
	
		I
		112th CONGRESS
		1st Session
		H. R. 2577
		IN THE HOUSE OF REPRESENTATIVES
		
			July 18, 2011
			Mrs. Bono Mack introduced the following bill; which was referred to the Committee on Energy and Commerce
		
		A BILL
		To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.
	
	
		1. Short title. This Act may be cited as the “Secure and Fortify Electronic Data Act” or the “SAFE Data Act”.
		2. Requirements for information security.
			(a) General security policies and procedures.
				(1) Regulations. Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require any person engaged in interstate commerce that owns or possesses data containing personal information related to that commercial activity, including an information broker and any third party that has contracted with such person to maintain or process such data on behalf of such person, to establish and implement reasonable policies and procedures regarding information security practices for the treatment and protection of personal information, taking into consideration—
					(A) the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
					(B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
					(C) the cost of implementing such safeguards.
				(2) Data security requirements. Such regulations shall, taking into consideration the quantity, type, nature, and sensitivity of the personal information, require the policies and procedures to include the following:
					(A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.
					(B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
					(C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in each system maintained by such person that contains such data, which shall include regular monitoring to detect a breach of security of each such system.
					(D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and to the architecture and installation of network or operating software.
					(E) A process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable.
					(F) A standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.
			(b) Data minimization requirements. A person subject to the requirements under subsection (a) shall establish a plan and procedures for minimizing the amount of personal information maintained by such person. Such plan and procedures shall provide for the retention of such personal information only as reasonably needed for the business purposes of such person or as necessary to comply with any legal obligation.
			(c) Exemption for certain service providers. Nothing in this section shall apply to a service provider for any electronic communication by a third party that is transmitted, routed, or stored in intermediate or transient storage by such service provider.
		3. Notification and other requirements in the event of a breach of security.
			(a) Requirements in the event of a breach of security. Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information related to that commercial activity, following the discovery of a breach of security of any system maintained by such person that contains such data, shall, without unreasonable delay—
				(1) notify appropriate Federal law enforcement officials of the breach of security, unless such person determines that the breach involved no unlawful activity;
				(2) take such steps necessary to prevent further breach or unauthorized disclosures;
				(3) identify affected individuals whose personal information may have been acquired or accessed; and
				(4) not later than 48 hours after identifying affected individuals under paragraph (3), unless the person makes a reasonable determination that the breach of security presents no reasonable risk of identity theft, fraud, or other unlawful conduct affecting such individuals, notify—
					(A) the Commission; and
					(B) as promptly as possible, subject to subsection (c), each individual who is a citizen or resident of the United States whose personal information is known to have been acquired or accessed as a result of such a breach of security.
			(b) Special Notification Requirements.
				(1) Third party agents. In the event of a breach of security of any third party entity that has contracted with a person to maintain or process data in electronic form containing personal information on behalf of such person, such third party entity shall—
					(A) take the actions required under paragraphs (1) and (2) of subsection (a); and
					(B) notify as promptly as possible such person of the breach of security.
				Upon receiving notification from the third party entity under subparagraph (B), such person shall take the actions required under paragraphs (3) and (4) of subsection (a).
				(2) Service providers. If a service provider becomes aware of a breach of security of data in electronic form containing personal information that is owned or possessed by another person engaged in interstate commerce that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data in connection with that commercial activity, such service provider shall—
					(A) take the actions required under paragraphs (1) and (2) of subsection (a); and
					(B) notify only the person who initiated such connection, transmission, routing, or storage, of the breach of security, if such person can be reasonably identified.
				Upon receiving such notification from a service provider, such person shall take the action required under paragraphs (3) and (4) of subsection (a).
				(3) Coordination of notification with credit reporting agencies. If a person is required to provide notification to more than 5,000 individuals under subsection (a)(4)(B), the person shall also notify the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing and distribution of the notices. Such notice shall be given to the credit reporting agencies without unreasonable delay and, if it will not delay notice to the affected individuals, prior to the distribution of notices to the affected individuals.
			(c) Timing and Delay of Notification Authorized for Law Enforcement or National Security Purposes.
				(1) Deadline for commencing notification. Except as provided under paragraph (2) or (3), a person required to provide notification to individuals of a breach of security pursuant to subsection (a)(4)(B) shall begin to notify such individuals not later than 45 days after discovery of such breach.
				(2) Law enforcement. If a Federal law enforcement agency determines that the notification required under subsection (a)(4)(B) would impede a civil or criminal investigation, such notification shall be delayed upon the request of the law enforcement agency for 30 days or such lesser period of time that the law enforcement agency determines is reasonably necessary. The law enforcement agency shall follow up such a request in writing. A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.
				(3) National security. If a Federal national security agency or homeland security agency determines that the notification required under subsection (a)(4)(B) would threaten national or homeland security, such notification may be delayed for a period of time that the national security agency or homeland security agency determines is reasonably necessary. The national security agency or homeland security agency shall follow up such a request in writing. A Federal national security agency or homeland security agency may revoke such delay or extend the period of time set forth in the original request made under this paragraph by a subsequent written request if further delay is necessary.
			(d) Method and Content of Notification.
				(1) Direct notification.
					(A) Method of notification. A person required to provide notification to individuals under subsection (a)(4)(B) shall be in compliance with such requirement if the person provides a conspicuous and clearly identified notification by one of the following methods (provided the selected method can reasonably be expected to reach the intended individual):
						(i) Written notification.
						(ii) Notification by email or other electronic means, if—
							(I) the person’s primary method of communication with the individual is by email or such other electronic means; or
							(II) the individual has consented to receive such notification and the notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001).
					(B) Content of notification. Regardless of the method by which notification is provided to an individual under subparagraph (A), such notification shall include—
						(i) a description of the personal information that may have been acquired or accessed by an unauthorized person;
						(ii) a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the breach of security or the information the person maintained about that individual;
						(iii) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions to the individual on requesting such reports or service from the person, except when the only information which has been the subject of the security breach is the individual’s first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code;
						(iv) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and
						(v) a toll-free telephone number and website address for the Commission whereby the individual may obtain information regarding identity theft.
				(2) Substitute notification.
					(A) Circumstances giving rise to substitute notification. A person required to provide notification to individuals under subsection (a)(4)(B) may provide substitute notification in lieu of the direct notification required by paragraph (1) if the person owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals and such direct notification is not feasible due to—
						(i) excessive cost to the person required to provide such notification relative to the resources of such person, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A); or
						(ii) lack of sufficient contact information for the individual required to be notified.
					(B) Form of substitute notification. Such substitute notification shall include—
						(i) email notification to the extent that the person has email addresses of individuals to whom it is required to provide notification under subsection (a)(4)(B);
						(ii) a conspicuous notice on the website of the person (if such person maintains a website); and
						(iii) notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired or accessed reside.
					(C) Content of substitute notice. Each form of substitute notice under this paragraph shall include—
						(i) notice that individuals whose personal information is included in the breach of security are entitled to receive, at no cost to the individuals, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions on requesting such reports or service from the person, except when the only information which has been the subject of the security breach is the individual’s first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code; and
						(ii) a telephone number by which an individual can, at no cost to such individual, learn whether that individual’s personal information is included in the breach of security.
				(3) Regulations and guidance.
					(A) Regulations. Not later than 1 year after the date of enactment of this Act, the Commission shall, by regulation under section 553 of title 5, United States Code, establish criteria for determining circumstances under which substitute notification may be provided under paragraph (2), including criteria for determining if notification under paragraph (1) is not feasible due to excessive costs to the person required to provide such notification relative to the resources of such person. Such regulations may also identify other circumstances where substitute notification would be appropriate for any person, including circumstances under which the cost of providing notification exceeds the benefits to consumers.
					(B) Guidance. In addition, the Commission shall provide and publish general guidance with respect to compliance with this subsection. Such guidance shall include—
						(i) a description of written or email notification that complies with the requirements of paragraph (1); and
						(ii) guidance on the content of substitute notification under paragraph (2), including the extent of notification to print and broadcast media that complies with the requirements of such paragraph.
			(e) Other Obligations Following Breach.
				(1) In general. A person required to provide notification under subsection (a)(4)(B) shall, in accordance with the determination described in paragraph (3), upon request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual—
					(A) consumer credit reports from at least one of the major credit reporting agencies beginning not later than 60 days following the individual’s request and continuing on a quarterly basis for a period of 2 years thereafter; or
					(B) a credit monitoring or other service that enables consumers to detect the misuse of their personal information, beginning not later than 60 days following the individual’s request and continuing for a period of 2 years.
				(2) Limitation. This subsection shall not apply if the only personal information which has been the subject of the security breach is the individual’s first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code.
				(3) Rulemaking. As part of the Commission’s rulemaking described in subsection (d)(3), the Commission shall determine the circumstances under which a person required to provide notification under subsection (a)(4)(B) shall provide or arrange for the provision of free consumer credit reports or credit monitoring or other service to affected individuals.
			(f) Presumption concerning data in certain forms.
				(1) In general. If the data in electronic form containing personal information is unusable, unreadable, or indecipherable to an unauthorized person by encryption or other security technology or methodology (if the method of encryption or such other technology or methodology is generally accepted by experts in the information security field), there shall be a presumption, for purposes of subsection (a)(4), that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption or other security technologies or methodologies in a specific case have been or are reasonably likely to be compromised.
				(2) Methodologies or technologies. The Commission may issue guidance to identify security methodologies or technologies that render data in electronic form unusable, unreadable, or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology in a specific case has been or is reasonably likely to be compromised. In issuing such rules or guidance, the Commission shall consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.
			(g) Website Notice of Federal Trade Commission. If the Commission, upon receiving notification of any breach of security that is reported to the Commission under subsection (a)(4)(A), finds that notification of such a breach of security available on the Commission’s website would be in the public interest or for the protection of consumers, the Commission may place such a notice in a clear and conspicuous location on such website.
			(h) FTC Study on Notification in Languages in Addition to English. Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the practicality and cost effectiveness of requiring the notification required by subsection (d)(1) to be provided in a language in addition to English to individuals known to speak only such other language.
			(i) General rulemaking authority. The Commission may promulgate regulations, pursuant to section 553 of title 5, United States Code, as necessary to effectively implement and enforce the requirements of this section.
		4. Application and Enforcement.
			(a) General application. The requirements of sections 2 and 3 apply, according to their terms, to—
				(1) those persons, partnerships, or corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
				(2) notwithstanding section 4 and section 5(a)(2) of that Act (15 U.S.C. 44 and 45(a)(2)), any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of such Code.
			(b) Enforcement by the Federal Trade Commission.
				(1) Unfair or deceptive acts or practices. A violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
				(2) Powers of commission. The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates section 2 or 3 shall be subject to the penalties and entitled to the privileges and immunities provided in that Act, except that the Commission may not assess civil penalties for a violation of section 3(a)(1).
			(c) Enforcement by State Attorneys General.
				(1) Civil action. In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any person who violates section 2 or 3 of this Act, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction—
					(A) to enjoin further violation of such section by the defendant;
					(B) to compel compliance with such section; or
					(C) to obtain civil penalties in the amount determined under paragraph (2).
				(2) Civil penalties.
					(A) Calculation.
						(i) Treatment of violations of section 2. For purposes of paragraph (1)(C) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of days that a person is not in compliance with such section by an amount not greater than $11,000.
						(ii) Treatment of violations of section 3. For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation.
					(B) Adjustment for inflation. Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is at least 1 year after the date of enactment of this Act, and each year thereafter, the amounts specified in clauses (i) and (ii) of subparagraph (A) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.
					(C) Maximum total liability. Notwithstanding the number of actions which may be brought against a person under this subsection, the maximum civil penalty for which any person may be liable under this subsection shall not exceed—
						(i) $5,000,000 for all related violations of section 2; and
						(ii) $5,000,000 for all violations of section 3 resulting from a single breach of security.
				(3) Intervention by the FTC.
					(A) Notice and intervention. The State shall provide prior written notice of any action under paragraph (1) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Commission shall have the right—
						(i) to intervene in the action;
						(ii) upon so intervening, to be heard on all matters arising therein; and
						(iii) to file petitions for appeal.
					(B) Limitation on state action while federal action is pending. If the Commission has instituted a civil action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.
				(4) Construction. For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—
					(A) conduct investigations;
					(B) administer oaths or affirmations; or
					(C) compel the attendance of witnesses or the production of documentary and other evidence.
			(d) Entities governed by HIPAA and Gramm-Leach-Bliley.
				(1) HIPAA.
					(A) Information security requirements. To the extent that the information security requirements of part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.) apply in any circumstance to a person who is subject to such part, including as applied under subtitle D of title IV of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17921 et seq.), such person shall be exempt from the requirements of section 2.
					(B) Notification requirements. To the extent that the breach notification requirements of part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.) apply in any circumstance to a person who is subject to such part, including as applied under subtitle D of title IV of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17921 et seq.), such person shall be exempt from the requirements of section 3.
				(2) Gramm-Leach-Bliley.
					(A) In general. Except as provided in subparagraph (B), a person who is subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.)—
						(i) with regard to information security requirements, shall be exempt from the requirements of section 2; and
						(ii) with regard to notification requirements, shall be exempt from the requirements of section 3.
					(B) Exception. Notwithstanding subparagraph (A), those persons subject to the jurisdiction of the Federal Trade Commission under section 505(a)(7) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805) shall be subject to the requirements of this Act. If such person is in compliance with the information security requirements of title V of such Act, such person shall be deemed in compliance with section 2 of this Act.
		5. Definitions. In this Act the following definitions apply:
			(1) Breach of security. The term “breach of security” means any unauthorized access to or acquisition of data in electronic form containing personal information.
			(2) Commission. The term “Commission” means the Federal Trade Commission.
			(3) Data in electronic form. The term “data in electronic form” means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
			(4) Encryption. The term “encryption” means the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.
			(5) Identity theft. The term “identity theft” means the unauthorized use of another person’s personal information for the purpose of engaging in commercial transactions under the name of such other person.
			(6) Information broker. The term “information broker”—
				(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and
				(B) does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party directly or through parties acting on its behalf to provide benefits for its employees or directly transact business with its customers.
			(7) Personal information.
				(A) Definition. The term “personal information” means an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
					(i) Social Security number.
					(ii) Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
					(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
				(B) Public record information. Such term does not include public record information.
				(C) Modified definition by rulemaking. The Commission may, by rule promulgated under section 553 of title 5, United States Code, modify the definition of “personal information” under subparagraph (A)—
					(i) for the purpose of section 2, to the extent that such modification is necessary to accomplish the purposes of such section as a result of changes in technology or practices and will not unreasonably impede technological innovation or otherwise adversely affect interstate commerce; and
					(ii) for the purpose of section 3, if the Commission determines that access to or acquisition of the additional data elements in the event of a breach of security would create an unreasonable risk of identity theft, fraud, or other unlawful conduct and that such modification will not unreasonably impede technological innovation or otherwise adversely affect interstate commerce.
			(8) Public record information. The term “public record information” means information about an individual that is lawfully made available to the general public from Federal, State, or local government records.
			(9) Service provider. The term “service provider” means a person that provides electronic data transmission, routing, intermediate and transient storage, or connections to its system or network, where the person providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and does not differentiate personal information from other information that such person transmits, routes, or stores, or for which such person provides connections. Any such person shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage, or connections.
		6. Relation to other laws and conforming amendments.
			(a) Preemption of State Information Security Laws. This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to any entity subject to this Act, that contains—
				(1) requirements for information security practices or treatment of data similar to those under section 2; or
				(2) requirements for notification of a breach of security similar to the notification required under section 3.
			(b) Additional Preemption.
				(1) In general. No person other than a person specified in section 4(c) may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.
				(2) Protection of consumer protection laws. This subsection shall not be construed to limit the enforcement of any State consumer protection law by an attorney general of a State.
			(c) Protection of Certain State Laws. This Act shall not be construed to preempt the applicability of—
				(1) State trespass, contract, or tort law; or
				(2) other State laws to the extent that those laws relate to acts of fraud.
			(d) Preservation of FTC Authority. Nothing in this Act may be construed in any way to limit or affect the Commission’s authority under any other provision of law.
			(e) Conforming amendment. Section 631(c)(1) of the Communications Act of 1934 (47 U.S.C. 551(c)(1)) is amended by striking “and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator”.
		7. Effective date. This Act shall take effect 1 year after the date of enactment of this Act.
		
