Sec. 3. Definitions

749 words·~3 min read·/bill/114/hr/2977/ih/section-3

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

In this Act, the following definitions shall apply: The term affiliate means persons related by common ownership or by corporate control. The term agency has the same meaning given such term in section 551 of title 5, United States Code. The term business entity means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture established to make a profit, or a nonprofit organization. The term consumer privacy and data security program means the program described in section 202(a).

The term covered entity means any business entity, other than a service provider, that collects, uses, accesses, transmits, stores, or disposes of sensitive personally identifiable information. The term designated entity means the Federal Government entity designated by the Secretary of Homeland Security under section 217(a). The term encryption — means the protection of data in electronic form, in storage or in transit, using an encryption technology that has been generally accepted by experts in the field of information security that renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and includes appropriate management and safeguards of such cryptographic keys so as to protect the integrity of the encryption.

The term identity theft means a violation of section 1028(a)(7) of title 18, United States Code. The term security breach means compromise of the privacy or security of computerized data that results in, or that there is a reasonable basis to conclude has resulted in, unauthorized access to or acquisition of sensitive personally identifiable information. The term security breach does not include— a good faith access or acquisition of sensitive personally identifiable information by a business entity, or an employee or agent of a business entity, if the sensitive personally identifiable information is not subject to further unauthorized disclosure; the release of a public record not otherwise subject to confidentiality or nondisclosure requirements; or any lawfully authorized investigative, protective, or intelligence activity of a law enforcement or intelligence agency of the United States, a State, or a political subdivision of a State.

The term sensitive personally identifiable information means any information or compilation of information, in electronic or digital form that includes the following: A non-truncated social security number, a driver’s license number, passport number, or alien registration number or other government-issued unique identification number. A financial account number or credit or debit card number in combination with any security code, access code, or password if required for an individual to obtain credit, withdraw funds, or engage in financial transactions.

A unique electronic account identifier, including an online user name or email address, in combination with any security code, access code, password, or security question and answer, if required for an individual to obtain money, goods, services, access to digital photographs, digital videos or electronic communications, or any other thing of value. Unique biometric data, such as faceprint, fingerprint, voice print, a retina or iris image, or any other unique physical representation.

An individual's first and last name or first initial and last name in combination with any information that relates to the individual’s past, present, or future physical or mental health or condition, or to the provision of health care to or diagnosis of the individual, including health insurance information such as a health insurance policy number or subscriber identification number, or any information in an individual’s health insurance application and claims history. Information about an individual’s geographic location generated by or derived from the operation or use of an electronic communications device that is sufficient to identify the street and name of the city or town in which the device is located, excluding telephone numbers or network or Internet protocol addresses.

Password-protected digital photographs and digital videos not otherwise available to the public. The term service provider means a business entity that provides electronic data transmission, routing, intermediate and transient storage, or connections to its system or network, where the business entity providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and the business entity transmits, routes, or provides connections for sensitive personally identifiable information in a manner that sensitive personally identifiable information is undifferentiated from other types of data that such business entity transmits, routes, or provides connections.

Any such business entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage or connections.