On Feb. 19, a bill was introduced in the Pennsylvania Senate proposing to amend the Pennsylvania Breach of Personal Information Notification Act to add new breach notification requirements for state agencies and political subdivisions of the commonwealth.

Enacted in 2005, the act (73 P.S. Section 2301 et seq.) applies to commonwealth agencies; political subdivisions, which include counties, cities, boroughs, incorporated towns, townships and school districts; and persons doing business in Pennsylvania, including nonprofit organizations and financial institutions (collectively, entities). Under the act, an entity must notify Pennsylvania residents whose unencrypted and unredacted personal information stored on a computerized system was, or was reasonably believed to have been, accessed and acquired by an unauthorized person. The act requires that residents be notified of a data breach “without unreasonable delay.”