See other bills
under the
same topic
HOUSE AMENDED
PRIOR PRINTER'S NOS. 775, 793, 1330
PRINTER'S NO. 1779
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No.
696
Session of
2021
INTRODUCED BY LAUGHLIN, BARTOLOTTA, STEFANO, J. WARD, HAYWOOD
AND BROOKS, MAY 19, 2021
AS REPORTED FROM COMMITTEE ON STATE GOVERNMENT, HOUSE OF
REPRESENTATIVES, AS AMENDED, JUNE 15, 2022
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled
"An act providing for the notification of residents whose
personal information data was or may have been disclosed due
to a security system breach; and imposing penalties," further
providing for title of act, for definitions and for
notification of breach; prohibiting employees of the
Commonwealth from using nonsecured Internet connections;
providing for Commonwealth policy and for entities subject to
the Health Insurance Portability and Accountability Act of
1996; and further providing for notice exemption.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The title of the act of December 22, 2005
(P.L.474, No.94), known as the Breach of Personal Information
Notification Act, is amended to read:
AN ACT
Providing for security of computerized data and for the
notification of residents whose personal information data was
or may have been disclosed due to a [security system] breach
of the security system; and imposing penalties.
Section 2. The definition of "personal information" in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
section 2 of the act is amended and the section is amended by
adding definitions to read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
* * *
"Health insurance information." An individual's health
insurance policy number or subscriber identification number in
combination with access code or other medical information that
permits misuse of an individual's health insurance benefits.
* * *
"Medical information." Any individually identifiable
information contained in the individual's current or historical
record of medical history or medical treatment or diagnosis
created by a health care professional.
* * *
"Personal information."
(1) An individual's first name or first initial and last
name in combination with and linked to any one or more of the
following data elements when the data elements are not
encrypted or redacted:
(i) Social Security number.
(ii) Driver's license number or a State
identification card number issued in lieu of a driver's
license.
(iii) Financial account number, credit or debit card
number, in combination with any required security code,
access code or password that would permit access to an
individual's financial account.
20210SB0696PN1779 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(iv) Medical information.
(v) Health insurance information.
(vi) A user name or e-mail address, in combination
with a password or security question and answer that
would permit access to an online account.
(2) The term does not include publicly available
information that is lawfully made available to the general
public from Federal, State or local government records OR
WIDELY DISTRIBUTED MEDIA.
* * *
"State agency contractor." A person that has a contract with
a State agency for goods or services and a third-party
subcontractor that provides goods or services for the
fulfillment of the contract.
"STATE AGENCY CONTRACTOR." A PERSON OR BUSINESS THAT HAS A
CONTRACT WITH A STATE AGENCY FOR GOODS OR SERVICES AND A THIRD-
PARTY SUBCONTRACTOR THAT PROVIDES THE GOODS OR SERVICES FOR THE
FULFILLMENT OF THE CONTRACT OR A PERSON OR BUSINESS THAT IS A
SUBCONTRACTOR PROVIDING GOODS OR SERVICES TO ONE OR MORE STATE
AGENCIES, THE PERFORMANCE OF WHICH WILL REQUIRE ACCESS TO
PERSONAL INFORMATION.
Section 3. Section 3 of the act is amended by adding
subsections to read:
Section 3. Notification of breach.
* * *
(a.1) Notification by State agency or State agency
contractor.--
(1) If a State agency determines that it is the subject
of a breach affecting personal information of the
Commonwealth maintained by the State or State agency
20210SB0696PN1779 - 3 -
<--
<--
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
contractor, the State agency shall provide notice of the
breach required under subsection (a) within seven days
following determination of the breach or notification by a
State agency contractor as provided under paragraph (2) .
Notification shall be provided concurrently to the Office of
Attorney General.
(2) (1) A State agency contractor shall notify the chief
information security officer, or a designee, of the State
agency for whom the work is performed of a breach of the
security of the system within seven business days following
determination DISCOVERY of the breach.
(3) (2) A State agency under the Governor's jurisdiction
shall also provide notice of a breach of the security of the
system to the Governor's Office of Administration AND THE
OFFICE OF ATTORNEY GENERAL within three business days
following the determination of the breach. Notification shall
occur notwithstanding the existence of procedures and
policies under section 7.
(4) (3) A State agency that, on the effective date of
this section, has an existing contract with a State agency
contractor shall use reasonable efforts to amend the contract
to include provisions relating to the State agency
contractor's compliance with this act unless the existing
contract already contains breach of the security of the
system notification requirements .
(5) (4) A State agency that, after the effective date of
this section, enters into a contract WHICH INVOLVES THE USE
OF PERSONAL INFORMATION with a State agency contractor shall
ensure that the contract includes provisions relating to the
State agency contractor's compliance with this act.
20210SB0696PN1779 - 4 -
<--
<--
<--
<--
<--
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(a.2) Notification by county, school district PUBLIC SCHOOL
or municipality.--If a county, school district PUBLIC SCHOOL or
municipality is the subject of a breach of the security of the
system, the county, school district PUBLIC SCHOOL or
municipality shall provide notice of the breach of the security
of the system required under subsection (a) within seven days
following determination of the breach. Notification shall be
provided to the district attorney in the county where the breach
occurred within three business days following determination of
the breach. Notification shall occur notwithstanding the
existence of procedures and policies under section 7.
(a.3) Electronic notification.--In the case of a breach of
the security of the system involving personal information for a
user name or e-mail address in combination with a password or
security question and answer that would permit access to an
online account, the State agency, county, school district PUBLIC
SCHOOL or municipality, to the extent that it has sufficient
contact information for the person, may comply with this section
by providing the breach of the security of the system
notification in electronic or other form that directs the person
whose personal information has been breached to promptly change
the person's password and security question or answer, as
applicable or to take other steps appropriate to protect the
online account with the State agency, county, school district
PUBLIC SCHOOL or municipality and other online accounts for
which the person whose personal information has been breached
uses the same user name or e-mail address and password or
security question or answer.
(a.4) Affected individuals.--In the case of a breach of the
security of the system involving personal information for a user
20210SB0696PN1779 - 5 -
<--
<--
<--<--
<--<--
<--<--
<--<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
name or e-mail address in combination with a password or
security question and answer that would permit access to an
online account, the State agency contractor may comply with this
section by providing a list of affected residents of this
Commonwealth, if known, to the State agency subject of the
breach of the security of the system.
* * *
(D) DEFINITIONS.--AS USED IN THIS SECTION, THE TERM "PUBLIC
SCHOOL" MEANS ANY SCHOOL DISTRICT, INTERMEDIATE UNIT, CHARTER
SCHOOL, CYBER CHARTER SCHOOL OR AREA CAREER AND TECHNICAL
SCHOOL.
Section 4. The act is amended by adding sections to read:
Section 5.1. Encryption required.
(a) General rule.-- State employees and State agency
contractor employees shall, while working with personal
information on behalf of the Commonwealth or otherwise
conducting official business on behalf of the Commonwealth,
utilize encryption , OR OTHER APPROPRIATE SECURITY MEASURES, to
protect the transmission of personal information over the
Internet from being viewed or modified by an unauthorized third
party IN ACCORDANCE WITH THE GOVERNOR'S OFFICE OF ADMINISTRATION
POLICY UNDER SUBSECTION (B) .
(b) Transmission policy.--The Governor's Office of
Administration shall develop and maintain a policy to govern the
proper encryption and transmission OF DATA, WHICH INCLUDES
PERSONAL INFORMATION, by State agencies under the Governor's
jurisdiction of data which includes personal information .
(C) CONSIDERATIONS.--IN DEVELOPING THE POLICY, THE
GOVERNOR'S OFFICE OF ADMINISTRATION SHALL CONSIDER SIMILAR
EXISTING FEDERAL AND OTHER POLICIES IN OTHER STATES, BEST
20210SB0696PN1779 - 6 -
<--
<--
<--
<--
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
PRACTICES IDENTIFIED BY OTHER STATES AND RELEVANT STUDIES AND
OTHER SOURCES AS APPROPRIATE.
(D) REVIEW AND UPDATE.--THE POLICY SHALL BE REVIEWED AT
LEAST ANNUALLY AND UPDATED AS NECESSARY.
Section 5.2. Commonwealth policy.
(a) Storage policy.-- The Governor's Office of Administration
shall develop a policy to govern the proper storage by State
agencies under the Governor's jurisdiction of data which
includes personal information. The policy shall address
identifying, collecting, maintaining, displaying and
transferring personal information, using personal information in
test environments, remediating personal information stored on
legacy systems and other relevant issues. A goal of the policy
shall be to reduce the risk of future breaches of the security
of the system.
(b) Considerations.--In developing the policy, the
Governor's Office of Administration shall consider similar
existing Federal and other policies in other states, best
practices identified by other states and relevant studies and
other sources as appropriate.
(c) Review and update.--The policy shall be reviewed at
least annually and updated as necessary.
Section 5.3. Entities subject to the Health Insurance
Portability and Accountability Act of 1996.
Any covered entity or business associate that is subject to
and in compliance with the privacy and security standards for
the protection of electronic personal health information
established under the Health Insurance Portability and
Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936)
and the Health Information Technology for Economic and Clinical
20210SB0696PN1779 - 7 -
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Health Act (Public Law 111-5, 123 Stat. 226-279 and 467-496)
shall be deemed to be in compliance with the provisions of this
act.
Section 5. Section 7(b)(2) of the act is amended to read:
Section 7. Notice exemption.
* * *
(b) Compliance with Federal requirements.--
* * *
(2) An entity, a State agency or State agency
contractor , OR A STATE AGENCY'S CONTRACTOR, that complies
with the notification requirements or procedures pursuant to
the rules, regulations, procedures or guidelines established
by the entity's State agency or State agency contractor's ,
STATE AGENCY'S, OR STATE AGENCY'S CONTRACTOR'S, primary or
functional Federal regulator shall be in compliance with this
act.
Section 6. This act shall take effect in 120 days.
20210SB0696PN1779 - 8 -
<--<--
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17