


110 HR 2124 IH: Federal Agency Data Breach Protection

U.S. House of Representatives
2007-05-03
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

I

110th CONGRESS
1st Session

H. R. 2124

IN THE HOUSE OF REPRESENTATIVES

May 3, 2007

Mr. Tom Davis of Virginia introduced the following bill; which was referred to the Committee on Oversight and Government Reform

A BILL

To amend title 44, United States Code, to strengthen requirements related to security breaches of data involving the disclosure of sensitive personal information.

1. Short title

This Act may be cited as the “Federal Agency Data Breach Protection Act”.

2. Federal agency data breach notification requirements

(a) Authority of director of Office of Management and Budget To establish data breach policies

Section 3543(a) of title 44, United States Code, is amended—

(1) by striking “and” at the end of paragraph (7);

(2) by striking the period and inserting “; and” at the end of paragraph (8); and

(3) by adding at the end the following:

“(9) establishing policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of sensitive personal information and for which harm to an individual could reasonably be expected to result, specifically including—

“(A) a requirement for timely notice to be provided to those individuals whose sensitive personal information could be compromised as a result of such breach, except no notice shall be required if the breach does not create a reasonable risk of identity theft, fraud, or other unlawful conduct regarding such individual;

“(B) guidance on determining how timely notice is to be provided; and

“(C) guidance regarding whether additional special actions are necessary and appropriate, including data breach analysis, fraud resolution services, identity theft insurance, and credit protection or monitoring services.”.

(b) Authority of chief information officer To enforce data breach policies and develop and maintain inventories

Section 3544(a)(3) of title 44, United States Code, is amended—

(1) by inserting after “authority to ensure compliance with” the following: “and, to the extent determined necessary and explicitly authorized by the head of the agency, to enforce”;

(2) by striking “and” at the end of subparagraph (D);

(3) by inserting “and” at the end of subparagraph (E); and

(4) by adding at the end the following:

“(F) developing and maintaining an inventory of all personal computers, laptops, or any other hardware containing sensitive personal information;”.

(c) Inclusion of data breach notification in agency information security programs

Section 3544(b) of title 44, United States Code, is amended—

(1) by striking “and” at the end of paragraph (7);

(2) by striking the period and inserting “; and” at the end of paragraph (8); and

(3) by adding at the end the following:

“(9) procedures for notifying individuals whose sensitive personal information is compromised consistent with policies, procedures, and standards established under section 3543(a)(9) of this title.”.

(d) Authority of agency chief human capital officers To assess federal personal property

Section 1402(a) of title 5, United States Code, is amended—

(1) by striking “, and” at the end of paragraph (5) and inserting a semicolon;

(2) by striking the period and inserting “; and” at the end of paragraph (6); and

(3) by adding at the end the following:

“(7) prescribing policies and procedures for exit interviews of employees, including a full accounting of all Federal personal property that was assigned to the employee during the course of employment.”.

(e) Sensitive personal information definition

Section 3542(b) of title 44, United States Code, is amended by adding at the end the following new paragraph:

“(4) The term ‘sensitive personal information’, with respect to an individual, means any information about the individual maintained by an agency, including—

“(A) education, financial transactions, medical history, and criminal or employment history;

“(B) information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records; or

“(C) any other personal information that is linked or linkable to the individual.”.
