See other bills
under the
same topic
PRINTER'S NO. 675
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
662
Session of
2019
INTRODUCED BY MURT, RYAN, KINSEY, HILL-EVANS, SCHLOSSBERG,
MILLARD, FREEMAN, SCHWEYER, KAUFER AND SIMS, MARCH 1, 2019
REFERRED TO COMMITTEE ON JUDICIARY, MARCH 1, 2019
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94), entitled
"An act providing for the notification of residents whose
personal information data was or may have been disclosed due
to a security system breach; and imposing penalties," further
providing for notification of breach.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Section 3 of the act of December 22, 2005
(P.L.474, No.94), known as the Breach of Personal Information
Notification Act, is amended by adding subsections to read:
Section 3. Notification of breach.
* * *
(a.1) Notification by State agency .--If a State agency is
the subject of a breach of security of the system, the State
agency shall provide notice of the breach of security of the
system required under subsection (a) within seven days following
discovery of the breach. Notification shall be provided to the
Office of Attorney General within three business days following
discovery of the breach. A State agency under the Governor's
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
jurisdiction shall also provide notice of a breach of security
of the system to the Governor's Office of Administration within
three business days following the discovery of the breach.
Notification shall occur regardless of the existence of
procedures and policies under section 7.
(a.2) Notification by county, school district or
municipality.--If a county, school district or municipality is
the subject of a breach of security of the system, the county,
school district or municipality shall provide notice of the
breach of security of the system required under subsection (a)
within seven days following discovery of the breach.
Notification shall be provided to the district attorney in the
county that the breach occurred within three business days
following the discovery of the breach. Notification shall occur
regardless of the existence of procedures and policies under
section 7.
(a.3) Storage policy.--
(1) The Governor's Office of Administration shall
develop a policy to govern the proper storage by State
agencies under the Governor's jurisdiction of data that
includes personally identifiable information. As permitted by
Federal or State law or regulation, the policy shall address
identifying, collecting, maintaining, displaying and
transferring personally identifiable information, using
personally identifiable information in test environments,
remediating personally identifiable information stored on
legacy systems and other relevant issues. A goal of the
policy shall be to reduce the risk of future breaches of
security of the system.
(2) In developing the policy under paragraph (1), the
20190HB0662PN0675 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Governor's Office of Administration shall consider Federal
and State law, regulation or both, similar existing policies
in other states, best practices identified by other states
and relevant studies and other sources as appropriate. The
policy shall be reviewed at least annually and updated as
necessary.
* * *
Section 2. This act shall take effect in 60 days.
20190HB0662PN0675 - 3 -
1
2
3
4
5
6
7
8