Regular Session 2015-2016 House Bill 1910 P.N. 3131

PRINTER'S NO. 3131

THE GENERAL ASSEMBLY OF PENNSYLVANIA

HOUSE BILL

No.

1910

Session of

2015

INTRODUCED BY THOMAS, SCHLOSSBERG, V. BROWN, ROZZI, A. HARRIS

AND COHEN, APRIL 8, 2016

REFERRED TO COMMITTEE ON COMMERCE, APRIL 8, 2016

AN ACT

Amending the act of December 22, 2005 (P.L.474, No.94), entitled

"An act providing for the notification of residents whose

personal information data was or may have been disclosed due

to a security system breach; and imposing penalties," further

providing for definitions.

The General Assembly of the Commonwealth of Pennsylvania

hereby enacts as follows:

Section 1. Section 2 of the act of December 22, 2005

(P.L.474, No.94), known as the Breach of Personal Information

Notification Act, is amended to read:

Section 2. Definitions.

The following words and phrases when used in this act shall

have the meanings given to them in this section unless the

context clearly indicates otherwise:

"Breach of the security of the system." The unauthorized

access and acquisition of computerized data that materially

compromises the security or confidentiality of personal

information maintained by the entity as part of a database of

personal information regarding multiple individuals [and that

causes or the entity reasonably believes has caused or will

cause loss or injury to any resident of this Commonwealth]. Good

faith acquisition of personal information by an employee or

agent of the entity for the purposes of the entity is not a

breach of the security of the system if the personal information

is not used for a purpose other than the lawful purpose of the

entity and is not subject to further unauthorized disclosure.

* * *

"Personal information."

(1) An individual's first name or first initial and last

name in combination with and linked to any one or more of the

following data elements when either the name or the data

elements are not encrypted or redacted:

(i) [Social Security number.] Identification

numbers, such as:

(A) Social Security number.

(B) Driver's license number.

lieu of a driver's license.

(D) Passport number.

(E) Taxpayer identification number.

(F) Patient identification number.

(G) Insurance member number.

(H) Employee identification number.

(ii) [Driver's license number or a State

identification card number issued in lieu of a driver's

license.] Other associated names, such as:

(A) Maiden name.

(B) Mother's maiden name.

20160HB1910PN3131 - 2 -

(iii) Financial account number, credit or debit card

number, alone or in combination with any required

expiration date, security code, access code or password

that would permit access to an individual's financial

account.

(iv) Electronic identifier or routing code, in

combination with any required security code, access code

or password that would permit access to an individual's

financial account.

(v) Electronic account information, such as account

name or user name.

(vi) Internet Protocol (IP) or Media Access Control

(MAC) address or other host-specific persistent static

identifier that consistently links to a particular

individual or small, well-defined group of individuals.

(vii) Biometric data, such as genetic information, a

fingerprint, facial scan, retina or iris image, voice

signature, x-ray image or other unique physical

representation or digital representation of biometric

data.

(viii) Date of birth.

(ix) Place of birth.

(x) Insurance information.

(xi) Employment information.

(xii) Educational information.

(xiii) Vehicle information, such as:

(A) Registration number.

(B) Title number.

(xiv) Contact information, such as:

(A) Telephone number.

20160HB1910PN3131 - 3 -

(B) Address.

(xv) Digitized or other electronic signature.

(2) The term does not include publicly available

information that is lawfully made available to the general

public from Federal, State or local government records.

* * *

Section 2. This act shall take effect in 60 days.

20160HB1910PN3131 - 4 -