PRIOR PRINTER'S NO. 3356; PRINTER'S NO. 3634
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No. 2167, Session of 2014
INTRODUCED BY SWANGER, COHEN, COX, DENLINGER, GABLER, GROVE, HARPER, HEFFLEY, KORTZ, MILLARD, MURT, ROAE, SACCONE, SCHLOSSBERG, TOEPEL, TURZAI AND McNEILL, APRIL 9, 2014
AS REPORTED FROM COMMITTEE ON JUDICIARY, HOUSE OF REPRESENTATIVES, AS AMENDED, JUNE 3, 2014
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled "An act providing for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposing penalties," further providing for notification of breach.
The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:
Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended by adding subsections to read:
Section 3. Notification of breach.
* * *
(a.1) Notification by State agency.--If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor's jurisdiction shall also provide notice of a breach of <-its security <-of the system to the Governor's Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
(a.2) Notification by county, school district or municipality.--If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
(a.3) Storage policy.--
(1) The <-Governor's Office of Administration shall develop a policy to govern the proper storage by State agencies of data which includes personally identifiable information. <-The As permitted by Federal or State law or regulation, the policy shall address identifying, collecting, maintaining, displaying and transferring personally identifiable information, using personally identifiable information in test environments, remediating personally identifiable information stored on legacy systems and other relevant issues. A goal of the policy shall be to reduce the risk of future breaches of security of the system.
(2) In developing the policy under paragraph (1), the Governor's Office of Administration shall consider <-Federal and State law, regulation or both, similar existing policies in other states, best practices identified by other states and relevant studies and other sources as appropriate. The policy shall be reviewed at least annually and updated as necessary.
* * *
Section 2. This act shall take effect in 60 days.