Sec. 211. Notice to individuals; protection
S. 2124 (115th Congress), as introduced in the Senate, section 211. Research copy: for the controlling text, check the official federal source. Not legal advice.
(a) Except as provided in section 212, a covered entity shall, following the discovery of a security breach of sensitive personally identifiable information held by that covered entity or any third-party entity contracted to maintain or process data in electronic form containing sensitive personally identifiable information for that covered entity—
(1) notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired; and
(2) provide 5 years of appropriate identity theft prevention and mitigation services, if any, to any individual notified under paragraph (1), upon request of the individual and at no cost to the individual, under which the individual shall not be—
(A) automatically enrolled, without the consent of the individual, into a fee-based identity theft prevention and mitigation service at the end of the 5-year period; or
(B) required to seek arbitration of any claim arising from the identity theft prevention and mitigation service described in subparagraph (A).

In the event of a breach of security of a system maintained by a third-party entity that has been contracted to maintain or process data in electronic form containing sensitive personally identifiable information on behalf of a covered entity who owns or possesses such data, the third-party entity shall notify the covered entity of the breach of security. Upon receiving notification from the third-party entity, such covered entity shall provide the notification and identity theft prevention and mitigation service required under subsection (a).

Nothing in this subtitle shall prevent or abrogate an agreement between a covered entity required to give notice under this section and a third-party entity that has been contracted to maintain or process data in electronic form containing sensitive personally identifiable information for a covered entity, to provide the notifications required under subsection (a)(1) or the identity theft prevention and mitigation service required under subsection (a)(2).

If a service provider becomes aware of a security breach containing sensitive personally identifiable information that is owned or possessed by a covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall be required to promptly notify the covered entity who initiated such connection, transmission, routing, or storage of the security breach if the covered entity can be reasonably identified. Upon receiving such notification from a service provider, the covered entity shall be required to provide the notification and identity theft prevention and mitigation service required under subsection (a).

All notifications and identity theft prevention and mitigation services required under this section shall be made as expediently as possible and without unreasonable delay following the discovery by the covered entity of a security breach. Reasonable delay under this subsection may include any reasonable time necessary to determine the scope of the security breach, prevent further disclosures, and provide notice to law enforcement when required. Except as provided in subsection (d), delay of notification or provision of identity theft prevention and mitigation service shall not exceed 7 days following the discovery of a security breach.

The covered entity required to provide notice and identity theft prevention and mitigation service under this subtitle shall, upon the request of the Attorney General of the United States or the Federal Trade Commission, provide records or other evidence of the notifications and identity theft prevention and mitigation service required under this subtitle, including, to the extent applicable, the reasons for any delay of notification or provision of identity theft prevention and mitigation service.

(d)(1) If a Federal law enforcement agency or intelligence agency determines that the notification or provision of identity theft prevention and mitigation service required under this section would impede a criminal investigation or national security activity, such notification or provision of identity theft prevention and mitigation service, as the case may be, shall be delayed upon written notice from a Federal law enforcement agency or intelligence agency to the covered entity that experienced the security breach. The notification from a Federal law enforcement agency or intelligence agency shall specify in writing the period of delay requested for law enforcement or national security purposes.

If the notification or provision of identity theft prevention and mitigation service required under subsection (a) is delayed pursuant to paragraph (1), a covered entity shall give notice or identity theft prevention and mitigation service, as the case may be, 15 days after the day such law enforcement or national security delay was invoked unless a Federal law enforcement or intelligence agency provides written notification that further delay is necessary. No nonconstitutional cause of action shall lie in any court against any agency for acts relating to the delay of notification for law enforcement or national security purposes under this subtitle.

Notwithstanding any other obligation under this subtitle, this subtitle does not apply to the following:
- Financial institutions subject to and in compliance with the data security requirements and standards under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), and subject to the jurisdiction of an agency or authority described in section 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)).
- An entity that is subject to and in compliance with the data breach notification requirements of the following, with respect to data that is subject to such requirements:
  - Section 13401 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931).
  - Part 160 or 164 of title 45, Code of Federal Regulations (or any successor regulations).
  - The regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).
  - In the case of a business entity, the applicable data breach notification requirements of part 1 of subtitle D of title XIII of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17931 et seq.), if such business entity is acting as a covered entity, a business associate, or a vendor of personal health records, as those terms are defined in section 13400 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17921).
  - In the case of a third-party service provider, section 13407 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17937).
Cited U.S. Code sections
- 15 U.S.C. § 6801 — Protection of nonpublic personal information
- 15 U.S.C. § 6805 — Enforcement
- 42 U.S.C. § 1320d–2 note
- 42 U.S.C. § 17921 — Definitions
- 42 U.S.C. § 17931 — Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions
- 42 U.S.C. § 17937 — Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities