

117 HR 3911 IH: To amend the Gramm-Leach-Bliley Act to establish procedures for disclosures by financial institutions of nonpublic personal information, and for other purposes.
U.S. House of Representatives
2021-06-15
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



117th CONGRESS
1st Session
H. R. 3911

IN THE HOUSE OF REPRESENTATIVES

June 15, 2021

Mr. Lynch introduced the following bill; which was referred to the Committee on Financial Services

A BILL

To amend the Gramm-Leach-Bliley Act to establish procedures for disclosures by financial institutions of nonpublic personal information, and for other purposes.

1. Data breaches

(a) In general. Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended by inserting after section 502 the following:

502A. Data breaches

(a) In general. A financial institution shall submit to the Director of the Bureau of Consumer Financial Protection a report if the financial institution discloses nonpublic personal information of a consumer in violation of this subtitle. Such report shall:

    (1) be submitted not later than 72 hours after the financial institution discovers such violation;
    (2) identify the name and contact information of an individual who can provide more information to the Bureau about the violation;
    (3) describe the nature of the violation, including (if possible) the categories and approximate number of consumers affected and the categories and approximate number of records of nonpublic personal information affected;
    (4) describe the likely consequences of the violation; and
    (5) describe the measures taken or proposed to be taken by the financial institution to address the violation, including, where appropriate, measures to mitigate its possible adverse effects.

(b) Bureau determination

    (1) In general. Upon receipt of a report under subsection (a), the Director of the Bureau of Consumer Financial Protection shall assess whether any violation described in such report poses a high risk of harm to consumers affected by such a violation, and if so, require the financial institution to disclose the violation to such consumers.

    (2) Requirements. The disclosure required under paragraph (1) shall:

        (A) describe the nature of the violation, including (if possible) the categories and approximate number of consumers affected and the categories and approximate number of records of nonpublic personal information affected;
        (B) identify the name and contact information of an individual who can provide more information to consumers about the violation;
        (C) describe the likely consequences of the violation; and
        (D) describe the measures taken or proposed to be taken by the financial institution to address the violation, including, where appropriate, measures to mitigate its possible adverse effects.

    (3) Disclosure not required. A financial institution is not required to disclose a violation under paragraph (1) if:

        (A) the financial institution has implemented appropriate measures to ensure that the nonpublic personal information affected by the violation would not be usable by a third party; and
        (B) the Director of the Bureau of Consumer Financial Protection has determined that the financial institution has taken action to prevent harm to consumers as a result of the violation.

(c) Rulemaking. Not later than the end of the 1-year period beginning on the date of enactment of this section, the Director of the Bureau of Consumer Financial Protection and the Federal agencies described under section 505(a) shall, jointly, issue rules to carry out this section.