Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 113th Congress · S. 1995 (Introduced in Senate) — To protect consumers by mitigating the vulnerability of personally identifiable information to theft through a securi... · Sec. 211

Sec. 211. Notice to individuals

656 words·~3 min read·/bill/113/s/1995/is/section-211

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Except as provided in section 212, any agency, or business entity engaged in interstate commerce other than a service provider, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information that experiences a security breach of such information, shall, following the discovery of such security breach of such information, notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.
Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the agency or business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information. Nothing in this subtitle shall prevent or abrogate an agreement between an agency or business entity required to give notice under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a).
A business entity obligated to give notice under subsection
(a)shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security breach, or other designated third party, provides such notification. If a service provider becomes aware of a security breach containing sensitive personally identifiable information that is owned or possessed by another business entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall be required to notify the business entity who initiated such connection, transmission, routing, or storage of the security breach if the business entity can be reasonably identified. Upon receiving such notification from a service provider, the business entity shall be required to provide the notification required under subsection (a). All notifications required under this section shall be made without unreasonable delay following the discovery by the agency or business entity of a security breach. Reasonable delay under this subsection may include any time necessary to determine the scope of the security breach, conduct the risk assessment described in section 212(b)(1), and provide notice to law enforcement when required. The agency, business entity, owner, or licensee required to provide notice under this subtitle shall, upon the request of the Attorney General, the Federal Trade Commission, or the attorney general of a State or any State or local law enforcement agency authorized by the attorney general of the State or by State statute to prosecute violations of consumer protection law, provide records or other evidence of the notifications required under this subtitle, including to the extent applicable, the reasons for any delay of notification. If a Federal law enforcement agency or member of the intelligence community determines that the notification required under this section would impede any lawfully authorized criminal investigation or authorized investigative, protective, or intelligence activities that are carried out by or on behalf of any element of the intelligence community and conducted in accordance with the United States laws, authorities, and regulations governing such intelligence activities, such notification shall be delayed upon written notice from such Federal law enforcement agency or member of the intelligence community to the agency or business entity that experienced the breach. The notification shall specify in writing the period of delay required. If the notification required under subsection
(a)is delayed pursuant to paragraph (1), an agency or business entity shall give notice 30 days after the day such law enforcement delay was invoked unless a Federal law enforcement or member of the intelligence community provides written notification that further delay is necessary. No non-constitutional cause of action shall lie in any court against an agency for acts relating to the delay of notification for law enforcement or intelligence purposes under this subtitle.
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.