S.1207 - Data Security and Breach Notification Act of 2011112th Congress (2011-2012)
|Sponsor:||Sen. Pryor, Mark L. [D-AR] (Introduced 06/15/2011)|
|Committees:||Senate - Commerce, Science, and Transportation|
|Latest Action:||06/15/2011 Read twice and referred to the Committee on Commerce, Science, and Transportation. (All Actions)|
This bill has the status Introduced
Here are the steps for Status of Legislation:
Summary: S.1207 — 112th Congress (2011-2012)All Bill Information (Except Text)
Introduced in Senate (06/15/2011)
Data Security and Breach Notification Act of 2011 - Requires the Federal Trade Commission (FTC) to promulgate regulations requiring each covered entity (proprietorships, partnerships, estates, trusts, cooperatives, and nonprofit and for-profit corporations) that owns or possesses data containing personal information to implement policies and procedures regarding information security practices for the treatment and protection of such information.
Sets forth additional requirements for information brokers, including requiring brokers to: (1) submit their security policies to the FTC with a notification of a security breach or upon FTC request; (2) establish procedures to assure the accuracy of the information they collect, assemble, or maintain that is personal information or that identifies an individual; (3) provide individuals access to their personal information for review; and (4) correct inaccurate information. Authorizes the FTC to conduct information security practices audits of brokers who have had a security breach or require such brokers to conduct independent audits.
Directs the FTC to require information brokers to establish measures that facilitate the auditing or retracing of access to, or transmissions of, any data containing personal information.
Makes it unlawful for information brokers to obtain or disclose personal information by false pretenses (pretexting).
Establishes procedures in the event of an information security breach. Requires a covered entity that discovers a breach to notify the FTC and affected individuals. Sets forth requirements concerning such notification, including the method of notification requirements and timeliness requirements. Allows an exemption from notification requirements if such entity determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct. Establishes a presumption that there is no such risk for encrypted data.
Applies this Act to nonprofit organizations.
Sets forth enforcement provisions.