H.R.1770 - Data Security and Breach Notification Act of 2015114th Congress (2015-2016)
|Sponsor:||Rep. Blackburn, Marsha [R-TN-7] (Introduced 04/14/2015)|
|Committees:||House - Energy and Commerce|
|Committee Reports:||H. Rept. 114-908|
|Latest Action:||01/03/2017 Placed on the Union Calendar, Calendar No. 719. (All Actions)|
This bill has the status Introduced
Here are the steps for Status of Legislation:
Summary: H.R.1770 — 114th Congress (2015-2016)All Bill Information (Except Text)
Reported to House with amendment(s) (01/03/2017)
Data Security and Breach Notification Act of 2015
This bill requires certain commercial entities regulated by the Federal Trade Commission (FTC), common carriers subject to the Communications Act of 1934, and nonprofit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to: (1) implement security measures to protect electronic information against unauthorized access and acquisition; (2) restore the integrity, security, and confidentiality of their data systems following the discovery of a security breach; and (3) determine whether there is a risk that a breach will result in identity theft, economic loss or harm, or financial fraud to individuals' personal information.
Notification of a breach must be sent to: (1) affected U.S. residents; (2) the FTC and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses and acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.
The bill establishes special procedures to coordinate notices that must be provided when: (1) a breached entity processes personal data on behalf of a non-breached entity; or (2) a provider of electronic data transmission, storage, or network connection services becomes aware of a breach.
The bill provides different sets of civil penalties that the FTC and states may impose to enforce against violations of this bill.
The FTC must educate small businesses about data security and establish an Internet website containing non-binding best practices.
The bill preempts state information security and notification laws, but does not exempt an entity from liability under common law. The bill applies to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission (FCC), except for FCC regulations that pertain solely to 9-1-1 calls.