"Information security and breach notification requirements are imposed on some entities that own, possess, or license sensitive personal information. Information security standards are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to personally identifiable information for unauthorized purposes. Data breach notification laws require covered entities to provide notice to affected persons (e.g., cardholders, customers) about the occurrence of a data security breach involving personally identifiable information. Data security breaches occur when fraudulent accounts are created, laptops or computers are stolen or hacked, passwords are compromised, insiders or employees steal data, or discs or back-up tapes are misplaced. [...] Many data breach notification laws require covered entities to implement a breach notification policy, and include requirements for incident reporting and handling and external breach notification. Breach notification policies address whether breach notification is required, the time when notice should be given, who should provide notice, the level of risk that will trigger external notification, the contents of the notification, the means of providing the notification, and who should receive notification. In addition, such laws generally require a covered entity or a designated party to conduct a risk assessment of the likely risk of harm caused by the data breach and an assessment of the level of risk for potential misuse of information. Breach notification policies may also address when notification may be delayed and exemptions from external notification for information that is encrypted."
CRS Report for Congress, RL34120