U.S. Congress - Text of H.R.1841 as Introduced in House Data Accountability and Trust Act (DATA) of 2011
The easiest way to email your members of Congress
Donate NowH.R.1841 - Data Accountability and Trust Act (DATA) of 2011
To protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach.
Loading Bill Text
Rollover any line of text to comment and/or link to it.
HR 1841 IHCommentsClose CommentsPermalink
112th CONGRESSCommentsClose CommentsPermalink
1st SessionCommentsClose CommentsPermalink
H. R. 1841CommentsClose CommentsPermalink
To protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach.CommentsClose CommentsPermalink
IN THE HOUSE OF REPRESENTATIVESCommentsClose CommentsPermalink
May 11, 2011CommentsClose CommentsPermalink
May 11, 2011CommentsClose CommentsPermalink
Mr. STEARNS (for himself and Mr. MATHESON) introduced the following bill; which was referred to the Committee on Energy and CommerceCommentsClose CommentsPermalink
A BILLCommentsClose CommentsPermalink
To protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach.CommentsClose CommentsPermalink
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,CommentsClose CommentsPermalink
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘Data Accountability and Trust Act (DATA) of 2011’.CommentsClose CommentsPermalink
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
(a) General Security Policies and Procedures-CommentsClose CommentsPermalink
(1) REGULATIONS- Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under
(A) the size of, and the nature, scope, and complexity of the activities engaged in by, such person;CommentsClose CommentsPermalink
(B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; andCommentsClose CommentsPermalink
(C) the cost of implementing such safeguards.CommentsClose CommentsPermalink
(2) REQUIREMENTS- Such regulations shall require the policies and procedures to include the following:CommentsClose CommentsPermalink
(A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.CommentsClose CommentsPermalink
(B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.CommentsClose CommentsPermalink
(C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system maintained by such person that contains such electronic data, which shall include regular monitoring for a breach of security of such system.CommentsClose CommentsPermalink
(D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.CommentsClose CommentsPermalink
(E) A process for disposing of obsolete data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or undecipherable.CommentsClose CommentsPermalink
(3) TREATMENT OF ENTITIES GOVERNED BY OTHER LAW- In promulgating the regulations under this subsection, the Commission may determine to be in compliance with this subsection any person who is required under any other Federal law to maintain standards and safeguards for information security and protection of personal information that provide equal or greater protection than those required under this subsection.CommentsClose CommentsPermalink
(b) Destruction of Obsolete Paper Records Containing Personal Information-CommentsClose CommentsPermalink
(1) STUDY- Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the practicality of requiring a standard method or methods for the destruction of obsolete paper documents and other non-electronic data containing personal information by persons engaged in interstate commerce who own or possess such paper documents and non-electronic data. The study shall consider the cost, benefit, feasibility, and effect of a requirement of shredding or other permanent destruction of such paper documents and non-electronic data.CommentsClose CommentsPermalink
(2) REGULATIONS- The Commission may promulgate regulations under
(A) the improper disposal of obsolete paper documents and other non-electronic data creates a reasonable risk of identity theft, fraud, or other unlawful conduct;CommentsClose CommentsPermalink
(B) such a requirement would be effective in preventing identity theft, fraud, or other unlawful conduct;CommentsClose CommentsPermalink
(C) the benefit in preventing identity theft, fraud, or other unlawful conduct would outweigh the cost to persons subject to such a requirement; andCommentsClose CommentsPermalink
(D) compliance with such a requirement would be practicable.CommentsClose CommentsPermalink
In enforcing any such regulations, the Commission may determine to be in compliance with such regulations any person who is required under any other Federal law to dispose of obsolete paper documents and other non-electronic data containing personal information if such other Federal law provides equal or greater protection of personal information than the regulations promulgated under this subsection.CommentsClose CommentsPermalink
(c) Special Requirements for Information Brokers-CommentsClose CommentsPermalink
(1) SUBMISSION OF POLICIES TO THE FTC- The regulations promulgated under subsection (a) shall require information brokers to submit their security policies to the Commission in conjunction with a notification of a breach of security under section 3 or upon request of the Commission.CommentsClose CommentsPermalink
(2) POST-BREACH AUDIT- For any information broker required to provide notification under section 3, the Commission shall conduct an audit of the information security practices of such information broker, or require the information broker to conduct an independent audit of such practices (by an independent auditor who has not audited such information broker’s security practices during the preceding 5 years). The Commission may conduct or require additional audits for a period of 5 years following the breach of security or until the Commission determines that the security practices of the information broker are in compliance with the requirements of this section and are adequate to prevent further breaches of security.CommentsClose CommentsPermalink
(3) VERIFICATION OF AND INDIVIDUAL ACCESS TO PERSONAL INFORMATION-CommentsClose CommentsPermalink
(A) VERIFICATION- Each information broker shall establish reasonable procedures to verify the accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles, or maintains that specifically identifies an individual, other than information which merely identifies an individual’s name or address.CommentsClose CommentsPermalink
(B) CONSUMER ACCESS TO INFORMATION-CommentsClose CommentsPermalink
(i) ACCESS- Each information broker shall--CommentsClose CommentsPermalink
(I) provide to each individual whose personal information it maintains, at the individual’s request at least 1 time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review any personal information regarding such individual maintained by the information broker and any other information maintained by the information broker that specifically identifies such individual, other than information which merely identifies an individual’s name or address; andCommentsClose CommentsPermalink
(II) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under subclause (I).CommentsClose CommentsPermalink
(ii) DISPUTED INFORMATION- Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, shall--CommentsClose CommentsPermalink
(I) correct any inaccuracy; orCommentsClose CommentsPermalink
(II)(aa) in the case of information that is public record information, inform the individual of the source of the information, and, if reasonably available, where a request for correction may be directed; orCommentsClose CommentsPermalink
(bb) in the case of information that is non-public information, note the information that is disputed, including the individual’s statement disputing such information, and take reasonable steps to independently verify such information under the procedures outlined in subparagraph (A) if such information can be independently verified.CommentsClose CommentsPermalink
(iii) LIMITATIONS- An information broker may limit the access to information required under subparagraph (B) in the following circumstances:CommentsClose CommentsPermalink
(I) If access of the individual to the information is limited by law or legally recognized privilege.CommentsClose CommentsPermalink
(II) If the information is used for a legitimate governmental or fraud prevention purpose that would be compromised by such access.CommentsClose CommentsPermalink
(iv) RULEMAKING- The Commission shall issue regulations, as necessary, under
(C) TREATMENT OF ENTITIES GOVERNED BY OTHER LAW- The Commission may promulgate rules (under
(4) REQUIREMENT OF AUDIT LOG OF ACCESSED AND TRANSMITTED INFORMATION- Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under
(5) PROHIBITION ON PRETEXTING BY INFORMATION BROKERS-CommentsClose CommentsPermalink
(A) PROHIBITION ON OBTAINING PERSONAL INFORMATION BY FALSE PRETENSES- It shall be unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by--CommentsClose CommentsPermalink
(i) making a false, fictitious, or fraudulent statement or representation to any person; orCommentsClose CommentsPermalink
(ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.CommentsClose CommentsPermalink
(B) PROHIBITION ON SOLICITATION TO OBTAIN PERSONAL INFORMATION UNDER FALSE PRETENSES- It shall be unlawful for an information broker to request a person to obtain personal information or any other information relating to any other person, if the information broker knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subparagraph (A).CommentsClose CommentsPermalink
(d) Exemption for Telecommunications Carrier, Cable Operator, Provider of Information Service, or Interactive Computer Service- Nothing in this section shall apply to any electronic communication by a third party stored by a telecommunications carrier (as defined in section 3 of the Communications Act of 1934 (
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) Nationwide Notification- Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data--CommentsClose CommentsPermalink
(1) notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security; andCommentsClose CommentsPermalink
(2) notify the Commission.CommentsClose CommentsPermalink
(b) Special Notification Requirement for Certain Entities-CommentsClose CommentsPermalink
(1) THIRD PARTY AGENTS- In the event of a breach of security by any third party entity that has been contracted to maintain or process data in electronic form containing personal information on behalf of any other person who owns or possesses such data, such third party entity shall be required only to notify such person of the breach of security. Upon receiving such notification from such third party, such person shall provide the notification required under subsection (a).CommentsClose CommentsPermalink
(2) TELECOMMUNICATIONS CARRIERS, CABLE OPERATORS, PROVIDERS OF INFORMATION SERVICE, AND INTERACTIVE COMPUTER SERVICES- If a telecommunications carrier (as defined in section 3 of the Communications Act of 1934 (
(3) BREACH OF HEALTH INFORMATION- If the Commission receives a notification of a breach of security and determines that information included in such breach is individually identifiable health information (as such term is defined in section 1171(6) of the Social Security Act (
(c) Timeliness of Notification- All notifications required under subsection (a) shall be made as promptly as possible and without unreasonable delay following the discovery of a breach of security of the system and consistent with any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.CommentsClose CommentsPermalink
(d) Method and Content of Notification-CommentsClose CommentsPermalink
(1) DIRECT NOTIFICATION-CommentsClose CommentsPermalink
(A) METHOD OF NOTIFICATION- A person required to provide notification to individuals under subsection (a)(1) shall be in compliance with such requirement if the person provides conspicuous and clearly identified notification by one of the following methods (provided the selected method can reasonably be expected to reach the intended individual):CommentsClose CommentsPermalink
(i) Written notification.CommentsClose CommentsPermalink
(ii) Email notification, if--CommentsClose CommentsPermalink
(I) the person’s primary method of communication with the individual is by email; orCommentsClose CommentsPermalink
(II) the individual has consented to receive such notification and the notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (
(B) CONTENT OF NOTIFICATION- Regardless of the method by which notification is provided to an individual under subparagraph (A), such notification shall include--CommentsClose CommentsPermalink
(i) a description of the personal information that was acquired by an unauthorized person;CommentsClose CommentsPermalink
(ii) a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the breach of security or the information the person maintained about that individual;CommentsClose CommentsPermalink
(iii) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, and instructions to the individual on requesting such reports from the person;CommentsClose CommentsPermalink
(iv) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; andCommentsClose CommentsPermalink
(v) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.CommentsClose CommentsPermalink
(2) SUBSTITUTE NOTIFICATION-CommentsClose CommentsPermalink
(A) CIRCUMSTANCES GIVING RISE TO SUBSTITUTE NOTIFICATION- A person required to provide notification to individuals under subsection (a)(1) may provide substitute notification in lieu of the direct notification required by paragraph (1) if--CommentsClose CommentsPermalink
(i) the person owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals; andCommentsClose CommentsPermalink
(ii) such direct notification is not feasible due to--CommentsClose CommentsPermalink
(I) excessive cost to the person required to provide such notification relative to the resources of such person, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A); orCommentsClose CommentsPermalink
(II) lack of sufficient contact information for the individual required to be notified.CommentsClose CommentsPermalink
(B) FORM OF SUBSTITUTE NOTICE- Such substitute notification shall include--CommentsClose CommentsPermalink
(i) email notification to the extent that the person has email addresses of individuals to whom it is required to provide notification under subsection (a)(1);CommentsClose CommentsPermalink
(ii) a conspicuous notice on the Internet website of the person (if such person maintains such a website); andCommentsClose CommentsPermalink
(iii) notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.CommentsClose CommentsPermalink
(C) CONTENT OF SUBSTITUTE NOTICE- Each form of substitute notice under this paragraph shall include--CommentsClose CommentsPermalink
(i) notice that individuals whose personal information is included in the breach of security are entitled to receive, at no cost to the individuals, consumer credit reports on a quarterly basis for a period of 2 years, and instructions on requesting such reports from the person; andCommentsClose CommentsPermalink
(ii) a telephone number by which an individual can, at no cost to such individual, learn whether that individual’s personal information is included in the breach of security.CommentsClose CommentsPermalink
(3) FEDERAL TRADE COMMISSION REGULATIONS AND GUIDANCE-CommentsClose CommentsPermalink
(A) REGULATIONS- Not later than 1 year after the date of enactment of this Act, the Commission shall, by regulations under
(B) GUIDANCE- In addition, the Commission shall provide and publish general guidance with respect to compliance with this section. Such guidance shall include--CommentsClose CommentsPermalink
(i) a description of written or email notification that complies with the requirements of paragraph (1); andCommentsClose CommentsPermalink
(ii) guidance on the content of substitute notification under paragraph (2)(B), including the extent of notification to print and broadcast media that complies with the requirements of such paragraph.CommentsClose CommentsPermalink
(e) Other Obligations Following Breach- A person required to provide notification under subsection (a) shall, upon request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual, consumer credit reports from at least one of the major credit reporting agencies beginning not later than 2 months following the discovery of a breach of security and continuing on a quarterly basis for a period of 2 years thereafter.CommentsClose CommentsPermalink
(f) Exemption-CommentsClose CommentsPermalink
(1) GENERAL EXEMPTION- A person shall be exempt from the requirements under this section if, following a breach of security, such person determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.CommentsClose CommentsPermalink
(2) PRESUMPTIONS-CommentsClose CommentsPermalink
(A) ENCRYPTION- The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.CommentsClose CommentsPermalink
(B) ADDITIONAL METHODOLOGIES OR TECHNOLOGIES- Not later than 270 days after the date of the enactment of this Act, the Commission shall, by rule pursuant to
(3) FTC GUIDANCE- Not later than 1 year after the date of the enactment of this Act, the Commission shall issue guidance regarding the application of the exemption in paragraph (1).CommentsClose CommentsPermalink
(g) Website Notice of Federal Trade Commission- If the Commission, upon receiving notification of any breach of security that is reported to the Commission under subsection (a)(2), finds that notification of such a breach of security via the Commission’s Internet website would be in the public interest or is necessary for the protection of consumers, the Commission shall place such a notice in a clear and conspicuous location on its Internet website.CommentsClose CommentsPermalink
(h) FTC Study on Notification in Languages in Addition to English- Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the practicality and cost effectiveness of requiring the notification required by subsection (d)(1) to be provided in a language in addition to English to individuals known to speak only such other language.CommentsClose CommentsPermalink
SEC. 4. ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission-CommentsClose CommentsPermalink
(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES- A violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (
(2) POWERS OF COMMISSION- The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (
(3) RULES-CommentsClose CommentsPermalink
(A) IN GENERAL- The Commission shall promulgate, under
(B) LIMITATION- In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.CommentsClose CommentsPermalink
(b) Enforcement by State Attorneys General-CommentsClose CommentsPermalink
(1) CIVIL ACTION- In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any person who violates section 2 or 3 of this Act, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction--CommentsClose CommentsPermalink
(A) to enjoin further violation of such section by the defendant;CommentsClose CommentsPermalink
(B) to compel compliance with such section; orCommentsClose CommentsPermalink
(C) to obtain civil penalties in the amount determined under paragraph (2).CommentsClose CommentsPermalink
(2) CIVIL PENALTIES-CommentsClose CommentsPermalink
(A) CALCULATION-CommentsClose CommentsPermalink
(i) TREATMENT OF VIOLATIONS OF SECTION 2- For purposes of paragraph (1)(C) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each day that a person is not in compliance with the requirements of such section shall be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000.CommentsClose CommentsPermalink
(ii) TREATMENT OF VIOLATIONS OF SECTION 3- For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000.CommentsClose CommentsPermalink
(B) ADJUSTMENT FOR INFLATION- Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amounts specified in clauses (i) and (ii) of subparagraph (A) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.CommentsClose CommentsPermalink
(3) INTERVENTION BY THE FTC-CommentsClose CommentsPermalink
(A) NOTICE AND INTERVENTION- The State shall provide prior written notice of any action under paragraph (1) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Commission shall have the right--CommentsClose CommentsPermalink
(i) to intervene in the action;CommentsClose CommentsPermalink
(ii) upon so intervening, to be heard on all matters arising therein; andCommentsClose CommentsPermalink
(iii) to file petitions for appeal.CommentsClose CommentsPermalink
(B) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING- If the Commission has instituted a civil action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.CommentsClose CommentsPermalink
(4) CONSTRUCTION- For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--CommentsClose CommentsPermalink
(A) conduct investigations;CommentsClose CommentsPermalink
(B) administer oaths or affirmations; orCommentsClose CommentsPermalink
(C) compel the attendance of witnesses or the production of documentary and other evidence.CommentsClose CommentsPermalink
(c) Affirmative Defense for a Violation of Section 3- It shall be an affirmative defense to an enforcement action brought under subsection (a), or a civil action brought under subsection (b), based on a violation of section 3, that all of the personal information contained in the data in electronic form that was acquired as a result of a breach of security of the defendant is public record information that is lawfully made available to the general public from Federal, State, or local government records and was acquired by the defendant from such records.CommentsClose CommentsPermalink
SEC. 5. DEFINITIONS.
In this Act the following definitions apply:CommentsClose CommentsPermalink
(1) BREACH OF SECURITY- The term ‘breach of security’ means the unauthorized acquisition of data in electronic form containing personal information.CommentsClose CommentsPermalink
(2) COMMISSION- The term ‘Commission’ means the Federal Trade Commission.CommentsClose CommentsPermalink
(3) DATA IN ELECTRONIC FORM- The term ‘data in electronic form’ means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.CommentsClose CommentsPermalink
(4) ENCRYPTION- The term ‘encryption’ means the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.CommentsClose CommentsPermalink
(5) IDENTITY THEFT- The term ‘identity theft’ means the unauthorized use of another person’s personal information for the purpose of engaging in commercial transactions under the name of such other person.CommentsClose CommentsPermalink
(6) INFORMATION BROKER- The term ‘information broker’ means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.CommentsClose CommentsPermalink
(7) PERSONAL INFORMATION-CommentsClose CommentsPermalink
(A) DEFINITION- The term ‘personal information’ means an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:CommentsClose CommentsPermalink
(i) Social Security number.CommentsClose CommentsPermalink
(ii) Driver’s license number or other State identification number.CommentsClose CommentsPermalink
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.CommentsClose CommentsPermalink
(B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule, modify the definition of ‘personal information’ under subparagraph (A) to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.CommentsClose CommentsPermalink
(8) PUBLIC RECORD INFORMATION- The term ‘public record information’ means information about an individual which has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.CommentsClose CommentsPermalink
(9) NON-PUBLIC INFORMATION- The term ‘non-public information’ means information about an individual that is of a private nature and neither available to the general public nor obtained from a public record.CommentsClose CommentsPermalink
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly--CommentsClose CommentsPermalink
(1) requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2; andCommentsClose CommentsPermalink
(2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of data in electronic form containing personal information.CommentsClose CommentsPermalink
(b) Additional Preemption-CommentsClose CommentsPermalink
(1) IN GENERAL- No person other than the attorney general of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.CommentsClose CommentsPermalink
(2) PROTECTION OF CONSUMER PROTECTION LAWS- This subsection shall not be construed to limit the enforcement of any State consumer protection law by an attorney general of a State.CommentsClose CommentsPermalink
(c) Protection of Certain State Laws- This Act shall not be construed to preempt the applicability of--CommentsClose CommentsPermalink
(1) State trespass, contract, or tort law; orCommentsClose CommentsPermalink
(2) other State laws to the extent that those laws relate to acts of fraud.CommentsClose CommentsPermalink
(d) Preservation of FTC Authority- Nothing in this Act may be construed in any way to limit or affect the Commission’s authority under any other provision of law, including the authority to issue advisory opinions (under subpart A of part 1 of title 16, Code of Federal Regulations), policy statements, or guidance regarding this Act.CommentsClose CommentsPermalink
SEC. 7. EFFECTIVE DATE AND SUNSET.
(a) Effective Date- This Act shall take effect 1 year after the date of enactment of this Act.CommentsClose CommentsPermalink
(b) Sunset- This Act shall cease to be in effect on September 30, 2016.CommentsClose CommentsPermalink
SEC. 8. AUTHORIZATION OF APPROPRIATIONS.
There is authorized to be appropriated to the Commission $1,000,000 for each of fiscal years 2012 through 2016 to carry out this Act.CommentsClose CommentsPermalink
Vote on This Bill
-
Share This Bill
More Share via Email
