<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-House" bill-type="olc" dms-id="HD29D9D31F2554641AEC96297E20D4A92" key="H" public-private="public">
<metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>115 HR 5388 IH: Data Accountability and Trust Act</dc:title>
<dc:publisher>U.S. House of Representatives</dc:publisher>
<dc:date>2018-03-22</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">I</distribution-code>
<congress display="yes">115th CONGRESS</congress><session display="yes">2d Session</session>
<legis-num display="yes">H. R. 5388</legis-num>
<current-chamber>IN THE HOUSE OF REPRESENTATIVES</current-chamber>
<action display="yes">
<action-date date="20180322">March 22, 2018</action-date>
<action-desc><sponsor name-id="R000515">Mr. Rush</sponsor> introduced the following bill; which was referred to the <committee-name committee-id="HIF00">Committee on Energy and Commerce</committee-name></action-desc>
</action>
<legis-type>A BILL</legis-type>
<official-title display="yes">To require certain entities who collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security involving such information, and for other purposes.</official-title>
</form> 
<legis-body id="H1545161310DF411385DF0ABD71545A33" style="OLC"> 
<section id="H561FEC6F36F644168F39ACEBA9C1DD1A" section-type="section-one"><enum>1.</enum><header>Short title</header><text display-inline="no-display-inline">This Act may be cited as the <quote><short-title>Data Accountability and Trust Act</short-title></quote>.</text> </section> <section id="H8B00E976729D4588BCB9BFD3985C9509"><enum>2.</enum><header>Requirements for information security</header> <subsection id="H807271BFF7104727B3146C898E1A874E"><enum>(a)</enum><header>General security policies and procedures</header> <paragraph id="H792B599D75174363ACBDE8BCFEA46F5D"><enum>(1)</enum><header>Regulations</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require each covered entity to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration—</text> 
<subparagraph id="H5FDABA31D6F74056B85E37A277F59E4A"><enum>(A)</enum><text>the size of, and the nature, scope, and complexity of the activities engaged in by such covered entity;</text> </subparagraph> <subparagraph id="H6F68D890E97F4055935777E6F18370C5"><enum>(B)</enum><text>the sensitivity of any personal information at issue;</text> </subparagraph>
<subparagraph id="HB007117FE21642718D46D3214AD811BE"><enum>(C)</enum><text>the current state of the art in administrative, technical, and physical safeguards for protecting such information; and</text> </subparagraph> <subparagraph id="H2B904A3BD63D4D6CA593F6ADCAEE56DD"><enum>(D)</enum><text>the cost of implementing such safeguards.</text> </subparagraph></paragraph>
<paragraph id="HED69B59FB4C941B0BFB96BD76B98ED6E"><enum>(2)</enum><header>Requirements</header><text>Such regulations shall require the policies and procedures to include the following:</text> <subparagraph id="HF3AB9C9561D34686A0E499FCD9395985"><enum>(A)</enum><text>A written security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.</text> </subparagraph>
<subparagraph id="H536AAC73612F4872BEBB6BDA656A3D0F"><enum>(B)</enum><text>The identification of an officer or other individual as the point of contact with responsibility for the management of information security.</text> </subparagraph> <subparagraph id="H367804EAAB5340248A16CF66CD6C3B58"><enum>(C)</enum><text>A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by such covered entity that contains such data, which shall include regular monitoring for a breach of security of such system or systems.</text> </subparagraph>
<subparagraph id="HB09ED5B7B9214D619CCECD45E330B20E"><enum>(D)</enum><text>A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software, and for regularly testing or otherwise monitoring the effectiveness of the safeguards’ key controls, systems, and procedures.</text> </subparagraph> <subparagraph id="H706B7B5308644621BA84E9F8D4515B6D"><enum>(E)</enum><text>A process for disposing of data containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or undecipherable.</text> </subparagraph>
<subparagraph id="HFD1F123A3ED744CC8FC1112B238750CD"><enum>(F)</enum><text>A process for overseeing persons to whom personal information is disclosed, or who have access to internet-connected devices, by—</text> <clause id="H8DAD961C4C1D4859B2F76EC40BE1BBBB"><enum>(i)</enum><text>taking reasonable steps to select and retain persons that are capable of maintaining appropriate safeguards for the personal information or internet-connected devices at issue; and</text> </clause>
<clause id="H22CDBB6D646946D4AED506B03D5BC88F"><enum>(ii)</enum><text>requiring all such persons to implement and maintain such security measures.</text> </clause></subparagraph></paragraph> <paragraph id="H9579342F01B14353889CD8F63598CF53"><enum>(3)</enum><header>Treatment of entities governed by other Federal law</header><text>Any covered entity who is in compliance with any other Federal law that requires such covered entity to maintain standards and safeguards for information security and protection of personal information that, taken as a whole and as the Commission shall determine in the rulemaking required under this subsection, provide protections substantially similar to, or greater than, those required under this subsection, shall be deemed to be in compliance with this subsection.</text> </paragraph></subsection>
<subsection id="HC4C3A726C7F64809984161F2A80ECE32"><enum>(b)</enum><header>Special requirements for information brokers</header> 
<paragraph id="H9202849D176947A388CCA3BCC051FA91"><enum>(1)</enum><header>Submission of policies to the FTC</header><text>The regulations promulgated under subsection (a) shall require each information broker to submit its security policies to the Commission in conjunction with a notification of a breach of security under section 3 or upon request of the Commission.</text> </paragraph> <paragraph id="HB112291D117B41828EE27982C95C2420"><enum>(2)</enum><header>Post-breach audit</header><text>For any information broker required to provide notification under section 3, the Commission may conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker’s security practices during the preceding 5 years).</text> </paragraph>
<paragraph id="H6BDE31476B284B43BC526A0ECED320D9"><enum>(3)</enum><header>Accuracy of and individual access to personal information</header> 
<subparagraph id="H332A593C2DD848B3B8CA41D5DF14A26E"><enum>(A)</enum><header>Accuracy</header> 
<clause id="H1675F58325EF4E99A422557039CED0B6"><enum>(i)</enum><header>In general</header><text>Each information broker shall establish reasonable procedures to assure the maximum possible accuracy of the personal information the information broker collects, assembles, or maintains, and any other information the information broker collects, assembles, or maintains that specifically identifies an individual, other than information which merely identifies an individual’s name or address.</text> </clause> <clause id="H87395A1A6A2B4AA8A7C7AB5AED2844BF"><enum>(ii)</enum><header>Limited exception for fraud databases</header><text>The requirement in clause (i) shall not prevent the collection or maintenance of information that may be inaccurate with respect to a particular individual when that information is being collected or maintained solely—</text> 
<subclause id="H6DFE8D045DE3444DB99027F16F550B8B"><enum>(I)</enum><text>for the purpose of indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual; and</text> </subclause> <subclause id="HE561CAE8C7BF453585F90280397AFE8B"><enum>(II)</enum><text>to help identify, or authenticate the identity of, an individual, or to protect against or investigate fraud or other unlawful conduct.</text> </subclause></clause></subparagraph>
<subparagraph id="H9FA692F85F52464DAC77AC1DA7F9B632"><enum>(B)</enum><header>Consumer access to information</header><text>Each information broker shall—</text> <clause id="HB8B02C02468F4FB5B00A70D3B7B21E98"><enum>(i)</enum><text>provide to each individual whose personal information the information broker maintains, at the individual’s request at least once per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review any personal information regarding such individual maintained by the information broker and any other information maintained by the information broker that specifically identifies such individual, other than information which merely identifies an individual’s name or address; and</text> </clause>
<clause id="HCEE790A343A54FBF88C3C356CD2847FD"><enum>(ii)</enum><text>place a conspicuous notice on the Internet website of the information broker (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under clause (i), and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes under subparagraph (D).</text> </clause></subparagraph> <subparagraph id="H3D82FCE468AC4E2E98AC36387A1C80E4"><enum>(C)</enum><header>Disputed information</header><text>Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, shall—</text> 
<clause id="H5DC2D938F3D84A0E990519130470C8D4"><enum>(i)</enum><text>correct any inaccuracy; or</text> </clause> <clause id="H567181CD059B4F01A4C7A9F40BF75608"><enum>(ii)</enum><text display-inline="yes-display-inline">in the case of information that is—</text> 
<subclause id="H5F08C58AC1C8467FB3689D8C13E75193"><enum>(I)</enum><text>public record information, inform the individual of the source of the information, and, if reasonably available, where a request for correction may be directed and, if the individual provides proof that the public record has been corrected or that the information broker was reporting the information incorrectly, correct the inaccuracy in the information broker’s records; or</text> </subclause> <subclause id="H7591038438AF40ECBC474B7502584E29"><enum>(II)</enum><text display-inline="yes-display-inline">nonpublic information, note the information that is disputed, including the individual’s statement disputing such information, and take reasonable steps to independently verify such information under the procedures outlined in subparagraph (A) if such information can be independently verified.</text> </subclause></clause></subparagraph>
<subparagraph id="HBAE46E5607CA448DBF5250B9CCED1D4E"><enum>(D)</enum><header>Alternative procedure for certain marketing information</header><text>In accordance with regulations issued under subparagraph (F), an information broker that maintains any information described in subparagraph (A) which is used, shared, or sold by such information broker for marketing purposes, may, in lieu of complying with the access and dispute requirements set forth in subparagraphs (B) and (C), provide each individual whose information the information broker maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual’s information for marketing purposes.</text> </subparagraph> <subparagraph id="H2372CBCD29384E69B7C7E56592661CC5"><enum>(E)</enum><header>Limitations</header><text>An information broker may limit the access to information required under subparagraph (B)(i) and is not required to provide notice to individuals as required under subparagraph (B)(ii) in the following circumstances:</text> 
<clause id="H7C394EB3E02143AF850596CEA8A50493"><enum>(i)</enum><text>If access of the individual to the information is limited by law or legally recognized privilege.</text> </clause> <clause id="HAC8CDDE79350498B973F90AC93706B7E"><enum>(ii)</enum><text>If the information is used for a legitimate governmental or fraud prevention purpose that would be compromised by such access.</text> </clause>
<clause id="H11D1B4CDD9E04AE59590884839D60D65"><enum>(iii)</enum><text>If the information consists of a published media record, unless that record has been included in a report about an individual shared with a third party.</text> </clause></subparagraph> <subparagraph id="HE2638CCDDBF147A3939637D2B9FCD374"><enum>(F)</enum><header>Rulemaking</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to carry out this paragraph and to facilitate the purposes of this Act. In addition, the Commission shall issue regulations, as necessary, under section 553 of title 5, United States Code, on the scope of the application of the limitations in subparagraph (E), including any additional circumstances in which an information broker may limit access to information under such clause that the Commission determines to be appropriate.</text> </subparagraph>
<subparagraph id="H43A889E46C454B9B8793FB7F9C78B8D2"><enum>(G)</enum><header>FCRA regulated persons</header><text>Any information broker who is engaged in activities subject to the Fair Credit Reporting Act and who is in compliance with sections 609, 610, and 611 of such Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681g">15 U.S.C. 1681g</external-xref>; 1681h; 1681i) with respect to information subject to such Act, shall be deemed to be in compliance with this paragraph with respect to such information.</text> </subparagraph></paragraph> <paragraph id="H2A567B042EFF48D08AE1664700704591"><enum>(4)</enum><header>Requirement of audit log of accessed and transmitted information</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require information brokers to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data containing personal information collected, assembled, or maintained by such information broker.</text> </paragraph>
<paragraph id="HC27D382CF0324F5B9BD391FCE326B974"><enum>(5)</enum><header>Prohibition on pretexting by information brokers</header> 
<subparagraph id="H207BBC0C23DB4FEC9B57A3ABDBE707DA"><enum>(A)</enum><header>Prohibition on obtaining personal information by false pretenses</header><text>It shall be unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by—</text> <clause id="HA565A39A030B4E75823595A67777F42B"><enum>(i)</enum><text>making a false, fictitious, or fraudulent statement or representation to any person; or</text> </clause>
<clause id="HEDAFFF7D8C574F9BBE4F955D4AB9850A"><enum>(ii)</enum><text>providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.</text> </clause></subparagraph> <subparagraph id="HCC5E80A426AB4047B6E0A488156BCB02"><enum>(B)</enum><header>Prohibition on solicitation to obtain personal information under false pretenses</header><text>It shall be unlawful for an information broker to request a person to obtain personal information or any other information relating to any other person, if the information broker knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subparagraph (A).</text> </subparagraph></paragraph></subsection></section>
<section id="H3FD011C9DBF34A7AA668593060D223B2"><enum>3.</enum><header>Notification of information security breach</header> 
<subsection id="H8D9F4C9B52A44DFAA5D8219B1D5AF83D"><enum>(a)</enum><header>Individual notification</header> 
<paragraph id="HD02CFCAEC1B54BF180D213B07AEC6561"><enum>(1)</enum><header>In general</header><text>Each covered entity shall, following the discovery of a breach of security, notify each individual who is a citizen or resident of the United States whose personal information was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, or used for an unauthorized purpose.</text> </paragraph> <paragraph id="H9719125522624894A28D50172052FC29"><enum>(2)</enum><header>Timeliness of notification</header> <subparagraph id="H469404EABB9C4518ABCFBEDF65011F82"><enum>(A)</enum><header>In general</header><text>Unless subject to a delay authorized under subparagraph (B), a notification required under paragraph (1) shall be made as expeditiously as practicable and without unreasonable delay, but not later than 30 days following the discovery of a breach of security.</text> </subparagraph>
<subparagraph id="H1388F57C8425404BA8CC50329FFF113F"><enum>(B)</enum><header>Delay of notification authorized for law enforcement or national security purposes</header> 
<clause id="H4FB8348F1D97412FBE785E7B09896B55"><enum>(i)</enum><header>Law enforcement</header><text>If a Federal or State law enforcement agency, including an attorney general of a State, determines that the notification required under this section would impede a civil or criminal investigation, such notification shall be delayed upon the written request of the law enforcement agency for 30 days or such lesser period of time which the law enforcement agency determines is reasonably necessary and requests in writing. Such law enforcement agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.</text> </clause> <clause id="HF4E848E4F4C04CE4848D533B96E29CBD"><enum>(ii)</enum><header>National security</header><text>If a Federal national security agency or homeland security agency determines that the notification required under this section would threaten national or homeland security, such notification may be delayed for a period of time which the national security agency or homeland security agency determines is reasonably necessary and requests in writing. A Federal national security agency or homeland security agency may revoke such delay or extend the period of time set forth in the original request made under this paragraph by a subsequent written request if further delay is necessary.</text> </clause></subparagraph></paragraph></subsection>
<subsection id="HFB51B3914CEE4CE0A00A8C68131CDECF"><enum>(b)</enum><header>Coordination of notification with credit reporting agencies</header><text>If a covered entity is required to provide notification to more than 5,000 individuals under subsection (a)(1), the covered entity shall also notify the major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing and distribution of the notifications. Such notification shall be given to the credit reporting agencies without unreasonable delay and, if such notification will not delay notification to the affected individuals, prior to the distribution of notifications to the affected individuals.</text> </subsection> <subsection id="HEA42C6C8A92143CB80E5D3120EDBA61E"><enum>(c)</enum><header>Method and content of notification</header> <paragraph id="H211C4A6486364AA0870F56C2C343715C"><enum>(1)</enum><header>General notification</header><text>A covered entity required to provide notification to individuals under subsection (a)(1) shall be in compliance with such requirement if the covered entity provides conspicuous and clearly identified notification by one of the following methods (provided the selected method can reasonably be expected to reach the intended individual):</text> 
<subparagraph id="H6BE6165B992D417498626D909939E29E"><enum>(A)</enum><text>Written notification to the last known home mailing address of the individual in the records of the covered entity.</text> </subparagraph> <subparagraph id="HF2FC6A5F90874CCB9188420254B4C9B4"><enum>(B)</enum><text>Notification by email or other electronic means, if—</text> 
<clause id="H077D78761B334F71AB64365406284897"><enum>(i)</enum><text>the covered entity’s primary method of communication with the individual is by email or such other electronic means; or</text> </clause> <clause id="H9D4C6A09A70949B483F4076A78F90ED7"><enum>(ii)</enum><text>the individual has consented to receive such notification and the notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notifications under section 101 of the Electronic Signatures in Global Commerce Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7001">15 U.S.C. 7001</external-xref>).</text> </clause></subparagraph></paragraph>
<paragraph id="HD68E07C7353A4076BA1FCC81BB7487B1"><enum>(2)</enum><header>Website notification</header><text>The covered entity shall also provide conspicuous notification on the Internet website of the covered entity (if such covered entity maintains such a website) for a period of not less than 90 days.</text> </paragraph> <paragraph id="H7E3957BF633E4CC48A230100DFD22F81"><enum>(3)</enum><header>Media notification</header><text>If the number of residents of a State whose personal information was, or is reasonably believed to have been acquired or accessed by an unauthorized person, or used for an unauthorized purpose exceeds 5,000, the covered entity shall also provide notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, or used for an unauthorized purpose, reside.</text> </paragraph>
<paragraph id="H310F9163424947D4831EA4B94CFB9179"><enum>(4)</enum><header>Content of notification</header> 
<subparagraph id="HAC5D1DF296BB4AD881376ECFE077C813"><enum>(A)</enum><header>In general</header><text>Regardless of the method by which notification is provided to an individual under paragraphs (1), (2), and (3), such notification shall include—</text> <clause id="HD020D467FA0F48AC923566349166ED0E"><enum>(i)</enum><text>a description of the personal information that was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, or used for an unauthorized purpose;</text> </clause>
<clause id="H8467F26ADA224994BAC84A341DAFEB92"><enum>(ii)</enum><text>a telephone number that the individual may use, at no cost to such individual, to contact the covered entity, or agent of the covered entity, to inquire about the breach of security or the information the covered entity maintained about that individual;</text> </clause> <clause id="H4CA96D38B6CD40379D3B63557C3DDDB1"><enum>(iii)</enum><text>notification that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 5 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 5 years, and instructions to the individual on requesting such reports or service from the covered entity;</text> </clause>
<clause id="H0CE6188D0A3B4B989EAC694ED0A58587"><enum>(iv)</enum><text>the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and</text> </clause> <clause id="HB95F8A53AFDA4D2D9C5B72BDE0008671"><enum>(v)</enum><text>a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.</text> </clause></subparagraph>
<subparagraph id="HD38484EDAF2E4856917B16155D5ADC76"><enum>(B)</enum><header>Direct business relationship</header><text>Regardless of whether the covered entity or a designated third party provides notification under this subsection, such notification shall identify the covered entity that has a direct business relationship with the individual.</text> </subparagraph></paragraph> <paragraph commented="no" id="H977389A5824C4D87B7898F537B943817"><enum>(5)</enum><header>Regulations for substitute notification</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall, by regulation under section 553 of title 5, United States Code—</text> 
<subparagraph commented="no" id="HA8D7B8AF8A9549B38D426F0257D30B22"><enum>(A)</enum><text>establish criteria for determining circumstances under which substitute notification may be provided in lieu of direct notification required by paragraph (1), including criteria for determining if notification under paragraph (1) is not feasible due to excessive costs to the covered entity required to provide such notification relative to the resources of such covered entity; and</text> </subparagraph> <subparagraph commented="no" id="H453DEEBCE1F34580986F4038D8B49744"><enum>(B)</enum><text>establish the form and content of substitute notification.</text> </subparagraph></paragraph></subsection>
<subsection id="HF074D58254B3412EA7D10A512EE32A45"><enum>(d)</enum><header>Notification for law enforcement and other purposes</header><text>A covered entity shall, as expeditiously as practicable and without unreasonable delay, but not later than 14 days following the discovery of a breach of security, provide notification of the breach to—</text> <paragraph id="H57EF46CDB4944BFFAE8CF7BDD2769CA2"><enum>(1)</enum><text>the Commission;</text> </paragraph>
<paragraph id="H7C83100AE1CA4DD6B1C4C04C2EB575E3"><enum>(2)</enum><text>the Federal Bureau of Investigation;</text> </paragraph> <paragraph id="HCE6219290D574B7BACEF480A8A420DA2"><enum>(3)</enum><text>the Secret Service;</text> </paragraph>
<paragraph id="H3DA0BDB43DFE4DB28769D429B2684B5D"><enum>(4)</enum><text>for common carriers, the Federal Communications Commission;</text> </paragraph> <paragraph id="H3F909300E7D948908725E85274E34006"><enum>(5)</enum><text display-inline="yes-display-inline">the Consumer Financial Protection Bureau; and</text> </paragraph>
<paragraph id="H47101C56B42F4413AC821555CFCC38C5"><enum>(6)</enum><text>the attorney general of each State in which the personal information of a resident or residents of the State was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, or used for an unauthorized purpose.</text> </paragraph></subsection> <subsection id="HD8671CC00D20438CA8A98328764DD184"><enum>(e)</enum><header>Other obligations following breach</header> <paragraph id="H8AA1D4EED6494035A9D950B6A67095CC"><enum>(1)</enum><header>In general</header><text>A covered entity required to provide notification under subsection (a) shall, upon request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual—</text> 
<subparagraph id="H7CD329039BE24403B049967E4F343C28"><enum>(A)</enum><text>consumer credit reports from the major credit reporting agencies beginning not later than 60 days following the individual’s request and continuing on a quarterly basis for a period of 5 years thereafter; or</text> </subparagraph> <subparagraph id="H19EB96C9C0E3447F9F13D523FF845652"><enum>(B)</enum><text>a credit monitoring or other service that enables consumers to detect the misuse of their personal information, beginning not later than 60 days following the individual’s request and continuing for a period of 5 years.</text> </subparagraph></paragraph>
<paragraph id="H7979458E8F9943A8B6B0FCC20F3F23F7"><enum>(2)</enum><header>Rulemaking</header><text>As part of the Commission’s rulemaking described in subsection (c)(5), the Commission shall determine the circumstances under which a covered entity required to provide notification under subsection (a) shall provide or arrange for the provision of free consumer credit reports or credit monitoring or other service to affected individuals.</text> </paragraph></subsection> <subsection id="H3D008A16ADAC4D67868ECFC67EFB3FE9"><enum>(f)</enum><header>Website notification of Federal Trade Commission</header><text>If the Commission, upon receiving notification of any breach of security that is reported to the Commission under subsection (d)(1), finds that notification of such a breach of security via the Commission’s Internet website would be in the public interest or for the protection of consumers, the Commission shall place such a notification in a clear and conspicuous location on its Internet website.</text> </subsection>
<subsection id="H5790584E738743F3BE71BC72445BD8EF"><enum>(g)</enum><header>Website notification of State attorneys general</header><text>If a State attorney general, upon receiving notification of any breach of security that is reported to the Commission under subsection (d)(5), finds that notification of such a breach of security through the State attorney general’s Internet website would be in the public interest or for the protection of consumers, the State attorney general shall place such a notification in a clear and conspicuous location on its Internet website.</text> </subsection> <subsection id="HA050BCE57C0B4535BD5934BBAAEF3163"><enum>(h)</enum><header>FTC study on notification in languages in addition to English</header><text>Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the practicality and cost effectiveness of requiring the notification required by subsection (c)(1) to be provided in a language in addition to English to individuals known to speak only such other language.</text> </subsection>
<subsection id="HD2F55AF79CD943789A716C6C8184C084"><enum>(i)</enum><header>Education and outreach for small businesses</header><text>The Commission shall conduct education and outreach for small business concerns on data security practices and how to prevent hacking and other unauthorized access to, acquisition of, or use of data maintained by such small business concerns.</text> </subsection> <subsection id="H01C97171A3BF4D9FB1BED4E840BA9D86"><enum>(j)</enum><header>Website on data security best practices</header><text>The Commission shall establish and maintain an Internet website containing non-binding best practices for businesses regarding data security and how to prevent hacking and other unauthorized access to, acquisition of, or use of data maintained by such businesses.</text> </subsection>
<subsection id="HD850A1DFF5174218A74AC8B2F3061F72"><enum>(k)</enum><header>General rulemaking authority</header> 
<paragraph id="H008423E35AD7464CB38E5728600CFA09"><enum>(1)</enum><header>In general</header><text>The Commission may promulgate regulations necessary under section 553 of title 5, United States Code, to effectively enforce the requirements of this section.</text> </paragraph> <paragraph id="H71CC19B03D3E46B69C017CD555C5356B"><enum>(2)</enum><header>Limitation</header><text>In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.</text> </paragraph></subsection>
<subsection id="H8A1CF16530F54F45BC825E0DC0C34B8C"><enum>(l)</enum><header>Treatment of persons governed by other law</header><text>A covered entity who is in compliance with any other Federal law that requires such covered entity to provide notification to individuals following a breach of security, shall be deemed to be in compliance with this section with respect to activities and information covered under such Federal law.</text> </subsection></section> <section id="H97C7C6C632964CF8B5162AF52A23B8D8"><enum>4.</enum><header>Application and enforcement</header> <subsection id="H65EB500433A547BD8F75EB74A7C87D10"><enum>(a)</enum><header>Enforcement by the Federal Trade Commission</header> <paragraph id="HC6A46E5B1B98402E98C6DD0A39C33FCE"><enum>(1)</enum><header>Unfair or deceptive acts or practices</header><text>A violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>) regarding unfair or deceptive acts or practices and shall be subject to enforcement by the Commission under that Act with respect to any covered entity. All of the functions and powers of the Commission under the Federal Trade Commission Act are available to the Commission to enforce compliance by any person with the requirements imposed under this title, irrespective of whether that person is engaged in commerce or meets any other jurisdictional tests under the Federal Trade Commission Act.</text> </paragraph>
<paragraph id="H499769B54D764C3DB918FCDC3ACCF796"><enum>(2)</enum><header>Coordination with Federal Communications Commission</header><text>Where enforcement relates to entities subject to the authority of the Federal Communications Commission, enforcement actions by the Commission will be coordinated with the Federal Communications Commission.</text> </paragraph> <paragraph id="H452F314DBD314B61A32EA082B55C2ABF"><enum>(3)</enum><header>Coordination with Consumer Financial Protection Bureau</header><text>Where enforcement relates to financial information or information associated with the provision of financial products or services, enforcement actions by the Commission will be coordinated with the Consumer Financial Protection Bureau.</text> </paragraph></subsection>
<subsection id="H76BA06456E4E4C31A471BC4CEBE901DB"><enum>(b)</enum><header>Enforcement by State attorneys general</header> 
<paragraph commented="no" id="H5757331383904F8090F0BB8AE4BC867F"><enum>(1)</enum><header>In general</header><text>If the chief law enforcement officer of a State, or an official or agency designated by a State, has reason to believe that any covered entity has violated or is violating section 2 or 3 of this Act, the attorney general, official, or agency of the State, in addition to any authority it may have to bring an action in State court under its consumer protection law, may bring a civil action in any appropriate United States district court or in any other court of competent jurisdiction, including a State court, to—</text> <subparagraph commented="no" id="HEFD2DF94E0324CF99E32BE3DBA0D71EB"><enum>(A)</enum><text>enjoin further such violation by the defendant;</text> </subparagraph>
<subparagraph commented="no" id="H11E7ACD5956B43E58AE227A39A1FCA02"><enum>(B)</enum><text>enforce compliance with such section;</text> </subparagraph> <subparagraph commented="no" id="HF6C509D12D7C4BF882FA2F5EBE3ABFF0"><enum>(C)</enum><text>obtain civil penalties in the amount determined under paragraph (2); and</text> </subparagraph>
<subparagraph commented="no" id="HA14A4C5EDCF549DBA81788F1D3763F38"><enum>(D)</enum><text>obtain damages, restitution, or other compensation on behalf of residents of the State.</text> </subparagraph></paragraph> <paragraph id="HD3095C255CF344AEA402C89355EC54DB"><enum>(2)</enum><header>Civil penalties</header> <subparagraph id="HAA17373D744E4B768B228A15C2902DEB"><enum>(A)</enum><header>Calculation</header> <clause id="HD55B677EB614404E8E698C4324F237D4"><enum>(i)</enum><header>Treatment of violations of section 2</header><text display-inline="yes-display-inline">For purposes of paragraph (1)(C) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of days that a covered entity is not in compliance with such section by an amount to be determined by the Commission. Such amount determined by the Commission shall be adjusted as described in the Federal Civil Penalties Inflation Adjustment Act of 1990 (<external-xref legal-doc="public-law" parsable-cite="pl/101/410">Public Law 101–410</external-xref>; <external-xref legal-doc="usc" parsable-cite="usc/28/2461">28 U.S.C. 2461</external-xref> note).</text> </clause>
<clause id="HEB2E91912A204180BB20E03C8A6CF25D"><enum>(ii)</enum><header>Treatment of violations of section 3</header><text display-inline="yes-display-inline">For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount to be determined by the Commission. Each failure to send notification as required under section 3 to a citizen or resident of the United States shall be treated as a separate violation.</text> </clause></subparagraph> <subparagraph id="HD38F81C7B7874227A0BE2E96F8C915F6"><enum>(B)</enum><header>Adjustment for inflation</header><text>Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amounts specified in clauses (i) and (ii) of subparagraph (A) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.</text> </subparagraph></paragraph>
<paragraph id="HAF63E15819F747848FD50293A90DA1D9"><enum>(3)</enum><header>Notice and intervention by the FTC</header> 
<subparagraph id="H0BE689B07EF04DBC8CB0BA06FFC7C941"><enum>(A)</enum><text>The attorney general of a State shall provide prior written notice of any action under paragraph (1) to the Commission and provide the Commission with a copy of the complaint in the action, except in any case in which such prior notice is not feasible, in which case the attorney general shall serve such notice immediately upon instituting such action. The Commission shall have the right—</text> <clause id="H442A5437381546D3B8832FEC7FF073D0"><enum>(i)</enum><text>to intervene in the action;</text> </clause>
<clause id="H27F2583212F54025838807A5E702B6E6"><enum>(ii)</enum><text>upon so intervening, to be heard on all matters arising therein; and</text> </clause> <clause id="H48F679D7D7674C3A8D72921B2FBAC21B"><enum>(iii)</enum><text>to file petitions for appeal.</text> </clause></subparagraph>
<subparagraph id="HEBBE9337605F406BACA355A81D1AF791"><enum>(B)</enum><header>Limitation on State action while Federal action is pending</header><text>If the Commission has instituted a civil action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.</text> </subparagraph></paragraph> <paragraph id="HC68D2A17886C46FD898C16D99680B1C8"><enum>(4)</enum><header>Relationship with State-law claims</header><text>If the attorney general of a State has authority to bring an action under State law directed at acts or practices that also violate this Act, the attorney general may assert the State-law claim and a claim under this Act in the same civil action.</text> </paragraph></subsection></section>
<section id="H64871AB38487485EA78015C14B2697C9"><enum>5.</enum><header>Definitions</header><text display-inline="no-display-inline">In this Act:</text> <paragraph id="HBE2F4AB6F065412E87F8AE20504CEA90"><enum>(1)</enum><header>Breach of security</header><text>The term <term>breach of security</term> means unauthorized access to, acquisition of, sale of, or use of data containing personal information.</text> </paragraph>
<paragraph id="H068FE0BC0BB04CCA9B2C4D016EFEA8E7"><enum>(2)</enum><header>Commission</header><text>The term <term>Commission</term> means the Federal Trade Commission.</text> </paragraph> <paragraph id="H8ABBAE7BAC4D4C8EB11CE27FA6678493"><enum>(3)</enum><header>Covered entity</header><text>The term <term>covered entity</term> means—</text> 
<subparagraph id="HC7FE89B91BEB40B38C381C253CE1160C"><enum>(A)</enum><text>any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>);</text> </subparagraph> <subparagraph id="H3659E9D4116F40E39063FC45D2195943"><enum>(B)</enum><text>notwithstanding section 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>), common carriers subject to the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/151">47 U.S.C. 151</external-xref> et seq.); and</text> </subparagraph>
<subparagraph id="HAC61B18A636A43AE92B303EB85AE0C19"><enum>(C)</enum><text>notwithstanding sections 4 and 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/44">15 U.S.C. 44</external-xref> and 45(a)(2)), any non-profit organization, including any organization described in <external-xref legal-doc="usc" parsable-cite="usc/26/501">section 501(c)</external-xref> of the Internal Revenue Code of 1986 that is exempt from taxation under <external-xref legal-doc="usc" parsable-cite="usc/26/501">section 501(a)</external-xref> of the Internal Revenue Code of 1986.</text> </subparagraph></paragraph> <paragraph id="H0AC0ECAA73FD4B23A6CF4178D3E0F165"><enum>(4)</enum><header>Personal information</header> <subparagraph id="H495994C21A41444897008F1B98F3CB4B"><enum>(A)</enum><header>Definition</header><text>The term <term>personal information</term> means any information or compilation of information that includes any of the following:</text> 
<clause id="H4A206BFAFC694E60ACC9A2CB4CE68413"><enum>(i)</enum><text>An individual’s first name or initial and last name in combination with any of the following data elements for that individual:</text> <subclause id="H6480D949104447CC9E8B480D8F1EE57B"><enum>(I)</enum><text>Home address or telephone number.</text> </subclause>
<subclause id="HB931CAC0AD9C4EB1A3CB16A90D35ED63"><enum>(II)</enum><text>Mother’s maiden name.</text> </subclause> <subclause id="H48D2ABE5802041A6A986CE425D88C705"><enum>(III)</enum><text>Month, day, and year of birth.</text> </subclause>
<subclause id="H3042D3218A07482BB74AE2ED11B010E3"><enum>(IV)</enum><text>User name or electronic mail address.</text> </subclause></clause> <clause id="H1DEF1F04AC1F44119FBB5FB2041311DA"><enum>(ii)</enum><text>Driver’s license number, passport number, military identification number, alien registration number, or other similar number issued on a government document used to verify identity.</text> </clause>
<clause id="H4019B82BF5AA4909BBDEFF2130124BD6"><enum>(iii)</enum><text>Unique account identifier, including a financial account number, or credit or debit card number, electronic identification number, user name, or routing code.</text> </clause> <clause id="HCAD6917109F947F0862AEF760C454499"><enum>(iv)</enum><text>Partial or complete Social Security number.</text> </clause>
<clause id="H3E6641E007A74467A2BD4C7FE3BB251E"><enum>(v)</enum><text>Unique biometric or genetic data such as a fingerprint, voice print, a retina or iris image, or any other unique physical representations.</text> </clause> <clause id="H21B25C81E3714D508B31775DFAA0A994"><enum>(vi)</enum><text>Information that could be used to access an individual’s account, such as user name and password or e-mail address and password.</text> </clause>
<clause id="H97613B7FA23B4B4E991497E73656E155"><enum>(vii)</enum><text>Any two or more of the following data elements:</text> <subclause id="HB6ED9BF20FAE42D49C8047BB2B1C4E36"><enum>(I)</enum><text>An individual’s first and last name or first initial and last name.</text> </subclause>
<subclause id="H3FE6D04FE82144339596CBCE961C4F51"><enum>(II)</enum><text>A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code.</text> </subclause> <subclause id="H9A6DEA11C3A44EFBBD70C16F57E07E42"><enum>(III)</enum><text>Any security code, access code, or password, or source code that could be used to generate such codes or passwords.</text> </subclause></clause>
<clause id="HFF49541F40204979A79FC4374DCDF815"><enum>(viii)</enum><text>Information generated or derived from the operation or use of an electronic communications device that is sufficient to identify the street name and name of the city or town in which the device is located.</text> </clause> <clause id="H08AA1BBC401D42CFB1DA50C081483A94"><enum>(ix)</enum><text>Any information regarding an individual’s medical history, mental or physical condition, medical treatment or diagnosis by a health care professional, or the provision of health care to the individual, including health information provided to a website or mobile application.</text> </clause>
<clause id="HED545A078D714B799AD8E4ACA45099CF"><enum>(x)</enum><text>A health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual, or any information in an individual’s health insurance application and claims history, including any appeals records.</text> </clause> <clause id="H0611F947957A4FF0A80B3693B432C69F"><enum>(xi)</enum><text>Digitized or other electronic signature.</text> </clause>
<clause id="H0EFD1CAED82F42CA9145428B6BADD90F"><enum>(xii)</enum><text>Nonpublic communications or other user-created content such as emails, photographs, or videos.</text> </clause> <clause id="H18AB9F63AAEB4A0990C3ED092DB14999"><enum>(xiii)</enum><text>Any record or information concerning payroll, income, financial accounts, mortgages, loans, lines of credit, utility bills, accumulated purchases, or any other information regarding financial assets, obligations, or spending habits.</text> </clause>
<clause id="H6DBB5D12AD33486C91BD07E30C3B5E2B"><enum>(xiv)</enum><text>Any additional element the Commission defines as personal information.</text> </clause></subparagraph> <subparagraph id="HBEC2AB5428C64E1DA52C2F6D750A5185"><enum>(B)</enum><header>Modified definition by rulemaking</header><text>The Commission may, by rule promulgated under section 553 of title 5, United States Code, modify the definition of <quote>personal information</quote> under subparagraph (A).</text> </subparagraph></paragraph>
<paragraph id="H7F4DD93BCB9748D29F18446DB3C86B9D"><enum>(5)</enum><header>State</header><text>The term <term>State</term> means each of the several States, the District of Columbia, the Commonwealth of Puerto Rico, Guam, American Samoa, the United States Virgin Islands, the Commonwealth of the Northern Mariana Islands, any other territory or possession of the United States, and each federally recognized Indian tribe.</text> </paragraph></section> <section id="HFB31FEF65204431AB7ED4507342904D7"><enum>6.</enum><header>Effect on other laws</header> <subsection id="HCCAFF70C719D4E0BB64938505F73A33B"><enum>(a)</enum><header>Effect on State data security and breach notification laws</header><text>This Act supersedes any provision of a statute or regulation of a State or political subdivision of a State, with respect to a covered entity, that expressly—</text> 
<paragraph id="H56C60570C06C4E20926F5225B7FE6740"><enum>(1)</enum><text>requires information security practices for the treatment and protection of personal information similar to any of those required under section 2; or</text> </paragraph> <paragraph id="H84E752580D854447BA8C8F5BAB0B6E81"><enum>(2)</enum><text>requires notification to individuals of a breach of security of personal information.</text> </paragraph></subsection>
<subsection id="H5D034021C0B44E7BACE8313DFE53E8DD"><enum>(b)</enum><header>Effect on other State laws</header><text>Nothing in this Act shall be construed to—</text> <paragraph id="H92C61286094F401289BA07D1D8B9FDCE"><enum>(1)</enum><text>preempt or limit any provision of any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State, including any State consumer protection law, any State law relating to acts of fraud or deception, and any State trespass, contract, or tort law;</text> </paragraph>
<paragraph id="H122304AE74284917A8E0790FBC201E5E"><enum>(2)</enum><text>prevent or limit the attorney general of a State from exercising the powers conferred upon the attorney general by the laws of the State, including conducting investigations, administering oaths or affirmations, or compelling the attendance of witnesses or the production of documentary and other evidence; or</text> </paragraph> <paragraph id="H269BA3366F744C339F8D68FADF5C9D91"><enum>(3)</enum><text>preempt or limit any provision of any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State with respect to any person that is not a covered entity.</text> </paragraph></subsection>
<subsection id="HFA3EAB688B84434A9D3074F8FD969198"><enum>(c)</enum><header>Preservation of authority</header> 
<paragraph id="H5811CB60F18F41F4873E4600A5441AC9"><enum>(1)</enum><header>Federal Trade Commission</header><text>Nothing in this Act may be construed in any way to limit the Commission’s authority under any other provision of law.</text> </paragraph> <paragraph id="HA01E0B15FCBF46A590F31ABD3935ECC7"><enum>(2)</enum><header>Federal Communications Commission</header><text>Nothing in this Act may be construed in any way to limit or affect the Federal Communications Commission’s authority under any other provision of law.</text> </paragraph>
<paragraph id="HCA5A89737985432D81F8F74F9E1280D9"><enum>(3)</enum><header>Consumer Financial Protection Bureau</header><text>Nothing in this Act may be construed in any way to limit or affect the Consumer Financial Protection Bureau’s authority under any other provision of law.</text> </paragraph></subsection></section> <section id="H14187A4702C64624857AC181CD56E2B7"><enum>7.</enum><header>Effective date</header><text display-inline="no-display-inline">This Act shall take effect 90 days after the date of enactment of this Act.</text> </section>
</legis-body>
</bill> 


