1Amending the act of December 22, 2005 (P.L.474, No.94), entitled
2"An act providing for the notification of residents whose
3personal information data was or may have been disclosed due
4to a security system breach; and imposing penalties," further
5providing for notification of breach.

6The General Assembly of the Commonwealth of Pennsylvania
7hereby enacts as follows:

8Section 1. Section 3 of the act of December 22, 2005 
9(P.L.474, No.94), known as the Breach of Personal Information
10Notification Act, is amended by adding subsections to read:

11Section 3. Notification of breach.

12* * *

13(a.1) Notification by State agency.--If a State agency is 
14the subject of a breach of security of the system, the State 
15agency shall provide notice of the breach of security of the 
16system required under subsection (a) within seven days following 
17discovery of the breach. Notification shall be provided to the 

1Office of Attorney General within three business days following 
2discovery of the breach. A State agency under the Governor's 
3jurisdiction shall also provide notice of a breach of its 
4security system to the Governor's Office of Administration 
5within three business days following the discovery of the 
6breach. Notification shall occur regardless of the existence of 
7procedures and policies under section 7.

8(a.2) Notification by county, school district or
9municipality.--If a county, school district or municipality is
10the subject of a breach of security of the system, the county,
11school district or municipality shall provide notice of the
12breach of security of the system required under subsection (a)
13within seven days following discovery of the breach.
14Notification shall be provided to the district attorney in the
15county in which the breach occurred within three business days
16following discovery of the breach. Notification shall occur
17regardless of the existence of procedures and policies under
18section 7.

<-19(a.3) Storage policy.--

20(1) The Office of Administration shall develop a policy
21to govern the proper storage by State agencies of data which
22includes personally identifiable information. The policy
23shall address identifying, collecting, maintaining,
24displaying and transferring personally identifiable
25information, using personally identifiable information in
26test environments, remediating personally identifiable
27information stored on legacy systems and other relevant
28issues. A goal of the policy shall be to reduce the risk of
29future breaches of security of the system.

30(2) In developing the policy under paragraph (1), the

1Office of Administration shall consider similar existing
2policies in other states, best practices identified by other
3states and relevant studies and other sources as appropriate.
4The policy shall be reviewed at least annually and updated as

6* * *

7Section 2. This act shall take effect in 60 days.