AN ACT

Amending the act of December 22, 2005 (P.L.474, No.94), entitled "An act providing for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposing penalties," further providing for notification of breach.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended by adding subsections to read:

Section 3. Notification of breach.

* * *

(a.1) Notification by State agency.--If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor's jurisdiction shall also provide notice of a breach of security of the system to the Governor's Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.

(a.2) Notification by county, school district or municipality.--If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.

(a.3) Storage policy.--

(1) The Governor's Office of Administration shall develop a policy to govern the proper storage by State agencies of data which includes personally identifiable information. As permitted by Federal or State law or regulation, the policy shall address identifying, collecting, maintaining, displaying and transferring personally identifiable information, using personally identifiable information in test environments, remediating personally identifiable information stored on legacy systems and other relevant issues. A goal of the policy shall be to reduce the risk of future breaches of security of the system.

(2) In developing the policy under paragraph (1), the Governor's Office of Administration shall consider Federal and State law, regulation or both, similar existing policies in other states, best practices identified by other states and relevant studies and other sources as appropriate. The policy shall be reviewed at least annually and updated as necessary.

* * *

Section 2. This act shall take effect in 60 days.