
Code · BILL · 117th Congress · H.R. 8152 (Reported in House) — To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 301

Sec. 301. Executive responsibility


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a) Beginning 1 year after the date of enactment of this Act, an executive officer of a large data holder shall annually certify, in good faith, to the Commission, in a manner specified by the Commission by regulation under section 553 of title 5, United States Code, that the entity maintains—
    (1) internal controls reasonably designed to comply with this Act; and
    (2) internal reporting structures to ensure that such certifying executive officer is involved in and responsible for the decisions that impact the compliance by the large data holder with this Act.

(b)
    (1) A certification submitted under subsection (a) shall be based on a review of the effectiveness of the internal controls and reporting structures of the large data holder that is conducted by the certifying executive officer not more than 90 days before the submission of the certification.
    (2) A certification submitted under subsection (a) is made in good faith if the certifying officer had, after a reasonable investigation, reasonable ground to believe and did believe, at the time that certification was submitted, that the statements therein were true and that there was no omission to state a material fact required to be stated therein or necessary to make the statements therein not misleading.

(c)
    (1) A covered entity or service provider that have more than 15 employees, shall designate—
        (A) 1 or more qualified employees as privacy officers; and
        (B) 1 or more qualified employees (in addition to any employee designated under subparagraph (A)) as data security officers.
    (2) An employee who is designated by a covered entity or a service provider as a privacy officer or a data security officer pursuant to paragraph (1) shall, at a minimum—
        (A) implement a data privacy program and data security program to safeguard the privacy and security of covered data in compliance with the requirements of this Act; and
        (B) facilitate the covered entity or service provider’s ongoing compliance with this Act.
    (3) A large data holder shall designate at least 1 of the officers described in paragraph (1) to report directly to the highest official at the large data holder as a privacy protection officer who shall, in addition to the requirements in paragraph (2), either directly or through a supervised designee or designees—
        (A) establish processes to periodically review and update the privacy and security policies, practices, and procedures of the large data holder, as necessary;
        (B) conduct biennial and comprehensive audits to ensure the policies, practices, and procedures of the large data holder ensure the large data holder is in compliance with this Act and ensure such audits are accessible to the Commission upon request;
        (C) develop a program to educate and train employees about compliance requirements of this Act;
        (D) maintain updated, accurate, clear, and understandable records of all material privacy and data security practices undertaken by the large data holder; and
        (E) serve as the point of contact between the large data holder and enforcement authorities.

(d)
    (1) Not later than 1 year after the date of enactment of this Act or 1 year after the date on which a covered entity first meets the definition of large data holder, whichever is earlier, and biennially thereafter, each covered entity that is a large data holder shall conduct a privacy impact assessment that weighs the benefits of the large data holder’s covered data collecting, processing, and transfer practices against the potential adverse consequences of such practices, including substantial privacy risks, to individual privacy.
    (2) A privacy impact assessment required under paragraph (1) shall be—
        (A) reasonable and appropriate in scope given—
            (i) the nature of the covered data collected, processed, and transferred by the large data holder;
            (ii) the volume of the covered data collected, processed, and transferred by the large data holder; and
            (iii) the potential material risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the large data holder;
        (B) documented in written form and maintained by the large data holder unless rendered out of date by a subsequent assessment conducted under paragraph (1); and
        (C) approved by the privacy protection officer designated in subsection (c)(3) of the large data holder, as applicable.
    (3) In assessing the privacy risks, including substantial privacy risks, the large data holder must include reviews of the means by which technologies, including blockchain and distributed ledger technologies and other emerging technologies, are used to secure covered data.

(e)
    (1) Not later than 1 year after the date of enactment of this Act and biennially thereafter, each covered entity that is not large data holder and does not meet the requirements for covered entities under section 209 shall conduct a privacy impact assessment. Such assessment shall weigh the benefits of the covered entity’s covered data collecting, processing, and transfer practices that may cause a substantial privacy risk against the potential material adverse consequences of such practices to individual privacy.
    (2) A privacy impact assessment required under paragraph (1) shall be—
        (A) reasonable and appropriate in scope given—
            (i) the nature of the covered data collected, processed, and transferred by the covered entity;
            (ii) the volume of the covered data collected, processed, and transferred by the covered entity; and
            (iii) the potential risks posed to the privacy of individuals by the collecting, processing, and transfer of covered data by the covered entity; and
        (B) documented in written form and maintained by the covered entity unless rendered out of date by a subsequent assessment conducted under paragraph (1).
    (3) In assessing the privacy risks, including substantial privacy risks, the covered entity may include reviews of the means by which technologies, including blockchain and distributed ledger technologies and other emerging technologies, are used to secure covered data.