[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3911 Introduced in House (IH)]

117th CONGRESS
  1st Session
                                H. R. 3911

    To amend the Gramm-Leach-Bliley Act to establish procedures for 
      disclosures by financial institutions of nonpublic personal 
                  information, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             June 15, 2021

  Mr. Lynch introduced the following bill; which was referred to the 
                    Committee on Financial Services

_______________________________________________________________________

                                 A BILL


 
    To amend the Gramm-Leach-Bliley Act to establish procedures for 
      disclosures by financial institutions of nonpublic personal 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. DATA BREACHES.

    (a) In General.--Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 
6801 et seq.) is amended by inserting after section 502 the following:

``SEC. 502A. DATA BREACHES.

    ``(a) In General.--A financial institution shall submit to the 
Director of the Bureau of Consumer Financial Protection a report if the 
financial institution discloses nonpublic personal information of a 
consumer in violation of this subtitle. Such report shall--
            ``(1) be submitted not later than 72 hours after the 
        financial institution discovers such violation;
            ``(2) identify the name and contact information of an 
        individual who can provide more information to the Bureau about 
        the violation;
            ``(3) describe the nature of the violation, including (if 
        possible) the categories and approximate number of consumers 
        affected and the categories and approximate number of records 
        of nonpublic personal information affected;
            ``(4) describe the likely consequences of the violation; 
        and
            ``(5) describe the measures taken or proposed to be taken 
        by the financial institution to address the violation, 
        including, where appropriate, measures to mitigate its possible 
        adverse effects.
    ``(b) Bureau Determination.--
            ``(1) In general.--Upon receipt of a report under 
        subsection (a), the Director of the Bureau of Consumer 
        Financial Protection shall assess whether any violation 
        described in such report poses a high risk of harm to consumers 
        affected by such a violation, and if so, require the financial 
        institution to disclose the violation to such consumers.
            ``(2) Requirements.--The disclosure required under 
        paragraph (1) shall--
                    ``(A) describe the nature of the violation, 
                including (if possible) the categories and approximate 
                number of consumers affected and the categories and 
                approximate number of records of nonpublic personal 
                information affected;
                    ``(B) identify the name and contact information of 
                an individual who can provide more information to 
                consumers about the violation;
                    ``(C) describe the likely consequences of the 
                violation; and
                    ``(D) describe the measures taken or proposed to 
                be taken by the financial institution to address the 
                violation, including, where appropriate, measures to 
                mitigate its possible adverse effects.
            ``(3) Disclosure not required.--A financial institution is 
        not required to disclose a violation under paragraph (1) if--
                    ``(A) the financial institution has implemented 
                appropriate measures to ensure that the nonpublic 
                personal information affected by the violation would 
                not be usable by a third party; and
                    ``(B) the Director of the Bureau of Consumer 
                Financial Protection has determined that the financial 
                institution has taken action to prevent harm to 
                consumers as a result of the violation.
    ``(c) Rulemaking.--Not later than the end of the 1-year period 
beginning on the date of enactment of this section, the Director of the 
Bureau of Consumer Financial Protection and the Federal agencies 
described under section 505(a) shall, jointly, issue rules to carry out 
this section.''.