
Code · BILL · 113th Congress · S. 1927 (Introduced in Senate) — To protect information relating to consumers, to require notice of security breaches, and for other purposes. · Sec. 3

Sec. 3. Protection of information and security breach notification



(a)
    (1) Each covered entity shall implement, maintain, and enforce reasonable policies and procedures to protect the confidentiality and security of, sensitive account information and sensitive personal information that is maintained or is being communicated by or on behalf of a covered entity from the unauthorized use of the information that is reasonably likely to result in substantial harm or inconvenience to the consumer to whom the information relates.
    (2) Any policy or procedure implemented or maintained under paragraph (1) shall be appropriate to—
        (A) the size and complexity of the covered entity;
        (B) the nature and scope of the activities of the covered entity; and
        (C) the sensitivity of the consumer information to be protected.

(b)
    (1) If a covered entity determines that a breach of data security has or may have occurred in relation to sensitive account information or sensitive personal information that is maintained or is being communicated by, or on behalf of, the covered entity, the covered entity shall conduct an investigation to—
        (A) assess the nature and scope of the breach;
        (B) identify any sensitive account information or sensitive personal information that may have been involved in the breach; and
        (C) determine if the sensitive account information or sensitive personal information is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers to whom the information relates.
    (2) In determining the likelihood of misuse of sensitive account information under paragraph (1)(C), a covered entity shall consider whether any neural network or security program has detected, or is likely to detect or prevent, fraudulent transactions resulting from the breach of security.

(c) If a covered entity determines under subsection (b)(1)(C) that sensitive account information or sensitive personal information involved in a breach of data security is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers to whom the information relates, the covered entity, or a third party acting on behalf of the covered entity, shall—
    (1) notify, in the following order—
        (A) the appropriate agency or authority identified in section 5;
        (B) an appropriate law enforcement agency;
        (C) any entity that owns, or is obligated on, a financial account to which the sensitive account information relates, if the breach involves a breach of sensitive account information;
        (D) each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, if the breach involves sensitive personal information relating to 5,000 or more consumers; and
        (E) all consumers to whom the sensitive account information or sensitive personal information relates; and
    (2) take reasonable measures to restore the security and confidentiality of the sensitive account information or sensitive personal information involved in the breach.

(d)
    (1) An entity shall be deemed to be in compliance with—
        (A) in the case of a financial institution—
            (i) subsection (a), and any regulations prescribed under subsection (a), if the financial institution maintains policies and procedures to protect the confidentiality and security of sensitive account information and sensitive personal information that are consistent with the policies and procedures of the financial institution that are designed to comply with the requirements of section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) and any regulations or guidance prescribed under that section that are applicable to the financial institution; and
            (ii) subsections (b) and (c), and any regulations prescribed under subsections (b) and (c), if the financial institution—
                (I) maintains policies and procedures to investigate and provide notice to consumers of breaches of data security that are consistent with the policies and procedures of the financial institution that are designed to comply with the investigation and notice requirements established by regulations or guidance under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) that are applicable to the financial institution; or
                (II) is an affiliate of a bank holding company that maintains policies and procedures to investigate and provide notice to consumers of breaches of data security that are consistent with the policies and procedures of a bank that is an affiliate of the financial institution, and the policies and procedures of the bank are designed to comply with the investigation and notice requirements established by any regulations or guidance under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) that are applicable to the bank; and
                (III) provides for notice to the entities described under subparagraphs (B), (C), and (D) of subsection (c)(1), if notice is provided to consumers pursuant to the policies and procedures of the financial institution described in subclause (I); and
        (B) subsections (a), (b), and (c), if the entity is a covered entity for purposes of the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), to the extent that the entity is in compliance with such regulations.
    (2) For purposes of this subsection, the terms bank holding company and bank shall have the same meaning given the terms under section 2 of the Bank Holding Company Act of 1956 (12 U.S.C. 1841).