PRIOR PRINTER'S NOS. 67, 367
PRINTER'S NO. 1005
THE GENERAL ASSEMBLY OF PENNSYLVANIA
INTRODUCED BY PILEGGI, VULAKOVICH, SCARNATI, FARNESE, WASHINGTON, ROBBINS, MENSCH, ERICKSON, FONTANA, SCHWANK, KASUNIC, RAFFERTY, ALLOWAY, TARTAGLIONE, HUGHES, YAW, WILLIAMS, BOSCOLA, GREENLEAF, FERLO, WARD, YUDICHAK, FOLMER, GORDNER, VANCE, WAUGH, BREWSTER, BRUBAKER, BAKER, TOMLINSON AND BROWNE, JANUARY 9, 2013
AS AMENDED ON THIRD CONSIDERATION, APRIL 30, 2013
Amending the act of December 22, 2005 (P.L.474, No.94), entitled "An act providing for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposing penalties," further providing for notification of breach.
Section 3. Notification of breach.

* * *

(a.1) Notification by State agency.--If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor's jurisdiction shall also provide notice of a breach of its security system to the Governor's Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.

(a.2) Notification by county, school district or municipality.--If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under
(a.3) Storage policy.--

(1) The Office of Administration shall develop a policy to govern the proper storage by State agencies of data which includes personally identifiable information. The policy shall address identifying, collecting, maintaining, displaying and transferring personally identifiable information, using personally identifiable information in test environments, remediating personally identifiable information stored on legacy systems and other relevant issues. A goal of the policy shall be to reduce the risk of future breaches of security of the system.

(2) In developing the policy under paragraph (1), the Office of Administration shall consider similar existing policies in other states, best practices identified by other states and relevant studies and other sources as appropriate. The policy shall be reviewed at least annually and updated as

* * *

Section 2. This act shall take effect in 60 days.