[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3730 Introduced in House (IH)]

112th CONGRESS
  1st Session
                                H. R. 3730

  To amend title 38, United States Code, to require the Secretary of 
   Veterans Affairs to provide notice to individuals whose sensitive 
   personal information is involved in a data breach, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           December 19, 2011

     Mr. Donnelly of Indiana (for himself and Mr. Johnson of Ohio) 
 introduced the following bill; which was referred to the Committee on 
                           Veterans' Affairs

_______________________________________________________________________

                                 A BILL


 
  To amend title 38, United States Code, to require the Secretary of 
   Veterans Affairs to provide notice to individuals whose sensitive 
   personal information is involved in a data breach, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Veterans Data Breach Timely 
Notification Act''.

SEC. 2. NOTIFICATION BY THE SECRETARY OF VETERANS AFFAIRS OF 
              INDIVIDUALS WHOSE SENSITIVE PERSONAL INFORMATION IS 
              INVOLVED IN A DATA BREACH.

    (a) In General.--Subchapter III of chapter 57 of title 38, United 
States Code is amended by inserting after section 5724 the following 
new section:
``Sec. 5724A. Data breach notification
    ``(a) Notification Requirement.--Except as provided in subsection 
(d), in the event of a data breach with respect to sensitive personal 
information that is processed or maintained by the Secretary, by not 
later than five business days after the data breach, the Secretary 
shall notify the appropriate committees of Congress and each individual 
whose sensitive personal information is involved in the data breach is 
notified of the data breach. If the Secretary determines that providing 
such notification within five business days is not feasible due to 
circumstances necessary to accurately identify the individuals whose 
sensitive personal information is involved in the data breach or to 
prevent further breach or unauthorized disclosure and reasonably 
restore the integrity of the data system the Secretary shall provide 
such notification not later than 10 business days after the data 
breach.
    ``(b) Contracts for Data Processing or Maintenance.--If the 
Secretary enters into a contract for the performance of any Department 
function that requires access to sensitive personal information, the 
Secretary shall require as a condition of the contract that the 
contractor agree to provide notification of data breaches in the same 
manner as required of the Secretary under subsection (a).
    ``(c) Method and Content of Notification.--(1) Notification 
provided to an individual under subsection (a) shall be provided 
clearly and conspicuously by one of the following methods:
            ``(A) Written notification.
            ``(B) Notification by email or other electronic means, if 
        the Secretary's primary method of communication with the 
        individual is by email or such other electronic means.
    ``(2) Regardless of the method by which notification is provided to 
an individual under paragraph (1), such notification shall include--
            ``(A) a description of the sensitive personal information 
        involved in the data breach;
            ``(B) a telephone number that the individual may use, at no 
        cost to the individual, to contact an appropriate employee of 
        the Department to inquire about the data breach or the 
        individual's sensitive personal information maintained by the 
        Department;
            ``(C) notice that the individual is entitled to receive, at 
        no cost to such individual, credit protection services under 
        section 5724 of this title;
            ``(D) the toll-free contact telephone numbers and addresses 
        for the major credit reporting agencies; and
            ``(E) a toll-free telephone number and website address 
        whereby the individual may obtain information regarding 
        identity theft.
    ``(d) Notification of General Public.--The Secretary, acting 
through the Office of Public Affairs of the Department, shall notify 
the general public concerning any data breach involving sensitive 
personal information by not later than five working days after the 
incident, unless the Secretary determines that to do so is not feasible 
due to circumstances necessary to accurately identify the individuals 
whose sensitive personal information is involved in the data breach or 
to prevent further breach or unauthorized disclosure and reasonably 
restore the integrity of the data system, such notification shall be 
made as soon as possible.
    ``(e) Appropriate Committees of Congress.--In this section, the 
term `appropriate committees of Congress' means the Committee on 
Veterans' Affairs of the House of Representatives and the Committee on 
Veterans' Affairs of the Senate.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
such chapter is amended by inserting after the item relating to section 
5724 the following new item:

``5724A. Data breach notification.''.
    (c) Effective Date.--The amendments made by this section shall 
apply with respect to a data breach occurring on or after the date that 
is 90 days after the date of the enactment of this Act.