[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6163 Introduced in House (IH)]








109th CONGRESS
  2d Session
                                H. R. 6163

   To amend title 44, United States Code, to strengthen requirements 
   related to security breaches of data involving the disclosure of 
                    sensitive personal information.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 25, 2006

  Mr. Tom Davis of Virginia (for himself, Ms. Pryce of Ohio, and Mr. 
   Sweeney) introduced the following bill; which was referred to the 
                     Committee on Government Reform

_______________________________________________________________________

                                 A BILL


 
   To amend title 44, United States Code, to strengthen requirements 
   related to security breaches of data involving the disclosure of 
                    sensitive personal information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Agency Data Breach 
Protection Act''.

SEC. 2. FEDERAL AGENCY DATA BREACH NOTIFICATION REQUIREMENTS.

    (a) Authority of Director of Office of Management and Budget To 
Establish Data Breach Policies.--Section 3543(a) of title 44, United 
States Code, is amended--
            (1) by striking ``and'' at the end of paragraph (7);
            (2) by striking the period and inserting ``; and'' at the 
        end of paragraph (8); and
            (3) by adding at the end the following:
            ``(9) establishing policies, procedures, and standards for 
        agencies to follow in the event of a breach of data security 
        involving the disclosure of sensitive personal information and 
        for which harm to an individual could reasonably be expected to 
        result, specifically including--
                    ``(A) a requirement for timely notice to be 
                provided to those individuals whose sensitive personal 
                information could be compromised as a result of such 
                breach, except no notice shall be required if the 
                breach does not create a reasonable risk of identity 
                theft, fraud, or other unlawful conduct regarding such 
                individual;
                    ``(B) guidance on determining how timely notice is 
                to be provided; and
                    ``(C) guidance regarding whether additional special 
                actions are necessary and appropriate, including data 
                breach analysis, fraud resolution services, identity 
                theft insurance, and credit protection or monitoring 
                services.''.
    (b) Authority of Chief Information Officer To Enforce Data Breach 
Policies and Develop and Maintain Inventories.--Section 3544(a)(3) of 
title 44, United States Code, is amended--
            (1) by inserting after ``authority to ensure compliance 
        with'' the following: ``and, to the extent determined necessary 
        and explicitly authorized by the head of the agency, to 
        enforce'';
            (2) by striking ``and'' at the end of subparagraph (D);
            (3) by inserting ``and'' at the end of subparagraph (E); 
        and
            (4) by adding at the end the following:
                    ``(F) developing and maintaining an inventory of 
                all personal computers, laptops, or any other hardware 
                containing sensitive personal information;''.
    (c) Inclusion of Data Breach Notification in Agency Information 
Security Programs.--Section 3544(b) of title 44, United States Code, is 
amended--
            (1) by striking ``and'' at the end of paragraph (7);
            (2) by striking the period and inserting ``; and'' at the 
        end of paragraph (8); and
            (3) by adding at the end the following:
            ``(9) procedures for notifying individuals whose sensitive 
        personal information is compromised consistent with policies, 
        procedures, and standards established under section 3543(a)(9) 
        of this title.''.
    (d) Authority of Agency Chief Human Capital Officers To Assess 
Federal Personal Property.--Section 1402(a) of title 5, United States 
Code, is amended--
            (1) by striking ``, and'' at the end of paragraph (5) and 
        inserting a semicolon;
            (2) by striking the period and inserting ``; and'' at the 
        end of paragraph (6); and
            (3) by adding at the end the following:
            ``(7) prescribing policies and procedures for exit 
        interviews of employees, including a full accounting of all 
        Federal personal property that was assigned to the employee 
        during the course of employment.''.
    (e) Sensitive Personal Information Definition.--Section 3542(b) of 
title 44, United States Code, is amended by adding at the end the 
following new paragraph:
            ``(4) The term `sensitive personal information', with 
        respect to an individual, means any information about the 
        individual maintained by an agency, including--
                    ``(A) education, financial transactions, medical 
                history, and criminal or employment history;
                    ``(B) information that can be used to distinguish 
                or trace the individual's identity, including name, 
                social security number, date and place of birth, 
                mother's maiden name, or biometric records; or
                    ``(C) any other personal information that is linked 
                or linkable to the individual.''.
                                 <all>