Code · BILL · 119th Congress · H.R. 8014 (Introduced in House) — To provide for individual rights relating to privacy of personal information, to establish privacy and security requi... · Sec. 212

Sec. 212. Information security requirements

(a) A covered entity shall establish and implement reasonable information security policies, practices, and procedures for the protection of personal information collected, processed, maintained, or disclosed by such covered entity, taking into consideration—

    the nature, scope, and complexity of the activities engaged in by such covered entity;
    the sensitivity of any personal information at issue;
    the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
    the cost of implementing such administrative, technical, and physical safeguards.

(b) The policies, practices, and procedures required by subsection (a) shall include the following:

    (1) A written security policy with respect to collecting, processing, maintaining, and disclosing of personal information. Such policy shall be made publicly available in a prominent location on an ongoing basis, except that the publicly available version is not required to contain information that would compromise a purpose described in section 109(a)(1).
    (2) A process for identifying and assessing reasonably foreseeable security vulnerabilities in the system or systems used by such covered entity that contain personal information, which shall include regular monitoring for vulnerabilities or data breaches involving such system or systems.
    (3) A process for taking action designed to mitigate against vulnerabilities identified in the process required by paragraph (2), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software, or for regularly testing or otherwise monitoring the effectiveness of the existing safeguards.
    (4) A process for determining if personal information is no longer needed and disposing of personal information by shredding, permanently erasing, or otherwise modifying the medium on which such personal information is maintained to make such personal information permanently unreadable or indecipherable.
    (5) A process for overseeing persons who have access to personal information, including through network-connected devices.
    (6) A process for employee training and supervision for implementation of the policies, practices, and procedures required by this section.
    (7) A written plan or protocol for internal and public response in the event of a data breach or data-sharing abuse.

The Director, in consultation with the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology, shall promulgate regulations to implement this section.

The Director, in consultation with the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the Small Business Administration, the Minority Business Development Agency, and small businesses, shall develop policy templates, toolkits, tip sheets, configuration guidelines for commonly used hardware and software, interactive tools, and other materials to assist small businesses with complying with this section.