S.1535 - Personal Data Protection and Breach Accountability Act of 2011

A bill to protect consumers by mitigating the vulnerability of personally identifiable information to theft through a security breach, providing notice and remedies to consumers in the wake of such a breach, holding companies accountable for preventable breaches, facilitating the sharing of post-breach technical information between companies, and enhancing criminal and civil penalties and other protections against the unauthorized collection or use of personally identifiable information.

| Version | Word Count | Changes From Previous Version | Percent Change |
|---|---|---|---|
| Introduced in Senate | 16,871 | n/a | n/a |
| Reported in Senate | 34,089 | 311 | 37% |

S 1535 RS

Calendar No. 182

112th CONGRESS

1st Session

S. 1535

To protect consumers by mitigating the vulnerability of personally identifiable information to theft through a security breach, providing notice and remedies to consumers in the wake of such a breach, holding companies accountable for preventable breaches, facilitating the sharing of post-breach technical information between companies, and enhancing criminal and civil penalties and other protections against the unauthorized collection or use of personally identifiable information.

IN THE SENATE OF THE UNITED STATES

September 8, 2011

Mr. BLUMENTHAL (for himself and Mr. FRANKEN) introduced the following bill; which was read twice and referred to the Committee on the Judiciary

September 22, 2011

Reported by Mr. LEAHY, with an amendment

[Strike out all after the enacting clause and insert the part printed in italic]

A BILL

To protect consumers by mitigating the vulnerability of personally identifiable information to theft through a security breach, providing notice and remedies to consumers in the wake of such a breach, holding companies accountable for preventable breaches, facilitating the sharing of post-breach technical information between companies, and enhancing criminal and civil penalties and other protections against the unauthorized collection or use of personally identifiable information.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title- This Act may be cited as the ‘Personal Data Protection and Breach Accountability Act of 2011’.

(b) Table of Contents- The table of contents of this Act is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.

TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY
Sec. 101. Concealment of security breaches involving sensitive personally identifiable information.

TITLE II--PRIVACY AND SECURITY OF SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A--A Data Privacy and Security Program
Sec. 201. Purpose and applicability of data privacy and security program.
Sec. 202. Requirements for a personal data privacy and security program.
Sec. 203. Federal enforcement.
Sec. 204. Enforcement by State Attorneys General.
Sec. 205. Supplemental enforcement by individuals.

Subtitle B--Security Breach Notification
Sec. 211. Notice to individuals.
Sec. 212. Exemptions from notice to individuals.
Sec. 213. Methods of notice to individuals.
Sec. 214. Content of notice to individuals.
Sec. 215. Remedies for security breach.
Sec. 216. Notice to credit reporting agencies.
Sec. 217. Notice to law enforcement.
Sec. 218. Federal enforcement.
Sec. 219. Enforcement by State attorneys general.
Sec. 220. Supplemental enforcement by individuals.
Sec. 221. Relation to other laws.
Sec. 222. Authorization of appropriations.
Sec. 223. Reporting on risk assessment exemptions.

Subtitle C--Post-Breach Technical Information Clearinghouse
Sec. 230. Clearinghouse information collection, maintenance, and access.
Sec. 231. Protections for clearinghouse participants.
Sec. 232. Effective date.

TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA
Sec. 301. General Services Administration review of contracts.
Sec. 302. Requirement to audit information security practices of contractors and third party business entities.
Sec. 303. Privacy impact assessment of government use of commercial information services containing sensitive personally identifiable information.
Sec. 304. FBI report on reported breaches and compliance.
Sec. 305. Department of Justice report on enforcement actions.
Sec. 306. Report on notification effectiveness.

TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT
Sec. 401. Budget compliance.

SEC. 2. FINDINGS.
Congress finds that--

(1) databases of personally identifiable information are increasingly prime targets of hackers, identity thieves, rogue employees, and other criminals, including organized and sophisticated criminal operations;

(2) identity theft is a serious threat to the Nation’s economic stability, homeland security, the development of e-commerce, and the privacy rights of Americans;

(3) over 9,300,000 individuals were victims of identity theft in America last year;

(4) security breaches are a serious threat to consumer confidence, homeland security, e-commerce, and economic stability;

(5) it is important for business entities that own, use, or license personally identifiable information to adopt reasonable procedures to ensure the security, privacy, and confidentiality of that personally identifiable information;

(6) individuals whose personal information has been compromised or who have been victims of identity theft should receive the necessary information and assistance to mitigate their damages and to restore the integrity of their personal information and identities;

(7) data brokers have assumed a significant role in providing identification, authentication, and screening services, and related data collection and analyses for commercial, nonprofit, and government operations;

(8) data misuse and use of inaccurate data have the potential to cause serious or irreparable harm to an individual’s livelihood, privacy, and liberty and undermine efficient and effective business and government operations;

(9) there is a need to ensure that data brokers conduct their operations in a manner that prioritizes fairness, transparency, accuracy, and respect for the privacy of consumers;

(10) government access to commercial data can potentially improve safety, law enforcement, and national security;

(11) because government use of commercial data containing personal information potentially affects individual privacy, and law enforcement and national security operations, there is a need for Congress to exercise oversight over government use of commercial data;

(12) over 22,960,000 cases of data breaches involving personally identifiable information were reported through July of 2011, and in 2009 through 2010, over 230,900,000 cases of personal data breaches were reported;

(13) facilitating information sharing among business entities and across sectors in the event of a breach can assist in remediating the breach and preventing similar breaches in the future;

(14) because the Federal Government has limited resources, consumers themselves play a vital and complementary role in facilitating prompt notification and protecting against future breaches of security;

(15) in addition to the immediate damages caused by security breaches, the lack of basic remedial requirements often forces individuals whose sensitive personally identifiable information is compromised as a result of a security breach to incur the economic costs of litigation to seek remedies, and the economic costs of fees required in many States to freeze compromised accounts; and

(16) victims of personal data breaches may suffer debilitating emotional and physical effects and become depressed or anxious, especially in cases of repeated or unresolved instances of data breaches.

SEC. 3. DEFINITIONS.
(a) In General- In this Act, the following definitions shall apply:

(1) AFFILIATE- The term ‘affiliate’ means persons related by common ownership or by corporate control.

(2) AGENCY- The term ‘agency’ has the meaning given such term in

(3) BUSINESS ENTITY- The term ‘business entity’ means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture established to make a profit, or nonprofit.

(4) CREDIT RATING AGENCY- The term ‘credit rating agency’ has the meaning given such term in section 3(a)(61) of the Securities Exchange Act of 1934 (

(5) CREDIT REPORT- The term ‘credit report’ means a consumer report, as that term is defined in section 603 of the Fair Credit Reporting Act (

(6) DATA BROKER- The term ‘data broker’ means a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.

(7) DESIGNATED ENTITY- The term ‘designated entity’ means the Federal Government entity designated under section 217(a).

(8) ENCRYPTION- The term ‘encryption’--

(A) means the protection of data in electronic form, in storage or in transit, using an encryption technology that has been generally accepted by experts in the field of information security that renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and

(B) includes appropriate management and safeguards of such cryptographic keys so as to protect the integrity of the encryption.

(9) IDENTITY THEFT- The term ‘identity theft’ means a violation of

(10) INTELLIGENCE COMMUNITY- The term ‘intelligence community’ includes the following:

(A) The Office of the Director of National Intelligence.

(B) The Central Intelligence Agency.

(C) The National Security Agency.

(D) The Defense Intelligence Agency.

(E) The National Geospatial-Intelligence Agency.

(F) The National Reconnaissance Office.

(G) Other offices within the Department of Defense for the collection of specialized national intelligence through reconnaissance programs.

(H) The intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Federal Bureau of Investigation, and the Department of Energy.

(I) The Bureau of Intelligence and Research of the Department of State.

(J) The Office of Intelligence and Analysis of the Department of the Treasury.

(K) The elements of the Department of Homeland Security concerned with the analysis of intelligence information, including the Office of Intelligence of the Coast Guard.

(L) Such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of National Intelligence and the head of the department or agency concerned, as an element of the intelligence community.

(11) PERSONALLY IDENTIFIABLE INFORMATION- The term ‘personally identifiable information’ means any information, or compilation of information, in electronic or digital form that is a means of identification (as defined in section 1028(d)(7) of title 18, United States Code).

(12) PUBLIC RECORD SOURCE- The term ‘public record source’ means the Congress, any agency, any State or local government agency, the government of the District of Columbia and governments of the territories or possessions of the United States, and Federal, State or local courts, courts martial and military commissions, that maintain personally identifiable information in records available to the public.

(13) SECURITY BREACH-

(A) IN GENERAL- The term ‘security breach’ means compromise of the security, confidentiality, or integrity of, or the loss of, computerized data through misrepresentation or actions that result in, or that there is a reasonable basis to conclude has resulted in--

(i) the unauthorized acquisition of sensitive personally identifiable information; or

(ii) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.

(B) EXCLUSION- The term ‘security breach’ does not include--

(i) a good faith acquisition of sensitive personally identifiable information by a business entity or agency, or an employee or agent of a business entity or agency, if the sensitive personally identifiable information is not subject to further unauthorized disclosure;

(ii) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements or the release of information obtained from a public record; or

(iii) any lawfully authorized criminal investigation or authorized investigative, protective, or intelligence activities that are carried out by or on behalf of any element of the intelligence community and conducted in accordance with the United States laws, authorities, and regulations governing such intelligence activities.

(14) SECURITY FREEZE- The term ‘security freeze’ means a notice, at the request of the consumer and subject to exceptions in section 215(b), that prohibits the consumer reporting agency from releasing all or any part of the consumer’s credit report or any information derived from it without the express authorization of the consumer.

(15) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- The term ‘sensitive personally identifiable information’ means any information or compilation of information, in electronic or digital form that includes the following:

(A) An individual’s first and last name or first initial and last name in combination with any 1 of the following data elements:

(i) Home address.

(ii) Telephone number of the individual.

(iii) Mother’s maiden name.

(iv) Month, day, and year of birth.

(B) A non-truncated social security number, driver’s license number, passport number, or alien registration number or other government-issued unique identification number.

(C) Information about an individual’s geographic location that is in whole or in part generated by or derived from that individual’s use of a wireless communication device or other electronic device, excluding telephone and instrument numbers and network or Internet Protocol addresses.

(D) Unique biometric data such as a finger print, voice print, face print, a retina or iris image, or any other unique physical representation.

(E) A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, health insurance policy or subscriber identification number, or routing code in combination with any associated security code, access code, or password if the code or password is required for an individual to obtain money, goods, services, or any other thing of value.

(F) Not less than 2 of the following data elements:

(i) An individual’s first and last name or first initial and last name.

(ii) A unique account identifier, including a financial account number or credit or debit card number in combination with any security, electronic identification number, user name, or routing code.

(iii) Any security code, access code, or password that is required for an individual to obtain credit, withdraw funds, or engage in a financial transaction, or source code that could be used to generate such codes and passwords.

(iv) Information regarding an individual’s medical history, mental or physical medical condition, or medical treatment or diagnosis by a health care professional.

(G) Any other combination of data elements that could allow unauthorized access to or acquisition of the information described in subparagraph (A), (B), (C), (D), (E), or (F), including--

(i) a unique account identifier;

(ii) an electronic identification number;

(iii) a user name;

(iv) a routing code; or

(v) any associated security code, access code, or password or any associated security questions and answers that could allow unauthorized access to the account.

(16) SERVICE PROVIDER-

(A) IN GENERAL- The term ‘service provider’ means a business entity that--

(i) provides electronic data transmission, routing, intermediate and transient storage, or connections to the system or network of the business entity;

(ii) is not the sender or the intended recipient of the data;

(iii) is not ordinarily expected to select or modify the content of the electronic data; and

(iv) transmits, routes, stores, or provides connections for personal information in a manner that personal information is undifferentiated from other types of data that such business entity transmits, routes, stores, or provides connections.

(B) SAVINGS CLAUSE- Any such business entity shall be treated as a service provider under this Act only to the extent that the business entity is engaged in the provision of the transmission, routing, intermediate and transient storage or connections described in subparagraph (A).

(b) Modified Definition by Rulemaking- The Federal Trade Commission may, by rule promulgated under

TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY

SEC. 101. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.
(a) In General- Chapter 47 of title 18, United States Code, is amended by adding at the end the following:

‘Sec. 1041. Concealment of security breaches involving sensitive personally identifiable information
‘(a) Whoever, having knowledge of a security breach and of the fact that notice of such security breach is required under title II of the Personal Data Protection and Breach Accountability Act of 2011, intentionally or willfully conceals the fact of such security breach, shall, in the event that such security breach results in economic harm or substantial emotional distress to 1 or more persons, be fined under this title or imprisoned not more than 5 years, or both.
‘(b) For purposes of subsection (a), the term ‘person’ has the same meaning as in section 1030(e)(12) of title 18, United States Code.
‘(c) Any person seeking an exemption under section 212(b) of the Personal Data Protection and Breach Accountability Act of 2011 shall be immune from prosecution under this section if the United States Secret Service does not indicate, in writing, that such notice be given under section 212(b)(1)(B) of the Personal Data Protection and Breach Accountability Act of 2011.’.
(b) Conforming and Technical Amendments- The table of sections for chapter 47 of title 18, United States Code, is amended by adding at the end the following:
‘1041. Concealment of security breaches involving sensitive personally identifiable information.’.
(c) Enforcement Authority-
(1) IN GENERAL- The United States Secret Service and the Federal Bureau of Investigation shall have the authority to investigate offenses under this section.
(2) NONEXCLUSIVITY- The authority granted in paragraph (1) shall not be exclusive of any existing authority held by any other Federal agency.
SEC. 103. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS.Section 1030(c) of title 18, United States Code , is amended--
(1) by inserting ‘or conspiracy’ after ‘or an attempt’ each place it appears, except for paragraph (4);
(2) in paragraph (2)(B)--
(A) in clause (i), by inserting ‘, or attempt or conspiracy or conspiracy to commit an offense,’ after ‘the offense’;
(B) in clause (ii), by inserting ‘, or attempt or conspiracy or conspiracy to commit an offense,’ after ‘the offense’; and
(C) in clause (iii), by inserting ‘(or, in the case of an attempted offense, would, if completed, have obtained)’ after ‘information obtained’; and
(3) in paragraph (4)--
(A) in subparagraph (A)--
(i) by striking clause (ii);
(ii) by striking ‘in the case of--’ and all that follows through ‘an offense under subsection (a)(5)(B)’ and inserting ‘in the case of an offense, or an attempt or conspiracy to commit an offense, under subsection (a)(5)(B)’;
(iii) by inserting ‘or conspiracy’ after ‘if the offense’;
(iv) by redesignating subclauses (I) through (VI) as clauses (i) through (vi), respectively, and adjusting the margin accordingly; and
(v) in clause (vi), as so redesignated, by striking ‘; or’ and inserting a semicolon;
(B) in subparagraph (B)--
(i) by striking clause (ii);
(ii) by striking ‘in the case of--’ and all that follows through ‘an offense under subsection (a)(5)(A)’ and inserting ‘in the case of an offense, or an attempt or conspiracy to commit an offense, under subsection (a)(5)(A)’;
(iii) by inserting ‘or conspiracy’ after ‘if the offense’; and
(iv) by striking ‘; or’ and inserting a semicolon;
(C) in subparagraph (C)--
(i) by striking clause (ii);
(ii) by striking ‘in the case of--’ and all that follows through ‘an offense or an attempt to commit an offense’ and inserting ‘in the case of an offense, or an attempt or conspiracy to commit an offense,’; and
(iii) by striking ‘; or’ and inserting a semicolon;
(D) in subparagraph (D)--
(i) by striking clause (ii);
(ii) by striking ‘in the case of--’ and all that follows through ‘an offense or an attempt to commit an offense’ and inserting ‘in the case of an offense, or an attempt or conspiracy to commit an offense,’; and
(iii) by striking ‘; or’ and inserting a semicolon;
(E) in subparagraph (E), by inserting ‘or conspires’ after ‘offender attempts’;
(F) in subparagraph (F), by inserting ‘or conspires’ after ‘offender attempts’; and
(G) in subparagraph (G)(ii), by inserting ‘or conspiracy’ after ‘an attempt’.
SEC. 104. FALSE NOTIFICATION.(a) In General- It shall be unlawful for an individual to send a notification of a breach of security that is false or intentionally misleading in order to obtain sensitive personally identifiable information in an effort to defraud an individual.
(b) Penalty- Any person that violates subsection (a) shall be fined not more than $1,000,000, imprisoned not more than 5 years, or both.
(c) Rule of Construction- For purposes of this section, any single action or conduct that violates subsection (a) with respect to multiple protected computers shall be construed to be a single violation.
SEC. 1052. UNAUTHORIZED INSTALLATION OF PERSONAL INFORMATION COLLECTION FEATURESMANIPULATION OF INTERNET TRAFFIC ON A USER’S COMPUTER.
(a) Definition- In this section, the term ‘protected computer’ has the meaning given the term in

(b) In General- It shall be unlawful for a person that is not an authorized user of a protected computer to cause the installation on the protected computer of software that collects sensitive personally identifiable information from an authorized user, unless the person--(1)Prohibition- CommentsClose CommentsPermalink

(1) IN GENERAL- Unless a service provider provides a clear and conspicuous disclosure of such collection; and(2)data collected in the process of intercepting a web search or query entered by an authorized user of a protected computer, and obtains the consent of an authorized user of the protected computer prior to any collection of sensitive personally identifiable information.(c) Collection and Use of Personal Information in Web Searches- It shall be unlawful for an Internet service provider or proxy servsuch action, it shall be unlawful for a service provider to knowingly or intentionally-- CommentsClose CommentsPermalink

(1A) bypass the display of search engine results and redirect web searches or queries entered by an authorized user of a protected computer directly to a commercial website, counterfeit web page, or targeted advertisement and derive an economic benefit from such activity; or CommentsClose CommentsPermalink

(2B) monitor, manipulate, aggregate, and market the data collected in the process of intercepting a web search or query entered by an authorized user of a protected computer and derive an economic benefit from such activity. CommentsClose CommentsPermalink

(d) Other Collection of Personal Information-

(1) IN GENERAL- It shall be unlawful for a person who is not an authorized user of a protected computer to cause the installation on the protected computer of software that engages in any of the collection practices described in paragraph (2), unless the person--

(A) provides a clear and conspicuous disclosure of such collection; and

(B) obtains the consent of an authorized user of the protected computer prior to any such collection of information.

(2) COLLECTION PRACTICES DESCRIBED- The collection practices described in this paragraph are--

(A) the use of a keystroke-logging function that records all or substantially all keystrokes made by an owner or operator of a computer and transfers that information from the computer to another person;

(B) the collection of data in a manner that--

(i) correlates sensitive personally identifiable information with a history of--

(I) all, or substantially all, of the websites visited by an owner or operator, other than websites operated by the person providing such software; or

(II) all, or substantially all, of the web searches conducted by an owner or operator other than search data collected by a search engine; and

(ii) uses the information described in clause (i) to deliver advertising to, or display advertising on, the computer; and

(C) the extracting from the hard drive or other storage medium of the computer--

(i) the substantive contents of files, data, software, or other information knowingly saved or installed by the authorized user of a protected computer; or

(ii) the substantive contents of communications sent by an authorized user of a protected computer to any other computer.

(e) Exception- This section shall not restrict a person from causing the installation of software that collects information for the provider of an online service or website knowingly used or subscribed to by an authorized user if the information collected is used only to affect the experience of the user while using that online service or website.

(f) Uninstall Functionality-

(1) IN GENERAL- Software that performs any function described in subsection (b) or (c) shall have the capability to subsequently be uninstalled or disabled by an authorized user through a program removal function that is usual and customary with the operating system of the computer or otherwise as clearly and conspicuously disclosed to the user.

(c) Limitations on Liability-

(1) IN GENERAL- The restrictions imposed under this section do not apply to any monitoring of, or interaction with, a subscriber’s Internet or other network connection or service, or a protected computer, by or at the direction of a telecommunications carrier, cable operator, computer hardware or software provider, financial institution or provider of information services or interactive computer service for--

(A) network or computer security purposes;

(B) diagnostics;

(C) technical support;

(D) repair;

(E) network management;

(F) authorized updates of software or system firmware;

(G) authorized remote system management;

(H) authorized provision of protection for users of the computer from objectionable content;

(I) authorized scanning for computer software used in violation of this section for removal by an authorized user; or

(J) detection or prevention of the unauthorized use of software, fraudulent or other illegal activities.

(2) MANUFACTURER'S LIABILITY FOR THIRD-PARTY SOFTWARE- A manufacturer or retailer of a computer shall not be liable under any provision of this section for causing the installation on the computer, prior to the first retail sale and delivery of the computer, of third-party branded software, unless the manufacturer or retailer knowingly allows the installation of such third-party branded software and derives a benefit from the operation of such software.

(3) EXCEPTION FOR AUTHORIZED INVESTIGATIVE AGENCIES- Nothing in this section prohibits any lawfully authorized criminal investigation or authorized investigative, protective, or intelligence activities that are carried out by or on behalf of any element of the intelligence community and conducted in accordance with the United States laws, authorities, and regulations governing such intelligence activities, of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

(d) Enforcement by the Attorney General-

(1) LIABILITY AND PENALTY FOR VIOLATIONS- Any person who engages in an activity in violation of this section shall be fined not more than $500,000, imprisoned not more than 5 years, or both.

(2) ENHANCED LIABILITY AND PENALTIES FOR PATTERN OR PRACTICE OF VIOLATIONS-

(A) IN GENERAL- Any person who engages in a pattern or practice of activity that violates the provisions of this section shall be fined not more than $1,000,000, imprisoned not more than 5 years, or both.

(B) TREATMENT OF SINGLE ACTION OR CONDUCT- For purposes of subparagraph (A), any single action or conduct that violates this section with respect to multiple protected computers shall be construed as a single violation.

(3) CONSIDERATIONS- In determining the amount of any penalty under paragraph (1) or (2), the court shall take into account--

(A) the degree of culpability of the defendant;

(B) any history of prior such conduct;

(C) the ability of the defendant to pay any fine imposed;

(D) the effect on the ability of the defendant to continue to do business; and

(E) such other matters as justice may require.

TITLE II--PRIVACY AND SECURITY OF SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION

Subtitle A--A Data Privacy and Security Program

SEC. 201. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY PROGRAM.
(a) Purpose- The purpose of this subtitle is to ensure standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personally identifiable information.

(b) In General- A business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons is subject to the requirements for a data privacy and security program under section 202 for protecting sensitive personally identifiable information.

(c) Limitations- Notwithstanding any other obligation under this subtitle, this subtitle does not apply to the following:

(1) FINANCIAL INSTITUTIONS- A financial institution subject to the data security requirements and standards under 501(b) of the Gramm-Leach-Bliley Act (

(2) HIPAA REGULATED ENTITIES-

(A) COVERED ENTITIES- A business entity subject to the Health Insurance Portability and Accountability Act of 1996 (

(B) COMPLIANCE- A business entity that--

(i) is acting as a business associate, as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (

(ii) is subject to, and currently in compliance, with the privacy and data security requirements under sections 13401 and 13404 of division A of the American Reinvestment and Recovery Act of 2009 (

(3) SERVICE PROVIDERS- A service provider for any electronic communication by a third-party, to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication.

(4) PUBLIC RECORDS- Public records not otherwise subject to a confidentiality or nondisclosure requirement, or information obtained from a public record, including information obtained from a news report or periodical.

(d) Rule of Construction- Nothing in this subtitle shall be construed to modify, limit, or supersede the operation of the provisions of the Gramm-Leach-Bliley Act (

SEC. 202. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY PROGRAM.
(a) Personal Data Privacy and Security Program- A business entity subject to this subtitle shall comply with the following safeguards and any other administrative, technical, or physical safeguards identified by the Federal Trade Commission in a rulemaking process pursuant to

(1) SCOPE- A business entity shall implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities.

(2) DESIGN- The personal data privacy and security program shall be designed to--

(A) ensure the privacy, security, and confidentiality of sensitive personally identifiable information;

(B) protect against any anticipated vulnerabilities to the privacy, security, or integrity of sensitive personally identifiable information; and

(C) protect against unauthorized access to or use of sensitive personally identifiable information that could create a significant risk of harm or fraud to any individual.

(3) RISK ASSESSMENT- A business entity shall--

(A) identify reasonably foreseeable internal and external vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information or systems containing sensitive personally identifiable information;

(B) assess the likelihood of and potential damage from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information;

(C) assess the sufficiency of its policies, technologies, and safeguards in place to control and minimize risks from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information; and

(D) assess the vulnerability of sensitive personally identifiable information during destruction and disposal of such information, including through the disposal or retirement of hardware.

(4) RISK MANAGEMENT AND CONTROL- Each business entity shall--

(A) design its personal data privacy and security program to control the risks identified under paragraph (3); and

(B) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of the activities of the business entity that--

(i) control access to systems and facilities containing sensitive personally identifiable information, including controls to authenticate and permit access only to authorized individuals;

(ii) detect, record, and preserve information relevant to actual and attempted fraudulent, unlawful, or unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information, including by employees and other individuals otherwise authorized to have access;

(iii) protect sensitive personally identifiable information during use, transmission, storage, and disposal by encryption, redaction, or access controls that are widely accepted as an effective industry practice or industry standard, or other reasonable means (including as directed for disposal of records under section 628 of the Fair Credit Reporting Act (

(iv) ensure that sensitive personally identifiable information is properly destroyed and disposed of, including during the destruction of computers, diskettes, and other electronic media that contain sensitive personally identifiable information;

(v) trace access to records containing sensitive personally identifiable information so that the business entity can determine who accessed or acquired such sensitive personally identifiable information pertaining to specific individuals;

(vi) ensure that no third party or customer of the business entity is authorized to access or acquire sensitive personally identifiable information without the business entity first performing sufficient due diligence to ascertain, with reasonable certainty, that such information is being sought for a valid legal purpose; and

(vii) minimize the amount of personal information maintained by the business entity, providing for the retention of such personal information only as reasonably needed for the business purposes of the business entity or as necessary to comply with any other provision of law.

(b) Training- Each business entity subject to this subtitle shall take steps to ensure employee training and supervision for implementation of the data security program of the business entity.

(c) Vulnerability Testing-

(1) IN GENERAL- Each business entity subject to this subtitle shall take steps to ensure regular testing of key controls, systems, and procedures of the personal data privacy and security program to detect, prevent, and respond to attacks or intrusions, or other system failures.

(2) FREQUENCY- The frequency and nature of the tests required under paragraph (1) shall be determined by the risk assessment of the business entity under subsection (a)(3).

(d) Certain Relationship to Providers of Services- In the event a business entity subject to this subtitle engages a person or entity not subject to this subtitle (other than a service provider) to receive sensitive personally identifiable information in performing services or functions (other than the services or functions provided by a service provider) on behalf of and under the instruction of such business entity, such business entity shall--

(1) exercise appropriate due diligence in selecting the person or entity for responsibilities related to sensitive personally identifiable information, and take reasonable steps to select and retain a person or entity that is capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and

(2) require the person or entity by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing entities subject to section 201, this section, and subtitle B.

(e) Periodic Assessment and Personal Data Privacy and Security Modernization- Each business entity subject to this subtitle shall on a regular basis monitor, evaluate, and adjust, as appropriate its data privacy and security program in light of any relevant changes in--

(1) technology;

(2) the sensitivity of sensitive personally identifiable information;

(3) internal or external threats to sensitive personally identifiable information; and

(4) the changing business arrangements of the business entity, such as--

(A) mergers and acquisitions;

(B) alliances and joint ventures;

(C) outsourcing arrangements;

(D) bankruptcy; and

(E) changes to sensitive personally identifiable information systems.

(f) Implementation Timeline- Not later than 1 year after the date of enactment of this Act, a business entity subject to the provisions of this subtitle shall implement a data privacy and security program pursuant to this subtitle.

SEC. 203. FEDERAL ENFORCEMENT.
(a) Civil Penalties-

(1) IN GENERAL- The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $5,000 per violation per day while such a violation exists, with a maximum of $20,000,000 per violation, unless such conduct is found to be willful or intentional.

(2) INTENTIONAL OR WILLFUL VIOLATION- A business entity that intentionally or willfully violates the provisions of this subtitle shall be subject to additional penalties in the amount of $5,000 per violation per day while such a violation exists.

(3) CONSIDERATIONS- In determining the amount of a civil penalty under this subsection, the court shall take into account--

(A) the degree of culpability of the business entity;

(B) any prior violations of this subtitle by the business entity;

(C) the ability of the business entity to pay a civil penalty;

(D) the effect on the ability of the business entity to continue to do business;

(E) the number of individuals whose sensitive personally identifiable information was compromised by the breach;

(F) the relative cost of compliance with this subtitle; and

(G) such other matters as justice may require.

(b) Injunctive Actions by the Attorney General-

(1) IN GENERAL- If it appears that a business entity has engaged, or is engaged, in any act or practice constituting a violation of this subtitle, the Attorney General may petition an appropriate district court of the United States for an order--

(A) enjoining such act or practice; or

(B) enforcing compliance with this subtitle.

(2) ISSUANCE OF ORDER- A court may issue an order under paragraph (1), if the court finds that the conduct in question constitutes a violation of this subtitle.

(c) Other Rights and Remedies- The rights and remedies available under this section are cumulative and shall not affect any other rights and remedies available under law.

SEC. 204. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) Civil Actions-

(1) IN GENERAL- In any case in which the attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the acts or practices of a business entity that violate this subtitle, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to--

(A) enjoin that act or practice;

(B) enforce compliance with this subtitle; or

(C) obtain civil penalties of not more than $5,000 per violation per day while such violations persist, up to a maximum of $20,000,000 per violation.

(2) CONSIDERATIONS- In determining the amount of a civil penalty under this subsection, the court shall take into account--

(A) the degree of culpability of the business entity;

(B) any prior violations of this subtitle by the business entity;

(C) the ability of the business entity to pay a civil penalty;

(D) the effect on the ability of the business entity to continue to do business;

(E) the number of individuals whose sensitive personally identifiable information was compromised by the breach;

(F) the relative cost of compliance with this subtitle; and

(G) such other matters as justice may require.

(3) NOTICE-

(A) IN GENERAL- Before filing an action under this subsection, the attorney general of the State involved shall provide to the Attorney General--

(i) a written notice of that action; and

(ii) a copy of the complaint for that action.

(B) EXCEPTION- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action.

(C) NOTIFICATION WHEN PRACTICABLE- In an action described in subparagraph (B), the attorney general of a State shall provide the written notice and a copy of the complaint to the Attorney General as soon after the filing of the complaint as practicable.

(b) Federal Proceedings- Upon receiving notice under subsection (a)(3), the Attorney General shall have the right to--

(1) move to stay the action, pending the final disposition of a pending Federal proceeding or action described in subsection (c);

(2) initiate an action in the appropriate United States district court under section 2178 and move to consolidate all pending actions, including State actions, in such court;

(3) intervene in an action brought under subsection (a)(2); and

(4) file petitions for appeal.

(c) Pending Proceedings- If the Attorney General has instituted a proceeding or action for a violation of this subtitle or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this section against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.

(d) Construction- For purposes of bringing any civil action under subsection (a), nothing in this section shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to--

(1) conduct investigations;

(2) administer oaths or affirmations; or

(3) compel the attendance of witnesses or the production of documentary and other evidence.

(e) Venue; Service of Process-

(1) VENUE- Any action brought under subsection (a) may be brought in--

(A) the district court of the United States that meets applicable requirements relating to venue under

(B) another court of competent jurisdiction.

(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--

(A) is an inhabitant; or

(B) may be found.

SEC. 205. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.
(a) In General- Any person aggrieved by a violation of the provisions of this subtitle by a business entity may bring a civil action in a court of appropriate jurisdiction to recover for personal injuries sustained as a result of the violation.

(b) Authority To Bring Civil Action; Jurisdiction- As provided in subsection (c), any person may commence a civil action on his own behalf against any business entity who is alleged to have violated the provisions of this subtitle.

(c) Remedies in a Citizen Suit-

(1) DAMAGES- Any individual harmed by a failure of a business entity to comply with the provisions of this subtitle, shall be able to collect damages of not more than $10,000 per violation per day while such violations persist, up to a maximum of $20,000,000 per violation.

(2) PUNITIVE DAMAGES- A business entity may be liable for punitive damages if the business entity intentionally or willfully violates the provisions of this subtitle.

(3) EQUITABLE RELIEF- A business entity that violates the provisions of this subtitle may be enjoined to comply with the provisions of those sections.

(d) Other Rights and Remedies- The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.

(e) Nonenforceability of Certain Provisions Waiving Rights and Remedies or Requiring Arbitration of Disputes-

(1) WAIVER OF RIGHTS AND REMEDIES- The rights and remedies provided for in this section may not be waived by any agreement, policy form, or condition of employment including by a predispute arbitration agreement, and any claims under this section that arise from the same security breach are presumed to meet the commonality requirement under rule 23(a)(2) of the Federal Rules of Civil Procedure.

(2) PREDISPUTE ARBITRATION AGREEMENTS- No predispute arbitration agreement shall be valid or enforceable, if the agreement requires arbitration of a dispute arising under this section.

(f) Considerations- In determining the amount of a civil penalty under this subsection, the court shall take into account--

(1) the degree of culpability of the business entity;

(2) any prior violations of this subtitle by the business entity;

(3) the ability of the business entity to pay a civil penalty;

(4) the effect on the ability of the business entity to continue to do business;

(5) the number of individuals whose sensitive personally identifiable information was compromised by the breach;

(6) the relative cost of compliance with this subtitle; and

(7) such other matters as justice may require.

Subtitle B--Security Breach Notification

SEC. 211. NOTICE TO INDIVIDUALS.
(a) In General- Any agency, or business entity engaged in interstate commerce other than a service provider, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information that experiences a security breach of such information, shall, following the discovery of such security breach of such information, notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.

(b) Obligation of Owner or Licensee-

(1) NOTICE TO OWNER OR LICENSEE- Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the agency or business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information.

(2) NOTICE BY OWNER, LICENSEE OR OTHER DESIGNATED THIRD PARTY- Nothing in this subtitle shall prevent or abrogate an agreement between an agency or business entity required to give notice under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a).

(3) BUSINESS ENTITY RELIEVED FROM GIVING NOTICE- A business entity obligated to give notice under subsection (a) shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security breach, or other designated third party, provides such notification.

(4) SERVICE PROVIDERS- If a service provider becomes aware of a security breach containing sensitive personally identifiable information that is owned or possessed by another business entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall be required to notify the business entity who initiated such connection, transmission, routing, or storage of the security breach if the business entity can be reasonably identified. Upon receiving such notification from a service provider, the business entity shall be required to provide the notification required under subsection (a).

(c) Timeliness of Notification-

(1) IN GENERAL- All notifications required under this section shall be made without unreasonable delay following the discovery by the agency or business entity of a security breach.

(2) REASONABLE DELAY- Reasonable delay under this subsection may include any time necessary to determine the scope of the security breach, conduct the risk assessment described in section 212(b)(1), and provide notice to law enforcement when required.

(3) BURDEN OF PRODUCTION- The agency, business entity, owner, or licensee required to provide notice under this subtitle shall, upon the request of the Attorney General, the Federal Trade Commission, or the attorney general of a State or any State or local law enforcement agency authorized by the attorney general of the State or by State statute to prosecute violations of consumer protection law, provide records or other evidence of the notifications required under this subtitle, including to the extent applicable, the reasons for any delay of notification.

(d) Delay of Notification Authorized for Law Enforcement or National Security Purposes-

(1) IN GENERAL- If a Federal law enforcement agency or member of the intelligence community determines that the notification required under this section would impede any lawfully authorized criminal investigation or authorized investigative, protective, or intelligence activities that are carried out by or on behalf of any element of the intelligence community and conducted in accordance with the United States laws, authorities, and regulations governing such intelligence activities, such notification shall be delayed upon written notice from such Federal law enforcement or intelligence agency to the agency or business entity that experienced the breachagency or member of the intelligence community to the agency or business entity that experienced the breach. The notification shall specify in writing the period of delay required. CommentsClose CommentsPermalink

(2) EXTENDED DELAY OF NOTIFICATION- If the notification required under subsection (a) is delayed pursuant to paragraph (1), an agency or business entity shall give notice 30 days after the day such law enforcement delay was invoked unless a Federal law enforcement or intelligence agencmember of the intelligence community provides written notification that further delay is necessary. CommentsClose CommentsPermalink

(3) LAW ENFORCEMENT IMMUNITY- No non-constitutional cause of action shall lie in any court against any law enforcement agency for acts relating to the delay of notification for law enforcement or intelligence purposes under this subtitle. CommentsClose CommentsPermalink

SEC. 212. EXEMPTIONS FROM NOTICE TO INDIVIDUALS.
(a) Exemption for National Security and Law Enforcement-

(1) IN GENERAL- Section 211 shall not apply to an agency or business entity if the agency or business entity certifies, in writing, that notification of the security breach as required by section 211 reasonably could be expected to--

(A) cause damage to the national security; or

(B) hinder a law enforcement investigation or the ability of the agency to conduct law enforcement investigations.

(2) LIMITS ON CERTIFICATIONS- An agency or business entity may not execute a certification under paragraph (1) to--

(A) conceal violations of law, inefficiency, or administrative error;

(B) prevent embarrassment to a business entity, organization, or agency;

(C) restrain competition; or

(D) delay notification under section 211 for any other reason, except where the agency or business entity reasonably believes an exemption under paragraph (1) applies.

(3) NOTICE- In every case in which an agency or business agency issues a certification under paragraph (1), the certification, accompanied by a description of the factual basis for the certification, shall be immediately provided to the United States Secret Service and the Federal Bureau of Investigation.

(4) SECRET SERVICE AND FBI REVIEW OF CERTIFICATIONS-

(A) IN GENERAL- The United States Secret Service or the Federal Bureau of Investigation may review a certification provided by an agency under paragraph (3), and shall review a certification provided by a business entity under paragraph (3), to determine whether an exemption under paragraph (1) is merited. Such review shall be completed not later than 7 business days after the date of receipt of the certification, except as provided in paragraph (5)(C).

(B) NOTICE- Upon completing a review under subparagraph (A) the United States Secret Service or the Federal Bureau of Investigation shall immediately notify the agency or business entity, in writing, of its determination of whether an exemption under paragraph (1) is merited.

(A) the United States Secret Service or the Federal Bureau of Investigation determines under this paragraph that the exemption is not merited.

(5) ADDITIONAL AUTHORITY OF THE SECRET SERVICE AND FBI-

(B) the Federal Bureau of Investigation may request additional information from the agency or business entity regarding the basis for the claimed exemption, if such additional information is necessary to determine whether the exemption is merited.

(B) REQUIRED COMPLIANCE- Any agency or business entity that receives a request for additional information under subparagraph (A) shall cooperate with any such request.

(2) IMMUNITY- No non-constitutional cause of action shall lie in any court against any Federal agency for acts relating to the exemption from notification under this subtitle.

(b) Safe Harbor-

(1) IN GENERAL- An agency or business entity [removed: will be exempt from the notice requirements under section] [inserted: shall be exempt from the notice requirements under section 211], if--

(A) a risk assessment conducted by the agency or business entity, in consultation with the Federal Trade Commission, concludes that there is no significant risk that a security breach has resulted in, or will result in harm to the individuals whose sensitive personally identifiable information was subject to the security breach; and

(B) the [removed: United States Secret Service or the Federal Bureau of Investigation] [inserted: Federal Trade Commission or designated entity] does not indicate within 7 business days from the receipt of written notification from an agency or business entity pursuant to subsection 212 (b)(2), that the agency or business entity should not be exempt from the notice requirements of section 211.

(2) RISK ASSESSMENT REQUIREMENTS-

(A) CONDUCTING A RISK ASSESSMENT- Upon discovery of a security breach of an agency or business entity, the agency or business entity shall conduct a risk assessment to determine if there is a significant risk that the security breach resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.

(i) PRESUMPTION OF NO SIGNIFICANT RISK- It is presumed that there is no significant risk that the security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable informationdata was subject to the security breach, if suchthe sensitive personally identifiable information has been rendered indecipherable through the use of best practices or methods as described by the Federal Trade Commission, such as redaction, access controls, or other such mechanisms, which are widely accepted as an effective industry practice, or an effective industry standard, or other such mechanisms establishing a presumption that no significant risk existsunusable, unreadable, or indecipherable through a security technology or methodology (if the technology or methodology is generally accepted by experts in the information security field). Any such presumption may be rebutted by facts demonstrating that the security technologies or methodologies in a specific case, have been or are reasonably likely to be compromised.

(ii) PRESUMPTION OF SIGNIFICANT RISK- It is presumed that there is a significant risk that the security breach has resulted in, or will result in, harm to individuals whose sensitive personally identifiable information was subject to the security breach if the agency or business entity failed to render such sensitive personally identifiable information indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms which are widely accepted as an effective industry practice or an effective industry standard, or other such mechanisms establishing a presumption that a significant risk exists.(B) a security technology or methodology (if the technology or methodology is generally accepted by experts in the information security field).

(iii) METHODOLOGIES OR TECHNOLOGIES-

(I) REQUIRED RULEMAKING- Not later than 1 year after the date of the enactment of this Act, and biannually thereafter, the Federal Trade Commission, after consultation with the National Institute of Standards and Technology, shall issue rules (pursuant to

(II) REQUIRED CONSULTATION- In issuing rules or guidance under subclause (II), the Commission shall also consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.

(iv) FTC GUIDANCE- Not later than 1 year after the date of the enactment of this Act, the Federal Trade Commission, after consultation with the National Institute of Standards and Technology, shall issue guidance regarding the application of the exemption in clause (i).

(B) WRITTEN NOTIFICATION TO LAW ENFORCEMENT- Without unreasonable delay, but not later than 7 days after the discovery of a security breach, unless extended by the United States Secret Service or the Federal Bureau of Investigation, the agency or business entity must notify the [removed: United States Secret Service and the Federal Bureau of Investigation] [inserted: Federal Trade Commission and designated entity], in writing, of--

(i) the results of the risk assessment; and

(ii) its decision to invoke the risk assessment exemption.

(C) VIOLATIONS- It shall be a violation of this section to--

(i) fail to conduct a risk assessment in a reasonable manner, or according to standards generally accepted by experts in the field of information security; or

(ii) submit results of a risk assessment that--

(I) conceal violations of law, inefficiency, or administrative error;

(II) prevent embarrassment to a business entity, organization, or agency;

(III) restrain competition;

(IV) contain fraudulent or deliberately misleading information; or

(V) delay notification under section 211 for any other reason, except where the agency or business entity reasonably believes that the risk assessment exception may apply.

(c) Financial Fraud Prevention Exemption-

(1) IN GENERAL- A business entity shall be exempt from the notice requirement under section 211 if the business entitys of this subtitle if the business entity utilizes or participates in a security program that--

(A) [removed: is designed to block] [inserted: effectively blocks] the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and

(B) provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions.

(2) LIMITATION- Paragraph (1) doesshall not apply to a business entity if--(A) the information subject to the security breach includes an individual’s first and last name, or any other type of sensitive personally identifiable information, other than a credit card or credit card security code, of any type of the sensitive personally identifiable information identified in section 3; or(B) the security breach includes both the individual’s credit card number and the, unless that information is only a credit card number or a credit card security code.

(d) Limitations- Notwithstanding any other obligation under this subtitle, this subtitle does not apply to the following--

(1) FINANCIAL INSTITUTIONS- A financial institution subject to the data security requirements and standards under 501(b) of the Gramm-Leach-Bliley Act (

(2) HIPAA REGULATED ENTITIES EXEMPTION-

(A) IN GENERAL- A business entity shall be exempt from the notice requirement under section 211 if the business entity is one of the following:

(i) COVERED ENTITIES- A business entity subject to the Health Insurance Portability and Accountability Act of 1996 (

(ii) BUSINESS ENTITIES- A business entity that--

(I) is acting as a business associate, as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (

(II) is subject to, and currently in compliance with, the data breach notification requirements under section 13402 or 13407 of the American Reinvestment and Recovery Act of 2009 (

(B) LIMITATION- Paragraph (1) shall not apply to a business entity if the information subject to the security breach includes an individual’s first and last name, or any other type of sensitive personally identifiable information other than a health insurance policy or subscriber identification number or information regarding an individual’s medical history, mental or physical medical condition, or medical treatment or diagnosis by a health care professional as identified in section 3 unless that information is only a health insurance policy or subscriber identification number or information regarding an individual’s medical history, mental or physical medical condition, or medical treatment or diagnosis by a health care professional.

SEC. 213. METHODS OF NOTICE TO INDIVIDUALS.
To comply with section 211, an agency or business entity shall provide the following forms of notice:

(1) INDIVIDUAL WRITTEN NOTICE- Written notice to individuals by 1 of the following means:

(A) Individual written notification to the last known home mailing address of the individual in the records of the agency or business entity.

(B) E-mail notice, unless the individual has expressly opted not to receive such notices of security breaches or the notice is inconsistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (

(2) TELEPHONE NOTICE- Telephone notice to the individual personally.

(3) PUBLIC NOTICE-

(A) ELECTRONIC NOTICE- Prominent notice via all reasonable means of electronic contact between the individual and the agency or business entity, including any website, networked devices, or other interface through which the agency or business entity regularly interacts with the consumer, if the number of individuals whose sensitive personally identifiable information was or is reasonably believed to have been accessed or acquired by an unauthorized person exceeds 5,000.

(B) MEDIA NOTICE- Notice to major media outlets serving a State or jurisdiction, if the number of residents of such State whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000.

SEC. 214. CONTENT OF NOTICE TO INDIVIDUALS.
(a) In General- Regardless of the method by which individual notice is provided to individuals under section 213(1), such notice shall include--

(1) a description of the categories of sensitive personally identifiable information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, and how the agency or business entity came into possession of the sensitive personally identifiable information at issue;

(2) a toll-free number--

(A) that the individual may use to contact the agency or business entity, or the agent of the agency or business entity; and

(B) from which the individual may learn what types of sensitive personally identifiable information the agency or business entity maintained about that individual;

(3) the toll-free contact telephone numbers, websites, and addresses for the major credit reporting agencies;

(4) the telephone numbers and websites for the relevant Federal agencies that provide information regarding identity theft prevention and protection;

(5) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, credit monitoring or any other service that enables consumers to detect the misuse of sensitive personally identifiable information for a period of 2 years, and instructions to the individual on requesting such reports or service from the agency or business entity;

(6) notice that the individual is entitled to receive a security freeze and that the agency or business entity will be liable for any costs associated with the security freeze for 2 years and the necessary instructions for requesting a security freeze; and

(7) notice that any costs or damages incurred by an individual as a result of a security breach will be paid by the business entity or agency that experienced the security breach.

(b) Telephone Notice- Telephone notice described in section 213(2) shall include, to the extent possible--

(1) notification that a security breach has occurred and that the individual’s sensitive personally identifiable information may have been compromised;

(2) a description of the categories of sensitive personally identifiable information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person;

(3) a toll-free number and website--

(A) that the individual may use to contact the agency or business entity, or the authorized agent of the agency or business entity; and

(B) from which the individual may learn what types of sensitive personally identifiable information the agency or business entity maintained about that individual and remedies available to that individual; and

(4) an alert to the individual that the agency or business entity is sending or has sent written notification containing additional information as required under section 213(1)(A).

(c) Public Notice- Public notice described in section 213(3) shall include--

(1) electronic notice, which includes--

(A) notification that a security breach has occurred and that the individual’s sensitive personally identifiable information may have been compromised;

(B) a description of the categories of sensitive personally identifiable information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person; and

(C) a toll-free number and website--

(i) that the individual may use to contact the agency or business entity, or the authorized agent of the agency or business entity; and

(ii) from which the individual may learn what types of sensitive personally identifiable information the agency or business entity maintained about that individual and remedies available to that individual;

(2) media notice, which includes--

(A) a description of the categories of sensitive personally identifiable information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person;

(B) a toll-free number--

(i) that the individual may use to contact the agency or business entity, or the authorized agent of the agency or business entity; and

(ii) from which the individual may learn what types of sensitive personally identifiable information the agency or business entity maintained about that individual and remedies available to that individual;

(C) the toll-free contact telephone numbers, websites, and addresses for the major credit reporting agencies;

(D) the telephone numbers and websites for the relevant Federal agencies that provide information regarding identity theft prevention and protection;

(E) notice that the affected individuals are entitled to receive, at no cost to such individuals, consumer credit reports on a quarterly basis for a period of 2 years, credit monitoring, or any other service that enables consumers to detect the misuse of sensitive personally identifiable information for a period of 2 years;

(F) notice that the individual is entitled to receive a security freeze and that the agency or business entity will be liable for any costs associated with the security freeze for 2 years; and

(G) notice that the individual is entitled to receive compensation from the business entity or agency for any costs or damages incurred by the individual resulting from the security breach.

(d) Additional Content- Notwithstanding section 221, a State may require that a notice under subsection (a) shall also include information regarding victim protection assistance provided for by that State.

(e) Direct Business Relationship- Regardless of whether a business entity, agency, or a designated third party provides the notice required pursuant to section 211(b), such notice shall include the name of the business entity or agency that has a direct relationship with the individual being notified.

SEC. 215. REMEDIES FOR SECURITY BREACH.
(a) Credit Reports and Credit Monitoring- An agency or business entity required to provide notification under this subtitle shall, upon request of an individual whose sensitive personally identifiable information was included in the security breach, provide or arrange for the provision of, to each such individual and at no cost to such individual--

(1) consumer credit reports from not fewer than 1 of the major credit reporting agencies beginning not later than 60 days following the request of the individual and continuing on a quarterly basis for a period of 2 years thereafter; and

(2) a credit monitoring or other service that enables consumers to detect the misuse of their personal information, beginning not later than 60 days following the request of the individual and continuing for a period of 2 years.

(b) Security Freeze-

(1) REQUEST- Any consumer may submit a written request, by certified mail or such other secure method as authorized by a credit rating agency, to a credit rating agency to place a security freeze on the credit report of the consumer.

(2) IMPLEMENTATION OF SECURITY FREEZE- Upon receipt of a written request under paragraph (1), a credit rating agency shall--

(A) not later than 5 business days after receipt of the request, place a security freeze on the credit report of the consumer; and

(B) not later than 10 business days after placing a security freeze, send a written confirmation of such security freeze to the consumer, which shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of the credit report of the consumer to a third party or for a specified period of time.

(3) DURATION OF SECURITY FREEZE- Except as provided in paragraph (4), any security freeze authorized pursuant to the provisions of this section shall remain in effect until the consumer requests the security freeze to be removed.

(4) DISCLOSURE OF CREDIT REPORT TO THIRD PARTY-

(A) IN GENERAL- If a consumer that has requested a security freeze under this subsection wishes to authorize the disclosure of the credit report of the consumer to a third party, or for a specified period of time, while such security freeze is in effect, the consumer shall contact the credit rating agency and provide--

(i) proper identification;

(ii) the unique personal identification number or password described in paragraph (2)(B); and

(iii) proper information regarding the third party who is to receive the credit report or the time period for which the credit report shall be available.

(B) REQUIREMENT- Not later than 3 business days after receipt of a request under subparagraph (A), a credit rating agency shall lift the security freeze.

(5) PROCEDURES-

(A) IN GENERAL- A credit rating agency shall develop procedures to receive and process requests from consumers under paragraph (2) of this section.

(B) REQUIREMENT- Procedures developed under subparagraph (A), at a minimum, shall include the ability of a consumer to send such temporary lift or removal request by electronic mail, letter, telephone, or facsimile.

(6) REQUESTS BY THIRD PARTY- If a third party requests access to a credit report of a consumer that has been frozen under this subsection and the consumer has not authorized the disclosure of the credit report of the consumer to the third party, the third party may deem such credit application as incomplete.

(7) DETERMINATION BY CREDIT RATING AGENCY-

(A) IN GENERAL- A credit rating agency may refuse to implement or may remove a security freeze under this subsection if the agency determines, in good faith, that--

(i) the request for a security freeze was made as part of a fraud that the consumer participated in, had knowledge of, or that can be demonstrated by circumstantial evidence; or

(ii) the consumer credit report was frozen due to a material misrepresentation of fact by the consumer.

(B) NOTICE- If a credit rating agency makes a determination under subparagraph (A) to not implement, or to remove, a security freeze under this subsection, the credit rating agency shall notify the consumer in writing of such determination--

(i) in the case of a determination not to implement a security freeze, not later than 5 business days after the determination is made; and

(ii) in the case of a removal of a security freeze, prior to removing the freeze on the credit report of the consumer.

(8) RULE OF CONSTRUCTION- Nothing in this section shall be construed to prohibit disclosure of a credit report of a consumer to--

(A) a person, or the person’s subsidiary, affiliate, agent or assignee with which the consumer has or, prior to assignment, had an account, contract or debtor-creditor relationship for the purpose of reviewing the account or collecting the financial obligation owing for the account, contract or debt;

(B) a subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under paragraph (4) for the purpose of facilitating the extension of credit or other permissible use;

(C) any person acting pursuant to a court order, warrant or subpoena;

(D) any person for the purpose of using such credit information to prescreen as provided by the Fair Credit Reporting Act (

(E) any person for the sole purpose of providing a credit file monitoring subscription service to which the consumer has subscribed;

(F) a credit rating agency for the sole purpose of providing a consumer with a copy of the credit report of the consumer upon the request of the consumer; or

(G) a Federal, State or local governmental entity, including a law enforcement agency, or court, or their agents or assignees pursuant to their statutory or regulatory duties. For purposes of this subsection, ‘reviewing the account’ includes activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements; and

(H) any person for the sole purpose of providing a remedy requested by an individual under this section.

(9) EXCEPTIONS- The following persons shall not be required to place a security freeze under this subsection, but shall be subject to any security freeze placed on a credit report by another credit rating agency:

(A) A check services or fraud prevention services company that reports on incidents of fraud or issues authorizations for the purpose of approving or processing negotiable instruments, electronic fund transfers or similar methods of payment.

(B) A deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or similar information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.

(C) A credit rating agency that--

(i) acts only to resell credit information by assembling and merging information contained in a database of 1 or more credit reporting agencies; and

(ii) does not maintain a permanent database of credit information from which new credit reports are produced.

(10) FEES-

(A) IN GENERAL- A credit rating agency may charge reasonable fees for each security freeze, removal of such freeze or temporary lift of such freeze for a period of time, and a temporary lift of such freeze for a specific party.

(B) REQUIREMENT- Any fees charged under subparagraph (A) shall be borne by the agency or business entity providing notice under section 214 for 2 years following the establishment of the security freeze under this subsection.

(c) Costs Resulting From a Security Breach-

(1) IN GENERAL- A business entity or agency that experiences a security breach and is required to provide notice under this subtitle shall pay, upon request, to any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired as a result of such security breach, any costs or damages incurred by the individual as a result of such security breach, including costs associated with identity theft suffered as a result of such security breach.

(2) COMPLIANCE- A business entity or agency shall be deemed in compliance with this subsection if the business entity or agency--

(A) provides insurance to any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired as a result of a security breach and such insurance is sufficient to compensate the consumer for not less than $25,000 of costs or damages; or

(B) pays, without unreasonable delay, any actual costs or damages incurred by an individual as a result of the security breach.

SEC. 216. NOTICE TO CREDIT REPORTING AGENCIES.
If an agency or business entity is required to provide notification to more than 5,000 individuals under section 211(a), the agency or business entity shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act (

SEC. 217. NOTICE TO LAW ENFORCEMENT.
(a) Designation of a Government Entity to Receive Notice-

(1) IN GENERAL- Not later than 60 days after the date of enactment of this Act, the Secretary of Homeland Security, in consultation with the Attorney General, shall designate a Federal Government entity to receive the information required to be submitted under this subtitle, and any other reports and information about information security incidents, threats, and vulnerabilities.

(2) RESPONSIBILITIES OF THE DESIGNATED ENTITY- The designated entity shall--

(A) be responsible for promptly providing the information it receives to the United States Secret Service and the Federal Bureau of Investigation, and to the Federal Trade Commission for civil law enforcement purposes; and

(B) provide the information described in subparagraph (A) as appropriate to other Federal agencies for law enforcement, national security, or data security purposes.

(b) Notice- Any business entity or agency shall notify the designated entity of the fact that a security breach has occurred if--

(1) the number of individuals whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000;

(2) the security breach involves a database, networked or integrated databases, or other data system containing the sensitive personally identifiable information of more than 500,000 individuals nationwide;

(3) the security breach involves databases owned by the Federal Government; or

(4) the security breach involves primarily sensitive personally identifiable information of individuals known to the agency or business entity to be employees and contractors of the Federal Government involved in national security or law enforcement.

(c) FTC Review of Thresholds-

(1) REVIEW- Not later than 1 year after the date of enactment of this Act, the Federal Trade Commission, in consultation with the Attorney General and the Secretary of Homeland Security, shall promulgate regulations regarding the reports required under subsection (a).

(2) RULEMAKING- The Federal Trade Commission, in consultation with the Attorney General and the Secretary of Homeland Security and after notice, may alter the circumstances under which notification is required under subsection (a) in a manner consistent with the public interest.

(c) Notice to Other Law Enforcement Agencies- The United States Secret Service and the Federal Bureau of Investigation shall be responsible for notifying--

(1) the United States Postal Inspection Service, if the security breach involves mail fraud;

(2) the attorney general of each State affected by the security breach; and

(d) Timing of Notices- The notices required under this section shall be delivered as follows:

(1) Notice under subsection (a) shall be delivered as promptly as possible, but not later than 10 days after discovery of the security breach.

(2) Notice under section 211 shall be delivered to individuals not later than 48 hours after the Federal Bureau of Investigation or the Secret Service receives notice of a security breach from an agency or business entity.

SEC. 218. FEDERAL ENFORCEMENT.
(a) Civil Actions by the Attorney General-

(1) IN GENERAL- The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $500 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $20,000,000 per violation, unless such conduct is found to be willful or intentional.

(2) PRESUMPTION- A violation of section 212(b)(2)(C) shall be presumed to be willful or intentional conduct.

(b) Considerations- In determining the amount of a civil penalty under this subsection, the court shall take into account--

(1) the degree of culpability of the business entity;

(2) any prior violations of this subtitle by the business entity;

(3) the ability of the business entity to pay a civil penalty;

(4) the effect on the ability of the business entity to continue to do business;

(5) the number of individuals whose personally identifiable information was compromised by the breach;

(6) the relative cost of compliance with this subtitle; and

(7) such other matters as justice may require.

(1) IN GENERAL- If it appears that a business entity has engaged, or is engaged, in any act or practice constituting a violation of this subtitle, the Attorney General may petition an appropriate district court of the United States for an order--

(A) enjoining such act or practice; or

(B) enforcing compliance with this subtitle.

(2) ISSUANCE OF ORDER- A court may issue an order under paragraph (1), if the court finds that the conduct in question constitutes a violation of this subtitle.

(c) Civil Actions by the Federal Trade Commission-

(1) IN GENERAL- Compliance with the requirements imposed under this subtitle may be enforced under the Federal Trade Commission Act (

(2) UNFAIR OR DECEPTIVE ACTS OR PRACTICES- For the purpose of the exercise by the Federal Trade Commission of its functions and powers under the Federal Trade Commission Act, a violation of any requirement or prohibition imposed under this title shall constitute an unfair or deceptive act or practice in commerce in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (

(d) Considerations- In determining the amount of a civil penalty under this subsection, the court shall take into account--

(1) the degree of culpability of the business entity;

(2) any prior violations of this subtitle by the business entity;

(3) the ability of the business entity to pay a civil penalty;

(4) the effect on the ability of the business entity to continue to do business;

(5) the number of individuals whose sensitive personally identifiable information was compromised by the breach;

(6) the relative cost of compliance with this subtitle; and

(7) such other matters as justice may require.

(e) Coordination of Enforcement-

(1) IN GENERAL- Before opening an investigation, the Federal Trade Commission shall consult with the Attorney General.

(2) LIMITATION- The Federal Trade Commission may initiate investigations under this subsection unless the Attorney General determines that such an investigation would impede an ongoing criminal investigation or national security activity.

(3) COORDINATION AGREEMENT-

(A) IN GENERAL- In order to avoid conflicts and promote consistency regarding the enforcement and litigation of matters under this Act, not later than 180 days after the enactment of this Act, the Attorney General and the Commission shall enter into an agreement for coordination regarding the enforcement of this Act.

(B) REQUIREMENT- The coordination agreement entered into under subparagraph (A) shall include provisions to ensure that parallel investigations and proceedings under this section are conducted in a manner that avoids conflicts and does not impede the ability of the Attorney General to prosecute violations of Federal criminal laws.

(4) COORDINATION WITH THE FCC- If an enforcement action under this Act relates to customer proprietary network information, the Federal Trade Commission shall coordinate the enforcement action with the Federal Communications Commission.

(f) Rulemaking- The Federal Trade Commission may, in consultation with the Attorney General, issue such other regulations as it determines to be necessary to carry out this subtitle. All regulations promulgated under this Act shall be issued in accordance with

(g) Other Rights and Remedies- The rights and remedies available under this subtitle are cumulative and shall not affect any other rights and remedies available under law.

(h) Fraud Alert- Section 605A(b)(1) of the Fair Credit Reporting Act (

SEC. 219. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General-

(1) CIVIL ACTIONS-

(A) IN GENERAL- In any case in which the attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of a business entity in a practice that is prohibited under this subtitle, the State or the State or local law enforcement agency on behalf of the residents of the agency’s jurisdiction, may bring a civil action on behalf of the residents of the State or jurisdiction in a district court of the United States of appropriate jurisdiction or any other court of competent jurisdiction, including a State court, to--

(i) enjoin that practice;

(ii) enforce compliance with this subtitle; or

(iii) obtain civil penalties of not more than $500 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $20,000,000 per violation, unless such conduct is found to be willful or intentional.

(B) PRESUMPTION- A violation of section 212(b)(2)(C) shall be presumed to be willful or intentional.

(2) CONSIDERATIONS- In determining the amount of a civil penalty under this subsection, the court shall take into account--

(A) the degree of culpability of the business entity;

(B) any prior violations of this subtitle by the business entity;

(C) the ability of the business entity to pay a civil penalty;

(D) the effect on the ability of the business entity to continue to do business;

(E) the number of individuals whose sensitive personally identifiable information was compromised by the breach;

(F) the relative cost of compliance with this subtitle; and

(G) such other matters as justice may require.

(3) NOTICE-

(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General of the United States--

(i) written notice of the action; and

(ii) a copy of the complaint for the action.

(B) EXEMPTION-

(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subtitle, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.

(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the State attorney general files the action.

(b) Federal Proceedings- Upon receiving notice under subsection (a)(2), the Attorney General shall have the right to--

(1) move to stay the action, pending the final disposition of a pending Federal proceeding or action;

(2) initiate an action in the appropriate United States district court under section 218 and move to consolidate all pending actions, including State actions, in such court;

(3) intervene in an action brought under subsection (a)(2); and

(4) file petitions for appeal.

(c) Pending Proceedings- If the Attorney General has instituted a proceeding or action for a violation of this subtitle or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subtitle against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.

(d) Construction- For purposes of bringing any civil action under subsection (a), nothing in this subtitle regarding notification shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to--

(1) conduct investigations;

(2) administer oaths or affirmations; or

(3) compel the attendance of witnesses or the production of documentary and other evidence.

(e) Venue; Service of Process-

(1) VENUE- Any action brought under subsection (a) may be brought in--

(A) the district court of the United States that meets applicable requirements relating to venue under

(B) another court of competent jurisdiction.

(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--

(A) is an inhabitant; or

(B) may be found.

SEC. 220. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.
(a) In General- Any person aggrieved by a violation of the provisions of section 211, 213, 214, 215, or 216 by a business entity may bring a civil action in a court of appropriate jurisdiction to recover for personal injuries sustained as a result of the violation.

(b) Authority to Bring Civil Action; Jurisdiction- As provided in subsection (c), an individual may commence a civil action on his own behalf against any business entity who is alleged to have violated the provisions of this subtitle.

(c) Remedies in a Citizen Suit-

(1) DAMAGES- Any individual harmed by a failure of a business entity to comply with the provisions of section 211, 213, 214, 215, or 216, shall be able to collect damages of not more than $500 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $20,000,000 per violation.

(2) PUNITIVE DAMAGES- A business entity may be liable for punitive damages if it--

(A) intentionally or willfully violates the provisions of section 211, 213, 214, 215, or 216; or

(B) failed to comply with the requirements of subsections (a) through (d) of section 202.

(3) EQUITABLE RELIEF- A business entity that violates the provisions of section 211, 213, 214, 215, or 216 may be enjoined to provide required remedies under section 215 by a court of competent jurisdiction.

(d) Other Rights and Remedies- The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.

(e) Nonenforceability of Certain Provisions Waiving Rights and Remedies or Requiring Arbitration of Disputes-

(1) WAIVER OF RIGHTS AND REMEDIES- The rights and remedies provided for in this section may not be waived by any agreement, policy form, or condition of employment including by a predispute arbitration agreement, and any claims under this section that arise from the same security breach are presumed to meet the commonality requirement under rule 23(a)(2) of the Federal Rules of Civil Procedure.

(2) PREDISPUTE ARBITRATION AGREEMENTS- No predispute arbitration agreement shall be valid or enforceable, if the agreement requires arbitration of a dispute arising under this section.

(f) Considerations- In determining the amount of a civil penalty under this subsection, the court shall take into account--

(1) the degree of culpability of the business entity;

(2) any prior violations of this subtitle by the business entity;

(3) the ability of the business entity to pay a civil penalty;

(4) the effect on the ability of the business entity to continue to do business;

(5) the number of individuals whose sensitive personally identifiable information was compromised by the breach;

(6) the relative cost of compliance with this subtitle; and

(7) such other matters as justice may require.

SEC. 221. RELATION TO OTHER LAWS.
(a) In General- The provisions of this subtitle shall supersede any other provision of Federal law or any provision of law of any State relating to notification by a business entity engaged in interstate commerce or an agency of a security breach, except as provided in this subsection.

(b) Limitations-

(1) STATE COMMON LAW- Nothing in this subtitle shall be construed to exempt any entity from liability under common law, including through the operation of ordinary preemption principles, and including liability through state trespass, contract, or tort law, for damages caused by the failure to notify an individual following a security breach.

(2) GRAMM-LEACH-BLILEY ACT- Nothing in this Act shall supersede the data security requirements of the Gramm-Leach-Bliley Act (

(3) HEALTH PRIVACY-

(A) To the extent that a business entity acts as a covered entity or a business associate under the Health Information Technology for Economic and Clinical Health Act (

(B) To the extent that a business entity acts as a vendor of personal health records, a third party service provider, or other entity subject to the Health Information Technology for Economic and Clinical Health Act (

SEC. 222. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated such sums as may be necessary to cover the costs incurred by the United States Secret Service to carry out investigations and risk assessments of security breaches as required under this subtitle.

SEC. 223. REPORTING ON RISK ASSESSMENT EXEMPTIONS.
The United States Secret Service and the Federal Bureau of Investigation shall report to Congress not later than 18 months after the date of enactment of this Act, and upon the request by Congress thereafter, on--

(1) the number and nature of the security breaches described in the notices filed by those business entities invoking the risk assessment exemption under section 212(b) and the response of the United States Secret Service and the Federal Bureau of Investigation to such notices; and

(2) the number and nature of security breaches subject to the national security and law enforcement exemptions under section 212(a), provided that such report may not disclose the contents of any risk assessment provided to the United States Secret Service and the Federal Bureau of Investigation pursuant to this subtitle.

Subtitle C--Post-Breach Technical Information Clearinghouse

SEC. 230. CLEARINGHOUSE INFORMATION COLLECTION, MAINTENANCE, AND ACCESS.
(a) In General- The designated entity shall maintain a clearinghouse of technical information concerning system vulnerabilities identified in the wake of security breaches, which shall--

(1) contain information disclosed by agencies or business entities under subsection (b); and

(2) be accessible to certified entities under subsection (c).

(b) Post-Breach Technical Notification- In any instance where an agency or business entity is required to notify the designated entity under section 217, the agency or business entity shall also provide the designated entity with technical information concerning the nature of the security breach, including--

(1) technical information regarding any system vulnerabilities of the agency or business entity revealed by or identified as a consequence of the security breach;

(2) technical information regarding any system vulnerabilities of the agency or business entity actually exploited during the security breach; and

(3) any other technical information concerning the nature of the security breach deemed appropriate for collection by the designated entity in furtherance of this subtitle.

(c) Access to Clearinghouse- Any entity certified under subsection (d) may review information maintained by the technical information clearinghouse for the purpose of preventing security breaches that threaten the security of sensitive personally identifiable information.

(d) Certification for Access- The designated entity shall issue and revoke certifications to agencies and business entities wishing to review information maintained by the technical information clearinghouse and shall establish conditions for obtaining and maintaining such certifications, including agreement that any information obtained directly or derived indirectly from the review of information maintained by the technical information clearinghouse--

(1) shall only be used to improve the security and reduce the vulnerability of networks that collect, access, transmit, use, store, or dispose of sensitive personally identifiable information;

(2) may not be used for any competitive commercial purpose; and

(3) may not be shared with any third party, including other parties certified for access to the information clearinghouse, without the express written consent of the designated entity.

(e) Rulemaking- In consultation with the private sector, appropriate representatives of State and local governments, and other appropriate Federal agencies, the Attorney General shall promulgate any regulations pursuant to

SEC. 231. PROTECTIONS FOR CLEARINGHOUSE PARTICIPANTS.
(a) Protection of Proprietary Information- To the extent feasible, the designated entity shall ensure that any technical information disclosed to the designated entity under this subtitle shall be stored in a format designed to protect proprietary business information from inadvertent disclosure.

(b) Anonymous Data Release- To the extent feasible, the designated entity shall ensure that all information stored in the technical information clearinghouse and accessed by certified parties is presented in a form that minimizes the potential for such information to be traced to a particular network, company, or security breach incident.

(c) Protection From Public Disclosure- Except as otherwise provided in this subtitle--

(1) security and vulnerability information collected under this section and provided to the Federal Government, including aggregated analysis and data, shall be exempt from disclosure under

(2) under section 230(e), security and vulnerability-related information provided to the Federal Government under this section, including aggregated analysis and data, shall be protected from public disclosure, except that this paragraph--

(A) does not prohibit the sharing of such information, as the designated entity determines to be appropriate, in order to mitigate cybersecurity threats or further the official functions of a government agency; and

(B) does not authorize such information to be withheld from a committee of Congress authorized to request the information.

(d) Protection of Classified Information- Nothing in this subtitle permits the unauthorized disclosure of classified information.

SEC. 232. EFFECTIVE DATE.
This subtitle shall take effect on the expiration of the date which is 90 days after the date of enactment of this Act.

TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA

SEC. 301. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.
(a) In General- In considering contract awards totaling more than $500,000 and entered into after the date of enactment of this Act with data brokers, the Administrator of the General Services Administration shall evaluate--

(1) the data privacy and security program of a data broker to ensure the privacy and security of data containing sensitive personally identifiable information, including whether such program adequately addresses privacy and security threats created by malicious software or code, or the use of peer-to-peer file sharing software;

(2) the compliance of a data broker with such program;

(3) the extent to which the databases and systems containing sensitive personally identifiable information of a data broker have been compromised by security breaches; and

(4) the response by a data broker to such breaches, including the efforts by such data broker to mitigate the impact of such security breaches.

(b) Compliance Safe Harbor- The data privacy and security program of a data broker shall be deemed sufficient for the purposes of subsection (a), if the data broker complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of sensitive personally identifiable information involved in the ordinary course of business of such data broker.

(c) Penalties- In awarding contracts with data brokers for products or services related to access, use, compilation, distribution, processing, analyzing, or evaluating sensitive personally identifiable information, the Administrator of the General Services Administration shall--

(1) include monetary or other penalties--

(A) for failure to comply with subtitles A and B of title III; or

(B) if a contractor knows or has reason to know that the sensitive personally identifiable information being provided is inaccurate, and provides such inaccurate information; and

(2) require a data broker that engages service providers not subject to subtitle A of title III for responsibilities related to sensitive personally identifiable information to--

(A) exercise appropriate due diligence in selecting those service providers for responsibilities related to sensitive personally identifiable information;

(B) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and

(C) require such service providers, by contract, to implement and maintain appropriate measures designed to meet the objectives and requirements in title III.

(d) Limitation- The penalties under subsection (c) shall not apply to a data broker providing information that is accurately and completely recorded from a public record source or licensor.

SEC. 302. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.

(1) in paragraph (7)(C)(iii), by striking ‘and’ after the semicolon;

(2) in paragraph (8), by striking the period and inserting ‘; and’; and

(3) by adding at the end the following:

‘(9) procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the information systems or operations of the agency involving sensitive personally identifiable information (as that term is defined in section 3 of the Personal Data Protection and Breach Accountability Act of 2011) and ensuring remedial action to address any significant deficiencies.’.
SEC. 303. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL INFORMATION SERVICES CONTAINING SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.
(a) In General- Section 208(b)(1) of the E-Government Act of 2002 (

(1) in subparagraph (A)(i), by striking ‘or’;

(2) in subparagraph (A)(ii), by striking the period and inserting ‘; or’; and

(3) by inserting after clause (ii) the following:

‘(iii) purchasing or subscribing for a fee to sensitive personally identifiable information from a data broker (as such terms are defined in section 3 of the Personal Data Protection and Breach Accountability Act of 2011).’.

(b) Limitation- Notwithstanding any other provision of law, commencing 1 year after the date of enactment of this Act, no Federal agency may enter into a contract with a data broker to access for a fee any database consisting primarily of sensitive personally identifiable information concerning United States persons (other than news reporting or telephone directories) unless the head of such department or agency--

(1) completes a privacy impact assessment under section 208 of the E-Government Act of 2002 (

(A) such database;

(B) the name of the data broker from whom it is obtained; and

(C) the amount of the contract for use;

(2) adopts regulations that specify--

(A) the personnel permitted to access, analyze, or otherwise use such databases;

(B) standards governing the access, analysis, or use of such databases;

(C) any standards used to ensure that the sensitive personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal agency;

(D) standards limiting the retention and redisclosure of sensitive personally identifiable information obtained from such databases;

(E) procedures ensuring that such data meet standards of accuracy, relevance, completeness, and timeliness;

(F) the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases;

(G) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases;

(H) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and

(I) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases; and

(3) incorporates into the contract or other agreement totaling more than $500,000, provisions--

(A) providing for penalties--

(i) for failure to comply with title III of this Act; or

(ii) if the entity knows or has reason to know that the sensitive personally identifiable information being provided to the Federal department or agency is inaccurate, and provides such inaccurate information; and

(B) requiring a data broker that engages service providers not subject to subtitle A of title III for responsibilities related to sensitive personally identifiable information to--

(i) exercise appropriate due diligence in selecting those service providers for responsibilities related to sensitive personally identifiable information;

(ii) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and

(iii) require such service providers, by contract, to implement and maintain appropriate measures designed to meet the objectives and requirements in title III.

(c) Limitation on Penalties- The penalties under subsection (b)(3)(A) shall not apply to a data broker providing information that is accurately and completely recorded from a public record source.

(d) Study of Government Use-

(1) SCOPE OF STUDY- Not later than 180 days after the date of enactment of this Act, the Comptroller General of the United States shall conduct a study and audit and prepare a report on Federal agency actions to address the recommendations in the Government Accountability Office’s April 2006 report on agency adherence to key privacy principles in using data brokers or commercial databases containing sensitive personally identifiable information.

(2) REPORT- A copy of the report required under paragraph (1) shall be submitted to Congress.

SEC. 304. FBI REPORT ON REPORTED BREACHES AND COMPLIANCE.
(a) In General- Not later than 1 year after the date of enactment of this Act, and each year thereafter, the Federal Bureau of Investigation, in coordination with the Secret Service, shall submit to the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives a report regarding any reported breaches at agencies or business entities during the preceding year.

(b) Report Content- Such reporting shall include--

(1) the total instances of breaches of security in the previous year;

(2) the percentage of breaches described in subsection (a) that occurred at an agency or business entity that did not comply with the personal data privacy and security program under section 202; and

(3) recommendations, if any, for modifying or amending this Act to increase its effectiveness.

SEC. 305. DEPARTMENT OF JUSTICE REPORT ON ENFORCEMENT ACTIONS.
(a) In General- Not later than 1 year after the date of enactment of this Act, and each year thereafter, the Attorney General shall submit to Congress a report on the enforcement actions taken in the previous year in cases of violations of any sections of this Act.

(b) Report Content- The report required under subsection (a) shall include--

(1) statistics on Federal enforcement actions, State attorneys general enforcement actions, and private enforcement actions related to the provisions of this Act; and

(2) recommendations, if any, for modifying or amending this Act to increase the effectiveness of such enforcement actions.

‘(c) Not later than 1 year after the date of enactment of the Personal Data Protection and Breach Accountability Act of 2011, and every fiscal year thereafter, the Attorney General shall submit to Congress a report on Federal enforcement actions, State attorneys general enforcement actions, and private enforcement actions undertaken pursuant to the Personal Data Protection and Breach Accountability Act of 2011 that shall include a description of the best practices for enforcement of such Act as well as recommendations, if any, for modifying or amending this Act to increase the effectiveness of such enforcement actions.’.

SEC. 306. REPORT ON NOTIFICATION EFFECTIVENESS.
(a) In General- Not later than 1 year after the date of enactment of this Act, and each year thereafter, the designated entity, in coordination with the Attorney General and the Federal Trade Commission, shall submit to the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives a report regarding the effectiveness of post-breach notification practices by agencies and business entities.

(b) Report Content- The report required under subsection (a) shall include--

(1) in each instance of a breach of security, the amount of time between the instance of the breach and the discovery of the breach by the affected business entity;

(2) in each instance of a breach of security, the amount of time between the discovery of the breach by the affected business entity and the notification to the FBI and Secret Service; and

(3) in each instance of a breach of security, the amount of time between the discovery of the breach by the affected business entity and the notification to individuals whose sensitive personally identifiable information was compromised.

TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

SEC. 401. BUDGET COMPLIANCE.
The budgetary effects of this Act, for the purpose of complying with the Statutory Pay-As-You-Go Act of 2010, shall be determined by reference to the latest statement titled ‘Budgetary Effects of PAYGO Legislation’ for this Act, submitted for printing in the Congressional Record by the Chairman of the Senate Budget Committee, provided that such statement has been submitted prior to the vote on passage.

Calendar No. 182

112th CONGRESS

1st Session

S. 1535

A BILL

To protect consumers by mitigating the vulnerability of personally identifiable information to theft through a security breach, providing notice and remedies to consumers in the wake of such a breach, holding companies accountable for preventable breaches, facilitating the sharing of post-breach technical information between companies, and enhancing criminal and civil penalties and other protections against the unauthorized collection or use of personally identifiable information.

September 22, 2011

Reported with an amendment

U.S. Congress - Text of S.1535 as Reported in Senate Personal Data Protection and Breach Accountability Act of 2011