H.R.6743 — 115th Congress (2017-2018)

There is one version of the bill.

Introduced in House (09/07/2018)


115th CONGRESS
2d Session
H. R. 6743


To amend the Gramm-Leach-Bliley Act to provide a national standard for financial institution data security and breach notification on behalf of all consumers, and for other purposes.


IN THE HOUSE OF REPRESENTATIVES

September 7, 2018

Mr. Luetkemeyer introduced the following bill; which was referred to the Committee on Financial Services


A BILL

To amend the Gramm-Leach-Bliley Act to provide a national standard for financial institution data security and breach notification on behalf of all consumers, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Consumer Information Notification Requirement Act”.

SEC. 2. Breach notification standards.

Section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) is amended—

(1) in subsection (b)(3) by striking the period at the end and inserting “, including through the provision of a breach notice in the event of unauthorized access that is reasonably likely to result in identity theft, fraud, or economic loss.”; and

(2) by adding at the end the following:

“(c) Standards with respect to breach notification.—Each agency or authority required to establish standards described under subsection (b)(3) with respect to the provision of a breach notice shall establish the standards with respect to such notice that are contained in the interpretive guidance issued by the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision titled ‘Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice’, published March 29, 2005 (70 Fed. Reg. 15736), and for a financial institution that is not a bank, such standards shall be applied to the institution as if the institution was a bank to the extent appropriate and practicable.

“(d) Insurance.—

“(1) ENFORCEMENT.—Notwithstanding section 505(a)(6), with respect to an entity engaged in providing insurance, the standards under subsection (b) shall be enforced—

“(A) with respect to any such standards related to data security safeguards, by—

“(i) the State insurance authority of the State in which the entity is domiciled; or

“(ii) in the case of an insurance agent, agency, or brokerage, the State insurance authority of the State in which such agent, agency, or brokerage has its principal place of business; and

“(B) with respect to any such standards related to notification of the breach of data security, by the State insurance authority of any State in which customers of the entity are affected by such a breach of data security.

“(2) NOTIFICATION BY ASSUMING INSURER.—

“(A) IN GENERAL.—Notwithstanding subsection (b), an assuming insurer that experiences a breach of data security shall only be required to notify the State insurance authority of the State in which the assuming insurer is domiciled.

“(B) ASSUMING INSURER DEFINED.—For purposes of this paragraph, the term ‘assuming insurer’ means an entity engaged in providing insurance that acquires an insurance obligation or risk from another entity engaged in providing insurance pursuant to a reinsurance agreement.

“(3) SAFEGUARDS FOR INSURANCE CUSTOMERS.—In carrying out subsection (b) with respect to an entity engaged in providing insurance, a State insurance authority shall establish the standards for safeguarding customer information maintained by entities engaged in activities described in section 4(k)(4)(B) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(4)(k)(4)(B)) that are the same as the standards contained in the interagency guidelines issued by the Comptroller of the Currency, the Board of Governors of the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision titled ‘Interagency Guidelines Establishing Standards for Safeguarding Customer Information’, published February 1, 2001 (66 Fed. Reg. 8633), and such standards shall be applied as if the entity engaged in providing insurance was a bank to the extent appropriate and practicable.”.

SEC. 3. Preemption with respect to financial institution safeguards.

Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is amended to read as follows:

“SEC. 507. Relation to State laws.

“(a) In general.—This subtitle preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State, or political subdivision of a State, with respect to securing personal information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data.

“(b) Insurance.—Subsection (a) shall not prevent a State or political subdivision of a State from establishing the standards for entities engaged in providing insurance required by sections 501(c) and 501(d), provided the standards established by such State or political subdivision do not impose any requirement that is in addition to or different from those standards, except where necessary to effectuate the purposes of this subtitle.”.