Sec. 202. Requirements for consumer privacy and data security program
/bill/115/s/2124/is/section-202
(a) A covered entity subject to this subtitle shall comply with the following safeguards and any other administrative, technical, or physical safeguards identified by the Federal Trade Commission for the protection of sensitive personally identifiable information:

    (1) A covered entity shall implement a comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity.

    (2) The consumer privacy and data security program shall be designed to—
        (A) ensure the privacy and security of sensitive personally identifying information;
        (B) protect against any anticipated vulnerabilities to the privacy and security of sensitive personally identifying information; and
        (C) protect against unauthorized access, destruction, acquisition, disclosure, or use of sensitive personally identifying information.

    (3) A covered entity shall—
        (A) identify reasonably foreseeable internal and external vulnerabilities and internal and external threats that could result in unauthorized access, destruction, acquisition, disclosure, or use of sensitive personally identifiable information or of systems containing sensitive personally identifiable information;
        (B) assess the likelihood of and potential damage from unauthorized access, destruction, acquisition, disclosure, or use of sensitive personally identifiable information;
        (C) assess the sufficiency of its technical, physical, and administrative controls in place to control and minimize risks from unauthorized access, destruction, acquisition, disclosure, or use of sensitive personally identifiable information; and
        (D) assess the vulnerability of sensitive personally identifiable information during destruction and disposal of such information, including through the disposal or retirement of hardware.

    (4) Each covered entity shall—
        (A) design its consumer privacy and data security program to control the risks identified under paragraph (3);
        (B) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, nature, and scope of the activities of the covered entity that—
            (i) control access to sensitive personally identifiable information, including controls to authenticate and permit access only to authorized individuals;
            (ii) detect, record, and preserve information relevant to actual and attempted fraudulent, unlawful, or unauthorized access, acquisition, disclosure, or use of sensitive personally identifiable information, including by employees and other individuals otherwise authorized to have access;
            (iii) protect sensitive personally identifiable information during use, transmission, storage, and disposal by encryption, redaction, disclosure limitation methodologies, or access controls that are widely accepted as an effective industry practice or industry standard, or other reasonable means;
            (iv) ensure that sensitive personally identifiable information is properly destroyed and disposed of, including during the destruction of computers and other electronic media that contain sensitive personally identifiable information; and
            (v) ensure that no third party is authorized to access or acquire sensitive personally identifiable information in its possession without the covered entity first performing sufficient due diligence to ascertain, with reasonable certainty, that such information is being sought for a valid legal purpose; and
        (C) establish a plan and procedures for minimizing the amount of sensitive personally identifiable information maintained by the covered entity and the length of time such information is retained, which shall provide for the retention of sensitive personally identifiable information only as reasonably needed for the business purposes of such business entity or as necessary to comply with any legal obligation and only as long as so needed.

    (5) Nothing in this subsection shall be construed to permit, and nothing does permit, the Federal Trade Commission to issue regulations requiring, or according greater legal status to, the implementation of or application of a specific technology or technological specifications for meeting the requirements of this title.

(b) Covered entities subject to this subtitle shall take steps to ensure employee training and supervision for implementation of the consumer privacy and data security program of the covered entity.

(c) (1) Covered entities subject to this subtitle shall take steps to ensure regular testing of key technical, physical, and administrative controls for information and information systems of the consumer privacy and data security program to detect, prevent, and respond to attacks or intrusions, or other system failures.
    (2) The frequency and nature of the tests required under paragraph (1) shall be determined by the risk assessment of the covered entity under subsection (a)(3).

(d) In the event a covered entity subject to this subtitle engages a person or entity not subject to this subtitle (other than a service provider) to receive sensitive personally identifiable information in performing services or functions (other than the services or functions provided by a service provider) on behalf of and under the instruction of such covered entity, the covered entity shall—
    (1) exercise appropriate due diligence in selecting the person or entity for responsibilities related to sensitive personally identifiable information, and take reasonable steps to select and retain a person or entity that is capable of maintaining appropriate controls for the privacy and security of the sensitive personally identifiable information at issue; and
    (2) require the person or entity by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing subtitle A.

(e) Each covered entity subject to this subtitle shall on a regular basis monitor, evaluate, and adjust, as appropriate, its consumer privacy and data security program in light of any relevant changes in—
    (1) technology;
    (2) internal or external threats and vulnerabilities to sensitive personally identifiable information; and
    (3) the changing business arrangements of the covered entity, such as—
        (A) mergers and acquisitions;
        (B) alliances and joint ventures;
        (C) outsourcing arrangements;
        (D) bankruptcy; and
        (E) changes to sensitive personally identifiable information systems.

(f) Not less frequently than once every calendar year, a covered entity shall provide, upon request of a United States resident and at no cost to that individual, notice to that individual of what sensitive personally identifiable information of that individual is maintained or shared by the covered entity.

(g) (1) In this subsection, the terms "consumer" and "file" have the meanings given the terms in section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).
    (2) Upon the request of a consumer, a covered entity that is a consumer reporting agency that compiles or maintains a file on the consumer and has received appropriate proof of the identity of the requester shall place or lift a credit freeze in the file of the consumer without charge to the consumer.

(h) Not later than 1 year after the date of enactment of this Act, the Federal Trade Commission shall issue regulations in accordance with section 553 of title 5, United States Code, to implement subsections (a) through (g).

(i) Not later than 1 year after the date on which the Federal Trade Commission issues the final regulations required under subsection (h), a covered entity subject to the provisions of this subtitle shall implement a consumer privacy and data security program pursuant to this subtitle.