Specter - Leahy Privacy Bill - Notification
Personal Data Privacy and Security Act of 2005 (Reported in Senate)
SEC. 321. NOTICE TO INDIVIDUALS.
(a) In General- Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information shall, following the discovery of a security breach of such information, notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.
(b) Obligation of Owner or Licensee-
(1) NOTICE TO OWNER OR LICENSEE- Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the agency or business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information.
(2) NOTICE BY OWNER, LICENSEE OR OTHER DESIGNATED THIRD PARTY- Nothing in this subtitle shall prevent or abrogate an agreement between an agency or business entity required to give notice under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a).
(3) BUSINESS ENTITY RELIEVED FROM GIVING NOTICE- A business entity obligated to give notice under subsection (a) shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security breach, or other designated third party, provides such notification.
(c) Timeliness of Notification-
(1) IN GENERAL- All notifications required under this section shall be made without unreasonable delay following the discovery by the agency or business entity of a security breach.
(2) REASONABLE DELAY- Reasonable delay under this subsection may include any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data system and provide notice to law enforcement when required.
(3) BURDEN OF PROOF- The agency, business entity, owner, or licensee required to provide notification under this section shall have the burden of demonstrating that all notifications were made as required under this subtitle, including evidence demonstrating the necessity of any delay.
(d) Delay of Notification Authorized for Law Enforcement Purposes-
(1) IN GENERAL- If a Federal law enforcement agency determines that the notification required under this section would impede a criminal investigation, such notification shall be delayed upon written notice from such Federal law enforcement agency to the agency or business entity that experienced the breach.
(2) EXTENDED DELAY OF NOTIFICATION- If the notification required under subsection (a) is delayed pursuant to paragraph (1), an agency or business entity shall give notice 30 days after the day such law enforcement delay was invoked unless a Federal law enforcement agency provides written notification that further delay is necessary.
(3) LAW ENFORCEMENT IMMUNITY- No cause of action shall lie in any court against any law enforcement agency for acts relating to the delay of notification for law enforcement purposes under this Act.
SEC. 322. EXEMPTIONS.
(a) Exemption for National Security and Law Enforcement-
(1) IN GENERAL- Section 321 shall not apply to an agency if the agency certifies, in writing, that notification of the security breach as required by section 321 reasonably could be expected to--
(A) cause damage to the national security; or
(B) hinder a law enforcement investigation or the ability of the agency to conduct law enforcement investigations.
(2) LIMITS ON CERTIFICATIONS- An agency may not execute a certification under paragraph (1) to--
(A) conceal violations of law, inefficiency, or administrative error;
(B) prevent embarrassment to a business entity, organization, or agency; or
(C) restrain competition.
(3) NOTICE- In every case in which an agency issues a certification under paragraph (1), the certification, accompanied by a description of the factual basis for the certification, shall be immediately provided to the United States Secret Service.
(b) Safe Harbor- An agency or business entity will be exempt from the notice requirements under section 321, if--
(1) a risk assessment concludes that there is no significant risk that the security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach;
(2) without unreasonable delay, but not later than 45 days after the discovery of a security breach, unless extended by the United States Secret Service, the agency or business entity notifies the United States Secret Service, in writing, of--
(A) the results of the risk assessment; and
(B) its decision to invoke the risk assessment exemption; and
(3) the United States Secret Service does not indicate, in writing, within 10 days from receipt of the decision, that notice should be given.
(c) Financial Fraud Prevention Exemption-
(1) IN GENERAL- A business entity will be exempt from the notice requirement under section 321 if the business entity utilizes or participates in a security program that--
(A) is designed to block the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and
(B) provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions.
(2) LIMITATION- The exemption by this subsection does not apply if the information subject to the security breach includes sensitive personally identifiable information in addition to the sensitive personally identifiable information identified in section 3.