(2) a non-truncated social security number, driver’s license number, passport number, or
alien registration number or other government-issued unique identification number;
(3) unique biometric data such as a finger print, voice print, a retina or iris image, or any
other unique physical representation;
(4) a unique account identifier, including a financial account number or credit or debit card
number, electronic identification number, user name, or routing code;
(5) a user name or electronic mail address, in combination with a password or security
question and answer that would permit access to an online account; or
(6) any combination of the following data elements:
(A) an individual’s first and last name or first initial and last name;
(B) a unique account identifier, including a financial account number or credit or
debit card number, electronic identification number, user name, or routing code; or
(C) any security code, access code, or password, or source code that could be used
to generate such codes or passwords.
(7) MODIFIED DEFINITION BY RULEMAKING— The Commission may, by rule
promulgated under section 553 of title 5, United States Code, amend the definition of
`sensitive personally identifiable information' to the extent that such amendment will not
unreasonably impede interstate commerce, and will accomplish the purposes of this title. In
amending the definition, the Commission may determine—
(A) that any particular combinations of information are sensitive personally
identifiable information, or
(B) that any particular piece of information, on its own, is sensitive personally
identifiable information.
SEC. 101. NOTICE TO INDIVIDUALS.
(a) IN GENERAL.—Any business entity engaged in or affecting interstate commerce, that uses,
accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about
more than 10,000 individuals during any 12-month period shall, following the discovery of a security
breach of such information, notify any individual whose sensitive personally identifiable information
has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable
risk of harm or fraud to such individual.
(b) OBLIGATIONS OF AND TO OWNER OR LICENSEE.—
(1) NOTICE TO OWNER OR LICENSEE.—Any business entity engaged in or affecting
interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive
personally identifiable information that the business entity does not own or license shall notify
the owner or licensee of the information following the discovery of a security breach involving
such information, unless there is no reasonable risk of harm or fraud to such owner or licensee.
(2) NOTICE BY OWNER, LICENSEE OR OTHER DESIGNATED THIRD PARTY.—
Nothing in this title shall prevent or abrogate an agreement between a business entity required
to give notice under this section and a designated third party, including an owner or licensee of
the sensitive personally identifiable information subject to the security breach, to provide the
notifications required under subsection (a).