jurisdiction shall also provide notice of a breach of security
of the system to the Governor's Office of Administration within
three business days following the discovery of the breach.
Notification shall occur regardless of the existence of
procedures and policies under section 7.
(a.2) Notification by county, school district or
municipality.--If a county, school district or municipality is
the subject of a breach of security of the system, the county,
school district or municipality shall provide notice of the
breach of security of the system required under subsection (a)
within seven days following discovery of the breach.
Notification shall be provided to the district attorney in the
county in which the breach occurred within three business days
following discovery of the breach. Notification shall occur
regardless of the existence of procedures and policies under
section 7.
(a.3) Storage policy.--
(1) The Governor's Office of Administration shall
develop a policy to govern the proper storage by State
agencies under the Governor's jurisdiction of data which
includes personally identifiable information. As permitted by
Federal or State law or regulation, the policy shall address
identifying, collecting, maintaining, displaying and
transferring personally identifiable information, using
personally identifiable information in test environments,
remediating personally identifiable information stored on
legacy systems and other relevant issues. A goal of the
policy shall be to reduce the risk of future breaches of
security of the system.
(2) In developing the policy under paragraph (1), the
20150HB0668PN0794 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30