Please wait while the document is loaded.

A01100
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No.
824
Session of
2023
INTRODUCED BY PENNYCUICK, DILLON, BREWSTER, DUSH, COSTA,
BOSCOLA, BROOKS AND SCHWANK, JUNE 15, 2023
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, JUNE 15, 2023
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94),
entitled, as amended, "An act providing for security of
computerized data and for the notification of residents whose
personal information data was or may have been disclosed due
to a breach of the security of the system; and imposing
penalties," further providing for definitions, for
notification of the breach of the security of the system and
for notification of consumer reporting agencies; and
providing for credit reporting and monitoring.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Section 3 of the act of December 22, 2005
(P.L.474, No.94), known as the Breach of Personal Information
Notification Act, is amended by adding a subsection to read:
Section 1. The definition of "personal information" in
section 2 of the act of December 22, 2005 (P.L.474, No.94),
known as the Breach of Personal Information Notification Act,
amended November 3, 2022 (P.L.2139, No.151), is amended to read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
context clearly indicates otherwise:
* * *
"Personal information."
(1) An individual's first name or first initial and last
name in combination with and linked to any one or more of the
following data elements when the data elements are not
encrypted or redacted:
(i) Social Security number.
(ii) Driver's license number or a State
identification card number issued in lieu of a driver's
license.
(iii) Financial account number, credit or debit card
number, in combination with any required security code,
access code or password that would permit access to an
individual's financial account.
(iv) Medical information in the possession of a
State agency or State agency contractor.
(v) Health insurance information.
(vi) A user name or e-mail address, in combination
with a password or security question and answer that
would permit access to an online account.
(2) The term does not include publicly available
information that is lawfully made available to the general
public from Federal, State or local government records or
widely distributed media.
* * *
Section 1.1. Section 3 of the act is amended by adding a
subsection to read:
Section 3. Notification of the breach of the security of the
system.
A01100 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
* * *
(c.1) Notice to Attorney General.--When notice of the breach
of the security of the system under this section must be given
to more than 500 affected individuals in this Commonwealth,
notice shall be made concurrently to the Office of Attorney
General. Notice to the Attorney General shall include the
following information:
(1) The organization name and location.
(2) The date of the breach.
(3) A summary of the breach incident.
(4) An estimated total number of individuals affected by
the breach.
(5) An estimated total number of individuals in this
Commonwealth affected by the breach.
* * *
Section 2. Section 5 of the act is amended to read:
Section 5. Notification of consumer reporting agencies.
When an entity provides notification under this act to more
than [1,000] 500 persons at one time, the entity shall also
notify, without unreasonable delay, all consumer reporting
agencies that compile and maintain files on consumers on a
nationwide basis, as defined in section 603 of the Fair Credit
Reporting Act (Public Law 91-508, 15 U.S.C. ยง 1681a), of the
timing, distribution and number of notices.
Section 3. The act is amended by adding a section to read:
Section 5.4. Credit reporting and monitoring.
(a) Assumption of costs.--An entity providing notification
under section 5 shall assume all costs and fees in providing the
affected individuals:
(1) Access to an independent credit report from a
A01100 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
consumer reporting agency supplied once per month for a
period of six months following notification.
(2) Access to credit monitoring services for a period of
12 months following notification.
(b) Notice.--The entity shall inform the affected individual
of the availability of no-cost services under subsection (a)
upon notification in compliance with this act.
Section 4. This act shall take effect in 60 days.
A01100 - 4 -
1
2
3
4
5
6
7
8