Posted: February 25, 2016 12:34 PM
From: Representative W. Curtis Thomas
To: All House members
Subject: Cybersecurity breach notification update
In the near future, I plan to introduce legislation that would set a 30-day timeframe in Pennsylvania’s Breach of Personal Information Notification Act (P.L. 474, No. 94 of 2005) and that would require notice of breach be provided to the Pennsylvania Office of Attorney General.
In 2005, Pennsylvania enacted the Breach of Personal Information Notification Act to address breaches in the management of computerized personal information by an unauthorized user. At the time, it was believed that this new law would protect citizens by requiring any entity that stores this data to alert the individual of the breach “without unreasonable delay.”
Last session, following reports of breaches in cybersecurity that filled national headlines, I sponsored House Resolution (HR 778) that called on the Joint State Government Commission to take a closer look at Pennsylvania’s laws surrounding this issue. One of the recommendations was to modernize Act 94 of 2005, because we were now 10 years out from its initial enactment and technology has changed and advanced.
This proposed legislation is based on one of the Commission’s recommendations and is meant to address what they suggested was a “generic phrase” by making changes to the language. These changes will not only provide Commonwealth offices and agencies with flexibility, but also clarify when notification must be provided to consumers.
The Commonwealth and its agencies regularly collect and possess, through various state programs and routine administrative activities, sensitive personal information about residents of Pennsylvania. As the Commission points out in its 2015 report on Cybersecurity, while Pennsylvania has not yet experienced a major breach, for state offices and agencies, like all entities that electronically collect and store personal data, the question becomes not whether a breach will occur, but when. This legislation is one step toward increasing Pennsylvania’s diligence in regard to cybersecurity and ensuring that consumers are notified as quickly as possible, so that they can protect their online personal data.
Please join me in co-sponsoring this legislation.
Introduced as HB1911