Data Security and Breach Notification Act

S. 1207 Sens. Pryor and Rockefeller

Published by: s_kline on Jun 20, 2011
Copyright: Attribution Non-commercial

II
[STAFF WORKING DRAFT]
JUNE 15, 2011
112TH CONGRESS, 1ST SESSION

S. ——

To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.

IN THE SENATE OF THE UNITED STATES

JUNE ——, 2011

Mr. PRYOR (for himself and Mr. ROCKEFELLER) introduced the following bill; which was read twice and referred to the Committee on ————————————

A BILL

To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE
June 15, 2011 (2:01 p.m.)

2
S —— IS

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Data Security and Breach Notification Act of 2011’’.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

(a) GENERAL SECURITY POLICIES AND PROCEDURES.—

(1) REGULATIONS.—Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require every covered entity that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration—

(A) the size of, and the nature, scope, and complexity of the activities engaged in by, such covered entity;

(B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and

(C) the cost of implementing such safeguards.

(2) REQUIREMENTS.—Such regulations shall require the policies and procedures to include the following:

(A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.

(B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.

(C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by such covered entity that contains such data, which shall include regular monitoring for a breach of security of such system or systems.

(D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.

(E) A process for disposing of data in electronic form containing personal information by
