
Code · BILL · 113th Congress · H.R. 1468 (Introduced in House) — To improve information security, and for other purposes. · Sec. 502

Sec. 502. Notification of information security breach

/bill/113/hr/1468/ih/section-502

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A covered entity that owns or licenses data in electronic form containing personal information shall give notice of any breach of the security of the system following discovery by the covered entity of the breach of the security of the system to each individual who is a citizen or resident of the United States whose personal information was or that the covered entity reasonably believes to have been accessed and acquired by an unauthorized person and that the covered entity reasonably believes has caused or will cause identity theft or other financial harm.

A covered entity shall notify the Secret Service or the Federal Bureau of Investigation of the fact that a breach of security has occurred if the number of individuals whose personal information the covered entity reasonably believes to have been accessed and acquired by an unauthorized person exceeds 10,000.

In the event of a breach of security of a system maintained by a third-party entity that has been contracted to maintain, store, or process data in electronic form containing personal information on behalf of a covered entity who owns or possesses such data, such third-party entity shall notify such covered entity of the breach of security. Upon receiving notification from a third party under subparagraph (A), a covered entity shall provide notification as required under subsection (a). A service provider shall not be considered a third-party agent for purposes of this paragraph.

If a service provider becomes aware of a breach of security involving data in electronic form containing personal information that is owned or possessed by a covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, such service provider shall notify the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified. Upon receiving notification from a service provider under subparagraph (A), a covered entity shall provide notification as required under subsection (a).

Unless subject to a delay authorized under paragraph (2), a notification required under subsection (a) with respect to a security breach shall be made as expeditiously as practicable and without unreasonable delay, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the data system that was breached.

If a Federal law enforcement agency determines that the notification required under subsection (a) would impede a civil or criminal investigation, such notification shall be delayed upon the written request of the law enforcement agency for any period which the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period set forth in the original request made under this subparagraph by a subsequent request if further delay is necessary.

If a Federal national security agency or homeland security agency determines that the notification required under this section would threaten national or homeland security, such notification may be delayed upon the written request of the national security agency or homeland security agency for any period which the national security agency or homeland security agency determines is reasonably necessary. A Federal national security agency or homeland security agency may revoke such delay or extend the period set forth in the original request made under this subparagraph by a subsequent written request if further delay is necessary.

A covered entity required to provide notification to an individual under subsection (a) shall be in compliance with such requirement if the covered entity provides such notice by one of the following methods:
    Written notification, sent to the postal address of the individual in the records of the covered entity.
    Telephone.
    Email or other electronic means.

Regardless of the method by which notification is provided to an individual under subparagraph (A) with respect to a security breach, such notification, to the extent practicable, shall include—
    the date, estimated date, or estimated date range of the breach of security;
    a description of the personal information that was accessed and acquired, or reasonably believed to have been accessed and acquired, by an unauthorized person as a part of the security breach; and
    information that the individual can use to contact the covered entity to inquire about—
        the breach of security; or
        the information the covered entity maintained about that individual.

A covered entity required to provide notification to an individual under subsection (a) may provide substitute notification in lieu of the direct notification required by paragraph (1) if such direct notification is not feasible due to—
    excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity; or
    lack of sufficient contact information for the individual required to be notified.

Such substitute notification shall include at least one of the following:
    A conspicuous notice on the Internet website of the covered entity (if such covered entity maintains such a website).
    Notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.

Except as provided in section 503(b), a covered entity who is in compliance with any other Federal law that requires such covered entity to provide notification to individuals following a breach of security shall be deemed to be in compliance with this section.