Sec. 201. Purpose and applicability of data privacy and security program
Source: S. 1897 (113th Congress), section 201.
The purpose of this subtitle is to ensure standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personally identifiable information. A business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons is subject to the requirements for a data privacy and security program under section 202 for protecting sensitive personally identifiable information.
Notwithstanding any other obligation under this subtitle, this subtitle does not apply to the following:

    Financial institutions—
        subject to the data security requirements and standards under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)); and
        subject to the jurisdiction of an agency or authority described in section 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)).

    Covered entities subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), including the data security requirements and implementing regulations of that Act. A business entity shall be deemed in compliance with this Act if the business entity—
        is acting as a business associate, as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), and is in compliance with the requirements imposed under that Act and implementing regulations promulgated under that Act; and
        is subject to, and currently in compliance with, the privacy and data security requirements under sections 13401 and 13404 of division A of the American Reinvestment and Recovery Act of 2009 (42 U.S.C. 17931 and 17934) and implementing regulations promulgated under such sections.

    A service provider for any electronic communication by a third party, to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication.

    Public records not otherwise subject to a confidentiality or nondisclosure requirement, or information obtained from a public record, including information obtained from a news report or periodical.

A business entity shall be deemed in compliance with the privacy and security program requirements under section 202 if the business entity complies with, or provides protection equal to, industry standards or standards widely accepted as an effective industry practice, as identified by the Federal Trade Commission, that are applicable to the type of sensitive personally identifiable information involved in the ordinary course of business of such business entity.
Nothing in this subsection shall be construed to permit, and nothing does permit, the Federal Trade Commission to issue regulations requiring, or according greater legal status to, the implementation of or application of a specific technology or technological specifications for meeting the requirements of this title.