[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2577 Introduced in House (IH)]

112th CONGRESS
  1st Session
                                H. R. 2577

  To protect consumers by requiring reasonable security policies and 
  procedures to protect data containing personal information, and to 
    provide for nationwide notice in the event of a security breach.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 18, 2011

Mrs. Bono Mack introduced the following bill; which was referred to the 
                    Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
  To protect consumers by requiring reasonable security policies and 
  procedures to protect data containing personal information, and to 
    provide for nationwide notice in the event of a security breach.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Secure and Fortify Electronic Data 
Act'' or the ``SAFE Data Act''.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

    (a) General Security Policies and Procedures.--
            (1) Regulations.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall promulgate 
        regulations under section 553 of title 5, United States Code, 
        to require any person engaged in interstate commerce that owns 
        or possesses data containing personal information related to 
        that commercial activity, including an information broker and 
        any third party that has contracted with such person to 
        maintain or process such data on behalf of such person, to 
        establish and implement reasonable policies and procedures 
        regarding information security practices for the treatment and 
        protection of personal information, taking into consideration--
                    (A) the size of, and the nature, scope, and 
                complexity of the activities engaged in by, such 
                person;
                    (B) the current state of the art in administrative, 
                technical, and physical safeguards for protecting such 
                information; and
                    (C) the cost of implementing such safeguards.
            (2) Data security requirements.--Such regulations shall, 
        taking into consideration the quantity, type, nature, and 
        sensitivity of the personal information, require the policies 
        and procedures to include the following:
                    (A) A security policy with respect to the 
                collection, use, sale, other dissemination, and 
                maintenance of such personal information.
                    (B) The identification of an officer or other 
                individual as the point of contact with responsibility 
                for the management of information security.
                    (C) A process for identifying and assessing any 
                reasonably foreseeable vulnerabilities in each system 
                maintained by such person that contains such data, 
                which shall include regular monitoring to detect a 
                breach of security of each such system.
                    (D) A process for taking preventive and corrective 
                action to mitigate against any vulnerabilities 
                identified in the process required by subparagraph (C), 
                which may include implementing any changes to security 
                practices and to the architecture and installation of 
                network or operating software.
                    (E) A process for disposing of data in electronic 
                form containing personal information by shredding, 
                permanently erasing, or otherwise modifying the 
                personal information contained in such data to make 
                such personal information permanently unreadable or 
                indecipherable.
                    (F) A standard method or methods for the 
                destruction of paper documents and other non-electronic 
                data containing personal information.
    (b) Data Minimization Requirements.--A person subject to the 
requirements under subsection (a) shall establish a plan and procedures 
for minimizing the amount of personal information maintained by such 
person. Such plan and procedures shall provide for the retention of 
such personal information only as reasonably needed for the business 
purposes of such person or as necessary to comply with any legal 
obligation.
    (c) Exemption for Certain Service Providers.--Nothing in this 
section shall apply to a service provider for any electronic 
communication by a third party that is transmitted, routed, or stored 
in intermediate or transient storage by such service provider.

SEC. 3. NOTIFICATION AND OTHER REQUIREMENTS IN THE EVENT OF A BREACH OF 
              SECURITY.

    (a) Requirements in the Event of a Breach of Security.--Any person 
engaged in interstate commerce that owns or possesses data in 
electronic form containing personal information related to that 
commercial activity, following the discovery of a breach of security of 
any system maintained by such person that contains such data, shall, 
without unreasonable delay--
            (1) notify appropriate Federal law enforcement officials of 
        the breach of security, unless such person determines that the 
        breach involved no unlawful activity;
            (2) take such steps necessary to prevent further breach or 
        unauthorized disclosures;
            (3) identify affected individuals whose personal 
        information may have been acquired or accessed; and
            (4) not later than 48 hours after identifying affected 
        individuals under paragraph (3), unless the person makes a 
        reasonable determination that the breach of security presents 
        no reasonable risk of identity theft, fraud, or other unlawful 
        conduct affecting such individuals, notify--
                    (A) the Commission; and
                    (B) as promptly as possible, subject to subsection 
                (c), each individual who is a citizen or resident of 
                the United States whose personal information is known 
                to have been acquired or accessed as a result of such a 
                breach of security.
    (b) Special Notification Requirements.--
            (1) Third party agents.--In the event of a breach of 
        security of any third party entity that has contracted with a 
        person to maintain or process data in electronic form 
        containing personal information on behalf of such person, such 
        third party entity shall--
                    (A) take the actions required under paragraphs (1) 
                and (2) of subsection (a); and
                    (B) notify as promptly as possible such person of 
                the breach of security.
        Upon receiving notification from the third party entity under 
        subparagraph (B), such person shall take the actions required 
        under paragraphs (3) and (4) of subsection (a).
            (2) Service providers.--If a service provider becomes aware 
        of a breach of security of data in electronic form containing 
        personal information that is owned or possessed by another 
        person engaged in interstate commerce that connects to or uses 
        a system or network provided by the service provider for the 
        purpose of transmitting, routing, or providing intermediate or 
        transient storage of such data in connection with that 
        commercial activity, such service provider shall--
                    (A) take the actions required under paragraphs (1) 
                and (2) of subsection (a); and
                    (B) notify only the person who initiated such 
                connection, transmission, routing, or storage, of the 
                breach of security, if such person can be reasonably 
                identified.
        Upon receiving such notification from a service provider, such 
        person shall take the action required under paragraphs (3) and 
        (4) of subsection (a).
            (3) Coordination of notification with credit reporting 
        agencies.--If a person is required to provide notification to 
        more than 5,000 individuals under subsection (a)(4)(B), the 
        person shall also notify the major credit reporting agencies 
        that compile and maintain files on consumers on a nationwide 
        basis of the timing and distribution of the notices. Such 
        notice shall be given to the credit reporting agencies without 
        unreasonable delay and, if it will not delay notice to the 
        affected individuals, prior to the distribution of notices to 
        the affected individuals.
    (c) Timing and Delay of Notification Authorized for Law Enforcement 
or National Security Purposes.--
            (1) Deadline for commencing notification.--Except as 
        provided under paragraph (2) or (3), a person required to 
        provide notification to individuals of a breach of security 
        pursuant to subsection (a)(4)(B) shall begin to notify such 
        individuals not later than 45 days after discovery of such 
        breach.
            (2) Law enforcement.--If a Federal law enforcement agency 
        determines that the notification required under subsection 
        (a)(4)(B) would impede a civil or criminal investigation, such 
        notification shall be delayed upon the request of the law 
        enforcement agency for 30 days or such lesser period of time 
        that the law enforcement agency determines is reasonably 
        necessary. The law enforcement agency shall follow up such a 
        request in writing. A law enforcement agency may, by a 
        subsequent written request, revoke such delay or extend the 
        period of time set forth in the original request made under 
        this paragraph if further delay is necessary.
            (3) National security.--If a Federal national security 
        agency or homeland security agency determines that the 
        notification required under subsection (a)(4)(B) would threaten 
        national or homeland security, such notification may be delayed 
        for a period of time that the national security agency or 
        homeland security agency determines is reasonably necessary. 
        The national security agency or homeland security agency shall 
        follow up such a request in writing. A Federal national 
        security agency or homeland security agency may revoke such 
        delay or extend the period of time set forth in the original 
        request made under this paragraph by a subsequent written 
        request if further delay is necessary.
    (d) Method and Content of Notification.--
            (1) Direct notification.--
                    (A) Method of notification.--A person required to 
                provide notification to individuals under subsection 
                (a)(4)(B) shall be in compliance with such requirement 
                if the person provides a conspicuous and clearly 
                identified notification by one of the following methods 
                (provided the selected method can reasonably be 
                expected to reach the intended individual):
                            (i) Written notification.
                            (ii) Notification by email or other 
                        electronic means, if--
                                    (I) the person's primary method of 
                                communication with the individual is by 
                                email or such other electronic means; 
                                or
                                    (II) the individual has consented 
                                to receive such notification and the 
                                notification is provided in a manner 
                                that is consistent with the provisions 
                                permitting electronic transmission of 
                                notices under section 101 of the 
                                Electronic Signatures in Global and 
                                National Commerce Act (15 U.S.C. 7001).
                    (B) Content of notification.--Regardless of the 
                method by which notification is provided to an 
                individual under subparagraph (A), such notification 
                shall include--
                            (i) a description of the personal 
                        information that may have been acquired or 
                        accessed by an unauthorized person;
                            (ii) a telephone number that the individual 
                        may use, at no cost to such individual, to 
                        contact the person to inquire about the breach 
                        of security or the information the person 
                        maintained about that individual;
                            (iii) notice that the individual is 
                        entitled to receive, at no cost to such 
                        individual, consumer credit reports on a 
                        quarterly basis for a period of 2 years, or 
                        credit monitoring or other service that enables 
                        consumers to detect the misuse of their 
                        personal information for a period of 2 years, 
                        and instructions to the individual on 
                        requesting such reports or service from the 
                        person, except when the only information which 
                        has been the subject of the security breach is 
                        the individual's first name or initial and last 
                        name, or address, or phone number, in 
                        combination with a credit or debit card number, 
                        and any required security code;
                            (iv) the toll-free contact telephone 
                        numbers and addresses for the major credit 
                        reporting agencies; and
                            (v) a toll-free telephone number and 
                        website address for the Commission whereby the 
                        individual may obtain information regarding 
                        identity theft.
            (2) Substitute notification.--
                    (A) Circumstances giving rise to substitute 
                notification.--A person required to provide 
                notification to individuals under subsection (a)(4)(B) 
                may provide substitute notification in lieu of the 
                direct notification required by paragraph (1) if the 
                person owns or possesses data in electronic form 
                containing personal information of fewer than 1,000 
                individuals and such direct notification is not 
                feasible due to--
                            (i) excessive cost to the person required 
                        to provide such notification relative to the 
                        resources of such person, as determined in 
                        accordance with the regulations issued by the 
                        Commission under paragraph (3)(A); or
                            (ii) lack of sufficient contact information 
                        for the individual required to be notified.
                    (B) Form of substitute notification.--Such 
                substitute notification shall include--
                            (i) email notification to the extent that 
                        the person has email addresses of individuals 
                        to whom it is required to provide notification 
                        under subsection (a)(4)(B);
                            (ii) a conspicuous notice on the website of 
                        the person (if such person maintains a 
                        website); and
                            (iii) notification in print and to 
                        broadcast media, including major media in 
                        metropolitan and rural areas where the 
                        individuals whose personal information was 
                        acquired or accessed reside.
                    (C) Content of substitute notice.--Each form of 
                substitute notice under this paragraph shall include--
                            (i) notice that individuals whose personal 
                        information is included in the breach of 
                        security are entitled to receive, at no cost to 
                        the individuals, consumer credit reports on a 
                        quarterly basis for a period of 2 years, or 
                        credit monitoring or other service that enables 
                        consumers to detect the misuse of their 
                        personal information for a period of 2 years, 
                        and instructions on requesting such reports or 
                        service from the person, except when the only 
                        information which has been the subject of the 
                        security breach is the individual's first name 
                        or initial and last name, or address, or phone 
                        number, in combination with a credit or debit 
                        card number, and any required security code; 
                        and
                            (ii) a telephone number by which an 
                        individual can, at no cost to such individual, 
                        learn whether that individual's personal 
                        information is included in the breach of 
                        security.
            (3) Regulations and guidance.--
                    (A) Regulations.--Not later than 1 year after the 
                date of enactment of this Act, the Commission shall, by 
                regulation under section 553 of title 5, United States 
                Code, establish criteria for determining circumstances 
                under which substitute notification may be provided 
                under paragraph (2), including criteria for determining 
                if notification under paragraph (1) is not feasible due 
                to excessive costs to the person required to provide 
                such notification relative to the resources of such 
                person. Such regulations may also identify other 
                circumstances where substitute notification would be 
                appropriate for any person, including circumstances 
                under which the cost of providing notification exceeds 
                the benefits to consumers.
                    (B) Guidance.--In addition, the Commission shall 
                provide and publish general guidance with respect to 
                compliance with this subsection. Such guidance shall 
                include--
                            (i) a description of written or email 
                        notification that complies with the 
                        requirements of paragraph (1); and
                            (ii) guidance on the content of substitute 
                        notification under paragraph (2), including the 
                        extent of notification to print and broadcast 
                        media that complies with the requirements of 
                        such paragraph.
    (e) Other Obligations Following Breach.--
            (1) In general.--A person required to provide notification 
        under subsection (a)(4)(B) shall, in accordance with the 
        determination described in paragraph (3), upon request of an 
        individual whose personal information was included in the 
        breach of security, provide or arrange for the provision of, to 
        each such individual and at no cost to such individual--
                    (A) consumer credit reports from at least one of 
                the major credit reporting agencies beginning not later 
                than 60 days following the individual's request and 
                continuing on a quarterly basis for a period of 2 years 
                thereafter; or
                    (B) a credit monitoring or other service that 
                enables consumers to detect the misuse of their 
                personal information, beginning not later than 60 days 
                following the individual's request and continuing for a 
                period of 2 years.
            (2) Limitation.--This subsection shall not apply if the 
        only personal information which has been the subject of the 
        security breach is the individual's first name or initial and 
        last name, or address, or phone number, in combination with a 
        credit or debit card number, and any required security code.
            (3) Rulemaking.--As part of the Commission's rulemaking 
        described in subsection (d)(3), the Commission shall determine 
        the circumstances under which a person required to provide 
        notification under subsection (a)(4)(B) shall provide or 
        arrange for the provision of free consumer credit reports or 
        credit monitoring or other service to affected individuals.
    (f) Presumption Concerning Data in Certain Forms.--
            (1) In general.--If the data in electronic form containing 
        personal information is unusable, unreadable, or indecipherable 
        to an unauthorized person by encryption or other security 
        technology or methodology (if the method of encryption or such 
        other technology or methodology is generally accepted by 
        experts in the information security field), there shall be a 
        presumption, for purposes of subsection (a)(4), that no 
        reasonable risk of identity theft, fraud, or other unlawful 
        conduct exists following a breach of security of such data. Any 
        such presumption may be rebutted by facts demonstrating that 
        the encryption or other security technologies or methodologies 
        in a specific case have been or are reasonably likely to be 
        compromised.
            (2) Methodologies or technologies.--The Commission may 
        issue guidance to identify security methodologies or 
        technologies that render data in electronic form unusable, 
        unreadable, or indecipherable, that shall, if applied to such 
        data, establish a presumption that no reasonable risk of 
        identity theft, fraud, or other unlawful conduct exists 
        following a breach of security of such data. Any such 
        presumption may be rebutted by facts demonstrating that any 
        such methodology or technology in a specific case has been or 
        is reasonably likely to be compromised. In issuing such rules 
        or guidance, the Commission shall consult with relevant 
        industries, consumer organizations, and data security and 
        identity theft prevention experts and established standards 
        setting bodies.
    (g) Website Notice of Federal Trade Commission.--If the Commission, 
upon receiving notification of any breach of security that is reported 
to the Commission under subsection (a)(4)(A), finds that notification 
of such a breach of security available on the Commission's website 
would be in the public interest or for the protection of consumers, the 
Commission may place such a notice in a clear and conspicuous location 
on such website.
    (h) FTC Study on Notification in Languages in Addition to 
English.--Not later than 1 year after the date of enactment of this 
Act, the Commission shall conduct a study on the practicality and cost 
effectiveness of requiring the notification required by subsection 
(d)(1) to be provided in a language in addition to English to 
individuals known to speak only such other language.
    (i) General Rulemaking Authority.--The Commission may promulgate 
regulations, pursuant to section 553 of title 5, United States Code, as 
necessary to effectively implement and enforce the requirements of this 
section.

SEC. 4. APPLICATION AND ENFORCEMENT.

    (a) General Application.--The requirements of sections 2 and 3 
apply, according to their terms, to--
            (1) those persons, partnerships, or corporations over which 
        the Commission has authority pursuant to section 5(a)(2) of the 
        Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
            (2) notwithstanding section 4 and section 5(a)(2) of that 
        Act (15 U.S.C. 44 and 45(a)(2)), any organization described in 
        section 501(c) of the Internal Revenue Code of 1986 that is 
        exempt from taxation under section 501(a) of such Code.
    (b) Enforcement by the Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        section 2 or 3 shall be treated as an unfair and deceptive act 
        or practice in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of commission.--The Commission shall enforce 
        this Act in the same manner, by the same means, and with the 
        same jurisdiction, powers, and duties as though all applicable 
        terms and provisions of the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.) were incorporated into and made a part of 
        this Act. Any person who violates section 2 or 3 shall be 
        subject to the penalties and entitled to the privileges and 
        immunities provided in that Act, except that the Commission may 
        not assess civil penalties for a violation of section 3(a)(1).
    (c) Enforcement by State Attorneys General.--
            (1) Civil action.--In any case in which the attorney 
        general of a State, or an official or agency of a State, has 
        reason to believe that an interest of the residents of that 
        State has been or is threatened or adversely affected by any 
        person who violates section 2 or 3 of this Act, the attorney 
        general, official, or agency of the State, as parens patriae, 
        may bring a civil action on behalf of the residents of the 
        State in a district court of the United States of appropriate 
        jurisdiction--
                    (A) to enjoin further violation of such section by 
                the defendant;
                    (B) to compel compliance with such section; or
                    (C) to obtain civil penalties in the amount 
                determined under paragraph (2).
            (2) Civil penalties.--
                    (A) Calculation.--
                            (i) Treatment of violations of section 2.--
                        For purposes of paragraph (1)(C) with regard to 
                        a violation of section 2, the amount determined 
                        under this paragraph is the amount calculated 
                        by multiplying the number of days that a person 
                        is not in compliance with such section by an 
                        amount not greater than $11,000.
                            (ii) Treatment of violations of section 
                        3.--For purposes of paragraph (1)(C) with 
                        regard to a violation of section 3, the amount 
                        determined under this paragraph is the amount 
                        calculated by multiplying the number of 
                        violations of such section by an amount not 
                        greater than $11,000. Each failure to send 
                        notification as required under section 3 to a 
                        resident of the State shall be treated as a 
                        separate violation.
                    (B) Adjustment for inflation.--Beginning on the 
                date that the Consumer Price Index is first published 
                by the Bureau of Labor Statistics that is at least 1 
                year after the date of enactment of this Act, and each 
                year thereafter, the amounts specified in clauses (i) 
                and (ii) of subparagraph (A) shall be increased by the 
                percentage increase in the Consumer Price Index 
                published on that date from the Consumer Price Index 
                published the previous year.
                    (C) Maximum total liability.--Notwithstanding the 
                number of actions which may be brought against a person 
                under this subsection, the maximum civil penalty for 
                which any person may be liable under this subsection 
                shall not exceed--
                            (i) $5,000,000 for all related violations 
                        of section 2; and
                            (ii) $5,000,000 for all violations of 
                        section 3 resulting from a single breach of 
                        security.
            (3) Intervention by the ftc.--
                    (A) Notice and intervention.--The State shall 
                provide prior written notice of any action under 
                paragraph (1) to the Commission and provide the 
                Commission with a copy of its complaint, except in any 
                case in which such prior notice is not feasible, in 
                which case the State shall serve such notice 
                immediately upon instituting such action. The 
                Commission shall have the right--
                            (i) to intervene in the action;
                            (ii) upon so intervening, to be heard on 
                        all matters arising therein; and
                            (iii) to file petitions for appeal.
                    (B) Limitation on state action while federal action 
                is pending.--If the Commission has instituted a civil 
                action for violation of this Act, no State attorney 
                general, or official or agency of a State, may bring an 
                action under this subsection during the pendency of 
                that action against any defendant named in the 
                complaint of the Commission for any violation of this 
                Act alleged in the complaint.
            (4) Construction.--For purposes of bringing any civil 
        action under paragraph (1), nothing in this Act shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
    (d) Entities Governed by HIPAA and Gramm-Leach-Bliley.--
            (1) HIPAA.--
                    (A) Information security requirements.--To the 
                extent that the information security requirements of 
                part C of title XI of the Social Security Act (42 
                U.S.C. 1320d et seq.) apply in any circumstance to a 
                person who is subject to such part, including as 
                applied under subtitle D of title IV of the Health 
                Information Technology for Economic and Clinical Health 
                Act (42 U.S.C. 17921 et seq.), such person shall be 
                exempt from the requirements of section 2.
                    (B) Notification requirements.--To the extent that 
                the breach notification requirements of part C of title 
                XI of the Social Security Act (42 U.S.C. 1320d et seq.) 
                apply in any circumstance to a person who is subject to 
                such part, including as applied under subtitle D of 
                title IV of the Health Information Technology for 
                Economic and Clinical Health Act (42 U.S.C. 17921 et 
                seq.), such person shall be exempt from the 
                requirements of section 3.
            (2) Gramm-Leach-Bliley.--
                    (A) In general.--Except as provided in subparagraph 
                (B), a person who is subject to title V of the Gramm-
                Leach-Bliley Act (15 U.S.C. 6801 et seq.)--
                            (i) with regard to information security 
                        requirements, shall be exempt from the 
                        requirements of section 2; and
                            (ii) with regard to notification 
                        requirements, shall be exempt from the 
                        requirements of section 3.
                    (B) Exception.--Notwithstanding subparagraph (A), 
                those persons subject to the jurisdiction of the 
                Federal Trade Commission under section 505(a)(7) of the 
                Gramm-Leach-Bliley Act (15 U.S.C. 6805) shall be 
                subject to the requirements of this Act. If such person 
                is in compliance with the information security 
                requirements of title V of such Act, such person shall 
                be deemed in compliance with section 2 of this Act.

SEC. 5. DEFINITIONS.

    In this Act the following definitions apply:
            (1) Breach of security.--The term ``breach of security'' 
        means any unauthorized access to or acquisition of data in 
        electronic form containing personal information.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Data in electronic form.--The term ``data in electronic 
        form'' means any data stored electronically or digitally on any 
        computer system or other database and includes recordable tapes 
        and other mass storage devices.
            (4) Encryption.--The term ``encryption'' means the 
        protection of data in electronic form in storage or in transit 
        using an encryption technology that has been adopted by an 
        established standards setting body which renders such data 
        indecipherable in the absence of associated cryptographic keys 
        necessary to enable decryption of such data. Such encryption 
        must include appropriate management and safeguards of such keys 
        to protect the integrity of the encryption.
            (5) Identity theft.--The term ``identity theft'' means the 
        unauthorized use of another person's personal information for 
        the purpose of engaging in commercial transactions under the 
        name of such other person.
            (6) Information broker.--The term ``information broker''--
                    (A) means a commercial entity whose business is to 
                collect, assemble, or maintain personal information 
                concerning individuals who are not current or former 
                customers of such entity in order to sell such 
                information or provide access to such information to 
                any nonaffiliated third party in exchange for 
                consideration, whether such collection, assembly, or 
                maintenance of personal information is performed by the 
                information broker directly, or by contract or 
                subcontract with any other entity; and
                    (B) does not include a commercial entity to the 
                extent that such entity processes information collected 
                by or on behalf of and received from or on behalf of a 
                nonaffiliated third party concerning individuals who 
                are current or former customers or employees of such 
                third party to enable such third party directly or 
                through parties acting on its behalf to provide 
                benefits for its employees or directly transact 
                business with its customers.
            (7) Personal information.--
                    (A) Definition.--The term ``personal information'' 
                means an individual's first name or initial and last 
                name, or address, or phone number, in combination with 
                any 1 or more of the following data elements for that 
                individual:
                            (i) Social Security number.
                            (ii) Driver's license number, passport 
                        number, military identification number, or 
                        other similar number issued on a government 
                        document used to verify identity.
                            (iii) Financial account number, or credit 
                        or debit card number, and any required security 
                        code, access code, or password that is 
                        necessary to permit access to an individual's 
                        financial account.
                    (B) Public record information.--Such term does not 
                include public record information.
                    (C) Modified definition by rulemaking.--The 
                Commission may, by rule promulgated under section 553 
                of title 5, United States Code, modify the definition 
                of ``personal information'' under subparagraph (A)--
                            (i) for the purpose of section 2, to the 
                        extent that such modification is necessary to 
                        accomplish the purposes of such section as a 
                        result of changes in technology or practices 
                        and will not unreasonably impede technological 
                        innovation or otherwise adversely affect 
                        interstate commerce; and
                            (ii) for the purpose of section 3, if the 
                        Commission determines that access to or 
                        acquisition of the additional data elements in 
                        the event of a breach of security would create 
                        an unreasonable risk of identity theft, fraud, 
                        or other unlawful conduct and that such 
                        modification will not unreasonably impede 
                        technological innovation or otherwise adversely 
                        affect interstate commerce.
            (8) Public record information.--The term ``public record 
        information'' means information about an individual that is 
        lawfully made available to the general public from Federal, 
        State, or local government records.
            (9) Service provider.--The term ``service provider'' means 
        a person that provides electronic data transmission, routing, 
        intermediate and transient storage, or connections to its 
        system or network, where the person providing such services 
        does not select or modify the content of the electronic data, 
        is not the sender or the intended recipient of the data, and 
        does not differentiate personal information from other 
        information that such person transmits, routes, or stores, or 
        for which such person provides connections. Any such person 
        shall be treated as a service provider under this Act only to 
        the extent that it is engaged in the provision of such 
        transmission, routing, intermediate and transient storage, or 
        connections.

SEC. 6. RELATION TO OTHER LAWS AND CONFORMING AMENDMENTS.

    (a) Preemption of State Information Security Laws.--This Act 
supersedes any provision of a statute, regulation, or rule of a State 
or political subdivision of a State, with respect to any entity subject 
to this Act, that contains--
            (1) requirements for information security practices or 
        treatment of data similar to those under section 2; or
            (2) requirements for notification of a breach of security 
        similar to the notification required under section 3.
    (b) Additional Preemption.--
            (1) In general.--No person other than a person specified in 
        section 4(c) may bring a civil action under the laws of any 
        State if such action is premised in whole or in part upon the 
        defendant violating any provision of this Act.
            (2) Protection of consumer protection laws.--This 
        subsection shall not be construed to limit the enforcement of 
        any State consumer protection law by an attorney general of a 
        State.
    (c) Protection of Certain State Laws.--This Act shall not be 
construed to preempt the applicability of--
            (1) State trespass, contract, or tort law; or
            (2) other State laws to the extent that those laws relate 
        to acts of fraud.
    (d) Preservation of FTC Authority.--Nothing in this Act may be 
construed in any way to limit or affect the Commission's authority 
under any other provision of law.
    (e) Conforming Amendment.--Section 631(c)(1) of the Communications 
Act of 1934 (47 U.S.C. 551(c)(1)) is amended by striking ``and shall 
take such actions as are necessary to prevent unauthorized access to 
such information by a person other than the subscriber or cable 
operator''.

SEC. 7. EFFECTIVE DATE.

    This Act shall take effect 1 year after the date of enactment of 
this Act.