There is 1 version of this bill. View text

Click the check-box to add or remove the section, click the text link to scroll to that section.
Titles Actions Overview All Actions Cosponsors Committees Related Bills Subjects Latest Summary All Summaries

Titles (2)

Short Titles

Short Titles - Senate

Short Titles as Introduced

Data Security and Breach Notification Act of 2015

Official Titles

Official Titles - Senate

Official Titles as Introduced

A bill to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a breach of security.


Actions Overview (1)

Date Actions Overview
01/13/2015Introduced in Senate

All Actions (1)

Date All Actions
01/13/2015Read twice and referred to the Committee on Commerce, Science, and Transportation.
Action By: Senate

Cosponsors (1)

* = Original cosponsor
CosponsorDate Cosponsored
Sen. Blumenthal, Richard [D-CT] 04/20/2015

Committees (1)

Committees, subcommittees and links to reports associated with this bill are listed here, as well as the nature and date of committee activity and Congressional report number.

Committee / Subcommittee Date Activity Reports
Senate Commerce, Science, and Transportation01/13/2015 Referred to

No related bill information was received for S.177.


Latest Summary (1)

There is one summary for S.177. View summaries

Shown Here:
Introduced in Senate (01/13/2015)

Data Security and Breach Notification Act of 2015

Requires the Federal Trade Commission (FTC) to promulgate regulations requiring commercial entities, nonprofit and for-profit corporations, estates, trusts, cooperatives, and other specified entities that own or possess data containing personal information (covered entities), or that contract to have a third-party maintain or process such data for the entity, to implement information security policies and procedures for the treatment and protection of personal information.

Establishes procedures to be followed in the event of an information security breach. Requires a covered entity that discovers a breach to notify the FTC (unless the covered entity has already notified a federal entity designated by the Department of Homeland Security [DHS] to receive such information) and affected individuals. Sets forth requirements concerning such notification, including methods of notification and timeliness requirements. Allows an exemption from notification requirements if such entity reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct. Establishes a presumption that there is no such risk for encrypted data.

Directs DHS to designate a federal entity that covered entities would be required to notify if a security breach involves: (1) the personal information of more than 10,000 individuals, (2) a database containing the personal information of more than 1 million individuals, (3) federal government databases, or (4) the personal information of federal employees or contractors known to be involved in national security or law enforcement.

Requires the designated entity to provide each notice it receives to:

  • the U.S. Secret Service;
  • the Federal Bureau of Investigation;
  • the FTC;
  • the U.S. Postal Inspection Service, if mail fraud is involved;
  • attorneys general of affected states; and
  • appropriate federal agencies for law enforcement, national security, or data security purposes.

Sets forth enforcement provisions for the FTC, state attorneys general, and the Attorney General.

Establishes criminal penalties of a fine, imprisonment for up to five years, or both, for concealment of a security breach that results in economic harm of at least $1,000 to an individual.