[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1770 Reported in House (RH)]
Union Calendar No. 719
114th CONGRESS
2d Session
H. R. 1770
[Report No. 114-908]
To require certain entities who collect and maintain personal
information of individuals to secure such information and to provide
notice to such individuals in the case of a breach of security
involving such information, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 14, 2015
Mrs. Blackburn (for herself, Mr. Welch, Mr. Burgess, and Mr. Upton)
introduced the following bill; which was referred to the Committee on
Energy and Commerce
January 3, 2017
Reported with an amendment, committed to the Committee of the Whole
House on the State of the Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed
in italic]
[For text of introduced bill, see copy of bill as introduced on April
14, 2015]
_______________________________________________________________________
A BILL
To require certain entities who collect and maintain personal
information of individuals to secure such information and to provide
notice to such individuals in the case of a breach of security
involving such information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; PURPOSES.
(a) Short Title.--This Act may be cited as the ``Data Security and
Breach Notification Act of 2015''.
(b) Purposes.--The purposes of this Act are to--
(1) protect consumers from identity theft, economic loss or
economic harm, and financial fraud by establishing strong and
uniform national data security and breach notification
standards for electronic data in interstate commerce while
minimizing State law burdens that may substantially affect
interstate commerce; and
(2) expressly preempt any related State laws to ensure
uniformity of this Act's standards and the consistency of their
application across jurisdictions.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
A covered entity shall implement and maintain reasonable security
measures and practices to protect and secure personal information in
electronic form against unauthorized access and acquisition as
appropriate for the size and complexity of such covered entity and the
nature and scope of its activities.
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) In General.--
(1) Restoring security.--Except as otherwise provided by
this section, a covered entity that uses, accesses, transmits,
stores, disposes of, or collects personal information shall,
following the discovery of a breach of security, restore the
reasonable integrity, security, and confidentiality of the data
system and identify the impact of the breach pursuant to
paragraph (2).
(2) Investigation.--A covered entity shall conduct in good
faith a reasonable and prompt investigation of the breach of
security to determine whether there is a reasonable risk that
the breach of security has resulted in, or will result in,
identity theft, economic loss or economic harm, or financial
fraud to the individuals whose personal information was subject
to the breach of security.
(3) Notification to individuals required.--
(A) Trigger.--Unless there is no reasonable risk
that the breach of security has resulted in, or will
result in, identity theft, economic loss or economic
harm, or financial fraud to the individuals whose
personal information was affected by the breach of
security, the covered entity shall notify any resident
of the United States that has been affected by the
breach of security pursuant to this section.
(B) Notification duty.--Unless subject to a delay
authorized under subsection (c)--
(i) a breached covered entity shall notify
any individual for whom an election was not
made under paragraph (4)(C) not later than 25
days after the non-breached covered entity
declines or fails to exercise the election
under paragraph (4)(C);
(ii) a non-breached covered entity shall
notify any individual for whom the non-breached
covered entity provided personal information to
the breached covered entity, and such personal
information was affected by the breach of
security, not later than 25 days after
exercising the election under paragraph (4)(C);
and
(iii) any other covered entity shall
identify the individuals affected by a breach
of security and make the notification required
under this subsection as expeditiously as
possible, without unreasonable delay, and not
later than 30 days after completing the
requirements of paragraph (1).
(C) Notification required upon discovery of
additional individuals affected.--If a covered entity,
breached covered entity, or non-breached covered entity
has provided the notification to individuals required
under this subsection and after such notification
discovers additional individuals to whom notification
is required under this subsection with respect to the
same breach of security, the covered entity, breached
covered entity, or non-breached covered entity shall
make such notification to such individuals as
expeditiously as possible and without unreasonable
delay.
(4) Non-breached covered entity election notice.--
(A) Notice to non-breached covered entity
required.--Subject to the requirements of this
paragraph, unless there is no reasonable risk that the
breach of security has resulted in, or will result in,
identity theft, economic loss or economic harm, or
financial fraud related to the personal information
provided by the non-breached covered entity to the
breached covered entity, the breached covered entity
shall, as expeditiously as possible and without
unreasonable delay within 10 days after fulfilling the
requirements described in paragraph (1), notify in
writing each non-breached covered entity of the breach
of security.
(B) Contents of notice.--The breached covered
entity shall include in the notice described in
subparagraph (A) the elements of personal information
received from the non-breached covered entity pursuant
to the contract described in subparagraph (C)
reasonably believed to be affected by the breach of
security.
(C) Election by non-breached covered entity after
receiving notice from a breached covered entity.--In
the case of a breached covered entity that is a party
to a written contract with a non-breached covered
entity in which the breached covered entity maintains,
stores, transmits, or processes data in electronic form
containing personal information, not later than 10 days
after receipt of the notice described in subparagraph
(A), the non-breached covered entity may elect, in
writing to the breached covered entity, to provide
notification required by paragraph (3) to all individuals
whose personal information was provided by the non-
breached covered entity to the breached covered entity
and was affected by the breach of security. Such
election relieves the breached covered entity of the
requirements under paragraph (3) with respect to such
individuals.
(D) Obligation after election.--
(i) Breached covered entity cooperation.--
If a non-breached covered entity elects under
subparagraph (C) to provide notice under
paragraph (3), the breached covered entity
shall cooperate in all reasonable respects with
the non-breached covered entity and provide any
of the information the breached covered entity
possesses that is described under subsection
(d)(1)(B) and provide all personal information
received from the non-breached covered entity
that was affected by the breach of security so
that the notification to such individuals is
made as required under this section. Not later
than 10 business days after the non-breached
covered entity submits a written request for
information requested under this subsection to
the breached covered entity, the breached
covered entity shall provide such information.
(ii) Non-breached covered entity
cooperation.--If a non-breached covered entity
does not elect to provide notice to individuals
under subparagraph (C), the non-breached
covered entity shall provide any of the
information the non-breached covered entity
possesses that is described under subsection
(d)(1)(B) for any individual whose personal
information was received from the non-breached
covered entity that was affected by the breach
of security, and cooperate in all reasonable
respects with, the breached covered entity so
that the notification to such individuals is
made as required under this section. Not later
than 10 business days after the breached
covered entity submits a written request for
information requested under this subsection to
the non-breached covered entity, the non-
breached covered entity shall provide such
information.
(5) Law enforcement.--A covered entity shall as
expeditiously as possible notify the Commission and the Secret
Service or the Federal Bureau of Investigation of the fact that
a breach of security has occurred if the number of individuals
whose personal information was, or there is a reasonable basis
to conclude was, accessed and acquired by an unauthorized
person exceeds 10,000. Any notification provided to the Secret
Service or the Federal Bureau of Investigation pursuant to this
paragraph shall be provided not less than 10 days before
notification is provided to individuals pursuant to paragraph
(3).
(b) Special Notification Requirements.--
(1) Non-profit organizations.--In the event of a breach of
security involving personal information that would trigger
notification under subsection (a), a non-profit organization
may complete such notification according to the procedures set
forth in subsection (d)(2).
(2) Coordination of notification with consumer reporting
agencies.--If a covered entity is required to provide
notification to more than 10,000 individuals under subsection
(a), such covered entity shall also notify a consumer reporting
agency that compiles and maintains files on consumers on a
nationwide basis, of the timing and distribution of the
notices. Such notice shall be given to such consumer reporting
agencies without unreasonable delay and, if it will not delay
notice to the affected individuals, prior to the distribution
of notices to the affected individuals.
(c) Delay of Notification Authorized for Law Enforcement or
National Security Purposes.--Notwithstanding paragraph (1), if a
Federal, State, or local law enforcement agency determines that the
notification to individuals required under this section would impede a
civil or criminal investigation or a Federal agency determines that
such notification would threaten national security, such notification
shall be delayed upon written request of the law enforcement agency or
Federal agency which the law enforcement agency or Federal agency
determines is reasonably necessary and requests in writing. A law
enforcement agency or Federal agency may, by a subsequent written
request, revoke such delay or extend the period of time set forth in
the original request made under this paragraph if further delay is
necessary. If a law enforcement agency or Federal agency requests a
delay of notification to individuals under this paragraph, the
Commission shall, upon written request of the law enforcement agency or
Federal agency, delay any public disclosure of a notification received
by the Commission under this section relating to the same breach of
security until the delay of notification to individuals is no longer in
effect.
(d) Method and Content of Notification.--
(1) Direct notification.--
(A) Method of notification.--A covered entity
required to provide notification to an individual under
subsection (a) shall be in compliance with such
requirement if the covered entity provides such notice
by one of the following methods (if the selected method
can reasonably be expected to reach the intended
individual):
(i) Written notification by postal mail.
(ii) Notification by email or other
electronic means, if the covered entity's
primary method of communication with the
individual is by email or such other electronic
means or the individual has consented to
receive such notification.
(B) Content of notification.--Regardless of the
method by which notification is provided to an
individual under subparagraph (A) with respect to a
breach of security, such notification shall include
each of the following:
(i) The identity of the covered entity that
suffered the breach and, if such covered entity
is also a breached covered entity providing
notice under section 3(b)(1), the identity of
each non-breached covered entity that did not
elect to notify affected individuals pursuant
to section 3(b)(1)(B) sufficient to show the
breached covered entity's commercial
relationship to the individual receiving
notice.
(ii) A description of the personal
information that was, or there is a reasonable
basis to conclude was, acquired and accessed by
an unauthorized person.
(iii) The date range of the breach of
security, or an approximate date range of the
breach of security if a specific date range is
unknown based on the information available at
the time of the notification.
(iv) A telephone number, or toll-free
telephone number for any covered entity that
does not meet the definition of a small
business concern or non-profit organization,
that the individual may use to contact the
covered entity to inquire about the breach of
security or the information the covered entity
maintained about that individual.
(v) The toll-free contact telephone numbers
and addresses for a consumer reporting agency
that compiles and maintains files on consumers
on a nationwide basis.
(vi) The toll-free telephone number and
Internet website address for the Commission
whereby the individual may obtain information
regarding identity theft.
(2) Substitute notification.--
(A) In general.--If, after making reasonable
efforts to contact all individuals to whom notice is
required under subsection (a), the covered entity finds
that contact information for 500 or more individuals is
insufficient or out-of-date, the covered entity shall
also provide substitute notice to those individuals,
which shall be reasonably calculated to reach the
individuals affected by the breach of security.
(B) Form of substitute notification.--A covered
entity may provide substitute notification by--
(i) email or other electronic notification
to the extent that the covered entity has
contact information for individuals to whom it
is required to provide notification under
subsection (a); and
(ii) a conspicuous notice on the covered
entity's Internet website (if such covered
entity maintains such a website) for at least
90 days.
(C) Content of substitute notice.--Each form of
substitute notice under clauses (i) and (ii) of
subparagraph (B) shall include the information required
under paragraph (1)(B).
(3) Direct notification by a third party.--Nothing in this
Act shall be construed to prevent a covered entity from
contracting with a third party to provide the notification
required under this section, provided such third party issues
such notification without unreasonable delay, in accordance
with the requirements of this section, and indicates to all
individuals in such notification that such third party is
sending such notification on behalf of the covered entity.
(e) Requirements of Service Providers.--
(1) In general.--If a service provider becomes aware of a
breach of security involving data in electronic form containing
personal information that is owned or licensed by a covered
entity that connects to or uses a system or network provided by
the service provider for the purpose of transmitting, routing,
or providing intermediate or transient storage of such data,
such service provider shall notify the covered entity who
initiated such connection, transmission, routing, or storage of
the data containing personal information breached, if such
covered entity can be reasonably identified. If a service
provider is acting solely as a service provider for purposes of
this subsection, the service provider has no other notification
obligations under this section.
(2) Covered entities who receive notice from service
providers.--Upon receiving notification from a service provider
under paragraph (1), a covered entity shall provide
notification as required under this section.
SEC. 4. ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2 or 3 shall be treated as an unfair and deceptive act
or practice in violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of commission.--The Commission shall enforce
this Act in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all applicable
terms and provisions of the Federal Trade Commission Act (15
U.S.C. 41 et seq.) were incorporated into and made a part of
this Act, and any covered entity who violates this Act shall be
subject to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission Act (15
U.S.C. 41 et seq.), and as provided in clauses (ii) and (iii)
of section 5(5)(A). Notwithstanding section 5(m) of the Federal
Trade Commission Act, the Commission may impose civil penalties
for violations of section 3 in an amount not greater than
$1,000 per violation. Each failure to send notification as
required under section 3 to a resident of the United States
shall be treated as a separate violation.
(3) Maximum total liability for first-time violation of
section 2.--The maximum total civil penalty for which any
covered entity is liable under this subsection for all
violations of section 2 resulting from the same related act or
omission may not exceed $8,760,000, if such act or omission
constitutes the covered entity's first violation of section 2.
(4) Maximum total liability for first-time violation of
section 3.--The maximum total civil penalty for which any
covered entity is liable under this subsection for all
violations of section 3 resulting from the same related act or
omission may not exceed $17,520,000, if such act or omission
constitutes the covered entity's first violation of section 3.
(b) Enforcement by State Attorneys General.--
(1) Civil action.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by any covered entity who violates section 2
or 3 of this Act, the attorney general of the State, as parens
patriae, may bring a civil action on behalf of the residents of
the State in a district court of the United States of
appropriate jurisdiction to--
(A) enjoin further violation of such section by the
defendant;
(B) compel compliance with such section; or
(C) obtain civil penalties in the amount determined
under paragraph (2).
(2) Civil penalties.--
(A) Calculation.--
(i) Treatment of violations of section 2.--
For purposes of paragraph (1)(C) with regard to
all violations of section 2 resulting from the
same related act or omission, the amount
determined under this paragraph is the amount
calculated by multiplying the number of days
that a covered entity is not in compliance with
such section by an amount not greater than
$11,000.
(ii) Treatment of violations of section
3.--For purposes of paragraph (1)(C) with
regard to a violation of section 3, the amount
determined under this paragraph is the amount
calculated by multiplying the number of
violations of such section by an amount not
greater than $1,000. Each failure to send
notification as required under section 3 to a
resident of the State shall be treated as a
separate violation.
(B) Maximum total liability.--Notwithstanding the
number of actions which may be brought against a
covered entity under this subsection, the maximum civil
penalty for which any covered entity may be liable
under this subsection shall not exceed--
(i) $2,500,000 for each violation of
section 2; and
(ii) $2,500,000 for all violations of
section 3 resulting from a single breach of
security.
(C) Adjustment for inflation.--Beginning on the
date that the Consumer Price Index is first published
by the Bureau of Labor Statistics that is after one
year after the date of enactment of this Act, and each
year thereafter, the amounts specified in clauses (i)
and (ii) of subparagraph (A) and clauses (i) and (ii)
of subparagraph (B) shall be increased by the
percentage increase in the Consumer Price Index
published on that date from the Consumer Price Index
published the previous year.
(D) Penalty factors.--In determining the amount of
such a civil penalty, the degree of culpability, any
history of prior such conduct, ability to pay, effect
on ability to continue to do business, and such other
matters as justice may require shall be taken into
account.
(3) Intervention by the federal trade commission.--
(A) Notice and intervention.--In all cases, the
State shall provide prior written notice of any action
under paragraph (1) to the Commission and provide the
Commission with a copy of its complaint, except in any
case in which such prior notice is not feasible, in
which case the State shall serve such notice
immediately upon instituting such action. The
Commission shall have the right--
(i) to intervene in the action;
(ii) upon so intervening, to be heard on
all matters arising therein; and
(iii) to file petitions for appeal.
(B) Pending proceedings.--If the Federal Trade
Commission initiates a Federal civil action for a
violation of this Act, no State attorney general may
bring an action for a violation of this Act that
resulted from the same or related acts or omissions
against a defendant named in the civil action initiated
by the Federal Trade Commission.
(4) Construction.--For purposes of bringing any civil
action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(c) No Private Cause of Action.--Nothing in this Act shall be
construed to establish a private cause of action against a person for a
violation of this Act.
SEC. 5. DEFINITIONS.
In this Act:
(1) Breach of security.--The term ``breach of security''--
(A) means a compromise of the security,
confidentiality, or integrity of, or loss of, data in
electronic form that results in, or there is a
reasonable basis to conclude has resulted in,
unauthorized access to and acquisition of personal
information from a covered entity; and
(B) does not include the good faith acquisition of
personal information by an employee or agent of the
covered entity for the purposes of the covered entity,
if the personal information is not used or subject to
further unauthorized disclosure.
(2) Breached covered entity.--The term ``breached covered
entity'' means a covered entity that has incurred a breach of
security affecting data in electronic form containing personal
information of a non-breached covered entity that has directly
contracted the breached covered entity to maintain, store, or
process data in electronic form containing personal information
on behalf of such non-breached covered entity. For purposes of
this definition, the term ``breached covered entity'' shall not
include a service provider that is subject to section 3(e).
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Consumer reporting agency that compiles and maintains
files on consumers on a nationwide basis.--The term ``consumer
reporting agency that compiles and maintains files on consumers
on a nationwide basis'' has the meaning given that term in
section 603(p) of the Fair Credit Reporting Act (15 U.S.C.
1681a(p)).
(5) Covered entity.--
(A) In general.--The term ``covered entity''
means--
(i) a sole proprietorship, partnership,
corporation, trust, estate, cooperative,
association, or other entity in or affecting
commerce that acquires, maintains, stores,
sells, or otherwise uses data in electronic
form that includes personal information, over
which the Commission has authority pursuant to
section 5(a)(2) of the Federal Trade Commission
Act (15 U.S.C. 45(a)(2));
(ii) notwithstanding section 5(a)(2) of the
Federal Trade Commission Act (15 U.S.C.
45(a)(2)), common carriers subject to the
Communications Act of 1934 (47 U.S.C. 151 et
seq.); and
(iii) notwithstanding any jurisdictional
limitation of the Federal Trade Commission Act
(15 U.S.C. 41 et seq.), any non-profit
organization.
(B) Exceptions.--The term ``covered entity'' does
not include--
(i) a covered entity, as defined in section
160.103 of title 45, Code of Federal
Regulations;
(ii) a business associate, as defined in
section 160.103 of title 45, Code of Federal
Regulations, acting in its capacity as a
business associate;
(iii) if a covered entity, as defined in
section 160.103 of title 45, Code of Federal
Regulations, is a hybrid entity, as defined in
section 164.105 of title 45, Code of Federal
Regulations, then the health care component of
such hybrid entity;
(iv) a broker, dealer, investment adviser,
futures commission merchant, special purpose
vehicle, finance company, or person engaged in
providing insurance that is subject to title V
of Public Law 106-102 (15 U.S.C. 6801 et seq.);
(v) a State-chartered credit union, as
defined in section 101(6) of the Federal Credit
Union Act (12 U.S.C. 1752(6)), that is not an
insured credit union as defined in section
101(7) of such Act (12 U.S.C. 1752(7)); or
(vi) a credit union service organization as
outlined in section 106(7)(I) of the Federal
Credit Union Act (12 U.S.C. 1757(7)(I)).
(6) Data in electronic form.--The term ``data in electronic
form'' means any data stored electronically or digitally on any
computer system or other database and includes recordable tapes
and other mass storage devices.
(7) Encrypted.--The term ``encrypted'', used with respect
to data in electronic form, in storage or in transit--
(A) means the data is protected using an encryption
technology that has been generally accepted by experts
in the field of information security at the time the
breach of security occurred that renders such data
indecipherable in the absence of associated
cryptographic keys necessary to enable decryption of
such data; and
(B) includes appropriate management and safeguards
of such cryptographic keys in order to protect the
integrity of the encryption.
(8) Non-breached covered entity.--The term ``non-breached
covered entity'' means a covered entity that has not incurred
the breach of security involving data in electronic form
containing personal information that it owns or licenses but
whose data has been affected by the breach of security incurred
by a breached covered entity it directly contracts to maintain,
store, or process data in electronic form containing personal
information on behalf of the non-breached covered entity.
(9) Non-profit organization.--The term ``non-profit
organization'' means an organization that is described in
section 501(c)(3) of the Internal Revenue Code of 1986 and
exempt from tax under section 501(a) of such Code.
(10) Personal information.--
(A) In general.--The term ``personal information''
means any information or compilation of information in
electronic form that includes the following:
(i) An individual's first and last name or
first initial and last name in combination with
all of the following:
(I) Home address or telephone
number.
(II) Mother's maiden name, if
identified as such.
(III) Month, day, and year of
birth.
(ii) A financial account number or credit
or debit card number or other identifier, in
combination with any security code, access
code, or password that is required for an
individual to obtain credit, withdraw funds, or
engage in a financial transaction.
(iii) A unique account identifier (other
than for an account described in clause (ii)),
electronic identification number, biometric
data unique to an individual, user name, or
routing code in combination with any associated
security code, access code, biometric data
unique to an individual, or password that is
required for an individual to obtain money, or
purchase goods, services, or any other thing of
value.
(iv) A non-truncated social security
number.
(v) Any information that pertains to the
transmission of specific calls, including, for
outbound calls, the number called, and the
time, location, or duration of any call and,
for inbound calls, the number from which the
call was placed, and the time, location, or
duration of any call.
(vi) A user name or email address, in
combination with a password or security
question and answer that would permit access to
an online account.
(vii) A driver's license number, passport
number, or alien registration number or other
government-issued unique identification number.
(B) Exceptions.--The term ``personal information''
does not include--
(i) information that is encrypted or
rendered unusable, unreadable, or
indecipherable through data security technology
or methodology that is generally accepted by
experts in the field of information security at
the time the breach of security occurred, such
as redaction or access controls; or
(ii) information available in a publicly
available source, including information
obtained from a news report, periodical, or
other widely distributed media, or from
Federal, State, or local government records.
(11) Service provider.--The term ``service provider'' means
a covered entity subject to the Communications Act of 1934 (47
U.S.C. 151 et seq.) that provides electronic data transmission,
routing, intermediate and transient storage, or connection to
its system or network, where such entity providing such service
does not select or modify the content of the electronic data,
is not the sender or the intended recipient of the data, and
does not differentiate personal information from other
information that such entity transmits, routes, stores, or for
which such entity provides connections. Any such entity shall
be treated as a service provider under this Act only to the
extent that it is engaged in the provision of such
transmission, routing, intermediate and transient storage, or
connections.
(12) Small business concern.--The term ``small business
concern'' has the meaning given such term under section 3 of
the Small Business Act (15 U.S.C. 632).
(13) State.--The term ``State'' means each of the several
States, the District of Columbia, the Commonwealth of Puerto
Rico, Guam, American Samoa, the Virgin Islands of the United
States, the Commonwealth of the Northern Mariana Islands, any
other territory or possession of the United States, and each
federally recognized Indian tribe.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws.--No State or
political subdivision of a State shall, with respect to a covered
entity subject to this Act, adopt, maintain, enforce, or impose or
continue in effect any law, rule, regulation, duty, requirement,
standard, or other provision having the force and effect of law
relating to or with respect to the security of data in electronic form
or notification following a security breach of such data.
(b) Common Law.--This section shall not exempt a covered entity
from liability under common law.
(c) Certain FTC Enforcement Limited to Data Security and Breach
Notification.--
(1) Data security and breach notification.--Insofar as
sections 201, 202, 222, 338, and 631 of the Communications Act
of 1934 (47 U.S.C. 201, 202, 222, 338, and 551), and any
regulations promulgated thereunder, apply to covered entities
with respect to securing information in electronic form from
unauthorized access and acquisition, including notification of
unauthorized access and acquisition to data in electronic form
containing personal information, such sections and regulations
promulgated thereunder shall have no force or effect, unless
such regulations pertain solely to 9-1-1 calls.
(2) Rule of construction.--Nothing in this subsection
otherwise limits the Federal Communications Commission's
authority with respect to sections 201, 202, 222, 338, and 631
of the Communications Act of 1934 (47 U.S.C. 201, 202, 222,
338, and 551).
(d) Preservation of Commission Authority.--Nothing in this Act may
be construed in any way to limit or affect the Commission's authority
under any other provision of law.
SEC. 7. EDUCATION AND OUTREACH FOR SMALL BUSINESSES.
The Commission shall conduct education and outreach for small
business concerns on data security practices and how to prevent hacking
and other unauthorized access to, acquisition of, or use of data
maintained by such small business concerns.
SEC. 8. WEBSITE ON DATA SECURITY BEST PRACTICES.
The Commission shall establish and maintain an Internet website
containing non-binding best practices for businesses regarding data
security and how to prevent hacking and other unauthorized access to,
acquisition of, or use of data maintained by such businesses.
SEC. 9. EFFECTIVE DATE.
This Act shall take effect 1 year after the date of enactment of
this Act.