Sec. 142. Notice to individuals
/bill/115/s/2187/is/section-142
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
A covered entity that owns or possesses data in electronic form containing personally identifiable information, following the discovery of a breach of security of the system maintained by the covered entity that contains such information, shall notify—
- each individual who is a citizen or resident of the United States and whose personally identifiable information has been, or is reasonably believed to have been, acquired or accessed from the covered entity as a result of the breach of security; and
- the Commission, unless the covered entity has notified the designated entity under section 143.

In the event of a breach of security of a system maintained by a third party that has been contracted to maintain or process data in electronic form containing personally identifiable information on behalf of a covered entity who owns or possesses such data, the third party shall notify the covered entity of the breach of security.

If a service provider becomes aware of a breach of security of data in electronic form containing personally identifiable information that is owned or possessed by another covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall notify of the breach of security only the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified.

If a covered entity is required to provide notification to more than 5,000 individuals under subsection (a)(1), the covered entity also shall notify each major credit reporting agency of the timing and distribution of the notices, except when the only personally identifiable information that is the subject of the breach of security is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code. Such notice shall be given to each credit reporting agency without unreasonable delay and, if it will not delay notice to the affected individuals, prior to the distribution of notices to the affected individuals.

All notifications required under this section shall be made without unreasonable delay following the discovery by the covered entity of a security breach. Reasonable delay under this subsection may include any time necessary to determine the scope of the security breach, prevent further disclosures, restore the reasonable integrity of the data system, and provide notice to law enforcement when required.

Except as provided in subsection (d), delay of notification shall not exceed 60 days following the discovery of the security breach, unless the covered entity requests an extension of time and the Commission determines in writing that additional time is reasonably necessary to determine the scope of the security breach, prevent further disclosures, restore the reasonable integrity of the data system, or to provide notice to the designated entity. If the Commission approves the request for delay, the covered entity may delay the period for notification for additional periods of up to 30 days.

The covered entity, third party, or service provider required to provide notice under this title shall, upon the request of the Commission, provide records or other evidence of the notifications required under this subtitle, including to the extent applicable, the reasons for any delay of notification.

Except as provided in paragraph (2), a covered entity shall be in compliance with the notification requirement under subsection (a)(1) if—
- the covered entity provides conspicuous and clearly identified notification—
  - in writing; or
  - by e-mail or other electronic means if—
    - the covered entity's primary method of communication with the individual is by e-mail or such other electronic means; or
    - the individual has consented to receive notification by e-mail or such other electronic means and such notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001); and
- the method of notification selected under clause (i) can reasonably be expected to reach the intended individual.

Each method of notification under subparagraph (A) shall include the following:
- The date, estimated date, or estimated date range of the breach of security.
- A description of the personally identifiable information that was or is reasonably believed to have been acquired or accessed as a result of the breach of security.
- A telephone number that an individual can use at no cost to the individual to contact the covered entity to inquire about the breach of security or the information the covered entity maintained about that individual.
- Notice that the individual may be entitled to consumer credit reports under subsection (e)(1).
- Instructions how an individual can request consumer credit reports under subsection (e)(1).
- A telephone number, that an individual can use at no cost to the individual, and an address to contact each major credit reporting agency.
- A telephone number, that an individual can use at no cost to the individual, and an Internet website address to obtain information regarding identity theft from the Commission.

A covered entity required to provide notification to individuals under subsection (a)(1) may provide notification under this paragraph instead of paragraph (1) of this subsection if—
- notification under paragraph (1) is not feasible due to lack of sufficient contact information for the individual required to be notified; or
- the covered entity owns or possesses data in electronic form containing personally identifiable information of fewer than 10,000 individuals and direct notification is not feasible due to excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A).

Notification under this paragraph shall include the following:
- Conspicuous and clearly identified notification by e-mail to the extent the covered entity has an e-mail address for an individual who is entitled to notification under subsection (a)(1).
- Conspicuous and clearly identified notification on the Internet website of the covered entity if the covered entity maintains an Internet website.
- Notification to print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personally identifiable information was acquired or accessed reside.

Each method of notification under this paragraph shall include the following:
- The date, estimated date, or estimated date range of the breach of security.
- A description of the types of personally identifiable information that were or are reasonably believed to have been acquired or accessed as a result of the breach of security.
- Notice that an individual may be entitled to consumer credit reports under subsection (e)(1).
- Instructions how an individual can request consumer credit reports under subsection (e)(1).
- A telephone number that an individual can use at no cost to the individual to learn whether the individual's personally identifiable information is included in the breach of security.
- A telephone number, that an individual can use at no cost to the individual, and an address to contact each major credit reporting agency.
- A telephone number, that an individual can use at no cost to the individual, and an Internet website address to obtain information from the Commission regarding identity theft.

Not later than 1 year after the date of enactment of this Act, the Commission shall prescribe criteria for determining circumstances under which notification may be provided under paragraph (2), including criteria for determining whether providing notification under paragraph (1) is not feasible due to excessive costs to the covered entity required to provide such notification relative to the resources of such covered entity. The regulations required by clause (i) may also identify other circumstances in which notification under paragraph (2) would be appropriate, including circumstances under which the cost of providing direct notification exceeds the benefits to individuals.

The Commission, in consultation with the Administrator of the Small Business Administration, shall publish and otherwise make available general guidance with respect to compliance with this subsection. The guidance required by clause (i) shall include the following:
- A description of written or e-mail notification that complies with paragraph (1).
- Guidance on the content of notification under paragraph (2), including the extent of notification to print and broadcast media that complies with subparagraph (B)(iii) of such paragraph.

Subject to the provisions of this subsection, not later than 60 days after the date of a request by an individual who received notification under subsection (a)(1) and quarterly thereafter for 2 years, a covered entity required to provide notification under such subsection to such individual shall provide, or arrange for the provision of, to such individual at no cost to such individual, consumer credit reports from at least 1 major credit reporting agency. Paragraph (1) shall not apply if the only personally identifiable information that is the subject of the breach of security is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code.

Not later than 1 year after the date of enactment of this Act, the Commission shall prescribe the following:
- Criteria for determining the circumstances under which a covered entity required to provide notification under subsection (a)(1) must provide or arrange for the provision of free consumer credit reports under this subsection.
- A simple process under which a covered entity that is a small business concern or small nonprofit organization may request a full or a partial waiver or a modified or an alternative means of complying with this subsection if providing free consumer credit reports is not feasible due to excessive costs relative to the resources of such covered entity and relative to the level of harm, to affected individuals, caused by the breach of security.

In this subsection:
- The term "small business concern" has the meaning given such term under section 3 of the Small Business Act (15 U.S.C. 632).
- The term "small nonprofit organization" has the meaning the Commission shall give such term for purposes of this subsection.

If the United States Secret Service or the Federal Bureau of Investigation determines that notification under this section would impede a criminal investigation or a national security activity, such notification shall be delayed upon written notice from the United States Secret Service or the Federal Bureau of Investigation to the covered entity that experienced the breach of security. The notification from the United States Secret Service or the Federal Bureau of Investigation shall specify the period of delay requested for national security or law enforcement purposes.

If the notification required under subsection (a)(1) is delayed pursuant to paragraph (1), a covered entity shall give notice not more than 30 days after the day such law enforcement or national security delay was invoked unless a Federal law enforcement or intelligence agency provides written notification that further delay is necessary. If the United States Secret Service instructs a covered entity to delay notification under this section beyond the 30-day period set forth in subparagraph (A) (referred to in this clause as "subsequent delay"), the United States Secret Service shall submit written justification for the subsequent delay to the Secretary of Homeland Security before the subsequent delay begins. If the Federal Bureau of Investigation instructs a covered entity to delay notification under this section beyond the 30-day period set forth in subparagraph (A) (referred to in this clause as "subsequent delay"), the Federal Bureau of Investigation shall submit written justification for the subsequent delay to the Attorney General before the subsequent delay begins. No cause of action shall lie in any court against any Federal agency for acts relating to the delay of notification for national security or law enforcement purposes under this subtitle.

A covered entity shall be exempt from the requirements under this section if, following a breach of security, the covered entity reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct. Not later than 1 year after the date of enactment of this Act, the Commission, after consultation with the Director of the National Institute of Standards and Technology, shall issue guidance regarding the application of the exemption under paragraph (1).

A covered entity shall be exempt from the notice requirements under this section if—
- a determination is made—
  - by the United States Secret Service or the Federal Bureau of Investigation that notification of the breach of security could be reasonably expected to reveal sensitive sources and methods or similarly impede the ability of the Government to conduct law enforcement or intelligence investigations; or
  - by the Federal Bureau of Investigation that notification of the breach of security could be reasonably expected to cause damage to the national security; and
- the United States Secret Service or the Federal Bureau of Investigation, as the case may be, provides written notice of its determination under subparagraph (A) to the covered entity.

If the United States Secret Service invokes an exemption under paragraph (1), the United States Secret Service shall submit written justification for invoking the exemption to the Secretary of Homeland Security before the exemption is invoked. If the Federal Bureau of Investigation invokes an exemption under paragraph (1), the Federal Bureau of Investigation shall submit written justification for invoking the exemption to the Attorney General before the exemption is invoked. No cause of action shall lie in any court against any Federal agency for acts relating to the exemption from notification for national security or law enforcement purposes under this subtitle. Not later than 540 days after the date of enactment of this Act, and upon request by Congress thereafter, the United States Secret Service and the Federal Bureau of Investigation shall submit to Congress a report on the number and nature of breaches of security subject to the exemptions for national security and law enforcement purposes under this subsection.

A covered entity shall be exempt from the notice requirements under this section if the covered entity utilizes or participates in a security program that—
- effectively blocks the use of the personally identifiable information to initiate an unauthorized financial transaction before it is charged to the account of the individual; and
- provides notice to each affected individual after a breach of security that resulted in attempted fraud or an attempted unauthorized transaction.

An exemption under paragraph (1) shall not apply if—
- the breach of security includes personally identifiable information, other than a credit card number or credit card security code, of any type; or
- the breach of security includes both the individual's credit card number and the individual's first and last name.

A covered financial institution shall be deemed in compliance with this section if—
- the Federal functional regulator with jurisdiction over the covered financial institution has issued a standard by regulation or guideline under title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) that—
  - requires financial institutions within its jurisdiction to provide notification to individuals following a breach of security; and
  - provides protections substantially similar to, or greater than, those required under this Act; and
- the covered financial institution is in compliance with the standard under subparagraph (A).

In this subsection:
- The term "covered financial institution" means a financial institution that is subject to—
  - the data security requirements of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.);
  - any implementing standard issued by regulation or guideline issued under that Act; and
  - the jurisdiction of a Federal functional regulator under that Act.
- The term "Federal functional regulator" has the meaning given the term in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809).
- The term "financial institution" has the meaning given the term in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809).

To the extent that a covered entity under this section acts as a covered entity or a business associate under section 13402 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17932), has the obligation to provide notification to individuals following a breach of security under that Act or its implementing regulations, and is in compliance with that obligation, the covered entity shall be deemed in compliance with this section.

To the extent that a covered entity under this section acts as a vendor of personal health records, a third party service provider, or other entity subject to section 13407 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17937), has the obligation to provide notification to individuals following a breach of security under that Act or its implementing regulations, and is in compliance with that obligation, the covered entity shall be deemed in compliance with this section. Nothing in this subtitle may be construed in any way to give effect to the sunset provision under section 13407(g)(2) of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17937(g)(2)) or to otherwise limit or affect the applicability, under section 13407 of that Act, of the requirement to provide notification to individuals following a breach of security for vendors of personal health records and each entity described in clause (ii), (iii), or (iv) of section 13424(b)(1)(A) of that Act (42 U.S.C. 17953(b)(1)(A)).

If the Commission, upon receiving notification of any breach of security that is reported to the Commission, finds that notification of the breach of security via the Commission's Internet website would be in the public interest or for the protection of consumers, the Commission shall place such a notice in a clear and conspicuous location on its Internet website.

Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the feasibility and advisability of requiring notification provided pursuant to subsection (d)(1) to be provided in a language in addition to English to individuals known to speak only such other language.
Traces to 7 documents
U.S. Code
- 15 U.S.C. § 7001: General rule of validity
- 15 U.S.C. § 632: Definitions
- 15 U.S.C. § 6801: Protection of nonpublic personal information
- 15 U.S.C. § 6809: Definitions
- 42 U.S.C. § 17932: Notification in the case of breach
- 42 U.S.C. § 17937: Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities
- 42 U.S.C. § 17953: Studies, reports, guidance