Personal Data Privacy and Security Act of 2014 - Defines "sensitive personally identifiable information" to include: (1) specified combinations of data elements in electronic or digital form, such as an individual's name, home address or telephone number, mother's maiden name, and date of birth; (2) a non-truncated social security number, driver's license number, passport number, or government-issued unique identification number; (3) unique biometric data; (4) a unique account identifier; and (5) any security code, access code, password, or secure code that could be used to generate such codes or passwords.
Title I: Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security - Amends the federal criminal code to make fraud in connection with the unauthorized access of personally identifiable information (in electronic or digital form) a predicate for instituting a prosecution for racketeering.
Imposes a prison term of up to five years and/or a fine on any individual who has knowledge of and intentionally and willfully conceals a security breach and such breach results in economic harm of $1,000 or more to any individual. Grants the Secret Service and the Federal Bureau of Investigation (FBI) authority to investigate criminal concealments of security breaches.
Increases penalties for fraud and related activity, and imposes criminal penalties for attempts and conspiracies to commit fraud and related activity, in connection with computers.
Expands the prohibition against trafficking in passwords to include trafficking through any means by which a protected computer may be accessed without authorization.
Modifies criminal and civil forfeiture provisions, including requiring certain civil forfeiture seizures and forfeitures to be performed by persons designated for that purpose by the Secretary of Homeland Security (DHS) or the Attorney General (DOJ).
Prohibits civil actions involving unauthorized use of a protected computer if a violation of a contractual obligation or agreement constitutes the sole basis for determining that access to the computer is unauthorized.
Directs the Attorney General to report the number of criminal cases that involve: (1) unauthorized access to a nongovernmental computer, and (2) conduct in which the sole basis for such a determination was that the defendant violated a contractual obligation or agreement with a service provider or employer.
Prohibits, during and in relation to a felony violation of provisions regarding fraud and related activity in connection with computers, intentionally causing or attempting to cause damage to a critical infrastructure computer if such damage results or would have resulted in the substantial impairment of the operation of that computer or associated critical infrastructure.
Excludes from the definition of "exceeds authorized access" for purposes of the prohibition against fraudulent use of computers, access in violation of a contractual obligation or agreement with an Internet service provider, Internet website, or nongovernment employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.
Title II: Privacy and Security of Personally Identifiable Information - Subjects a business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive information in electronic or digital form on 10,000 or more U.S. persons to the requirements for the data privacy and security program established by this title. Excepts: (1) financial institutions subject to the data security requirements and standards under the Gramm-Leach-Bliley Act; (2) specified entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (3) service providers for any electronic communication by a third-party to the extent that such provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication; and (4) public records not otherwise subject to a confidentiality or nondisclosure requirement.
Deems a business entity to be in compliance with such requirements if the entity complies with or provides protection equal to industry standards or standards widely accepted as an effective industry practice that are applicable to the type of sensitive information involved in the ordinary course of business.
Requires a business entity subject to this title to: (1) comply with specified safeguards identified by the FTC in a rulemaking process for the protection of sensitive personally identifiable information; and (2) implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the entity and the nature and scope of its activities. Requires such program to be designed to: (1) ensure the privacy, security, and confidentiality of sensitive information; (2) protect against any anticipated vulnerabilities; and (3) protect against unauthorized access to use of such information that could create a significant risk of harm or fraud to any individual.
Requires such a business entity to: (1) identify reasonably foreseeable vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive information or systems containing such information; (2) assess the likelihood of and potential damage from unauthorized access to, or disclosure, use, or alteration of, sensitive information; (3) assess the sufficiency of its policies, technologies, and safeguards to control and minimize risks from unauthorized access, disclosure, use, or alteration of sensitive information; (4) assess the vulnerability of sensitive information during destruction and disposal of such information; (5) design its personal data privacy and security program to control risks; (6) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of activities of the entity that control access to systems and facilities containing sensitive information; (7) establish a plan and procedures for minimizing the amount of sensitive information maintained; and (8) take steps to ensure appropriate employee training and regular testing of key controls, systems, and procedures of the entity's personal data privacy and security program.
Prescribes penalties for violations of such requirements. Allows an injunction against a business entity to stop continuing violations of the requirements of this subtitle.
Grants authority to the FTC to enforce such requirements. Authorizes state attorneys general and law enforcement agencies to bring civil actions to protect state residents against business entities that are violating such requirements. Preempts state laws relating to administrative, technical, and physical safeguards for the protection of personal information.
Requires any agency or business entity engaged in interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information to notify any U.S. resident whose information has been accessed or acquired without unreasonable delay after the discovery of a security breach.
Excepts: (1) financial institutions subject to the data security requirements and standards under the Gramm-Leach-Bliley Act, and (2) specified entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Allows exemptions if: (1) the Secret Service or the FBI determines that notification of the security breach could be expected to reveal sensitive sources and methods or similarly impede the government's ability to conduct law enforcement investigations, or (2) the FBI determines that notification of the breach could be expected to damage national security.
Provides that an agency or business entity shall be exempt from notice requirements if: (1) a risk assessment concludes that there is no significant risk that a security breach has resulted in, or will result in, identity theft, economic loss or harm, or physical harm to the individuals whose sensitive information was subject to the breach; (2) without unreasonable delay but not later than 45 days after the discovery of the breach, the agency or entity notifies the FTC of the results of the risk assessment and its decision to invoke the exemption; and (3) the FTC does not indicate, within 10 business days from receipt of the decision, that notice should be given.
Provides that a business entity will be exempt from notice requirements if it utilizes or participates in a security program that: (1) effectively blocks the use of the sensitive information to initiate unauthorized financial transactions before they are charged to the individual's account, and (2) provides for notice to affected individuals after a security breach that has resulted in fraud or unauthorized transactions.
Provides for individual notice by mail, telephone, and e-mail of a security breach and for notice to major media outlets serving a state or jurisdiction if a security breach involves more than 5,000 individuals. Specifies the required content of a security breach notification. Requires an agency or business entity that is required to provide notification of a breach involving more than 5,000 individuals to also provide notification to credit reporting agencies.
Directs the DHS Secretary to designate a federal entity to receive the notices. Requires business entities and federal agencies to report data security breaches to the designated entity if the breach involves: (1) more than 5,000 individuals, (2) a database that contains information about more than 500,000 individuals, (3) a federal government database, or (4) individuals known to be federal employees or contractors involved in national security or law enforcement. Requires the designated agency to report information it receives about security breaches to the Secret Service, FBI, and FTC for civil law enforcement purposes as promptly as possible, but either 72 hours before notice of a breach is required to be provided to an individual or not later than 10 days after the breach is discovered, whichever occurs first.
Authorizes the Attorney General and the FTC to bring civil and administrative actions against business entities for violations of this subtitle and to seek injunctive relief or civil penalties.
Authorizes state attorneys general or state or local law enforcement agencies to bring a civil action on behalf of state residents who have been threatened or adversely affected by a business entity violating provisions of this title and to obtain injunctive relief or civil penalties. Requires a state attorney general bringing a civil action to provide written notice to the Attorney General who may then move to stay the action, move to consolidate all pending actions, intervene, and file petitions for appeal.
Directs the FTC to report on the number and nature of the security breaches described in notices filed by business entities invoking the risk assessment exemption and their response to such notices.
Directs the Secret Service and FBI to report on the number and nature of security breaches subject to the national security and law enforcement exemptions.
Title III: Compliance with Statutory Pay-As-You-Go Act - Provides that the budgetary effects of this Act, for the purpose of complying with the Statutory Pay-As-You-Go Act of 2010, shall be determined by reference to the latest statement titled "Budgetary Effects of PAYGO Legislation" for this Act, provided that such statement has been submitted prior to the vote on passage.
[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3990 Introduced in House (IH)]
113th CONGRESS
2d Session
H. R. 3990
To prevent and mitigate identity theft, to ensure privacy, to provide
notice of security breaches, and to enhance criminal penalties, law
enforcement assistance, and other protections against security
breaches, fraudulent access, and misuse of personally identifiable
information.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
February 4, 2014
Ms. Shea-Porter introduced the following bill; which was referred to
the Committee on the Judiciary, and in addition to the Committees on
Energy and Commerce, Financial Services, Oversight and Government
Reform, and the Budget, for a period to be subsequently determined by
the Speaker, in each case for consideration of such provisions as fall
within the jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To prevent and mitigate identity theft, to ensure privacy, to provide
notice of security breaches, and to enhance criminal penalties, law
enforcement assistance, and other protections against security
breaches, fraudulent access, and misuse of personally identifiable
information.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Personal Data
Privacy and Security Act of 2014''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS
OF DATA PRIVACY AND SECURITY
Sec. 101. Organized criminal activity in connection with unauthorized
access to personally identifiable
information.
Sec. 102. Concealment of security breaches involving sensitive
personally identifiable information.
Sec. 103. Penalties for fraud and related activity in connection with
computers.
Sec. 104. Trafficking in passwords.
Sec. 105. Conspiracy and attempted computer fraud offenses.
Sec. 106. Criminal and civil forfeiture for fraud and related activity
in connection with computers.
Sec. 107. Limitation on civil actions involving unauthorized use.
Sec. 108. Reporting of certain criminal cases.
Sec. 109. Damage to critical infrastructure computers.
Sec. 110. Limitation on actions involving unauthorized use.
TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A--A Data Privacy and Security Program
Sec. 201. Purpose and applicability of data privacy and security
program.
Sec. 202. Requirements for a personal data privacy and security
program.
Sec. 203. Enforcement.
Sec. 204. Relation to other laws.
Subtitle B--Security Breach Notification
Sec. 211. Notice to individuals.
Sec. 212. Exemptions.
Sec. 213. Methods of notice.
Sec. 214. Content of notification.
Sec. 215. Coordination of notification with credit reporting agencies.
Sec. 216. Notice to law enforcement.
Sec. 217. Enforcement.
Sec. 218. Enforcement by State attorneys general.
Sec. 219. Effect on Federal and State law.
Sec. 220. Reporting on exemptions.
Sec. 221. Effective date.
TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT
Sec. 301. Budget compliance.
SEC. 2. FINDINGS.
Congress finds that--
(1) databases of personally identifiable information are
increasingly prime targets of hackers, identity thieves, rogue
employees, and other criminals, including organized and
sophisticated criminal operations;
(2) identity theft is a serious threat to the Nation's
economic stability, national security, homeland security,
cybersecurity, the development of e-commerce, and the privacy
rights of Americans;
(3) security breaches are a serious threat to consumer
confidence, homeland security, national security, e-commerce,
and economic stability;
(4) it is important for business entities that own, use, or
license personally identifiable information to adopt reasonable
procedures to ensure the security, privacy, and confidentiality
of that personally identifiable information;
(5) individuals whose personal information has been
compromised or who have been victims of identity theft should
receive the necessary information and assistance to mitigate
their damages and to restore the integrity of their personal
information and identities;
(6) data misuse and use of inaccurate data have the
potential to cause serious or irreparable harm to an
individual's livelihood, privacy, and liberty and undermine
efficient and effective business and government operations;
(7) government access to commercial data can potentially
improve safety, law enforcement, and national security; and
(8) because government use of commercial data containing
personal information potentially affects individual privacy,
and law enforcement and national security operations, there is
a need for Congress to exercise oversight over government use
of commercial data.
SEC. 3. DEFINITIONS.
In this Act, the following definitions shall apply:
(1) Affiliate.--The term ``affiliate'' means persons
related by common ownership or by corporate control.
(2) Agency.--The term ``agency'' has the same meaning given
such term in section 551 of title 5, United States Code.
(3) Business entity.--The term ``business entity'' means
any organization, corporation, trust, partnership, sole
proprietorship, unincorporated association, or venture
established to make a profit, or nonprofit.
(4) Data system communication information.--The term ``data
system communication information'' means dialing, routing,
addressing, or signaling information that identifies the
origin, direction, destination, processing, transmission, or
termination of each communication initiated, attempted, or
received.
(5) Designated entity.--The term ``designated entity''
means the Federal Government entity designated by the Secretary
of Homeland Security under section 216(a).
(6) Encryption.--The term ``encryption''--
(A) means the protection of data in electronic
form, in storage or in transit, using an encryption
technology that has been generally accepted by experts
in the field of information security that renders such
data indecipherable in the absence of associated
cryptographic keys necessary to enable decryption of
such data; and
(B) includes appropriate management and safeguards
of such cryptographic keys so as to protect the
integrity of the encryption.
(7) Identity theft.--The term ``identity theft'' means a
violation of section 1028(a)(7) of title 18, United States
Code.
(8) Personally identifiable information.--The term
``personally identifiable information'' means any information,
or compilation of information, in electronic or digital form
that is a means of identification, as defined by section
1028(d)(7) of title 18, United States Code.
(9) Public record source.--The term ``public record
source'' means the Congress, any agency, any State or local
government agency, the government of the District of Columbia
and governments of the territories or possessions of the United
States, and Federal, State or local courts, courts martial and
military commissions, that maintain personally identifiable
information in records available to the public.
(10) Security breach.--
(A) In general.--The term ``security breach'' means
compromise of the security, confidentiality, or
integrity of, or the loss of, computerized data that
result in, or that there is a reasonable basis to
conclude has resulted in--
(i) the unauthorized acquisition of
sensitive personally identifiable information;
and
(ii) access to sensitive personally
identifiable information that is for an
unauthorized purpose, or in excess of
authorization.
(B) Exclusion.--The term ``security breach'' does
not include--
(i) a good faith acquisition of sensitive
personally identifiable information by a
business entity or agency, or an employee or
agent of a business entity or agency, if the
sensitive personally identifiable information
is not subject to further unauthorized
disclosure;
(ii) the release of a public record not
otherwise subject to confidentiality or
nondisclosure requirements or the release of
information obtained from a public record,
including information obtained from a news
report or periodical; or
(iii) any lawfully authorized
investigative, protective, or intelligence
activity of a law enforcement or intelligence
agency of the United States, a State, or a
political subdivision of a State.
(11) Sensitive personally identifiable information.--The
term ``sensitive personally identifiable information'' means
any information or compilation of information, in electronic or
digital form that includes the following:
(A) An individual's first and last name or first
initial and last name in combination with any two of
the following data elements:
(i) Home address or telephone number.
(ii) Mother's maiden name.
(iii) Month, day, and year of birth.
(B) A non-truncated social security number,
driver's license number, passport number, or alien
registration number or other government-issued unique
identification number.
(C) Unique biometric data such as a fingerprint,
voice print, a retina or iris image, or any other
unique physical representation.
(D) A unique account identifier, including a
financial account number or credit or debit card
number, electronic identification number, user name, or
routing code.
(E) Any combination of the following data elements:
(i) An individual's first and last name or
first initial and last name.
(ii) A unique account identifier, including
a financial account number or credit or debit
card number, electronic identification number,
user name, or routing code.
(iii) Any security code, access code, or
password, or source code that could be used to
generate such codes or passwords.
(12) Service provider.--The term ``service provider'' means
a business entity that provides electronic data transmission,
routing, intermediate and transient storage, or connections to
its system or network, where the business entity providing such
services does not select or modify the content of the
electronic data, is not the sender or the intended recipient of
the data, and the business entity transmits, routes, stores, or
provides connections for personal information in a manner that
personal information is undifferentiated from other types of
data that such business entity transmits, routes, stores, or
provides connections. Any such business entity shall be treated
as a service provider under this Act only to the extent that it
is engaged in the provision of such transmission, routing,
intermediate and transient storage or connections.
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS
OF DATA PRIVACY AND SECURITY
SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED
ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.
Section 1961(1) of title 18, United States Code, is amended by
inserting ``section 1030 (relating to fraud and related activity in
connection with computers) if the act is a felony,'' before ``section
1084''.
SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE
PERSONALLY IDENTIFIABLE INFORMATION.
(a) In General.--Chapter 47 of title 18, United States Code, is
amended by adding at the end the following:
``Sec. 1041. Concealment of security breaches involving sensitive
personally identifiable information
``(a) In General.--Whoever, having knowledge of a security breach
and of the fact that notice of such security breach is required under
title II of the Personal Data Privacy and Security Act of 2014,
intentionally and willfully conceals the fact of such security breach,
shall, in the event that such security breach results in economic harm
to any individual in the amount of $1,000 or more, be fined under this
tile or imprisoned for not more than 5 years, or both.
``(b) Person Defined.--For purposes of subsection (a), the term
`person' has the meaning given the term in section 1030(e)(12).
``(c) Notice Requirement.--Any person seeking an exemption under
section 212(b) of the Personal Data Privacy and Security Act of 2014
shall be immune from prosecution under this section if the Federal
Trade Commission does not indicate, in writing, that such notice be
given under section 212(b)(3) of such Act.''.
(b) Conforming and Technical Amendments.--The table of sections for
chapter 47 of title 18, United States Code, is amended by adding at the
end the following:
``1041. Concealment of security breaches involving sensitive personally
identifiable information.''.
(c) Enforcement Authority.--
(1) In general.--The United States Secret Service and
Federal Bureau of Investigation shall have the authority to
investigate offenses under section 1041 of title 18, United
States Code, as added by subsection (a).
(2) Nonexclusivity.--The authority granted in paragraph (1)
shall not be exclusive of any existing authority held by any
other Federal agency.
SEC. 103. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH
COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended to read
as follows:
``(c) The punishment for an offense under subsection (a) or (b) of
this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years, or
both, in the case of an offense under subsection (a)(2); or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
paragraph (a)(2) of this section, if--
``(i) the offense was committed for purposes of
commercial advantage or private financial gain;
``(ii) the offense was committed in the furtherance
of any criminal or tortious act in violation of the
Constitution or laws of the United States, or of any
State; or
``(iii) the value of the information obtained, or
that would have been obtained if the offense was
completed, exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 1 year, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (D), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year
period (and, for purposes of an investigation,
prosecution, or other proceeding brought by the United
States only, loss resulting from a related course of
conduct affecting 1 or more other protected computers)
aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on
behalf of, an entity of the United States Government in
furtherance of the administration of justice, national
defense, or national security; or
``(vi) damage affecting 10 or more protected
computers during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided in
clauses (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of subsection
(a)(5)(A), a fine under this title, imprisonment for any term
of years or for life, or both; or
``(D) a fine under this title, imprisonment for not more
than 1 year, or both, for any other offense under subsection
(a)(5);
``(6) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(7) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 104. TRAFFICKING IN PASSWORDS.
Section 1030(a) of title 18, United States Code, is amended by
striking paragraph (6) and inserting the following:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in--
``(A) any password or similar information through
which a protected computer as defined in subparagraphs
(A) and (B) of subsection (e)(2) may be accessed
without authorization; or
``(B) any means of access through which a protected
computer as defined in subsection (e)(2)(A) may be
accessed without authorization.''.
SEC. 105. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended by
inserting ``for the completed offense'' after ``punished as provided''.
SEC. 106. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY
IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition to
any other sentence imposed and irrespective of any provision of
State law, that such person forfeit to the United States--
``(A) such person's interest in any property, real
or personal, that was used, or intended to be used, to
commit or facilitate the commission of such violation;
and
``(B) any property, real or personal, constituting
or derived from any gross proceeds, or any property
traceable to such property, that such person obtained,
directly or indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section 413
of the Comprehensive Drug Abuse Prevention and Control Act of
1970 (21 U.S.C. 853), except subsection (d) of that section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was
used, or intended to be used, to commit or facilitate
the commission of any violation of this section, or a
conspiracy to violate this section.
``(B) Any property, real or personal, constituting
or derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property,
as a result of the commission of any violation of this
section, or a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents and
other persons as may be designated for that purpose by the
Secretary of Homeland Security or the Attorney General.''.
SEC. 107. LIMITATION ON CIVIL ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(g) of title 18, United States Code, is amended--
(1) by inserting ``(1)'' before ``Any person''; and
(2) by adding at the end the following:
``(2) No action may be brought under this subsection if a violation
of a contractual obligation or agreement, such as an acceptable use
policy or terms of service agreement, constitutes the sole basis for
determining that access to the protected computer is unauthorized, or
in excess of authorization.''.
SEC. 108. REPORTING OF CERTAIN CRIMINAL CASES.
Section 1030 of title 18, United States Code, is amended by adding
at the end the following:
``(k) Reporting Certain Criminal Cases.--Not later than 1 year
after the date of the enactment of this Act, and annually thereafter,
the Attorney General shall report to the Committee on the Judiciary of
the Senate and the Committee on the Judiciary of the House of
Representatives the number of criminal cases brought under subsection
(a) that involve conduct in which--
``(1) the defendant--
``(A) exceeded authorized access to a non-
governmental computer; or
``(B) accessed a non-governmental computer without
authorization; and
``(2) the sole basis for the Government determining that
access to the non-governmental computer was unauthorized, or in
excess of authorization was that the defendant violated a
contractual obligation or agreement with a service provider or
employer, such as an acceptable use policy or terms of service
agreement.''.
SEC. 109. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States Code, is
amended by inserting after section 1030 the following:
``Sec. 1030A. Aggravated damage to a critical infrastructure computer
``(a) Definitions.--In this section--
``(1) the terms `computer' and `damage' have the meanings
given such terms in section 1030; and
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of those
matters, whether publicly or privately owned or operated,
including--
``(A) gas and oil production, storage, and delivery
systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential
services to the public.
``(b) Offense.--It shall be unlawful to, during and in relation to
a felony violation of section 1030, intentionally cause or attempt to
cause damage to a critical infrastructure computer, and such damage
results in (or, in the case of an attempt, would, if completed have
resulted in) the substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b) shall be
fined under this title, imprisoned for not less than 3 years nor more
than 20 years, or both.
``(d) Consecutive Sentence.--Notwithstanding any other provision of
law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including any
term of imprisonment imposed on the person under any other
provision of law, including any term of imprisonment imposed
for the felony violation section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the court,
run concurrently, in whole or in part, only with another term
of imprisonment that is imposed by the court at the same time
on that person for an additional violation of this section,
provided that such discretion shall be exercised in accordance
with any applicable guidelines and policy statements issued by
the United States Sentencing Commission pursuant to section 994
of title 28.''.
(b) Technical and Conforming Amendment.--The table of sections for
chapter 47 of title 18, United States Code, is amended by inserting
after the item relating to section 1030 the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 110. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is amended by
striking ``alter;'' and inserting ``alter, but does not include access
in violation of a contractual obligation or agreement, such as an
acceptable use policy or terms of service agreement, with an Internet
service provider, Internet website, or non-government employer, if such
violation constitutes the sole basis for determining that access to a
protected computer is unauthorized;''.
TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A--A Data Privacy and Security Program
SEC. 201. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY
PROGRAM.
(a) Purpose.--The purpose of this subtitle is to ensure standards
for developing and implementing administrative, technical, and physical
safeguards to protect the security of sensitive personally identifiable
information.
(b) Applicability.--A business entity engaging in interstate
commerce that involves collecting, accessing, transmitting, using,
storing, or disposing of sensitive personally identifiable information
in electronic or digital form on 10,000 or more United States persons
is subject to the requirements for a data privacy and security program
under section 202 for protecting sensitive personally identifiable
information.
(c) Limitations.--Notwithstanding any other obligation under this
subtitle, this subtitle does not apply to the following:
(1) Financial institutions.--Financial institutions--
(A) subject to the data security requirements and
standards under section 501(b) of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801(b)); and
(B) subject to the jurisdiction of an agency or
authority described in section 505(a) of the Gramm-
Leach-Bliley Act (15 U.S.C. 6805(a)).
(2) HIPAA regulated entities.--
(A) Covered entities.--Covered entities subject to
the Health Insurance Portability and Accountability Act
of 1996 (42 U.S.C. 1301 et seq.), including the data
security requirements and implementing regulations of
that Act.
(B) Business entities.--A business entity shall be
deemed in compliance with this Act if the business
entity--
(i) is acting as a business associate, as
that term is defined under the Health Insurance
Portability and Accountability Act of 1996 (42
U.S.C. 1301 et seq.) and is in compliance with
the requirements imposed under that Act and
implementing regulations promulgated under that
Act; and
(ii) is subject to, and currently in
compliance, with the privacy and data security
requirements under sections 13401 and 13404 of
division A of the American Reinvestment and
Recovery Act of 2009 (42 U.S.C. 17931 and
17934) and implementing regulations promulgated
under such sections.
(3) Service providers.--A service provider for any
electronic communication by a third party, to the extent that
the service provider is exclusively engaged in the
transmission, routing, or temporary, intermediate, or transient
storage of that communication.
(4) Public records.--Public records not otherwise subject
to a confidentiality or nondisclosure requirement, or
information obtained from a public record, including
information obtained from a news report or periodical.
(d) Safe Harbors.--
(1) In general.--A business entity shall be deemed in
compliance with the privacy and security program requirements
under section 202 if the business entity complies with or
provides protection equal to industry standards or standards
widely accepted as an effective industry practice, as
identified by the Federal Trade Commission, that are applicable
to the type of sensitive personally identifiable information
involved in the ordinary course of business of such business
entity.
(2) Limitation.--Nothing in this subsection shall be
construed to permit, and nothing does permit, the Federal Trade
Commission to issue regulations requiring, or according greater
legal status to, the implementation of or application of a
specific technology or technological specifications for meeting
the requirements of this title.
SEC. 202. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY
PROGRAM.
(a) Personal Data Privacy and Security Program.--A business entity
subject to this subtitle shall comply with the following safeguards and
any other administrative, technical, or physical safeguards identified
by the Federal Trade Commission in a rulemaking process pursuant to
section 553 of title 5, United States Code, for the protection of
sensitive personally identifiable information:
(1) Scope.--A business entity shall implement a
comprehensive personal data privacy and security program that
includes administrative, technical, and physical safeguards
appropriate to the size and complexity of the business entity
and the nature and scope of its activities.
(2) Design.--The personal data privacy and security program
shall be designed to--
(A) ensure the privacy, security, and
confidentiality of sensitive personally identifying
information;
(B) protect against any anticipated vulnerabilities
to the privacy, security, or integrity of sensitive
personally identifying information; and
(C) protect against unauthorized access to use of
sensitive personally identifying information that could
create a significant risk of harm or fraud to any
individual.
(3) Risk assessment.--A business entity shall--
(A) identify reasonably foreseeable internal and
external vulnerabilities that could result in
unauthorized access, disclosure, use, or alteration of
sensitive personally identifiable information or
systems containing sensitive personally identifiable
information;
(B) assess the likelihood of and potential damage
from unauthorized access, disclosure, use, or
alteration of sensitive personally identifiable
information;
(C) assess the sufficiency of its policies,
technologies, and safeguards in place to control and
minimize risks from unauthorized access, disclosure,
use, or alteration of sensitive personally identifiable
information; and
(D) assess the vulnerability of sensitive
personally identifiable information during destruction
and disposal of such information, including through the
disposal or retirement of hardware.
(4) Risk management and control.--Each business entity
shall--
(A) design its personal data privacy and security
program to control the risks identified under paragraph
(3);
(B) adopt measures commensurate with the
sensitivity of the data as well as the size,
complexity, and scope of the activities of the business
entity that--
(i) control access to systems and
facilities containing sensitive personally
identifiable information, including controls to
authenticate and permit access only to
authorized individuals;
(ii) detect, record, and preserve
information relevant to actual and attempted
fraudulent, unlawful, or unauthorized access,
disclosure, use, or alteration of sensitive
personally identifiable information, including
by employees and other individuals otherwise
authorized to have access;
(iii) protect sensitive personally
identifiable information during use,
transmission, storage, and disposal by
encryption, redaction, or access controls that
are widely accepted as an effective industry
practice or industry standard, or other
reasonable means (including as directed for
disposal of records under section 628 of the
Fair Credit Reporting Act (15 U.S.C. 1681w) and
the implementing regulations of such Act as set
forth in section 682 of title 16, Code of
Federal Regulations);
(iv) ensure that sensitive personally
identifiable information is properly destroyed
and disposed of, including during the
destruction of computers, diskettes, and other
electronic media that contain sensitive
personally identifiable information;
(v) trace access to records containing
sensitive personally identifiable information
so that the business entity can determine who
accessed or acquired such sensitive personally
identifiable information pertaining to specific
individuals; and
(vi) ensure that no third party or customer
of the business entity is authorized to access
or acquire sensitive personally identifiable
information without the business entity first
performing sufficient due diligence to
ascertain, with reasonable certainty, that such
information is being sought for a valid legal
purpose; and
(C) establish a plan and procedures for minimizing
the amount of sensitive personally identifiable
information maintained by such business entity, which
shall provide for the retention of sensitive personally
identifiable information only as reasonably needed for
the business purposes of such business entity or as
necessary to comply with any legal obligation.
(b) Training.--Each business entity subject to this subtitle shall
take steps to ensure employee training and supervision for
implementation of the data security program of the business entity.
(c) Vulnerability Testing.--
(1) In general.--Each business entity subject to this
subtitle shall take steps to ensure regular testing of key
controls, systems, and procedures of the personal data privacy
and security program to detect, prevent, and respond to attacks
or intrusions, or other system failures.
(2) Frequency.--The frequency and nature of the tests
required under paragraph (1) shall be determined by the risk
assessment of the business entity under subsection (a)(3).
(d) Relationship to Certain Providers of Services.--In the event a
business entity subject to this subtitle engages a person or entity not
subject to this subtitle (other than a service provider) to receive
sensitive personally identifiable information in performing services or
functions (other than the services or functions provided by a service
provider) on behalf of and under the instruction of such business
entity, such business entity shall--
(1) exercise appropriate due diligence in selecting the
person or entity for responsibilities related to sensitive
personally identifiable information, and take reasonable steps
to select and retain a person or entity that is capable of
maintaining appropriate safeguards for the security, privacy,
and integrity of the sensitive personally identifiable
information at issue; and
(2) require the person or entity by contract to implement
and maintain appropriate measures designed to meet the
objectives and requirements governing entities subject to
section 201, this section, and subtitle B.
(e) Periodic Assessment and Personal Data Privacy and Security
Modernization.--Each business entity subject to this subtitle shall on
a regular basis monitor, evaluate, and adjust, as appropriate its data
privacy and security program in light of any relevant changes in--
(1) technology;
(2) the sensitivity of personally identifiable information;
(3) internal or external threats to personally identifiable
information; and
(4) the changing business arrangements of the business
entity, such as--
(A) mergers and acquisitions;
(B) alliances and joint ventures;
(C) outsourcing arrangements;
(D) bankruptcy; and
(E) changes to sensitive personally identifiable
information systems.
(f) Implementation Timeline.--Not later than 1 year after the date
of enactment of this Act, a business entity subject to the provisions
of this subtitle shall implement a data privacy and security program
pursuant to this subtitle.
SEC. 203. ENFORCEMENT.
(a) Civil Penalties.--
(1) In general.--Any business entity that violates the
provisions of section 201 or 202 shall be subject to civil
penalties of not more than $5,000 per violation per day while
such a violation exists, with a maximum of $500,000 per
violation.
(2) Intentional or willful violation.--A business entity
that intentionally or willfully violates the provisions of
section 201 or 202 shall be subject to additional penalties in
the amount of $5,000 per violation per day while such a
violation exists, with a maximum of an additional $500,000 per
violation.
(3) Penalty limits.--
(A) In general.--Notwithstanding any other
provision of law, the total sum of civil penalties
assessed against a business entity for all violations
of the provisions of this subtitle resulting from the
same or related acts or omissions shall not exceed
$500,000, unless such conduct is found to be willful or
intentional.
(B) Determinations.--The determination of whether a
violation of a provision of this subtitle has occurred,
and if so, the amount of the penalty to be imposed, if
any, shall be made by the court sitting as the finder
of fact. The determination of whether a violation of a
provision of this subtitle was willful or intentional,
and if so, the amount of the additional penalty to be
imposed, if any, shall be made by the court sitting as
the finder of fact.
(C) Additional penalty limit.--If a court
determines under subparagraph (B) that a violation of a
provision of this subtitle was willful or intentional
and imposes an additional penalty, the court may not
impose an additional penalty in an amount that exceeds
$500,000.
(4) Equitable relief.--A business entity engaged in
interstate commerce that violates this section may be enjoined
from further violations by a United States district court.
(5) Other rights and remedies.--The rights and remedies
available under this section are cumulative and shall not
affect any other rights and remedies available under law.
(b) Federal Trade Commission Authority.--Any business entity shall
have the provisions of this subtitle enforced against it by the Federal
Trade Commission.
(c) State Enforcement.--
(1) Civil actions.--In any case in which the attorney
general of a State or any State or local law enforcement agency
authorized by the State attorney general or by State statute to
prosecute violations of consumer protection law, has reason to
believe that an interest of the residents of that State has
been or is threatened or adversely affected by the acts or
practices of a business entity that violate this subtitle, the
State may bring a civil action on behalf of the residents of
that State in a district court of the United States of
appropriate jurisdiction to--
(A) enjoin that act or practice;
(B) enforce compliance with this subtitle; or
(C) obtain civil penalties of not more than $5,000
per violation per day while such violations persist, up
to a maximum of $500,000 per violation.
(2) Penalty limits.--
(A) In general.--Notwithstanding any other
provision of law, the total sum of civil penalties
assessed against a business entity for all violations
of the provisions of this subtitle resulting from the
same or related acts or omissions shall not exceed
$500,000, unless such conduct is found to be willful or
intentional.
(B) Determinations.--The determination of whether a
violation of a provision of this subtitle has occurred,
and if so, the amount of the penalty to be imposed, if
any, shall be made by the court sitting as the finder
of fact. The determination of whether a violation of a
provision of this subtitle was willful or intentional,
and if so, the amount of the additional penalty to be
imposed, if any, shall be made by the court sitting as
the finder of fact.
(C) Additional penalty limit.--If a court
determines under subparagraph (B) that a violation of a
provision of this subtitle was willful or intentional
and imposes an additional penalty, the court may not
impose an additional penalty in an amount that exceeds
$500,000.
(3) Notice.--
(A) In general.--Before filing an action under this
subsection, the attorney general of the State involved
shall provide to the Federal Trade Commission--
(i) a written notice of that action; and
(ii) a copy of the complaint for that
action.
(B) Exception.--Subparagraph (A) shall not apply
with respect to the filing of an action by an attorney
general of a State under this subsection, if the
attorney general of a State determines that it is not
feasible to provide the notice described in this
subparagraph before the filing of the action.
(C) Notification when practicable.--In an action
described under subparagraph (B), the attorney general
of a State shall provide the written notice and the
copy of the complaint to the Federal Trade Commission
as soon after the filing of the complaint as
practicable.
(4) Federal trade commission authority.--Upon receiving
notice under paragraph (2), the Federal Trade Commission shall
have the right to--
(A) move to stay the action, pending the final
disposition of a pending Federal proceeding or action
as described in paragraph (4);
(B) intervene in an action brought under paragraph
(1); and
(C) file petitions for appeal.
(5) Pending proceedings.--If the Federal Trade Commission
initiates a Federal civil action for a violation of this
subtitle, or any regulations thereunder, no attorney general of
a State may bring an action for a violation of this subtitle
that resulted from the same or related acts or omissions
against a defendant named in the Federal civil action initiated
by the Federal Trade Commission.
(6) Rule of construction.--For purposes of bringing any
civil action under paragraph (1) nothing in this subtitle shall
be construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths and affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(7) Venue; service of process.--
(A) Venue.--Any action brought under this
subsection may be brought in the district court of the
United States that meets applicable requirements
relating to venue under section 1391 of title 28,
United States Code.
(B) Service of process.--In an action brought under
this subsection, process may be served in any district
in which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(d) No Private Cause of Action.--Nothing in this subtitle
establishes a private cause of action against a business entity for
violation of any provision of this subtitle.
SEC. 204. RELATION TO OTHER LAWS.
(a) In General.--No State may require any business entity subject
to this subtitle to comply with any requirements with respect to
administrative, technical, and physical safeguards for the protection
of personal information.
(b) Limitations.--Nothing in this subtitle shall be construed to
modify, limit, or supersede the operation of the Gramm-Leach-Bliley Act
(15 U.S.C. 6801 et seq.) or its implementing regulations, including
those adopted or enforced by States.
Subtitle B--Security Breach Notification
SEC. 211. NOTICE TO INDIVIDUALS.
(a) In General.--Except as provided in section 212, any agency, or
business entity engaged in interstate commerce, other than a service
provider, that uses, accesses, transmits, stores, disposes of or
collects sensitive personally identifiable information shall, following
the discovery of a security breach of such information, notify any
resident of the United States whose sensitive personally identifiable
information has been, or is reasonably believed to have been, accessed,
or acquired.
(b) Obligation of Owner or Licensee.--
(1) Notice to owner or licensee.--Any agency, or business
entity engaged in interstate commerce, that uses, accesses,
transmits, stores, disposes of, or collects sensitive
personally identifiable information that the agency or business
entity does not own or license shall notify the owner or
licensee of the information following the discovery of a
security breach involving such information.
(2) Notice by owner, licensee, or other designated third
party.--Nothing in this subtitle shall prevent or abrogate an
agreement between an agency or business entity required to give
notice under this section and a designated third party,
including an owner or licensee of the sensitive personally
identifiable information subject to the security breach, to
provide the notifications required under subsection (a).
(3) Business entity relieved from giving notice.--A
business entity obligated to give notice under subsection (a)
shall be relieved of such obligation if an owner or licensee of
the sensitive personally identifiable information subject to
the security breach, or other designated third party, provides
such notification.
(4) Service providers.--If a service provider becomes aware
of a security breach of data in electronic form containing
sensitive personal information that is owned or possessed by
another business entity that connects to or uses a system or
network provided by the service provider for the purpose of
transmitting, routing, or providing intermediate or transient
storage of such data, the service provider shall be required to
notify the business entity who initiated such connection,
transmission, routing, or storage of the security breach if the
business entity can be reasonably identified. Upon receiving
such notification from a service provider, the business entity
shall be required to provide the notification required under
subsection (a).
(c) Timeliness of Notification.--
(1) In general.--All notifications required under this
section shall be made without unreasonable delay following the
discovery by the agency or business entity of a security
breach.
(2) Reasonable delay.--
(A) In general.--Reasonable delay under this
subsection may include any time necessary to determine
the scope of the security breach, prevent further
disclosures, conduct the risk assessment described in
section 202(a)(3), and restore the reasonable integrity
of the data system and provide notice to law
enforcement when required.
(B) Extension.--
(i) In general.--Except as provided in
subsection (d), delay of notification shall not
exceed 60 days following the discovery of the
security breach, unless the business entity or
agency requests an extension of time and the
Federal Trade Commission determines in writing
that additional time is reasonably necessary to
determine the scope of the security breach,
prevent further disclosures, conduct the risk
assessment, restore the reasonable integrity of
the data system, or to provide notice to the
designated entity.
(ii) Approval of request.--If the Federal
Trade Commission approves the request for
delay, the agency or business entity may delay
the time period for notification for additional
periods of up to 30 days.
(3) Burden of production.--The agency, business entity,
owner, or licensee required to provide notice under this
subtitle shall, upon the request of the Attorney General or the
Federal Trade Commission provide records or other evidence of
the notifications required under this subtitle, including to
the extent applicable, the reasons for any delay of
notification.
(d) Delay of Notification Authorized for Law Enforcement or
National Security Purposes.--
(1) In general.--If the United States Secret Service or the
Federal Bureau of Investigation determines that the
notification required under this section would impede a
criminal investigation, or national security activity, such
notification shall be delayed upon written notice from the
United States Secret Service or the Federal Bureau of
Investigation to the agency or business entity that experienced
the breach. The notification from the United States Secret
Service or the Federal Bureau of Investigation shall specify in
writing the period of delay requested for law enforcement or
national security purposes.
(2) Extended delay of notification.--If the notification
required under subsection (a) is delayed pursuant to paragraph
(1), an agency or business entity shall give notice 30 days
after the day such law enforcement or national security delay
was invoked unless a Federal law enforcement or intelligence
agency provides written notification that further delay is
necessary.
(3) Law enforcement immunity.--No non-constitutional cause
of action shall lie in any court against any agency for acts
relating to the delay of notification for law enforcement or
national security purposes under this subtitle.
(e) Limitations.--Notwithstanding any other obligation under this
subtitle, this subtitle does not apply to the following:
(1) Financial institutions.--Financial institutions--
(A) subject to the data security requirements and
standards under section 501(b) of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801(b)); and
(B) subject to the jurisdiction of an agency or
authority described in section 505(a) of the Gramm-
Leach-Bliley Act (15 U.S.C. 6805(a)).
(2) HIPAA regulated entities.--
(A) Covered entities.--Covered entities subject to
the Health Insurance Portability and Accountability Act
of 1996 (42 U.S.C. 1301 et seq.), including the data
security requirements and implementing regulations of
that Act.
(B) Business entities.--A business entity shall be
deemed in compliance with this Act if the business
entity--
(i)(I) is acting as a covered entity and as
a business associate, as those terms are
defined under the Health Insurance Portability
and Accountability Act of 1996 (42 U.S.C. 1301
et seq.) and is in compliance with the
requirements imposed under that Act and
implementing regulations promulgated under that
Act; and
(II) is subject to, and currently in
compliance, with the data breach notification,
privacy and data security requirements under
the Health Information Technology for Economic
and Clinical Health (HITECH) Act, (42 U.S.C.
17932) and implementing regulations promulgated
thereunder; or
(ii) is acting as a vendor of personal
health records and third party service
provider, subject to the Health Information
Technology for Economic and Clinical Health
(HITECH) Act (42 U.S.C. 17937), including the
data breach notification requirements and
implementing regulations of that Act.
SEC. 212. EXEMPTIONS.
(a) Exemption for National Security and Law Enforcement.--
(1) In general.--Section 211 shall not apply to an agency
or business entity if--
(A) the United States Secret Service or the Federal
Bureau of Investigation determines that notification of
the security breach could be expected to reveal
sensitive sources and methods or similarly impede the
ability of the Government to conduct law enforcement
investigations; or
(B) the Federal Bureau of Investigation determines
that notification of the security breach could be
expected to cause damage to the national security.
(2) Immunity.--No non-constitutional cause of action shall
lie in any court against any Federal agency for acts relating
to the exemption from notification for law enforcement or
national security purposes under this title.
(b) Safe Harbor.--
(1) In general.--An agency or business entity shall be
exempt from the notice requirements under section 211, if--
(A) a risk assessment conducted by the agency or
business entity concludes that, based upon the
information available, there is no significant risk
that a security breach has resulted in, or will result
in, identity theft, economic loss or harm, or physical
harm to the individuals whose sensitive personally
identifiable information was subject to the security
breach;
(B) without unreasonable delay, but not later than
45 days after the discovery of a security breach,
unless extended by the Federal Trade Commission, the
agency or business entity notifies the Federal Trade
Commission, in writing, of--
(i) the results of the risk assessment; and
(ii) its decision to invoke the risk
assessment exemption; and
(C) the Federal Trade Commission does not indicate,
in writing, within 10 business days from receipt of the
decision, that notice should be given.
(2) Rebuttable presumptions.--For purposes of paragraph
(1)--
(A) the encryption of sensitive personally
identifiable information described in paragraph
(1)(A)(i) shall establish a rebuttable presumption that
no significant risk exists; and
(B) the rendering of sensitive personally
identifiable information described in paragraph
(1)(A)(ii) unusable, unreadable, or indecipherable
through data security technology or methodology that is
generally accepted by experts in the field of
information security, such as redaction or access
controls shall establish a rebuttable presumption that
no significant risk exists.
(3) Violation.--It shall be a violation of this section
to--
(A) fail to conduct the risk assessment in a
reasonable manner, or according to standards generally
accepted by experts in the field of information
security; or
(B) submit the results of a risk assessment that
contains fraudulent or deliberately misleading
information.
(c) Financial Fraud Prevention Exemption.--
(1) In general.--A business entity will be exempt from the
notice requirement under section 211 if the business entity
utilizes or participates in a security program that--
(A) effectively blocks the use of the sensitive
personally identifiable information to initiate
unauthorized financial transactions before they are
charged to the account of the individual; and
(B) provides for notice to affected individuals
after a security breach that has resulted in fraud or
unauthorized transactions.
(2) Limitation.--The exemption in paragraph (1) does not
apply if the information subject to the security breach
includes an individual's first and last name, or any other type
of sensitive personally identifiable information as defined in
section 3, unless that information is only a credit card number
or credit card security code.
SEC. 213. METHODS OF NOTICE.
An agency or business entity shall be in compliance with section
211 if it provides the following:
(1) Individual notice.--Notice to individuals by one of the
following means:
(A) Written notification to the last known home
mailing address of the individual in the records of the
agency or business entity.
(B) Telephone notice to the individual personally.
(C) E-mail notice, if the individual has consented
to receive such notice and the notice is consistent
with the provisions permitting electronic transmission
of notices under section 101 of the Electronic
Signatures in Global and National Commerce Act (15
U.S.C. 7001).
(2) Media notice.--Notice to major media outlets serving a
State or jurisdiction, if the number of residents of such State
whose sensitive personally identifiable information was, or is
reasonably believed to have been, accessed or acquired by an
unauthorized person exceeds 5,000.
SEC. 214. CONTENT OF NOTIFICATION.
(a) In General.--Regardless of the method by which notice is
provided to individuals under section 213, such notice shall include,
to the extent possible--
(1) a description of the categories of sensitive personally
identifiable information that was, or is reasonably believed to
have been, accessed or acquired by an unauthorized person;
(2) a toll-free number--
(A) that the individual may use to contact the
agency or business entity, or the agent of the agency
or business entity; and
(B) from which the individual may learn what types
of sensitive personally identifiable information the
agency or business entity maintained about that
individual; and
(3) the toll-free contact telephone numbers and addresses
for the major credit reporting agencies.
(b) Additional Content.--Notwithstanding section 219, a State may
require that a notice under subsection (a) shall also include
information regarding victim protection assistance provided for by that
State.
(c) Direct Business Relationship.--Regardless of whether a business
entity, agency, or a designated third party provides the notice
required pursuant to section 211(b), such notice shall include the name
of the business entity or agency that has a direct relationship with
the individual being notified.
SEC. 215. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.
If an agency or business entity is required to provide notification
to more than 5,000 individuals under section 211(a), the agency or
business entity shall also notify all consumer reporting agencies that
compile and maintain files on consumers on a nationwide basis (as
defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C.
1681a(p))) of the timing and distribution of the notices. Such notice
shall be given to the consumer credit reporting agencies without
unreasonable delay and, if it will not delay notice to the affected
individuals, prior to the distribution of notices to the affected
individuals.
SEC. 216. NOTICE TO LAW ENFORCEMENT.
(a) Designation of Government Entity To Receive Notice.--
(1) In general.--Not later than 60 days after the date of
enactment of this Act, the Secretary of Homeland Security shall
designate a Federal Government entity to receive the notices
required under section 212 and this section, and any other
reports and information about information security incidents,
threats, and vulnerabilities.
(2) Responsibilities of the designated entity.--The
designated entity shall--
(A) be responsible for promptly providing the
information that it receives to the United States
Secret Service and the Federal Bureau of Investigation,
and to the Federal Trade Commission for civil law
enforcement purposes; and
(B) provide the information described in
subparagraph (A) as appropriate to other Federal
agencies for law enforcement, national security, or
data security purposes.
(b) Notice.--Any business entity or agency shall notify the
designated entity of the fact that a security breach has occurred if--
(1) the number of individuals whose sensitive personally
identifying information was, or is reasonably believed to have
been accessed or acquired by an unauthorized person exceeds
5,000;
(2) the security breach involves a database, networked or
integrated databases, or other data system containing the
sensitive personally identifiable information of more than
500,000 individuals nationwide;
(3) the security breach involves databases owned by the
Federal Government; or
(4) the security breach involves primarily sensitive
personally identifiable information of individuals known to the
agency or business entity to be employees and contractors of
the Federal Government involved in national security or law
enforcement.
(c) FTC Rulemaking and Review of Thresholds.--
(1) Reports.--Not later than 1 year after the date of the
enactment of this Act, the Federal Trade Commission, in
consultation with the Attorney General of the United States and
the Secretary of Homeland Security, shall promulgate
regulations under section 553 of title 5, United States Code,
regarding the reports required under subsection (a).
(2) Thresholds for notice.--The Federal Trade Commission,
in consultation with the Attorney General and the Secretary of
Homeland Security, after notice and the opportunity for public
comment, and in a manner consistent with this section, shall
promulgate regulations, as necessary, under section 553 of
title 5, United States Code, to adjust the thresholds for
notice to law enforcement and national security authorities
under subsection (a) and to facilitate the purposes of this
section.
(d) Timing.--The notice required under subsection (a) shall be
provided as promptly as possible, but such notice must be provided
either 72 hours before notice is provided to an individual pursuant to
section 211, or not later than 10 days after the business entity or
agency discovers the security breach or discovers that the nature of
the security breach requires notice to law enforcement under this
section, whichever occurs first.
SEC. 217. ENFORCEMENT.
(a) In General.--The Attorney General and the Federal Trade
Commission may enforce civil violations of section 211.
(b) Civil Actions by the Attorney General of the United States.--
(1) In general.--The Attorney General may bring a civil
action in the appropriate United States district court against
any business entity that engages in conduct constituting a
violation of this subtitle and, upon proof of such conduct by a
preponderance of the evidence, such business entity shall be
subject to a civil penalty of not more than $11,000 per day per
security breach.
(2) Penalty limitation.--Notwithstanding any other
provision of law, the total amount of the civil penalty
assessed against a business entity for conduct involving the
same or related acts or omissions that results in a violation
of this subtitle may not exceed $1,000,000.
(3) Determinations.--The determination of whether a
violation of a provision of this subtitle has occurred, and if
so, the amount of the penalty to be imposed, if any, shall be
made by the court sitting as the finder of fact. The
determination of whether a violation of a provision of this
subtitle was willful or intentional, and if so, the amount of
the additional penalty to be imposed, if any, shall be made by
the court sitting as the finder of fact.
(4) Additional penalty limit.--If a court determines under
paragraph (3) that a violation of a provision of this subtitle
was willful or intentional and imposes an additional penalty,
the court may not impose an additional penalty in an amount
that exceeds $1,000,000.
(c) Injunctive Actions by the Attorney General.--
(1) In general.--If it appears that a business entity has
engaged, or is engaged, in any act or practice constituting a
violation of this subtitle, the Attorney General may petition
an appropriate district court of the United States for an
order--
(A) enjoining such act or practice; or
(B) enforcing compliance with this subtitle.
(2) Issuance of order.--A court may issue an order under
paragraph (1), if the court finds that the conduct in question
constitutes a violation of this subtitle.
(d) Civil Actions by the Federal Trade Commission.--
(1) In general.--Compliance with the requirements imposed
under this subtitle may be enforced under the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) by the Federal Trade
Commission with respect to business entities subject to this
Act. All of the functions and powers of the Federal Trade
Commission under the Federal Trade Commission Act are available
to the Commission to enforce compliance by any person with the
requirements imposed under this title.
(2) Penalty limitation.--
(A) In general.--Notwithstanding any other
provision of law, the total sum of civil penalties
assessed against a business entity for all violations
of the provisions of this subtitle resulting from the
same or related acts or omissions may not exceed
$1,000,000, unless such conduct is found to be willful
or intentional.
(B) Determinations.--The determination of whether a
violation of a provision of this subtitle has occurred,
and if so, the amount of the penalty to be imposed, if
any, shall be made by the court sitting as the finder
of fact. The determination of whether a violation of a
provision of this subtitle was willful or intentional,
and if so, the amount of the additional penalty to be
imposed, if any, shall be made by the court sitting as
the finder of fact.
(C) Additional penalty limit.--If a court
determines under subparagraph (B) that a violation of a
provision of this subtitle was willful or intentional
and imposes an additional penalty, the court may not
impose an additional penalty in an amount that exceeds
$1,000,000.
(3) Unfair or deceptive acts or practices.--For the purpose
of the exercise by the Federal Trade Commission of its
functions and powers under the Federal Trade Commission Act, a
violation of any requirement or prohibition imposed under this
title shall constitute an unfair or deceptive act or practice
in commerce in violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(I)(B)) regarding unfair or deceptive acts or practices
and shall be subject to enforcement by the Federal Trade
Commission under that Act with respect to any business entity,
irrespective of whether that business entity is engaged in
commerce or meets any other jurisdictional tests in the Federal
Trade Commission Act.
(e) Coordination of Enforcement.--
(1) In general.--Before opening an investigation, the
Federal Trade Commission shall consult with the Attorney
General.
(2) Limitation.--The Federal Trade Commission may initiate
investigations under this subsection unless the Attorney
General determines that such an investigation would impede an
ongoing criminal investigation or national security activity.
(3) Coordination agreement.--
(A) In general.--In order to avoid conflicts and
promote consistency regarding the enforcement and
litigation of matters under this Act, not later than
180 days after the enactment of this Act, the Attorney
General and the Federal Trade Commission shall enter
into an agreement for coordination regarding the
enforcement of this Act.
(B) Requirement.--The coordination agreement
entered into under subparagraph (A) shall include
provisions to ensure that parallel investigations and
proceedings under this section are conducted in a
matter that avoids conflicts and does not impede the
ability of the Attorney General to prosecute violations
of Federal criminal laws.
(4) Coordination with the fcc.--If an enforcement action
under this Act relates to customer proprietary network
information, the Federal Trade Commission shall coordinate the
enforcement action with the Federal Communications Commission.
(f) Rulemaking.--The Federal Trade Commission may, in consultation
with the Attorney General, issue such other regulations as it
determines to be necessary to carry out this subtitle. All regulations
promulgated under this Act shall be issued in accordance with section
553 of title 5, United States Code. Where regulations relate to
customer proprietary network information, the promulgation of such
regulations will be coordinated with the Federal Communications
Commission.
(g) Other Rights and Remedies.--The rights and remedies available
under this subtitle are cumulative and shall not affect any other
rights and remedies available under law.
(h) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence
that the consumer has received notice that the consumer's financial
information has or may have been compromised,'' after ``identity theft
report''.
SEC. 218. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State or any State or local law enforcement agency
authorized by the State attorney general or by State statute to
prosecute violations of consumer protection law, has reason to
believe that an interest of the residents of that State has
been or is threatened or adversely affected by the engagement
of a business entity in a practice that is prohibited under
this subtitle, the State or the State or local law enforcement
agency on behalf of the residents of the agency's jurisdiction,
may bring a civil action on behalf of the residents of the
State or jurisdiction in a district court of the United States
of appropriate jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with this subtitle; or
(C) civil penalties of not more than $11,000 per
day per security breach up to a maximum of $1,000,000
per violation, unless such conduct is found to be
willful or intentional.
(2) Penalty limitation.--
(A) In general.--Notwithstanding any other
provision of law, the total sum of civil penalties
assessed against a business entity for all violations
of the provisions of this subtitle resulting from the
same or related acts or omissions may not exceed
$1,000,000, unless such conduct is found to be willful
or intentional.
(B) Determinations.--The determination of whether a
violation of a provision of this subtitle has occurred,
and if so, the amount of the penalty to be imposed, if
any, shall be made by the court sitting as the finder
of fact. The determination of whether a violation of a
provision of this subtitle was willful or intentional,
and if so, the amount of the additional penalty to be
imposed, if any, shall be made by the court sitting as
the finder of fact.
(C) Additional penalty limit.--If a court
determines under subparagraph (B) that a violation of a
provision of this subtitle was willful or intentional
and imposes an additional penalty, the court may not
impose an additional penalty in an amount that exceeds
$1,000,000.
(3) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State
involved shall provide to the Attorney General of the
United States--
(i) written notice of the action; and
(ii) a copy of the complaint for the
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subtitle, if the State attorney general
determines that it is not feasible to provide
the notice described in such subparagraph
before the filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the Attorney General at the time
the State attorney general files the action.
(b) Federal Proceedings.--Upon receiving notice under subsection
(a)(2), the Attorney General shall have the right to--
(1) move to stay the action, pending the final disposition
of a pending Federal proceeding or action;
(2) initiate an action in the appropriate United States
district court under section 217 and move to consolidate all
pending actions, including State actions, in such court;
(3) intervene in an action brought under subsection (a)(2);
and
(4) file petitions for appeal.
(c) Pending Proceedings.--If the Attorney General or the Federal
Trade Commission initiate a criminal proceeding or civil action for a
violation of a provision of this subtitle, or any regulations
thereunder, no attorney general of a State may bring an action for a
violation of a provision of this subtitle against a defendant named in
the Federal criminal proceeding or civil action.
(d) Construction.--For purposes of bringing any civil action under
subsection (a), nothing in this subtitle regarding notification shall
be construed to prevent an attorney general of a State from exercising
the powers conferred on such attorney general by the laws of that State
to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(e) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in--
(A) the district court of the United States that
meets applicable requirements relating to venue under
section 1391 of title 28, United States Code; or
(B) another court of competent jurisdiction.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
(f) No Private Cause of Action.--Nothing in this subtitle
establishes a private cause of action against a business entity for
violation of any provision of this subtitle.
SEC. 219. EFFECT ON FEDERAL AND STATE LAW.
For any entity, or agency that is subject to this subtitle, the
provisions of this subtitle shall supersede any other provision of
Federal law, or any provisions of the law of any State, relating to
notification of a security breach, except as provided in section
214(b). Nothing in this subtitle shall be construed to modify, limit,
or supersede the operation of the Gramm-Leach-Bliley Act (15 U.S.C.
6801 et seq.) or its implementing regulations, including those
regulations adopted or enforced by States, the Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.) or
its implementing regulations, or the Health Information Technology for
Economic and Clinical Health Act (42 U.S.C. 17937) or its implementing
regulations.
SEC. 220. REPORTING ON EXEMPTIONS.
(a) FTC Report.--Not later than 18 months after the date of
enactment of this Act, and upon request by Congress thereafter, the
Federal Trade Commission shall submit a report to Congress on the
number and nature of the security breaches described in the notices
filed by those business entities invoking the risk assessment exemption
under section 212(b) and their response to such notices.
(b) Law Enforcement Report.--
(1) In general.--Not later than 18 months after the date of
enactment of this Act, and upon the request by Congress
thereafter, the United States Secret Service and Federal Bureau
of Investigation shall submit a report to Congress on the
number and nature of security breaches subject to the national
security and law enforcement exemptions under section 212(a).
(2) Requirement.--The report required under paragraph (1)
shall not include the contents of any risk assessment provided
to the United States Secret Service and the Federal Bureau of
Investigation under this subtitle.
SEC. 221. EFFECTIVE DATE.
This subtitle shall take effect on the expiration of the date which
is 90 days after the date of enactment of this Act.
TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT
SEC. 301. BUDGET COMPLIANCE.
The budgetary effects of this Act, for the purpose of complying
with the Statutory Pay-As-You-Go Act of 2010, shall be determined by
reference to the latest statement titled ``Budgetary Effects of PAYGO
Legislation'' for this Act, submitted for printing in the Congressional
Record by the Chairman of the Senate Budget Committee, provided that
such statement has been submitted prior to the vote on passage.
<all>
Introduced in House
Introduced in House
Referred to the Committee on the Judiciary, and in addition to the Committees on Energy and Commerce, Financial Services, Oversight and Government Reform, and the Budget, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Committee on the Judiciary, and in addition to the Committees on Energy and Commerce, Financial Services, Oversight and Government Reform, and the Budget, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Committee on the Judiciary, and in addition to the Committees on Energy and Commerce, Financial Services, Oversight and Government Reform, and the Budget, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Committee on the Judiciary, and in addition to the Committees on Energy and Commerce, Financial Services, Oversight and Government Reform, and the Budget, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Committee on the Judiciary, and in addition to the Committees on Energy and Commerce, Financial Services, Oversight and Government Reform, and the Budget, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Llama 3.2 · runs locally in your browser
Ask anything about this bill. The AI reads the full text to answer.
Enter to send · Shift+Enter for new line
Referred to the Subcommittee on Commerce, Manufacturing, and Trade.
Referred to the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations.