Summary: H.R.1770 — 114th Congress (2015-2016)All Information (Except Text)

Bill summaries are authored by CRS.

Shown Here:
Reported to House with amendment(s) (01/03/2017)

Data Security and Breach Notification Act of 2015

This bill requires certain commercial entities regulated by the Federal Trade Commission (FTC), common carriers subject to the Communications Act of 1934, and nonprofit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to: (1) implement security measures to protect electronic information against unauthorized access and acquisition; (2) restore the integrity, security, and confidentiality of their data systems following the discovery of a security breach; and (3) determine whether there is a risk that a breach will result in identity theft, economic loss or harm, or financial fraud to individuals' personal information.

Notification of a breach must be sent to: (1) affected U.S. residents; (2) the FTC and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses and acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.

The bill establishes special procedures to coordinate notices that must be provided when: (1) a breached entity processes personal data on behalf of a non-breached entity; or (2) a provider of electronic data transmission, storage, or network connection services becomes aware of a breach.

The bill provides different sets of civil penalties that the FTC and states may impose to enforce against violations of this bill.

The FTC must educate small businesses about data security and establish an Internet website containing non-binding best practices.

The bill preempts state information security and notification laws, but does not exempt an entity from liability under common law. The bill applies to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission (FCC), except for FCC regulations that pertain solely to 9-1-1 calls.