To amend title 44, United States Code, to strengthen requirements related to security breaches of data involving the disclosure of sensitive personal information.
Mr. COLEMAN introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs
To amend title 44, United States Code, to strengthen requirements related to security breaches of data involving the disclosure of sensitive personal information.
(a) Authority of Director of Office of Management and Budget To Establish Data Breach Policies- Section 3543(a) of title 44, United States Code, is amended--
(1) by striking `and' at the end of paragraph (7);
(2) by striking the period and inserting `; and' at the end of paragraph (8); and
(3) by adding at the end the following:
`(9) establishing policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of sensitive personal information and for which harm to an individual could reasonably be expected to result, specifically including--
`(A) a requirement for timely notice to be provided to those individuals whose sensitive personal information could be compromised as a result of such breach, except no notice shall be required if the breach does not create a reasonable risk of identity theft, fraud, or other unlawful conduct regarding such individual;
`(B) guidance on determining how timely notice is to be provided; and
`(C) guidance regarding whether additional special actions are necessary and appropriate, including data breach analysis, fraud resolution services, identity theft insurance, and credit protection or monitoring services.'.
(b) Authority of Chief Information Officer To Enforce Data Breach Policies and Develop and Maintain Inventories- Section 3544(a)(3) of title 44, United States Code, is amended--
(1) by inserting after `authority to ensure compliance with' the following: `and, to the extent determined necessary and explicitly authorized by the head of the agency, to enforce';
(2) by striking `and' at the end of subparagraph (D);
(3) by inserting `and' at the end of subparagraph (E); and
(4) by adding at the end the following:
`(F) developing and maintaining an inventory of all personal computers, laptops, or any other hardware containing sensitive personal information;'.
(c) Inclusion of Data Breach Notification in Agency Information Security Programs- Section 3544(b) of title 44, United States Code, is amended--
(1) by striking `and' at the end of paragraph (7);
(2) by striking the period and inserting `; and' at the end of paragraph (8); and
(3) by adding at the end the following:
`(9) procedures for notifying individuals whose sensitive personal information is compromised consistent with policies, procedures, and standards established under section 3543(a)(9) of this title.'.
(d) Authority of Agency Chief Human Capital Officers To Assess Federal Personal Property- Section 1402(a) of title 5, United States Code, is amended--
(1) by striking `, and' at the end of paragraph (5) and inserting a semicolon;
(2) by striking the period and inserting `; and' at the end of paragraph (6); and
(3) by adding at the end the following:
`(7) prescribing policies and procedures for exit interviews of employees, including a full accounting of all Federal personal property that was assigned to the employee during the course of employment.'.
(e) Sensitive Personal Information Definition- Section 3542(b) of title 44, United States Code, is amended by adding at the end the following:
`(4) The term `sensitive personal information', with respect to an individual, means any information about the individual maintained by an agency, including--
`(A) education, financial transactions, medical history, and criminal or employment history;
`(B) information that can be used to distinguish or trace the individual's identity, including name, social security number, date and place of birth, mother's maiden name, or biometric records; or
`(C) any other personal information that is linked or linkable to the individual.'.
U.S. Congress - Text of S.1558 as Introduced in Senate Federal Agency Data Breach Protection Act
