[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1770 Introduced in House (IH)]
114th CONGRESS
1st Session
H. R. 1770
To require certain entities who collect and maintain personal
information of individuals to secure such information and to provide
notice to such individuals in the case of a breach of security
involving such information, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 14, 2015
Mrs. Blackburn (for herself, Mr. Welch, Mr. Burgess, and Mr. Upton)
introduced the following bill; which was referred to the Committee on
Energy and Commerce
_______________________________________________________________________
A BILL
To require certain entities who collect and maintain personal
information of individuals to secure such information and to provide
notice to such individuals in the case of a breach of security
involving such information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; PURPOSES.
(a) Short Title.--This Act may be cited as the ``Data Security and
Breach Notification Act of 2015''.
(b) Purposes.--The purposes of this Act are to--
(1) protect consumers from identity theft, economic loss or
economic harm, and financial fraud by establishing strong and
uniform national data security and breach notification
standards for electronic data in interstate commerce while
minimizing State law burdens that may substantially affect
interstate commerce; and
(2) expressly preempt any related State laws to ensure
uniformity of this Act's standards and the consistency of their
application across jurisdictions.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
A covered entity shall implement and maintain reasonable security
measures and practices to protect and secure personal information in
electronic form against unauthorized access as appropriate for the size
and complexity of such covered entity and the nature and scope of its
activities.
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) In General.--
(1) Restoring security.--Except as otherwise provided by
this section, a covered entity that uses, accesses, transmits,
stores, disposes of, or collects personal information shall,
following the discovery of a breach of security, restore the
reasonable integrity, security, and confidentiality of the data
system.
(2) Investigation.--A covered entity or breached covered
entity shall conduct in good faith a reasonable and prompt
investigation of the breach of security to determine whether
there is a reasonable risk that the breach of security has
resulted in, or will result in, identity theft, economic loss
or economic harm, or financial fraud to the individuals whose
personal information was subject to the breach of security.
(3) Notification to individuals required.--Unless there is
no reasonable risk that the breach of security has resulted in,
or will result in, identity theft, economic loss or economic
harm, or financial fraud to the individuals whose personal
information was affected by the breach of security, the covered
entity, breached covered entity, or non-breached covered
entity, as the case may be, shall notify any resident of the
United States that has been affected by the breach of security
within the time specified in subsection (c).
(4) Non-breached covered entity election notice.--
(A) Notice to non-breached covered entity
required.--Subject to the requirements of this
paragraph, in the event of a breach of security that
presents a reasonable risk that the breach of security
has resulted in, or will result in, identity theft,
economic loss or economic harm, or financial fraud to
individuals whose personal information or record is
described in the notice provided under this paragraph
the breached covered entity shall, as expeditiously as
possible and without unreasonable delay within 10 days
after fulfilling the requirements described in
paragraph (1), notify in writing each non-breached
covered entity of the breach of security.
(B) Contents of notice.--The breached covered
entity shall include in the notice described in
subparagraph (A)--
(i) the elements of personal information
reasonably believed to be affected by the
breach of security;
(ii) an identification of the records
received from the non-breached entity that have
been, or are reasonably believed to have been,
affected by the breach of security; and
(iii) whether there is a reasonable risk
that the breach of security relating to such
information and records has resulted in, or
will result in, identity theft, economic loss
or economic harm, or financial fraud.
(C) Election by non-breached covered entity after
receiving notice from a breached covered entity.--In
the case of a breached covered entity that is a party
to a written contract with a non-breached covered
entity in which the breached covered entity maintains,
stores, transmits, or processes data in electronic form
containing personal information identified in
subparagraph (B), not later than 10 days after receipt
of the notice described in subparagraph (A), the non-
breached covered entity may elect, in writing to the
breached covered entity, to provide notification
required by paragraph (3) to the individuals described
in the notice. Such election relieves the breached
covered entity of the requirements under paragraph (3)
with respect to the individuals described in the
notice.
(D) Obligation after election.--
(i) Breached covered entity cooperation.--
If a non-breached covered entity elects under
subparagraph (C) to provide notice under
paragraph (3), the breached covered entity
shall cooperate in all reasonable respects with
the non-breached covered entity so that the
notification to such individuals is made as
required under this section. Not later than 10
business days after the non-breached covered
entity submits a written request for necessary
information to the breached covered entity, the
breached covered entity shall provide such
information.
(ii) Non-breached covered entity
cooperation.--If a non-breached covered entity
does not elect to provide notice to individuals
under subparagraph (C), the non-breached
covered entity shall provide all required
information about such individuals to, and
cooperate in all reasonable respects with, the
breached covered entity so that the
notification to such individuals is made as
required under this section. Not later than 10
business days after the breached covered entity
submits a written request for necessary
information to the non-breached covered entity,
the non-breached covered entity shall provide
such information.
(5) Law enforcement.--A covered entity shall as
expeditiously as possible notify the Commission and the Secret
Service or the Federal Bureau of Investigation of the fact that
a breach of security has occurred if the number of individuals
whose personal information was, or there is a reasonable basis
to conclude was, accessed or acquired by an unauthorized person
exceeds 10,000. Any notification provided to the Secret Service
or the Federal Bureau of Investigation pursuant to this
paragraph shall be provided not less than 10 days before
notification is provided to individuals pursuant to paragraph
(3).
(b) Special Notification Requirements.--
(1) Non-profit organizations.--In the event of a breach of
security involving personal information that would trigger
notification under subsection (a), a non-profit organization
may complete such notification according to the procedures set
forth in subsection (d)(2).
(2) Coordination of notification with consumer reporting
agencies.--If a covered entity is required to provide
notification to more than 10,000 individuals under subsection
(a), such covered entity shall also notify a consumer reporting
agency that compiles and maintains files on consumers on a
nationwide basis, of the timing and distribution of the
notices. Such notice shall be given to such consumer reporting
agencies without unreasonable delay and, if it will not delay
notice to the affected individuals, prior to the distribution
of notices to the affected individuals.
(c) Timeliness of Notification.--
(1) In general.--Unless subject to a delay authorized under
paragraph (2), a breached covered entity shall make the
notification required under subsection (a)(3) within 25 days
after the non-breached covered entity declines or fails to
exercise the election under subsection (a)(4)(C), a non-
breached covered entity shall make the notification required
under subsection (a)(3) within 25 days after exercising the
election under subsection (a)(4)(C), and any other covered
entity shall identify the individuals affected by a breach of
security and make the notification required under subsection
(a) as expeditiously as possible and without unreasonable
delay, not later than 30 days after completing the requirements
of subsection (a)(1). If a covered entity has provided the
notification to individuals required under subsection (a) and
after such notification discovers additional individuals to
whom notification is required under such subsection with
respect to the same breach of security, the covered entity
shall make such notification to such individuals as
expeditiously as possible and without unreasonable delay.
(2) Delay of notification authorized for law enforcement or
national security purposes.--Notwithstanding paragraph (1), if
a Federal, State, or local law enforcement agency determines
that the notification to individuals required under this
section would impede a civil or criminal investigation or a
Federal agency determines that such notification would threaten
national security, such notification shall be delayed upon
written request of the law enforcement agency or Federal agency
which the law enforcement agency or Federal agency determines
is reasonably necessary and requests in writing. A law
enforcement agency or Federal agency may, by a subsequent
written request, revoke such delay or extend the period of time
set forth in the original request made under this paragraph if
further delay is necessary. If a law enforcement agency or
Federal agency requests a delay of notification to individuals
under this paragraph, the Commission shall, upon written
request of the law enforcement agency or Federal agency, delay
any public disclosure of a notification received by the
Commission under this section relating to the same breach of
security until the delay of notification to individuals is no
longer in effect.
(d) Method and Content of Notification.--
(1) Direct notification.--
(A) Method of notification.--A covered entity
required to provide notification to an individual under
subsection (a) shall be in compliance with such
requirement if the covered entity provides such notice
by one of the following methods (if the selected method
can reasonably be expected to reach the intended
individual):
(i) Written notification by postal mail.
(ii) Notification by email or other
electronic means, if--
(I) the covered entity's primary
method of communication with the
individual is by email or such other
electronic means or the individual has
consented to receive such notification;
and
(II) the email or other electronic
means does not contain a hyperlink.
(B) Content of notification.--Regardless of the
method by which notification is provided to an
individual under subparagraph (A) with respect to a
breach of security, such notification shall include
each of the following:
(i) The identity of the covered entity that
suffered the breach and, if such covered entity
is also a breached covered entity providing
notice under section 3(b)(1), the identity of
each non-breached covered entity that did not
elect to notify affected individuals pursuant
to section 3(b)(1)(B) sufficient to show the
breached covered entity's commercial
relationship to the individual receiving
notice.
(ii) A description of the personal
information that was, or there is a reasonable
basis to conclude was, acquired or accessed by
an unauthorized person.
(iii) The date range of the breach of
security, or an approximate date range of the
breach of security if a specific date range is
unknown based on the information available at
the time of the notification.
(iv) A telephone number, or toll-free
telephone number for any covered entity that
does not meet the definition of a small
business concern or non-profit organization,
that the individual may use to contact the
covered entity to inquire about the breach of
security or the information the covered entity
maintained about that individual.
(v) The toll-free contact telephone numbers
and addresses for a consumer reporting agency
that compiles and maintains files on consumers
on a nationwide basis.
(vi) The toll-free telephone number and
Internet website address for the Commission
whereby the individual may obtain information
regarding identity theft.
(2) Substitute notification.--
(A) In general.--If, after making reasonable
efforts to contact all individuals to whom notice is
required under subsection (a), the covered entity finds
that contact information for 500 or more individuals is
insufficient or out-of-date, the covered entity shall
also provide substitute notice to those individuals,
which shall be reasonably calculated to reach the
individuals affected by the breach of security.
(B) Form of substitute notification.--A covered
entity may provide substitute notification by--
(i) email or other electronic notification
to the extent that the covered entity has
contact information for individuals to whom it
is required to provide notification under
subsection (a) and provided such email or
electronic means does not contain a hyperlink;
and
(ii) a conspicuous notice on the covered
entity's Internet website (if such covered
entity maintains such a website) for at least
90 days.
(C) Content of substitute notice.--Each form of
substitute notice under clauses (i) and (ii) of
subparagraph (B) shall include the information required
under paragraph (1)(B).
(3) Direct notification by a third party.--Nothing in this
Act shall be construed to prevent a covered entity from
contracting with a third party to provide the notification
required under this section, provided such third party issues
such notification without unreasonable delay, in accordance
with the requirements of this section, and indicates to all
individuals in such notification that such third party is
sending such notification on behalf of the covered entity.
(e) Requirements of Service Providers.--
(1) In general.--If a service provider becomes aware of a
breach of security involving data in electronic form containing
personal information that is owned or licensed by a covered
entity that connects to or uses a system or network provided by
the service provider for the purpose of transmitting, routing,
or providing intermediate or transient storage of such data,
such service provider shall notify the covered entity who
initiated such connection, transmission, routing, or storage of
the data containing personal information breached, if such
covered entity can be reasonably identified. If a service
provider is acting solely as a service provider for purposes of
this subsection, the service provider has no other notification
obligations under this section.
(2) Covered entities who receive notice from service
providers.--Upon receiving notification from a service provider
under paragraph (1), a covered entity shall provide
notification as required under this section.
SEC. 4. ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2 or 3 shall be treated as an unfair and deceptive act
or practice in violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of commission.--The Commission shall enforce
this Act in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all applicable
terms and provisions of the Federal Trade Commission Act (15
U.S.C. 41 et seq.) were incorporated into and made a part of
this Act, and any covered entity who violates this Act shall be
subject to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission Act (15
U.S.C. 41 et seq.), and as provided in clauses (ii) and (iii)
of section 5(4)(A).
(b) Enforcement by State Attorneys General.--
(1) Civil action.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by any covered entity who violates section 2
or 3 of this Act, the attorney general of the State, as parens
patriae, may bring a civil action on behalf of the residents of
the State in a district court of the United States of
appropriate jurisdiction to--
(A) enjoin further violation of such section by the
defendant;
(B) compel compliance with such section; or
(C) obtain civil penalties in the amount determined
under paragraph (2).
(2) Civil penalties.--
(A) Calculation.--
(i) Treatment of violations of section 2.--
For purposes of paragraph (1)(C) with regard to
a violation of section 2, the amount determined
under this paragraph is the amount calculated
by multiplying the number of days that a
covered entity is not in compliance with such
section by an amount not greater than $11,000.
(ii) Treatment of violations of section
3.--For purposes of paragraph (1)(C) with
regard to a violation of section 3, the amount
determined under this paragraph is the amount
calculated by multiplying the number of
violations of such section by an amount not
greater than $11,000. Each failure to send
notification as required under section 3 to a
resident of the State shall be treated as a
separate violation.
(B) Maximum total liability.--Notwithstanding the
number of actions which may be brought against a
covered entity under this subsection, the maximum civil
penalty for which any covered entity may be liable
under this subsection shall not exceed--
(i) $2,500,000 for each violation of
section 2; and
(ii) $2,500,000 for all violations of
section 3 resulting from a single breach of
security.
(C) Adjustment for inflation.--Beginning on the
date that the Consumer Price Index is first published
by the Bureau of Labor Statistics that is after one
year after the date of enactment of this Act, and each
year thereafter, the amounts specified in clauses (i)
and (ii) of subparagraph (A) and clauses (i) and (ii)
of subparagraph (B) shall be increased by the
percentage increase in the Consumer Price Index
published on that date from the Consumer Price Index
published the previous year.
(D) Penalty factors.--In determining the amount of
such a civil penalty, the degree of culpability, any
history of prior such conduct, ability to pay, effect
on ability to continue to do business, and such other
matters as justice may require shall be taken into
account.
(3) Intervention by the federal trade commission.--
(A) Notice and intervention.--In all cases, the
State shall provide prior written notice of any action
under paragraph (1) to the Commission and provide the
Commission with a copy of its complaint, except in any
case in which such prior notice is not feasible, in
which case the State shall serve such notice
immediately upon instituting such action. The
Commission shall have the right--
(i) to intervene in the action;
(ii) upon so intervening, to be heard on
all matters arising therein; and
(iii) to file petitions for appeal.
(B) Pending proceedings.--If the Federal Trade
Commission initiates a Federal civil action for a
violation of this Act, no State attorney general may
bring an action for a violation of this Act that
resulted from the same or related acts or omissions
against a defendant named in the civil action initiated
by the Federal Trade Commission.
(4) Construction.--For purposes of bringing any civil
action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(c) No Private Cause of Action.--Nothing in this Act shall be
construed to establish a private cause of action against a person for a
violation of this Act.
SEC. 5. DEFINITIONS.
In this Act:
(1) Breach of security.--The term ``breach of security''--
(A) means a compromise of the security,
confidentiality, or integrity of, or loss of, data in
electronic form that results in, or there is a
reasonable basis to conclude has resulted in,
unauthorized access to or acquisition of personal
information from a covered entity; and
(B) does not include the good faith acquisition of
personal information by an employee or agent of the
covered entity for the purposes of the covered entity,
if the personal information is not used or subject to
further unauthorized disclosure.
(2) Breached covered entity.--The term ``breached covered
entity'' means a covered entity that has incurred a breach of
security affecting data in electronic form containing personal
information of a non-breached covered entity that has directly
contracted the breached covered entity to maintain, store, or
process data in electronic form containing personal information
on behalf of such non-breached covered entity. For purposes of
this definition, the term ``breached covered entity'' shall not
include a service provider.
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Consumer reporting agency that compiles and maintains
files on consumers on a nationwide basis.--The term ``consumer
reporting agency that compiles and maintains files on consumers
on a nationwide basis'' has the meaning given that term in
section 603(p) of the Fair Credit Reporting Act (15 U.S.C.
1681a(p)).
(5) Covered entity.--
(A) In general.--The term ``covered entity''
means--
(i) a sole proprietorship, partnership,
corporation, trust, estate, cooperative,
association, or other entity in or affecting
commerce that acquires, maintains, stores,
sells, or otherwise uses data in electronic
form that includes personal information, over
which the Commission has authority pursuant to
section 5(a)(2) of the Federal Trade Commission
Act (15 U.S.C. 45(a)(2));
(ii) notwithstanding section 5(a)(2) of the
Federal Trade Commission Act (15 U.S.C.
45(a)(2)), common carriers subject to the
Communications Act of 1934 (47 U.S.C. 151 et
seq.); and
(iii) notwithstanding any jurisdictional
limitation of the Federal Trade Commission Act
(15 U.S.C. 41 et seq.), any non-profit
organization.
(B) Exceptions.--The term ``covered entity'' does
not include--
(i) a covered entity, as defined in section
160.103 of title 45, Code of Federal
Regulations;
(ii) a business associate, as defined in
section 160.103 of title 45, Code of Federal
Regulations, acting in its capacity as a
business associate;
(iii) if a covered entity, as defined in
section 160.103 of title 45, Code of Federal
Regulations, is a hybrid entity, as defined in
section 164.105 of title 45, Code of Federal
Regulations, then the health care component of
such hybrid entity;
(iv) a broker, dealer, investment adviser,
or person engaged in providing insurance that
is subject to title V of Public Law 106-102 (15
U.S.C. 6801 et seq.); or
(v) a State-chartered credit union, as
defined in section 101(6) of the Federal Credit
Union Act (12 U.S.C. 1752(6)), that is not an
insured credit union as defined in section
101(7) of such Act (12 U.S.C. 1752(7)).
(6) Data in electronic form.--The term ``data in electronic
form'' means any data stored electronically or digitally on any
computer system or other database and includes recordable tapes
and other mass storage devices.
(7) Encrypted.--The term ``encrypted'', used with respect
to data in electronic form, in storage or in transit--
(A) means the data is protected using an encryption
technology that has been generally accepted by experts
in the field of information security at the time the
breach of security occurred that renders such data
indecipherable in the absence of associated
cryptographic keys necessary to enable decryption of
such data; and
(B) includes appropriate management and safeguards
of such cryptographic keys in order to protect the
integrity of the encryption.
(8) Non-breached covered entity.--The term ``non-breached
covered entity'' means a covered entity that has not incurred
the breach of security involving data in electronic form
containing personal information that it owns or licenses but
whose data has been affected by the breach of security incurred
by a breached covered entity it directly contracts to maintain,
store, or process data in electronic form containing personal
information on behalf of the non-breached covered entity.
(9) Non-profit organization.--The term ``non-profit
organization'' means an organization that is described in
section 501(c)(3) of the Internal Revenue Code of 1986 and
exempt from tax under section 501(a) of such Code.
(10) Personal information.--
(A) In general.--The term ``personal information''
means any information or compilation of information in
electronic form that includes the following:
(i) An individual's first and last name or
first initial and last name in combination with
any one of the following data elements:
(I) A driver's license number,
passport number, or alien registration
number or other government-issued
unique identification number.
(II) Any two of the following:
(aa) Home address or
telephone number.
(bb) Mother's maiden name,
if identified as such.
(cc) Month, day, and year
of birth.
(ii) A financial account number or credit
or debit card number or other identifier, in
combination with any security code, access
code, or password that is required for an
individual to obtain credit, withdraw funds, or
engage in a financial transaction.
(iii) A unique account identifier (other
than for an account described in clause (ii)),
electronic identification number, biometric
data unique to an individual, user name, or
routing code in combination with any associated
security code, access code, biometric data
unique to an individual, or password that is
required for an individual to obtain money, or
purchase goods, services, or any other thing of
value.
(iv) A non-truncated social security
number.
(v) For any telecommunications carrier or
interconnected VoIP provider, the location of,
number from which and to which a call is
placed, and the time and duration of such call.
(B) Exceptions.--The term ``personal information''
does not include--
(i) information that is encrypted or
rendered unusable, unreadable, or
indecipherable through data security technology
or methodology that is generally accepted by
experts in the field of information security at
the time the breach of security occurred, such
as redaction or access controls; or
(ii) information available in a publicly
available source, including information
obtained from a news report, periodical, or
other widely distributed media, or from
Federal, State, or local government records.
(11) Service provider.--The term ``service provider'' means
a covered entity subject to the Communications Act of 1934 (47
U.S.C. 151 et seq.) that provides electronic data transmission,
routing, intermediate and transient storage, or connection to
its system or network, where such entity providing such service
does not select or modify the content of the electronic data,
is not the sender or the intended recipient of the data, and
does not differentiate personal information from other
information that such entity transmits, routes, stores, or for
which such entity provides connections. Any such entity shall
be treated as a service provider under this Act only to the
extent that it is engaged in the provision of such
transmission, routing, intermediate and transient storage, or
connections.
(12) Small business concern.--The term ``small business
concern'' has the meaning given such term under section 3 of
the Small Business Act (15 U.S.C. 632).
(13) State.--The term ``State'' means each of the several
States, the District of Columbia, the Commonwealth of Puerto
Rico, Guam, American Samoa, the Virgin Islands of the United
States, the Commonwealth of the Northern Mariana Islands, any
other territory or possession of the United States, and each
federally recognized Indian tribe.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws.--No State or
political subdivision of a State shall, with respect to a covered
entity subject to this Act, adopt, maintain, enforce, or impose or
continue in effect any law, rule, regulation, duty, requirement,
standard, or other provision having the force and effect of law
relating to or with respect to the security of data in electronic form
or notification following a security breach of such data.
(b) Common Law.--This section shall not exempt a covered entity
from liability under common law.
(c) Certain FTC Enforcement Limited to Data Security and Breach
Notification.--
(1) Data security and breach notification.--Insofar as
sections 201, 202, 222, 338, and 631 of the Communications Act
of 1934 (47 U.S.C. 201, 202, 222, 338, and 551), and any
regulations promulgated thereunder, apply to covered entities
with respect to securing information in electronic form from
unauthorized access, including notification of unauthorized
access to data in electronic form containing personal
information, such sections and regulations promulgated
thereunder shall have no force or effect, unless such
regulations pertain solely to 9-1-1 calls.
(2) Rule of construction.--Nothing in this subsection
otherwise limits the Federal Communications Commission's
authority with respect to sections 201, 202, 222, 338, and 631
of the Communications Act of 1934 (47 U.S.C. 201, 202, 222,
338, and 551).
(d) Preservation of Commission Authority.--Nothing in this Act may
be construed in any way to limit or affect the Commission's authority
under any other provision of law.
SEC. 7. EDUCATION AND OUTREACH FOR SMALL BUSINESSES.
The Commission shall conduct education and outreach for small
business concerns on data security practices and how to prevent hacking
and other unauthorized access to, acquisition of, or use of data
maintained by such small business concerns.
SEC. 8. WEBSITE ON DATA SECURITY BEST PRACTICES.
The Commission shall establish and maintain an Internet website
containing non-binding best practices for businesses regarding data
security and how to prevent hacking and other unauthorized access to,
acquisition of, or use of data maintained by such businesses.
SEC. 9. EFFECTIVE DATE.
This Act shall take effect 1 year after the date of enactment of
this Act.