
HOUSE AMENDED
A05644
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. 696
Session of 2021
INTRODUCED BY LAUGHLIN, BARTOLOTTA, STEFANO, J. WARD, HAYWOOD
AND BROOKS, MAY 19, 2021
AS REPORTED FROM COMMITTEE ON STATE GOVERNMENT, HOUSE OF
REPRESENTATIVES, AS AMENDED, JUNE 15, 2022
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled
"An act providing for the notification of residents whose
personal information data was or may have been disclosed due
to a security system breach; and imposing penalties," further
providing for title of act, for definitions and for
notification of breach; prohibiting employees of the
Commonwealth from using nonsecured Internet connections;
providing for Commonwealth data storage policy and for
entities subject to the Health Insurance Portability and
Accountability Act of 1996; and further providing for notice
exemption and for applicability.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The title of the act of December 22, 2005
(P.L.474, No.94), known as the Breach of Personal Information
Notification Act, is amended to read:
AN ACT
Providing for security of computerized data and for the
notification of residents whose personal information data was
or may have been disclosed due to a [security system] breach
of the security of the system ; and imposing penalties.
Section 2. The definition of definitions of "notice" and
"personal information" in section 2 of the act is are amended
and the section is amended by adding definitions to read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
* * *
"Determination." A verification or reasonable certainty that
a breach of the security of the system has occurred.
"Discovery." The knowledge of or reasonable suspicion that a
breach of the security of the system has occurred.
* * *
"Health insurance information." An individual's health
insurance policy number or subscriber identification number in
combination with access code or other medical information that
permits misuse of an individual's health insurance benefits.
* * *
"Medical information." Any individually identifiable
information contained in the individual's current or historical
record of medical history or medical treatment or diagnosis
created by a health care professional.
* * *
"Notice." May be provided by any of the following methods of
notification:
(1) Written notice to the last known home address for
the individual.
(2) Telephonic notice, if the [customer] individual can
be reasonably expected to receive it and the notice is given
in a clear and conspicuous manner, describes the incident in
general terms and verifies personal information but does not
require the [customer] individual to provide personal
information and the [customer] individual is provided with a
telephone number to call or Internet website to visit for
further information or assistance.
(3) E-mail notice, if a prior business relationship
exists and the person or entity has a valid e-mail address
for the individual.
(3.1) Electronic notice, if the notice directs the
person whose personal information has been materially
compromised by a breach of the security of the system to
promptly change the person's password and security question
or answer, as applicable or to take other steps appropriate
to protect the person's online account to the extent the
entity has sufficient contact information for the person.
(4) (i) Substitute notice, if the entity demonstrates
one of the following:
(A) The cost of providing notice would exceed
$100,000.
(B) The affected class of subject persons to be
notified exceeds 175,000.
(C) The entity does not have sufficient contact
information.
(ii) Substitute notice shall consist of all of the
following:
(A) E-mail notice when the entity has an e-mail
address for the subject persons.
(B) Conspicuous posting of the notice on the
entity's Internet website if the entity maintains
one.
(C) Notification to major Statewide media.
"Personal information."
(1) An individual's first name or first initial and last
name in combination with and linked to any one or more of the
following data elements when the data elements are not
encrypted or redacted:
(i) Social Security number.
(ii) Driver's license number or a State
identification card number issued in lieu of a driver's
license.
(iii) Financial account number, credit or debit card
number, in combination with any required security code,
access code or password that would permit access to an
individual's financial account.
(iv) Medical information.
(v) Health insurance information.
(vi) A user name or e-mail address, in combination
with a password or security question and answer that
would permit access to an online account.
(2) The term does not include publicly available
information that is lawfully made available to the general
public from Federal, State or local government records OR
WIDELY DISTRIBUTED MEDIA.
* * *
"State agency contractor." A person that has a contract with
a State agency for goods or services and a third-party
subcontractor that provides goods or services for the
fulfillment of the contract.
"STATE AGENCY CONTRACTOR." A PERSON OR BUSINESS THAT HAS A
CONTRACT WITH A STATE AGENCY FOR GOODS OR SERVICES AND A THIRD-PARTY SUBCONTRACTOR THAT PROVIDES THE GOODS OR SERVICES FOR THE
FULFILLMENT OF THE CONTRACT OR A PERSON OR BUSINESS THAT IS A
SUBCONTRACTOR PROVIDING GOODS OR SERVICES TO ONE OR MORE STATE
AGENCIES, THE PERFORMANCE OF WHICH WILL REQUIRE ACCESS TO
PERSONAL INFORMATION. "State agency contractor." A person,
business, subcontractor or third party subcontractor that has a
contract with a State agency for goods or services that requires
access to personal information for the fulfillment of the
contract.
Section 3. Section 3 of the act is amended 3 heading, (a)
and (c) of the act are amended and the section is amended by
adding subsections to read:
Section 3. Notification of the breach of the security of the
system.
* * *
(a) General rule.--An entity that maintains, stores or
manages computerized data that includes personal information
shall provide notice of any breach of the security of the system
following [discovery] determination of the breach of the
security of the system to any resident of this Commonwealth
whose unencrypted and unredacted personal information was or is
reasonably believed to have been accessed and acquired by an
unauthorized person. Except as provided in section 4 or in order
to take any measures necessary to determine the scope of the
breach and to restore the reasonable integrity of the data
system, the notice shall be made without unreasonable delay. For
the purpose of this section, a resident of this Commonwealth may
be determined to be an individual whose principal mailing
address, as reflected in the computerized data which is
maintained, stored or managed by the entity, is in this
Commonwealth.
(a.1) Notification by State agency or State agency
contractor.--
(1) If a State agency determines that it is the subject
of a breach affecting personal information of the
Commonwealth maintained by the State or State agency
contractor, the State agency shall provide notice of the
breach required under subsection (a) within seven days
following determination of the breach or notification by a
State agency contractor as provided under paragraph (2) .
Notification shall be provided concurrently to the Office of
Attorney General.
(2) (1) (1) If a State agency determines that it is the
subject of a breach of the security of the system affecting
personal information maintained by the State agency or State
agency contractor, the State agency shall provide notice of
the breach of the security of the system required under
subsection (a) within seven business days following
determination of the breach of the security of the system.
Notification shall be provided concurrently to the Office of
Attorney General.
(2) A State agency contractor shall , upon discovery of
the breach of the security of the system, notify the chief
information security officer, or a designee, of the State
agency for whom the work is performed of a affected by the
State agency contractor's breach of the security of the
system within seven business days following determination
DISCOVERY as soon as reasonably practical, but no later than
the time period specified in the applicable terms of the
contract between the State agency contractor and the State
agency of the breach of the security of the system .
(3) (2) (3) A State agency under the Governor's
jurisdiction shall also provide notice of a breach of the
security of the system to the Governor's Office of
Administration AND THE OFFICE OF ATTORNEY GENERAL within
three business days following the determination of the breach
of the security of the system . Notification shall occur
notwithstanding the existence of procedures and policies
under section 7.
(4) (3) A State agency that, on the effective date of
this section, has an existing contract with a State agency
contractor shall use reasonable efforts to amend the contract
to include provisions relating to the State agency
contractor's compliance with this act unless the existing
contract already contains breach of the security of the
system notification requirements .
(5) (4) (4) A State agency that, after the effective
date of this section, enters into a contract WHICH INVOLVES
THE USE OF PERSONAL INFORMATION with a State agency
contractor shall ensure that the contract includes provisions
relating to the State agency contractor's compliance with
this act.
(a.2) Notification by county, school district PUBLIC SCHOOL
or municipality.--If a county, school district PUBLIC SCHOOL or
municipality is the subject of a breach of the security of the
system, the county, school district PUBLIC SCHOOL or
municipality shall provide notice of the breach of the security
of the system required under subsection (a) within seven
business days following determination of the breach of the
security of the system . Notification shall be provided to the
district attorney in the county where the breach of the security
of the system occurred within three business days following
determination of the breach of the security of the system .
Notification shall occur notwithstanding the existence of
procedures and policies under section 7.
(a.3) Electronic notification.--In the case of a breach of
the security of the system involving personal information for a
user name or e-mail address in combination with a password or
security question and answer that would permit access to an
online account, the State agency, county, school district PUBLIC
SCHOOL or municipality entity , to the extent that it has
sufficient contact information for the person, may comply with
this section by providing the breach of the security of the
system notification in electronic or other form that directs the
person whose personal information has been breached materially
compromised by the breach of the security of the system to
promptly change the person's password and security question or
answer, as applicable or to take other steps appropriate to
protect the online account with the State agency, county, school
district PUBLIC SCHOOL or municipality entity and other online
accounts for which the person whose personal information has
been breached materially compromised by the breach of the
security of the system uses the same user name or e-mail address
and password or security question or answer.
(a.4) Affected individuals.--In the case of a breach of the
security of the system involving personal information for a user
of an individual's user name or e-mail address in combination
with a password or security question and answer that would
permit access to an online account, the State agency contractor
may comply with this section by providing a list of affected
residents of this Commonwealth and their valid e-mail address ,
if known, to the State agency subject of the breach of the
security of the system.
* * *
(c) Vendor notification.--A vendor that maintains, stores or
manages computerized data on behalf of another entity shall
provide notice of any breach of the security of the system
following discovery by the vendor to the entity on whose behalf
the vendor maintains, stores or manages the data. The entity
shall be responsible for making the determinations and
discharging any remaining duties under this act.
(D) DEFINITIONS.--AS USED IN THIS SECTION, THE TERM "PUBLIC
SCHOOL" MEANS ANY SCHOOL DISTRICT, INTERMEDIATE UNIT, CHARTER
SCHOOL, CYBER CHARTER SCHOOL OR AREA CAREER AND TECHNICAL
SCHOOL.
Section 4. The act is amended by adding sections to read:
Section 5.1. Encryption required.
(a) General rule.-- State employees and State agency
contractor employees shall, while working with personal
information on behalf of the Commonwealth or otherwise
conducting official business on behalf of the Commonwealth,
utilize encryption , OR OTHER APPROPRIATE SECURITY MEASURES, to
protect the transmission of personal information over the
Internet from being viewed or modified by an unauthorized third
party IN ACCORDANCE WITH THE GOVERNOR'S OFFICE OF ADMINISTRATION
POLICY UNDER SUBSECTION (B) .
(b) Transmission policy.--The Governor's Office of
Administration shall develop and maintain a policy to govern the
proper encryption and transmission OF DATA, WHICH INCLUDES
PERSONAL INFORMATION, by State agencies under the Governor's
jurisdiction of data which includes personal information .
(C) CONSIDERATIONS.--IN DEVELOPING THE POLICY, THE
GOVERNOR'S OFFICE OF ADMINISTRATION SHALL CONSIDER SIMILAR
EXISTING FEDERAL AND OTHER POLICIES IN OTHER STATES, BEST
PRACTICES IDENTIFIED BY OTHER STATES AND RELEVANT STUDIES AND
OTHER SOURCES AS APPROPRIATE.
(D) REVIEW AND UPDATE.--THE POLICY SHALL BE REVIEWED AT
LEAST ANNUALLY AND UPDATED AS NECESSARY.
Section 5.2. Commonwealth policy.
(a) Storage policy.-- The Governor's Office of Administration
shall develop a policy to govern the proper storage by State
agencies under the Governor's jurisdiction of data which
includes personal information. The policy shall address
identifying, collecting, maintaining, displaying and
transferring personal information, using personal information in
test environments, remediating personal information stored on
legacy systems and other relevant issues. A goal of the policy
shall be to reduce the risk of future breaches of the security
of the system.
(b) Considerations.--In developing the policy, the
Governor's Office of Administration shall consider similar
existing Federal and other policies in other states, best
practices identified by other states and relevant studies and
other sources as appropriate.
(c) Review and update.--The policy shall be reviewed at
least annually and updated as necessary.
(a) General rule.-- An entity that maintains, stores or
manages computerized data on behalf of the Commonwealth that
constitutes personal information shall utilize encryption , or
other appropriate security measures, to reasonably protect the
transmission of personal information over the Internet from
being viewed or modified by an unauthorized third party.
(b) Transmission policy.-- An entity that maintains, stores
or manages computerized data on behalf of the Commonwealth that
constitutes personal information shall develop and maintain a
policy to govern the proper encryption or other appropriate
security measures and transmission of data by State agencies.
(c) Considerations.--In developing the policy, an entity
shall reasonably consider similar existing Federal policies and
other policies, best practices identified by other states and
relevant studies and other sources as appropriate in accordance
with best practices as established by the Federal Government and
the Commonwealth.
(d) Review and update.--The policy shall be reviewed at
least annually and updated as necessary.
Section 5.2. Data storage policy.
(a) Storage policy.--An entity that maintains, stores or
manages computerized data on behalf of the Commonwealth that
constitutes personal information shall develop a policy to
govern reasonably proper storage of the personal information. A
goal of the policy shall be to reduce the risk of future
breaches of the security of the system.
(b) Considerations.--In developing the policy, an entity
shall reasonably consider similar existing Federal policies and
other policies, best practices identified by other states and
relevant studies and other sources as appropriate in accordance
with best practices as established by the Federal Government and
the Commonwealth.
(c) Review and update.--The policy shall be reviewed at
least annually and updated as necessary.
Section 5.3. Entities subject to the Health Insurance
Portability and Accountability Act of 1996.
Any covered entity or business associate that is subject to
and in compliance with the privacy and security standards for
the protection of electronic personal health information
established under the Health Insurance Portability and
Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936)
and the Health Information Technology for Economic and Clinical
Health Act (Public Law 111-5, 123 Stat. 226-279 and 467-496)
shall be deemed to be in compliance with the provisions of this
act.
Section 5. Section 7(b)(2) of the act is amended to read:
Sections 7(b)(2) and 29 of the act are amended to read:
Section 7. Notice exemption.
* * *
(b) Compliance with Federal requirements.--
* * *
(2) An entity, a State agency or State agency
contractor , OR A STATE AGENCY'S CONTRACTOR, that complies
with the notification requirements or procedures pursuant to
the rules, regulations, procedures or guidelines established
by the entity's State agency or State agency contractor's ,
STATE AGENCY'S, OR STATE AGENCY'S CONTRACTOR'S, primary State
or functional Federal regulator shall be in compliance with
this act.
Section 29. Applicability.
This act shall apply to the [discovery] determination or
notification of a breach [in] of the security of [personal
information data] the system that occurs on or after the
effective date of this section.
Section 6. This act shall take effect in 120 180 days.