PRINTER'S NO. 2348
No. 1795 Session of 2005
INTRODUCED BY BAKER, CLYMER, CAPPELLI, PICKETT, BALDWIN, BARRAR,
BOYD, CALTAGIRONE, CAUSER, CRAHALLA, CREIGHTON, DENLINGER,
DeWEESE, GANNON, GEIST, GEORGE, GILLESPIE, GINGRICH, GOOD,
GOODMAN, GRUCELA, HARPER, HERMAN, HESS, JOSEPHS, KOTIK,
FLICK, MANDERINO, MANN, McCALL, McGEEHAN, McILHATTAN, MUNDY,
PETRARCA, PYLE, RAYMOND, REICHLEY, SAINATO, SATHER, SAYLOR,
SHAPIRO, B. SMITH, STABACK, R. STEVENSON, STURLA,
E. Z. TAYLOR, THOMAS, TIGUE, WHEATLEY AND WOJNAROSKI,
JUNE 28, 2005
REFERRED TO COMMITTEE ON COMMERCE, JUNE 28, 2005
AN ACT
1 Providing for the notification of residents whose personal
2 information data was or may have been disclosed due to a
3 security system breach; and imposing penalties.
4 The General Assembly of the Commonwealth of Pennsylvania
5 hereby enacts as follows:
6 Section 1. Short title.
7 This act shall be known and may be cited as the Breach of
8 Personal Information Notification Act.
9 Section 2. Definitions.
10 The following words and phrases when used in this act shall
11 have the meanings given to them in this section unless the
12 context clearly indicates otherwise:
13 "Breach of the security of the system." The unauthorized
14 access and acquisition of computerized data that compromises the
15 security or confidentiality of personal information maintained
1 by the entity as part of a database of personal information
2 regarding multiple individuals and that causes or the entity
3 reasonably believes has caused or will cause loss or injury to
4 any resident of this Commonwealth. Good faith acquisition of
5 personal information by an employee or agent of the entity for
6 the purposes of the entity is not a breach of the security of
7 the system if the personal information is not used for a purpose
8 other than the lawful purpose of the entity and is not subject
9 to further unauthorized disclosure.
10 "Business." A sole proprietorship, partnership, corporation,
11 association or other group, however organized and whether or not
12 organized to operate at a profit, including a financial
13 institution organized, chartered or holding a license or
14 authorization certificate under the laws of this Commonwealth,
15 any other state, the United States or any other country, or the
16 parent or the subsidiary of a financial institution. The term
17 includes an entity that destroys records.
18 "Encryption." The use of an algorithmic process to transform
19 data into a form in which there is a low probability of
20 assigning meaning without use of a confidential process or key.
21 "Entity." A State agency, a political subdivision of the
22 Commonwealth or an individual or a business doing business in
23 this Commonwealth.
24 "Individual." A natural person.
25 "Notice." May be provided by one of the following methods of
26 notification:
27 (1) Written notice.
28 (2) Electronic notice, if the notice provided is
29 consistent with the provisions regarding electronic records
30 and signatures set forth in section 701 of the Electronic
20050H1795B2348 - 2 -
1 Signatures in Global and National Commerce Act (Public Law
2 106-229, 15 U.S.C. § 7001).
3 (3) (i) Substitute notice, if the entity demonstrates
4 one of the following:
5 (A) The cost of providing notice would exceed
6 $250,000.
7 (B) The affected class of subject persons to be
8 notified exceeds 500,000.
9 (C) The entity does not have sufficient contact
10 information.
11 (ii) Substitute notice shall consist of all of the
12 following:
13 (A) E-mail notice when the entity has an e-mail
14 address for the subject persons.
15 (B) Conspicuous posting of the notice on the
16 entity's Internet website, if the entity maintains
17 one.
18 (C) Notification to major Statewide media.
19 "Personal information."
20 (1) An individual's first name or first initial and last
21 name in combination with and linked to any one or more of the
22 following data elements, when the name and data elements are
23 not encrypted or redacted:
24 (i) Social Security number.
25 (ii) Driver's license number or a State
26 identification card number issued in lieu of a driver's
27 license.
28 (iii) Financial account number, credit or debit card
29 number, in combination with any required security code,
30 access code or password that would permit access to an
20050H1795B2348 - 3 -
1 individual's financial account.
2 (2) The term does not include publicly available
3 information that is lawfully made available to the general
4 public from Federal, State or local government records.
5 "Records." Any material, regardless of the physical form, on
6 which information is recorded or preserved by any means,
7 including in written or spoken words, graphically depicted,
8 printed or electromagnetically transmitted. The term does not
9 include publicly available directories containing information an
10 individual has voluntarily consented to have publicly
11 disseminated or listed, such as name, address or telephone
12 number.
13 "Redact." The term includes, but is not limited to,
14 alteration or truncation such that no more than the last four
15 digits of a Social Security number, driver's license number,
16 State identification card number or account number is accessible
17 as part of the data.
18 "State agency." Any agency, board, commission, authority or
19 department of the Commonwealth and the General Assembly.
20 Section 3. Disclosure of computerized data.
21 (a) General rule.--An entity that owns or licenses
22 computerized data that includes personal information shall
23 disclose any breach of the security of the system following
24 discovery or notification of the breach of the security of the
25 system to any resident of this Commonwealth whose unencrypted
26 and unredacted personal information was or is reasonably
27 believed to have been accessed and acquired by an unauthorized
28 person. Except as provided in section 5 or in order to take any
29 measures necessary to determine the scope of the breach and to
30 restore the reasonable integrity of the data system, the
20050H1795B2348 - 4 -
1 disclosure shall be made without unreasonable delay.
2 (b) Encrypted information.--An entity must disclose the
3 breach if encrypted information is accessed and acquired in an
4 unencrypted form, if the security breach is linked to a breach
5 of the security of the encryption or if the security breach
6 involves a person with access to the encryption key.
7 Section 4. Disclosure of maintained computerized data.
8 An entity that maintains computerized data that includes
9 personal information that the entity does not own or license
10 shall notify the owner or licensee of the information of any
11 breach of the security of the data immediately following
12 discovery, if the personal information was or is reasonably
13 believed to have been accessed and acquired by an unauthorized
14 person.
15 Section 5. Exceptions.
16 The notification required by this act may be delayed if a law
17 enforcement agency determines and advises the entity in writing
18 specifically referencing this section that the notification will
19 impede a criminal or civil investigation. The notification
20 required by this act shall be made after the law enforcement
21 agency determines that it will not compromise the investigation
22 or national or homeland security.
23 Section 6. Notification of consumer reporting agencies.
24 When an entity provides notification under this act to more
25 than 1,000 persons at one time, the entity shall also notify,
26 without unreasonable delay, all consumer reporting agencies that
27 compile and maintain files on consumers on a nationwide basis,
28 as defined in section 603 of the Fair Credit Reporting Act
29 (Public Law 91-508, 15 U.S.C. § 1681a), of the timing,
30 distribution and number of notices.
20050H1795B2348 - 5 -
1 Section 7. Preemption.
2 This act deals with subject matter that is of Statewide
3 concern, and it is the intent of the General Assembly that this
4 act shall supersede and preempt all rules, regulations, codes,
5 statutes or ordinances of all cities, counties, municipalities
6 and other local agencies within this Commonwealth regarding the
7 matters expressly set forth in this act.
8 Section 8. Notice exemption.
9 (a) Information privacy or security policy.--An entity that
10 maintains its own notification procedures as part of an
11 information privacy or security policy for the treatment of
12 personal information and is consistent with the notice
13 requirements of this act shall be deemed to be in compliance
14 with the notification requirements of this act if it notifies
15 subject persons in accordance with its policies in the event of
16 a breach of security of the system.
17 (b) Compliance with Federal requirements.--
18 (1) A financial institution that complies with the
19 notification requirements prescribed by the Federal
20 Interagency Guidance on Response Programs for Unauthorized
21 Access to Customer Information and Customer Notice is deemed
22 to be in compliance with this act.
23 (2) An entity that complies with the notification
24 requirements or procedures pursuant to the rules,
25 regulations, procedures or guidelines established by the
26 entity's primary or functional Federal regulator shall be in
27 compliance with this act.
28 Section 9. Civil relief.
29 A willful and knowing violation of this act shall be deemed
30 to be an unfair or deceptive act or practice in violation of the
20050H1795B2348 - 6 -
1 act of December 17, 1968 (P.L.1224, No.387), known as the Unfair
2 Trade Practices and Consumer Protection Law. The Office of
3 Attorney General shall have exclusive authority to bring an
4 action under the Unfair Trade Practices and Consumer Protection
5 Law for a violation of this act.
6 Section 10. Applicability.
7 This act shall apply to the discovery or notification of a
8 breach in the security of personal information data that occurs
9 on or after the effective date of this section.
10 Section 11. Effective date.
11 This act shall take effect in 60 days.
F21L12SFL/20050H1795B2348 - 7 -