By a vote of 49-0, the Pennsylvania Senate passed Senate Bill 114, amending the state’s data breach notification law.
Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended by adding subsections to read:
Section 3. Notification of breach.
(a.1) Notification by State agency.–If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor’s jurisdiction shall also provide notice of a breach of its security system to the Governor’s Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
(a.2) Notification by county, school district or municipality.–If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.
(A.3) STORAGE POLICY.–
(1) THE OFFICE OF ADMINISTRATION SHALL DEVELOP A POLICY TO GOVERN THE PROPER STORAGE BY STATE AGENCIES OF DATA WHICH INCLUDES PERSONALLY IDENTIFIABLE INFORMATION. THE POLICY SHALL ADDRESS IDENTIFYING, COLLECTING, MAINTAINING, DISPLAYING AND TRANSFERRING PERSONALLY IDENTIFIABLE INFORMATION, USING PERSONALLY IDENTIFIABLE INFORMATION IN TEST ENVIRONMENTS, REMEDIATING PERSONALLY IDENTIFIABLE INFORMATION STORED ON LEGACY SYSTEMS AND OTHER RELEVANT ISSUES. A GOAL OF THE POLICY SHALL BE TO REDUCE THE RISK OF FUTURE BREACHES OF SECURITY OF THE SYSTEM.
(2) IN DEVELOPING THE POLICY UNDER PARAGRAPH (1), THE OFFICE OF ADMINISTRATION SHALL CONSIDER SIMILAR EXISTING POLICIES IN OTHER STATES, BEST PRACTICES IDENTIFIED BY OTHER STATES AND RELEVANT STUDIES AND OTHER SOURCES AS APPROPRIATE. THE POLICY SHALL BE REVIEWED AT LEAST ANNUALLY AND UPDATED AS NECESSARY.
Section 2. This act shall take effect in 60 days.
h/t, Law360.com