
Text of the Veterans Data Breach Timely Notification Act

This bill was introduced on December 19, 2011, in a previous session of Congress, but was not enacted. The text of the bill below is as of Dec 19, 2011 (Introduced).

Source: GPO

I

112th CONGRESS

1st Session

H. R. 3730

IN THE HOUSE OF REPRESENTATIVES

December 19, 2011

(for himself and Mr. Johnson of Ohio) introduced the following bill; which was referred to the Committee on Veterans’ Affairs

A BILL

To amend title 38, United States Code, to require the Secretary of Veterans Affairs to provide notice to individuals whose sensitive personal information is involved in a data breach, and for other purposes.

1. Short title

This Act may be cited as the Veterans Data Breach Timely Notification Act.

2. Notification by the Secretary of Veterans Affairs of individuals whose sensitive personal information is involved in a data breach

(a) In general

Subchapter III of chapter 57 of title 38, United States Code is amended by inserting after section 5724 the following new section:

5724A. Data breach notification

(a) Notification requirement

Except as provided in subsection (d), in the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, by not later than five business days after the data breach, the Secretary shall notify the appropriate committees of Congress and each individual whose sensitive personal information is involved in the data breach is notified of the data breach. If the Secretary determines that providing such notification within five business days is not feasible due to circumstances necessary to accurately identify the individuals whose sensitive personal information is involved in the data breach or to prevent further breach or unauthorized disclosure and reasonably restore the integrity of the data system the Secretary shall provide such notification not later than 10 business days after the data breach.

(b) Contracts for data processing or maintenance

If the Secretary enters into a contract for the performance of any Department function that requires access to sensitive personal information, the Secretary shall require as a condition of the contract that the contractor agree to provide notification of data breaches in the same manner as required of the Secretary under subsection (a).

(c) Method and content of notification

(1) Notification provided to an individual under subsection (a) shall be provided clearly and conspicuously by one of the following methods:

(A) Written notification.

(B) Notification by email or other electronic means, if the Secretary’s primary method of communication with the individual is by email or such other electronic means.

(2) Regardless of the method by which notification is provided to an individual under paragraph (1), such notification shall include—

(A) a description of the sensitive personal information involved in the data breach;

(B) a telephone number that the individual may use, at no cost to the individual, to contact an appropriate employee of the Department to inquire about the data breach or the individual’s sensitive personal information maintained by the Department;

(C) notice that the individual is entitled to receive, at no cost to such individual, credit protection services under section 5724 of this title;

(D) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and

(E) a toll-free telephone number and website address whereby the individual may obtain information regarding identity theft.

(d) Notification of general public

The Secretary, acting through the Office of Public Affairs of the Department, shall notify the general public concerning any data breach involving sensitive personal information by not later than five working days after the incident, unless the Secretary determines that to do so is not feasible due to circumstances necessary to accurately identify the individuals whose sensitive personal information is involved in the data breach or to prevent further breach or unauthorized disclosure and reasonably restore the integrity of the data system, such notification shall be made as soon as possible.

(e) Appropriate committees of Congress

In this section, the term appropriate committees of Congress means the Committee on Veterans Affairs’ of the House of Representatives and the Committee on Veterans’ Affairs of the Senate.

.

(b) Clerical amendment

The table of sections at the beginning of such chapter is amended by inserting after the item relating to section 5724 the following new item:

5724A. Data breach notification.

.

(c) Effective date

The amendments made by this section shall apply with respect to a data breach occurring on or after the date that is 90 days after the date of the enactment of this Act.