Sec. 211. Notice to individuals
/bill/115/hr/4081/ih/section-211
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Except as provided in section 212, a covered entity shall, following the discovery of a security breach of such information, notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired. In the event of a breach of security of a system maintained by a third-party entity that has been contracted to maintain or process data in electronic form containing sensitive personally identifiable information on behalf of a covered entity who owns or possesses such data, the third-party entity shall notify the covered entity of the breach of security.
Upon receiving notification from the third-party entity, such covered entity shall provide the notification required under subsection (a). Nothing in this subtitle shall prevent or abrogate an agreement between a covered entity required to give notice under this section and a third-party entity that has been contracted to maintain or process data in electronic form containing sensitive personally identifiable information for a covered entity, to provide the notifications required under subsection (a).
If a service provider becomes aware of a security breach containing sensitive personally identifiable information that is owned or possessed by a covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall be required to promptly notify the covered entity who initiated such connection, transmission, routing, or storage of the security breach if the covered entity can be reasonably identified.
Upon receiving such notification from a service provider, the covered entity shall be required to provide the notification required under subsection (a). All notifications required under this section shall be made as expediently as possible and without unreasonable delay following the discovery by the covered entity of a security breach. Reasonable delay under this subsection may include any reasonable time necessary to determine the scope of the security breach, prevent further disclosures, and provide notice to law enforcement when required.
Except as provided in subsection (d), delay of notification shall not exceed 30 days following the discovery of a security breach. The covered entity required to provide notice under this subtitle shall, upon the request of the Attorney General of the United States or the Federal Trade Commission provide records or other evidence of the notifications required under this subtitle, including to the extent applicable, the reasons for any delay of notification. If a Federal law enforcement agency or intelligence agency determines that the notification required under this section would impede a criminal investigation, or national security activity, such notification shall be delayed upon written notice from a Federal law enforcement agency or intelligence agency to the covered entity that experienced the security breach.
The notification from a Federal law enforcement agency or intelligence agency shall specify in writing the period of delay requested for law enforcement or national security purposes. If the notification required under subsection (a) is delayed pursuant to paragraph (1), a covered entity shall give notice 15 days after the day such law enforcement or national security delay was invoked unless a Federal law enforcement or intelligence agency provides written notification that further delay is necessary. No nonconstitutional cause of action shall lie in any court against any agency for acts relating to the delay of notification for law enforcement or national security purposes under this subtitle.
Notwithstanding any other obligation under this subtitle, this subtitle does not apply to the following:
- Financial institutions—
  - subject to and in compliance with the data security requirements and standards under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)); and
  - subject to the jurisdiction of an agency or authority described in section 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)).
- An entity that is subject to and in compliance with the data breach notification of the following, with respect to data that is subject to such requirements:
  - Section 13401 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931).
  - Part 160 or 164 of title 45, Code of Federal Regulations (or any successor regulations).
  - The regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).
  - In the case of a business entity, the applicable data breach notification requirements of part 1 of subtitle D of title XIII of division A of the American Reinvestment and Recovery Act of 2009 (42 U.S.C. 17931 et seq.), if such business entity is acting as a covered entity, a business associate, or a vendor of personal health records, as those terms are defined in section 13400 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17921).
  - In the case of a third-party service provider, section 13407 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17937).
U.S. Code
- Protection of nonpublic personal information, § 6801
- Enforcement, § 6805
- Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions, § 17931
- Definitions, § 17921
- Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities, § 17937