PRIOR PRINTER'S NOS. 899, 1100
PRINTER'S NO. 1151
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No.
824
Session of
2023
INTRODUCED BY PENNYCUICK, DILLON, BREWSTER, DUSH, COSTA,
BOSCOLA, BROOKS, SCHWANK, CAPPELLETTI, CULVER AND MILLER,
JUNE 15, 2023
AS AMENDED ON THIRD CONSIDERATION, OCTOBER 3, 2023
AN ACT
Amending the act of December 22, 2005 (P.L.474, No.94),
entitled, as amended, "An act providing for security of
computerized data and for the notification of residents whose
personal information data was or may have been disclosed due
to a breach of the security of the system; and imposing
penalties," further providing for definitions, for
notification of the breach of the security of the system and
for notification of consumer reporting agencies; and
providing for credit reporting and monitoring.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The definition of "personal information" in
section 2 of the act of December 22, 2005 (P.L.474, No.94),
known as the Breach of Personal Information Notification Act,
amended November 3, 2022 (P.L.2139, No.151), is amended to read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
* * *
"Personal information."
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
(1) An individual's first name or first initial and last
name in combination with and linked to any one or more of the
following data elements when the data elements are not
encrypted or redacted:
(i) Social Security number.
(ii) Driver's license number or a State
identification card number issued in lieu of a driver's
license.
(iii) Financial account number, credit or debit card
number, in combination with any required security code,
access code or password that would permit access to an
individual's financial account.
(iv) Medical information in the possession of a
State agency or State agency contractor.
(v) Health insurance information.
(vi) A user name or e-mail address, in combination
with a password or security question and answer that
would permit access to an online account.
(2) The term does not include publicly available
information that is lawfully made available to the general
public from Federal, State or local government records or
widely distributed media.
* * *
Section 1.1. Section 3 of the act is amended by adding a
subsection SUBSECTIONS to read:
Section 3. Notification of the breach of the security of the
system.
* * *
(c.1) Notice to Attorney General.--When notice of the breach
of the security of the system under this section must be given
20230SB0824PN1151 - 2 -
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
to more than 500 affected individuals in this Commonwealth,
notice shall be made concurrently to the Office of Attorney
General. Notice to the Attorney General shall include the
following information to the extent known by the notifying
entity :
(1) The organization name and location.
(2) The date of the breach of the security of the
system .
(3) A summary of the breach incident of the security of
the system .
(4) An estimated total number of individuals affected by
the breach of the security of the system .
(5) An estimated total number of individuals in this
Commonwealth affected by the breach of the security of the
system .
(C.2) EXEMPTION.--AN ENTITY SUBJECT TO THE REQUIREMENTS OF
40 PA.C.S. CH. 45 (RELATING TO INSURANCE DATA SECURITY) SHALL BE
EXEMPT FROM THE NOTICE REQUIREMENTS UNDER SUBSECTION (C.1).
* * *
Section 2. Section 5 of the act is amended to read:
Section 5. Notification of consumer reporting agencies.
When an entity provides notification under this act to more
than [1,000] 500 persons at one time, the entity shall also
notify, without unreasonable delay, all consumer reporting
agencies that compile and maintain files on consumers on a
nationwide basis, as defined in section 603 of the Fair Credit
Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a), of the
timing, distribution and number of notices.
Section 3. The act is amended by adding a section to read:
Section 5.4. Credit reporting and monitoring.
20230SB0824PN1151 - 3 -
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(a) Assumption of costs.--An entity that provides
notification under section 5 and meets the requirements of
subsection (b) shall assume all costs and fees in providing the
affected individuals:
(1) Access to one independent credit report from a
consumer reporting agency if the individual is not eligible
to obtain an independent credit report from a consumer
reporting agency for free under 15 U.S.C. § 1681 (relating to
congressional findings and statement of purpose).
(2) Access to credit monitoring services for a period of
12 months following notification. An entity may satisfy the
requirements of this paragraph by providing notice to the
individual of the availability of monitoring services for a
period of 12 months at no cost to the individual.
(b) Data subject to credit reporting and monitoring.--
Notwithstanding any other provision of law, an entity shall be
subject to the requirements of this section if that entity makes
a determination that a breach of the security of the system has
occurred and reasonably believes that an individual's first name
and last name or an individual's first initial and last name, in
combination with any of the following information, has been
accessed:
(1) Social Security number.
(2) Bank account number.
(3) Driver's license or State ID number.
(c) Notice.--The entity shall inform the affected individual
of the availability of no-cost services under subsection (a)
upon notification in compliance with this act.
Section 4. This act shall take effect in 90 days.
20230SB0824PN1151 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29