
Code · BILL · 113th Congress · S. 1897 (Introduced in Senate) — To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance cri... · Sec. 202

Sec. 202. Requirements for a personal data privacy and security program


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a) A business entity subject to this subtitle shall comply with the following safeguards and any other administrative, technical, or physical safeguards identified by the Federal Trade Commission in a rulemaking process pursuant to section 553 of title 5, United States Code, for the protection of sensitive personally identifiable information:

  (1) A business entity shall implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities.

  (2) The personal data privacy and security program shall be designed to—
    (A) ensure the privacy, security, and confidentiality of sensitive personally identifying information;
    (B) protect against any anticipated vulnerabilities to the privacy, security, or integrity of sensitive personally identifying information; and
    (C) protect against unauthorized access to use of sensitive personally identifying information that could create a significant risk of harm or fraud to any individual.

  (3) A business entity shall—
    (A) identify reasonably foreseeable internal and external vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information or systems containing sensitive personally identifiable information;
    (B) assess the likelihood of and potential damage from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information;
    (C) assess the sufficiency of its policies, technologies, and safeguards in place to control and minimize risks from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information; and
    (D) assess the vulnerability of sensitive personally identifiable information during destruction and disposal of such information, including through the disposal or retirement of hardware.

  (4) Each business entity shall—
    (A) design its personal data privacy and security program to control the risks identified under paragraph (3);
    (B) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of the activities of the business entity that—
      (i) control access to systems and facilities containing sensitive personally identifiable information, including controls to authenticate and permit access only to authorized individuals;
      (ii) detect, record, and preserve information relevant to actual and attempted fraudulent, unlawful, or unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information, including by employees and other individuals otherwise authorized to have access;
      (iii) protect sensitive personally identifiable information during use, transmission, storage, and disposal by encryption, redaction, or access controls that are widely accepted as an effective industry practice or industry standard, or other reasonable means (including as directed for disposal of records under section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w) and the implementing regulations of such Act as set forth in section 682 of title 16, Code of Federal Regulations);
      (iv) ensure that sensitive personally identifiable information is properly destroyed and disposed of, including during the destruction of computers, diskettes, and other electronic media that contain sensitive personally identifiable information;
      (v) trace access to records containing sensitive personally identifiable information so that the business entity can determine who accessed or acquired such sensitive personally identifiable information pertaining to specific individuals; and
      (vi) ensure that no third party or customer of the business entity is authorized to access or acquire sensitive personally identifiable information without the business entity first performing sufficient due diligence to ascertain, with reasonable certainty, that such information is being sought for a valid legal purpose; and
    (C) establish a plan and procedures for minimizing the amount of sensitive personally identifiable information maintained by such business entity, which shall provide for the retention of sensitive personally identifiable information only as reasonably needed for the business purposes of such business entity or as necessary to comply with any legal obligation.

(b) Each business entity subject to this subtitle shall take steps to ensure employee training and supervision for implementation of the data security program of the business entity.

(c)
  (1) Each business entity subject to this subtitle shall take steps to ensure regular testing of key controls, systems, and procedures of the personal data privacy and security program to detect, prevent, and respond to attacks or intrusions, or other system failures.
  (2) The frequency and nature of the tests required under paragraph (1) shall be determined by the risk assessment of the business entity under subsection (a)(3).

(d) In the event a business entity subject to this subtitle engages a person or entity not subject to this subtitle (other than a service provider) to receive sensitive personally identifiable information in performing services or functions (other than the services or functions provided by a service provider) on behalf of and under the instruction of such business entity, such business entity shall—
  (1) exercise appropriate due diligence in selecting the person or entity for responsibilities related to sensitive personally identifiable information, and take reasonable steps to select and retain a person or entity that is capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and
  (2) require the person or entity by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing entities subject to section 201, this section, and subtitle B.

(e) Each business entity subject to this subtitle shall on a regular basis monitor, evaluate, and adjust, as appropriate, its data privacy and security program in light of any relevant changes in—
  (1) technology;
  (2) the sensitivity of personally identifiable information;
  (3) internal or external threats to personally identifiable information; and
  (4) the changing business arrangements of the business entity, such as—
    (A) mergers and acquisitions;
    (B) alliances and joint ventures;
    (C) outsourcing arrangements;
    (D) bankruptcy; and
    (E) changes to sensitive personally identifiable information systems.

(f) Not later than 1 year after the date of enactment of this Act, a business entity subject to the provisions of this subtitle shall implement a data privacy and security program pursuant to this subtitle.