Sec. 4. Implementing regulations
/bill/113/s/1927/is/section-4
Notwithstanding any other provision of law, and except as provided in section 6, the agencies and authorities identified in section 5, with respect to the covered entities that are subject to the respective enforcement authority of the agencies and authorities, shall prescribe regulations to implement this Act.

Each agency and authority required to prescribe regulations under subsection (a) shall consult and coordinate with each other agency and authority identified in section 5 so that, to the extent possible, the regulations prescribed by each agency and authority are consistent and comparable.

The regulations required under subsection (a) shall— prescribe the methods by which a covered entity shall notify a consumer of a breach of data security under section 3; and allow a covered entity to provide the notice by— written, telephonic, or e-mail notification; or substitute notification, if providing written, telephonic, or e-mail notification is not feasible due to— lack of sufficient contact information for the consumers that must be notified; or excessive cost to the covered entity.

The regulations required under subsection (a) shall— prescribe the content that shall be included in a notice of a breach of data security that is required to be provided to consumers under section 3; and require the notice to include— a description of the type of sensitive account information or sensitive personal information involved in the breach of data security; a general description of the actions taken by the covered entity to restore the security and confidentiality of the sensitive account information or sensitive personal information involved in the breach of data security; and the summary of rights of victims of identity theft prepared by the Commission under section 609(d) of the Fair Credit Reporting Act (15 U.S.C. 1681g(d)), if the breach of data security involves sensitive personal information.

The regulations required under subsection (a) shall establish standards for when a covered entity shall provide any notice required under section 3.

The regulations required under subsection (a) shall allow a covered entity to delay providing notice of a breach of data security to consumers under section 3 if a law enforcement agency requests such a delay in writing.

The regulations required under subsection (a) shall— require any party that maintains or communicates sensitive account information or sensitive personal information on behalf of a covered entity to provide notice to that covered entity if the party determines that a breach of data security has, or may have, occurred with respect to the sensitive account information or sensitive personal information; and ensure that there is only 1 notification responsibility with respect to a breach of data security.

The regulations required under subsection (a) shall— be issued in final form not later than 6 months after the date of enactment of this Act; and take effect not later than 6 months after the date on which they are issued in final form.