Sec. 212. Exemptions
S. 1897 (113th Congress), as introduced, section 212. Research copy; for the controlling text, always check the official state or federal source. Not legal advice.
(a) Exemption for national security and law enforcement.

  (1) In general. Section 211 shall not apply to an agency or business entity if—
    (A) the United States Secret Service or the Federal Bureau of Investigation determines that notification of the security breach could be expected to reveal sensitive sources and methods or similarly impede the ability of the Government to conduct law enforcement investigations; or
    (B) the Federal Bureau of Investigation determines that notification of the security breach could be expected to cause damage to the national security.

  (2) Immunity. No non-constitutional cause of action shall lie in any court against any Federal agency for acts relating to the exemption from notification for law enforcement or national security purposes under this title.

(b) Safe harbor.

  (1) In general. An agency or business entity shall be exempt from the notice requirements under section 211, if—
    (A) a risk assessment conducted by the agency or business entity concludes that, based upon the information available, there is no significant risk that a security breach has resulted in, or will result in, identity theft, economic loss or harm, or physical harm to the individuals whose sensitive personally identifiable information was subject to the security breach;
    (B) without unreasonable delay, but not later than 45 days after the discovery of a security breach, unless extended by the Federal Trade Commission, the agency or business entity notifies the Federal Trade Commission, in writing, of—
      (i) the results of the risk assessment; and
      (ii) its decision to invoke the risk assessment exemption; and
    (C) the Federal Trade Commission does not indicate, in writing, within 10 business days from receipt of the decision, that notice should be given.

  (2) Presumptions. For purposes of paragraph (1)—
    (A) the encryption of sensitive personally identifiable information described in paragraph (1)(A)(i) shall establish a rebuttable presumption that no significant risk exists; and
    (B) the rendering of sensitive personally identifiable information described in paragraph (1)(A)(ii) unusable, unreadable, or indecipherable through data security technology or methodology that is generally accepted by experts in the field of information security, such as redaction or access controls, shall establish a rebuttable presumption that no significant risk exists.

  (3) Violation. It shall be a violation of this section to—
    (A) fail to conduct the risk assessment in a reasonable manner, or according to standards generally accepted by experts in the field of information security; or
    (B) submit the results of a risk assessment that contains fraudulent or deliberately misleading information.

(c) Financial fraud prevention exemption.

  (1) In general. A business entity will be exempt from the notice requirement under section 211 if the business entity utilizes or participates in a security program that—
    (A) effectively blocks the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and
    (B) provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions.

  (2) Limitation. The exemption in paragraph (1) does not apply if the information subject to the security breach includes an individual's first and last name, or any other type of sensitive personally identifiable information as defined in section 3, unless that information is only a credit card number or credit card security code.