A Summary of the S.139 Federal Data Breach Notification Act

What is the name of the law?
The law is called the "Data Breach Notification Act" and it supersedes all similar state laws.

Who does the law apply to?
The law applies to any agency or business entity engaged in interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information.

What is "sensitive personally identifiable information"?
Sensitive personally identifiable information is defined much as it is in many state breach laws, and takes one of the following forms:
  • First and Last Name or First Initial and Last Name plus one of the following:
    • Social Security Number
    • Driver's License Number
    • Passport Number
    • Alien Registration Number
  • First and Last Name or First Initial and Last Name plus one of the following:
    • Home address or telephone number
    • Mother's maiden name (if so identified)
    • Month, day, and year of birth
  • First and Last Name or First Initial and Last Name plus biometric data
  • First and Last Name or First Initial and Last Name plus account credentials (e.g. username and password) that could be used to obtain money, goods, or services
  • First and Last Name or First Initial and Last Name plus a financial account number, credit card number, or debit card number along with the access code, PIN, or password needed to use it

How soon must the notification occur?
The notification must occur without unreasonable delay. Reasonable delay includes the time needed to determine the scope of the breach, prevent further disclosures, restore the integrity of the data system, and provide notice to law enforcement (if required).

Notification may be further delayed if a Federal law enforcement agency determines that it would impede a criminal investigation.

What about exceptions?
Notification requirements can be avoided if a risk assessment is performed and concludes that there is no significant risk of harm to the individuals whose sensitive personally identifiable information was involved in the breach. However, the results of this risk assessment must be submitted to the Secret Service, which can require that notification be given anyway.

According to the law, "no significant risk of harm" can be presumed if the data was encrypted or otherwise protected by effective industry practices or standards.

Where can I get more information about the law?
The actual law can be found at:
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:s139is.txt.pdf
