Current through Pa Acts 2024-53, 2024-56 through 2024-111
Section 2303 - Notification of the breach of the security of the system

(a) General rule.--An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following determination of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Except as provided in section 4 or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.

(a.1) Notification by State agency or State agency contractor.--

(1) If a State agency determines that it is the subject of a breach of the security of the system affecting personal information maintained by the State agency or State agency contractor, the State agency shall provide notice of the breach of the security of the system required under subsection (a) within seven business days following determination of the breach of the security of the system. Notification shall be provided concurrently to the Office of Attorney General.

(2) A State agency contractor shall, upon discovery of the breach of the security of the system, notify the chief information security officer, or a designee, of the State agency affected by the State agency contractor's breach of the security of the system as soon as reasonably practical, but no later than the time period specified in the applicable terms of the contract between the State agency contractor and the State agency of the breach of the security of the system.

(3) A State agency under the Governor's jurisdiction shall also provide notice of a breach of the security of the system to the Governor's Office of Administration within three business days following the determination of the breach of the security of the system. Notification shall occur notwithstanding the existence of procedures and policies under section 7.

(4) A State agency that, after the effective date of this section, enters into a contract which involves the use of personal information with a State agency contractor shall ensure that the contract includes provisions relating to the State agency contractor's compliance with this act.

(a.2) Notification by county, public school or municipality.--If a county, public school or municipality is the subject of a breach of the security of the system, the county, public school or municipality shall provide notice of the breach of the security of the system required under subsection (a) within seven business days following determination of the breach of the security of the system. Notification shall be provided to the district attorney in the county where the breach of the security of the system occurred within three business days following determination of the breach of the security of the system. Notification shall occur notwithstanding the existence of procedures and policies under section 7.

(a.3) Electronic notification.--In the case of a breach of the security of the system involving personal information for a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, the entity, to the extent that it has sufficient contact information for the person, may comply with this section by providing the breach of the security of the system notification in electronic or other form that directs the person whose personal information has been materially compromised by the breach of the security of the system to promptly change the person's password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the entity and other online accounts for which the person whose personal information has been materially compromised by the breach of the security of the system uses the same user name or e-mail address and password or security question or answer.

(a.4) Affected individuals.--In the case of a breach of the security of the system involving personal information of an individual's user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, the State agency contractor may comply with this section by providing a list of affected residents of this Commonwealth and their valid e-mail addresses, if known, to the State agency subject of the breach of the security of the system.

(b) Encrypted information.--An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.

(c) Vendor notification.--A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security of the system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this act.

(c.1) Notice to Attorney General.--When notice of the breach of the security of the system under this section must be given to more than 500 affected individuals in this Commonwealth, notice shall be made concurrently to the Office of Attorney General. Notice to the Attorney General shall include the following information to the extent known by the notifying entity:

(1) The organization name and location.

(2) The date of the breach of the security of the system.

(3) A summary of the breach incident of the security of the system.

(4) An estimated total number of individuals affected by the breach of the security of the system.

(5) An estimated total number of individuals in this Commonwealth affected by the breach of the security of the system.

(c.2) Exemption.--An entity subject to the requirements of 40 Pa.C.S. ch. 45 (relating to insurance data security) shall be exempt from the notice requirements under subsection (c.1).

(d) Definitions.--As used in this section, the term "public school" means any school district, intermediate unit, charter school, cyber charter school or area career and technical school.

Amended by P.L. (number not assigned at time of publication) 2024 No. 33, § 1.1, eff. 9/26/2024.
Amended by P.L. TBD 2022 No. 151, § 3, eff. 5/2/2023.
2005, Dec. 22, P.L. 474, No. 94, § 3, effective in 180 days [6/20/2006].