
114th Congress · H.R. 2205 (Introduced in House) — To protect financial information relating to consumers, to require notice of security breaches, and for other purposes.

Sec. 4. Protection of information and security breach notification


(a) Protection of information.

  (1) Each covered entity shall develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards that are reasonably designed to achieve the objectives in paragraph (2).

  (2) The objectives of this subsection are to—
    (A) ensure the security and confidentiality of sensitive financial account information and sensitive personal information;
    (B) protect against any anticipated threats or hazards to the security or integrity of such information; and
    (C) protect against unauthorized acquisition of such information that could result in substantial harm to the individuals to whom such information relates.

  (3) A covered entity’s information security program under paragraph (1) shall be appropriate to—
    (A) the size and complexity of the covered entity;
    (B) the nature and scope of the activities of the covered entity; and
    (C) the sensitivity of the consumer information to be protected.

  (4) In order to develop, implement, maintain, and enforce its information security program, a covered entity shall—
    (A) designate an employee or employees to coordinate the information security program;
    (B) identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of sensitive financial account information and sensitive personal information and assess the sufficiency of any safeguards in place to control these risks, including consideration of risks in each relevant area of the covered entity’s operations, including—
      (i) employee training and management;
      (ii) information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
      (iii) detecting, preventing, and responding to attacks, intrusions, or other systems failures;
    (C) design and implement information safeguards to control the risks identified in its risk assessment, and regularly assess the effectiveness of the safeguards’ key controls, systems, and procedures;
    (D) oversee third-party service providers by—
      (i) taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate safeguards for the sensitive financial account information or sensitive personal information at issue;
      (ii) requiring third-party service providers by contract to implement and maintain such safeguards; and
      (iii) reasonably oversee or obtain an assessment of the third-party service provider’s compliance with contractual obligations, where appropriate in light of the covered entity’s risk assessment; and
    (E) evaluate and adjust the information security program in light of the results of the risk assessments and testing and monitoring required by subparagraphs (C) and (D) and any material changes to the covered entity’s operations or business arrangements, or any other circumstances that the covered entity knows or has reason to know may have a material impact on its information security program.

  (5) Each covered entity shall—
    (A) consider whether the following security measures are appropriate for the covered entity and, if so, adopt those measures that the covered entity concludes are appropriate—
      (i) access controls on information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing sensitive financial account information or sensitive personal information to unauthorized individuals who may seek to obtain this information through fraudulent means;
      (ii) access restrictions at physical locations containing sensitive financial account information or sensitive personal information, such as buildings, computer facilities, and records storage facilities, to permit access only to authorized individuals;
      (iii) encryption of electronic sensitive financial account information or sensitive personal information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
      (iv) procedures designed to ensure that information system modifications are consistent with the covered entity’s information security program;
      (v) dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for, or access to, sensitive financial account information or sensitive personal information;
      (vi) monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;
      (vii) response programs that specify actions to be taken when the covered entity suspects or detects that unauthorized individuals have gained access to information systems; and
      (viii) measures to protect against destruction, loss, or damage of sensitive financial account information or sensitive personal information due to potential environmental hazards, such as fire and water damage or technological failures;
    (B) develop, implement, and maintain appropriate measures to properly dispose of sensitive financial account information and sensitive personal information; and
    (C) train staff to implement the covered entity’s information security program.

  (6)(A) If a covered entity has a board of directors, the covered entity’s board of directors or an appropriate committee of the board shall—
      (i) approve the covered entity’s written information security program; and
      (ii) oversee the development, implementation, and maintenance of the covered entity’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.
    (B) If a covered entity has a board of directors, the covered entity shall report to its board or an appropriate committee of the board at least annually, including describing—
      (i) the overall status of the information security program and the covered entity’s compliance with this Act; and
      (ii) material matters related to its program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations and management’s responses, and recommendations for changes in the information security program.
(b) Investigation.

  If a covered entity believes that a breach of data security has or may have occurred in relation to sensitive financial account information or sensitive personal information that is maintained, communicated, or otherwise handled by, or on behalf of, the covered entity, the covered entity shall conduct an investigation to—
    (1) assess the nature and scope of the incident;
    (2) identify any sensitive financial account information or sensitive personal information that may have been involved in the incident;
    (3) determine if the sensitive financial account information or sensitive personal information has been acquired without authorization; and
    (4) take reasonable measures to restore the security and confidentiality of the systems compromised in the breach.

(c) Notice.

  (1) If a covered entity determines under subsection (b) that the unauthorized acquisition of sensitive financial account information or sensitive personal information involved in a breach of data security is reasonably likely to cause substantial harm to the consumers to whom the information relates, the covered entity, or a third party acting on behalf of the covered entity, shall—
    (A) notify, without unreasonable delay—
      (i) an appropriate Federal law enforcement agency;
      (ii) the appropriate agency or authority identified in section 5;
      (iii) any relevant payment card network, if the breach involves a breach of payment card numbers;
      (iv) each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, if the breach involves sensitive personal information or sensitive financial account information relating to 5,000 or more consumers; and
      (v) all consumers to whom the sensitive financial account information or sensitive personal information relates;
    (B) provide notice to consumers by—
      (i) written notification sent to the postal address of the consumer in the records of the covered entity;
      (ii) telephonic notification to the number of the consumer in the records of the covered entity;
      (iii) e-mail notification to the consumer (or via other electronic means) in the records of the covered entity; or
      (iv) substitute notification in print and to broadcast media where the individual whose personal information was acquired resides, if providing written or e-mail notification is not feasible due to—
        (I) lack of sufficient contact information for the consumers that must be notified;
        (II) excessive cost to the covered entity; or
        (III) exigent circumstances; and
    (C) provide notice that includes—
      (i) a description of the type of sensitive financial account information or sensitive personal information involved in the breach of data security;
      (ii) a general description of the actions taken by the covered entity to restore the security and confidentiality of the sensitive financial account information or sensitive personal information involved in the breach of data security; and
      (iii) a summary of rights of victims of identity theft prepared under section 609(d) of the Fair Credit Reporting Act (15 U.S.C. 1681g(d)), if the breach of data security involves sensitive personal information.

  (2) A covered entity may delay any notification described under paragraph (1) if such delay is requested by a law enforcement agency.

  (3) A financial institution shall have no obligation under this Act for a breach of security at another covered entity involving sensitive financial account information relating to an account owned by the financial institution.

(d) Third-party service providers and carriers.

  (1) In the event of a breach of security of a system maintained by a third-party service provider that has been contracted to maintain, store, or process data in electronic form containing sensitive financial account information or sensitive personal information on behalf of a covered entity who owns or possesses such data, such third-party service provider shall—
    (A) notify the covered entity; and
    (B) notify consumers if it is agreed in writing that the third-party service provider will provide such notification on behalf of the covered entity.

  (2) If a carrier becomes aware of a breach of security involving data in electronic form containing sensitive financial account information or sensitive personal information that is owned or licensed by a covered entity that connects to or uses a system or network provided by the carrier for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, such carrier shall notify the covered entity who initiated such connection, transmission, routing, or storage of the data containing sensitive financial account information or sensitive personal information, if such covered entity can be reasonably identified.

  (3) If a service provider is acting solely as a third-party service provider for purposes of this subsection, the service provider has no other notification obligations under this section.

  (4) Upon receiving notification from a service provider under paragraph (1), a covered entity shall provide notification as required under this section.
(e) Communication by financial institutions.

  If a covered entity that is not a financial institution experiences a breach of security involving sensitive financial account information, a financial institution that issues an account to which the sensitive financial account information relates may communicate with the account holder regarding the breach, including—
    (1) an explanation that the financial institution was not breached, and that the breach occurred at a third party that had access to the consumer’s sensitive financial account information; or
    (2) identify the covered entity that experienced the breach after the covered entity has provided notice consistent with this Act.

(f) Compliance.

  (1) An entity shall be deemed to be in compliance with—
    (A) in the case of a financial institution—
      (i) subsection (a), and any regulations prescribed under subsection (a), if the financial institution maintains policies and procedures to protect the confidentiality and security of sensitive financial account information and sensitive personal information that are consistent with the policies and procedures of the financial institution that are designed to comply with the requirements of section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) and any regulations or guidance prescribed under that section that are applicable to the financial institution; and
      (ii) subsections (b) and (c), and any regulations prescribed under subsections (b) and (c), if the financial institution—
        (I) maintains policies and procedures to investigate and provide notice to consumers of breaches of data security that are consistent with the policies and procedures of the financial institution that are designed to comply with the investigation and notice requirements established by regulations or guidance under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) that are applicable to the financial institution;
        (II) is an affiliate of a bank holding company that maintains policies and procedures to investigate and provide notice to consumers of breaches of data security that are consistent with the policies and procedures of a bank that is an affiliate of the financial institution, and the policies and procedures of the bank are designed to comply with the investigation and notice requirements established by any regulations or guidance under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) that are applicable to the bank; or
        (III) is an affiliate of a savings and loan holding company that maintains policies and procedures to investigate and provide notice to consumers of breaches of data security that are consistent with the policies and procedures of a savings association that is an affiliate of the financial institution, and the policies and procedures of the savings association are designed to comply with the investigation and notice requirements established by any regulations or guidelines under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) that are applicable to savings associations; and
        provides for notice to the entities described under clauses (ii), (iii), and (iv) of subsection (c)(1)(A), if notice is provided to consumers pursuant to the policies and procedures of the financial institution described in subclause (I); and
    (B) subsections (a), (b), and (c)—
      (i) if the entity is a covered entity for purposes of the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), to the extent that the entity is in compliance with such regulations; or
      (ii) if the entity is in compliance with sections 13402 and 13407 of the HITECH Act (42 U.S.C. 17932 and 17937).

  (2) In this subsection—
    (A) the terms bank holding company and bank have the meanings given the terms in section 2 of the Bank Holding Company Act of 1956 (12 U.S.C. 1841);
    (B) the term savings and loan holding company has the meaning given the term in section 10 of the Home Owners’ Loan Act (12 U.S.C. 1467a); and
    (C) the term savings association has the meaning given the term in section 2 of the Home Owners’ Loan Act (12 U.S.C. 1462).