Today, Congressman Joe Donnelly's bill, The Veterans Data Breach Timely Notification Act, H.R. 3730, passed the House Committee on Veterans' Affairs as an amendment to H.R. 5948, The Veterans Fiduciary Reform Act. On June 27, 2012, Donnelly's bill passed the Oversight and Investigations Subcommittee by voice vote.
"In the unfortunate event of a breach of sensitive information, veterans and their families should be notified as soon as practically possible," said Donnelly. "Current law, however, gives the VA a full thirty days to notify veterans that their personal information may have been compromised. That is too long. I'm proposing that veterans be alerted within ten business days. I'm pleased that others support this common-sense change, including the American Legion and VetsFirst."
The bill would require the Department of Veterans Affairs (VA) to notify veterans of a data breach of sensitive personal information within ten business days, or, with an extension, fifteen business days. The VA could use the extension in situations where it needs additional time to identify affected individuals or to prevent a further breach or unauthorized disclosure. Currently, the VA's internal policy allows it thirty days to notify those affected by a data breach.
More specifically, the Veterans Data Breach Timely Notification Act would:
Require the VA to notify individuals affected by a data breach and Congress within ten business days from the date of the incident.
Require contractors that maintain or process information containing sensitive personal information on behalf of the VA to notify individuals affected by a data breach and Congress within ten business days from the date of the incident.
Allow the ten business day notification deadline to be extended to fifteen business days if the VA requires additional time to identify affected individuals or prevent a further breach or unauthorized disclosure.