
cfr_sections

Current Code of Federal Regulations (eCFR) — the actual text of federal regulations in force. Covers 19 CFR titles with 123,000+ regulatory sections and full-text search.

Data license: Public Domain (U.S. Government data) · Data source: Federal Register API & Regulations.gov API

9 rows where part_number = 75 and title_number = 38 sorted by section_id

section_id ▼ title_number title_name chapter subchapter part_number part_name subpart subpart_name section_number section_heading agency authority source_citation amendment_citations full_text
38:38:2.0.1.1.32.2.364.1 38 Pensions, Bonuses, and Veterans' Relief I   75 PART 75—INFORMATION SECURITY MATTERS B Subpart B—Data Breaches   § 75.111 Purpose and scope. VA       This subpart implements provisions of 38 U.S.C. 5724 and 5727, which are set forth in Title IX of the Veterans Benefits, Health Care, and Information Technology Act of 2006. It only concerns actions to address a data breach regarding sensitive personal information that is processed or maintained by VA. This subpart does not supersede the requirements imposed by other laws, such as the Privacy Act of 1974, the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Reporting Act, and implementing regulations of such Acts.
38:38:2.0.1.1.32.2.364.2 38 Pensions, Bonuses, and Veterans' Relief I   75 PART 75—INFORMATION SECURITY MATTERS B Subpart B—Data Breaches   § 75.112 Definitions and terms. VA       For purposes of this subpart: Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. Data breach means the loss or theft of, or other unauthorized access to, other than an unauthorized access incidental to the scope of employment, data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Data breach analysis means the process used to determine if a data breach has resulted in the misuse of sensitive personal information. Fraud resolution services means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft. Identity theft has the meaning given such term under section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a). Identity theft insurance means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with efforts to correct and ameliorate the effects and results of identity theft of the insured individual. Individual means a single human being who is a citizen of the United States, an alien admitted to permanent residence in the United States, a present or former member of the Armed Forces, or any dependent of a present or former member of the Armed Forces. Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether automated or manual. 
Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Logical data access means the ability of a person to translate the data for misuse. This can lead to inappropriate access to lost, stolen or improperly obtained data.…
38:38:2.0.1.1.32.2.364.3 38 Pensions, Bonuses, and Veterans' Relief I   75 PART 75—INFORMATION SECURITY MATTERS B Subpart B—Data Breaches   § 75.113 Data breach. VA       Consistent with the definition of data breach in § 75.112 of this subpart, a data breach occurs under this subpart if there is a loss or theft of, or other unauthorized access to, other than an unauthorized access incidental to the scope of employment, data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. The term “unauthorized access” used in the definition of “data breach” includes access to an electronic information system and includes, but is not limited to, viewing, obtaining, or using data containing sensitive personal information in any form or in any VA information system. The phrase “unauthorized access incidental to the scope of employment” includes instances when employees of contractors and other entities need access to VA sensitive information in order to perform a contract or agreement with VA but incidentally obtain access to other VA sensitive information. Accordingly, an unauthorized access, other than an unauthorized access incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data, constitutes a data breach. In addition to these circumstances, VA also interprets data breach to include circumstances in which a user misuses sensitive personal information to which he or she has authorized access. 
The following circumstances do not constitute a data breach and, consequently, are not subject to the provisions of this subpart: (a) An unauthorized access to data containing sensitive personal information that was determined by the Secretary to be incidental to the scope of employment, such as an inadvertent unauthorized viewing of sensitive personal information by a VA employee or a person acting on behalf of VA. (b) A loss, theft, or other unauthorized access to data containing sensitive personal information that the Secretary determined …
38:38:2.0.1.1.32.2.364.4 38 Pensions, Bonuses, and Veterans' Relief I   75 PART 75—INFORMATION SECURITY MATTERS B Subpart B—Data Breaches   § 75.114 Accelerated response. VA       (a) The Secretary, in the exercise of his or her discretion, may provide notice to records subjects of a data breach and/or offer them other credit protection services prior to the completion of a risk analysis if: (1) The Secretary determines, based on the information available to the agency when it learns of the data breach, that there is an immediate, substantial risk of identity theft of the individuals whose data was the subject of the data breach, and providing timely notice may enable the record subjects to promptly take steps to protect themselves, and/or the offer of other credit protection services will assist in timely mitigation of possible harm to individuals from the data breach; or (2) Private entities would be required to provide notice under Federal law if they experienced a data breach involving the same or similar information. (3) In situations described in paragraphs (a)(1) or (a)(2) of this section, the Secretary may provide notice of the breach prior to completion of a risk analysis, and subsequently advise individuals whether the agency will offer additional credit protection services upon completion, and consideration of the results, of the risk analysis, if the Secretary directs that one be completed. (b) In determining whether to promptly notify individuals and/or offer them other credit protection services under paragraph (a)(1) of this section, the Secretary shall make the decision based upon the totality of the circumstances and information available to the Secretary at the time of the decision, including whether providing notice and offering other credit protection services would be likely to assist record subjects in preventing, or mitigating the results of, identity theft based on the compromised VA sensitive personal information. 
The Secretary's exercise of this discretion will be based on good cause, including consideration of the following factors: (1) The nature and content of the lost, stolen or improperly accessed data, e.g., the data elements involved, such as name, soc…
38:38:2.0.1.1.32.2.364.5 38 Pensions, Bonuses, and Veterans' Relief I   75 PART 75—INFORMATION SECURITY MATTERS B Subpart B—Data Breaches   § 75.115 Risk analysis. VA       If a data breach involving sensitive personal information that is processed or maintained by VA occurs and the Secretary has not determined under § 75.114 that an accelerated response is appropriate, the Secretary shall ensure that, as soon as possible after the data breach, a non-VA entity with relevant expertise in data breach assessment and risk analysis or VA's Office of Inspector General conducts an independent risk analysis of the data breach. The preparation of the risk analysis may include data mining if necessary for the development of relevant information. The risk analysis shall include a finding with supporting rationale concerning whether the circumstances create a reasonable risk that sensitive personal information potentially may be misused. If the risk analysis concludes that the data breach presents a reasonable risk for the potential misuse of sensitive personal information, the risk analysis must also contain operational recommendations for responding to the data breach. Each risk analysis, regardless of findings and operational recommendations, shall also address all relevant information concerning the data breach, including the following: (a) Nature of the event (loss, theft, unauthorized access). 
(b) Description of the event, including: (1) Date of occurrence; (2) Data elements involved, including any personally identifiable information, such as full name, social security number, date of birth, home address, account number, disability code; (3) Number of individuals affected or potentially affected; (4) Individuals or groups affected or potentially affected; (5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; (6) Time the data has been out of VA control; (7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); and (8) Known misuses of data containing sensitive personal information, if an…
38:38:2.0.1.1.32.2.364.6 38 Pensions, Bonuses, and Veterans' Relief I   75 PART 75—INFORMATION SECURITY MATTERS B Subpart B—Data Breaches   § 75.116 Secretary determination. VA       (a) Upon receipt of a risk analysis prepared under this subpart, the Secretary will consider the findings and other information contained in the risk analysis to determine whether the data breach caused a reasonable risk for the potential misuse of sensitive personal information. If the Secretary finds that such a reasonable risk does not exist, the Secretary will take no further action under this subpart. However, if the Secretary finds that such a reasonable risk exists, the Secretary will take responsive action as specified in this subpart based on the potential harms to individuals subject to a data breach. (b) In determining whether the data breach resulted in a reasonable risk for the potential misuse of the compromised sensitive personal information, the Secretary shall consider all factors that the Secretary, in his or her discretion, considers relevant to the decision, including: (1) The likelihood that the sensitive personal information will be or has been made accessible to and usable by unauthorized persons; (2) Known misuses, if any, of the same or similar sensitive personal information; (3) Any assessment of the potential harm to the affected individuals provided in the risk analysis; (4) Whether the credit protection services that VA may offer under 38 U.S.C. 
5724 may assist record subjects in avoiding or mitigating the results of identity theft based on the VA sensitive personal information that had been compromised; (5) Whether private entities are required under Federal law to offer credit protection services to individuals if the same or similar data of the private entities had been similarly compromised; and (6) The recommendations, if any, concerning the offer of, or benefits to be derived from, credit protection services in this case that are in the risk analysis report.
38:38:2.0.1.1.32.2.364.7 38 Pensions, Bonuses, and Veterans' Relief I   75 PART 75—INFORMATION SECURITY MATTERS B Subpart B—Data Breaches   § 75.117 Notification. VA       (a) With respect to individuals found under this subpart by the Secretary to be subject to a reasonable risk for the potential misuse of any sensitive personal information, the Secretary will promptly provide written notification by first-class mail to the individual (or the next of kin if the individual is deceased) at the last known address of the individual. The notification may be sent in one or more mailings as information is available and will include the following: (1) A brief description of what happened, including the date[s] of the data breach and of its discovery if known; (2) To the extent possible, a description of the types of personal information that were involved in the data breach (e.g., full name, Social Security number, date of birth, home address, account number, disability code); (3) A brief description of what the agency is doing to investigate the breach, to mitigate losses, and to protect against any further breach of the data; (4) Contact procedures for those wishing to ask questions or learn additional information, which will include a toll-free telephone number, an e-mail address, Web site, and/or postal address; (5) Steps individuals should take to protect themselves from the risk of identity theft, including steps to obtain fraud alerts (alerts of any key changes to such reports and on demand personal access to credit reports and scores), if appropriate, and instruction for obtaining other credit protection services offered under this subpart; and (6) A statement whether the information was encrypted or protected by other means, when determined such information would be beneficial and would not compromise the security of the system. 
(b) In those instances where there is insufficient, or out-of-date contact information that precludes direct written notification to an individual subject to a data breach, a substitute form of notice may be provided, such as a conspicuous posting on the home page of VA's Web site and notification in major print and broadcast media, including major…
38:38:2.0.1.1.32.2.364.8 38 Pensions, Bonuses, and Veterans' Relief I   75 PART 75—INFORMATION SECURITY MATTERS B Subpart B—Data Breaches   § 75.118 Other credit protection services. VA       (a) With respect to individuals found under this subpart by the Secretary to be subject to a reasonable risk for the potential misuse of any sensitive personal information under this subpart, the Secretary may offer one or more of the following as warranted based on considerations specified in paragraph (b) of this section: (1) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; (2) Data breach analysis; (3) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; and/or (4) One year of identity theft insurance with $20,000.00 coverage at $0 deductible. (b) Consistent with the requirements of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq. ) as interpreted and applied by the Federal Trade Commission, the notice to the individual offering other credit protection services will explain how the individual may obtain the services, including the information required to be submitted by the individual to obtain the services, and the time period within which the individual must act to take advantage of the credit protection services offered. (c) In determining whether any or all of the credit protection services specified in paragraph (a) of this section will be offered to individuals subject to a data breach, the Secretary will consider the following: (1) The data elements involved; (2) The number of individuals affected or potentially affected; (3) The likelihood the sensitive personal information will be or has been made accessible to and usable by unauthorized persons; (4) The risk of potential harm to the affected individuals; and (5) The ability to mitigate the risk of harm. 
(c) The Secretary will take action to obtain data mining and data breach analyses services, as appropriate, to obtain information relevant for making determinations under this subpart.
38:38:2.0.1.1.32.2.364.9 38 Pensions, Bonuses, and Veterans' Relief I   75 PART 75—INFORMATION SECURITY MATTERS B Subpart B—Data Breaches   § 75.119 Finality of Secretary determination. VA       A determination made by the Secretary under this subpart will be a final agency decision.


CREATE TABLE cfr_sections (
    section_id TEXT PRIMARY KEY,
    title_number INTEGER,
    title_name TEXT,
    chapter TEXT,
    subchapter TEXT,
    part_number TEXT,
    part_name TEXT,
    subpart TEXT,
    subpart_name TEXT,
    section_number TEXT,
    section_heading TEXT,
    agency TEXT,
    authority TEXT,
    source_citation TEXT,
    amendment_citations TEXT,
    full_text TEXT
);
CREATE INDEX idx_cfr_title ON cfr_sections(title_number);
CREATE INDEX idx_cfr_part ON cfr_sections(part_number);
CREATE INDEX idx_cfr_agency ON cfr_sections(agency);