| |
| PRIOR PRINTER'S NO. 167 | PRINTER'S NO. 1568 |
|
| |
| THE GENERAL ASSEMBLY OF PENNSYLVANIA |
| |
| SENATE BILL |
|
| |
| |
| INTRODUCED BY PILEGGI, SCARNATI, ORIE, COSTA, ERICKSON, BROWNE, FOLMER, PICCOLA, YAW, SMUCKER, RAFFERTY, D. WHITE, PIPPY, ALLOWAY, WARD, BOSCOLA, FARNESE, WILLIAMS, BRUBAKER, WASHINGTON, TOMLINSON, GORDNER, WAUGH, MENSCH, GREENLEAF, EARLL, BAKER, KITCHEN, ROBBINS AND WOZNIAK, JANUARY 20, 2011 |
| |
| |
| AS AMENDED ON SECOND CONSIDERATION, SEPTEMBER 20, 2011 |
| |
| |
| |
| AN ACT |
| |
1 | Amending the act of December 22, 2005 (P.L.474, No.94), entitled |
2 | "An act providing for the notification of residents whose |
3 | personal information data was or may have been disclosed due |
4 | to a security system breach; and imposing penalties," further |
5 | providing for notification of breach; and providing for | <-- |
6 | investigation of breach involving a State agency, for |
7 | investigation of breach involving a county, school district |
8 | or municipality and for individuals responsible for breach. |
9 | The General Assembly of the Commonwealth of Pennsylvania |
10 | hereby enacts as follows: |
11 | Section 1. Section 3 of the act of December 22, 2005 |
12 | (P.L.474, No.94), known as the Breach of Personal Information |
13 | Notification Act, is amended by adding a subsection subsections | <-- |
14 | to read: |
15 | Section 3. Notification of breach. |
16 | * * * |
17 | (a.1) Notification by government entity State agency.--If a | <-- |
18 | State agency or political subdivision is the subject of a breach | <-- |
19 | of security of the system, the State agency or political | <-- |
|
1 | subdivision shall provide notice of the breach of security of |
2 | the system required under subsection (a) within seven days |
3 | following discovery of the breach. Notification shall be |
4 | provided to the Office of Attorney General within three business |
5 | days following discovery of the breach. Notification shall occur |
6 | regardless of the existence of procedures and policies under |
7 | section 7. |
8 | (a.2) Notification by county, school district or | <-- |
9 | municipality.--If a county, school district or municipality is |
10 | the subject of a breach of security of the system, the county, |
11 | school district or municipality shall provide notice of the |
12 | breach of security of the system required under subsection (a) |
13 | within seven days following discovery of the breach. |
14 | Notification shall be provided to the district attorney in the |
15 | county in which the breach occurred within three business days |
16 | following discovery of the breach. Notification shall occur |
17 | regardless of the existence of procedures and policies under |
18 | section 7. |
19 | * * * |
20 | Section 2. The act is amended by adding a section sections | <-- |
21 | to read: |
22 | Section 3.1. Investigation of breach involving a government | <-- |
23 | entity State agency. | <-- |
24 | (a) Investigation.--Upon receipt of notification under |
25 | section 3(a.1), the Office of Attorney General shall investigate |
26 | the breach. The investigation shall include a review of |
27 | procedures, a determination of the cause of the breach and |
28 | recommendations to the agency relating to prevention of similar |
29 | breaches in the future. |
30 | (b) Cost.--The cost of the investigation shall be paid by |
|
1 | the agency in which the breach occurred. |
2 | Section 3.2. Investigation of breach involving a county, school | <-- |
3 | district or municipality. |
4 | (a) Investigation.--Upon receipt of notification under |
5 | section 3(a.2), the district attorney shall investigate the |
6 | breach. The investigation shall include a review of procedures, |
7 | a determination of the cause of the breach and recommendations |
8 | to the county, school district or municipality relating to |
9 | prevention of similar breaches in the future. |
10 | (b) Cost.--The cost of the investigation under section |
11 | 3(a.2) shall be paid by the county, school district or |
12 | municipality where the breach occurred. |
13 | (c) Attorney General.--If the district attorney determines |
14 | that the breach of security of the system warrants an |
15 | investigation by the Office of Attorney General, the district |
16 | attorney may request that the Attorney General join or take over |
17 | the investigation. |
18 | Section 3.3. Individuals responsible for breach. |
19 | Notwithstanding any other provision of this act, if a breach |
20 | of security of the system was caused by an intentional act or |
21 | misuse of the system or intentional unauthorized access to the |
22 | system, an individual determined by a court to be responsible |
23 | for the breach may be ordered by the court to pay for the cost |
24 | of the investigation and the cost of repairing and restoring the |
25 | system. |
26 | Section 3. This act shall take effect in 60 days. |
|