
Code · BILL · 117th Congress · H.R. 8152 (Introduced in House) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 208

Sec. 208. Data security and protection of covered data



(a)(1) A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition.

(2) The reasonable administrative, technical, and physical data security practices required under paragraph (1) shall be appropriate to—

(A) the size and complexity of the covered entity or service provider;

(B) the nature and scope of the covered entity or the service provider’s collecting, processing, or transferring of covered data;

(C) the volume and nature of the covered data collected, processed, or transferred by the covered entity or service provider;

(D) the sensitivity of the covered data collected, processed, or transferred;

(E) the current state of the art in administrative, technical, and physical safeguards for protecting such covered data; and

(F) the cost of available tools to improve security and reduce vulnerabilities to unauthorized access and acquisition of such covered data in relation to the risks and nature of the covered data.

(b) The data security practices required under subsection (a) shall include, at a minimum, the following practices:

(1) Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained by the covered entity that collects, processes, or transfers covered data, or service provider that collects, processes, or transfers covered data on behalf of the covered entity, including unauthorized access to or risks to such covered data, human vulnerabilities, access rights, and the use of service providers. With respect to large data holders, such activities shall include a plan to receive and respond to unsolicited reports of vulnerabilities by any entity or individual.

(2) Taking preventive and corrective action designed to mitigate any reasonably foreseeable risks or vulnerabilities to covered data identified by the covered entity or service provider, consistent with the nature of such risk or vulnerability, which may include implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software, among other actions.

(3) Evaluating and making reasonable adjustments to the safeguards described in paragraph (2) in light of any material changes in technology, internal or external threats to covered data, and the covered entity or service provider’s own changing business arrangements or operations.

(4) Disposing of covered data that is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, or transferred, unless an individual has provided affirmative express consent to such retention. Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section.

(5) Training each employee with access to covered data on how to safeguard covered data and updating such training as necessary.

(6) Designating an officer, employee, or employees to maintain and implement such practices.

(7) Implementing procedures to detect, respond to, or recover from security incidents or breaches.

(c) The Commission may promulgate in accordance with section 553 of title 5, United States Code, technology-neutral regulations to establish processes for complying with this section.

(d) A covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) or the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.), and is in compliance with the information security requirements of such Act as determined by the enforcement authority in such Act, shall be deemed to be in compliance with the requirements of this section with respect to any data covered by such information security requirements.