Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 117th Congress · H.R. 8152 (Reported in House) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 208

Sec. 208. Data security and protection of covered data

620 words·~3 min read·/bill/117/hr/8152/rh/section-208·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A covered entity or service provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition. The reasonable administrative, technical, and physical data security practices required under paragraph
(1)shall be appropriate to— the size and complexity of the covered entity or service provider; the nature and scope of the covered entity or the service provider’s collecting, processing, or transferring of covered data; the volume and nature of the covered data collected, processed, or transferred by the covered entity or service provider; the sensitivity of the covered data collected, processed, or transferred; the current state of the art (and limitations thereof) in administrative, technical, and physical safeguards for protecting such covered data; and the cost of available tools to improve security and reduce vulnerabilities to unauthorized access and acquisition of such covered data in relation to the risks and nature of the covered data. The data security practices of the covered entity and of the service provider required under subsection
(a)shall include, for each respective entity’s own system or systems, at a minimum, the following practices: Identifying and assessing any material internal and external risk to, and vulnerability in, the security of each system maintained by the covered entity that collects, processes, or transfers covered data, or service provider that collects, processes, or transfers covered data on behalf of the covered entity, including unauthorized access to or risks to such covered data, human vulnerabilities, access rights, and the use of service providers. With respect to large data holders, such activities shall include a plan to receive and reasonably respond to unsolicited reports of vulnerabilities by any entity or individual and by performing a reasonable investigation of such reports. Taking preventive and corrective action designed to mitigate reasonably foreseeable risks or vulnerabilities to covered data identified by the covered entity or service provider, consistent with the nature of such risk or vulnerability and the entity’s role in collecting, processing, or transferring the data. Such action may include implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software, among other actions. Evaluating and making reasonable adjustments to the action described in paragraph
(2)in light of any material changes in technology, internal or external threats to covered data, and the covered entity or service provider’s own changing business arrangements or operations. Disposing of covered data in accordance with a retention schedule that shall require the deletion of covered data when such data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, or transferred, unless an individual has provided affirmative express consent to such retention. Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section. Service providers shall establish practices to delete or return covered data to a covered entity as requested at the end of the provision of services unless retention of the covered data is required by law, consistent with section 302(a)(6). Training each employee with access to covered data on how to safeguard covered data and updating such training as necessary. Designating an officer, employee, or employees to maintain and implement such practices. Implementing procedures to detect, respond to, or recover from security incidents, including breaches. The Commission may promulgate, in accordance with section 553 of title 5, United States Code, technology-neutral regulations to establish processes for complying with this section. The Commission shall consult with the National Institute of Standards and Technology in establishing such processes.
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.