Cybersecurity Coordinator. Except as provided in section 4 or in
order to take any measures necessary to determine the scope of
the breach and to restore the reasonable integrity of the data
system, the notice shall be made [without unreasonable delay] no
later than 30 days after discovery of the breach. For the
purpose of this section, a resident of this Commonwealth may be
determined to be an individual whose principal mailing address,
as reflected in the computerized data which is maintained,
stored or managed by the entity, is in this Commonwealth.
* * *
Section 4. The act is amended by adding a section to read:
Section 5.1. Disposal of materials containing personal
information.
(a) Method of disposal.--A person shall dispose of material
containing personal information in a manner that renders the
personal information unreadable, unusable and undecipherable.
Proper disposal methods include, but are not limited to:
(1) Redaction, burning, pulverization or shredding of
paper documents so that personal information cannot
practicably be read or reconstructed.
(2) Destruction or erasure of electronic media and other
nonpaper media so that personal information cannot
practicably be read or reconstructed.
(b) Third party contracts.-- A person disposing of materials
containing personal information may contract with a third party
to dispose of the materials in accordance with this section. A
third party that contracts with a person to dispose of materials
containing personal information shall implement and monitor
compliance with policies and procedures that prohibit
unauthorized access to, acquisition of or use of personal
20190HB0245PN0214 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30