Sec. 2. Breach notification standards
492 words·~2 min read·
/bill/115/hr/6743/ih/section-2A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Section 501 of the Gramm-Leach-Bliley Act ( 15 U.S.C. 6801 ) is amended— in subsection (b)(3) by striking the period at the end and inserting , including through the provision of a breach notice in the event of unauthorized access that is reasonably likely to result in identity theft, fraud, or economic loss. ; and by adding at the end the following: Each agency or authority required to establish standards described under subsection (b)(3) with respect to the provision of a breach notice shall establish the standards with respect to such notice that are contained in the interpretive guidance issued by the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision titled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice , published March 29, 2005 (70 Fed. Reg. 15736), and for a financial institution that is not a bank, such standards shall be applied to the institution as if the institution was a bank to the extent appropriate and practicable.
Notwithstanding section 505(a)(6), with respect to an entity engaged in providing insurance, the standards under subsection
(b)shall be enforced— with respect to any such standards related to data security safeguards, by— the State insurance authority of the State in which the entity is domiciled; or in the case of an insurance agent, agency, or brokerage, the State insurance authority of the State in which such agent, agency, or brokerage has its principal place of business; and with respect to any such standards related to notification of the breach of data security, by the State insurance authority of any State in which customers of the entity are affected by such a breach of data security. Notwithstanding subsection (b), an assuming insurer that experiences a breach of data security shall only be required to notify the State insurance authority of the State in which the assuming insurer is domiciled. For purposes of this paragraph, the term assuming insurer means an entity engaged in providing insurance that acquires an insurance obligation or risk from another entity engaged in providing insurance pursuant to a reinsurance agreement. In carrying out subsection
(b)with respect to an entity engaged in providing insurance, a State insurance authority shall establish the standards for safeguarding customer information maintained by entities engaged in activities described in section 4(k)(4)(B) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(4)(k)(4)(B)) that are the same as the standards contained in the interagency guidelines issued by the Comptroller of the Currency, the Board of Governors of the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision titled Interagency Guidelines Establishing Standards for Safeguarding Customer Information , published February 1, 2001 (66 Fed. Reg. 8633), and such standards shall be applied as if the entity engaged in providing insurance was a bank to the extent appropriate and practicable. .
Connectionstraces to 2
Traces to 2 documents
2 references not yet in our index
- 70 FR 15736
- 66 FR 8633
Citation graph
cites case law
Cites 4Cited by 0 across 0 sources