
H.R. 3911: To amend the Gramm-Leach-Bliley Act to establish procedures for disclosures by financial institutions of nonpublic personal information, and for other purposes.


The text of the bill below is as of Jun 15, 2021 (Introduced).


I

117th CONGRESS

1st Session

H. R. 3911

IN THE HOUSE OF REPRESENTATIVES

June 15, 2021

introduced the following bill; which was referred to the Committee on Financial Services

A BILL

To amend the Gramm-Leach-Bliley Act to establish procedures for disclosures by financial institutions of nonpublic personal information, and for other purposes.

1.

Data breaches

(a)

In general

Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended by inserting after section 502 the following:

502A.

Data breaches

(a)

In general

A financial institution shall submit to the Director of the Bureau of Consumer Financial Protection a report if the financial institution discloses nonpublic personal information of a consumer in violation of this subtitle. Such report shall—

(1)

be submitted not later than 72 hours after the financial institution discovers such violation;

(2)

identify the name and contact information of an individual who can provide more information to the Bureau about the violation;

(3)

describe the nature of the violation, including (if possible) the categories and approximate number of consumers affected and the categories and approximate number of records of nonpublic personal information affected;

(4)

describe the likely consequences of the violation; and

(5)

describe the measures taken or proposed to be taken by the financial institution to address the violation, including, where appropriate, measures to mitigate its possible adverse effects.

(b)

Bureau determination

(1)

In general

Upon receipt of a report under subsection (a), the Director of the Bureau of Consumer Financial Protection shall assess whether any violation described in such report poses a high risk of harm to consumers affected by such a violation, and if so, require the financial institution to disclose the violation to such consumers.

(2)

Requirements

The disclosure required under paragraph (1) shall—

(A)

describe the nature of the violation, including (if possible) the categories and approximate number of consumers affected and the categories and approximate number of records of nonpublic personal information affected;

(B)

identify the name and contact information of an individual who can provide more information to consumers about the violation;

(C)

describe the likely consequences of the violation; and

(D)

describe the measures taken or proposed to be taken by the financial institution to address the violation, including, where appropriate, measures to mitigate its possible adverse effects.

(3)

Disclosure not required

A financial institution is not required to disclose a violation under paragraph (1) if—

(A)

the financial institution has implemented appropriate measures to ensure that the nonpublic personal information affected by the violation would not be usable by a third party; and

(B)

the Director of the Bureau of Consumer Financial Protection has determined that the financial institution has taken action to prevent harm to consumers as a result of the violation.

(c)

Rulemaking

Not later than the end of the 1-year period beginning on the date of enactment of this section, the Director of the Bureau of Consumer Financial Protection and the Federal agencies described under section 505(a) shall, jointly, issue rules to carry out this section.

.