To amend title 38, United States Code, to require the Secretary of Veterans Affairs to provide notice to individuals whose sensitive personal information is involved in a data breach, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Veterans Data Breach Timely Notification Act''.
SEC. 2. NOTIFICATION BY THE SECRETARY OF VETERANS AFFAIRS OF INDIVIDUALS WHOSE SENSITIVE PERSONAL INFORMATION IS INVOLVED IN A DATA BREACH.
(a) In General.--Subchapter III of chapter 57 of title 38, United States Code is amended by inserting after section 5724 the following new section:
``Sec. 5724A. Data breach notification
``(a) Notification Requirement.--Except as provided in subsection (d), in the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, by not later than five business days after the data breach, the Secretary shall notify the appropriate committees of Congress and each individual whose sensitive personal information is involved in the data breach is notified of the data breach. If the Secretary determines that providing such notification within five business days is not feasible due to circumstances necessary to accurately identify the individuals whose sensitive personal information is involved in the data breach or to prevent further breach or unauthorized disclosure and reasonably restore the integrity of the data system the Secretary shall provide such notification not later than 10 business...