Thomas S. Markey writes:
On Feb. 19, a bill was introduced in the Pennsylvania Senate proposing to amend the Pennsylvania Breach of Personal Information Notification Act to add new breach notification requirements for state agencies and political subdivisions of the commonwealth.
Enacted in 2005, the act (73 P.S. Section 2301 et seq.) applies to commonwealth agencies; political subdivisions, which include counties, cities, boroughs, incorporated towns, townships and school districts; and persons doing business in Pennsylvania, including nonprofit organizations and financial institutions (collectively, entities). Under the act, an entity must notify Pennsylvania residents whose unencrypted and unredacted personal information stored on a computerized system was, or was reasonably believed to have been, accessed and acquired by an unauthorized person. The act requires that residents are notified of a data breach “without unreasonable delay.”
Senate Bill 308, sponsored by Pennsylvania Sen. Kristin Phillips-Hill, proposes significant changes to the definition of personal information, the timing and contents of breach notice requirements and state agencies’ obligation to develop information security policies.
Read more on The Legal Intelligencer.