Sec. 211. Notice to individuals
/bill/113/s/1897/is/section-211
Except as provided in section 212, any agency, or business entity engaged in interstate commerce, other than a service provider, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information shall, following the discovery of a security breach of such information, notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.

Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the agency or business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information.

Nothing in this subtitle shall prevent or abrogate an agreement between an agency or business entity required to give notice under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a).

A business entity obligated to give notice under subsection (a) shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security breach, or other designated third party, provides such notification.

If a service provider becomes aware of a security breach of data in electronic form containing sensitive personal information that is owned or possessed by another business entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall be required to notify the business entity who initiated such connection, transmission, routing, or storage of the security breach if the business entity can be reasonably identified. Upon receiving such notification from a service provider, the business entity shall be required to provide the notification required under subsection (a).

All notifications required under this section shall be made without unreasonable delay following the discovery by the agency or business entity of a security breach.

Reasonable delay under this subsection may include any time necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment described in section 202(a)(3), and restore the reasonable integrity of the data system and provide notice to law enforcement when required.

Except as provided in subsection (d), delay of notification shall not exceed 60 days following the discovery of the security breach, unless the business entity or agency requests an extension of time and the Federal Trade Commission determines in writing that additional time is reasonably necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment, restore the reasonable integrity of the data system, or to provide notice to the designated entity. If the Federal Trade Commission approves the request for delay, the agency or business entity may delay the time period for notification for additional periods of up to 30 days.

The agency, business entity, owner, or licensee required to provide notice under this subtitle shall, upon the request of the Attorney General or the Federal Trade Commission provide records or other evidence of the notifications required under this subtitle, including to the extent applicable, the reasons for any delay of notification.

If the United States Secret Service or the Federal Bureau of Investigation determines that the notification required under this section would impede a criminal investigation, or national security activity, such notification shall be delayed upon written notice from the United States Secret Service or the Federal Bureau of Investigation to the agency or business entity that experienced the breach. The notification from the United States Secret Service or the Federal Bureau of Investigation shall specify in writing the period of delay requested for law enforcement or national security purposes.

If the notification required under subsection (a) is delayed pursuant to paragraph (1), an agency or business entity shall give notice 30 days after the day such law enforcement or national security delay was invoked unless a Federal law enforcement or intelligence agency provides written notification that further delay is necessary.

No non-constitutional cause of action shall lie in any court against any agency for acts relating to the delay of notification for law enforcement or national security purposes under this subtitle.

Notwithstanding any other obligation under this subtitle, this subtitle does not apply to the following:

Financial institutions— subject to the data security requirements and standards under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)); and subject to the jurisdiction of an agency or authority described in section 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)).

Covered entities subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), including the data security requirements and implementing regulations of that Act.

A business entity shall be deemed in compliance with this Act if the business entity— is acting as a covered entity and as a business associate, as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.) and is in compliance with the requirements imposed under that Act and implementing regulations promulgated under that Act; and is subject to, and currently in compliance, with the data breach notification, privacy and data security requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act (42 U.S.C. 17932) and implementing regulations promulgated thereunder; or is acting as a vendor of personal health records and third party service provider, subject to the Health Information Technology for Economic and Clinical Health (HITECH) Act (42 U.S.C. 17937), including the data breach notification requirements and implementing regulations of that Act.