Sec. 3. Federal data breach response guidelines
/bill/113/s/2521/is/section-3
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Subchapter II of chapter 35 of title 44, United States Code, as added by this Act, is amended by adding at the end the following: The Director, in consultation with the Secretary, shall establish and oversee policies and procedures for agencies to follow in the event of a breach of information security involving the disclosure of personally identifiable information, including requirements for— timely notice to affected individuals based on a determination of the level of risk and consistent with law enforcement and national security considerations; timely reporting to the Federal information security incident center established under section 3556 or other Federal cybersecurity center, as designated by the Director; timely notice to committees of Congress with jurisdiction over cybersecurity; and such additional actions as the Director may determine necessary and appropriate, including the provision of risk mitigation measures to affected individuals.
In carrying out subsection (a), the Director shall consider recommendations made by the Government Accountability Office, including recommendations in the December 2013 Government Accountability Office report entitled Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent (GAO–14–34). The head of each agency shall ensure that actions taken in response to a breach of information security involving the disclosure of personally identifiable information under the authority or control of the agency comply with policies and procedures established under subsection (a).
Except as provided in paragraph (2), the policies and procedures established under subsection (a) shall require that the notice to affected individuals required under subsection (a)(1) be made without unreasonable delay and with consideration of the likely risk of harm and the level of impact, but not later than 60 days after the date on which the head of an agency discovers the breach of information security involving the disclosure of personally identifiable information. The Attorney General, the head of an element of the intelligence community (as such term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4))), or the Secretary may delay the notice to affected individuals under subsection (a)(1) for not more than 180 days, if the notice would disrupt a law enforcement investigation, endanger national security, or hamper security remediation actions from the breach of information security involving the disclosure of personally identifiable information.
The table of sections for subchapter II for chapter 35 of title 44, United States Code, as added by this Act, is amended by inserting after the item relating to section 3558 the following: 3559. Privacy breach requirements.