S.1490 - Personal Data Privacy and Security Act of 2009
A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
| Version | Word Count | Changes From Previous Version | Percent Change |
|---|---|---|---|
| Introduced in Senate | 12,336 | n/a | n/a |
| Reported in Senate | 12,530 | 33 | 7% |
S 1490 IS RS
Calendar No. 208
111th CONGRESS
1st Session
S. 1490
To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
IN THE SENATE OF THE UNITED STATES
July 22, 2009
Mr. LEAHY (for himself, Mr. BROWN, Mr. FEINGOLD, Mr. SCHUMER, Mr. SPECTER, Mr. CARDIN, and Mr. HATCH) introduced the following bill; which was read twice and referred to the Committee on the Judiciary
November 5, 2009
Reported by Mr. LEAHY, with amendments
[Omit the part struck through and insert the part printed in italic]
A BILL
To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title- This Act may be cited as the ‘Personal Data Privacy and Security Act of 2009’.
(b) Table of Contents- The table of contents of this Act is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY
Sec. 101. Organized criminal activity in connection with unauthorized access to personally identifiable information.
Sec. 102. Concealment of security breaches involving sensitive personally identifiable information.
Sec. 103. Review and amendment of Federal sentencing guidelines related to fraudulent access to or misuse of digitized or electronic personally identifiable information.
Sec. 104. Effects of identity theft on bankruptcy proceedings.
TITLE II--DATA BROKERS
Sec. 201. Transparency and accuracy of data collection.
Sec. 202. Enforcement.
Sec. 203. Relation to State laws.
Sec. 204. Effective date.
TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A--A Data Privacy and Security Program
Sec. 301. Purpose and applicability of data privacy and security program.
Sec. 302. Requirements for a personal data privacy and security program.
Sec. 303. Enforcement.
Sec. 304. Relation to other laws.
Subtitle B--Security Breach Notification
Sec. 311. Notice to individuals.
Sec. 312. Exemptions.
Sec. 313. Methods of notice.
Sec. 314. Content of notification.
Sec. 315. Coordination of notification with credit reporting agencies.
Sec. 316. Notice to law enforcement.
Sec. 317. Enforcement.
Sec. 318. Enforcement by State attorneys general.
Sec. 319. Effect on Federal and State law.
Sec. 320. Authorization of appropriations.
Sec. 321. Reporting on risk assessment exemptions.
Sec. 322. Effective date.
SEC. 2. FINDINGS.
Congress finds that--
(1) databases of personally identifiable information are increasingly prime targets of hackers, identity thieves, rogue employees, and other criminals, including organized and sophisticated criminal operations;
(2) identity theft is a serious threat to the Nation’s economic stability, homeland security, the development of e-commerce, and the privacy rights of Americans;
(3) over 9,300,000 individuals were victims of identity theft in America last year;
(4) security breaches are a serious threat to consumer confidence, homeland security, e-commerce, and economic stability;
(5) it is important for business entities that own, use, or license personally identifiable information to adopt reasonable procedures to ensure the security, privacy, and confidentiality of that personally identifiable information;
(6) individuals whose personal information has been compromised or who have been victims of identity theft should receive the necessary information and assistance to mitigate their damages and to restore the integrity of their personal information and identities;
(7) data brokers have assumed a significant role in providing identification, authentication, and screening services, and related data collection and analyses for commercial, nonprofit, and government operations;
(8) data misuse and use of inaccurate data have the potential to cause serious or irreparable harm to an individual’s livelihood, privacy, and liberty and undermine efficient and effective business and government operations;
(9) there is a need to ensure that data brokers conduct their operations in a manner that prioritizes fairness, transparency, accuracy, and respect for the privacy of consumers;
(10) government access to commercial data can potentially improve safety, law enforcement, and national security; and
(11) because government use of commercial data containing personal information potentially affects individual privacy, and law enforcement and national security operations, there is a need for Congress to exercise oversight over government use of commercial data.
SEC. 3. DEFINITIONS.
In this Act, the following definitions shall apply:
(1) AGENCY- The term ‘agency’ has the same meaning given such term in
(2) AFFILIATE- The term ‘affiliate’ means persons related by common ownership or by corporate control.
(3) BUSINESS ENTITY- The term ‘business entity’ means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture established to make a profit, or nonprofit.
(4) IDENTITY THEFT- The term ‘identity theft’ means a violation of
(5) DATA BROKER- The term ‘data broker’ means a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.
(6) DATA FURNISHER- The term ‘data furnisher’ means any agency, organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or nonprofit that serves as a source of information for a data broker.
(7) ENCRYPTION- The term ‘encryption’--
(A) means the protection of data in electronic form, in storage or in transit, using an encryption technology that has been adopted by [Struck out->]an established[<-Struck out] a widely accepted standards setting body or, has been widely accepted as an effective industry practice which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
(B) includes appropriate management and safeguards of such cryptographic keys so as to protect the integrity of the encryption.
(8) PERSONAL ELECTRONIC RECORD-
(A) IN GENERAL- The term ‘personal electronic record’ means data associated with an individual contained in a database, networked or integrated databases, or other data system that is provided to nonaffiliated third parties and includes sensitive personally identifiable information about that individual.
(B) EXCLUSIONS- The term ‘personal electronic record’ does not include--
(i) any data related to an individual’s past purchases of consumer goods; or
(ii) any proprietary assessment or evaluation of an individual or any proprietary assessment or evaluation of information about an individual.
(9) PERSONALLY IDENTIFIABLE INFORMATION- The term ‘personally identifiable information’ means any information, or compilation of information, in electronic or digital form serving as a means of identification, as defined by section 1028(d)(7) of title 18, United States Code.
(10) PUBLIC RECORD SOURCE- The term ‘public record source’ means the Congress, any agency, any State or local government agency, the government of the District of Columbia and governments of the territories or possessions of the United States, and Federal, State or local courts, courts martial and military commissions, that maintain personally identifiable information in records available to the public.
(11) SECURITY BREACH-
(A) IN GENERAL- The term ‘security breach’ means compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, acquisition of or access to sensitive personally identifiable information that is unauthorized or in excess of authorization and which present a significant risk of harm or fraud to any individual.
(B) EXCLUSION- The term ‘security breach’ does not include--
(i) a good faith acquisition of sensitive personally identifiable information by a business entity or agency, or an employee or agent of a business entity or agency, if the sensitive personally identifiable information is not subject to further unauthorized disclosure; or
(ii) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements.
(12) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- The term ‘sensitive personally identifiable information’ means any information or compilation of information, in electronic or digital form that includes--
(A) an individual’s first and last name or first initial and last name in combination with any 1 of the following data elements:
(i) A non-truncated social security number, driver’s license number, passport number, or alien registration number.
(ii) Any 2 of the following:
(I) Home address or telephone number.
(II) Mother’s maiden name, if identified as such.
(III) Month, day, and year of birth.
(iii) Unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation.
(iv) A unique account identifier, electronic identification number, user name, or routing code in combination with any associated security code, access code, or password that is required for an individual to obtain money, goods, services, or any other thing of value; or
(B) a financial account number or credit or debit card number in combination with any security code, access code, or password that is required for an individual to obtain credit, withdraw funds, or engage in a financial transaction.
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY
SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.
SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.
(a) In General- Chapter 47 of title 18, United States Code, is amended by adding at the end the following:
‘Sec. 1041. Concealment of security breaches involving sensitive personally identifiable information
‘(a) Whoever, having knowledge of a security breach and of the obligation to provide notice of such breach to individuals under title III of the Personal Data Privacy and Security Act of 2009, and having not otherwise qualified for an exemption from providing notice under section 312 of such Act, intentionally and willfully conceals the fact of such security breach and which breach causes economic damage to 1 or more persons, shall be fined under this title or imprisoned not more than 5 years, or both.
‘(b) For purposes of subsection (a), the term ‘person’ has the same meaning as in section 1030(e)(12) of title 18, United States Code.
‘(c) Any person seeking an exemption under section 312(b) of the Personal Data Privacy and Security Act of 2009 shall be immune from prosecution under this section if the United States Secret Service does not indicate, in writing, that such notice be given under section 312(b)(3) of such Act.’.
(b) Conforming and Technical Amendments- The table of sections for chapter 47 of title 18, United States Code, is amended by adding at the end the following:
‘1041. Concealment of security breaches involving personally identifiable information.’.
(c) Enforcement Authority-
(1) IN GENERAL- The United States Secret Service shall have the authority to investigate offenses under this section.
(2) NONEXCLUSIVITY- The authority granted in paragraph (1) shall not be exclusive of any existing authority held by any other Federal agency.
SEC. 103. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.
(a) Review and Amendment- The United States Sentencing Commission, pursuant to its authority under
(1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of title 18, United States Code; and
(2) any other relevant provision.
(b) Requirements- In carrying out the requirements of this section, the United States Sentencing Commission shall--
(1) ensure that the Federal sentencing guidelines (including its policy statements) reflect--
(A) the serious nature of the offenses and penalties referred to in this Act;
(B) the growing incidences of theft and misuse of digitized or electronic personally identifiable information, including identity theft; and
(C) the need to deter, prevent, and punish such offenses;
(2) consider the extent to which the Federal sentencing guidelines (including its policy statements) adequately address violations of the sections amended by this Act to--
(A) sufficiently deter and punish such offenses; and
(B) adequately reflect the enhanced penalties established under this Act;
(3) maintain reasonable consistency with other relevant directives and sentencing guidelines;
(4) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;
(5) consider whether to provide a sentencing enhancement for those convicted of the offenses described in subsection (a), if the conduct involves--
(A) the online sale of fraudulently obtained or stolen personally identifiable information;
(B) the sale of fraudulently obtained or stolen personally identifiable information to an individual who is engaged in terrorist activity or aiding other individuals engaged in terrorist activity; or
(C) the sale of fraudulently obtained or stolen personally identifiable information to finance terrorist activity or other criminal activities;
(6) make any necessary conforming changes to the Federal sentencing guidelines to ensure that such guidelines (including its policy statements) as described in subsection (a) are sufficiently stringent to deter, and adequately reflect crimes related to fraudulent access to, or misuse of, personally identifiable information; and
(7) ensure that the Federal sentencing guidelines adequately meet the purposes of sentencing under
(c) Emergency Authority to Sentencing Commission- The United States Sentencing Commission may, as soon as practicable, promulgate amendments under this section in accordance with procedures established in section 21(a) of the Sentencing Act of 1987 (
SEC. 104. EFFECTS OF IDENTITY THEFT ON BANKRUPTCY PROCEEDINGS.
(a) Definitions-
(1) by redesignating paragraph (27B) as paragraph (27D); and
(2) by inserting after paragraph (27A) the following:
‘(27) The term ‘identity theft’ means a fraud committed or attempted using the personally identifiable information of another person.
‘(28) The term ‘identity theft victim’ means a debtor who, as a result of an identify theft in any consecutive 12-month period during the 3-year period before the date on which a petition is filed under this title, had claims asserted against such debtor in excess of the least of--
‘(A) $20,000;
‘(B) 50 percent of all claims asserted against such debtor; or
‘(C) 25 percent of the debtor’s gross income for such 12-month period.’.
(b) Prohibition-
‘(8) No judge, United States trustee (or bankruptcy administrator, if any), trustee, or other party in interest may file a motion under paragraph (2) if the debtor is an identity theft victim.’.
TITLE II--DATA BROKERS
SEC. 201. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.
(a) In General- Data brokers engaging in interstate commerce are subject to the requirements of this title for any product or service offered to third parties that allows access or use of sensitive personally identifiable information.
(b) Limitation- Notwithstanding any other provision of this title, this section shall not apply to--
(1) any product or service offered by a data broker engaging in interstate commerce where such product or service is currently subject to, and in compliance with, access and accuracy protections similar to those under subsections (c) through [Struck out->](f)[<-Struck out] (e) of this section under the Fair Credit Reporting Act (
(2) any data broker that is subject to regulation under the Gramm-Leach-Bliley Act (
(3) any data broker currently subject to and in compliance with the data security requirements for such entities under the Health Insurance Portability and Accountability Act (
(4) information in a personal electronic record that--
(A) the data broker has identified as inaccurate, but maintains for the purpose of aiding the data broker in preventing inaccurate information from entering an individual’s personal electronic record; and
(B) is not maintained primarily for the purpose of transmitting or otherwise providing that information, or assessments based on that information, to nonaffiliated third parties; [Struck out->]and[<-Struck out]
(5) information concerning proprietary methodologies, techniques, scores, or algorithms relating to fraud prevention not normally provided to third parties in the ordinary course of business[Struck out->].[<-Struck out]; and
(6) information that is used for legitimate governmental or fraud prevention purposes that would be compromised by disclosure to the individual.
(c) Disclosures to Individuals-
(1) IN GENERAL- A data broker shall, upon the request of an individual, disclose to such individual for a reasonable fee all personal electronic records pertaining to that individual maintained specifically for disclosure to third parties that request information on that individual in the ordinary course of business in the databases or systems of the data broker at the time of such request.
(2) INFORMATION ON HOW TO CORRECT INACCURACIES- The disclosures required under paragraph (1) shall also include guidance to individuals on procedures for correcting inaccuracies.
(d) Disclosure to Individuals of Adverse Actions Taken by Third Parties-
(1) IN GENERAL- In addition to any other rights established under this Act, if a person takes any adverse action with respect to any individual that is based, in whole or in part, on any information contained in a personal electronic record that is maintained, updated, or otherwise owned or possessed by a data broker, such person, at no cost to the affected individual, shall provide--
(A) written or electronic notice of the adverse action to the individual;
(B) to the individual, in writing or electronically, the name, address, and telephone number of the data broker that furnished the information to the person;
(C) a copy of the information such person obtained from the data broker; and
(D) information to the individual on the procedures for correcting any inaccuracies in such information.
(2) ACCEPTED METHODS OF NOTICE- A person shall be in compliance with the notice requirements under paragraph (1) if such person provides written or electronic notice in the same manner and using the same methods as are required under section 313(1) of this Act.
(e) Accuracy Resolution Process-
(1) INFORMATION FROM A PUBLIC RECORD OR LICENSOR-
(A) IN GENERAL- If an individual notifies a data broker of a dispute as to the completeness or accuracy of information disclosed to such individual under subsection (c) that is obtained from a public record source or a license agreement, such data broker shall determine within 30 days whether the information in its system accurately and completely records the information available from the licensor or public record source.
(B) DATA BROKER ACTIONS- If a data broker determines under subparagraph (A) that the information in its systems does not accurately and completely record the information available from a public record source or licensor, the data broker shall--
(i) correct any inaccuracies or incompleteness, and provide to such individual written notice of such changes; and
(ii) provide such individual with the contact information of the public record or licensor.
(2) INFORMATION NOT FROM A PUBLIC RECORD SOURCE OR LICENSOR- If an individual notifies a data broker of a dispute as to the completeness or accuracy of information not from a public record or licensor that was disclosed to the individual under subsection (c), the data broker shall, within 30 days of receiving notice of such dispute--
(A) review and consider free of charge any information submitted by such individual that is relevant to the completeness or accuracy of the disputed information; and
(B) correct any information found to be incomplete or inaccurate and provide notice to such individual of whether and what information was corrected, if any.
(3) EXTENSION OF REVIEW PERIOD- The 30-day period described in paragraph (1) may be extended for not more than 30 additional days if a data broker receives information from the individual during the initial 30-day period that is relevant to the completeness or accuracy of any disputed information.
(4) NOTICE IDENTIFYING THE DATA FURNISHER- If the completeness or accuracy of any information not from a public record source or licensor that was disclosed to an individual under subsection (c) is disputed by such individual, the data broker shall provide, upon the request of such individual, the contact information of any data furnisher that provided the disputed information.
(5) DETERMINATION THAT DISPUTE IS FRIVOLOUS OR IRRELEVANT-
(A) IN GENERAL- Notwithstanding paragraphs (1) through (3), a data broker may decline to investigate or terminate a review of information disputed by an individual under those paragraphs if the data broker reasonably determines that the dispute by the individual is frivolous or intended to perpetrate fraud.
(B) NOTICE- A data broker shall notify an individual of a determination under subparagraph (A) within a reasonable time by any means available to such data broker.
SEC. 202. ENFORCEMENT.
(a) Civil Penalties-
(1) PENALTIES- Any data broker that violates the provisions of section 201 shall be subject to civil penalties of not more than $1,000 per violation per day while such violations persist, up to a maximum of $250,000 per violation.
(2) INTENTIONAL OR WILLFUL VIOLATION- A data broker that intentionally or willfully violates the provisions of section 201 shall be subject to additional penalties in the amount of $1,000 per violation per day, to a maximum of an additional $250,000 per violation, while such violations persist.
(3) EQUITABLE RELIEF- A data broker engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.
(4) OTHER RIGHTS AND REMEDIES- The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.
(b) Federal Trade Commission Authority- Any data broker shall have the provisions of this title enforced against it by the Federal Trade Commission.
(c) State Enforcement-
(1) CIVIL ACTIONS- In any case in which the attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the acts or practices of a data broker that violate this title, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to--
(A) enjoin that act or practice;
(B) enforce compliance with this title; or
(C) obtain civil penalties of not more than $1,000 per violation per day while such violations persist, up to a maximum of $250,000 per violation.
(2) NOTICE-
(A) IN GENERAL- Before filing an action under this subsection, the attorney general of the State involved shall provide to the Federal Trade Commission--
(i) a written notice of that action; and
(ii) a copy of the complaint for that action.
(B) EXCEPTION- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in subparagraph (A) before the filing of the action.
(C) NOTIFICATION WHEN PRACTICABLE- In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Federal Trade Commission as soon after the filing of the complaint as practicable.
(3) FEDERAL TRADE COMMISSION AUTHORITY- Upon receiving notice under paragraph (2), the Federal Trade Commission shall have the right to--
(A) move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);
(B) intervene in an action brought under paragraph (1); and
(C) file petitions for appeal.
(4) PENDING PROCEEDINGS- If the Federal Trade Commission has instituted a proceeding or civil action for a violation of this title, no attorney general of a State may, during the pendency of such proceeding or civil action, bring an action under this subsection against any defendant named in such civil action for any violation that is alleged in that civil action.
(5) RULE OF CONSTRUCTION- For purposes of bringing any civil action under paragraph (1), nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
(A) conduct investigations;
(B) administer oaths and affirmations; or
(C) compel the attendance of witnesses or the production of documentary and other evidence.
(6) VENUE; SERVICE OF PROCESS-
(A) VENUE- Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under
(B) SERVICE OF PROCESS- In an action brought under this subsection, process may be served in any district in which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(d) No Private Cause of Action- Nothing in this title establishes a private cause of action against a data broker for violation of any provision of this title.
SEC. 203. RELATION TO STATE LAWS.
No requirement or prohibition may be imposed under the laws of any State with respect to any subject matter regulated under section 201, relating to individual access to, and correction of, personal electronic records held by data brokers.
SEC. 204. EFFECTIVE DATE.
This title shall take effect 180 days after the date of enactment of this Act.
TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A--A Data Privacy and Security Program
SEC. 301. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY PROGRAM.
(a) Purpose- The purpose of this subtitle is to ensure standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personally identifiable information.
(b) In General- A business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons is subject to the requirements for a data privacy and security program under section 302 for protecting sensitive personally identifiable information.
(c) Limitations- Notwithstanding any other obligation under this subtitle, this subtitle does not apply to:
(1) FINANCIAL INSTITUTIONS- Financial institutions--
(A) subject to the data security requirements and implementing regulations under the Gramm-Leach-Bliley Act (
(B) subject to--
(i) examinations for compliance with the requirements of this Act by a Federal Functional Regulator or State Insurance Authority (as those terms are defined in section 509 of the Gramm-Leach-Bliley Act (
(ii) compliance with part 314 of title 16, Code of Federal Regulations.
(2) HIPAA REGULATED ENTITIES-
(A) COVERED ENTITIES- Covered entities subject to the Health Insurance Portability and Accountability Act of 1996 (
(B) BUSINESS ENTITIES- A business entity shall be deemed in compliance with the privacy and security program requirements under section 302 if the business entity is acting as a ‘business associate’ as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (
(3) PUBLIC RECORDS- Public records not otherwise subject to a confidentiality or nondisclosure requirement, or information obtained from a news report or periodical.
(d) Safe Harbors-
(1) IN GENERAL- A business entity shall be deemed in compliance with the privacy and security program requirements under section 302 if the business entity complies with or provides protection equal to industry standards or widely accepted as an effective industry practice, as identified by the Federal Trade Commission, that are applicable to the type of sensitive personally identifiable information involved in the ordinary course of business of such business entity.
(2) LIMITATION- Nothing in this subsection shall be construed to permit, and nothing does permit, the Federal Trade Commission to issue regulations requiring, or according greater legal status to, the implementation of or application of a specific technology or technological specifications for meeting the requirements of this title.
SEC. 302. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY PROGRAM.
(a) Personal Data Privacy and Security Program- A business entity subject to this subtitle shall comply with the following safeguards and any other administrative, technical, or physical safeguards identified by the Federal Trade Commission in a rulemaking process pursuant to
(1) SCOPE- A business entity shall implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities.
(2) DESIGN- The personal data privacy and security program shall be designed to--
(A) ensure the privacy, security, and confidentiality of sensitive personally identifying information;
(B) protect against any anticipated vulnerabilities to the privacy, security, or integrity of sensitive personally identifying information; and
(C) protect against unauthorized access to use of sensitive personally identifying information that could [Struck out->]result in substantial harm or inconvenience to any individual.(3)[<-Struck out] create a significant risk of harm or fraud to any individual.
(3) RISK ASSESSMENT- A business entity shall--
(A) identify reasonably foreseeable internal and external vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information or systems containing sensitive personally identifiable information;
(B) assess the likelihood of and potential damage from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information;
(C) assess the sufficiency of its policies, technologies, and safeguards in place to control and minimize risks from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information; and
(D) assess the vulnerability of sensitive personally identifiable information during destruction and disposal of such information, including through the disposal or retirement of hardware.
(4) RISK MANAGEMENT AND CONTROL- Each business entity shall--
(A) design its personal data privacy and security program to control the risks identified under paragraph (3); and
(B) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of the activities of the business entity that--
(i) control access to systems and facilities containing sensitive personally identifiable information, including controls to authenticate and permit access only to authorized individuals;
(ii) detect actual and attempted fraudulent, unlawful, or unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information, including by employees and other individuals otherwise authorized to have access;
(iii) protect sensitive personally identifiable information during use, transmission, storage, and disposal by encryption, redaction, or access controls that are widely accepted as an effective industry practice or industry standard, or other reasonable means (including as directed for disposal of records under section 628 of the Fair Credit Reporting Act (
(iv) ensure that sensitive personally identifiable information is properly destroyed and disposed of, including during the destruction of computers, diskettes, and other electronic media that contain sensitive personally identifiable information;
(v) trace access to records containing sensitive personally identifiable information so that the business entity can determine who accessed or acquired such sensitive personally identifiable information pertaining to specific individuals; and
(vi) ensure that no third party or customer of the business entity is authorized to access or acquire sensitive personally identifiable information without the business entity first performing sufficient due diligence to ascertain, with reasonable certainty, that such information is being sought for a valid legal purpose.
(b) Training- Each business entity subject to this subtitle shall take steps to ensure employee training and supervision for implementation of the data security program of the business entity.
(c) Vulnerability Testing-
(1) IN GENERAL- Each business entity subject to this subtitle shall take steps to ensure regular testing of key controls, systems, and procedures of the personal data privacy and security program to detect, prevent, and respond to attacks or intrusions, or other system failures.
(2) FREQUENCY- The frequency and nature of the tests required under paragraph (1) shall be determined by the risk assessment of the business entity under subsection (a)(3).
(d) Relationship to Service Providers- In the event a business entity subject to this subtitle engages service providers not subject to this subtitle, such business entity shall--
(1) exercise appropriate due diligence in selecting those service providers for responsibilities related to sensitive personally identifiable information, and take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and
(2) require those service providers by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing entities subject to section 301, this section, and subtitle B.
(e) Periodic Assessment and Personal Data Privacy and Security Modernization- Each business entity subject to this subtitle shall on a regular basis monitor, evaluate, and adjust, as appropriate, its data privacy and security program in light of any relevant changes in--
(1) technology;
(2) the sensitivity of personally identifiable information;
(3) internal or external threats to personally identifiable information; and
(4) the changing business arrangements of the business entity, such as--
(A) mergers and acquisitions;
(B) alliances and joint ventures;
(C) outsourcing arrangements;
(D) bankruptcy; and
(E) changes to sensitive personally identifiable information systems.
(f) Implementation Timeline- Not later than 1 year after the date of enactment of this Act, a business entity subject to the provisions of this subtitle shall implement a data privacy and security program pursuant to this subtitle.
SEC. 303. ENFORCEMENT.
(a) Civil Penalties-
(1) IN GENERAL- Any business entity that violates the provisions of sections 301 or 302 shall be subject to civil penalties of not more than $5,000 per violation per day while such a violation exists, with a maximum of $500,000 per violation.
(2) INTENTIONAL OR WILLFUL VIOLATION- A business entity that intentionally or willfully violates the provisions of sections 301 or 302 shall be subject to additional penalties in the amount of $5,000 per violation per day while such a violation exists, with a maximum of an additional $500,000 per violation.
(3) EQUITABLE RELIEF- A business entity engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.
(4) OTHER RIGHTS AND REMEDIES- The rights and remedies available under this section are cumulative and shall not affect any other rights and remedies available under law.
(b) Federal Trade Commission Authority- Any data broker [Struck out->]data broker[<-Struck out] business entity shall have the provisions of this subtitle enforced against it by the Federal Trade Commission.
(c) State Enforcement-
(1) CIVIL ACTIONS- In any case in which the attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the acts or practices of a data broker that [Struck out->]data broker[<-Struck out] business entity that violate this subtitle, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to--
(A) enjoin that act or practice;
(B) enforce compliance with this subtitle; or
(C) obtain civil penalties of not more than $5,000 per violation per day while such violations persist, up to a maximum of $500,000 per violation.
(2) NOTICE-
(A) IN GENERAL- Before filing an action under this subsection, the attorney general of the State involved shall provide to the Federal Trade Commission--
(i) a written notice of that action; and
(ii) a copy of the complaint for that action.
(B) EXCEPTION- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action.
(C) NOTIFICATION WHEN PRACTICABLE- In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Federal Trade Commission as soon after the filing of the complaint as practicable.
(3) FEDERAL TRADE COMMISSION AUTHORITY- Upon receiving notice under paragraph (2), the Federal Trade Commission shall have the right to--
(A) move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);
(B) intervene in an action brought under paragraph (1); and
(C) file petitions for appeal.
(4) PENDING PROCEEDINGS- If the Federal Trade Commission has instituted a proceeding or action for a violation of this subtitle or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.
(5) RULE OF CONSTRUCTION- For purposes of bringing any civil action under paragraph (1) nothing in this subtitle shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
(A) conduct investigations;
(B) administer oaths and affirmations; or
(C) compel the attendance of witnesses or the production of documentary and other evidence.
(6) VENUE; SERVICE OF PROCESS-
(A) VENUE- Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under
(B) SERVICE OF PROCESS- In an action brought under this subsection, process may be served in any district in which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(d) No Private Cause of Action- Nothing in this subtitle establishes a private cause of action against a business entity for violation of any provision of this subtitle.
SEC. 304. RELATION TO OTHER LAWS.
(a) In General- No State may require any business entity subject to this subtitle to comply with any requirements with respect to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information.
(b) Limitations- Nothing in this subtitle shall be construed to modify, limit, or supersede the operation of the Gramm-Leach-Bliley Act or its implementing regulations, including those adopted or enforced by States.
Subtitle B--Security Breach Notification
SEC. 311. NOTICE TO INDIVIDUALS.
(a) In General- Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information shall, following the discovery of a security breach of such information, notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.
(b) Obligation of Owner or Licensee-
(1) NOTICE TO OWNER OR LICENSEE- Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the agency or business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information.
(2) NOTICE BY OWNER, LICENSEE OR OTHER DESIGNATED THIRD PARTY- Nothing in this subtitle shall prevent or abrogate an agreement between an agency or business entity required to give notice under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a).
(3) BUSINESS ENTITY RELIEVED FROM GIVING NOTICE- A business entity obligated to give notice under subsection (a) shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security breach, or other designated third party, provides such notification.
(c) Timeliness of Notification-
(1) IN GENERAL- All notifications required under this section shall be made without unreasonable delay following the discovery by the agency or business entity of a security breach.
(2) REASONABLE DELAY- Reasonable delay under this subsection may include any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data system and provide notice to law enforcement when required.
(3) BURDEN OF PROOF- The agency, business entity, owner, or licensee required to provide notification under this section shall have the burden of demonstrating that all notifications were made as required under this subtitle, including evidence demonstrating the reasons for any delay.
(d) Delay of Notification Authorized for Law Enforcement Purposes-
(1) IN GENERAL- If a Federal law enforcement agency determines that the notification required under this section would impede a criminal investigation, such notification shall be delayed upon written notice from such Federal law enforcement agency to the agency or business entity that experienced the breach.
(2) EXTENDED DELAY OF NOTIFICATION- If the notification required under subsection (a) is delayed pursuant to paragraph (1), an agency or business entity shall give notice 30 days after the day such law enforcement delay was invoked unless a Federal law enforcement agency provides written notification that further delay is necessary.
(3) LAW ENFORCEMENT IMMUNITY- No cause of action shall lie in any court against any law enforcement agency for acts relating to the delay of notification for law enforcement purposes under this subtitle.
SEC. 312. EXEMPTIONS.
(a) Exemption for National Security and Law Enforcement-
(1) IN GENERAL- Section 311 shall not apply to an agency or business entity if the agency or business entity certifies, in writing, that notification of the security breach as required by section 311 reasonably could be expected to--
(A) cause damage to the national security; or
(B) hinder a law enforcement investigation or the ability of the agency to conduct law enforcement investigations.
(2) LIMITS ON CERTIFICATIONS- An agency or business entity may not execute a certification under paragraph (1) to--
(A) conceal violations of law, inefficiency, or administrative error;
(B) prevent embarrassment to a business entity, organization, or agency; or
(C) restrain competition.
(3) NOTICE- In every case in which an agency or business agency issues a certification under paragraph (1), the certification, accompanied by a description of the factual basis for the certification, shall be immediately provided to the United States Secret Service.
(4) SECRET SERVICE REVIEW OF CERTIFICATIONS-
(A) IN GENERAL- The United States Secret Service may review a certification provided by an agency under paragraph (3), and shall review a certification provided by a business entity under paragraph (3), to determine whether an exemption under paragraph (1) is merited. Such review shall be completed not later than 10 business days after the date of receipt of the certification, except as provided in paragraph (5)(C).
(B) NOTICE- Upon completing a review under subparagraph (A) the United States Secret Service shall immediately notify the agency or business entity, in writing, of its determination of whether an exemption under paragraph (1) is merited.
(C) EXEMPTION- The exemption under paragraph (1) shall not apply if the United States Secret Service determines under this paragraph that the exemption is not merited.
(5) ADDITIONAL AUTHORITY OF THE SECRET SERVICE-
(A) IN GENERAL- In determining under paragraph (4) whether an exemption under paragraph (1) is merited, the United States Secret Service may request additional information from the agency or business entity regarding the basis for the claimed exemption, if such additional information is necessary to determine whether the exemption is merited.
(B) REQUIRED COMPLIANCE- Any agency or business entity that receives a request for additional information under subparagraph (A) shall cooperate with any such request.
(C) TIMING- If the United States Secret Service requests additional information under subparagraph (A), the United States Secret Service shall notify the agency or business entity not later than 10 business days after the date of receipt of the additional information whether an exemption under paragraph (1) is merited.
(b) Safe Harbor- An agency or business entity will be exempt from the notice requirements under section 311, if--
(1) a risk assessment concludes that--
(A) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the encryption of such information establishing a presumption that no significant risk exists; or
(B) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the rendering of such sensitive personally identifiable information indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, which are widely accepted as an effective industry practice, or an effective industry standard, establishing a presumption that no significant risk exists;
(2) without unreasonable delay, but not later than 45 days after the discovery of a security breach, unless extended by the United States Secret Service, the agency or business entity notifies the United States Secret Service, in writing, of--
(A) the results of the risk assessment; and
(B) its decision to invoke the risk assessment exemption; and
(3) the United States Secret Service does not indicate, in writing, within 10 business days from receipt of the decision, that notice should be given.
(c) Financial Fraud Prevention Exemption-
(1) IN GENERAL- A business entity will be exempt from the notice requirement under section 311 if the business entity utilizes or participates in a security program that--
(A) is designed to block the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and
(B) provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions.
(2) LIMITATION- The exemption by this subsection does not apply if--
(A) the information subject to the security breach includes sensitive personally identifiable information, other than a credit card or credit card security code, of any type of the sensitive personally identifiable information identified in section 3; or
(B) the security breach includes both the individual’s credit card number and the individual’s first and last name.
SEC. 313. METHODS OF NOTICE.
An agency or business entity shall be in compliance with section 311 if it provides both:
(1) INDIVIDUAL NOTICE- Notice to individuals by 1 of the following means:
(A) Written notification to the last known home mailing address of the individual in the records of the agency or business entity.
(B) Telephone notice to the individual personally.
(C) E-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (
(2) MEDIA NOTICE- Notice to major media outlets serving a State or jurisdiction, if the number of residents of such State whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000.
SEC. 314. CONTENT OF NOTIFICATION.
(a) In General- Regardless of the method by which notice is provided to individuals under section 313, such notice shall include, to the extent possible--
(1) a description of the categories of sensitive personally identifiable information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person;
(2) a toll-free number--
(A) that the individual may use to contact the agency or business entity, or the agent of the agency or business entity; and
(B) from which the individual may learn what types of sensitive personally identifiable information the agency or business entity maintained about that individual; and
(3) the toll-free contact telephone numbers and addresses for the major credit reporting agencies.
(b) Additional Content- Notwithstanding section 319, a State may require that a notice under subsection (a) shall also include information regarding victim protection assistance provided for by that State.
SEC. 315. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.
If an agency or business entity is required to provide notification to more than 5,000 individuals under section 311(a), the agency or business entity shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act (
SEC. 316. NOTICE TO LAW ENFORCEMENT.
(a) Secret Service- Any business entity or agency shall notify the United States Secret Service of the fact that a security breach has occurred if--
(1) the number of individuals whose sensitive personally identifying information was, or is reasonably believed to have been accessed or acquired by an unauthorized person exceeds 10,000;
(2) the security breach involves a database, networked or integrated databases, or other data system containing the sensitive personally identifiable information of more than 1,000,000 individuals nationwide;
(3) the security breach involves databases owned by the Federal Government; or
(4) the security breach involves primarily sensitive personally identifiable information of individuals known to the agency or business entity to be employees and contractors of the Federal Government involved in national security or law enforcement.
(b) Notice to Other Law Enforcement Agencies- The United States Secret Service shall be responsible for notifying--
(1) the Federal Bureau of Investigation, if the security breach involves espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (
(2) the United States Postal Inspection Service, if the security breach involves mail fraud; and
(3) the attorney general of each State affected by the security breach.
(c) Timing of Notices- The notices required under this section shall be delivered as follows:
(1) Notice under subsection (a) shall be delivered as promptly as possible, but not later than 14 days after discovery of the events requiring notice.
(2) Notice under subsection (b) shall be delivered not later than 14 days after the Service receives notice of a security breach from an agency or business entity.
SEC. 317. ENFORCEMENT.
(a) Civil Actions by the Attorney General- The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.
(b) Injunctive Actions by the Attorney General-
(1) IN GENERAL- If it appears that a business entity has engaged, or is engaged, in any act or practice constituting a violation of this subtitle, the Attorney General may petition an appropriate district court of the United States for an order--
(A) enjoining such act or practice; or
(B) enforcing compliance with this subtitle.
(2) ISSUANCE OF ORDER- A court may issue an order under paragraph (1), if the court finds that the conduct in question constitutes a violation of this subtitle.
(c) Other Rights and Remedies- The rights and remedies available under this subtitle are cumulative and shall not affect any other rights and remedies available under law.
(d) Fraud Alert- Section 605A(b)(1) of the Fair Credit Reporting Act (
SEC. 318. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General-
(1) CIVIL ACTIONS- In any case in which the attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of a business entity in a practice that is prohibited under this subtitle, the State or the State or local law enforcement agency on behalf of the residents of the agency’s jurisdiction, may bring a civil action on behalf of the residents of the State or jurisdiction in a district court of the United States of appropriate jurisdiction or any other court of competent jurisdiction, including a State court, to--
(A) enjoin that practice;
(B) enforce compliance with this subtitle; or
(C) civil penalties of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.
(2) NOTICE-
(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General of the United States--
(i) written notice of the action; and
(ii) a copy of the complaint for the action.
(B) EXEMPTION-
(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subtitle, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.
(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the State attorney general files the action.
(b) Federal Proceedings- Upon receiving notice under subsection (a)(2), the Attorney General shall have the right to--
(1) move to stay the action, pending the final disposition of a pending Federal proceeding or action;
(2) initiate an action in the appropriate United States district court under section 317 and move to consolidate all pending actions, including State actions, in such court;
(3) intervene in an action brought under subsection (a)(2); and
(4) file petitions for appeal.
(c) Pending Proceedings- If the Attorney General has instituted a proceeding or action for a violation of this subtitle or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subtitle against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.
(d) Construction- For purposes of bringing any civil action under subsection (a), nothing in this subtitle regarding notification shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.
(e) Venue; Service of Process-
(1) VENUE- Any action brought under subsection (a) may be brought in--
(A) the district court of the United States that meets applicable requirements relating to venue under
(B) another court of competent jurisdiction.
(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--
(A) is an inhabitant; or
(B) may be found.
(f) No Private Cause of Action- Nothing in this subtitle establishes a private cause of action against a business entity for violation of any provision of this subtitle.
SEC. 319. EFFECT ON FEDERAL AND STATE LAW.
The provisions of this subtitle shall supersede any other provision of Federal law or any provision of law of any State relating to notification by a business entity engaged in interstate commerce or an agency of a security breach, except as provided in section 314(b).
SEC. 320. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated such sums as may be necessary to cover the costs incurred by the United States Secret Service to carry out investigations and risk assessments of security breaches as required under this subtitle.
SEC. 321. REPORTING ON RISK ASSESSMENT EXEMPTIONS.
The United States Secret Service shall report to Congress not later than 18 months after the date of enactment of this Act, and upon the request by Congress thereafter, on--
(1) the number and nature of the security breaches described in the notices filed by those business entities invoking the risk assessment exemption under section 312(b) and the response of the United States Secret Service to such notices; and
(2) the number and nature of security breaches subject to the national security and law enforcement exemptions under section 312(a), provided that such report may not disclose the contents of any risk assessment provided to the United States Secret Service pursuant to this subtitle.
SEC. 322. EFFECTIVE DATE.
This subtitle shall take effect on the expiration of the date which is 90 days after the date of enactment of this Act.
TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA
SEC. 401. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.
(a) In General- In considering contract awards totaling more than $500,000 and entered into after the date of enactment of this Act with data brokers, the Administrator of the General Services Administration shall evaluate--
(1) the data privacy and security program of a data broker to ensure the privacy and security of data containing personally identifiable information, including whether such program adequately addresses privacy and security threats created by malicious software or code, or the use of peer-to-peer file sharing software;
(2) the compliance of a data broker with such program;
(3) the extent to which the databases and systems containing personally identifiable information of a data broker have been compromised by security breaches; and
(4) the response by a data broker to such breaches, including the efforts by such data broker to mitigate the impact of such security breaches.
(b) Compliance Safe Harbor- The data privacy and security program of a data broker shall be deemed sufficient for the purposes of subsection (a), if the data broker complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of personally identifiable information involved in the ordinary course of business of such data broker.
(c) Penalties- In awarding contracts with data brokers for products or services related to access, use, compilation, distribution, processing, analyzing, or evaluating personally identifiable information, the Administrator of the General Services Administration shall--
(1) include monetary or other penalties--
(A) for failure to comply with subtitles A and B of title III; or
(B) if a contractor knows or has reason to know that the personally identifiable information being provided is inaccurate, and provides such inaccurate information; and
(2) require a data broker that engages service providers not subject to subtitle A of title III for responsibilities related to sensitive personally identifiable information to--
(A) exercise appropriate due diligence in selecting those service providers for responsibilities related to personally identifiable information;
(B) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the personally identifiable information at issue; and
(C) require such service providers, by contract, to implement and maintain appropriate measures designed to meet the objectives and requirements in title III.
(d) Limitation- The penalties under subsection (c) shall not apply to a data broker providing information that is accurately and completely recorded from a public record source or licensor.
SEC. 402. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.
(1) in paragraph (7)(C)(iii), by striking ‘and’ after the semicolon;
(2) in paragraph (8), by striking the period and inserting ‘; and’; and
(3) by adding at the end the following:
‘(9) procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the information systems or operations of the agency involving personally identifiable information (as that term is defined in section 3 of the Personal Data Privacy and Security Act of 2009) and ensuring remedial action to address any significant deficiencies.’.
SEC. 403. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL INFORMATION SERVICES CONTAINING PERSONALLY IDENTIFIABLE INFORMATION.
(a) In General- Section 208(b)(1) of the E-Government Act of 2002 (
(1) in subparagraph (A)(i), by striking ‘or’; and
(2) in subparagraph (A)(ii), by striking the period and inserting ‘; or’; and
(3) by inserting after clause (ii) the following:
‘(iii) purchasing or subscribing for a fee to personally identifiable information from a data broker (as such terms are defined in section 3 of the Personal Data Privacy and Security Act of 2009).’.
(b) Limitation- Notwithstanding any other provision of law, commencing 1 year after the date of enactment of this Act, no Federal agency may enter into a contract with a data broker to access for a fee any database consisting primarily of personally identifiable information concerning United States persons (other than news reporting or telephone directories) unless the head of such department or agency--
(1) completes a privacy impact assessment under section 208 of the E-Government Act of 2002 (
(A) such database;
(B) the name of the data broker from whom it is obtained; and
(C) the amount of the contract for use;
(2) adopts regulations that specify--
(A) the personnel permitted to access, analyze, or otherwise use such databases;
(B) standards governing the access, analysis, or use of such databases;
(C) any standards used to ensure that the personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal agency;
(D) standards limiting the retention and redisclosure of personally identifiable information obtained from such databases;
(E) procedures ensuring that such data meet standards of accuracy, relevance, completeness, and timeliness;
(F) the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases;
(G) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases;
(H) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and
(I) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases; and
(3) incorporates into the contract or other agreement totaling more than $500,000, provisions--
(A) providing for penalties--
(i) for failure to comply with title III of this Act; or
(ii) if the entity knows or has reason to know that the personally identifiable information being provided to the Federal department or agency is inaccurate, and provides such inaccurate information; and
(B) requiring a data broker that engages service providers not subject to subtitle A of title III for responsibilities related to sensitive personally identifiable information to--
(i) exercise appropriate due diligence in selecting those service providers for responsibilities related to personally identifiable information;
(ii) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the personally identifiable information at issue; and
(iii) require such service providers, by contract, to implement and maintain appropriate measures designed to meet the objectives and requirements in title III.
(c) Limitation on Penalties- The penalties under subsection (b)(3)(A) shall not apply to a data broker providing information that is accurately and completely recorded from a public record source.
(d) Study of Government Use-
(1) SCOPE OF STUDY- Not later than 180 days after the date of enactment of this Act, the Comptroller General of the United States shall conduct a study and audit and prepare a report on Federal agency actions to address the recommendations in the Government Accountability Office’s April 2006 report on agency adherence to key privacy principles in using data brokers or commercial databases containing personally identifiable information.
(2) REPORT- A copy of the report required under paragraph (1) shall be submitted to Congress.
SEC. 404. IMPLEMENTATION OF CHIEF PRIVACY OFFICER REQUIREMENTS.
(a) Designation of the Chief Privacy Officer- Pursuant to the requirements under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (division H of
(b) Duties and Responsibilities of Chief Privacy Officer- In addition to the duties and responsibilities outlined under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (division H of
(1) oversee the Department of Justice’s implementation of the requirements under section 403 to conduct privacy impact assessments of the use of commercial data containing personally identifiable information by the Department; and
(2) coordinate with the Privacy and Civil Liberties Oversight Board, established in the Intelligence Reform and Terrorism Prevention Act of 2004 (
Calendar No. 208
111th CONGRESS
1st Session
S. 1490
A BILL
To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
November 5, 2009
Reported with amendments