
	
		I
		112th CONGRESS
		1st Session
		H. R. 3730
		IN THE HOUSE OF REPRESENTATIVES
		
			December 19, 2011
			Mr. Donnelly of Indiana (for himself and Mr. Johnson of Ohio) introduced the following bill; which was referred to the Committee on Veterans’ Affairs
		
		A BILL
		To amend title 38, United States Code, to require the Secretary of Veterans Affairs to provide notice to individuals whose sensitive personal information is involved in a data breach, and for other purposes.
	
	
		1. Short title. This Act may be cited as the Veterans Data Breach Timely Notification Act.
		2. Notification by the Secretary of Veterans Affairs of individuals whose sensitive personal information is involved in a data breach
			(a) In general. Subchapter III of chapter 57 of title 38, United States Code is amended by inserting after section 5724 the following new section:
				
					5724A. Data breach notification
						(a) Notification requirement. Except as provided in subsection (d), in the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, by not later than five business days after the data breach, the Secretary shall notify the appropriate committees of Congress and each individual whose sensitive personal information is involved in the data breach is notified of the data breach. If the Secretary determines that providing such notification within five business days is not feasible due to circumstances necessary to accurately identify the individuals whose sensitive personal information is involved in the data breach or to prevent further breach or unauthorized disclosure and reasonably restore the integrity of the data system the Secretary shall provide such notification not later than 10 business days after the data breach.
						(b) Contracts for data processing or maintenance. If the Secretary enters into a contract for the performance of any Department function that requires access to sensitive personal information, the Secretary shall require as a condition of the contract that the contractor agree to provide notification of data breaches in the same manner as required of the Secretary under subsection (a).
						(c) Method and content of notification.
							(1) Notification provided to an individual under subsection (a) shall be provided clearly and conspicuously by one of the following methods:
								(A) Written notification.
								(B) Notification by email or other electronic means, if the Secretary’s primary method of communication with the individual is by email or such other electronic means.
							(2) Regardless of the method by which notification is provided to an individual under paragraph (1), such notification shall include—
								(A) a description of the sensitive personal information involved in the data breach;
								(B) a telephone number that the individual may use, at no cost to the individual, to contact an appropriate employee of the Department to inquire about the data breach or the individual’s sensitive personal information maintained by the Department;
								(C) notice that the individual is entitled to receive, at no cost to such individual, credit protection services under section 5724 of this title;
								(D) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and
								(E) a toll-free telephone number and website address whereby the individual may obtain information regarding identity theft.
						(d) Notification of general public. The Secretary, acting through the Office of Public Affairs of the Department, shall notify the general public concerning any data breach involving sensitive personal information by not later than five working days after the incident, unless the Secretary determines that to do so is not feasible due to circumstances necessary to accurately identify the individuals whose sensitive personal information is involved in the data breach or to prevent further breach or unauthorized disclosure and reasonably restore the integrity of the data system, such notification shall be made as soon as possible.
						(e) Appropriate committees of Congress. In this section, the term “appropriate committees of Congress” means the Committee on Veterans Affairs’ of the House of Representatives and the Committee on Veterans’ Affairs of the Senate.
						.
			(b) Clerical amendment. The table of sections at the beginning of such chapter is amended by inserting after the item relating to section 5724 the following new item:

						5724A. Data breach notification.
					
					.
			(c) Effective date. The amendments made by this section shall apply with respect to a data breach occurring on or after the date that is 90 days after the date of the enactment of this Act.
			
