H. R. 3730
IN THE HOUSE OF REPRESENTATIVES
December 19, 2011
Mr. Donnelly of Indiana (for himself and Mr. Johnson of Ohio) introduced the following bill; which was referred to the Committee on Veterans’ Affairs
To amend title 38, United States Code, to require the Secretary of Veterans Affairs to provide notice to individuals whose sensitive personal information is involved in a data breach, and for other purposes.
This Act may be cited as the Veterans Data Breach Timely Notification
Notification by the Secretary of Veterans Affairs of individuals whose sensitive personal information is involved in a data breach
Subchapter III of chapter 57 of title 38, United States Code is amended by inserting after section 5724 the following new section:
Data breach notification
Except as provided in subsection (d), in the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, by not later than five business days after the data breach, the Secretary shall notify the appropriate committees of Congress and each individual whose sensitive personal information is involved in the data breach is notified of the data breach. If the Secretary determines that providing such notification within five business days is not feasible due to circumstances necessary to accurately identify the individuals whose sensitive personal information is involved in the data breach or to prevent further breach or unauthorized disclosure and reasonably restore the integrity of the data system the Secretary shall provide such notification not later than 10 business days after the data breach.
Contracts for data processing or maintenance
If the Secretary enters into a contract for the performance of any Department function that requires access to sensitive personal information, the Secretary shall require as a condition of the contract that the contractor agree to provide notification of data breaches in the same manner as required of the Secretary under subsection (a).
Method and content of notification
Notification provided to an individual under subsection (a) shall be provided clearly and conspicuously by one of the following methods:
Notification by email or other electronic means, if the Secretary’s primary method of communication with the individual is by email or such other electronic means.
Regardless of the method by which notification is provided to an individual under paragraph (1), such notification shall include—
a description of the sensitive personal information involved in the data breach;
a telephone number that the individual may use, at no cost to the individual, to contact an appropriate employee of the Department to inquire about the data breach or the individual’s sensitive personal information maintained by the Department;
notice that the individual is entitled to receive, at no cost to such individual, credit protection services under section 5724 of this title;
the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and
a toll-free telephone number and website address whereby the individual may obtain information regarding identity theft.
Notification of general public
The Secretary, acting through the Office of Public Affairs of the Department, shall notify the general public concerning any data breach involving sensitive personal information by not later than five working days after the incident, unless the Secretary determines that to do so is not feasible due to circumstances necessary to accurately identify the individuals whose sensitive personal information is involved in the data breach or to prevent further breach or unauthorized disclosure and reasonably restore the integrity of the data system, such notification shall be made as soon as possible.
Appropriate committees of Congress
In this section, the term “appropriate committees of Congress” means the Committee on Veterans’ Affairs of the House of Representatives and the Committee on Veterans’ Affairs of the Senate.
The table of sections at the beginning of such chapter is amended by inserting after the item relating to section 5724 the following new item:
5724A. Data breach notification.
The amendments made by this section shall apply with respect to a data breach occurring on or after the date that is 90 days after the date of the enactment of this Act.