<?xml version="1.0"?>
<!--
  Parser note: this prolog references two external resources by relative
  location, the stylesheet "billres.xsl" (processing instruction below) and
  the DTD "bill.dtd" (DOCTYPE system identifier). A consumer that resolves
  them loads whatever sits at those locations relative to this file. When the
  file comes from an untrusted or mirrored location, parse with external DTD
  and entity loading disabled, or map the public identifier to a locally
  pinned copy of the DTD, and choose the stylesheet in the consumer rather
  than from this processing instruction.
-->
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-House" bill-type="olc" dms-id="H7B1AA10FD7F04574A839DF904704B506" key="H" public-private="public"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>115 HR 4081 IH: Consumer Privacy Protection Act of 2017</dc:title>
<dc:publisher>U.S. House of Representatives</dc:publisher>
<dc:date>2017-10-19</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">I</distribution-code><congress display="yes">115th CONGRESS</congress><session display="yes">1st Session</session><legis-num display="yes">H. R. 4081</legis-num><current-chamber>IN THE HOUSE OF REPRESENTATIVES</current-chamber><action display="yes"><action-date date="20171019">October 19, 2017</action-date><action-desc><sponsor name-id="C001084">Mr. Cicilline</sponsor> (for himself, <cosponsor name-id="L000551">Ms. Lee</cosponsor>, <cosponsor name-id="N000147">Ms. Norton</cosponsor>, <cosponsor name-id="R000606">Mr. Raskin</cosponsor>, <cosponsor name-id="G000559">Mr. Garamendi</cosponsor>, <cosponsor name-id="N000002">Mr. Nadler</cosponsor>, <cosponsor name-id="C001037">Mr. Capuano</cosponsor>, and <cosponsor name-id="T000472">Mr. Takano</cosponsor>) introduced the following bill; which was referred to the <committee-name committee-id="HJU00">Committee on the Judiciary</committee-name>, and in addition to the Committees on <committee-name committee-id="HIF00">Energy and Commerce</committee-name>, <committee-name committee-id="HBA00">Financial Services</committee-name>, and <committee-name committee-id="HBU00">the Budget</committee-name>, for a period to be subsequently determined by the Speaker, in each case for consideration of such
			 provisions as fall within the jurisdiction of the committee concerned</action-desc></action><legis-type>A BILL</legis-type><official-title display="yes">To ensure the privacy and security of sensitive personal information, to prevent and mitigate
			 identity theft, to provide notice of security breaches involving sensitive
			 personal information, and to enhance law enforcement assistance and other
			 protections against security breaches, fraudulent access, and misuse of
			 personal information.</official-title></form>
	<legis-body id="H864EDA7544454DE8AA35BED73EF889BB" style="OLC">
		<section id="H17CB5A4D5EFF4B5989D1E954391B388D" section-type="section-one"><enum>1.</enum><header>Short title; table of contents</header>
 <subsection id="H4CF94893F3FE41F0894A78D61257EBCA"><enum>(a)</enum><header>Short title</header><text display-inline="yes-display-inline">This Act may be cited as the <quote><short-title>Consumer Privacy Protection Act of 2017</short-title></quote>.</text> </subsection><subsection id="H68082B37C6F645858A2E0DD21C1C2BAF"><enum>(b)</enum><header>Table of contents</header><text>The table of contents for this Act is as follows:</text>
				<toc>
					<toc-entry idref="H17CB5A4D5EFF4B5989D1E954391B388D" level="section">Sec. 1. Short title; table of contents.</toc-entry>
					<toc-entry idref="H32BA02247E8C473E99B0D63BCAB7851A" level="section">Sec. 2. Findings.</toc-entry>
					<toc-entry idref="H069BB5EA06FF4303960F95E53B9B6899" level="section">Sec. 3. Definitions.</toc-entry>
					<toc-entry idref="HBC9C5D2E17CA4129BEE578CC1913A715" level="title">TITLE I—Punishment for concealment of security breaches and tools to combat cybercrime</toc-entry>
					<toc-entry idref="H1E10914409F347FDAB89C91EE8EFCF56" level="section">Sec. 101. Concealment of security breaches involving sensitive personally identifiable information.</toc-entry>
					<toc-entry idref="H581579923CA545E1BF72925216135758" level="section">Sec. 102. Reporting of certain cybercrimes.</toc-entry>
					<toc-entry idref="H375FC28FF6534E6B91E69FA084670917" level="section">Sec. 103. Authority to shut down botnets.</toc-entry>
					<toc-entry idref="H2C7876F1E88D472587AF5D65F9305612" level="section">Sec. 104. Deterring the development and sale of computer and cell phone spying devices.</toc-entry>
					<toc-entry idref="HFCE96BA195B94BA99082CD59B83235D1" level="title">TITLE II—Consumer privacy and security of sensitive personally identifiable information</toc-entry>
					<toc-entry idref="H445447CD5C5C4E9CBF2528992A8A5FD2" level="subtitle">Subtitle A—Consumer privacy and data security program</toc-entry>
					<toc-entry idref="H9F41D5AEEBDF432E83E9FB0DC4735161" level="section">Sec. 201. Purpose and applicability of consumer privacy and data security program.</toc-entry>
					<toc-entry idref="H69655C4B758F4204BC0FDBBF0AA11F79" level="section">Sec. 202. Requirements for consumer privacy and data security program.</toc-entry>
					<toc-entry idref="H1135C861466F461684EB42139D16FFFA" level="section">Sec. 203. Federal enforcement.</toc-entry>
					<toc-entry idref="H7EF1FD4EFF044061B3894A5FD351924C" level="section">Sec. 204. Enforcement by State attorneys general.</toc-entry>
					<toc-entry idref="HBBFD44C1BFED4C4E9C529F7900D085DD" level="section">Sec. 205. Relation to other laws.</toc-entry>
					<toc-entry idref="H3BD8C7CAD5204870BB730E01AFAAC241" level="subtitle">Subtitle B—Security breach notification</toc-entry>
					<toc-entry idref="H07D3D2B2003F47848FB8AE90D88105BF" level="section">Sec. 211. Notice to individuals.</toc-entry>
					<toc-entry idref="H6B8B0DB24FFF4E4E8A4A284AE3238121" level="section">Sec. 212. Exemptions.</toc-entry>
					<toc-entry idref="HE3DF4A0F14AA4F72B727DFE0341698BC" level="section">Sec. 213. Methods of notice.</toc-entry>
					<toc-entry idref="H93BCA486AE4A420491DDE66C4D28A858" level="section">Sec. 214. Content of notification.</toc-entry>
					<toc-entry idref="HB0BE37BB555349A9B02C670CF647F479" level="section">Sec. 215. Coordination of notification with credit reporting agencies.</toc-entry>
					<toc-entry idref="H4593892E452A4E929D7389EF7EE03C5F" level="section">Sec. 216. Notice to the Federal Trade Commission.</toc-entry>
					<toc-entry idref="H07E3F91CCF904D63B589361B1B963E0E" level="section">Sec. 217. Notice to law enforcement.</toc-entry>
					<toc-entry idref="H1471BECE6D0C45ED9AE2F0787647FB4E" level="section">Sec. 218. Federal enforcement.</toc-entry>
					<toc-entry idref="H0B9AC850406B4749803D72A6DF63614F" level="section">Sec. 219. Enforcement by State attorneys general.</toc-entry>
					<toc-entry idref="H4BCD945ECE2D45D78D339F5561AA5708" level="section">Sec. 220. Effect on Federal and State law.</toc-entry>
					<toc-entry idref="H56397B033F1A47739EA1124A02238E4D" level="section">Sec. 221. Reporting on exemptions.</toc-entry>
					<toc-entry idref="H5FF954F4979E471DBB0A641B51215678" level="section">Sec. 222. Effective date.</toc-entry>
					<toc-entry idref="H9BEAB718C0A942658CF1C0A1B1EE1BE3" level="title">TITLE III—Compliance with statutory Pay-As-You-Go Act</toc-entry>
					<toc-entry idref="H836089BAC86647A4BB267133DCCC6D7F" level="section">Sec. 301. Budget compliance.</toc-entry></toc>
 </subsection></section><section id="H32BA02247E8C473E99B0D63BCAB7851A"><enum>2.</enum><header>Findings</header><text display-inline="no-display-inline">Congress finds that—</text> <paragraph id="H793BD02D1ED64BDB96E8B3E051F42607"><enum>(1)</enum><text>databases of sensitive personally identifiable information are increasingly prime targets of hackers, identity thieves, rogue employees, and other criminals, including organized and sophisticated criminal operations;</text>
 </paragraph><paragraph id="HC3452D6C36224364B3952D959FFD8CBF"><enum>(2)</enum><text>security breaches caused by such criminal acts are a serious threat to consumer privacy, consumer confidence, homeland security, national security, e-commerce, and economic stability;</text>
 </paragraph><paragraph id="HD601F25AC58143FD8B8A9FA5DE67D83F"><enum>(3)</enum><text>misuse of sensitive personally identifiable information has the potential to cause serious or irreparable harm to an individual's livelihood, privacy, and liberty and undermine efficient and effective business and government operations;</text>
 </paragraph><paragraph id="H15C75F8FFB934075A949993184C96602"><enum>(4)</enum><text>identity theft is a serious threat to the Nation's economic stability, national security, homeland security, cybersecurity, the development of e-commerce, and the privacy rights of Americans;</text>
 </paragraph><paragraph id="H37B2E5F948E0496580E49A021B9A56E6"><enum>(5)</enum><text>it is important for business entities that own, use, store, or license sensitive personally identifiable information to adopt reasonable policies and procedures to help ensure the security and privacy of sensitive personally identifiable information; and</text>
 </paragraph><paragraph id="H408304D2809A46C18734AF157D8D7C87"><enum>(6)</enum><text>individuals whose personal information has been compromised or who have been victims of identity theft should receive the necessary information and assistance to mitigate any potential damage.</text>
 </paragraph></section><section id="H069BB5EA06FF4303960F95E53B9B6899"><enum>3.</enum><header>Definitions</header><text display-inline="no-display-inline">In this Act, the following definitions shall apply:</text> <paragraph id="HFB77730E26AF41F3A3879E5499CFAF6B"><enum>(1)</enum><header>Affiliate</header><text>The term <term>affiliate</term> means persons related by common ownership or by corporate control.</text>
 </paragraph><paragraph id="HD112D62C555347478D05D8F39A80D07E"><enum>(2)</enum><header>Agency</header><text>The term <term>agency</term> has the same meaning given such term in section 551 of title 5, United States Code.</text> </paragraph><paragraph id="H747F9DB6DC3E4DE7A539EB00571156D5"><enum>(3)</enum><header>Business entity</header><text>The term <term>business entity</term> means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture established to make a profit, or a nonprofit organization.</text>
 </paragraph><paragraph commented="no" display-inline="no-display-inline" id="H6217F15EAE6A4CCA919261729C28D6A0"><enum>(4)</enum><header display-inline="yes-display-inline">Consumer privacy and data security program</header><text display-inline="yes-display-inline">The term <term>consumer privacy and data security program</term> means the program described in section 202(a).</text> </paragraph><paragraph commented="no" id="H7333CBE6F9A94862B9B57F77E73D3C9B"><enum>(5)</enum><header>Covered entity</header><text>The term <term>covered entity</term> means any business entity, other than a service provider, that collects, uses, accesses, transmits, stores, or disposes of sensitive personally identifiable information.</text>
 </paragraph><paragraph id="H722C90DED61441AB89A4038D14AAAE5A"><enum>(6)</enum><header>Designated entity</header><text>The term <term>designated entity</term> means the Federal Government entity designated by the Secretary of Homeland Security under section 217(a).</text>
 </paragraph><paragraph id="HF038DFC3F5244E45BB20B2D36D1FB10A"><enum>(7)</enum><header>Encryption</header><text>The term <term>encryption</term>—</text> <subparagraph id="H7E17EFDB1433499D89D4E3F2092C962F"><enum>(A)</enum><text>means the protection of data in electronic form, in storage or in transit, using an encryption technology that has been generally accepted by experts in the field of information security that renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and</text>
 </subparagraph><subparagraph id="H41737F61FF354BFA906C2A82C8580DB1"><enum>(B)</enum><text>includes appropriate management and safeguards of such cryptographic keys so as to protect the integrity of the encryption.</text>
 </subparagraph></paragraph><paragraph id="HE74791C72ECB421D954134D1BFB42803"><enum>(8)</enum><header>Identity theft</header><text>The term <term>identity theft</term> means a violation of section 1028(a)(7) of title 18, United States Code.</text> </paragraph><paragraph id="HFA9490C429B343FC978E777719220288"><enum>(9)</enum><header>Security breach</header> <subparagraph id="H0615240AFE484B2B97CFB28410581CA6"><enum>(A)</enum><header>In general</header><text>The term <term>security breach</term> means compromise of the privacy or security of computerized data that results in, or that there is a reasonable basis to conclude has resulted in, unauthorized access to or acquisition of sensitive personally identifiable information.</text>
 </subparagraph><subparagraph id="H0719A5EC1DDB4C84A8B19C948C34FB21"><enum>(B)</enum><header>Exclusion</header><text>The term <term>security breach</term> does not include—</text> <clause id="H62002364CDA040A588351F2A26E399AC"><enum>(i)</enum><text>a good faith access or acquisition of sensitive personally identifiable information by a business entity, or an employee or agent of a business entity, if the sensitive personally identifiable information is not subject to further unauthorized disclosure;</text>
 </clause><clause id="H9FC35B33DE3A41AB8AA7EA56DBA1A122"><enum>(ii)</enum><text>the release of a public record not otherwise subject to confidentiality or nondisclosure requirements; or</text>
 </clause><clause id="H2E67B3F971A24FD098F3C8FE77B673EC"><enum>(iii)</enum><text>any lawfully authorized investigative, protective, or intelligence activity of a law enforcement or intelligence agency of the United States, a State, or a political subdivision of a State.</text>
 </clause></subparagraph></paragraph><paragraph id="HB18E2CE068DB4143A517CD9DB2394295"><enum>(10)</enum><header>Sensitive personally identifiable information</header><text>The term <term>sensitive personally identifiable information</term> means any information or compilation of information, in electronic or digital form that includes the following:</text>
 <subparagraph id="H7D1E441C90A849C7AD44872CFF7CC5B1"><enum>(A)</enum><text>A non-truncated Social Security number, a driver’s license number, passport number, or alien registration number or other government-issued unique identification number.</text>
 </subparagraph><subparagraph id="H08BF90F72BB243449AEE704D4324FC40"><enum>(B)</enum><text>A financial account number or credit or debit card number in combination with any security code, access code, or password if required for an individual to obtain credit, withdraw funds, or engage in financial transactions.</text>
 </subparagraph><subparagraph id="H67740094AB8C4FBC99A59807CA4415E1"><enum>(C)</enum><text>A unique electronic account identifier, including an online user name or e-mail address, in combination with any security code, access code, password, or security question and answer, if required for an individual to obtain money, goods, services, access to digital photographs, digital videos or electronic communications, or any other thing of value.</text>
 </subparagraph><subparagraph id="HB0C2A04F06DD48B582D60082865A385A"><enum>(D)</enum><text>Unique biometric data, such as faceprint, fingerprint, voice print, a retina or iris image, or any other unique physical representation.</text>
 </subparagraph><subparagraph id="H9BFC079BE7AD4BE79196C6E751BDD13E"><enum>(E)</enum><text>An individual's first and last name or first initial and last name in combination with any information that relates to the individual’s past, present, or future physical or mental health or condition, or to the provision of health care to or diagnosis of the individual, including health insurance information such as a health insurance policy number or subscriber identification number, or any information in an individual’s health insurance application and claims history.</text>
 </subparagraph><subparagraph id="HCA4491E402E44A4B93E1EA0E6DC40BE6"><enum>(F)</enum><text>Information about an individual’s geographic location generated by or derived from the operation or use of an electronic communications device that is sufficient to identify the street and name of the city or town in which the device is located, excluding telephone numbers or network or internet protocol addresses.</text>
 </subparagraph><subparagraph id="H7ED33BD999C94BFCBD866DC8209FA21B"><enum>(G)</enum><text>Password-protected digital photographs and digital videos not otherwise available to the public.</text> </subparagraph></paragraph><paragraph id="H5490A27DE8784206A26E4D494335FF06"><enum>(11)</enum><header>Service provider</header><text>The term <term>service provider</term> means a business entity that provides electronic data transmission, routing, intermediate and transient storage, or connections to its system or network, where the business entity providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and the business entity transmits, routes, or provides connections for sensitive personally identifiable information in a manner that sensitive personally identifiable information is undifferentiated from other types of data that such business entity transmits, routes, or provides connections. Any such business entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage or connections.</text>
			</paragraph></section><title id="HBC9C5D2E17CA4129BEE578CC1913A715"><enum>I</enum><header>Punishment for concealment of security breaches and tools to combat cybercrime</header>
			<section id="H1E10914409F347FDAB89C91EE8EFCF56"><enum>101.</enum><header>Concealment of security breaches involving sensitive personally identifiable information</header>
 <subsection id="H2292CAC95E4A49DB8C63976A49C9546E"><enum>(a)</enum><header>In general</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/18/47">Chapter 47</external-xref> of title 18, United States Code, is amended by adding at the end the following:</text> <quoted-block display-inline="no-display-inline" id="HC16F15968CCB483886F9D221E360BAFF" style="USC"> <section id="HE9FD77E993FD49E1B158D759660D802E"><enum>1041.</enum><header>Concealment of security breaches involving sensitive personally identifiable information</header> <subsection id="H25308A14CF484192916D94FD1F3BA0AA"><enum>(a)</enum><header>In general</header><text>Whoever, having knowledge of a security breach and of the fact that notice of such security breach is required under title II of the <short-title>Consumer Privacy Protection Act of 2017</short-title>, intentionally and willfully conceals the fact of such security breach, shall, in the event that such security breach results in economic harm to any individual in the amount of $1,000 or more, be fined under this title or imprisoned for not more than 5 years, or both.</text>
 </subsection><subsection id="HE03B7530FFC24FA9AA431BF98873A8B0"><enum>(b)</enum><header>Person defined</header><text>For purposes of subsection (a), the term <term>person</term> has the meaning given the term in section 1030(e)(12).</text></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block> </subsection><subsection id="H8A968AB317BB4DCD94326F9F08EE8947"><enum>(b)</enum><header>Conforming and technical amendments</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/18/47">chapter 47</external-xref> of title 18, United States Code, is amended by adding at the end the following:</text>
					<quoted-block id="H49A50446B2F9455AA5CA3735BCCE85B5" style="USC">
						<toc>
							<toc-entry idref="HE9FD77E993FD49E1B158D759660D802E" level="section">1041. Concealment of security breaches involving sensitive personally identifiable information.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block>
				</subsection><subsection id="H98335FF01443444EA607D03BF482EDBC"><enum>(c)</enum><header>Enforcement authority</header>
 <paragraph id="HC333F54D57664F1397B85088C65AB41C"><enum>(1)</enum><header>In general</header><text>The United States Secret Service and Federal Bureau of Investigation shall have the authority to investigate offenses under section 1041 of title 18, United States Code, as added by subsection (a).</text>
 </paragraph><paragraph id="HB19E9B05047A4129AD426A0D6A1A4853"><enum>(2)</enum><header>Nonexclusivity</header><text>The authority granted in paragraph (1) shall not be exclusive of any existing authority held by any other Federal agency.</text>
 </paragraph></subsection></section><section id="H581579923CA545E1BF72925216135758"><enum>102.</enum><header>Reporting of certain cybercrimes</header><text display-inline="no-display-inline">Section 1030 of title 18, United States Code, is amended by striking subsection (h) and inserting the following:</text>
				<quoted-block display-inline="no-display-inline" id="H132D75BB9F9345D6AF65062B45362DD1" style="OLC">
 <subsection id="HE594643248254E5893B00025943ACAF0"><enum>(h)</enum><header>Reporting certain criminal cases</header><text>Not later than 1 year after the date of the enactment of this subsection, and annually thereafter, the Attorney General shall report to the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives the number of criminal cases brought under subsection (a) that involve conduct in which—</text>
 <paragraph id="H425CAFE5255F4A7CAA3A8047E49E90D3"><enum>(1)</enum><text>the defendant—</text> <subparagraph id="H0D943958A95042E2BB53E13180C88AF5"><enum>(A)</enum><text>exceeded authorized access to a nongovernmental computer; or</text>
 </subparagraph><subparagraph id="HB505AF8F186D4DEE90755A4A473EA06B"><enum>(B)</enum><text>accessed a nongovernmental computer without authorization; and</text> </subparagraph></paragraph><paragraph id="H901B31FE04004881B93578CF13F46DD1"><enum>(2)</enum><text>the sole basis for the Government determining that access to the nongovernmental computer was unauthorized, or in excess of authorization, was that the defendant violated a contractual obligation or agreement with a service provider or employer, such as an acceptable use policy or terms of service agreement.</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block>
			</section><section id="H375FC28FF6534E6B91E69FA084670917"><enum>103.</enum><header>Authority to shut down botnets</header>
 <subsection id="HA9B3ABF46D2643CC98B9A52BCC71A83F"><enum>(a)</enum><header>Amendment</header><text display-inline="yes-display-inline">Section 1345 of title 18, United States Code, is amended—</text> <paragraph id="H06EAE25EBE3E47C786BD5F873A33329E"><enum>(1)</enum><text>in the heading, by inserting <quote><header-in-text level="section" style="USC">and abuse</header-in-text></quote> after <quote><header-in-text level="section" style="USC">fraud</header-in-text></quote>;</text>
 </paragraph><paragraph id="H4F78CF7263264616A7D5386DA4310D80"><enum>(2)</enum><text>in subsection (a)—</text> <subparagraph id="HB96CCF1561984ED1974BF1D3F245452A"><enum>(A)</enum><text>in paragraph (1)—</text>
 <clause id="H3BA578AE5A6E4D39B36A2EE8D3CD08CA"><enum>(i)</enum><text>in subparagraph (B), by striking <quote>or</quote> at the end;</text> </clause><clause id="H6C27C5B8518C484EA18D8BE0275B61E1"><enum>(ii)</enum><text>in subparagraph (C), by inserting <quote>or</quote> after the semicolon; and</text>
 </clause><clause id="HF67332994DE34C50941543C081596813"><enum>(iii)</enum><text>by inserting after subparagraph (C) the following:</text> <quoted-block display-inline="no-display-inline" id="H2F77143D83284526A572B5D2C4489BF2" style="OLC"> <subparagraph id="HCE9C7150A5944B5AAEFCB2627481DEDD" indent="up1"><enum>(D)</enum><text>violating section 1030(a)(5) where such conduct would damage (as defined in section 1030), 100 or more protected computers (as defined in section 1030) during any 1-year period, including by denying access to or operation of the computers, installing unwanted software on the computers, using the computers without authorization, or obtaining information from the computers without authorization;</text></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block>
 </clause></subparagraph><subparagraph id="HB8B1ADCFE9A049788AE2457DA5D56660"><enum>(B)</enum><text>in paragraph (2), by inserting <quote>, a violation of section 1030(a)(5) as described in subsection (a)(1)(D),</quote> before <quote>or a Federal</quote>;</text> </subparagraph></paragraph><paragraph id="HA74CC13B500342BE87C14FEC8E5B8D79"><enum>(3)</enum><text>in subsection (b), by adding <quote>, except in the case of a person violating section 1030(a)(5) in the manner described in subsection (a)(1)(D),</quote> before <quote>take such other action</quote>; and</text>
 </paragraph><paragraph id="HB96C6EB1485A4497AE7F8C1A64D9F97E"><enum>(4)</enum><text>by adding at the end the following:</text> <quoted-block display-inline="no-display-inline" id="H5A94A130430344DAB38D368E0122B241" style="OLC"> <subsection id="H357969F2F25940D0BCEB5BE62E158412"><enum>(c)</enum><text>A restraining order or prohibition described in subsection (b), if issued in circumstances described in subsection (a)(1)(D)—</text>
 <paragraph id="H0F9684510BC4446194D49328A8E39B6E"><enum>(1)</enum><text>may only authorize action that solely affects persons violating section 1030 in the manner described in subsection (a)(1)(D); and</text>
 </paragraph><paragraph id="HDA81026E11A84F9AB8423DD165069011"><enum>(2)</enum><text>may, upon application of the Attorney General—</text> <subparagraph id="H042A398AFAFC4A38A0036E06B0FBBA47"><enum>(A)</enum><text>specify that no cause of action shall lie in any court against a person for complying with the restraining order, prohibition, or other action; and</text>
 </subparagraph><subparagraph id="H13497B3516704A0A9C1652FAA3BCB2BC"><enum>(B)</enum><text>provide that the United States shall pay to such person a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in complying with the restraining order, prohibition, or other action.</text>
 </subparagraph></paragraph></subsection><subsection id="H5FE8FEEFD6444DAA91683D738FB131DA"><enum>(d)</enum><text>There are authorized to be appropriated to the Department of Justice, the Department of Homeland Security, and the Department of the Treasury such sums as are necessary to implement this section, including payments made by the United States of a fee for reimbursement.</text></subsection><after-quoted-block>.</after-quoted-block></quoted-block>
 </paragraph></subsection><subsection id="HA396A09A9C984E2FAFC0B0E4B9FF8BF1"><enum>(b)</enum><header>Technical and conforming amendment</header><text>The table of sections for chapter 63 is amended by striking the item relating to section 1345 and inserting the following:</text>
					<quoted-block display-inline="no-display-inline" id="H5195909E1A7C45358FC238ECCB0FBB0B" style="OLC">
						<toc>
							<toc-entry bold="off" level="section">1345. Injunctions against fraud and abuse.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block>
 </subsection></section><section id="H2C7876F1E88D472587AF5D65F9305612"><enum>104.</enum><header>Deterring the development and sale of computer and cell phone spying devices</header><text display-inline="no-display-inline">Section 1956(c)(7)(D) of title 18, United States Code, is amended by inserting <quote>section 2512 (relating to the manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices),</quote> before <quote>section 46502</quote>.</text>
			</section></title><title id="HFCE96BA195B94BA99082CD59B83235D1"><enum>II</enum><header>Consumer privacy and security of sensitive personally identifiable information</header>
			<subtitle id="H445447CD5C5C4E9CBF2528992A8A5FD2"><enum>A</enum><header>Consumer privacy and data security program</header>
				<section id="H9F41D5AEEBDF432E83E9FB0DC4735161"><enum>201.</enum><header>Purpose and applicability of consumer privacy and data security program</header>
 <subsection id="H75A7CC743C0E4548AC80B08775D524DD"><enum>(a)</enum><header>Purpose</header><text>The purpose of this subtitle is to ensure standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personally identifiable information.</text>
 </subsection><subsection id="HD9084CA783AD4DA78B147551763C9257"><enum>(b)</enum><header>Applicability</header><text>A covered entity engaging in interstate commerce that collects, uses, accesses, transmits, stores, or disposes of sensitive personally identifiable information in electronic or digital form of not less than 10,000 United States persons during any 12-month period is subject to the requirements for a consumer privacy and data security program for protecting sensitive personally identifiable information.</text>
 </subsection><subsection id="H6A7B8BB9996747E694E4D292F6976F7B"><enum>(c)</enum><header>Limitations</header><text>Notwithstanding any other obligation under this subtitle, this subtitle does not apply to the following:</text>
 <paragraph id="H41E79EF85AE94228A26ED7C4618A5CAB"><enum>(1)</enum><header>Financial institutions</header><text>Financial institutions—</text> <subparagraph id="H3929408C86BA4C1CBD1869A3F0CC2D28"><enum>(A)</enum><text>subject to and in compliance with the data security requirements and standards under section 501(b) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801(b)</external-xref>); and</text>
 </subparagraph><subparagraph id="HF2BD99FDB5234F5F900AFB1AA8CF6862"><enum>(B)</enum><text>subject to the jurisdiction of an agency or authority described in section 505(a) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6805">15 U.S.C. 6805(a)</external-xref>).</text>
 </subparagraph></paragraph><paragraph id="H0650D8B04EEE45D48E55F11A05CC2344"><enum>(2)</enum><header>HIPAA and HITECH regulated entities</header><text>An entity that is subject to and in compliance with the data security requirements of the following, with respect to data that is subject to such requirements:</text>
 <subparagraph id="H2189DBF1BA6240C1B198109EC43E7176"><enum>(A)</enum><text>Section 13401 of the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931</external-xref>).</text>
 </subparagraph><subparagraph id="HB586AA684D714F58975C303254779CBE"><enum>(B)</enum><text>Part 160 or 164 of title 45, Code of Federal Regulations (or any successor regulations).</text> </subparagraph><subparagraph id="HBEA85544FDB644BE9BC01B043209D1F9"><enum>(C)</enum><text>The regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2</external-xref> note).</text>
 </subparagraph><subparagraph id="H1DD337D232D447A3875FDCC5F97F6966"><enum>(D)</enum><text>In the case of a business associate, as defined in section 13400 of the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17921">42 U.S.C. 17921</external-xref>), the applicable privacy and data security requirements of part 1 of subtitle D of title XIII of division A of the American Reinvestment and Recovery Act of 2009 (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931</external-xref> et seq.).</text>
 </subparagraph></paragraph><paragraph id="HFB8AA7C0618B4866A7A0990F75EE8528"><enum>(3)</enum><header>Service providers</header><text>A service provider for any electronic communication by a third party, to the extent that the service provider is engaged solely in the transmission, routing, or temporary, intermediate, or transient storage of that communication.</text>
						</paragraph></subsection></section><section id="H69655C4B758F4204BC0FDBBF0AA11F79"><enum>202.</enum><header>Requirements for consumer privacy and data security program</header>
 <subsection id="H247EF16ED87E4AF69053F75AEDB18415"><enum>(a)</enum><header>Consumer privacy and data security program</header><text>A covered entity subject to this subtitle shall comply with the following safeguards and any other administrative, technical, or physical safeguards identified by the Federal Trade Commission in a rulemaking process pursuant to section 553 of title 5, United States Code, for the protection of sensitive personally identifiable information:</text>
 <paragraph id="H26C5A4F3BFEC4DBAB3564977BE826714"><enum>(1)</enum><header>Scope</header><text>A covered entity shall implement a comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity.</text>
 </paragraph><paragraph id="HD4E34C154A9342A7A20873B5BDCAA210"><enum>(2)</enum><header>Design</header><text>The consumer privacy and data security program shall be designed to—</text> <subparagraph id="H887DAD81E6E3420DBA07236148F33399"><enum>(A)</enum><text>ensure the privacy and security of sensitive personally identifying information;</text>
 </subparagraph><subparagraph id="H0930DF0BFFFE49AF81D68FC773852675"><enum>(B)</enum><text>protect against any anticipated vulnerabilities to the privacy and security of sensitive personally identifying information; and</text>
 </subparagraph><subparagraph id="H075312407F5E4E1FB41DB75535B14101"><enum>(C)</enum><text>protect against unauthorized access, acquisition, disclosure, or use of sensitive personally identifying information.</text>
 </subparagraph></paragraph><paragraph id="H5927376ADC1342A0B9C3A04F333E0F41"><enum>(3)</enum><header>Risk assessment</header><text>A covered entity shall—</text> <subparagraph id="H951BEB2B8F14408598A9B0AA8C985DF1"><enum>(A)</enum><text>identify reasonably foreseeable internal and external vulnerabilities and internal and external threats that could result in unauthorized access, disclosure, or use of sensitive personally identifiable information or of systems containing sensitive personally identifiable information;</text>
 </subparagraph><subparagraph id="H4076D3BCD4E343DF8655A5317DABA69D"><enum>(B)</enum><text>assess the likelihood of and potential damage from unauthorized access, acquisition, disclosure, or use of sensitive personally identifiable information;</text>
 </subparagraph><subparagraph id="H237474831F644A74BB7CAF6865384110"><enum>(C)</enum><text>assess the sufficiency of its technical, physical, and administrative controls in place to control and minimize risks from unauthorized access, acquisition, disclosure, or use of sensitive personally identifiable information; and</text>
 </subparagraph><subparagraph id="H7CD36A82B9EE48818064D3530D608142"><enum>(D)</enum><text>assess the vulnerability of sensitive personally identifiable information during destruction and disposal of such information, including through the disposal or retirement of hardware.</text>
 </subparagraph></paragraph><paragraph id="HFB37A7ED031747F38A1D0D55850A8CEF"><enum>(4)</enum><header>Risk management and control</header><text>Each covered entity shall—</text> <subparagraph id="HF6CEA6D542B349B59F1B0BA8840C61CF"><enum>(A)</enum><text>design its consumer privacy and data security program to control the risks identified under paragraph (3);</text>
 </subparagraph><subparagraph id="HCC6BBF80066A497F88C5C639BC274235"><enum>(B)</enum><text>adopt measures commensurate with the sensitivity of the data as well as the size, complexity, nature, and scope of the activities of the covered entity that—</text>
 <clause id="H0860D6B5FB4948FCA05D189822A11AEA"><enum>(i)</enum><text>control access to sensitive personally identifiable information, including controls to authenticate and permit access only to authorized individuals;</text>
 </clause><clause id="HD2D9BA0D3D78463EB7EE1CDA626C4E89"><enum>(ii)</enum><text>detect, record, and preserve information relevant to actual and attempted fraudulent, unlawful, or unauthorized access, acquisition, disclosure, or use of sensitive personally identifiable information, including by employees and other individuals otherwise authorized to have access;</text>
 </clause><clause id="H4F883613EC3F4CA3A541EE14C9D0A804"><enum>(iii)</enum><text>protect sensitive personally identifiable information during use, transmission, storage, and disposal by encryption, redaction, disclosure limitation methodologies, or access controls, that are widely accepted as an effective industry practice or industry standard, or other reasonable means;</text>
 </clause><clause id="H2A6549AF7F194F458B02FB8B26AF2E59"><enum>(iv)</enum><text>ensure that sensitive personally identifiable information is properly destroyed and disposed of, including during the destruction of computers and other electronic media that contain sensitive personally identifiable information; and</text>
 </clause><clause id="HCD050E6E48C244EB86DCFD63CF0C798E"><enum>(v)</enum><text>ensure that no third party is authorized to access or acquire sensitive personally identifiable information in its possession without the covered entity first performing sufficient due diligence to ascertain, with reasonable certainty, that such information is being sought for a valid legal purpose; and</text>
 </clause></subparagraph><subparagraph id="H2209AD01B0D545C2BC78E9A8EC2DD434"><enum>(C)</enum><text>establish a plan and procedures for minimizing the amount of sensitive personally identifiable information maintained by the covered entity, which shall provide for the retention of sensitive personally identifiable information only as reasonably needed for the business purposes of such business entity or as necessary to comply with any legal obligation.</text>
 </subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="HE1EE34B92AC545DE84DEB88C2FFA2A2E"><enum>(5)</enum><header display-inline="yes-display-inline">Limitation</header><text display-inline="yes-display-inline">Nothing in this subsection shall be construed to permit, and nothing does permit, the Federal Trade Commission to issue regulations requiring, or according greater legal status to, the implementation of or application of a specific technology or technological specifications for meeting the requirements of this title.</text>
 </paragraph></subsection><subsection id="H529F0C7ACE05482CB0879791D559AC73"><enum>(b)</enum><header>Training</header><text>Covered entities subject to this subtitle shall take steps to ensure employee training and supervision for implementation of the consumer privacy and data security program of the covered entity.</text>
					</subsection><subsection id="HDFC0D21833574C05BF1549F465E708A5"><enum>(c)</enum><header>Vulnerability testing</header>
 <paragraph id="HB906D56ACB47410C87EE256174FEF9AB"><enum>(1)</enum><header>In general</header><text>Covered entities subject to this subtitle shall take steps to ensure regular testing of key technical, physical, and administrative controls for information and information systems of the consumer privacy and data security program to detect, prevent, and respond to attacks or intrusions, or other system failures.</text>
 </paragraph><paragraph id="H832423943F9D42558E14300229B8741A"><enum>(2)</enum><header>Frequency</header><text>The frequency and nature of the tests required under paragraph (1) shall be determined by the risk assessment of the covered entity under subsection (a)(3).</text>
 </paragraph></subsection><subsection id="H2D65891FF7EB4A5CA45AAD1D8A9B29B2"><enum>(d)</enum><header>Relationship to certain providers of services</header><text>In the event a covered entity subject to this subtitle engages a person or entity not subject to this subtitle (other than a service provider) to receive sensitive personally identifiable information in performing services or functions (other than the services or functions provided by a service provider) on behalf of and under the instruction of such covered entity, the covered entity shall—</text>
 <paragraph id="HD2E256DB150442E4ABAA2B8964A2CBF2"><enum>(1)</enum><text>exercise appropriate due diligence in selecting the person or entity for responsibilities related to sensitive personally identifiable information, and take reasonable steps to select and retain a person or entity that is capable of maintaining appropriate controls for the privacy and security of the sensitive personally identifiable information at issue; and</text>
 </paragraph><paragraph id="HC382FE7D36414417A79820C40C633AE9"><enum>(2)</enum><text>require the person or entity by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing subtitle A.</text>
 </paragraph></subsection><subsection id="HC6F341DA47AD4D49BE26FF931E960C0C"><enum>(e)</enum><header>Periodic assessment and consumer privacy and data security modernization</header><text>Each covered entity subject to this subtitle shall on a regular basis monitor, evaluate, and adjust, as appropriate, its consumer privacy and data security program in light of any relevant changes in—</text>
 <paragraph id="HEC604BD57A3C45AFA329E6EB8F9366B4"><enum>(1)</enum><text>technology;</text> </paragraph><paragraph id="H7A737B0B85C34F328E54D96C4605A347"><enum>(2)</enum><text>internal or external threats and vulnerabilities to sensitive personally identifiable information; and</text>
 </paragraph><paragraph id="HE5492A6E2E1543EFA580CE51EB318EC4"><enum>(3)</enum><text>the changing business arrangements of the covered entity, such as—</text> <subparagraph id="HD06A5703173B431CB33BDC3E96B502D6"><enum>(A)</enum><text>mergers and acquisitions;</text>
 </subparagraph><subparagraph id="H06D9544112F6481FB5DB703679370A3C"><enum>(B)</enum><text>alliances and joint ventures;</text> </subparagraph><subparagraph id="HDD21557440D54DA497FDF362971881B2"><enum>(C)</enum><text>outsourcing arrangements;</text>
 </subparagraph><subparagraph id="H2DE49E0F7FAB4A128960616F4D90C03B"><enum>(D)</enum><text>bankruptcy; and</text> </subparagraph><subparagraph id="H8B8276843A90489CAB348EC64A4155E9"><enum>(E)</enum><text>changes to sensitive personally identifiable information systems.</text>
 </subparagraph></paragraph></subsection><subsection id="HB3DAC010752C44B9A03985718B537AED"><enum>(f)</enum><header>Implementation timeline</header><text>Not later than 1 year after the date of enactment of this Act, a covered entity subject to the provisions of this subtitle shall implement a consumer privacy and data security program pursuant to this subtitle.</text>
					</subsection></section><section id="H1135C861466F461684EB42139D16FFFA"><enum>203.</enum><header>Federal enforcement</header>
 <subsection id="HA8652B3B5FEE476EB0A8D0810E8071D8"><enum>(a)</enum><header>In general</header><text>The Attorney General and the Federal Trade Commission may enforce civil violations of section 201 or 202.</text>
					</subsection><subsection id="H5EF3801C3AC244518F05D0D343324FA2"><enum>(b)</enum><header>Civil actions by the Attorney General of the United States</header>
 <paragraph id="H1261151321024EA2BC14FAA214E6D275"><enum>(1)</enum><header>In general</header><text>The Attorney General may bring a civil action in the appropriate United States district court against any covered entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such covered entity shall be subject to a civil penalty in an amount that is not greater than the product of the number of individuals whose sensitive personally identifiable information was placed at risk as a result of the violation and $16,500.</text>
 </paragraph><paragraph id="HC3D3C9C78DA94C76A8F65DEBC4B681E3"><enum>(2)</enum><header>Penalty limitation</header><text>Notwithstanding any other provision of law, the total amount of the civil penalty assessed against a covered entity for conduct involving the same or related acts or omissions that results in a violation of this subtitle may not exceed $5,000,000, unless such conduct is found to be willful or intentional.</text>
 </paragraph><paragraph id="HD53F91DE5BA24FDFBB08678D51B451B9"><enum>(3)</enum><header>Determinations</header><text>The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact.</text>
 </paragraph><paragraph id="HF9C82BC8CCC64CD89D9A4C66DE54AD6C"><enum>(4)</enum><header>Additional penalty limit</header><text>If a court determines under paragraph (3) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $5,000,000.</text>
						</paragraph></subsection><subsection id="HA40C4F95C8FB4DD6927D66D45709381B"><enum>(c)</enum><header>Injunctive actions by the Attorney General</header>
 <paragraph id="H2DC11B5DC3D247298A52C38B42846190"><enum>(1)</enum><header>In general</header><text>If it appears that a covered entity has engaged, or is engaged, in any act or practice constituting a violation of this subtitle, the Attorney General may petition an appropriate district court of the United States for an order—</text>
 <subparagraph id="HA08D214CB2144083AAC7504479453DD7"><enum>(A)</enum><text>enjoining such act or practice; or</text> </subparagraph><subparagraph id="H4A4DE06A8A93451DAACE57A09A656233"><enum>(B)</enum><text>enforcing compliance with this subtitle.</text>
 </subparagraph></paragraph><paragraph id="H9E2606958DD545FD86F34C54E8F3DDBE"><enum>(2)</enum><header>Issuance of order</header><text>A court may issue an order under paragraph (1), if the court finds that the conduct in question constitutes a violation of this subtitle.</text>
						</paragraph></subsection><subsection id="H7735F7F0B8574E988BD6C65BB260FA9F"><enum>(d)</enum><header>Civil actions by the Federal Trade Commission</header>
 <paragraph id="H615BDB4E0F9A467B86CF2E7FFE734D87"><enum>(1)</enum><header>In general</header><text>Compliance with the requirements imposed under this subtitle may be enforced under the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41</external-xref> et seq.) by the Federal Trade Commission with respect to business entities subject to this Act. All of the functions and powers of the Federal Trade Commission under the Federal Trade Commission Act are available to the Commission to enforce compliance by any person with the requirements imposed under this title.</text>
						</paragraph><paragraph id="HC7C90BD6EDEE45139C9560FCDD3F32DE"><enum>(2)</enum><header>Civil penalties</header>
 <subparagraph id="H57CD3258044B426C8FF80B9C5D6F3688"><enum>(A)</enum><header>In general</header><text>Any covered entity that violates the provisions of this subtitle shall be subject to a civil penalty in the amount that is not greater than the product of the number of individuals whose sensitive personally identifiable information was placed at risk as a result of the violation and $16,500.</text>
 </subparagraph><subparagraph id="H2C563F7BA77E45C2B0865663D52689B2"><enum>(B)</enum><header>Penalty limitation</header><text>Notwithstanding any other provision of law, the total amount of the civil penalty assessed against a covered entity for conduct involving the same or related acts or omissions that results in a violation of this subtitle may not exceed $5,000,000, unless such conduct is found to be willful or intentional.</text>
 </subparagraph><subparagraph id="H785FCA009725484783204F7841303695"><enum>(C)</enum><header>Determinations</header><text>The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact.</text>
 </subparagraph><subparagraph id="H0C56504C783B497A9ADE6A4A86618E51"><enum>(D)</enum><header>Additional penalty limit</header><text>If a court determines under subparagraph (C) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $5,000,000.</text>
 </subparagraph></paragraph><paragraph id="H43B50FE5226147E69F1C53C83C995B05"><enum>(3)</enum><header>Unfair or deceptive acts or practices</header><text>For the purpose of the exercise by the Federal Trade Commission of its functions and powers under the Federal Trade Commission Act, a violation of any requirement or prohibition imposed under this title shall constitute an unfair or deceptive act or practice in commerce in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>) regarding unfair or deceptive acts or practices and shall be subject to enforcement by the Federal Trade Commission under that Act with respect to any business entity, irrespective of whether that business entity is engaged in commerce or meets any other jurisdictional tests in the Federal Trade Commission Act.</text>
						</paragraph></subsection><subsection id="HE767FAA5C97940B68935058F85441624"><enum>(e)</enum><header>Coordination of enforcement</header>
 <paragraph id="H12CC84CE78C24ACC9DDFA39260970ABD"><enum>(1)</enum><header>In general</header><text>When opening an investigation, the Federal Trade Commission shall consult with the Attorney General.</text>
 </paragraph><paragraph id="H52B8DBE8FA3C4337B32A050545CF62AC"><enum>(2)</enum><header>Limitation</header><text>The Federal Trade Commission may initiate investigations under this subsection unless the Attorney General determines that such an investigation would impede an ongoing criminal investigation or national security activity.</text>
						</paragraph><paragraph id="H5FCFA7731B68462AA92BA5307646178F"><enum>(3)</enum><header>Coordination agreement</header>
 <subparagraph id="H6397B875680E4252959E16231DCABE35"><enum>(A)</enum><header>In general</header><text>In order to avoid conflicts and promote consistency regarding the enforcement and litigation of matters under this Act, not later than 180 days after the date of enactment of this Act, the Attorney General and the Federal Trade Commission shall enter into an agreement for coordination regarding the enforcement of this Act.</text>
 </subparagraph><subparagraph id="H8F66072F8C4443678F397EA7FA2551DB"><enum>(B)</enum><header>Requirement</header><text>The coordination agreement entered into under subparagraph (A) shall include provisions to ensure that parallel investigations and proceedings under this section are conducted in a manner that avoids conflicts and does not impede the ability of the Attorney General to prosecute violations of Federal criminal laws.</text>
 </subparagraph></paragraph></subsection><subsection id="H49254355EF3843D6B369D6AB27C02865"><enum>(f)</enum><header>Other rights and remedies</header><text>The rights and remedies available under this section are cumulative and shall not affect any other rights and remedies available under law.</text>
					</subsection></section><section id="H7EF1FD4EFF044061B3894A5FD351924C"><enum>204.</enum><header>Enforcement by State attorneys general</header>
					<subsection id="HD6CA3F3AAF1B440B92A966BB70692F6D"><enum>(a)</enum><header>State enforcement</header>
 <paragraph id="HF4222283EBAE4357B1D79D362C3AEE35"><enum>(1)</enum><header>Civil actions</header><text>In any case in which the attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that a covered entity has violated section 201 or 202, the State, as parens patriae, may bring a civil action on behalf of the residents of that State to—</text>
 <subparagraph id="H7B40685C586D413FB47308C421116FF2"><enum>(A)</enum><text>enjoin that act or practice;</text> </subparagraph><subparagraph id="HADA0A7B89E8D46119650338105EA6F9D"><enum>(B)</enum><text>enforce compliance with section 201 or 202; or</text>
 </subparagraph><subparagraph commented="no" id="H8954EA71E6994DE1A48256FB914E4CC8"><enum>(C)</enum><text>impose a civil penalty in an amount that is not greater than the product of the number of individuals whose sensitive personally identifiable information was placed at risk as a result of the violation and $16,500.</text>
							</subparagraph></paragraph><paragraph id="HDCD5CED618CA4BDDB99E44BD693C0190"><enum>(2)</enum><header>Penalty limitation</header>
 <subparagraph id="HFC369992541043428B46292934EA5117"><enum>(A)</enum><header>In general</header><text>Notwithstanding any other provision of law, the total sum of civil penalties assessed against a covered entity for all violations of the provisions of this subtitle resulting from the same or related acts or omissions may not exceed $5,000,000, unless such conduct is found to be willful or intentional.</text>
 </subparagraph><subparagraph id="H508AB9020F0844C1BB45D39548BCD8D4"><enum>(B)</enum><header>Determinations</header><text>The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact.</text>
 </subparagraph><subparagraph id="H1C31E9035987400883E6152923CD4220"><enum>(C)</enum><header>Additional penalty limit</header><text>If a court determines under subparagraph (B) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $5,000,000.</text>
							</subparagraph></paragraph><paragraph id="HD699937C45794A3B977756C9CC78E2B0"><enum>(3)</enum><header>Notice</header>
 <subparagraph id="H0EB9E8C7A1184E4D8C0C283FA0506FED"><enum>(A)</enum><header>In general</header><text>Before filing an action under this subsection, the attorney general of the State involved shall provide to the Attorney General of the United States and the Federal Trade Commission—</text>
 <clause id="H56F28F05CB36429A88BFBCB40C686646"><enum>(i)</enum><text>a written notice of that action; and</text> </clause><clause id="HC7A438C9FF83467EB1E02E8260E5E64F"><enum>(ii)</enum><text>a copy of the complaint for that action.</text>
 </clause></subparagraph><subparagraph id="HC23F9FEE575C4D56850C39D6C0385CEF"><enum>(B)</enum><header>Exception</header><text>Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action.</text>
 </subparagraph><subparagraph id="H687DDDACFE5648C3980F6F879DD55EF1"><enum>(C)</enum><header>Notification when practicable</header><text>In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Attorney General of the United States and the Federal Trade Commission as soon after the filing of the complaint as practicable.</text>
 </subparagraph></paragraph><paragraph id="H9201AFD78D15482997A9767BA847C2FD"><enum>(4)</enum><header>Federal proceedings</header><text>Upon receiving notice under paragraph (2), the Attorney General of the United States and the Federal Trade Commission shall have the right to—</text>
 <subparagraph id="H40C94A5AC6174A1B84E13F03C6ABF76B"><enum>(A)</enum><text>move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in section 203;</text>
 </subparagraph><subparagraph id="H3B762A93CB3744E9AE7A4E8EF2D6BFC5"><enum>(B)</enum><text>initiate an action in the appropriate United States district court under section 203 and move to consolidate all pending actions, including State actions, in such court;</text>
 </subparagraph><subparagraph id="H30BD2CB706B44978BCCDCADA3F9E4FC3"><enum>(C)</enum><text>intervene in an action brought under paragraph (1); and</text> </subparagraph><subparagraph id="HE33CE27E1F45439B80AD04976B6291DA"><enum>(D)</enum><text>file petitions for appeal.</text>
 </subparagraph></paragraph><paragraph id="H37B1E9F950B54028A408022638F44714"><enum>(5)</enum><header>Pending proceedings</header><text>If the Attorney General of the United States or the Federal Trade Commission initiates a Federal civil action for a violation of this subtitle, or any regulations thereunder, no attorney general of a State may bring an action for a violation of this subtitle that resulted from the same or related acts or omissions against a defendant named in the Federal civil action initiated by the Attorney General of the United States or the Federal Trade Commission.</text>
 </paragraph><paragraph id="HFCDDA6BA772A4AA18983925A2EBE53E1"><enum>(6)</enum><header>Rule of construction</header><text>For purposes of bringing any civil action under paragraph (1) nothing in this subtitle shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—</text>
 <subparagraph id="HCAEAD0D1611F4B238C8CC43A7106F680"><enum>(A)</enum><text>conduct investigations;</text> </subparagraph><subparagraph id="H697C387E40154996A5C2E9A265ACA157"><enum>(B)</enum><text>administer oaths and affirmations; or</text>
 </subparagraph><subparagraph id="H8C698DF2CC844E9689BB9828EC377A04"><enum>(C)</enum><text>compel the attendance of witnesses or the production of documentary and other evidence.</text> </subparagraph></paragraph><paragraph id="HE57B4F0F754A4D37AB471BCD5FB82792"><enum>(7)</enum><header>Venue; service of process</header> <subparagraph id="HF6F498855E9D4ADD88670AFF99C986C2"><enum>(A)</enum><header>Venue</header><text>Any action brought under subsection (a) may be brought in—</text>
 <clause id="H553A042DEBFD424EAD2CDFB68624D458"><enum>(i)</enum><text>the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or</text>
 </clause><clause id="H527F745EDDED40C1802C9EEA916BA5A9"><enum>(ii)</enum><text>another court of competent jurisdiction.</text> </clause></subparagraph><subparagraph id="H73F70C734C0F456B9B1BDA3389A36BB5"><enum>(B)</enum><header>Service of process</header><text>In an action brought under subsection (a), process may be served in any district in which the defendant—</text>
 <clause id="H546FBDF226084D528E6707FD32E3573C"><enum>(i)</enum><text>is an inhabitant; or</text> </clause><clause id="HDDEFAD8130B74C3B990DB9ADC1464A54"><enum>(ii)</enum><text>may be found.</text>
 </clause></subparagraph></paragraph></subsection><subsection id="HAEABB7D8BBCA4FF78C5CF227189D0572"><enum>(b)</enum><header>No private cause of action</header><text>Nothing in this subtitle establishes a private cause of action against a business entity for violation of any provision of this subtitle.</text>
					</subsection></section><section id="HBBFD44C1BFED4C4E9C529F7900D085DD"><enum>205.</enum><header>Relation to other laws</header>
 <subsection commented="no" id="H017ED36C3B4C4411A3B5ADA74DF7D961"><enum>(a)</enum><header>Preemption</header><text>For any covered entity that is subject to this subtitle, the provisions of this subtitle shall supersede any other provision of Federal law, or any provisions of the law of any State or political subdivision of a State requiring data security practices that are less stringent than the requirements of this subtitle.</text>
 </subsection><subsection id="H858B1EA6F4944756A2F5F9A1932B9807"><enum>(b)</enum><header>Consumer protection laws</header><text>Except as provided in subsection (a), this section shall not be construed to limit the enforcement of any State consumer protection law by an attorney general of a State.</text>
 </subsection><subsection id="HF6A593B2BEE6406184EC3C071DB572AA"><enum>(c)</enum><header>Protection of certain State laws</header><text>Nothing in this Act shall be construed to preempt the applicability of—</text> <paragraph id="H5E3E2244D74047F3A8A34C879D677FA5"><enum>(1)</enum><text>State trespass, contract, or tort law; or</text>
 </paragraph><paragraph id="HEB18503610A04CD6B12B5082C090996B"><enum>(2)</enum><text>any other State law to the extent that the law relates to acts of fraud.</text> </paragraph></subsection><subsection id="HAFE74F3FB0D24765A05D2A0C1CE8610B"><enum>(d)</enum><header>Preservation of FTC authority</header><text>Nothing in this Act may be construed in any way to limit the authority of the Federal Trade Commission under any other provision of law.</text>
					</subsection></section></subtitle><subtitle id="H3BD8C7CAD5204870BB730E01AFAAC241"><enum>B</enum><header>Security breach notification</header>
				<section id="H07D3D2B2003F47848FB8AE90D88105BF"><enum>211.</enum><header>Notice to individuals</header>
 <subsection id="HB9763A339D44421F815364E2A7889910"><enum>(a)</enum><header>In general</header><text>Except as provided in section 212, a covered entity shall, following the discovery of a security breach of such information, notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.</text>
					</subsection><subsection id="HE2A12A55F83645339BAFB1148F9AD51C"><enum>(b)</enum><header>Obligation of third-party entities</header>
 <paragraph id="H269DA63E52E7478F81C19492CE448656"><enum>(1)</enum><header>In general</header><text>In the event of a breach of security of a system maintained by a third-party entity that has been contracted to maintain or process data in electronic form containing sensitive personally identifiable information on behalf of a covered entity who owns or possesses such data, the third-party entity shall notify the covered entity of the breach of security. Upon receiving notification from the third-party entity, such covered entity shall provide the notification required under subsection (a).</text>
 </paragraph><paragraph id="HC626EB38F78642A5BAAFABD0DDC82B2C"><enum>(2)</enum><header>Notice by third-party entities</header><text>Nothing in this subtitle shall prevent or abrogate an agreement between a covered entity required to give notice under this section and a third-party entity that has been contracted to maintain or process data in electronic form containing sensitive personally identifiable information for a covered entity, to provide the notifications required under subsection (a).</text>
 </paragraph><paragraph id="H623840C8E305414EA32CA5CB738BBA59"><enum>(3)</enum><header>Service providers</header><text>If a service provider becomes aware of a security breach containing sensitive personally identifiable information that is owned or possessed by a covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall be required to promptly notify the covered entity who initiated such connection, transmission, routing, or storage of the security breach if the covered entity can be reasonably identified. Upon receiving such notification from a service provider, the covered entity shall be required to provide the notification required under subsection (a).</text>
						</paragraph></subsection><subsection id="HA5E82DAA34AA4FCC8748689DAEE4F900"><enum>(c)</enum><header>Timeliness of notification</header>
 <paragraph id="H6B9C5E73A8324E58A2EB92074D7EDAB2"><enum>(1)</enum><header>In general</header><text>All notifications required under this section shall be made as expediently as possible and without unreasonable delay following the discovery by the covered entity of a security breach.</text>
 </paragraph><paragraph id="H516B5564470D4EF6B023552271E5AA03"><enum>(2)</enum><header>Reasonable delay</header><text>Reasonable delay under this subsection may include any reasonable time necessary to determine the scope of the security breach, prevent further disclosures, and provide notice to law enforcement when required. Except as provided in subsection (d), delay of notification shall not exceed 30 days following the discovery of a security breach.</text>
 </paragraph><paragraph id="H37FA31F306B64B5892E8D13ED74EFE88"><enum>(3)</enum><header>Burden of production</header><text>The covered entity required to provide notice under this subtitle shall, upon the request of the Attorney General of the United States or the Federal Trade Commission, provide records or other evidence of the notifications required under this subtitle, including to the extent applicable, the reasons for any delay of notification.</text>
						</paragraph></subsection><subsection id="H92FA35E283B944168C9FE38AD4741A86"><enum>(d)</enum><header>Delay of notification authorized for law enforcement or national security purposes</header>
 <paragraph id="H301CD7BDF25D46A0A322F34E03684FC8"><enum>(1)</enum><header>In general</header><text>If a Federal law enforcement agency or intelligence agency determines that the notification required under this section would impede a criminal investigation, or national security activity, such notification shall be delayed upon written notice from a Federal law enforcement agency or intelligence agency to the covered entity that experienced the security breach. The notification from a Federal law enforcement agency or intelligence agency shall specify in writing the period of delay requested for law enforcement or national security purposes.</text>
 </paragraph><paragraph id="H3298EB063F324E95A513CDECFCEDB992"><enum>(2)</enum><header>Extended delay of notification</header><text>If the notification required under subsection (a) is delayed pursuant to paragraph (1), a covered entity shall give notice 15 days after the day such law enforcement or national security delay was invoked unless a Federal law enforcement or intelligence agency provides written notification that further delay is necessary.</text>
 </paragraph><paragraph id="H8D901119E700466185C47342D5F9D047"><enum>(3)</enum><header>Law enforcement immunity</header><text>No nonconstitutional cause of action shall lie in any court against any agency for acts relating to the delay of notification for law enforcement or national security purposes under this subtitle.</text>
 </paragraph></subsection><subsection id="H517FBDCEFE464E3297E2939AC1DE170F"><enum>(e)</enum><header>Limitations</header><text>Notwithstanding any other obligation under this subtitle, this subtitle does not apply to the following:</text>
 <paragraph id="H25B2BAC5CCB24C1B8816937DE24583D2"><enum>(1)</enum><header>Financial institutions</header><text>Financial institutions—</text> <subparagraph id="H3FF164608CB54C0EA0FC430045196EC1"><enum>(A)</enum><text>subject to and in compliance with the data security requirements and standards under section 501(b) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801(b)</external-xref>); and</text>
 </subparagraph><subparagraph id="H8587C330DF3B4E6DB23C40EAD1720D92"><enum>(B)</enum><text>subject to the jurisdiction of an agency or authority described in section 505(a) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6805">15 U.S.C. 6805(a)</external-xref>).</text>
 </subparagraph></paragraph><paragraph id="H5A42464CAA8A42B8B70464211865C9B0"><enum>(2)</enum><header>HIPAA and HITECH regulated entities</header><text>An entity that is subject to and in compliance with the data breach notification of the following, with respect to data that is subject to such requirements:</text>
 <subparagraph id="H6F780AEB1E9E49AF80C46020E4A04625"><enum>(A)</enum><text>Section 13401 of the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931</external-xref>).</text>
 </subparagraph><subparagraph id="HF861CEC1F29C429385FB956EB765014F"><enum>(B)</enum><text>Part 160 or 164 of title 45, Code of Federal Regulations (or any successor regulations).</text> </subparagraph><subparagraph id="H9C7084A69DB543C096220ED38BE252AA"><enum>(C)</enum><text>The regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2</external-xref> note).</text>
 </subparagraph><subparagraph id="HE86C5691271344FBA9EAEA0126473C0E"><enum>(D)</enum><text>In the case of a business entity, the applicable data breach notification requirements of part 1 of subtitle D of title XIII of division A of the American Reinvestment and Recovery Act of 2009 (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931</external-xref> et seq.), if such business entity is acting as a covered entity, a business associate, or a vendor of personal health records, as those terms are defined in section 13400 of the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17921">42 U.S.C. 17921</external-xref>).</text>
 </subparagraph><subparagraph id="HB52B7844FEB64A8BAA150AE163A24CEF"><enum>(E)</enum><text>In the case of a third-party service provider, section 13407 of the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17937">42 U.S.C. 17937</external-xref>).</text>
							</subparagraph></paragraph></subsection></section><section id="H6B8B0DB24FFF4E4E8A4A284AE3238121"><enum>212.</enum><header>Exemptions</header>
					<subsection id="H2C21D2BAD8A94121A87F80DB803E3C97"><enum>(a)</enum><header>National security and law enforcement exemption</header>
 <paragraph id="H98F7A4F6D7A0498CB8535ED0B71ADD11"><enum>(1)</enum><header>In general</header><text>Section 211 shall not apply to a covered entity if a Federal law enforcement agency or intelligence agency—</text>
 <subparagraph id="H0DAA516E30844ED3B5B784E432832F3E"><enum>(A)</enum><text>determines that notification of the security breach—</text> <clause id="H2411D087DD794FFABAABF8FC723F6BEB"><enum>(i)</enum><text>could be expected to reveal sensitive sources and methods or similarly impede the ability of the Government to conduct law enforcement investigations; or</text>
 </clause><clause id="HB7CE75CE149D48998FFE05AE61002F0C"><enum>(ii)</enum><text>could be expected to cause damage to the national security;</text> </clause></subparagraph><subparagraph id="H1FCA7F46F6A5439C8E9BC1E190D7EB97"><enum>(B)</enum><text>communicates the determination made under subparagraph (A) to the covered entity; and</text>
 </subparagraph><subparagraph id="HE1B8C5B785324DF0877A3BA47FBC1336"><enum>(C)</enum><text>orders that notification required under section 211 not be made.</text> </subparagraph></paragraph><paragraph id="HF1D8D56B5DB24FD3A49BBE66E06649C7"><enum>(2)</enum><header>Immunity</header><text>No nonconstitutional cause of action shall lie in any court against any Federal agency for acts relating to the exemption from notification for law enforcement or national security purposes under this title.</text>
 </paragraph></subsection><subsection id="H4590C246B7CF4C82B213D53FD8B938F3"><enum>(b)</enum><header>Safe harbor exemption</header><text>A covered entity shall be exempt from the notice requirements under section 211 if the covered entity reasonably determines that sensitive personally identifiable information is rendered unusable, unreadable, or indecipherable through data security technology or methodology, including encryption or redaction, that is generally accepted by experts in the field of information security, such that there is no reasonable likelihood that a security breach has resulted in, or will result in, the misuse of data.</text>
 </subsection></section><section id="HE3DF4A0F14AA4F72B727DFE0341698BC"><enum>213.</enum><header>Methods of notice</header><text display-inline="no-display-inline">A covered entity shall be in compliance with section 211 if it provides the following:</text> <paragraph id="H65D120D2E79D4647B02EBA8D970DFA75"><enum>(1)</enum><header>Individual notice</header><text>Notice to individuals by one of the following means if the method of notification selected can most likely be expected to reach the intended individual:</text>
 <subparagraph id="HB43B923E07DD4349B16311A3C28BC6DF"><enum>(A)</enum><text>Written notification to the last known home mailing address of the individual in the records of the covered entity.</text>
 </subparagraph><subparagraph id="HF2E0060473094F09A51CFAE8FE5B8F2D"><enum>(B)</enum><text>Telephone notice to the individual personally, provided that the telephone notice is made directly to each affected consumer, and is not made through a prerecorded message.</text>
 </subparagraph><subparagraph id="HA44657355B6D47DEB34FBC57A7CB66CA"><enum>(C)</enum><text>E-mail notice, if—</text> <clause id="H3A298CE94B12421490633A9DD1D04781"><enum>(i)</enum> <subclause commented="no" display-inline="yes-display-inline" id="H455ADA58307646C4832F6EAB6346635C"><enum>(I)</enum><text>the covered entity’s primary method of communication with the individual is by e-mail; or</text>
 </subclause><subclause id="H4B0DA5DBBDA94ED2AE94A0D36FC4F804" indent="up1"><enum>(II)</enum><text>the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7001">15 U.S.C. 7001</external-xref>); and</text>
 </subclause></clause><clause id="H095BA5E293E0466F8EBB0DBA6D13BA2F"><enum>(ii)</enum><text>the e-mail notice does not request, or contain a hypertext link to a request, that the consumer provide personal information in response to the notice.</text>
 </clause></subparagraph></paragraph><paragraph id="H06659AF89F1F43B4814B8ED222599F2B"><enum>(2)</enum><header>Media and website notice</header><text>In the event notice is required to more than 5,000 individuals in 1 State and individual notice is not feasible due to lack of sufficient contact information for the individuals required to be notified, a covered entity shall—</text>
 <subparagraph id="H80D2449C8B6148089783F0886A5D4A89"><enum>(A)</enum><text>provide notice to the major media outlets serving the State or jurisdiction of the individuals believed to be affected; and</text>
 </subparagraph><subparagraph id="H5DFB54391A5E468A97B91D655D41244B"><enum>(B)</enum><text>place notice in a clear and conspicuous place on the website of the covered entity if the covered entity operates a website.</text>
						</subparagraph></paragraph></section><section id="H93BCA486AE4A420491DDE66C4D28A858"><enum>214.</enum><header>Content of notification</header>
 <subsection id="HF11300C0D74243DCAE595BA79DC32C97"><enum>(a)</enum><header>In general</header><text>Regardless of the method by which notice is provided to individuals under section 213, such notice shall include, to the extent possible—</text>
 <paragraph id="H210D51EC36994AB7BF55573D6EC78774"><enum>(1)</enum><text>a general description of the incident and the date or estimated date of the security breach and the date range during which the sensitive personally identifiable information was compromised;</text>
 </paragraph><paragraph id="H4881279910B34EAF88C7492FE256F45E"><enum>(2)</enum><text>a description of the categories of sensitive personally identifiable information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person;</text>
 </paragraph><paragraph id="HD27490D2BCD443A7A963A95BFE4E25B7"><enum>(3)</enum><text>the acts the covered entity, or the agent of the covered entity, has taken to protect sensitive personally identifiable information from further security breach;</text>
 </paragraph><paragraph id="HBA46991B123648CD82D53532C017CE9E"><enum>(4)</enum><text>a toll-free number—</text> <subparagraph id="H14CC628EC31947B7A94DD5B83358EF8A"><enum>(A)</enum><text>that the individual may use to contact the covered entity, or the agent of the covered entity; and</text>
 </subparagraph><subparagraph id="H758DBD105C8D40B0B85C9368C9E3D05C"><enum>(B)</enum><text>from which the individual may learn what types of sensitive personally identifiable information the covered entity maintained about that individual; and</text>
 </subparagraph></paragraph><paragraph id="H4E1AE593044040F993FE49BF47098C8C"><enum>(5)</enum><text>the toll-free contact telephone numbers and addresses for the major credit reporting agencies if the sensitive personally identifiable information that was breached could be used to commit financial fraud or identity theft.</text>
 </paragraph></subsection><subsection id="H5D8CDC1E4AF24593BC3AD7EB0CEDD4EE"><enum>(b)</enum><header>Direct business relationship</header><text>Regardless of whether a covered entity or a designated third party provides the notice required pursuant to section 211(b), such notice shall include the name of the covered entity that has the most direct relationship with the individual being notified.</text>
 </subsection></section><section id="HB0BE37BB555349A9B02C670CF647F479"><enum>215.</enum><header>Coordination of notification with credit reporting agencies</header><text display-inline="no-display-inline">If a covered entity is required to provide notification to more than 5,000 individuals under section 211(a) and the sensitive personally identifiable information that was breached could be used to commit financial fraud or identity theft, the covered entity shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 1681a(p)</external-xref>)) of the timing and distribution of the notices. Such notice shall be given to the consumer credit reporting agencies without unreasonable delay and, if it will not delay notice to the affected individuals, prior to the distribution of notices to the affected individuals.</text>
 </section><section id="H4593892E452A4E929D7389EF7EE03C5F"><enum>216.</enum><header>Notice to the Federal Trade Commission</header><text display-inline="no-display-inline">A covered entity required to provide notification under section 211(a) shall provide a copy of the notification to the Federal Trade Commission not later than the date on which notice is provided to individuals required to be notified. The Federal Trade Commission shall establish procedures to ensure the attorneys general of each State with affected residents receives a copy of the notice provided to it under this section.</text>
				</section><section id="H07E3F91CCF904D63B589361B1B963E0E"><enum>217.</enum><header>Notice to law enforcement</header>
					<subsection id="HFCF41CB51492453EB8C1817C9B286951"><enum>(a)</enum><header>Designation of government entity to receive notice</header>
 <paragraph id="H197EAA08A3394F74823E370D87BF2F1D"><enum>(1)</enum><header>In general</header><text>Not later than 60 days after the date of enactment of this Act, the Secretary of Homeland Security, in consultation with the Attorney General, shall designate a Federal Government entity to receive the notices required under section 211 and this section.</text>
 </paragraph><paragraph id="H1BAF433A96C74BA282B3D44ED5C6E2C2"><enum>(2)</enum><header>Responsibilities of the designated entity</header><text>The designated entity shall—</text> <subparagraph id="HEBBCF76BBD9B45E1866D9C868D7561B9"><enum>(A)</enum><text>promptly provide the information that it receives to the United States Secret Service or the Federal Bureau of Investigation for law enforcement purposes; and</text>
 </subparagraph><subparagraph id="HBB7722F3B7E34ADC98E4EA5A6A98B5EB"><enum>(B)</enum><text>provide the information described in subparagraph (A) as appropriate to other Federal agencies for law enforcement, national security, or data security purposes.</text>
 </subparagraph></paragraph></subsection><subsection id="H4CE73713CD04470187A680BE3A6B27E4"><enum>(b)</enum><header>Notice</header><text>A covered entity shall notify the designated entity of the fact that a security breach has occurred if—</text>
 <paragraph id="HA51ADBE0ABCD45ED9BE24FC01C3F69F0"><enum>(1)</enum><text>the number of individuals whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000;</text>
 </paragraph><paragraph id="HA1CECA783B704C29990EB2690388AE93"><enum>(2)</enum><text>the security breach involves a database, networked or integrated databases, or other data system containing the sensitive personally identifiable information of more than 500,000 individuals nationwide;</text>
 </paragraph><paragraph id="H0D8B4CEB5C054DEDB3C1F0D79A4EECA8"><enum>(3)</enum><text>the security breach involves databases owned by the Federal Government; or</text> </paragraph><paragraph id="HE541D678EB54452ABBBE44DC84CE0393"><enum>(4)</enum><text>the security breach involves primarily sensitive personally identifiable information of individuals known to the covered entity to be employees and contractors of the Federal Government involved in national security or law enforcement.</text>
 </paragraph></subsection><subsection id="H1F4EDF1BF951412EA759179C6ABF8F2E"><enum>(c)</enum><header>Department of Justice review of thresholds for notice</header><text>The Attorney General, in consultation with the Secretary of Homeland Security, after notice and the opportunity for public comment, and in a manner consistent with this section, shall promulgate regulations, as necessary, under section 553 of title 5, United States Code, to adjust the thresholds for notice to law enforcement and national security authorities under subsection (a) and to facilitate the purposes of this section.</text>
 </subsection><subsection id="H8FCB7E8D0372454BA8C9E4BBAB6BC441"><enum>(d)</enum><header>Timing</header><text>The notice required under subsection (b) shall be provided as promptly as possible, but such notice must be provided not less than 72 hours before notice is provided to an individual pursuant to section 211, or not later than 10 days after the discovery of the events requiring notice, whichever occurs first. For each breach requiring notice under this subsection, a copy of the notice to individuals required under section 211 shall also be provided to the designated entity not later than the date on which the notice is provided to affected individuals.</text>
					</subsection></section><section id="H1471BECE6D0C45ED9AE2F0787647FB4E"><enum>218.</enum><header>Federal enforcement</header>
 <subsection id="HFD985D44FD7446A3B368F95937086464"><enum>(a)</enum><header>In general</header><text>The Attorney General and the Federal Trade Commission may enforce civil violations of this subtitle.</text>
					</subsection><subsection id="H39465D6CD29D4C5B8EB487EF51CE56B0"><enum>(b)</enum><header>Civil actions by the Attorney General of the United States</header>
 <paragraph id="H4FF770E0178B4B90AC473A5428929D41"><enum>(1)</enum><header>In general</header><text>The Attorney General may bring a civil action in the appropriate United States district court against any covered entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, the covered entity shall be subject to a civil penalty in an amount not greater than the product of the number of violations of this subtitle and $16,500. Each failure to provide notification to an individual as required under this subtitle shall be treated as a separate violation.</text>
 </paragraph><paragraph id="H39AB7DB25E924FC183EE6D4C167907A0"><enum>(2)</enum><header>Penalty limitation</header><text>Notwithstanding any other provision of law, the total amount of the civil penalty assessed against a covered entity for conduct involving the same or related acts or omissions that results in a violation of this subtitle may not exceed $5,000,000, unless such conduct is found to be willful or intentional.</text>
 </paragraph><paragraph id="H47E70A9567D04B9DBEBD07EA0B44E406"><enum>(3)</enum><header>Determinations</header><text>The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact.</text>
 </paragraph><paragraph id="H40FA984EFE414A5593CDAC08F3228E79"><enum>(4)</enum><header>Additional penalty limit</header><text>If a court determines under paragraph (3) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $5,000,000.</text>
						</paragraph></subsection><subsection id="HC1F230EE4FE14E1C9AAA74B5B1D94163"><enum>(c)</enum><header>Injunctive actions by the Attorney General</header>
 <paragraph id="H7E806ACCF7EC42C99E9B468B2716D7D0"><enum>(1)</enum><header>In general</header><text>If it appears that a covered entity has engaged, or is engaged, in any act or practice constituting a violation of this subtitle, the Attorney General may petition an appropriate district court of the United States for an order—</text>
 <subparagraph id="H3B6E07768D0D4079878C00A6D6CCF640"><enum>(A)</enum><text>enjoining such act or practice; or</text> </subparagraph><subparagraph id="H18AF737EAFDC4F12BF13EB17EE61890D"><enum>(B)</enum><text>enforcing compliance with this subtitle.</text>
 </subparagraph></paragraph><paragraph id="H72A4D882C68F4DA7BD84972672B5A1F7"><enum>(2)</enum><header>Issuance of order</header><text>A court may issue an order under paragraph (1), if the court finds that the conduct in question constitutes a violation of this subtitle.</text>
						</paragraph></subsection><subsection id="H0AD28D9F671F4F778B5C3D0A9E574E29"><enum>(d)</enum><header>Civil actions by the Federal Trade Commission</header>
 <paragraph id="HF97C36CA67A14388A3D164876DD4C3C3"><enum>(1)</enum><header>In general</header><text>Compliance with the requirements imposed under this subtitle may be enforced under the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41</external-xref> et seq.) by the Federal Trade Commission with respect to business entities subject to this Act. All of the functions and powers of the Federal Trade Commission under the Federal Trade Commission Act are available to the Commission to enforce compliance by any person with the requirements imposed under this title.</text>
						</paragraph><paragraph id="H3EC82B07A0F74AE58B95FB3EF5AFF8FB"><enum>(2)</enum><header>Civil penalties</header>
 <subparagraph id="H679C363C9B58423FBC616468BCF396FF"><enum>(A)</enum><header>In general</header><text>Any covered entity that violates this subtitle shall be subject to a civil penalty in the amount that is not greater than the product of the number of violations of this subtitle and $16,500. Each failure to provide notification to an individual as required under this subtitle shall be treated as a separate violation.</text>
 </subparagraph><subparagraph id="HB18CD050F22342C88EE3596A81AB3BB0"><enum>(B)</enum><header>Penalty limitation</header><text>Notwithstanding any other provision of law, the total sum of civil penalties assessed against a covered entity for all violations of the provisions of this subtitle resulting from the same or related acts or omissions may not exceed $5,000,000, unless such conduct is found to be willful or intentional.</text>
 </subparagraph><subparagraph id="HBF5DC86FB4554B61882279B97E482279"><enum>(C)</enum><header>Determinations</header><text>The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact.</text>
 </subparagraph><subparagraph id="HA01826FE41404E638EDF8F76BFC46C08"><enum>(D)</enum><header>Additional penalty limit</header><text>If a court determines under subparagraph (C) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $5,000,000.</text>
 </subparagraph></paragraph><paragraph id="H0772ADF78B5B42548B797E32D630A94D"><enum>(3)</enum><header>Unfair or deceptive acts or practices</header><text>For the purpose of the exercise by the Federal Trade Commission of its functions and powers under the Federal Trade Commission Act, a violation of any requirement or prohibition imposed under this title shall constitute an unfair or deceptive act or practice in commerce in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>) regarding unfair or deceptive acts or practices and shall be subject to enforcement by the Federal Trade Commission under that Act with respect to any business entity, irrespective of whether that business entity is engaged in commerce or meets any other jurisdictional tests in the Federal Trade Commission Act.</text>
						</paragraph></subsection><subsection id="H91BB02CF7C7747B89CB4BD42197F57D5"><enum>(e)</enum><header>Coordination of enforcement</header>
 <paragraph id="H6118D1F48ADC41C9AA0144817375590B"><enum>(1)</enum><header>In general</header><text>When opening an investigation, the Federal Trade Commission shall consult with the Attorney General.</text>
 </paragraph><paragraph id="HFC571BEEC08542E69E1C1B0D26CB6D26"><enum>(2)</enum><header>Limitation</header><text>The Federal Trade Commission may initiate investigations under this subsection unless the Attorney General determines that such an investigation would impede an ongoing criminal investigation or national security activity.</text>
						</paragraph><paragraph id="H14053224034E451397D11593BB89AC3A"><enum>(3)</enum><header>Coordination agreement</header>
 <subparagraph id="H8CDAD6F9B85D489798B0E2FF42628F28"><enum>(A)</enum><header>In general</header><text>In order to avoid conflicts and promote consistency regarding the enforcement and litigation of matters under this Act, not later than 180 days after the enactment of this Act, the Attorney General and the Federal Trade Commission shall enter into an agreement for coordination regarding the enforcement of this Act.</text>
 </subparagraph><subparagraph id="H9D2FF22315564B839D1C026FFE347C09"><enum>(B)</enum><header>Requirement</header><text>The coordination agreement entered into under subparagraph (A) shall include provisions to ensure that parallel investigations and proceedings under this section are conducted in a manner that avoids conflicts and does not impede the ability of the Attorney General to prosecute violations of Federal criminal laws.</text>
 </subparagraph></paragraph></subsection><subsection id="HB22AA3E1687E42C69A6C5AF3E3AC11DD"><enum>(f)</enum><header>Rulemaking</header><text>The Federal Trade Commission may, in consultation with the Attorney General, issue such other regulations as it determines to be necessary to carry out this subtitle. All regulations promulgated under this Act shall be issued in accordance with section 553 of title 5, United States Code.</text>
 </subsection><subsection id="H361FFADCA7FF4538AD010BEC372CFA33"><enum>(g)</enum><header>Other rights and remedies</header><text>The rights and remedies available under this subtitle are cumulative and shall not affect any other rights and remedies available under law.</text>
 </subsection><subsection id="HBB243C540F464AC2A6BF448C7FE0D528"><enum>(h)</enum><header>Fraud alert</header><text>Section 605A(b)(1) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681c-1">15 U.S.C. 1681c–1(b)(1)</external-xref>) is amended by inserting <quote>, or evidence that the consumer has received notice that the consumer’s financial information has or may have been compromised,</quote> after <quote>identity theft report</quote>.</text>
					</subsection></section><section id="H0B9AC850406B4749803D72A6DF63614F"><enum>219.</enum><header>Enforcement by State attorneys general</header>
					<subsection id="H211887B1B55943E0B534175C6BB63CCC"><enum>(a)</enum><header>In general</header>
						<paragraph id="H5227EE80858F4FE1A65344DC5C92AE2A"><enum>(1)</enum><header>Civil actions</header>
 <subparagraph id="H085F9FD57657490DB364FAD780DF891B"><enum>(A)</enum><header>In general</header><text>In any case in which the attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that a covered entity has violated this subtitle, the State, as parens patriae, may bring a civil action on behalf of the residents of the State to—</text>
 <clause id="HA57ED258AD174436896AEEBF1E8C992C"><enum>(i)</enum><text>enjoin that practice;</text> </clause><clause id="H6650CC4841734AC186314191DC45479D"><enum>(ii)</enum><text>enforce compliance with this subtitle; or</text>
 </clause><clause id="H1FBF204E50734DD29B91CAC78465F73F"><enum>(iii)</enum><text>impose a civil penalty in an amount not greater than the product of the number of violations of this subtitle and $16,500.</text>
 </clause></subparagraph><subparagraph id="H75C7C0B478F6402E9ED91D4A3B7E4E4A"><enum>(B)</enum><header>Failure to provide notification</header><text>For purposes of subparagraph (A)(iii), each failure to provide notification to an individual as required under this subtitle shall be treated as a separate violation.</text>
							</subparagraph></paragraph><paragraph id="HE0AF1FC3ADF0426FBBD67F19E0F25CEE"><enum>(2)</enum><header>Penalty limitation</header>
 <subparagraph id="H965EC7F279E8423982564583BD2A238C"><enum>(A)</enum><header>In general</header><text>Notwithstanding any other provision of law, the total sum of civil penalties assessed against a covered entity for all violations of the provisions of this subtitle resulting from the same or related acts or omissions may not exceed $5,000,000, unless such conduct is found to be willful or intentional.</text>
 </subparagraph><subparagraph id="H4DBFC3DEFD974A809B73D6A52CDD2AF6"><enum>(B)</enum><header>Determinations</header><text>The determination of whether a violation of a provision of this subtitle has occurred, and if so, the amount of the penalty to be imposed, if any, shall be made by the court sitting as the finder of fact. The determination of whether a violation of a provision of this subtitle was willful or intentional, and if so, the amount of the additional penalty to be imposed, if any, shall be made by the court sitting as the finder of fact.</text>
 </subparagraph><subparagraph id="H4490F97CFBD64873B277299729065577"><enum>(C)</enum><header>Additional penalty limit</header><text>If a court determines under subparagraph (B) that a violation of a provision of this subtitle was willful or intentional and imposes an additional penalty, the court may not impose an additional penalty in an amount that exceeds $5,000,000.</text>
							</subparagraph></paragraph><paragraph id="HA4400F1C2F4746EC8BEBEC4394262F6A"><enum>(3)</enum><header>Notice</header>
 <subparagraph id="HB0CE9675469D491291BDCCCCDF45E272"><enum>(A)</enum><header>In general</header><text>Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General of the United States and the Federal Trade Commission—</text>
 <clause id="H8D66AAE7F90B40E5B8C0CA1AF8A45DDE"><enum>(i)</enum><text>written notice of the action; and</text> </clause><clause id="H671AED723DCC459689FF492995086EE2"><enum>(ii)</enum><text>a copy of the complaint for the action.</text>
								</clause></subparagraph><subparagraph id="H387D557E123A4322880EDE6B6D54DB7D"><enum>(B)</enum><header>Exemption</header>
 <clause id="HFC7AB1D045DB43AEB609CF9F5EE2AC5D"><enum>(i)</enum><header>In general</header><text>Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subtitle, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.</text>
 </clause><clause id="H8B85CB9E1B904A78BED01E123420CD67"><enum>(ii)</enum><header>Notification</header><text>In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General of the United States and the Federal Trade Commission at the time the State attorney general files the action.</text>
 </clause></subparagraph></paragraph></subsection><subsection id="H574ADF9E791E459ABED41341C0A3660D"><enum>(b)</enum><header>Federal proceedings</header><text>Upon receiving notice under subsection (a)(2), the Attorney General and the Federal Trade Commission shall have the right to—</text>
 <paragraph id="H81CFCEEF01FF4CF6956CB5B1B2FD1F5D"><enum>(1)</enum><text>move to stay the action, pending the final disposition of a pending Federal proceeding or action;</text> </paragraph><paragraph id="HD7048CCC353E487C833454B15C34024C"><enum>(2)</enum><text>initiate an action in the appropriate United States district court under section 218 and move to consolidate all pending actions, including State actions, in such court;</text>
 </paragraph><paragraph id="HC2E1D2E8CFCB4FB2AE77EEC4B21A32BD"><enum>(3)</enum><text>intervene in an action brought under subsection (a)(2); and</text> </paragraph><paragraph id="H05BA4523373B4EC9BCB585E714661B84"><enum>(4)</enum><text>file petitions for appeal.</text>
 </paragraph></subsection><subsection id="HACD4063F8F8C4085BF30EB0622B6066F"><enum>(c)</enum><header>Pending proceedings</header><text>If the Attorney General or the Federal Trade Commission initiates a criminal proceeding or civil action for a violation of a provision of this subtitle, or any regulations thereunder, no attorney general of a State may bring an action for a violation of a provision of this subtitle against a defendant named in the Federal criminal proceeding or civil action.</text>
 </subsection><subsection id="HB0A739A2BAB24A378FF027F84FB73DE1"><enum>(d)</enum><header>Construction</header><text>For purposes of bringing any civil action under subsection (a), nothing in this subtitle regarding notification shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to—</text>
 <paragraph id="H0DC12EE2BEF343AE906EBA6F44E9AA0D"><enum>(1)</enum><text>conduct investigations;</text> </paragraph><paragraph id="HC96E02516D66472BBD498CDCD19A079B"><enum>(2)</enum><text>administer oaths or affirmations; or</text>
 </paragraph><paragraph id="HCBF4DE0CA9AA4986A90CADD52DA077DA"><enum>(3)</enum><text>compel the attendance of witnesses or the production of documentary and other evidence.</text> </paragraph></subsection><subsection id="H5C16987F1CCF4A98B13AA0CA1CF2F51F"><enum>(e)</enum><header>Venue; service of process</header> <paragraph id="H31FE5C33BEB64A57A2F5A5B83CB11E00"><enum>(1)</enum><header>Venue</header><text>Any action brought under subsection (a) may be brought in—</text>
 <subparagraph id="H276028AC69264C42B3C267F4A1C82E13"><enum>(A)</enum><text>the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or</text>
 </subparagraph><subparagraph id="H8B2ABE73A0E3478EBABF7C20BA5C56E3"><enum>(B)</enum><text>another court of competent jurisdiction.</text> </subparagraph></paragraph><paragraph id="H4719A062432F43289CBD9CD9C2C97835"><enum>(2)</enum><header>Service of process</header><text>In an action brought under subsection (a), process may be served in any district in which the defendant—</text>
 <subparagraph id="H56F2570474544D9C939D85AAE8E76FD4"><enum>(A)</enum><text>is an inhabitant; or</text> </subparagraph><subparagraph id="H00AC02522AA24D0DA5C343885E82A4D9"><enum>(B)</enum><text>may be found.</text>
 </subparagraph></paragraph></subsection><subsection id="H5478182028D74B7191E9D016A564BBD2"><enum>(f)</enum><header>No private cause of action</header><text>Nothing in this subtitle establishes a private cause of action against a business entity for violation of any provision of this subtitle.</text>
					</subsection></section><section id="H4BCD945ECE2D45D78D339F5561AA5708"><enum>220.</enum><header>Effect on Federal and State law</header>
 <subsection commented="no" id="HF147239E07EB4B4BB88E371D287D4916"><enum>(a)</enum><header>Preemption</header><text>For a covered entity that is subject to this subtitle, the provisions of this subtitle shall supersede any other provision of Federal law, or any provisions of the law of any State or political subdivision of a State requiring notification of a security breach of sensitive personally identifiable information that are less stringent than the requirements of this subtitle.</text>
 </subsection><subsection id="HB8B06AD429C74A7B914685F436348768"><enum>(b)</enum><header>Consumer protection laws</header><text>Except as provided in subsection (a), this section shall not be construed to limit the enforcement of any State consumer protection law by an attorney general of a State.</text>
 </subsection><subsection id="HA5C259369AF549CFB06FB1D4D1B20576"><enum>(c)</enum><header>Protection of certain State laws</header><text>Nothing in this Act shall be construed to preempt the applicability of—</text> <paragraph id="H5E7D7819FA124F57BC550CBFF61E7724"><enum>(1)</enum><text>State trespass, contract, or tort law; or</text>
 </paragraph><paragraph id="H4DAA697F3C5149B8A32B006E5822DB38"><enum>(2)</enum><text>any other State law to the extent that the law relates to acts of fraud.</text> </paragraph></subsection><subsection id="HE062464A223A4E7D89F98CC404FAE15D"><enum>(d)</enum><header>Preservation of FTC authority</header><text>Nothing in this Act may be construed in any way to limit the authority of the Federal Trade Commission under any other provision of law.</text>
 </subsection><subsection id="H4880B51D008440EF90EEE9A2BCDCCFA2"><enum>(e)</enum><header>Preservation of FCC authority</header><text>Nothing in this Act may be construed in any way to limit the authority of the Federal Communications Commission under any other provision of law.</text>
 </subsection></section><section commented="no" id="H56397B033F1A47739EA1124A02238E4D"><enum>221.</enum><header>Reporting on exemptions</header><text display-inline="no-display-inline">Not later than 18 months after the date of enactment of this Act, and upon the request by Congress thereafter, the Attorney General, in consultation with the Secretary of Homeland Security, shall submit a report to Congress on the number and nature of security breaches subject to the national security and law enforcement exemptions under section 212(a).</text>
 </section><section id="H5FF954F4979E471DBB0A641B51215678"><enum>222.</enum><header>Effective date</header><text display-inline="no-display-inline">This subtitle shall take effect on the expiration of the date that is 90 days after the date of enactment of this Act.</text>
				</section></subtitle></title><title id="H9BEAB718C0A942658CF1C0A1B1EE1BE3"><enum>III</enum><header>Compliance with statutory Pay-As-You-Go Act</header>
 <section id="H836089BAC86647A4BB267133DCCC6D7F"><enum>301.</enum><header>Budget compliance</header><text display-inline="no-display-inline">The budgetary effects of this Act, for the purpose of complying with the Statutory Pay-As-You-Go Act of 2010, shall be determined by reference to the latest statement titled <quote>Budgetary Effects of PAYGO Legislation</quote> for this Act, submitted for printing in the Congressional Record by the Chairman of the Senate Budget Committee, provided that such statement has been submitted prior to the vote on passage.</text>
			</section></title></legis-body></bill>


