Data Breach Notification and Punishing Cyber Criminals Act of 2015
Requires certain commercial entities that acquire, maintain, store, or utilize individuals' nonpublic personal information to protect and secure any such data that is held unencrypted in electronic form.
Directs entities that own or license such data, following discovery of a security breach, to notify each individual U.S. citizen or resident: (1) whose personal information is reasonably believed to have been accessed and acquired by an unauthorized person; or (2) who may be at risk of identity theft, fraud, actual financial harm, or other unlawful conduct.
Requires the Department of Homeland Security (DHS) to designate a federal entity to receive information from commercial entities regarding breaches, incidents, threats, and vulnerabilities. Requires the DHS-designated entity to provide such information to: (1) the U.S. Secret Service and the Federal Bureau of Investigation; (2) the Federal Trade Commission (FTC) for civil law enforcement purposes; and (3) other federal agencies for law enforcement, national security, or data security purposes.
Directs entities to notify the DHS-designated entity if a breach involves: (1) the personal information of more than 1,000 individuals, (2) a data system containing the personal information of more than 250,000 individuals, (3) federal databases, or (4) the personal information of primarily federal employees and contractors involved in national security or law enforcement.
Provides alternative compliance procedures for: (1) third parties that maintain personal data in electronic form on behalf of another entity, and (2) certain electronic data service providers.
Sets forth FTC enforcement authority.
Exempts from the requirements of this Act: (1) financial institutions subject to the Gramm-Leach-Bliley Act, and (2) entities subject to health information privacy regulations. Provides for the requirements of this Act to apply to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission.
Increases maximum fines or terms of imprisonment for certain cyber-related criminal offenses involving identity theft or fraud.
Directs the Department of State to consult with governments of countries in which international cyber criminals are physically present (if the countries do not have a mutual legal assistance or an extradition treaty with the United States) to determine what actions those governments have taken to prosecute and prevent cyber or intellectual property crimes against U.S. interests or citizens.
Preempts certain state data security laws.
[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 1027 Introduced in Senate (IS)]
114th CONGRESS
1st Session
S. 1027
To require notification of information security breaches and to enhance
penalties for cyber criminals, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 21, 2015
Mr. Kirk (for himself and Mrs. Gillibrand) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To require notification of information security breaches and to enhance
penalties for cyber criminals, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Breach Notification and
Punishing Cyber Criminals Act of 2015''.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
Each covered entity shall take reasonable measures to protect and
secure data in electronic form containing personal information.
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) Notification.--
(1) In general.--A covered entity that owns or licenses
data in electronic form containing personal information shall
give notice of any breach of the security of the system
following discovery by the covered entity of the breach of the
security of the system to each individual who is a citizen or
resident of the United States--
(A) whose personal information was, or that the
covered entity reasonably believes to have been,
accessed and acquired by an unauthorized person; or
(B) who the covered entity reasonably believes may
be at risk of identity theft, fraud, actual financial
harm, or other unlawful conduct.
(2) Law enforcement.--
(A) Designation of a government entity to receive
notice.--
(i) In general.--Not later than 60 days
after the date of enactment of this Act, the
Secretary of Homeland Security, in consultation
with the Attorney General, shall designate a
Federal Government entity to receive the
information required to be submitted under this
section, and any other reports and information
about information security incidents, threats,
and vulnerabilities.
(ii) Responsibilities of the designated
entity.--The designated entity shall--
(I) be responsible for promptly
providing the information it receives
to the United States Secret Service and
the Federal Bureau of Investigation,
and to the Federal Trade Commission for
civil law enforcement purposes; and
(II) provide the information
described in subclause (I) as
appropriate to other Federal agencies
for law enforcement, national security,
or data security purposes.
(B) Notice.--Not later than 30 days after the date
on which a security breach is discovered, a covered
entity shall notify the designated entity of the fact
that the breach of security has occurred if--
(i) the number of individuals whose
personal information was, or is reasonably
believed to have been, accessed and
acquired by an unauthorized person is more than
1,000;
(ii) the security breach involves a
database, networked or integrated databases, or
other data system containing the personal
information of more than 250,000 individuals;
(iii) the security breach involves
databases owned by the Federal Government; or
(iv) the security breach involves personal
information of primarily individuals known to
the covered entity to be employees and
contractors of the Federal Government involved
in national security or law enforcement.
(C) FTC review of thresholds.--
(i) Review.--Not later than 1 year after
the date of enactment of this Act, the Federal
Trade Commission, in consultation with the
Attorney General and the Secretary of Homeland
Security, shall promulgate regulations
regarding the reports required under
subparagraph (A).
(ii) Rulemaking.--The Federal Trade
Commission, in consultation with the Attorney
General and the Secretary of Homeland Security,
after notice and the opportunity for public
comment, and in a manner consistent with this
section, shall promulgate regulations, as
necessary, under section 553 of title 5, United
States Code, to adjust the thresholds for
notice to law enforcement and national security
authorities under subparagraph (A) and to
facilitate the purposes of this section.
(b) Special Notification Requirements.--
(1) Third-party agents.--
(A) In general.--In the event of a breach of
security of a system maintained by a third-party entity
that has been contracted to maintain, store, or process
data in electronic form containing personal information
on behalf of a covered entity who owns or possesses
such data, the third-party entity shall notify the
covered entity of the breach of security.
(B) Covered entities who receive notice from third
parties.--Upon receiving notification from a third
party under subparagraph (A), a covered entity shall
provide notification as required under subsection (a).
(C) Exception for service providers.--For purposes
of this paragraph, a service provider shall not be
considered a third-party agent.
(2) Service providers.--
(A) In general.--If a service provider becomes
aware of a breach of security involving data in
electronic form containing personal information that is
owned or possessed by a covered entity that connects to
or uses a system or network provided by the service
provider for the purpose of transmitting, routing, or
providing intermediate or transient storage of such
data, the service provider shall notify the covered
entity who initiated such connection, transmission,
routing, or storage if the covered entity can be
reasonably identified.
(B) Covered entities who receive notice from
service providers.--Upon receiving notification from a
service provider under subparagraph (A), a covered
entity shall provide notification as required under
subsection (a).
(c) Timeliness of Notification.--
(1) Notification to affected individuals.--
(A) In general.--Unless subject to a delay
authorized under subparagraph (B) or paragraph (2), a
notification required under subsection (a)(1) with
respect to a security breach shall be made not later
than 30 days after the date on which the security
breach was discovered, consistent with any measures
necessary to determine the scope of the security breach
and restore the reasonable integrity of the data system
that was breached.
(B) Follow-up notification.--Not later than 60 days
after the date on which notice is provided under
subsection (a)(1), if a covered entity has discovered
additional information relating to how a breach of
security occurred (as required under subsection
(d)(1)(B)(iii) to be included in a notification) the
covered entity may provide a follow-up notification to
affected individuals that contains the additional
information.
(2) Delay of notification authorized for law enforcement or
national security purposes.--
(A) Law enforcement.--If a Federal law enforcement
agency determines that the notification required under
subsection (a) would impede a civil or criminal
investigation, such notification shall be delayed upon
the written request of the law enforcement agency for
any period which the law enforcement agency determines
is reasonably necessary. A law enforcement agency may,
by a subsequent written request, revoke such delay or
extend the period set forth in the original request
made under this subparagraph by a subsequent request if
further delay is necessary.
(B) National security.--If a Federal national
security agency or homeland security agency determines
that the notification required under this section would
threaten national or homeland security, such
notification may be delayed upon the written request of
the national security agency or homeland security
agency for any period which the national security
agency or homeland security agency determines is
reasonably necessary. A Federal national security
agency or homeland security agency may revoke such
delay or extend the period set forth in the original
request made under this subparagraph by a subsequent
written request if further delay is necessary.
(d) Method and Content of Notification.--
(1) Direct notification.--
(A) Method of notification.--A covered entity
required to provide notification to an individual under
subsection (a) shall be in compliance with such
requirement if the covered entity provides such notice
by any one of the following methods:
(i) Written notification, sent to the
postal address of the individual in the records
of the covered entity.
(ii) Telephone.
(iii) Email or other electronic means.
(B) Content of notification.--Regardless of the
method by which notification is provided to an
individual under subparagraph (A) with respect to a
security breach, such notification, to the extent
practicable, shall include--
(i) the date, estimated date, or estimated
date range of the breach of security;
(ii) a description of the personal
information that was accessed and acquired, or
reasonably believed to have been accessed and
acquired, by an unauthorized person as a part
of the security breach;
(iii) a general description of how the
breach of security occurred; and
(iv) information that the individual can
use to contact the covered entity to inquire
about--
(I) the breach of security; or
(II) the information the covered
entity maintained about that
individual.
(2) Substitute notification.--
(A) Circumstances giving rise to substitute
notification.--A covered entity required to provide
notification to an individual under subsection (a) may
provide substitute notification in lieu of the direct
notification required by paragraph (1) if such direct
notification is not feasible due to--
(i) excessive cost to the covered entity
required to provide such notification relative
to the resources of such covered entity; or
(ii) lack of sufficient contact information
for the individual required to be notified.
(B) Form of substitute notification.--Substitute
notification described in subparagraph (A) shall
include--
(i) a conspicuous notice on the Internet
Web site of the covered entity (if such covered
entity maintains such a Web site); and
(ii) notification in print and to broadcast
media, including major media in metropolitan
and rural areas where the individuals whose
personal information was acquired reside.
(3) Cost of notification.--A covered entity required to
provide notification to an individual under subsection (a)
shall provide such notification at no cost to the individual.
(e) Treatment of Persons Governed by Other Federal Law.--Except as
provided in section 4(b), a covered entity who is in compliance with
any other Federal law that requires such covered entity to provide
notification to individuals following a breach of security shall be
deemed to be in compliance with this section.
SEC. 4. APPLICATION AND ENFORCEMENT.
(a) General Application.--The requirements of sections 2 and 3
apply to--
(1) any covered entity over which the Commission has
authority pursuant to section 5(a)(2) of the Federal Trade
Commission Act (15 U.S.C. 45(a)(2)); and
(2) notwithstanding section 5(a)(2) of the Federal Trade
Commission Act (15 U.S.C. 45(a)(2)), common carriers subject to
the Communications Act of 1934 (47 U.S.C. 151 et seq.).
(b) Application to Cable Operators, Satellite Operators, and
Telecommunications Carriers.--Sections 222, 338, and 631 of the
Communications Act of 1934 (47 U.S.C. 222, 338, and 551), and any
regulations promulgated thereunder, shall not apply with respect to the
information security practices, including practices relating to the
notification of unauthorized access to data in electronic form, of any
covered entity otherwise subject to those sections.
(c) Enforcement by Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2 or 3 shall be treated as an unfair or deceptive act
or practice in violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of commission.--
(A) In general.--Except as provided in subsection
(a), the Commission shall enforce this Act in the same
manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates section 3 or 4 shall be subject to the
penalties and entitled to the privileges and immunities
provided in such Act.
(3) Maximum total liability.--Notwithstanding the number of
actions which may be brought against a covered entity under
this subsection, the maximum civil penalty for which any
covered entity may be liable under this subsection for all
actions shall not exceed--
(A) $1,000,000 for all violations of section 2
resulting from the same related act or omission; and
(B) $1,000,000 for all violations of section 3
resulting from a single breach of security.
(d) No Private Cause of Action.--Nothing in this Act shall be
construed to establish a private cause of action against a person for a
violation of this Act.
SEC. 5. CRIMINAL PENALTIES FOR CYBER CRIMES.
Part I of title 18, United States Code, is amended--
(1) in chapter 47--
(A) in section 1028(b)--
(i) in paragraph (1)--
(I) in subparagraph (B), by
inserting ``or'' after the semicolon;
(II) in subparagraph (C), by
striking ``or'' after the semicolon;
and
(III) by striking subparagraph (D);
(ii) by redesignating paragraphs (5) and
(6), as paragraphs (6) and (7), respectively;
and
(iii) by inserting after paragraph (4), the
following:
``(5) for an offense under paragraph (7) of such
subsection, a fine of not more than $500,000 ($1,000,000 if the
person is an organization), imprisonment for not more than 30
years, or both;'';
(B) in section 1028A(a)(1), by striking ``2 years''
and inserting ``4 years'';
(C) in section 1029(c)(1)--
(i) in subparagraph (A)--
(I) in clause (i), by striking ``a
fine under this title or imprisonment
for not more than 10 years'' and
inserting ``a fine of not more than
$500,000 ($1,000,000 if the person is
an organization), imprisonment for not
more than 20 years''; and
(II) in clause (ii), by striking
``a fine under this title or
imprisonment for not more than 15
years'' and inserting ``a fine of not
more than $500,000 ($1,000,000 if the
person is an organization),
imprisonment for not more than 30
years''; and
(ii) in subparagraph (B), by striking ``a
fine under this title or imprisonment for not
more than 20 years'' and inserting ``a fine of
not more than $500,000 ($1,000,000 if the
person is an organization), imprisonment for
not more than 40 years''; and
(D) in section 1030(c)--
(i) in paragraph (2)--
(I) in subparagraph (A), by
striking ``subsection (a)(2), (a)(3),''
and inserting ``subsection (a)(3)'';
(II) in subparagraph (B)--
(aa) in the matter
preceding clause (i), by
striking ``a fine under this
title or imprisonment for not
more than 5 years'' and
inserting ``a fine of not more
than $500,000 ($1,000,000 if
the person is an organization),
imprisonment for not more than
10 years''; and
(bb) in clause (iii), by
striking ``and'' at the end;
(III) in subparagraph (C), by
striking ``(a)(2),''; and
(IV) by adding at the end the
following:
``(D) a fine of not more than $500,000 ($1,000,000 if the
person is an organization), imprisonment for not more than 2
years, or both, in the case of an offense under subsection
(a)(2) which does not occur after a conviction for another
offense under this section, or an attempt to commit an offense
punishable under this subparagraph; and
``(E) a fine of not more than $500,000 ($1,000,000 if the
person is an organization), imprisonment for not more than 20
years, or both, in the case of an offense under subsection
(a)(2) which occurs after a conviction for another offense
under this section, or an attempt to commit an offense
punishable under this subparagraph;'';
(ii) in paragraph (3)--
(I) in subparagraph (A), by
striking ``(a)(4) or''; and
(II) in subparagraph (B), by
striking ``(a)(4), or'';
(iii) in paragraph (4)--
(I) in subparagraph (A), in the
matter preceding clause (i), by
striking ``a fine under this title,
imprisonment for not more than 5
years'' and inserting ``a fine of not
more than $500,000 ($1,000,000 if the
person is an organization),
imprisonment for not more than 10
years'';
(II) in subparagraph (B), in the
matter preceding clause (i), by
striking ``a fine under this title,
imprisonment for not more than 10
years'' and inserting ``a fine of not
more than $500,000 ($1,000,000 if the
person is an organization),
imprisonment for not more than 20
years'';
(III) in subparagraph (C), in the
matter preceding clause (i), by
striking ``a fine under this title,
imprisonment for not more than 20
years'' and inserting ``a fine of not
more than $500,000 ($1,000,000 if the
person is an organization),
imprisonment for not more than 40
years'';
(IV) in subparagraph (D), in the
matter preceding clause (i), by
striking ``a fine under this title,
imprisonment for not more than 10
years'' and inserting ``a fine of not
more than $500,000 ($1,000,000 if the
person is an organization),
imprisonment for not more than 20
years'';
(V) in subparagraph (E), by
striking ``a fine under this title,
imprisonment for not more than 20
years'' and inserting ``a fine of not
more than $500,000 ($1,000,000 if the
person is an organization),
imprisonment for not more than 40
years'';
(VI) in subparagraph (F)--
(aa) by striking ``a fine
under this title'' and
inserting ``a fine of not more
than $500,000 ($1,000,000 if
the person is an
organization)''; and
(bb) by striking ``or'' at
the end; and
(VII) in subparagraph (G)--
(aa) in the matter
preceding clause (i), by
striking ``under this title,
imprisonment for not more than
1 year'' and inserting ``of not
more than $500,000 ($1,000,000
if the person is an
organization), imprisonment for
not more than 2 years''; and
(bb) in clause (ii), by
striking the period at the end
and inserting ``; and''; and
(iv) by adding at the end the following:
``(5)(A) a fine of not more than $500,000 ($1,000,000 if
the person is an organization), imprisonment for not more than
10 years, or both, in the case of an offense under subsection
(a)(4) which does not occur after a conviction for another
offense under this section, or an attempt to commit an offense
punishable under this subparagraph; and
``(B) a fine of not more than $500,000 ($1,000,000 if the
person is an organization), imprisonment for not more than 20
years, or both, in the case of an offense under subsection
(a)(4) which occurs after a conviction for another offense
under this section, or an attempt to commit an offense
punishable under this subparagraph.'';
(2) in chapter 63--
(A) in section 1343--
(i) in the first sentence, by striking
``fined under this title or imprisoned not more
than 20 years'' and inserting ``fined not more
than $500,000 ($1,000,000 if the person is an
organization), imprisoned not more than 40
years''; and
(ii) in the second sentence, by striking
``$1,000,000 or imprisoned not more than 30
years'' and inserting ``$2,000,000, imprisoned
for any term of years or for life''; and
(B) in section 1344, by striking ``$1,000,000 or
imprisoned not more than 30 years'' and inserting
``$2,000,000 or imprisoned for any term of years or for
life''; and
(3) in section 1519, by striking ``fined under this title,
imprisoned not more than 20 years'' and inserting ``fined not
more than $500,000 ($1,000,000 if the person is an
organization), imprisoned not more than 40 years''.
SEC. 6. APPREHENSION AND PROSECUTION OF INTERNATIONAL CYBER CRIMINALS.
(a) International Cyber Criminal Defined.--In this section, the
term ``international cyber criminal'' means an individual--
(1) who is physically present within a country with which
the United States does not have a mutual legal assistance
treaty or an extradition treaty;
(2) who is believed to have committed a cybercrime or
intellectual property crime against the interests of the United
States or its citizens; and
(3) for whom--
(A) an arrest warrant has been issued by a judge in
the United States; or
(B) an international wanted notice (commonly
referred to as a ``Red Notice'') has been circulated by
Interpol.
(b) Bilateral Consultations.--The Secretary of State, or designee,
shall consult with the appropriate government official of each country
in which one or more international cyber criminals are physically
present to determine what actions the government of such country has
taken--
(1) to apprehend and prosecute such criminals; and
(2) to prevent such criminals from carrying out cybercrimes
or intellectual property crimes against the interests of the
United States or its citizens.
(c) Annual Report.--
(1) In general.--The Secretary of State shall submit to the
appropriate congressional committees an annual report that
identifies--
(A) the number of international cyber criminals who
are located in countries that do not have an
extradition treaty or mutual legal assistance treaty
with the United States, broken down by country;
(B) the dates on which an official of the
Department of State, as a result of this Act, discussed
ways to thwart or prosecute international cyber
criminals in a bilateral conversation with an official
of another country, including the name of each such
country; and
(C) for each international cyber criminal who was
extradited into the United States during the most
recently completed calendar year--
(i) his or her name;
(ii) the crimes for which he or she was
charged;
(iii) his or her previous country of
residence; and
(iv) the country from which he or she was
extradited into the United States.
(2) Appropriate congressional committees.--For purposes of
this subsection, the term ``appropriate congressional
committees'' means--
(A) the Committee on Foreign Relations of the
Senate;
(B) the Committee on Appropriations of the Senate;
(C) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(D) the Committee on Banking, Housing, and Urban
Affairs of the Senate;
(E) the Committee on Foreign Affairs of the House
of Representatives;
(F) the Committee on Appropriations of the House of
Representatives;
(G) the Committee on Homeland Security of the House
of Representatives; and
(H) the Committee on Financial Services of the
House of Representatives.
SEC. 7. DEFINITIONS.
In this Act:
(1) Breach of security.--The term ``breach of security''
means unauthorized access and acquisition of data in electronic
form containing personal information.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Covered entity.--
(A) In general.--The term ``covered entity'' means
a sole proprietorship, partnership, corporation, trust,
estate, cooperative, association, or other commercial
entity that acquires, maintains, stores, or utilizes
personal information.
(B) Exemptions.--The term ``covered entity'' does
not include the following:
(i) Financial institutions subject to title
V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801
et seq.).
(ii) An entity covered by the regulations
issued under section 264(c) of the Health
Insurance Portability and Accountability Act of
1996 (Public Law 104-191) to the extent that
such entity is subject to the requirements of
such regulations with respect to protected
health information.
(4) Data in electronic form.--The term ``data in electronic
form'' means any data stored electronically or digitally on any
computer system or other database and includes recordable tapes
and other mass storage devices.
(5) Designated entity.--The term ``designated entity''
means the Federal Government entity designated under section
3(a)(2)(A).
(6) Personal information.--
(A) In general.--The term ``personal information''
means an individual's first name or first initial and
last name in combination with any one or more of the
following data elements for that individual:
(i) Social Security number.
(ii) Driver's license number, passport
number, military identification number, or
other similar number issued on a government
document used to verify identity.
(iii) Financial account number, or credit
or debit card number, and any required security
code, access code, or password that is
necessary to permit access to an individual's
financial account.
(iv) Federal or State government issued
identification card.
(v) A username or email address, in
combination with a password or security
question and answer that would allow access to
an online account.
(vi) Medical information, including the
medical history, mental or physical condition,
or medical treatment or diagnosis by a health
care professional of the individual.
(vii) Health insurance information,
including a health insurance policy number or
subscriber identification number, any unique
identifier used by a health insurer to identify
an individual, or any information in a health
insurance application or claim history filed by
the individual.
(viii) An individual taxpayer
identification number.
(B) Exclusions.--
(i) Public record information.--Personal
information does not include information
obtained about an individual which has been
lawfully made publicly available by a Federal,
State, or local government entity or widely
distributed by media.
(ii) Encrypted, redacted, or secured
data.--Personal information does not include
information that is encrypted, redacted, or
secured by any other method or technology that
renders the data elements unusable.
(7) Service provider.--The term ``service provider'' means
an entity that provides electronic data transmission, routing,
intermediate, and transient storage, or connections to its
system or network, where such entity providing such services
does not select or modify the content of the electronic data,
is not the sender or the intended recipient of the data, and
does not differentiate personal information from other
information that such entity transmits, routes, stores, or for
which such entity provides connections. Any such entity shall
be treated as a service provider under this Act only to the
extent that it is engaged in the provision of such
transmission, routing, intermediate and transient storage, or
connections.
SEC. 8. EFFECT ON OTHER LAWS.
This Act preempts any law, rule, regulation, requirement, standard,
or other provision having the force and effect of law of any State, or
political subdivision of a State, relating to the protection or
security of data in electronic form containing personal information or
the notification of a breach of security.
SEC. 9. EFFECTIVE DATE.
This Act shall take effect on the date that is 1 year after the
date of enactment of this Act.
Introduced in Senate
Read twice and referred to the Committee on Commerce, Science, and Transportation. (Sponsor introductory remarks on measure: CR S2304)