
Code · BILL · 118th Congress · H.R. 8818 (Introduced in House) — To provide Americans with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 109

Sec. 109. Data security and protection of covered data


(a) Establishment of data security practices.

    (1) Each covered entity or service provider shall establish, implement, and maintain reasonable data security practices to protect—

        (A) the confidentiality, integrity, and availability of covered data; and

        (B) covered data against unauthorized access.

    (2) The data security practices required under paragraph (1) shall be appropriate to—

        (A) the size and complexity of the covered entity or service provider;

        (B) the nature and scope of the relevant collecting, processing, retaining, or transferring of covered data, taking into account changing business operations with respect to covered data;

        (C) the volume, nature, and sensitivity of the covered data; and

        (D) the state-of-the-art (and limitations thereof) in administrative, technical, and physical safeguards for protecting covered data.

(b) Specific requirements. The data security practices required under subsection (a) shall include, at a minimum, the following:

    (1) Routinely identifying and assessing any reasonably foreseeable internal or external risk to, or vulnerability in, each system maintained by the covered entity or service provider that collects, processes, retains, or transfers covered data, including unauthorized access to or corruption of such covered data, human vulnerabilities, access rights, and the use of service providers. Such activities shall include developing and implementing a plan for receiving and considering unsolicited reports of vulnerability by any entity and, if such a report is reasonably credible, performing a reasonable and timely investigation of such report and taking appropriate action to protect covered data against the vulnerability.

    (2)

        (A) Taking preventive and corrective action to mitigate any reasonably foreseeable internal or external risk to, or vulnerability of, covered data identified by the covered entity or service provider, consistent with the nature of such risk or vulnerability and the role of the covered entity or service provider in collecting, processing, retaining, or transferring the data, which may include implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software.

        (B) Evaluating and making reasonable adjustments to the action described in subparagraph (A) in light of any material changes in state-of-the-art technology, internal or external threats to covered data, and changing business operations with respect to covered data.

    (3) Disposing of covered data (either by or at the direction of the covered entity) that is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, retained, or transferred, unless a permitted purpose under section 102(d) applies, except that retention and disposal of biometric information shall be governed by section 102(c)(3). Such disposal shall include destroying, permanently erasing, or otherwise modifying the covered data to make such data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section.

    (4) Developing, maintaining, and adhering to a retention schedule for covered data consistent with paragraph (3).

    (5) Training each employee with access to covered data on how to safeguard covered data, and updating such training as necessary.

    (6) Implementing procedures to detect, respond to, and recover from data security incidents, including breaches.

(c) Regulations. The Commission may, in consultation with the Secretary of Commerce, promulgate, in accordance with section 553 of title 5, United States Code, technology-neutral, process-based regulations to carry out this section.