Page:United States Statutes at Large Volume 120.djvu/3488

 PUBLIC LAW 109–461—DEC. 22, 2006

120 STAT. 3457

‘‘(c) PROVISION OF CREDIT PROTECTION SERVICES.—Any amount collected by the Secretary under subsection (b) shall be deposited in or credited to the Department account from which the contractor was paid and shall remain available for obligation without fiscal year limitation exclusively for the purpose of providing credit protection services pursuant to section 5724(b) of this title.

‘‘§ 5726. Reports and notice to Congress on data breaches

‘‘(a) QUARTERLY REPORTS.—(1) Not later than 30 days after the last day of a fiscal quarter, the Secretary shall submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives a report on any data breach with respect to sensitive personal information processed or maintained by the Department that occurred during that quarter.

‘‘(2) Each report submitted under paragraph (1) shall identify, for each data breach covered by the report—

‘‘(A) the Administration and facility of the Department responsible for processing or maintaining the sensitive personal information involved in the data breach; and

‘‘(B) the status of any remedial or corrective action with respect to the data breach.

‘‘(b) NOTIFICATION OF SIGNIFICANT DATA BREACHES.—(1) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that the Secretary determines is significant, the Secretary shall provide notice of such breach to the Committees on Veterans’ Affairs of the Senate and House of Representatives.

‘‘(2) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that is the sensitive personal information of a member of the Army, Navy, Air Force, or Marine Corps or a civilian officer or employee of the Department of Defense that the Secretary determines is significant under paragraph (1), the Secretary shall provide the notice required under paragraph (1) to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives in addition to the Committees on Veterans’ Affairs of the Senate and House of Representatives.

‘‘(3) Notice under paragraphs (1) and (2) shall be provided promptly following the discovery of such a data breach and the implementation of any measures necessary to determine the scope of the breach, prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

‘‘§ 5727. Definitions

‘‘In this subchapter:

‘‘(1) AVAILABILITY.—The term ‘availability’ means ensuring timely and reliable access to and use of information.

‘‘(2) CONFIDENTIALITY.—The term ‘confidentiality’ means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

‘‘(3) CONTROL TECHNIQUES.—The term ‘control techniques’ means methods for guiding and controlling the operations of information systems to ensure adherence to the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.
