73 Pa. Stat. § 2302

Current through Pa Acts 2024-53, 2024-56 through 2024-92
Section 2302 - Definitions

The following words and phrases when used in this act shall have the meanings given to them in this section unless the context clearly indicates otherwise:

"Breach of the security of the system." The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.

"Business." A sole proprietorship, partnership, corporation, association or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered or holding a license or authorization certificate under the laws of this Commonwealth, any other state, the United States or any other country, or the parent or the subsidiary of a financial institution. The term includes an entity that destroys records.

"Determination." A verification or reasonable certainty that a breach of the security of the system has occurred.

"Discovery." The knowledge of or reasonable suspicion that a breach of the security of the system has occurred.

"Encryption." The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

"Entity." A State agency, a political subdivision of the Commonwealth or an individual or a business doing business in this Commonwealth.

"Health insurance information." An individual's health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual's health insurance benefits.

"Individual." A natural person.

"Medical information." Any individually identifiable information contained in the individual's current or historical record of medical history or medical treatment or diagnosis created by a health care professional.

"Notice." May be provided by any of the following methods of notification:

(1) Written notice to the last known home address for the individual.
(2) Telephonic notice, if the individual can be reasonably expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies personal information but does not require the individual to provide personal information and the individual is provided with a telephone number to call or internet website to visit for further information or assistance.
(3) E-mail notice, if a prior business relationship exists and the person or entity has a valid e-mail address for the individual.
(3.1) Electronic notice, if the notice directs the person whose personal information has been materially compromised by a breach of the security of the system to promptly change the person's password and security question or answer, as applicable or to take other steps appropriate to protect the person's online account to the extent the entity has sufficient contact information for the person.
(4)
(i) Substitute notice, if the entity demonstrates one of the following:
(A) The cost of providing notice would exceed $100,000.
(B) The affected class of subject persons to be notified exceeds 175,000.
(C) The entity does not have sufficient contact information.
(ii) Substitute notice shall consist of all of the following:
(A) E-mail notice when the entity has an e-mail address for the subject persons.
(B) Conspicuous posting of the notice on the entity's Internet website if the entity maintains one.
(C) Notification to major Statewide media.

"Personal information."

(1) An individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
(i) Social Security number.
(ii) Driver's license number or a State identification card number issued in lieu of a driver's license.
(iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
(iv) Medical information in the possession of a State agency or State agency contractor.
(v) Health insurance information.
(vi) A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
(2) The term does not include publicly available information that is lawfully made available to the general public from Federal, State or local government records or widely distributed media.

"Records." Any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed or electromagnetically transmitted. The term does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address or telephone number.

"Redact." The term includes, but is not limited to, alteration or truncation such that no more than the last four digits of a Social Security number, driver's license number, State identification card number or account number is accessible as part of the data.

"State agency." Any agency, board, commission, authority or department of the Commonwealth and the General Assembly.

"State agency contractor." A person, business, subcontractor or third party subcontractor that has a contract with a State agency for goods or services that requires access to personal information for the fulfillment of the contract.

73 P.S. § 2302

Amended by P.L. (number not assigned at time of publication) 2024 No. 33,§ 1, eff. 9/26/2024.
Amended by P.L. TBD 2022 No. 151, § 2, eff. 5/2/2023.
2005 , Dec. 22, P.L. 474, No. 94, § 2, effective in 180 days [ 6/20/2006].