Sec. 2. Notification of information security breach
/bill/115/hr/3975/ih/section-2·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
(a)
  (1) A covered entity that collects, uses, accesses, transmits, stores, or disposes of unsecured sensitive personally identifiable information in electronic or digital form shall, in the case of a breach of such information that is discovered by the covered entity, notify—
    (A) appropriate Federal agencies;
    (B) each individual whose unsecured sensitive personally identifiable information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach;
    (C) the attorney general of each State in which an individual described in subparagraph (B) resides; and
    (D) if there are 500 or more individuals described in subparagraph (B) who reside in a State or other jurisdiction, prominent media outlets serving such State or other jurisdiction.
  (2)
    (A) A third party that collects, uses, accesses, transmits, stores, or disposes of unsecured sensitive personally identifiable information in electronic or digital form that is owned or licensed by a covered entity shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notification shall include the identification of each individual whose unsecured sensitive personally identifiable information has been, or is reasonably believed by the third party to have been, accessed, acquired, or disclosed during such breach and the information described in paragraphs (1), (2), and (4) of subsection (d) with respect to such breach. The covered entity shall make the notifications required by paragraph (1) with respect to such breach.
    (B) If there are 500 or more individuals described in subparagraph (A) with respect to a breach, the third party shall provide the notification required by such subparagraph to the Commission and the Federal Bureau of Investigation, as well as to the covered entity. Notification by the third party under this subparagraph does not relieve the covered entity of the requirement to notify the Commission and the Federal Bureau of Investigation under paragraph (1)(A).

(b)
  (1) All notifications required under subsection (a) shall be made in the most expedient time possible and without unreasonable delay, but in no case later than 30 calendar days after the discovery of a breach by the covered entity involved (or by the third party involved in the case of a notification required under subsection (a)(2)(A)).
  (2) Notwithstanding paragraph (1), if there are 500 or more individuals to which a covered entity is required to provide notification of a breach under subsection (a)(1)(B), the covered entity shall notify the Commission and the Federal Bureau of Investigation of such breach as required under subsection (a)(1)(A) not later than 48 hours after the discovery of such breach by the covered entity.
  (3) Notwithstanding paragraph (1), a third party subject to subsection (a)(2)(B) with respect to a breach shall make the notifications required by such subsection not later than 48 hours after discovery of the breach by the third party.
  (4) The covered entity involved (or the third party involved in the case of a notification required under subsection (a)(2)) shall have the burden of demonstrating that all notifications were made as required under subsection (a), including evidence demonstrating the necessity of any delay.
  (5) For purposes of this section, a breach shall be treated as discovered by a covered entity or, in the case of a breach described in subsection (a)(2), by a third party, as of the first day on which such breach is known to such covered entity or third party, respectively (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such covered entity or third party, respectively) or should reasonably have been known to such covered entity or third party (or person) to have occurred.

(c) Notification required to be provided to an individual under subsection (a)(1)(B) with respect to a breach shall be provided in the following form:
  (1) Written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.
  (2) In the case in which there is insufficient or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written or (if specified by the individual) electronic notification to the individual, a substitute form of notification shall be provided, including, in the case that there are 500 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a minimum of 30 days on the homepage of the website of the covered entity involved. Such a website posting shall include a toll-free telephone number that an individual can call to learn whether or not the individual’s unsecured sensitive personally identifiable information is possibly included in the breach.
  (3) In any case considered by the covered entity involved to require urgency because of possible imminent misuse of unsecured sensitive personally identifiable information, the covered entity, in addition to notification as required by paragraphs (1) and (2), may provide information to individuals by telephone or other means, as appropriate.

(d) Each notification of a breach under subsection (a)(1) shall include, to the extent possible, the following:
  (1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  (2) A description of the types of unsecured sensitive personally identifiable information that were involved in the breach.
  (3) The steps individuals should take to protect themselves from potential harm resulting from the breach.
  (4) A brief description of what the entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
  (5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, a website, and a postal address.

(e) The Commission shall make available to the public on the website of the Commission a list that identifies each covered entity that is required to notify 500 or more individuals of a breach under subsection (a)(1)(B), except to the extent notification with respect to such breach is subject to a delay for law enforcement or national security purposes under subsection (f).

(f)
  (1) If the Director of the Federal Bureau of Investigation determines that the notifications required under subparagraphs (B), (C), and (D) of subsection (a)(1) would impede a criminal investigation or national security activity, the time period for such notifications shall be extended 30 days upon written notice from the Director to the covered entity that experienced the breach and to the Commission.
  (2) If the time period for notification required under subparagraphs (B), (C), and (D) of subsection (a)(1) is extended pursuant to paragraph (1), a covered entity shall provide the notification within such time period unless the Director of the Federal Bureau of Investigation provides written notice to the covered entity and to the Commission that further extension of the time period is necessary. The Director may extend the time period for additional periods of up to 30 days each.
  (3) No cause of action for which jurisdiction is based under section 1346(b) of title 28, United States Code, shall lie against any Federal law enforcement agency for acts relating to the extension of the deadline for notification for law enforcement or national security purposes under this subsection.