Pennsylvania Senate OKs Bill Specifying Breach Reporting Deadline for Agencies

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Lorraine McCarthy


PHILADELPHIA--State and local government agencies in Pennsylvania would be required to notify members of the public of data breaches involving their personal information within seven days after the breach is discovered under legislation (S.B. 114) that received unanimous approval in the Pennsylvania Senate May 1.

Within three business days after learning of a data security breach, state agencies would have to notify the Office of Attorney General. Counties, school districts, and municipalities would be required to alert the district attorney in the county in which the breach occurred.

Current law requires government agencies to provide notice to the public and law enforcement “without unreasonable delay.’’

“There's no good reason to delay public notification after a data breach,’’ state Senate Majority Leader Dominic Pileggi (R), who sponsored the bill, said in a May 1 statement. “Potentially affected residents should know what happened as soon as possible when personal information is stolen so they can take steps to protect themselves from identity theft.’’

Pileggi said he drafted the measure in response to what he considered to be unreasonable delays in the reporting of thefts of state-owned computers containing personal information in recent years.

In two cases involving the Pennsylvania Department of Public Welfare, the public was not notified until three weeks after the thefts, Pileggi said. In the third case, the Department of Aging took two weeks to notify the public.

The measure would also require the Office of Administration to develop and implement a policy to govern the proper storage of data that include personally identifiable information. The policy would have to take into account best practices from other states, with the goal of reducing the risk of any future data breaches.

The bill will be considered next by the state House of Representatives.


S.B. 114, as amended by the Senate, is available at