[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 555 Introduced in House (IH)]

114th CONGRESS
  1st Session
                                H. R. 555

  To require an Exchange established under the Patient Protection and 
  Affordable Care Act to notify individuals in the case that personal 
   information of such individuals is known to have been acquired or 
    accessed as a result of a breach of the security of any system 
          maintained by the Exchange, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            January 27, 2015

Mrs. Black (for herself and Mr. Meehan) introduced the following bill; 
       which was referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
  To require an Exchange established under the Patient Protection and 
  Affordable Care Act to notify individuals in the case that personal 
   information of such individuals is known to have been acquired or 
    accessed as a result of a breach of the security of any system 
          maintained by the Exchange, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Exchange Data Breach 
Notification Act of 2015''.

SEC. 2. NOTIFICATION TO INDIVIDUALS OF PERSONAL INFORMATION BEING 
              ACQUIRED OR ACCESSED AS A RESULT OF A BREACH OF SYSTEM 
              SECURITY.

    After the discovery of a breach of security of any system 
maintained by an Exchange established pursuant to section 1321(c) of 
the Patient Protection and Affordable Care Act (Public Law 111-148), 
the Exchange shall, as soon as possible but in no instance later than 
the timeframe established under the requirements of the Health Breach 
Notification Rule issued by the Federal Trade Commission (16 C.F.R. 
318), provide notice of such breach to each individual whose personal 
information (including any non health-related personal information) is 
known to have been acquired or accessed as a result of such breach of 
security. A violation of this section shall be treated as a violation 
of a rule defining an unfair or deceptive act or practice prescribed 
under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a).
                                 <all>