38 U.S.C. § 5726

1. (a)
   1. (1)Not later than 30 days after the last day of a fiscal quarter, the Secretary shall submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives a report on any data breach with respect to sensitive personal information processed or maintained by the Department that occurred during that quarter.
   2. (2)Each report submitted under paragraph (1) shall identify, for each data breach covered by the report—
      1. (A)the Administration and facility of the Department responsible for processing or maintaining the sensitive personal information involved in the data breach; and
      2. (B)the status of any remedial or corrective action with respect to the data breach.
2. (b)
   1. (1)In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that the Secretary determines is significant, the Secretary shall provide notice of such breach to the Committees on Veterans’ Affairs of the Senate and House of Representatives.
   2. (2)In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that is the sensitive personal information of a member of the Army, Navy, Air Force, or Marine Corps or a civilian officer or employee of the Department of Defense that the Secretary determines is significant under paragraph (1), the Secretary shall provide the notice required under paragraph (1) to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives in addition to the Committees on Veterans’ Affairs of the Senate and House of Representatives.
   3. (3)Notice under paragraphs (1) and (2) shall be provided promptly following the discovery of such a data breach and the implementation of any measures necessary to determine the scope of the breach, prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.