Data Security and Breach Notification Act of 2015 2017-01-03 Reported to House with amendment(s) Data Security and Breach Notification Act of 2015

This bill requires certain commercial entities regulated by the Federal Trade Commission (FTC), common carriers subject to the Communications Act of 1934, and nonprofit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to: (1) implement security measures to protect electronic information against unauthorized access and acquisition; (2) restore the integrity, security, and confidentiality of their data systems following the discovery of a security breach; and (3) determine whether there is a risk that a breach will result in identity theft, economic loss or harm, or financial fraud to individuals' personal information.

Notification of a breach must be sent to: (1) affected U.S. residents; (2) the FTC and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses and acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.

The bill establishes special procedures to coordinate notices that must be provided when: (1) a breached entity processes personal data on behalf of a non-breached entity; or (2) a provider of electronic data transmission, storage, or network connection services becomes aware of a breach.

The bill provides different sets of civil penalties that the FTC and states may impose to enforce against violations of this bill.

The FTC must educate small businesses about data security and establish an Internet website containing non-binding best practices.

The bill preempts state information security and notification laws, but does not exempt an entity from liability under common law. The bill applies to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission (FCC), except for FCC regulations that pertain solely to 9-1-1 calls.

]]> 2015-04-14 Introduced in House Data Security and Breach Notification Act of 2015

Requires certain commercial entities and non-profit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to restore the integrity, security, and confidentiality of their data systems following the discovery of a security breach.

Requires notification to: (1) affected U.S. residents when there is a reasonable risk that such a breach has resulted in, or will result in, identity theft, economic harm, or financial fraud; (2) the Federal Trade Commission (FTC) and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses or acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.

Establishes special procedures to coordinate the notices that must be provided when: (1) a breached entity processes personal data on behalf of a non-breached entity; or (2) a provider of electronic data transmission, storage, or network connection services becomes aware of a breach.

Provides authority to the FTC and states to enforce against violations of this Act.

Directs the FTC to educate small businesses about data security and establish an Internet website containing non-binding best practices.

Preempts state information security and notification laws, but does not exempt an entity from liability under common law. Provides for the requirements of this Act to apply to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission (FCC), except for FCC regulations that pertain solely to 9-1-1 calls.

]]> text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain. Congressional Research Service, Library of Congress This file contains bill summaries for federal legislation. A bill summary describes the most significant provisions of a piece of legislation and details the effects the legislative text may have on current law and federal programs. Bill summaries are authored by the Congressional Research Service (CRS) of the Library of Congress. As stated in Public Law 91-510 (2 USC 166 (d)(6)), one of the duties of CRS is "to prepare summaries and digests of bills and resolutions of a public general nature introduced in the Senate or House of Representatives". For more information, refer to the User Guide that accompanies this file.