[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1704 Introduced in House (IH)]
114th CONGRESS
1st Session
H. R. 1704
To establish a national data breach notification standard, and for
other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
March 26, 2015
Mr. Langevin introduced the following bill; which was referred to the
Committee on Energy and Commerce, and in addition to the Committee on
the Judiciary, for a period to be subsequently determined by the
Speaker, in each case for consideration of such provisions as fall
within the jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To establish a national data breach notification standard, and for
other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Personal Data
Notification and Protection Act of 2015''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--NATIONAL DATA BREACH NOTIFICATION STANDARD
Sec. 101. Notification to individuals.
Sec. 102. Exemptions from notification to individuals.
Sec. 103. Methods of notification.
Sec. 104. Content of notification.
Sec. 105. Coordination of notification with credit reporting agencies.
Sec. 106. Notification for law enforcement and other purposes.
Sec. 107. Enforcement by the Federal Trade Commission.
Sec. 108. Enforcement by State attorneys general.
Sec. 109. Effect on State law.
Sec. 110. Reporting on security breaches.
Sec. 111. Excluded business entities.
Sec. 112. Definitions.
Sec. 113. Effective date.
TITLE II--EXTRATERRITORIAL APPLICATION OF CYBER CRIME LAW
Sec. 201. Extraterritorial jurisdiction.
TITLE I--NATIONAL DATA BREACH NOTIFICATION STANDARD
SEC. 101. NOTIFICATION TO INDIVIDUALS.
(a) In General.--Except as provided for in section 102, any
business entity engaged in or affecting interstate commerce, that uses,
accesses, transmits, stores, disposes of, or collects sensitive
personally identifiable information about more than 10,000 individuals
during any 12-month period shall, following the discovery of a security
breach of such information, notify, in accordance with sections 103 and
104, any individual whose sensitive personally identifiable information
has been, or is reasonably believed to have been, accessed or acquired.
(b) Obligations of and to Owner or Licensee.--
(1) Notification to owner or licensee.--Any business entity
engaged in or affecting interstate commerce, that uses,
accesses, transmits, stores, disposes of, or collects sensitive
personally identifiable information that the business entity
does not own or license shall notify the owner or licensee of
the information following the discovery of a security breach
involving such information, unless there is no reasonable risk
of harm or fraud to such owner or licensee.
(2) Notification by owner, licensee, or other designated
third party.--Nothing in this title shall prevent or abrogate
an agreement between a business entity required to provide
notification under this section and a designated third party,
including an owner or licensee of the sensitive personally
identifiable information subject to the security breach, to
provide the notifications required under subsection (a).
(3) Business entity relieved from giving notification.--A
business entity required to provide notification under
subsection (a) shall not be required to provide such
notification if an owner or licensee of the sensitive
personally identifiable information subject to the security
breach, or other designated third party, provides such
notification.
(c) Timeliness of Notification.--
(1) In general.--All notifications required under this
section shall be made without unreasonable delay following the
discovery by the business entity of a security breach. A
business entity shall, upon the request of the Commission,
provide records or other evidence of the notifications required
under this section.
(2) Reasonable delay.--
(A) In general.--Except as provided in subsection
(d), reasonable delay under this subsection shall not
exceed 30 days, unless the business entity seeking
additional time requests an extension of time and the
Commission determines that additional time is
reasonably necessary to determine the scope of the
security breach, prevent further disclosures, conduct
the risk assessment, restore the reasonable integrity
of the data system, or provide notice to the breach
notification entity.
(B) Extension.--If the Commission determines that
additional time is reasonably necessary as described in
subparagraph (A), the Commission may extend the time
period for notification for additional periods of up to
30 days each. Any such extension shall be provided in
writing by the Commission.
(3) Burden of production.--If a business entity requires
additional time under paragraph (2), the business entity shall
provide the Commission with records or other evidence of the
reasons necessitating delay of notification.
(d) Delay of Notification for Law Enforcement or National
Security.--
(1) In general.--If the Director of the United States
Secret Service or the Director of the Federal Bureau of
Investigation determines that the notification required under
this section would impede a criminal investigation or national
security activity, the time period for notification shall be
extended 30 days upon written notice from such Director to the
business entity that experienced the breach.
(2) Extended delay of notification.--If the time period for
notification required under subsection (a) is extended pursuant
to paragraph (1), a business entity shall provide the
notification within such time period unless the Director of the
United States Secret Service or the Director of the Federal
Bureau of Investigation provides written notification that
further extension of the time period is necessary. The Director
of the United States Secret Service or the Director of the
Federal Bureau of Investigation may extend the time period for
additional periods of up to 30 days each.
(3) Immunity.--No cause of action for which jurisdiction is
based under section 1346(b) of title 28, United States Code,
shall lie against any Federal law enforcement agency for acts
relating to the extension of the deadline for notification for
law enforcement or national security purposes under this
section.
(e) Designation of Breach Notification Entity.--Not later than 60
days after the date of the enactment of this Act, the Secretary of
Homeland Security shall designate a Federal Government entity to
receive notices, reports, and information about information security
incidents, threats, and vulnerabilities under this title.
SEC. 102. EXEMPTIONS FROM NOTIFICATION TO INDIVIDUALS.
(a) Exemption for National Security and Law Enforcement.--
(1) In general.--Notwithstanding section 101, if the
Director of the United States Secret Service or the Director of
the Federal Bureau of Investigation determines that
notification of the security breach required by such section
could be expected to reveal sensitive sources and methods or
similarly impede the ability of a Federal, State, or local law
enforcement agency to conduct law enforcement investigations,
or if the Director of the Federal Bureau of Investigation
determines that notification of the security breach could be
expected to cause damage to national security, such
notification is not required.
(2) Immunity.--No cause of action for which jurisdiction is
based under section 1346(b) of title 28, United States Code,
shall lie against any Federal law enforcement agency for acts
relating to the extension of the deadline for notification for
law enforcement or national security purposes under this
section.
(b) Safe Harbor.--
(1) In general.--A business entity is exempt from the
notification requirement under section 101, if the following
requirements are met:
(A) Risk assessment.--A risk assessment, in
accordance with paragraph (3), is conducted by or on
behalf of the business entity that concludes that there
is no reasonable risk that a security breach has
resulted in, or will result in, harm to the individuals
whose sensitive personally identifiable information was
subject to the security breach.
(B) Notice to commission.--Without unreasonable
delay and not later than 30 days after the discovery of
a security breach, unless extended by the Commission,
the Director of the United States Secret Service, or
the Director of the Federal Bureau of Investigation
under section 101 (in which case, before the extended
deadline), the business entity notifies the Commission,
in writing, of--
(i) the results of the risk assessment; and
(ii) the decision by the business entity to
invoke the risk assessment exemption described
under subparagraph (A).
(C) Determination by commission.--During the period
beginning on the date on which the notification
described in subparagraph (B) is submitted and ending
10 days after such date, the Commission has not issued
a determination in writing that a notification should
be provided under section 101.
(2) Rebuttable presumption.--For purposes of paragraph
(1)--
(A) the rendering of sensitive personally
identifiable information at issue unusable, unreadable,
or indecipherable through a security technology
generally accepted by experts in the field of
information security shall establish a rebuttable
presumption that such reasonable risk does not exist;
and
(B) any such presumption shall be rebuttable by
facts demonstrating that the security technologies or
methodologies in a specific case have been, or are
reasonably likely to have been, compromised.
(3) Risk assessment requirements.--A risk assessment is in
accordance with this paragraph if the following requirements
are met:
(A) Properly conducted.--The risk assessment is
conducted in a reasonable manner or according to
standards generally accepted by experts in the field of
information security.
(B) Logging data required.--The risk assessment
includes logging data, as applicable and to the extent
available, for a period of at least six months before
the discovery of a security breach described in section
101(a)--
(i) for each communication or attempted
communication with a database or data system
containing sensitive personally identifiable
information, the data system communication
information for the communication or attempted
communication, including any Internet
addresses, and the date and time associated
with the communication or attempted
communication; and
(ii) all log-in information associated with
databases or data systems containing sensitive
personally identifiable information, including
both administrator and user log-in information.
(C) Fraudulent or misleading information.--The risk
assessment does not contain fraudulent or deliberately
misleading information.
(c) Financial Fraud Prevention Exemption.--
(1) In general.--A business entity is exempt from the
notification requirement under section 101 if the business
entity uses or participates in a security program that--
(A) effectively blocks the use of the sensitive
personally identifiable information to initiate
unauthorized financial transactions before they are
charged to the account of the individual; and
(B) provides notification to affected individuals
after a security breach that has resulted in fraud or
unauthorized transactions.
(2) Limitation.--The exemption in paragraph (1) does not
apply if the information subject to the security breach
includes the individual's first and last name or any other type
of sensitive personally identifiable information other than a
credit card number or credit card security code.
SEC. 103. METHODS OF NOTIFICATION.
A business entity shall be in compliance with the requirements of
this section if, with respect to the method of notification as required
under section 101, the following requirements are met:
(1) Individual notification.--Notification to an individual
is by one of the following means:
(A) Written notification to the last known home
mailing address of the individual in the records of the
business entity.
(B) Telephone notification to the individual
personally.
(C) E-mail notification, if the individual has
consented to receive such notification and the
notification is consistent with the provisions
permitting electronic transmission of notifications
under section 101 of the Electronic Signatures in
Global and National Commerce Act (15 U.S.C. 7001).
(2) Media notification.--If the number of residents of a
State whose sensitive personally identifiable information was,
or is reasonably believed to have been, accessed or acquired by
an unauthorized person exceeds 5,000, notification is provided
to media reasonably calculated to reach such individuals, such
as major media outlets serving a State or jurisdiction.
SEC. 104. CONTENT OF NOTIFICATION.
The notification provided to individuals required by section 101
shall include, to the extent possible, the following:
(1) A description of the categories of sensitive personally
identifiable information that was, or is reasonably believed to
have been, accessed or acquired by an unauthorized person.
(2) A toll-free number--
(A) that the individual may use to contact the
business entity, or the agent of the business entity;
and
(B) from which the individual may learn what types
of sensitive personally identifiable information the
business entity maintained about that individual.
(3) The toll-free contact telephone numbers and addresses
for the major credit reporting agencies and the Commission.
(4) The name of the business entity that has a direct
business relationship with the individual.
(5) Notwithstanding section 109, any information regarding
victim protection assistance required by the State in which the
individual resides.
SEC. 105. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.
(a) Requirement To Notify Credit Reporting Agencies.--If a business
entity is required to notify more than 5,000 individuals under section
101, the business entity shall also notify each consumer reporting
agency that compiles and maintains files on consumers on a nationwide
basis (as defined in section 603(p) of the Fair Credit Reporting Act
(15 U.S.C. 1681a(p))) of the timing and distribution of the
notifications. Such notification shall be given to the consumer credit
reporting agencies without unreasonable delay and, if it will not delay
notification to the affected individuals, prior to the distribution of
notifications to the affected individuals.
(b) Reasonable Delay.--Reasonable delay under subsection (a) shall
not exceed 30 days following the discovery of a security breach, except
as provided in subsection (c) or (d) of section 101 (in which case,
before the extended deadline), or unless the business entity providing
notification can demonstrate to the Commission that additional time is
reasonably necessary to determine the scope of the security breach,
prevent further disclosures, conduct the risk assessment, restore the
reasonable integrity of the data system, and provide notice to the
breach notification entity. If the Commission determines that
additional time is necessary, the Commission may extend the time period
for notification for additional periods of up to 30 days each. Any such
extension shall be provided in writing.
SEC. 106. NOTIFICATION FOR LAW ENFORCEMENT AND OTHER PURPOSES.
(a) Notification to Law Enforcement and National Security
Authorities.--Any business entity shall notify the breach notification
entity, and the breach notification entity shall promptly notify and
provide that information to the United States Secret Service, the
Federal Bureau of Investigation, and the Commission for civil law
enforcement purposes, and shall make it available as appropriate to
other Federal agencies for law enforcement, national security, or
computer security purposes, if--
(1) the number of individuals whose sensitive personally
identifiable information was, or is reasonably believed to have
been, accessed or acquired by an unauthorized person exceeds
5,000;
(2) the security breach involves a database, networked or
integrated databases, or other data system containing the
sensitive personally identifiable information of more than
500,000 individuals nationwide;
(3) the security breach involves databases owned by the
Federal Government; or
(4) the security breach involves primarily sensitive
personally identifiable information of individuals known to the
business entity to be employees and contractors of the Federal
Government involved in national security or law enforcement.
(b) Regulations.--Not later than one year after the date of
enactment of this Act, the Commission shall promulgate regulations (in
accordance with section 553 of title 5, United States Code) in
consultation with the Attorney General and the Secretary of Homeland
Security, that describe what information is required to be included in
the notification under subsection (a). In addition the Commission shall
promulgate regulations, as necessary, (in accordance with section 553
of title 5, United States Code) in consultation with the Attorney
General, to adjust the thresholds for notification to law enforcement
and national security authorities under subsection (a) and to
facilitate the purposes of this section.
(c) Timing of Notification.--The notification required under this
section shall be provided as promptly as possible and at least 72 hours
before notification of an individual pursuant to section 101 or 10 days
after discovery of the breach requiring notification, whichever comes
first.
SEC. 107. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(a) Unfair or Deceptive Acts or Practices.--A violation of this
title or a regulation promulgated under this title shall be treated as
a violation of a regulation under section 18(a)(1)(B) of the Federal
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or
deceptive acts or practices.
(b) Powers of Commission.--The Federal Trade Commission shall
enforce this title and the regulations promulgated under this title in
the same manner, by the same means, and with the same jurisdiction,
powers, and duties as though all applicable terms and provisions of the
Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act, except that the exceptions described
in section 5(a)(2) of such Act (15 U.S.C. 45(a)(2)) shall not apply.
Any business entity who violates this title or a regulation promulgated
under this title shall be subject to the penalties and entitled to the
privileges and immunities provided in the Federal Trade Commission Act.
(c) Federal Communications Commission.--In a case in which
enforcement under this title involves a business entity that is subject
to the authority of the Federal Communications Commission, enforcement
actions by the Commission, the Commission shall consult with the
Federal Communications Commission.
(d) Consumer Financial Protection Bureau.--In a case in which
enforcement under this title relates to financial information or
information associated with the provision of a consumer financial
product or service, enforcement actions by the Commission, the
Commission shall consult with the Consumer Financial Protection Bureau.
(e) Consultation With the Attorney General Required.--The
Commission shall consult with the Attorney General before opening an
investigation. If the Attorney General determines that such an
investigation would impede an ongoing criminal investigation or
national security activity, the Commission may not open such
investigation.
(f) Regulations.--
(1) In general.--The Commission may promulgate regulations,
in addition to the regulations promulgated pursuant to section
106(b), relating to the duties of the Commission under this
title, in accordance with section 553 of title 5, United States
Code, as the Commission determines to be necessary to carry out
this title.
(2) Federal communications commission.--With regard to a
regulation promulgated under this section that relates to an
entity subject to the authority of the Federal Communications
Commission, the Commission may only promulgate such regulation
after consultation with the Federal Communications Commission.
(3) Consumer financial protection bureau.--With regard to a
regulation promulgated under this section that relates to
financial information or information associated with the
provision of a consumer financial product or service, the
Commission may only promulgate such regulation after
consultation with the Consumer Financial Protection Bureau.
SEC. 108. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State or an official or agency of a State has
reason to believe that an interest of the residents of that
State has been or is threatened or adversely affected by an act
or practice in violation of this title or a regulation
promulgated under this title, the State, as parens patriae, may
bring a civil action on behalf of the residents of the State in
an appropriate State court or an appropriate district court of
the United States to--
(A) enjoin that practice;
(B) enforce compliance with this title; or
(C) impose civil penalties of not more than $1,000
per day per individual whose sensitive personally
identifiable information was, or is reasonably believed
to have been, accessed or acquired by an unauthorized
person, up to a maximum of $1,000,000 per violation,
unless such conduct is found to be willful or
intentional.
(2) Notice.--Before filing an action under paragraph (1),
the attorney general, official, or agency of the State involved
shall provide to the Attorney General and the Commission--
(A) a written notice of the action; and
(B) a copy of the complaint for the action.
(3) Attorney general certification.--An action may not be
filed under paragraph (1) if the Attorney General determines
that the filing would impede a criminal investigation or
national security activity.
(b) Authority of Federal Trade Commission.--Upon receiving notice
under subsection (a)(2), the Commission may--
(1) move to stay the action, pending the final disposition
of a pending Federal proceeding or action;
(2) initiate an action in the appropriate United States
district court under section 107 and move to consolidate all
pending actions, including State actions, in such court;
(3) intervene in the action brought under subsection (a);
or
(4) file petitions for appeal.
(c) Pending Proceedings.--If the Commission has instituted a
proceeding or action for a violation of this title or any regulations
promulgated under this title, a State attorney general, official, or
agency may not bring an action under this title during the pendency of
the Federal action against any defendant named in such proceeding or
action for any violation that is alleged in that proceeding or action.
(d) Construction.--For purposes of bringing any civil action under
subsection (a), nothing in this title shall be construed to prevent an
attorney general, official, or agency of a State from exercising the
powers conferred on such attorney general, official, or agency by the
laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(e) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in--
(A) the district court of the United States that
meets applicable requirements relating to venue under
section 1391 of title 28, United States Code; or
(B) another court of competent jurisdiction.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 109. EFFECT ON STATE LAW.
The provisions of this title shall supersede any provision of the
law of any State, or a political subdivision thereof, relating to
notification by a business entity engaged in interstate commerce of a
security breach, except as provided in section 104(5).
SEC. 110. REPORTING ON SECURITY BREACHES.
(a) Report Required on National Security and Law Enforcement
Exemptions.--Not later than 18 months after the date of enactment of
this title, and annually thereafter, the Director of the United States
Secret Service and the Director of the Federal Bureau of Investigation
shall submit to the Committee on Energy and Commerce of the House of
Representatives and the Committee on Commerce, Science, and
Transportation of the Senate on a report on the number and nature of
security breaches subject to the national security and law enforcement
exemptions under section 102(a).
(b) Report Required on Safe Harbor Exemptions.--Not later than 18
months after the date of enactment of this title, and annually
thereafter, the Commission shall submit to the Committee on Energy and
Commerce of the House of Representatives and the Committee on Commerce,
Science, and Transportation of the Senate a report on the number and
nature of the security breaches described in the notices filed by
business entities invoking the risk assessment exemption under section
102(b) and the response of the Commission to such notices.
SEC. 111. EXCLUDED BUSINESS ENTITIES.
Nothing in this title, or the regulations promulgated under this
title, shall apply to--
(1) business entities to the extent that such entities act
as covered entities or business associates (as such terms are
defined in section 13400 of the Health Information Technology
for Economic and Clinical Health Act (42 U.S.C. 17921)) subject
to section 13402 of such Act (42 U.S.C. 17932); and
(2) business entities to the extent that they act as
vendors of personal health records (as such term is defined in
section 13400 of such Act (42 U.S.C. 17921)) and third-party
service providers subject to section 13407 of such Act (42
U.S.C. 17937).
SEC. 112. DEFINITIONS.
In this title:
(1) Affiliate.--The term ``affiliate'' means persons
related by common ownership or by corporate control.
(2) Breach notification entity.--The term ``breach
notification entity'' means the Federal Government entity
designated pursuant to section 101(e).
(3) Business entity.--The term ``business entity'' means
any organization, corporation, trust, partnership, sole
proprietorship, unincorporated association, or venture, whether
or not established to make a profit.
(4) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(5) Consumer financial product or service.--The term
``consumer financial product or service'' has the meaning given
that term in section 1002 of the Dodd-Frank Wall Street Reform
and Consumer Protection Act (12 U.S.C. 5481).
(6) Data system communication information.--The term ``data
system communication information'' means dialing, routing,
addressing, or signaling information that identifies the
origin, direction, destination, processing, transmission, or
termination of each communication initiated, attempted, or
received.
(7) Date and time.--The term ``date and time'' includes the
date, time, and specification of the time zone offset from
Coordinated Universal Time.
(8) Federal agency.--The term ``Federal agency'' has the
meaning given the term ``agency'' in section 3502 of title 44,
United States Code.
(9) Intelligence community.--The term ``intelligence
community'' has the meaning given that term in section 3(4) of
the National Security Act of 1947 (50 U.S.C. 3003(4)).
(10) Internet address.--The term ``Internet address'' means
an Internet Protocol address as specified by the Internet
Protocol version 4 or 6 protocol, or any successor protocol or
any unique number for a specific host on the Internet.
(11) Security breach.--
(A) In general.--The term ``security breach'' means
a compromise of the security, confidentiality, or
integrity of, or the loss of, computerized data that
results in, or there is a reasonable basis to conclude
has resulted in--
(i) the unauthorized acquisition of
sensitive personally identifiable information;
or
(ii) access to sensitive personally
identifiable information that is for an
unauthorized purpose, or in excess of
authorization.
(B) Exclusion.--The term ``security breach'' does
not include any lawfully authorized investigative,
protective, or intelligence activity of a law
enforcement agency of the United States, a State, or a
political subdivision of a State, or of an element of
the intelligence community.
(12) Sensitive personally identifiable information.--The
term ``sensitive personally identifiable information'' means
any information or compilation of information, in electronic or
digital form that includes one or more of the following:
(A) An individual's first and last name or first
initial and last name in combination with any two of
the following data elements:
(i) Home address or telephone number.
(ii) Mother's maiden name.
(iii) Month, day, and year of birth.
(B) A social security number (but not including
only the last four digits of a social security number),
driver's license number, passport number, or alien
registration number or other government-issued unique
identification number.
(C) Unique biometric data such as a finger print,
voice print, a retina or iris image, or any other
unique physical representation.
(D) A unique account identifier, including a
financial account number or credit or debit card
number, electronic identification number, user name, or
routing code.
(E) A user name or electronic mail address, in
combination with a password or security question and
answer that would permit access to an online account.
(F) Any combination of the following data elements:
(i) An individual's first and last name or
first initial and last name.
(ii) A unique account identifier, including
a financial account number or credit or debit
card number, electronic identification number,
user name, or routing code.
(iii) Any security code, access code, or
password, or source code that could be used to
generate such codes or passwords.
(13) Modified definition by rulemaking.--The Commission
may, by rule promulgated under section 553 of title 5, United
States Code, amend the definition of ``sensitive personally
identifiable information'' to the extent that such amendment
will accomplish the purposes of this title. In amending the
definition, the Commission may determine--
(A) that any particular combinations of information
are sensitive personally identifiable information; or
(B) that any particular piece of information, on
its own, is sensitive personally identifiable
information.
SEC. 113. EFFECTIVE DATE.
This title shall take effect 90 days after the date of enactment of
this Act.
TITLE II--EXTRATERRITORIAL APPLICATION OF CYBER CRIME LAW
SEC. 201. EXTRATERRITORIAL JURISDICTION.
Subsection (h) of section 1029 of title 18, United States Code, is
amended to read as follows:
``(h) Any person who, outside the jurisdiction of the United
States, engages in any act that, if committed within the jurisdiction
of the United States, would constitute an offense under subsection (a)
or (b), shall be subject to the fines, penalties, imprisonment, and
forfeiture provided in this title if the offense involves an access
device issued, owned, managed, or controlled by a financial
institution, account issuer, credit card system member, or other entity
organized under the laws of the United States, or any State, the
District of Columbia, or other territory of the United States.''.
<all>