Text: H.R.6743 — 115th Congress (2017-2018)

Reported in House (12/21/2018)

Union Calendar No. 849

115th CONGRESS
2d Session
H. R. 6743

[Report No. 115–1097]


To amend the Gramm-Leach-Bliley Act to provide a national standard for financial institution data security and breach notification on behalf of all consumers, and for other purposes.


IN THE HOUSE OF REPRESENTATIVES

September 7, 2018

Mr. Luetkemeyer introduced the following bill; which was referred to the Committee on Financial Services

December 21, 2018

Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed

[Strike out all after the enacting clause and insert the part printed in italic]

[For text of introduced bill, see copy of bill as introduced on September 7, 2018]


A BILL

To amend the Gramm-Leach-Bliley Act to provide a national standard for financial institution data security and breach notification on behalf of all consumers, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Consumer Information Notification Requirement Act”.

SEC. 2. Breach notification standards.

Section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) is amended—

(1) in subsection (b)(3) by striking the period at the end and inserting “, including through the provision of a breach notice in the event of unauthorized access that is reasonably likely to result in identity theft, fraud, or economic loss.”; and

(2) by adding at the end the following:

“(c) Standards with respect to breach notification.—Subject to section 504(a)(2) and sections 505(b) and 505(c), within 6 months after the date of enactment of this subsection, each agency or authority required to establish standards described under subsection (b)(3) with respect to the provision of a breach notice shall ensure that such standards are in compliance with subsection (b).

“(d) Insurance.—

“(1) ENFORCEMENT.—Notwithstanding section 505(a)(6), with respect to an entity engaged in providing insurance, the standards under subsection (b) shall be enforced—

“(A) with respect to any such standards related to data security safeguards, by—

“(i) the State insurance authority of the State in which the entity is domiciled; or

“(ii) in the case of an insurance agency or brokerage, the State insurance authority of the State in which such agency or brokerage has its principal place of business; and

“(B) with respect to any such standards related to notification of the breach of data security, by the State insurance authority of any State in which customers of the entity are affected by such a breach of data security.

“(2) NOTIFICATION BY ASSUMING INSURER.—

“(A) IN GENERAL.—Notwithstanding subsection (b), an assuming insurer that experiences a breach of data security shall only be required to notify the State insurance authority of the State in which the assuming insurer is domiciled.

“(B) ASSUMING INSURER DEFINED.—For purposes of this paragraph, the term ‘assuming insurer’ means an entity engaged in providing insurance that acquires an insurance obligation or risk from another entity engaged in providing insurance pursuant to a reinsurance agreement.

“(3) SAFEGUARDS FOR INSURANCE CUSTOMERS.—In carrying out subsection (b) with respect to an entity engaged in providing insurance, a State insurance authority shall establish the standards for safeguarding customer information maintained by entities engaged in activities described in section 4(k)(4)(B) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(4)(k)(4)(B)) that are the same as the standards contained in the interagency guidelines issued by the Comptroller of the Currency, the Board of Governors of the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision titled ‘Interagency Guidelines Establishing Standards for Safeguarding Customer Information’, published February 1, 2001 (66 Fed. Reg. 8633), and such standards shall be applied as if the entity engaged in providing insurance was a bank to the extent appropriate and practicable.”.

SEC. 3. Preemption with respect to financial institution safeguards.

Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is amended to read as follows:

“SEC. 507. Relation to State laws.

“(a) In general.—This subtitle preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State, or political subdivision of a State, with respect to a financial institution or affiliate thereof securing personal information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data.

“(b) Insurance.—Subsection (a) shall not prevent a State or political subdivision of a State from establishing the standards for entities engaged in providing insurance required by sections 501(c) and 501(d), provided the standards established by such State or political subdivision do not impose any requirement that is in addition to or different from those standards, except where necessary to effectuate the purposes of this subtitle.”.

