Sec. 2. Requirements for information security
/bill/113/s/1976/is/section-2
(a) Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require each covered entity that owns or possesses data containing personal information, or contracts to have any third-party entity maintain such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration—

(A) the size of, and the nature, scope, and complexity of the activities engaged in by such covered entity;
(B) the current state of the art in administrative, technical, and physical safeguards for protecting such information;
(C) the cost of implementing the safeguards under subparagraph (B); and
(D) the impact on small businesses and nonprofits.

(b) The regulations shall require the policies and procedures to include the following:

(A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of personal information.
(B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
(C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in each system maintained by the covered entity that contains such personal information, which shall include regular monitoring for a breach of security of each such system.
(D) A process for taking preventive and corrective action to mitigate any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.
(E) A process for disposing of data in electronic form containing personal information by destroying, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable.
(F) A standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.

(c) A financial institution that is subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) and is in compliance with information security requirements under that Act shall be deemed in compliance with this section.

(d) A person who is subject to, and in compliance with, the information security requirements of section 13401 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931) or of section 1173(d) of title XI, part C of the Social Security Act (42 U.S.C. 1320d–2(d)) shall be deemed in compliance with this section with respect to any data governed by section 13401 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931) or by the Health Insurance Portability and Accountability Act of 1996 Security Rule (45 C.F.R. 160.103 and Part 164).
Nothing in this section shall apply to a service provider for any electronic communication by a third party to the extent that the service provider is engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication.