Editorial Notes
References in Text
Section 230(b)(1) of the Homeland Security Act of 2002, referred to in subsec. (h)(3)(A), is section 230(b)(1) of title II of Pub. L. 107–296, as added by Pub. L. 114–113, div. N, title II, § 223(a)(6), Dec. 18, 2015, 129 Stat. 2964, which was redesignated section 2213(b)(1) of Pub. L. 107–296 by section 2(g)(2)(I) of Pub. L. 115–278, Nov. 16, 2018, 132 Stat. 4178, and is classified to section 663(b)(1) of Title 6, Domestic Security.
The Homeland Security Act of 2002, referred to in subsec. (l)(1), is Pub. L. 107–296, Nov. 25, 2002, 116 Stat. 2135. Title XXII of the Act is classified generally to subchapter XVIII (§ 651 et seq.) of chapter 1 of Title 6, Domestic Security. For complete classification of this Act to the Code, see Short Title note set out under section 101 of Title 6 and Tables.
Prior Provisions
Provisions similar to this section were contained in sections 3533 and 3543 of this title prior to repeal by Pub. L. 113–283.
Amendments
2021—Subsec. (b)(7) to (9). Pub. L. 116–283, § 1705(1), added pars. (7) and (8) and redesignated former par. (7) as (9).
Subsec. (l). Pub. L. 116–283, § 1705(2), added subsec. (l).
2019—Subsecs. (j), (k). Pub. L. 116–92 added subsec. (j) and redesignated former subsec. (j) as (k).
2018—Subsec. (a)(5). Pub. L. 115–390 inserted “and section 1326 of title 41” after “compliance with the requirements of this subchapter”.
2015—Subsec. (b)(6)(B). Pub. L. 114–113, § 224(e), inserted “, operating, and maintaining” after “deploying”.
Subsecs. (h) to (j). Pub. L. 114–113, § 229(a), added subsecs. (h) to (j).
Statutory Notes and Related Subsidiaries
Change of Name
Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019.
No TikTok on Government Devices
Pub. L. 117–328, div. R, Dec. 29, 2022, 136 Stat. 5258, provided that:
“SEC. 101. SHORT TITLE.
“This division may be cited as the ‘No TikTok on Government Devices Act’.
“SEC. 102. PROHIBITION ON THE USE OF TIKTOK.
“(a) Definitions.—In this section—
“(1)
the term ‘covered application’ means the social networking service TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited;
“(2)
the term ‘executive agency’ has the meaning given that term in
section 133 of title 41, United States Code; and
“(b) Prohibition on the Use of TikTok.—
“(1) In general.—
Not later than 60 days after the date of the enactment of this Act [
Dec. 29, 2022], the Director of the
Office of Management and Budget, in consultation with the Administrator of General Services, the Director of the Cybersecurity and Infrastructure Security Agency, the Director of National Intelligence, and the
Secretary of Defense, and consistent with the
information security requirements under subchapter II of
chapter 35 of title 44, United States Code, shall develop standards and guidelines for executive agencies requiring the removal of any covered application from
information technology.
“(2) National security and research exceptions.—The standards and guidelines developed under paragraph (1) shall include—
“(A)
exceptions for law enforcement activities, national security interests and activities, and security researchers; and
“(B)
for any authorized use of a covered application under an exception, requirements for executive agencies to develop and document risk mitigation actions for such use.”
Breaches
Pub. L. 113–283, § 2(d), Dec. 18, 2014, 128 Stat. 3085, provided that:
“(1) Requirements.—The Director of the Office of Management and Budget shall ensure that data breach notification policies and guidelines are updated periodically and require—
“(A) except as provided in paragraph (4), notice by the affected agency to each committee of Congress described in section 3554(c)(1) of title 44, United States Code, as added by subsection (a), the Committee on the Judiciary of the Senate, and the Committee on the Judiciary of the House of Representatives, which shall—
“(i)
be provided expeditiously and not later than 30 days after the date on which the agency discovered the unauthorized acquisition or access; and
“(ii) include—
“(I)
information about the breach, including a summary of any information that the agency knows on the date on which notification is provided about how the breach occurred;
“(II)
an estimate of the number of individuals affected by the breach, based on information that the agency knows on the date on which notification is provided, including an assessment of the risk of harm to affected individuals;
“(III)
a description of any circumstances necessitating a delay in providing notice to affected individuals; and
“(IV)
an estimate of whether and when the agency will provide notice to affected individuals; and
“(B)
notice by the affected agency to affected individuals, pursuant to data breach notification policies and guidelines, which shall be provided as expeditiously as practicable and without unreasonable delay after the agency discovers the unauthorized acquisition or access.
“(2) National security; law enforcement; remediation.—
The Attorney General, the head of an element of the
intelligence community (as such term is defined under section 3(4) of the
National Security Act of 1947 (
50 U.S.C. 3003(4)), or the
Secretary of Homeland Security may delay the notice to affected individuals under paragraph (1)(B) if the notice would disrupt a law enforcement investigation, endanger national security, or hamper security remediation actions.
“(3) Reports.—
“(A) Director of omb.—During the first 2 years beginning after the date of enactment of this Act [Dec. 18, 2014], the Director of the Office of Management and Budget shall, on an annual basis—
“(i)
assess agency implementation of data breach notification policies and guidelines in aggregate; and
“(B) Secretary of homeland security.—
During the first 2 years beginning after the date of enactment of this Act, the
Secretary of Homeland Security shall include an assessment of the status of agency implementation of data breach notification policies and guidelines in the requirements under
section 3553(b)(2)(B) of title 44, United States Code.
“(5) Rule of construction.—
Nothing in paragraph (1) shall be construed to alter any authority of a Federal agency or department.”
Similar provisions were contained in Pub. L. 113–282, § 7(b), Dec. 18, 2014, 128 Stat. 3071.