section 3.3. Individuals responsible for breach.
14Notwithstanding any other provision of this act, if a breach
15of security of the system was caused by an intentional act or
16misuse of the system or intentional unauthorized access to the
17system, an individual determined by a court to be responsible
18for the breach may be ordered by the court to pay for the cost
19of the investigation and the cost of repairing and restoring the
20system.
21Section 3. This act shall take effect in 60 days.