PRINTER'S NO. 899
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. 824
Session of 2023
INTRODUCED BY PENNYCUICK, DILLON, BREWSTER, DUSH, COSTA,
BOSCOLA, BROOKS AND SCHWANK, JUNE 15, 2023
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, JUNE 15, 2023
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94),
entitled, as amended, "An act providing for security of
computerized data and for the notification of residents whose
personal information data was or may have been disclosed due
to a breach of the security of the system; and imposing
penalties," further providing for notification of the breach
of the security of the system and for notification of
consumer reporting agencies; and providing for credit
reporting and monitoring.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Section 3 of the act of December 22, 2005
(P.L.474, No.94), known as the Breach of Personal Information
Notification Act, is amended by adding a subsection to read:
Section 3. Notification of the breach of the security of the
system.
* * *
(c.1) Notice to Attorney General.--When notice of the breach
of the security of the system under this section must be given
to more than 500 affected individuals in this Commonwealth,
notice shall be made concurrently to the Office of Attorney
General. Notice to the Attorney General shall include the
following information:
(1) The organization name and location.
(2) The date of the breach.
(3) A summary of the breach incident.
(4) An estimated total number of individuals affected by
the breach.
(5) An estimated total number of individuals in this
Commonwealth affected by the breach.
* * *
Section 2. Section 5 of the act is amended to read:
Section 5. Notification of consumer reporting agencies.
When an entity provides notification under this act to more
than [1,000] 500 persons at one time, the entity shall also
notify, without unreasonable delay, all consumer reporting
agencies that compile and maintain files on consumers on a
nationwide basis, as defined in section 603 of the Fair Credit
Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a), of the
timing, distribution and number of notices.
Section 3. The act is amended by adding a section to read:
Section 5.4. Credit reporting and monitoring.
(a) Assumption of costs.--An entity providing notification
under section 5 shall assume all costs and fees in providing the
affected individuals:
(1) Access to an independent credit report from a
consumer reporting agency supplied once per month for a
period of six months following notification.
(2) Access to credit monitoring services for a period of
12 months following notification.
(b) Notice.--The entity shall inform the affected individual
of the availability of no-cost services under subsection (a)
upon notification in compliance with this act.
Section 4. This act shall take effect in 60 days.
20230SB0824PN0899 - 3 -