Personal Data Notification and Protection Act of 2015 2015-03-26 Introduced in House Personal Data Notification and Protection Act of 2015

Requires certain businesses that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period to notify individuals whose information is believed to have been accessed or acquired through a discovered security breach.

Directs businesses, within 30 days after discovery of a breach, to notify: (1) affected individuals by mail, telephone, or email; and (2) major media outlets if the number of affected residents of a state exceeds 5,000. Allows the Federal Trade Commission (FTC) to extend the notification period if a business seeks additional time.

Requires the Department of Homeland Security (DHS) to designate a federal government entity to receive notices about security incidents, threats, and vulnerabilities. Directs businesses to notify the DHS-designated entity, and requires the DHS-designated entity to then notify the U.S. Secret Service, the Federal Bureau of Investigation (FBI), and the FTC, if a security breach affects: (1) more than 5,000 individuals, (2) a database that contains the sensitive information of more than 500,000 individuals, (3) federal government databases, or (4) federal employees or contractors involved in national security or law enforcement. Requires the DHS-designated entity to also make the information available to other appropriate federal agencies for law enforcement, national security, or computer security purposes.

Authorizes the Secret Service or the FBI to require businesses to delay or exempt individuals from notifications for national security or law enforcement purposes.

Requires businesses to notify consumer reporting agencies if more than 5,000 individuals must be notified of a breach.

Exempts a business from individual notification requirements if the business: (1) conducts and notifies the FTC of a risk assessment finding no reasonable risk that a breach resulted in, or will result in, harm to the affected individuals, provided that the FTC is given 10 days to determine whether individual notification should be provided before the exemption automatically becomes effective; or (2) uses or participates in a security program that blocks the use of certain sensitive personal information to initiate financial transactions if the program also notifies affected individuals after a breach that results in fraud or unauthorized transactions.

Sets forth authority for the FTC and states to enforce against violations of this Act.

Amends the federal criminal code to extend extraterritorially the application of penalties for fraud offenses involving an access device issued, owned, managed, or controlled by a financial institution, credit card system member, or other entity organized under the laws of the United States or any U.S. state or territory. (An access device is any card, code, electronic serial number, telecommunications service, or other means of account access that can be used to initiate a transfer of funds or to obtain money, goods, or services.) Removes a condition under current law that subjects a person to such penalties only if the underlying articles, property, or proceeds are held within or have transferred through U.S. jurisdiction.

]]> text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain. Congressional Research Service, Library of Congress This file contains bill summaries for federal legislation. A bill summary describes the most significant provisions of a piece of legislation and details the effects the legislative text may have on current law and federal programs. Bill summaries are authored by the Congressional Research Service (CRS) of the Library of Congress. As stated in Public Law 91-510 (2 USC 166 (d)(6)), one of the duties of CRS is "to prepare summaries and digests of bills and resolutions of a public general nature introduced in the Senate or House of Representatives". For more information, refer to the User Guide that accompanies this file.