[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3731 Introduced in House (IH)]

113th CONGRESS
  1st Session
                                H. R. 3731

  To require an Exchange established under the Patient Protection and 
  Affordable Care Act to notify individuals in the case that personal 
   information of such individuals is known to have been acquired or 
    accessed as a result of a breach of the security of any system 
                      maintained by the Exchange.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           December 12, 2013

Mrs. Black (for herself and Mr. Meehan) introduced the following bill; 
       which was referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
  To require an Exchange established under the Patient Protection and 
  Affordable Care Act to notify individuals in the case that personal 
   information of such individuals is known to have been acquired or 
    accessed as a result of a breach of the security of any system 
                      maintained by the Exchange.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Exchange Data Breach 
Notification Act of 2013''.

SEC. 2. NOTIFICATION TO INDIVIDUALS OF PERSONAL INFORMATION BEING 
              ACQUIRED OR ACCESSED AS A RESULT OF A BREACH OF SYSTEM 
              SECURITY.

    After the discovery of a breach of security of any system 
maintained by an Exchange established pursuant to section 1321(c) of 
the Patient Protection and Affordable Care Act (Public Law 111-148), 
the Exchange shall, in accordance with the requirements of the Health 
Breach Notification Rule issued by the Federal Trade Commission (16 
C.F.R. 318), provide notice of such breach to each individual whose 
personal information (including any non health-related personal 
information) is known to have been acquired or accessed as a result of 
such breach of security. A violation of this section shall be treated 
as a violation of a rule defining an unfair or deceptive act or 
practice prescribed under section 18 of the Federal Trade Commission 
Act (15 U.S.C. 57a).