PRINTER'S NO. 2220
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
1945
Session of
2021
INTRODUCED BY PISCIOTTANO, DELLOSO, FRANKEL, N. NELSON, KINSEY,
RYAN, SANCHEZ, O'MARA, SCHLOSSBERG, CIRESI, DRISCOLL,
PASHINSKI AND D. WILLIAMS, SEPTEMBER 30, 2021
REFERRED TO COMMITTEE ON COMMERCE, SEPTEMBER 30, 2021
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled
"An act providing for the notification of residents whose
personal information data was or may have been disclosed due
to a security system breach; and imposing penalties," further
providing for definitions.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The definition of "personal information" in
section 2 of the act of December 22, 2005 (P.L.474, No.94),
known as the Breach of Personal Information Notification Act, is
amended and the section is amended by adding definitions to
read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Biometric information." I dentifying an individual's
physiological, biological or behavioral characteristics
including an individual's deoxyribonucleic acid (DNA), that can
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
be used, singly or in combination with each other or with other
individually identifiable data, to establish individual
identity. Biometric information includes:
(1) imagery of the iris, retina, fingerprint, face,
hand, palm, vein patterns and voice recordings that an
identifier template, such as a faceprint, a minutiae template
or a voiceprint, can be extracted;
(2) keystroke patterns or rhythms;
(3) gait patterns or rhythms; and
(4) sleep, health or exercise data that contains
individually identifiable information.
* * *
"Individually identifiable." Biometric information or
medical information that includes or contains an element of
personal information sufficient to allow identification of an
individual, including an individual's name, address, electronic
mail address, telephone number, Social Security number or other
information that, alone or in combination with other publicly
available information, reveals an individual's identity.
* * *
"Personal information."
(1) An individual's first name or first initial and last
name in combination with and linked to any one or more of the
following data elements when the data elements are not
encrypted or redacted:
(i) Social Security number.
(ii) Driver's license number or a State
identification card number issued in lieu of a driver's
license.
(iii) Financial account number, credit or debit card
20210HB1945PN2220 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
number, in combination with any required security code,
access code or password that would permit access to an
individual's financial account.
(iv) Biometric information.
(v) Medical information, including individually
identifiable information, in electronic or physical form,
in possession of or derived from a provider of health
care, health care service plan, pharmaceutical company or
contractor regarding a patient's medical history, mental
or physical condition or treatment.
(2) The term does not include publicly available
information that is lawfully made available to the general
public from Federal, State or local government records.
* * *
Section 2. This act shall take effect in 60 days.
20210HB1945PN2220 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15