[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5838 Introduced in House (IH)]

109th CONGRESS
  2d Session
                                H. R. 5838

   To amend title 44, United States Code, to strengthen requirements 
   related to security breaches of data involving the disclosure of 
                    sensitive personal information.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 19, 2006

 Mr. Tom Davis of Virginia (for himself, Ms. Pryce of Ohio, Mr. Buyer, 
    Mr. Bradley of New Hampshire, and Ms. Corrine Brown of Florida) 
 introduced the following bill; which was referred to the Committee on 
                           Government Reform

_______________________________________________________________________

                                 A BILL


 
   To amend title 44, United States Code, to strengthen requirements 
   related to security breaches of data involving the disclosure of 
                    sensitive personal information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Agency Data Breach 
Notification Act''.

SEC. 2. FEDERAL AGENCY DATA BREACH NOTIFICATION REQUIREMENTS.

    (a) Authority of Director of Office of Management and Budget to 
Establish Data Breach Policies.--Section 3543(a) of title 44, United 
States Code, is amended--
            (1) by striking ``and'' at the end of paragraph (7);
            (2) by striking the period and inserting ``; and'' at the 
        end of paragraph (8); and
            (3) by adding at the end the following:
            ``(9) establishing policies, procedures, and standards for 
        agencies to follow in the event of a breach of data security 
        involving the disclosure of sensitive personal information in 
        violation of section 552a of title 5, including a requirement 
        for timely notice to be given to those individuals whose 
        sensitive personal information could be compromised as a result 
        of such breach, except no notice shall be required if the 
        breach does not create a reasonable risk of identity theft, 
        fraud, or other unlawful conduct regarding such individual.''.
    (b) Authority of Chief Information Officer to Enforce Data Breach 
Policies.--Section 3544(a)(3) of title 44, United States Code, is 
amended by inserting after ``authority to ensure compliance with'' the 
following: ``and, to the extent determined necessary and explicitly 
authorized by the head of the agency, to enforce''.
    (c) Inclusion of Data Breach Notification in Agency Information 
Security Programs.--Section 3544(b) of title 44, United States Code, is 
amended--
            (1) by striking ``and'' at the end of paragraph (7);
            (2) by striking the period and inserting ``; and'' at the 
        end of paragraph (8); and
            (3) by adding at the end the following:
            ``(9) procedures for notifying individuals whose sensitive 
        personal information is compromised consistent with policies, 
        procedures, and standards established under section 3543(a)(9) 
        of this title.''.
    (d) Sensitive Personal Information Definition.--Section 3542(b) of 
title 44, United States Code, is amended by adding at the end the 
following new paragraph:
            ``(4) The term `sensitive personal information' means any 
        information contained in a record, as defined in section 
        552a(4) of title 5.''.