
Code · BILL · 113th Congress · S. 1995 (Introduced in Senate) — To protect consumers by mitigating the vulnerability of personally identifiable information to theft through a securi... · Sec. 212

Sec. 212. Exemptions from notice to individuals



Section 211 shall not apply to an agency or business entity if—
    the United States Secret Service or the Federal Bureau of Investigation determines that notification of the security breach could be expected to reveal sensitive sources and methods or similarly impede the ability of the Government to conduct law enforcement investigations; or
    the Federal Bureau of Investigation determines that notification of the security breach could be expected to cause damage to national security.

No non-constitutional cause of action shall lie in any court against any Federal agency for acts relating to the exemption from notification under this subtitle.

An agency or business entity shall be exempt from the notice requirements under section 211, if—
    a risk assessment conducted by the agency or business entity, in consultation with the Federal Trade Commission, concludes that there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach; and
    the Federal Trade Commission or designated entity does not indicate within 7 business days from the receipt of written notification from an agency or business entity pursuant to subsection 212(b)(2), that the agency or business entity should not be exempt from the notice requirements of section 211.

Upon discovery of a security breach of an agency or business entity, the agency or business entity shall conduct a risk assessment to determine if there is a significant risk that the security breach resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.

It is presumed that there is no significant risk that the security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable data was subject to the security breach, if the sensitive personally identifiable information has been rendered unusable, unreadable, or indecipherable through a security technology or methodology (if the technology or methodology is generally accepted by experts in the information security field). Any such presumption may be rebutted by facts demonstrating that the security technologies or methodologies in a specific case have been or are reasonably likely to be compromised.

It is presumed that there is a significant risk that the security breach has resulted in, or will result in, harm to individuals whose sensitive personally identifiable information was subject to the security breach if the agency or business entity failed to render such sensitive personally identifiable information indecipherable through a security technology or methodology (if the technology or methodology is generally accepted by experts in the information security field).

Not later than 1 year after the date of the enactment of this Act, and biannually thereafter, the Federal Trade Commission, after consultation with the National Institute of Standards and Technology, shall issue rules (pursuant to section 553 of title 5, United States Code) or guidance to identify security methodologies or technologies, such as encryption, which render sensitive personally identifiable information unusable, unreadable, or indecipherable, that shall, if applied to such sensitive personally identifiable information, establish a presumption that no significant risk of harm exists to individuals whose sensitive personally identifiable information was subject to a security breach. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology in a specific case has been or is reasonably likely to be compromised.

In issuing rules or guidance under subclause (II), the Commission shall also consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.

Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission, after consultation with the National Institute of Standards and Technology, shall issue guidance regarding the application of the exemption in clause (i).

Without unreasonable delay, but not later than 7 days after the discovery of a security breach, unless extended by the United States Secret Service or the Federal Bureau of Investigation, the agency or business entity must notify the Federal Trade Commission and designated entity, in writing, of—
    the results of the risk assessment; and
    its decision to invoke the risk assessment exemption.

It shall be a violation of this section to—
    fail to conduct a risk assessment in a reasonable manner, or according to standards generally accepted by experts in the field of information security; or
    submit results of a risk assessment that—
        conceal violations of law, inefficiency, or administrative error;
        prevent embarrassment to a business entity, organization, or agency;
        restrain competition;
        contain fraudulent or deliberately misleading information; or
        delay notification under section 211 for any other reason, except where the agency or business entity reasonably believes that the risk assessment exception may apply.

A business entity shall be exempt from the notice requirements of this subtitle if the business entity utilizes or participates in a security program that—
    effectively blocks the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and
    provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions.

Paragraph (1) shall not apply to a business entity if the information subject to the security breach includes an individual's first and last name, or any other type of sensitive personally identifiable information, other than a credit card or credit card security code identified in section 3, unless that information is only a credit card number or a credit card security code.

Notwithstanding any other obligation under this subtitle, this subtitle does not apply to the following—
    A financial institution subject to the data security requirements and standards under 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), and subject to the jurisdiction of an agency or authority described in section 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)), if the Federal functional regulator (as defined by section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)) with jurisdiction over that financial institution has issued a regulation under title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) that requires financial institutions within its jurisdiction to provide notification to individuals following a breach of security.

A business entity shall be exempt from the notice requirement under section 211 if the business entity is one of the following:
    A business entity subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), including the data breach notification requirements and implementing regulations of that Act.
    A business entity that—
        is acting as a business associate, as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.) and is in compliance with the requirements imposed under that Act and implementing regulations promulgated under that Act; and
        is subject to, and currently in compliance with, the data breach notification requirements under section 13402 or 13407 of the American Reinvestment and Recovery Act of 2009 (42 U.S.C. 17932 and 17937) and implementing regulations promulgated under such sections.

Paragraph (1) shall not apply to a business entity if the information subject to the security breach includes an individual's first and last name, or any other type of sensitive personally identifiable information other than a health insurance policy or subscriber identification number or information regarding an individual's medical history, mental or physical medical condition, or medical treatment or diagnosis by a health care professional as identified in section 3, unless that information is only a health insurance policy or subscriber identification number or information regarding an individual's medical history, mental or physical medical condition, or medical treatment or diagnosis by a health care professional.