|Posted:||February 25, 2016 12:41 PM|
|From:||Representative W. Curtis Thomas|
|To:||All House members|
|Subject:||Update definition of personal information data in PA Breach of Personal Information Notification Act|
|In the near future, I plan to introduce legislation that would expand the definition of Personal Information in Pennsylvania’s Breach of Personal Information Notification Act (P.L. 474, No. 94 of 2005) to bring Pennsylvania in line with how the federal government and some other states define personal information.
Last session, following reports of breaches in cybersecurity that filled national headlines, I sponsored House Resolution 778 that called on the Joint State Government Commission to take a closer look at Pennsylvania’s laws surrounding this issue. One of the recommendations from the Commission was to “modernize” the 2005 law to reflect a more modern understanding of cybersecurity.
In 2005, Pennsylvania enacted the Breach of Personal Information Notification Act to address breaches in the management of computerized personal information by an unauthorized user. Current law defines personal information as “An individual’s first name or first initial and last name in combination with and linked to any one of more of the following data elements when the data elements are not encrypted or redacted: Social Security number; driver’s license number or a state identification card number; or financial account number, credit or debit card, in combination with any required security code, access code or password.”
My proposed legislation, which is based on a Commission recommendation and follows the National Institute of Standards and Technology (NIST), more broadly defines personal information to include information that could be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records, as well as information that is linked or linkable to an individual, such as medical, educational, financial and employment information. This includes such new additions as passport numbers, taxpayer identification numbers, insurance member numbers, an alias, electronic account information, Internet Protocol or Media Access Control address, biometric data (such as a fingerprint, facial scan, or voice signature, for example) and digitized or other electronic signatures.
The Commonwealth and its agencies regularly collects and possesses, through various state programs and routine administrative activities, sensitive personal information about residents of Pennsylvania. This legislation is one step toward increasing Pennsylvania’s diligence in regard to cybersecurity and protecting Pennsylvanians.
Please join me in co-sponsoring this legislation.
Introduced as HB1910