73 Pa. Stat. § 2301 et seq.
S.B. 712 (signed into law Dec. 22, 2005, Act No. 94)
Effective June 20, 2006
Application. Any state agency, political subdivision, or an individual or a business (collectively, Entity) doing business in PA that maintains, stores or manages computerized data that includes PI of PA residents.
Security Breach Definition. Unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of PI maintained by the Entity as part of a database of PI regarding multiple individuals and that causes or the Entity reasonably believes has caused or will cause loss or injury to any resident of PA.
Notification Obligation. Any Entity to which the statute applies shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the Entity, is in PA and whose unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person.
- Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system if the PI is not used for a purpose other than the lawful purpose of the Entity and is not subject to further unauthorized disclosure.
- An Entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption, or if the security breach involves a person with access to the encryption key.
Third-Party Data Notification. An Entity that maintains, stores or manages computerized data on behalf of another Entity shall provide notice of any breach of the security system following discovery to the Entity on whose behalf it maintains, stores or manages the data.
- The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining PI, whether or not the Entity conducts business in PA.
Notification to Consumer Reporting Agencies. When an Entity provides notification under this act to more than 1,000 persons at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and number of notices.
Timing of Notification. Except in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay.
Personal Information Definition. An individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
- Social Security Number;
- Driver license number or state identification card number issued in lieu of a driver license; or
- Account number or credit card number or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice Required. Notice may be provided by any of the following methods:
- Written notice to the last known home address for the individual;
- Telephonic notice, if the customer can be reasonably expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies PI but does not require the customer to provide PI, and the customer is provided with a telephone number to call or Internet Web site to visit for further information or assistance; or
- Email notice, if a prior business relationship exists and the Entity has a valid email address for the individual.
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $100,000, the affected class of subject persons to be notified exceeds 175,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
- Email notice when the Entity has an email address for the subject persons;
- Conspicuous posting of the notice on the Entity's Web site if the Entity maintains one; and
- Notification to major statewide media.
Exception: Own Notification Policy. An Entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of PI that is consistent with the notice requirements of this act shall be deemed to be in compliance with the notification requirements of this act if it notifies subject persons in accordance with its policies in the event of a breach of security.
Exception: Compliance with Other Laws
- Compliance with Primary Regulator. An Entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the Entity's primary or functional federal regulator shall be in compliance with this act.
- Federal Interagency Guidance. A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this act.
Other Key Provisions:
- Delay for Law Enforcement. Required notification may be delayed if a law enforcement agency determines and advises the Entity in writing, specifically referencing the statute, that the notification will impede a criminal or civil investigation. The required notification shall be made after the law enforcement agency determines that it will not compromise the investigation or national or homeland security.
- AG Enforcement. The AG shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of the statute.