Sec. 202. Requirements for consumer privacy and data security program
/bill/115/hr/4081/ih/section-202
(a) A covered entity subject to this subtitle shall comply with the following safeguards and any other administrative, technical, or physical safeguards identified by the Federal Trade Commission in a rulemaking process pursuant to section 553 of title 5, United States Code, for the protection of sensitive personally identifiable information:
    (1) A covered entity shall implement a comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity.
    (2) The consumer privacy and data security program shall be designed to—
        (A) ensure the privacy and security of sensitive personally identifying information;
        (B) protect against any anticipated vulnerabilities to the privacy and security of sensitive personally identifying information; and
        (C) protect against unauthorized access, acquisition, disclosure, or use of sensitive personally identifying information.
    (3) A covered entity shall—
        (A) identify reasonably foreseeable internal and external vulnerabilities and internal and external threats that could result in unauthorized access, disclosure, or use of sensitive personally identifiable information or of systems containing sensitive personally identifiable information;
        (B) assess the likelihood of and potential damage from unauthorized access, acquisition, disclosure, or use of sensitive personally identifiable information;
        (C) assess the sufficiency of its technical, physical, and administrative controls in place to control and minimize risks from unauthorized access, acquisition, disclosure, or use of sensitive personally identifiable information; and
        (D) assess the vulnerability of sensitive personally identifiable information during destruction and disposal of such information, including through the disposal or retirement of hardware.
    (4) Each covered entity shall—
        (A) design its consumer privacy and data security program to control the risks identified under paragraph (3);
        (B) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, nature, and scope of the activities of the covered entity that—
            (i) control access to sensitive personally identifiable information, including controls to authenticate and permit access only to authorized individuals;
            (ii) detect, record, and preserve information relevant to actual and attempted fraudulent, unlawful, or unauthorized access, acquisition, disclosure, or use of sensitive personally identifiable information, including by employees and other individuals otherwise authorized to have access;
            (iii) protect sensitive personally identifiable information during use, transmission, storage, and disposal by encryption, redaction, disclosure limitation methodologies, or access controls, that are widely accepted as an effective industry practice or industry standard, or other reasonable means;
            (iv) ensure that sensitive personally identifiable information is properly destroyed and disposed of, including during the destruction of computers and other electronic media that contain sensitive personally identifiable information; and
            (v) ensure that no third party is authorized to access or acquire sensitive personally identifiable information in its possession without the covered entity first performing sufficient due diligence to ascertain, with reasonable certainty, that such information is being sought for a valid legal purpose; and
        (C) establish a plan and procedures for minimizing the amount of sensitive personally identifiable information maintained by the covered entity, which shall provide for the retention of sensitive personally identifiable information only as reasonably needed for the business purposes of such business entity or as necessary to comply with any legal obligation.
(b) Nothing in this subsection shall be construed to permit, and nothing does permit, the Federal Trade Commission to issue regulations requiring, or according greater legal status to, the implementation of or application of a specific technology or technological specifications for meeting the requirements of this title.
(c) Covered entities subject to this subtitle shall take steps to ensure employee training and supervision for implementation of the consumer privacy and data security program of the covered entity.
(d)
    (1) Covered entities subject to this subtitle shall take steps to ensure regular testing of key technical, physical, and administrative controls for information and information systems of the consumer privacy and data security program to detect, prevent, and respond to attacks or intrusions, or other system failures.
    (2) The frequency and nature of the tests required under paragraph (1) shall be determined by the risk assessment of the covered entity under subsection (a)(3).
(e) In the event a covered entity subject to this subtitle engages a person or entity not subject to this subtitle (other than a service provider) to receive sensitive personally identifiable information in performing services or functions (other than the services or functions provided by a service provider) on behalf of and under the instruction of such covered entity, the covered entity shall—
    (1) exercise appropriate due diligence in selecting the person or entity for responsibilities related to sensitive personally identifiable information, and take reasonable steps to select and retain a person or entity that is capable of maintaining appropriate controls for the privacy and security of the sensitive personally identifiable information at issue; and
    (2) require the person or entity by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing subtitle A.
(f) Each covered entity subject to this subtitle shall on a regular basis monitor, evaluate, and adjust, as appropriate, its consumer privacy and data security program in light of any relevant changes in—
    (1) technology;
    (2) internal or external threats and vulnerabilities to sensitive personally identifiable information; and
    (3) the changing business arrangements of the covered entity, such as—
        (A) mergers and acquisitions;
        (B) alliances and joint ventures;
        (C) outsourcing arrangements;
        (D) bankruptcy; and
        (E) changes to sensitive personally identifiable information systems.
(g) Not later than 1 year after the date of enactment of this Act, a covered entity subject to the provisions of this subtitle shall implement a consumer privacy and data security program pursuant to this subtitle.