PRINTER'S NO. 1362
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL No. 1048
Session of 2015
INTRODUCED BY VULAKOVICH, SCARNATI, AUMENT, BROWNE, COSTA,
FARNESE, FOLMER, FONTANA, GORDNER, GREENLEAF, HAYWOOD,
HUGHES, PILEGGI, RAFFERTY, SCAVELLO, SCHWANK, STEFANO, VOGEL
AND WARD, OCTOBER 26, 2015
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, OCTOBER 26, 2015
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled
"An act providing for the notification of residents whose
personal information data was or may have been disclosed due
to a security system breach; and imposing penalties," further
providing for title of act, for definitions and for
notification of breach; prohibiting employees of the
Commonwealth from using nonsecured Internet connections; and
providing for Commonwealth policy.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The title of the act of December 22, 2005
(P.L.474, No.94), known as the Breach of Personal Information
Notification Act, is amended to read:
AN ACT
Providing for security of computerized data and for the
notification of residents whose personal information data was
or may have been disclosed due to a security system breach;
and imposing penalties.
Section 2. The definition of "personal information" in
section 2 of the act is amended to read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
* * *
"Personal information."
(1) An individual's first name or first initial and last
name in combination with and linked to any one or more of the
following data elements when the data elements are not
encrypted or redacted:
(i) Social Security number.
(ii) Driver's license number or a State
identification card number issued in lieu of a driver's
license.
(iii) Financial account number, credit or debit card
number, in combination with any required security code,
access code or password that would permit access to an
individual's financial account.
(iv) Medical information.
(v) Health insurance information.
(vi) A user name or e-mail address, in combination
with a password or security question and answer that
would permit access to an online account.
(2) The term does not include publicly available
information that is lawfully made available to the general
public from Federal, State or local government records.
* * *
Section 3. Section 3 of the act is amended by adding
subsections to read:
Section 3. Notification of breach.
20150SB1048PN1362 - 2 -
* * *
(a.1) Notification by State agency.--If a State agency is
the subject of a breach of security of the system, the State
agency shall provide notice of the breach of security of the
system required under subsection (a) within seven days following
discovery of the breach. Notification shall be provided to the
Office of Attorney General within three business days following
discovery of the breach. A State agency under the Governor's
jurisdiction shall also provide notice of a breach of security
of the system to the Governor's Office of Administration within
three business days following the discovery of the breach.
Notification shall occur regardless of the existence of
procedures and policies under section 7.
(a.2) Notification by county, school district or
municipality.--If a county, school district or municipality is
the subject of a breach of security of the system, the county,
school district or municipality shall provide notice of the
breach of security of the system required under subsection (a)
within seven days following discovery of the breach.
Notification shall be provided to the district attorney in the
county in which the breach occurred within three business days
following discovery of the breach. Notification shall occur
regardless of the existence of procedures and policies under
section 7.
* * *
Section 4. The act is amended by adding sections to read:
Section 5.1. Encryption required.
(a) General rule.--Employees and contractors of the
Commonwealth shall, while performing the employee's or
contractor's duties or otherwise conducting official business on
behalf of the Commonwealth, utilize encryption to protect the
transmission of personal information over the Internet from
being viewed or modified by a third party.
(b) Transmission policy.--The Governor's Office of
Administration shall develop and maintain a policy to govern the
proper encryption and transmission by State agencies under the
Governor's jurisdiction of data which includes personal
information.
Section 5.2. Commonwealth policy.
(a) Storage policy.--The Governor's Office of Administration
shall develop a policy to govern the proper storage by State
agencies under the Governor's jurisdiction of data which
includes personal information. The policy shall address
identifying, collecting, maintaining, displaying and
transferring personally identifiable information, using
personally identifiable information in test environments,
remediating personally identifiable information stored on legacy
systems and other relevant issues. A goal of the policy shall be
to reduce the risk of future breaches of security of the system.
(b) Considerations.--In developing the policy, the
Governor's Office of Administration shall consider similar
existing policies in other states, best practices identified by
other states and relevant studies and other sources as
appropriate.
(c) Review and update.--The policy shall be reviewed at
least annually and updated as necessary.
Section 5. This act shall take effect in 60 days.