[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[S. 1535 Introduced in Senate (IS)]

112th CONGRESS
  1st Session
                                S. 1535

  To protect consumers by mitigating the vulnerability of personally 
identifiable information to theft through a security breach, providing 
notice and remedies to consumers in the wake of such a breach, holding 
   companies accountable for preventable breaches, facilitating the 
  sharing of post-breach technical information between companies, and 
 enhancing criminal and civil penalties and other protections against 
     the unauthorized collection or use of personally identifiable 
                              information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 8, 2011

Mr. Blumenthal introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
  To protect consumers by mitigating the vulnerability of personally 
identifiable information to theft through a security breach, providing 
notice and remedies to consumers in the wake of such a breach, holding 
   companies accountable for preventable breaches, facilitating the 
  sharing of post-breach technical information between companies, and 
 enhancing criminal and civil penalties and other protections against 
     the unauthorized collection or use of personally identifiable 
                              information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Personal Data 
Protection and Breach Accountability Act of 2011''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Organized criminal activity in connection with unauthorized 
                            access to personally identifiable 
                            information.
Sec. 102. Concealment of security breaches involving sensitive 
                            personally identifiable information.
Sec. 103. Penalties for fraud and related activity in connection with 
                            computers.
Sec. 104. False notification.
Sec. 105. Unauthorized installation of personal information collection 
                            features on a user's computer.
 TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

Sec. 201. Purpose and applicability of data privacy and security 
                            program.
Sec. 202. Requirements for a personal data privacy and security 
                            program.
Sec. 203. Federal enforcement.
Sec. 204. Enforcement by State Attorneys General.
Sec. 205. Supplemental enforcement by individuals.
                Subtitle B--Security Breach Notification

Sec. 211. Notice to individuals.
Sec. 212. Exemptions from notice to individuals.
Sec. 213. Methods of notice to individuals.
Sec. 214. Content of notice to individuals.
Sec. 215. Remedies for security breach.
Sec. 216. Notice to credit reporting agencies.
Sec. 217. Notice to law enforcement.
Sec. 218. Federal enforcement.
Sec. 219. Enforcement by State attorneys general.
Sec. 220. Supplemental enforcement by individuals.
Sec. 221. Relation to other laws.
Sec. 222. Authorization of appropriations.
Sec. 223. Reporting on risk assessment exemptions.
      Subtitle C--Post-Breach Technical Information Clearinghouse

Sec. 230. Clearinghouse information collection, maintenance, and 
                            access.
Sec. 231. Protections for clearinghouse participants.
Sec. 232. Effective date.
            TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA

Sec. 301. General services administration review of contracts.
Sec. 302. Requirement to audit information security practices of 
                            contractors and third party business 
                            entities.
Sec. 303. Privacy impact assessment of government use of commercial 
                            information services containing personally 
                            identifiable information.
Sec. 304. FBI report on reported breaches and compliance.
Sec. 305. Department of Justice report on enforcement actions.
Sec. 306. Department of Justice report on enforcement actions.
Sec. 307. FBI report on notification effectiveness.
         TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

Sec. 401. Budget compliance.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) databases of personally identifiable information are 
        increasingly prime targets of hackers, identity thieves, rogue 
        employees, and other criminals, including organized and 
        sophisticated criminal operations;
            (2) identity theft is a serious threat to the Nation's 
        economic stability, homeland security, the development of e-
        commerce, and the privacy rights of Americans;
            (3) over 9,300,000 individuals were victims of identity 
        theft in America last year;
            (4) security breaches are a serious threat to consumer 
        confidence, homeland security, e-commerce, and economic 
        stability;
            (5) it is important for business entities that own, use, or 
        license personally identifiable information to adopt reasonable 
        procedures to ensure the security, privacy, and confidentiality 
        of that personally identifiable information;
            (6) individuals whose personal information has been 
        compromised or who have been victims of identity theft should 
        receive the necessary information and assistance to mitigate 
        their damages and to restore the integrity of their personal 
        information and identities;
            (7) data brokers have assumed a significant role in 
        providing identification, authentication, and screening 
        services, and related data collection and analyses for 
        commercial, nonprofit, and government operations;
            (8) data misuse and use of inaccurate data have the 
        potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government operations;
            (9) there is a need to ensure that data brokers conduct 
        their operations in a manner that prioritizes fairness, 
        transparency, accuracy, and respect for the privacy of 
        consumers;
            (10) government access to commercial data can potentially 
        improve safety, law enforcement, and national security;
            (11) because government use of commercial data containing 
        personal information potentially affects individual privacy, 
        and law enforcement and national security operations, there is 
        a need for Congress to exercise oversight over government use 
        of commercial data;
            (12) over 22,960,000 cases of data breaches involving 
        personally identifiable information were reported through July 
        of 2011, and in 2009 through 2010, over 230,900,000 cases of 
        personal data breaches were reported;
            (13) facilitating information sharing among business 
        entities and across sectors in the event of a breach can assist 
        in remediating the breach and preventing similar breaches in 
        the future;
            (14) because the Federal Government has limited resources, 
        consumers themselves play a vital and complementary role in 
        facilitating prompt notification and protecting against future 
        breaches of security;
            (15) in addition to the immediate damages caused by 
        security breaches, the lack of basic remedial requirements 
        often forces individuals whose sensitive personally 
        identifiable information is compromised as a result of a 
        security breach to incur the economic costs of litigation to 
        seek remedies, and the economic costs of fees required in many 
        States to freeze compromised accounts; and
            (16) victims of personal data breaches may suffer 
        debilitating emotional and physical effects and become 
        depressed or anxious, especially in cases of repeated or 
        unresolved instances of data breaches.

SEC. 3. DEFINITIONS.

    In this Act, the following definitions shall apply:
            (1) Affiliate.--The term ``affiliate'' means persons 
        related by common ownership or by corporate control.
            (2) Agency.--The term ``agency'' has the meaning given such 
        term in section 551 of title 5, United States Code.
            (3) Business entity.--The term ``business entity'' means 
        any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or venture 
        established to make a profit, or nonprofit.
            (4) Credit rating agency.--The term ``credit rating 
        agency'' has the meaning given such term in section 3(a)(61) of 
        the Securities Exchange Act of 1934 (12 U.S.C. 78c(a)(61)).
            (5) Credit report.--The term ``credit report'' means a 
        consumer report, as that term is defined in section 603 of the 
        Fair Credit Reporting Act (15 U.S.C. 1681a).
            (6) Data broker.--The term ``data broker'' means a business 
        entity which for monetary fees or dues regularly engages in the 
        practice of collecting, transmitting, or providing access to 
        sensitive personally identifiable information on more than 
        5,000 individuals who are not the customers or employees of 
        that business entity or affiliate primarily for the purposes of 
        providing such information to nonaffiliated third parties on an 
        interstate basis.
            (7) Data furnisher.--The term ``data furnisher'' means any 
        agency, organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or nonprofit that 
        serves as a source of information for a data broker.
            (8) Encryption.--The term ``encryption''--
                    (A) means the protection of data in electronic 
                form, in storage or in transit, using an encryption 
                technology that has been adopted by a widely accepted 
                standards setting body or, has been widely accepted as 
                an effective industry practice which renders such data 
                indecipherable in the absence of associated 
                cryptographic keys necessary to enable decryption of 
                such data; and
                    (B) includes appropriate management and safeguards 
                of such cryptographic keys so as to protect the 
                integrity of the encryption.
            (9) Identity theft.--The term ``identity theft'' means a 
        violation of section 1028(a)(7) of title 18, United States 
        Code.
            (10) Intelligence community.--The term ``intelligence 
        community'' includes the following:
                    (A) The Office of the Director of National 
                Intelligence.
                    (B) The Central Intelligence Agency.
                    (C) The National Security Agency.
                    (D) The Defense Intelligence Agency.
                    (E) The National Geospatial-Intelligence Agency.
                    (F) The National Reconnaissance Office.
                    (G) Other offices within the Department of Defense 
                for the collection of specialized national intelligence 
                through reconnaissance programs.
                    (H) The intelligence elements of the Army, the 
                Navy, the Air Force, the Marine Corps, the Federal 
                Bureau of Investigation, and the Department of Energy.
                    (I) The Bureau of Intelligence and Research of the 
                Department of State.
                    (J) The Office of Intelligence and Analysis of the 
                Department of the Treasury.
                    (K) The elements of the Department of Homeland 
                Security concerned with the analysis of intelligence 
                information, including the Office of Intelligence of 
                the Coast Guard.
                    (L) Such other elements of any other department or 
                agency as may be designated by the President, or 
                designated jointly by the Director of National 
                Intelligence and the head of the department or agency 
                concerned, as an element of the intelligence community.
            (11) Personal electronic record.--
                    (A) In general.--The term ``personal electronic 
                record'' means data associated with an individual 
                contained in a database, networked or integrated 
                databases, or other data system that is provided by a 
                data broker to nonaffiliated third parties and includes 
                personally identifiable information about that 
                individual.
                    (B) Exclusions.--The term ``personal electronic 
                record'' does not include--
                            (i) any data related to an individual's 
                        past purchases of consumer goods; or
                            (ii) any proprietary assessment or 
                        evaluation of an individual or any proprietary 
                        assessment or evaluation of information about 
                        an individual.
            (12) Personally identifiable information.--The term 
        ``personally identifiable information'' means any information, 
        or compilation of information, in electronic or digital form 
        that is a means of identification (as defined in section 
1028(d)(7) of title 18, United States Code).
            (13) Predispute arbitration agreement.--The term 
        ``predispute arbitration agreement'' means any agreement to 
        arbitrate a dispute that had not yet arisen at the time of the 
        making of the agreement.
            (14) Public record source.--The term ``public record 
        source'' means the Congress, any agency, any State or local 
        government agency, the government of the District of Columbia 
        and governments of the territories or possessions of the United 
        States, and Federal, State or local courts, courts martial and 
        military commissions, that maintain personally identifiable 
        information in records available to the public.
            (15) Security breach.--
                    (A) In general.--The term ``security breach'' means 
                compromise of the security, confidentiality, or 
                integrity of computerized data through 
                misrepresentation or actions--
                            (i) that result in, or that there is a 
                        reasonable basis to conclude has resulted in--
                                    (I) the unauthorized acquisition of 
                                sensitive personally identifiable 
                                information; or
                                    (II) access to sensitive personally 
                                identifiable information that is for an 
                                unauthorized purpose, or in excess of 
                                authorization; and
                            (ii) which present a significant risk of 
                        harm or fraud to any individual.
                    (B) Exclusion.--The term ``security breach'' does 
                not include--
                            (i) a good faith acquisition of sensitive 
                        personally identifiable information by a 
                        business entity or agency, or an employee or 
                        agent of a business entity or agency, if the 
                        sensitive personally identifiable information 
                        is not subject to further unauthorized 
                        disclosure;
                            (ii) the release of a public record not 
                        otherwise subject to confidentiality or 
                        nondisclosure requirements; or
                            (iii) any lawfully authorized criminal 
                        investigation or authorized investigative, 
                        protective, or intelligence activities that are 
                        carried out by or on behalf of any element of 
                        the intelligence community and conducted in 
                        accordance with the United States laws, 
                        authorities, and regulations governing such 
                        intelligence activities.
            (16) Security freeze.--The term ``security freeze'' means a 
        notice, at the request of the consumer and subject to 
        exceptions in section 215(b), that prohibits the consumer 
        reporting agency from releasing all or any part of the 
        consumer's credit report or any information derived from it 
        without the express authorization of the consumer.
            (17) Sensitive personally identifiable information.--The 
        term ``sensitive personally identifiable information'' means 
        any information or compilation of information, in electronic or 
        digital form that includes--
                    (A) an individual's first and last name or first 
                initial and last name in combination with any 1 of the 
                following data elements:
                            (i) A nontruncated social security number, 
                        driver's license number, passport number, or 
                        alien registration number.
                            (ii) Any 2 of the following:
                                    (I) Home address.
                                    (II) Telephone number.
                                    (III) Mother's maiden name.
                                    (IV) Month, day, and year of birth.
                            (iii) Unique biometric data such as a 
                        finger print, voice print, a retina or iris 
                        image, or any other unique physical 
                        representation.
                            (iv) A unique account identifier, 
                        electronic identification number, user name, or 
                        routing code in combination with any associated 
                        security code, access code, or password if the 
                        code or password is required for an individual 
                        to obtain money, goods, services, or any other 
                        thing of value;
                    (B) a financial account number or credit or debit 
                card number in combination with any security code, 
                access code, or password that is required for an 
                individual to obtain credit, withdraw funds, or engage 
                in a financial transaction; or
                    (C) any other combination of data elements that 
                could allow unauthorized access to or acquisition of 
                the information described in subparagraph (A) or (B), 
                including--
                            (i) a unique account identifier;
                            (ii) an electronic identification number;
                            (iii) a user name;
                            (iv) a routing code; or
                            (v) any associated security code, access 
                        code, or password or any associated security 
                        questions and answers that could allow 
                        unauthorized access to the account.
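
    The definition in paragraph (17) is, in practice, a set of rules that a 
breach-scoping or data-classification check has to encode: a name is only 
sensitive in combination with one of the listed elements, a truncated social 
security number does not count, and an account identifier is sensitive only 
together with the secret that unlocks it. The following Python is an added 
example written for this corpus; it is not part of the bill and not an 
official interpretation of it. The record field names (`first_name`, `ssn`, 
`card_number`, and so on) and the sample records are constructed for the 
illustration. Subparagraph (C) is open-ended ("any other combination"), so 
the code only encodes the identifier-plus-secret and security-question 
combinations that clause itself enumerates; anything beyond that is left to 
human review.

```python
import re

# Full (nontruncated) SSN: nine digits, optionally dashed. Masked forms such
# as "***-**-6789" or "XXX-XX-6789" deliberately fail, matching the
# "nontruncated" qualifier in (A)(i).
FULL_SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# Hypothetical field names for a flat record. The bill names data elements,
# not a schema; map your own column names onto these.
GOV_ID_FIELDS = ("drivers_license", "passport", "alien_registration")
CONTACT_FIELDS = ("home_address", "telephone", "mothers_maiden_name", "date_of_birth")
IDENTIFIER_FIELDS = ("account_id", "electronic_id", "username", "routing_code")
SECRET_FIELDS = ("password", "security_code", "access_code")
FINANCIAL_FIELDS = ("financial_account_number", "card_number")


def present(rec, key):
    """True when the field exists in the record and is non-empty."""
    value = rec.get(key)
    return value is not None and str(value).strip() != ""


def has_name(rec):
    """(A): first and last name, or first initial and last name."""
    return (present(rec, "first_name") or present(rec, "first_initial")) and present(rec, "last_name")


def has_nontruncated_gov_id(rec):
    """(A)(i): full SSN, driver's license, passport or alien registration number."""
    if present(rec, "ssn") and FULL_SSN_RE.match(str(rec["ssn"]).strip()):
        return True
    return any(present(rec, k) for k in GOV_ID_FIELDS)


def has_two_contact_elements(rec):
    """(A)(ii): any 2 of home address, telephone, mother's maiden name, full DOB."""
    return sum(present(rec, k) for k in CONTACT_FIELDS) >= 2


def has_identifier(rec):
    return any(present(rec, k) for k in IDENTIFIER_FIELDS)


def has_identifier_with_secret(rec):
    """(A)(iv): account identifier or user name plus an associated code or password."""
    return has_identifier(rec) and any(present(rec, k) for k in SECRET_FIELDS)


def has_financial_number_with_code(rec):
    """(B): account or card number plus the code needed to transact with it."""
    number = any(present(rec, k) for k in FINANCIAL_FIELDS)
    return number and any(present(rec, k) for k in SECRET_FIELDS)


def classify(rec):
    """Return the Sec. 3(17) prongs the record satisfies; an empty list means
    the record is not sensitive personally identifiable information."""
    prongs = []
    if has_name(rec):
        if has_nontruncated_gov_id(rec):
            prongs.append("A(i)")
        if has_two_contact_elements(rec):
            prongs.append("A(ii)")
        if present(rec, "biometric"):
            prongs.append("A(iii)")
        if has_identifier_with_secret(rec):
            prongs.append("A(iv)")
    if has_financial_number_with_code(rec):
        prongs.append("B")
    # (C) as enumerated: an identifier together with a secret or with security
    # questions and answers, with or without a name attached.
    if has_identifier_with_secret(rec) or (has_identifier(rec) and present(rec, "security_qa")):
        prongs.append("C")
    return prongs


# Constructed sample records (not real data) covering the edge cases above.
SAMPLE_RECORDS = {
    "hr_export": {"first_name": "Ada", "last_name": "Lovelace", "ssn": "123-45-6789"},
    "masked_ssn": {"first_name": "Ada", "last_name": "Lovelace", "ssn": "***-**-6789",
                   "telephone": "555-0100"},
    "marketing": {"first_initial": "A", "last_name": "Lovelace",
                  "home_address": "1 Main St", "date_of_birth": "1815-12-10"},
    "card_dump": {"card_number": "4111111111111111", "security_code": "123"},
    "login_dump": {"username": "ada", "password": "hunter2"},
    "purchases": {"first_name": "Ada", "last_name": "Lovelace", "last_purchase": "book"},
}


def classify_all(records):
    """Map each record name to the prongs it satisfies."""
    return {name: classify(rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, prongs in classify_all(SAMPLE_RECORDS).items():
        print(f"{name:12s} -> {prongs or 'not SPII'}")
```

The masked-SSN record is the case worth noticing: a name plus a truncated 
SSN and a single telephone number satisfies none of the prongs, so a breach 
limited to that export would fall outside the definition even though the 
data looks sensitive at a glance.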

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED 
              ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.

    Section 1961(1) of title 18, United States Code, is amended by 
inserting ``section 1030 (relating to fraud and related activity in 
connection with computers) if the act is a felony,'' before ``section 
1084''.

SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:
``Sec. 1041. Concealment of security breaches involving sensitive 
              personally identifiable information
    ``(a) Whoever, having knowledge of a security breach and having the 
obligation to provide notice of such breach to individuals under the 
Personal Data Protection and Breach Accountability Act of 2011, and 
having not otherwise qualified for an exemption from providing notice 
under section 212 of the Personal Data Protection and Breach 
Accountability Act of 2011, intentionally or willfully conceals the 
fact of such security breach and which breach causes economic damage or 
substantial emotional distress to 1 or more persons, shall be fined 
under this title or imprisoned not more than 5 years, or both.
    ``(b) For purposes of subsection (a), the term `person' has the 
same meaning as in section 1030(e)(12) of title 18, United States Code.
    ``(c) Any person seeking an exemption under section 212(b) of the 
Personal Data Protection and Breach Accountability Act of 2011 shall be 
immune from prosecution under this section if the United States Secret 
Service does not indicate, in writing, that such notice be given under 
section 212(b)(3) of the Personal Data Protection and Breach 
Accountability Act of 2011.''.
    (b) Conforming and Technical Amendments.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

``1041. Concealment of security breaches involving personally 
                            identifiable information.''.
    (c) Enforcement Authority.--
            (1) In general.--The United States Secret Service shall 
        have the authority to investigate offenses under this section.
            (2) Nonexclusivity.--The authority granted in paragraph (1) 
        shall not be exclusive of any existing authority held by any 
        other Federal agency.

SEC. 103. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH 
              COMPUTERS.

    Section 1030(c) of title 18, United States Code, is amended--
            (1) by inserting ``or conspiracy'' after ``or an attempt'' 
        each place it appears, except for paragraph (4);
            (2) in paragraph (2)(B)--
                    (A) in clause (i), by inserting ``, or attempt or 
                conspiracy or conspiracy to commit an offense,'' after 
                ``the offense'';
                    (B) in clause (ii), by inserting ``, or attempt or 
                conspiracy or conspiracy to commit an offense,'' after 
                ``the offense''; and
                    (C) in clause (iii), by inserting ``(or, in the 
                case of an attempted offense, would, if completed, have 
                obtained)'' after ``information obtained''; and
            (3) in paragraph (4)--
                    (A) in subparagraph (A)--
                            (i) by striking clause (ii);
                            (ii) by striking ``in the case of--'' and 
                        all that follows through ``an offense under 
                        subsection (a)(5)(B)'' and inserting ``in the 
                        case of an offense, or an attempt or conspiracy 
                        to commit an offense, under subsection 
                        (a)(5)(B)'';
                            (iii) by inserting ``or conspiracy'' after 
                        ``if the offense'';
                            (iv) by redesignating subclauses (I) 
                        through (VI) as clauses (i) through (vi), 
                        respectively, and adjusting the margin 
                        accordingly; and
                            (v) in clause (vi), as so redesignated, by 
                        striking ``; or'' and inserting a semicolon;
                    (B) in subparagraph (B)--
                            (i) by striking clause (ii);
                            (ii) by striking ``in the case of--'' and 
                        all that follows through ``an offense under 
                        subsection (a)(5)(A)'' and inserting ``in the 
                        case of an offense, or an attempt or conspiracy 
                        to commit an offense, under subsection 
                        (a)(5)(A)'';
                            (iii) by inserting ``or conspiracy'' after 
                        ``if the offense''; and
                            (iv) by striking ``; or'' and inserting a 
                        semicolon;
                    (C) in subparagraph (C)--
                            (i) by striking clause (ii);
                            (ii) by striking ``in the case of--'' and 
                        all that follows through ``an offense or an 
                        attempt to commit an offense'' and inserting 
                        ``in the case of an offense, or an attempt or 
                        conspiracy to commit an offense,''; and
                            (iii) by striking ``; or'' and inserting a 
                        semicolon;
                    (D) in subparagraph (D)--
                            (i) by striking clause (ii);
                            (ii) by striking ``in the case of--'' and 
                        all that follows through ``an offense or an 
                        attempt to commit an offense'' and inserting 
                        ``in the case of an offense, or an attempt or 
                        conspiracy to commit an offense,''; and
                            (iii) by striking ``; or'' and inserting a 
                        semicolon;
                    (E) in subparagraph (E), by inserting ``or 
                conspires'' after ``offender attempts'';
                    (F) in subparagraph (F), by inserting ``or 
                conspires'' after ``offender attempts''; and
                    (G) in subparagraph (G)(ii), by inserting ``or 
                conspiracy'' after ``an attempt''.

SEC. 104. FALSE NOTIFICATION.

    (a) In General.--It shall be unlawful for an individual to send a 
notification of a breach of security that is false or intentionally 
misleading in order to obtain sensitive personally identifiable 
information in an effort to defraud an individual.
    (b) Penalty.--Any person that violates subsection (a) shall be 
fined not more than $1,000,000, imprisoned not more than 5 years, or 
both.
    (c) Rule of Construction.--For purposes of this section, any single 
action or conduct that violates subsection (a) with respect to multiple 
protected computers shall be construed to be a single violation.

SEC. 105. UNAUTHORIZED INSTALLATION OF PERSONAL INFORMATION COLLECTION 
              FEATURES ON A USER'S COMPUTER.

    (a) Definition.--In this section, the term ``protected computer'' 
has the meaning given the term in section 1030(e)(2) of title 18, 
United States Code.
    (b) In General.--It shall be unlawful for a person that is not an 
authorized user of a protected computer to cause the installation on 
the protected computer of software that collects sensitive personally 
identifiable information from an authorized user, unless the person--
            (1) provides a clear and conspicuous disclosure of such 
        collection; and
            (2) obtains the consent of an authorized user of the 
        protected computer prior to any collection of sensitive 
        personally identifiable information.
    (c) Collection and Use of Personal Information in Web Searches.--It 
shall be unlawful for an Internet service provider or proxy server to 
knowingly or intentionally--
            (1) bypass the display of search engine results and 
        redirect web searches or queries entered by an authorized user 
        of a protected computer directly to a commercial website, 
        counterfeit web page, or targeted advertisement and derive an 
        economic benefit from such activity; or
            (2) monitor, manipulate, aggregate, and market the data 
        collected in the process of intercepting a web search or query 
        entered by an authorized user of a protected computer and 
        derive an economic benefit from such activity.
    (d) Other Collection of Personal Information.--
            (1) In general.--It shall be unlawful for a person who is 
        not an authorized user of a protected computer to cause the 
        installation on the protected computer of software that engages 
        in any of the collection practices described in paragraph (2), 
        unless the person--
                    (A) provides a clear and conspicuous disclosure of 
                such collection; and
                    (B) obtains the consent of an authorized user of 
                the protected computer prior to any such collection of 
                information.
            (2) Collection practices described.--The collection 
        practices described in this paragraph are--
                    (A) the use of a keystroke-logging function that 
                records all or substantially all keystrokes made by an 
                owner or operator of a computer and transfers that 
                information from the computer to another person;
                    (B) the collection of data in a manner that--
                            (i) correlates sensitive personally 
                        identifiable information with a history of--
                                    (I) all, or substantially all, of 
                                the websites visited by an owner or 
                                operator, other than websites operated 
                                by the person providing such software; 
                                or
                                    (II) all, or substantially all, of 
                                the web searches conducted by an owner 
                                or operator other than search data 
                                collected by a search engine; and
                            (ii) uses the information described in 
                        clause (i) to deliver advertising to, or 
                        display advertising on, the computer; and
                    (C) the extracting from the hard drive or other 
                storage medium of the computer--
                            (i) the substantive contents of files, 
                        data, software, or other information knowingly 
                        saved or installed by the authorized user of a 
                        protected computer; or
                            (ii) the substantive contents of 
                        communications sent by an authorized user of a 
                        protected computer to any other computer.
    (e) Exception.--This section shall not restrict a person from 
causing the installation of software that collects information for the 
provider of an online service or website knowingly used or subscribed 
to by an authorized user if the information collected is used only to 
affect the experience of the user while using that online service or 
website.
    (f) Uninstall Functionality.--
            (1) In general.--Software that performs any function 
        described in subsection (b) or (c) shall have the capability to 
        subsequently be uninstalled or disabled by an authorized user 
        through a program removal function that is usual and customary 
        with the operating system of the computer or otherwise as 
        clearly and conspicuously disclosed to the user.
            (2) Authority to uninstall.--Software that enables an 
        authorized user of a protected computer, such as a parent, 
        employer, or system administrator, to choose to prevent another 
        user of the same computer from uninstalling or disabling the 
        software shall not be considered to prevent reasonable efforts 
        to uninstall or disable the software within the meaning of 
        paragraph (1) if not less than 1 authorized user retains the 
        ability to uninstall or disable the software.
    (g) Limitations on Liability.--
            (1) In general.--The restrictions imposed under this 
        section do not apply to any monitoring of, or interaction with, 
        a subscriber's Internet or other network connection or service, 
        or a protected computer, by or at the direction of a 
        telecommunications carrier, cable operator, computer hardware 
        or software provider, financial institution or provider of 
        information services or interactive computer service for--
                    (A) network or computer security purposes;
                    (B) diagnostics;
                    (C) technical support;
                    (D) repair;
                    (E) network management;
                    (F) authorized updates of software or system 
                firmware;
                    (G) authorized remote system management;
                    (H) authorized provision of protection for users of 
                the computer from objectionable content;
                    (I) authorized scanning for computer software used 
                in violation of this section for removal by an 
                authorized user; or
                    (J) detection or prevention of the unauthorized use 
                of software, fraudulent or other illegal activities.
            (2) Manufacturer's liability for third-party software.--A 
        manufacturer or retailer of a computer shall not be liable 
        under any provision of this section for causing the 
        installation on the computer, prior to the first retail sale 
        and delivery of the computer, of third-party branded software, 
        unless the manufacturer or retailer knowingly allows the 
        installation of such third-party branded software and derives a 
        benefit from the operation of such software.
            (3) Exception for authorized investigative agencies.--
        Nothing in this section prohibits any lawfully authorized 
        criminal investigation or authorized investigative, protective, 
        or intelligence activities that are carried out by or on behalf 
        of any element of the intelligence community and conducted in 
        accordance with the United States laws, authorities, and 
        regulations governing such intelligence activities, of a law 
        enforcement agency of the United States, a State, or a 
        political subdivision of a State, or of an intelligence agency 
        of the United States.
    (h) Enforcement by the Attorney General.--
            (1) Liability and penalty for violations.--Any person who 
        engages in an activity in violation of this section shall be 
        fined not more than $500,000, imprisoned not more than 5 years, 
        or both.
            (2) Enhanced liability and penalties for pattern or 
        practice of violations.--
                    (A) In general.--Any person who engages in a 
                pattern or practice of activity that violates the 
                provisions of this section shall be fined not more than 
                $1,000,000, imprisoned not more than 5 years, or both.
                    (B) Treatment of single action or conduct.--For 
                purposes of subparagraph (A), any single action or 
                conduct that violates this section with respect to 
                multiple protected computers shall be construed as a 
                single violation.
            (3) Considerations.--In determining the amount of any 
        penalty under paragraph (1) or (2), the court shall take into 
        account--
                    (A) the degree of culpability of the defendant;
                    (B) any history of prior such conduct;
                    (C) the ability of the defendant to pay any fine 
                imposed;
                    (D) the effect on the ability of the defendant to 
                continue to do business; and
                    (E) such other matters as justice may require.

 TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

SEC. 201. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Purpose.--The purpose of this subtitle is to ensure standards 
for developing and implementing administrative, technical, and physical 
safeguards to protect the security of sensitive personally identifiable 
information.
    (b) In General.--A business entity engaging in interstate commerce 
that involves collecting, accessing, transmitting, using, storing, or 
disposing of sensitive personally identifiable information in 
electronic or digital form on 10,000 or more United States persons is 
subject to the requirements for a data privacy and security program 
under section 202 for protecting sensitive personally identifiable 
information.
    (c) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to:
            (1) Financial institutions.--Financial institutions--
                    (A) subject to the data security requirements and 
                implementing regulations under the Gramm-Leach-Bliley 
                Act (15 U.S.C. 6801 et seq.); and
                    (B) subject to--
                            (i) examinations for compliance with the 
                        requirements of this Act by a Federal 
                        Functional Regulator or State Insurance 
                        Authority (as those terms are defined in 
                        section 509 of the Gramm-Leach-Bliley Act (15 
                        U.S.C. 6809)); or
                            (ii) compliance with part 314 of title 16, 
                        Code of Federal Regulations.
            (2) HIPAA regulated entities.--
                    (A) Covered entities.--Covered entities subject to 
                the Health Insurance Portability and Accountability Act 
                of 1996 (42 U.S.C. 1301 et seq.), including the data 
                security requirements and implementing regulations of 
                that Act.
                    (B) Business entities.--A business entity shall be 
                deemed in compliance with this Act if the business 
                entity--
                            (i) is acting as a business associate, as 
                        that term is defined under the Health Insurance 
                        Portability and Accountability Act of 1996 (42 
                        U.S.C. 1301 et seq.) and is in compliance with 
                        the requirements imposed under that Act and 
                        implementing regulations promulgated under that 
                        Act; and
                            (ii) is subject to, and currently in 
                        compliance with, the privacy and data security 
                        requirements under sections 13401 and 13404 of 
                        division A of the American Reinvestment and 
                        Recovery Act of 2009 (42 U.S.C. 17931 and 
                        17934) and implementing regulations promulgated 
                        under such sections.
            (3) Public records.--Public records not otherwise subject 
        to a confidentiality or nondisclosure requirement, or 
        information obtained from a news report or periodical.
    (d) Rule of Construction.--Nothing in this subtitle shall be 
construed to modify, limit, or supersede the operation of the 
provisions of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), or 
its implementing regulations, including such regulations adopted or 
enforced by the States.

SEC. 202. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Personal Data Privacy and Security Program.--A business entity 
subject to this subtitle shall comply with the following safeguards and 
any other administrative, technical, or physical safeguards identified 
by the Federal Trade Commission in a rulemaking process pursuant to 
section 553 of title 5, United States Code, for the protection of 
sensitive personally identifiable information:
            (1) Scope.--A business entity shall implement a 
        comprehensive personal data privacy and security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity of the business entity 
        and the nature and scope of its activities.
            (2) Design.--The personal data privacy and security program 
        shall be designed to--
                    (A) ensure the privacy, security, and 
                confidentiality of sensitive personally identifiable 
                information;
                    (B) protect against any anticipated vulnerabilities 
                to the privacy, security, or integrity of sensitive 
                personally identifiable information; and
                    (C) protect against unauthorized access or use of 
                sensitive personally identifiable information that 
                could create a significant risk of harm or fraud to any 
                individual.
            (3) Risk assessment.--A business entity shall--
                    (A) identify reasonably foreseeable internal and 
                external vulnerabilities that could result in 
                unauthorized access, disclosure, use, or alteration of 
                sensitive personally identifiable information or 
                systems containing sensitive personally identifiable 
                information;
                    (B) assess the likelihood of and potential damage 
                from unauthorized access, disclosure, use, or 
                alteration of sensitive personally identifiable 
                information;
                    (C) assess the sufficiency of its policies, 
                technologies, and safeguards in place to control and 
                minimize risks from unauthorized access, disclosure, 
                use, or alteration of sensitive personally identifiable 
                information; and
                    (D) assess the vulnerability of sensitive 
                personally identifiable information during destruction 
                and disposal of such information, including through the 
                disposal or retirement of hardware.
            (4) Risk management and control.--Each business entity 
        shall--
                    (A) design its personal data privacy and security 
                program to control the risks identified under paragraph 
                (3); and
                    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, and scope of the activities of the business 
                entity that--
                            (i) control access to systems and 
                        facilities containing sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;
                            (ii) detect, record, and preserve 
                        information relevant to actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        disclosure, use, or alteration of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access;
                            (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption, redaction, or access controls that 
                        are widely accepted as an effective industry 
                        practice or industry standard, or other 
                        reasonable means (including as directed for 
                        disposal of records under section 628 of the 
                        Fair Credit Reporting Act (15 U.S.C. 1681w) and 
                        the implementing regulations of such Act as set 
                        forth in section 682 of title 16, Code of 
                        Federal Regulations);
                            (iv) ensure that sensitive personally 
                        identifiable information is properly destroyed 
                        and disposed of, including during the 
                        destruction of computers, diskettes, and other 
                        electronic media that contain sensitive 
                        personally identifiable information;
                            (v) trace access to records containing 
                        sensitive personally identifiable information 
                        so that the business entity can determine who 
                        accessed or acquired such sensitive personally 
                        identifiable information pertaining to specific 
                        individuals;
                            (vi) ensure that no third party or customer 
                        of the business entity is authorized to access 
                        or acquire sensitive personally identifiable 
                        information without the business entity first 
                        performing sufficient due diligence to 
                        ascertain, with reasonable certainty, that such 
                        information is being sought for a valid legal 
                        purpose; and
                            (vii) minimize the amount of personal 
                        information maintained by the business entity, 
                        providing for the retention of such personal 
                        information only as reasonably needed for the 
                        business purposes of the business entity or as 
                        necessary to comply with any other provision of 
                        law.
    (b) Training.--Each business entity subject to this subtitle shall 
take steps to ensure employee training and supervision for 
implementation of the data security program of the business entity.
    (c) Vulnerability Testing.--
            (1) In general.--Each business entity subject to this 
        subtitle shall take steps to ensure regular testing of key 
        controls, systems, and procedures of the personal data privacy 
        and security program to detect, prevent, and respond to attacks 
        or intrusions, or other system failures.
            (2) Frequency.--The frequency and nature of the tests 
        required under paragraph (1) shall be determined by the risk 
        assessment of the business entity under subsection (a)(3).
    (d) Relationship to Service Providers.--In the event a business 
entity subject to this subtitle engages service providers not subject 
to this subtitle, such business entity shall--
            (1) exercise appropriate due diligence in selecting those 
        service providers for responsibilities related to sensitive 
        personally identifiable information, and take reasonable steps 
        to select and retain service providers that are capable of 
        maintaining appropriate safeguards for the security, privacy, 
        and integrity of the sensitive personally identifiable 
        information at issue; and
            (2) require those service providers by contract to 
        implement and maintain appropriate measures designed to meet 
        the objectives and requirements governing entities subject to 
        section 201, this section, and subtitle B.
    (e) Periodic Assessment and Personal Data Privacy and Security 
Modernization.--Each business entity subject to this subtitle shall on 
a regular basis monitor, evaluate, and adjust, as appropriate, its data 
privacy and security program in light of any relevant changes in--
            (1) technology;
            (2) the sensitivity of personally identifiable information;
            (3) internal or external threats to personally identifiable 
        information; and
            (4) the changing business arrangements of the business 
        entity, such as--
                    (A) mergers and acquisitions;
                    (B) alliances and joint ventures;
                    (C) outsourcing arrangements;
                    (D) bankruptcy; and
                    (E) changes to sensitive personally identifiable 
                information systems.
    (f) Implementation Timeline.--Not later than 1 year after the date 
of enactment of this Act, a business entity subject to the provisions 
of this subtitle shall implement a data privacy and security program 
pursuant to this subtitle.

SEC. 203. FEDERAL ENFORCEMENT.

    (a) Civil Penalties.--
            (1) In general.--The Attorney General may bring a civil 
        action in the appropriate United States district court against 
        any business entity that engages in conduct constituting a 
        violation of this subtitle and, upon proof of such conduct by a 
        preponderance of the evidence, such business entity shall be 
        subject to a civil penalty of not more than $5,000 per 
        violation per day while such a violation exists, with a maximum 
        of $20,000,000 per violation, unless such conduct is found to 
        be willful or intentional.
            (2) Intentional or willful violation.--A business entity 
        that intentionally or willfully violates the provisions of this 
        subtitle shall be subject to additional penalties in the amount 
        of $5,000 per violation per day while such a violation exists.
            (3) Considerations.--In determining the amount of a civil 
        penalty under this subsection, the court shall take into 
        account--
                    (A) the degree of culpability of the business 
                entity;
                    (B) any prior violations of this subtitle by the 
                business entity;
                    (C) the ability of the business entity to pay a 
                civil penalty;
                    (D) the effect on the ability of the business 
                entity to continue to do business;
                    (E) the number of individuals whose personally 
                identifiable information was compromised by the breach;
                    (F) the relative cost of compliance with this 
                subtitle; and
                    (G) such other matters as justice may require.
    (b) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a business entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (c) Other Rights and Remedies.--The rights and remedies available 
under this section are cumulative and shall not affect any other rights 
and remedies available under law.

SEC. 204. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) Civil Actions.--
            (1) In general.--In any case in which the attorney general 
        of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the acts or 
        practices of a business entity that violate this subtitle, the 
        State may bring a civil action on behalf of the residents of 
        that State in a district court of the United States of 
        appropriate jurisdiction, or any other court of competent 
        jurisdiction, to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this subtitle; or
                    (C) obtain civil penalties of not more than $5,000 
                per violation per day while such violations persist, up 
                to a maximum of $20,000,000 per violation.
            (2) Considerations.--In determining the amount of a civil 
        penalty under this subsection, the court shall take into 
        account--
                    (A) the degree of culpability of the business 
                entity;
                    (B) any prior violations of this subtitle by the 
                business entity;
                    (C) the ability of the business entity to pay a 
                civil penalty;
                    (D) the effect on the ability of the business 
                entity to continue to do business;
                    (E) the number of individuals whose personally 
                identifiable information was compromised by the breach;
                    (F) the relative cost of compliance with this 
                subtitle; and
                    (G) such other matters as justice may require.
            (3) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Attorney General--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the attorney general of a State 
                        determines that it is not feasible to provide 
                        the notice described in this subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(2), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action;
            (2) initiate an action in the appropriate United States 
        district court under section 217 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(2); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General has instituted a 
proceeding or action for a violation of this subtitle or any 
regulations thereunder, no attorney general of a State may, during the 
pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle regarding notification shall 
be construed to prevent an attorney general of a State from exercising 
the powers conferred on such attorney general by the laws of that State 
to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 205. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.

    (a) In General.--Any person aggrieved by a violation of the 
provisions of this subtitle by a business entity may bring a civil 
action in a court of appropriate jurisdiction to recover for personal 
injuries sustained as a result of the violation.
    (b) Authority To Bring Civil Action; Jurisdiction.--As provided in 
subsection (c), any person may commence a civil action on his own 
behalf against any business entity who is alleged to have violated the 
provisions of this subtitle.
    (c) Remedies in a Citizen Suit.--
            (1) Damages.--Any individual harmed by a failure of a 
        business entity to comply with the provisions of this subtitle 
        shall be able to collect damages of not more than $10,000 per 
        violation per day while such violations persist, up to a 
        maximum of $20,000,000 per violation.
            (2) Punitive damages.--A business entity may be liable for 
        punitive damages if the business entity intentionally or 
        willfully violates the provisions of this subtitle.
            (3) Equitable relief.--A business entity that violates the 
        provisions of this subtitle may be enjoined to comply with the 
        provisions of those sections.
    (d) Other Rights and Remedies.--The rights and remedies available 
under this subsection are cumulative and shall not affect any other 
rights and remedies available under law.
    (e) Access to Justice.--The rights and remedies afforded by this 
section shall not be abridged or precluded by any predispute 
arbitration agreement, and any claims under this section that arise 
from the same security breach are presumed to meet the commonality 
requirement under rule 23(a)(2) of the Federal Rules of Civil 
Procedure.

                Subtitle B--Security Breach Notification

SEC. 211. NOTICE TO INDIVIDUALS.

    (a) In General.--Any agency, or business entity engaged in 
interstate commerce, that uses, accesses, transmits, stores, disposes 
of or collects sensitive personally identifiable information that 
experiences a security breach of such information, shall, following the 
discovery of such security breach of such information, notify any 
resident of the United States whose sensitive personally identifiable 
information has been, or is reasonably believed to have been, accessed, 
or acquired.
    (b) Obligation of Owner or Licensee.--
            (1) Notice to owner or licensee.--Any agency, or business 
        entity engaged in interstate commerce, that uses, accesses, 
        transmits, stores, disposes of, or collects sensitive 
        personally identifiable information that the agency or business 
        entity does not own or license shall notify the owner or 
        licensee of the information following the discovery of a 
        security breach involving such information.
            (2) Notice by owner, licensee or other designated third 
        party.--Nothing in this subtitle shall prevent or abrogate an 
        agreement between an agency or business entity required to give 
        notice under this section and a designated third party, 
        including an owner or licensee of the sensitive personally 
        identifiable information subject to the security breach, to 
        provide the notifications required under subsection (a).
            (3) Business entity relieved from giving notice.--A 
        business entity obligated to give notice under subsection (a) 
        shall be relieved of such obligation if an owner or licensee of 
        the sensitive personally identifiable information subject to 
        the security breach, or other designated third party, provides 
        such notification.
    (c) Timeliness of Notification.--
            (1) In general.--All notifications required under this 
        section shall be made without unreasonable delay following the 
        discovery by the agency or business entity of a security 
        breach.
            (2) Reasonable delay.--Reasonable delay under this 
        subsection may include any time necessary to determine the 
        scope of the security breach, conduct the risk assessment 
        described in section 212(b)(1), and provide notice to law 
        enforcement when required.
            (3) Burden of production.--The agency, business entity, 
        owner, or licensee required to provide notice under this 
        subtitle shall, upon the request of the Attorney General or the 
        attorney general of a State or any State or local law 
        enforcement agency authorized by the attorney general of the 
        State or by State statute to prosecute violations of consumer 
        protection law, provide records or other evidence of the 
        notifications required under this subtitle, including to the 
        extent applicable, the reasons for any delay of notification.
    (d) Delay of Notification Authorized for Law Enforcement 
Purposes.--
            (1) In general.--If a Federal law enforcement agency or 
        member of the intelligence community determines that the 
        notification required under this section would impede any 
        lawfully authorized criminal investigation or authorized 
        investigative, protective, or intelligence activities that are 
        carried out by or on behalf of any element of the intelligence 
        community and conducted in accordance with the United States 
        laws, authorities, and regulations governing such intelligence 
        activities, such notification shall be delayed upon written 
        notice from such Federal law enforcement or intelligence agency 
        to the agency or business entity that experienced the breach.
            (2) Extended delay of notification.--If the notification 
        required under subsection (a) is delayed pursuant to paragraph 
        (1), an agency or business entity shall give notice 30 days 
        after the day such law enforcement delay was invoked unless a 
        Federal law enforcement or intelligence agency provides written 
        notification that further delay is necessary.
            (3) Law enforcement immunity.--No cause of action shall lie 
        in any court against any law enforcement agency for acts 
        relating to the delay of notification for law enforcement or 
        intelligence purposes under this subtitle.

SEC. 212. EXEMPTIONS FROM NOTICE TO INDIVIDUALS.

    (a) Exemption for National Security and Law Enforcement.--
            (1) In general.--Section 211 shall not apply to an agency 
        or business entity if the agency or business entity certifies, 
        in writing, that notification of the security breach as 
        required by section 211 reasonably could be expected to--
                    (A) cause damage to the national security; or
                    (B) hinder a law enforcement investigation or the 
                ability of the agency to conduct law enforcement 
                investigations.
            (2) Limits on certifications.--An agency or business entity 
        may not execute a certification under paragraph (1) to--
                    (A) conceal violations of law, inefficiency, or 
                administrative error;
                    (B) prevent embarrassment to a business entity, 
                organization, or agency;
                    (C) restrain competition; or
                    (D) delay notification under section 211 for any 
                other reason, except where the agency or business 
                entity reasonably believes an exemption under paragraph 
                (1) applies.
            (3) Notice.--In every case in which an agency or business 
        entity issues a certification under paragraph (1), the 
        certification, accompanied by a description of the factual 
        basis for the certification, shall be immediately provided to 
        the United States Secret Service and the Federal Bureau of 
        Investigation.
            (4) Secret service and fbi review of certifications.--
                    (A) In general.--The United States Secret Service 
                or the Federal Bureau of Investigation may review a 
                certification provided by an agency under paragraph 
                (3), and shall review a certification provided by a 
                business entity under paragraph (3), to determine 
                whether an exemption under paragraph (1) is merited. 
                Such review shall be completed not later than 7 
                business days after the date of receipt of the 
                certification, except as provided in paragraph (5)(C).
                    (B) Notice.--Upon completing a review under 
                subparagraph (A) the United States Secret Service or 
                the Federal Bureau of Investigation shall immediately 
                notify the agency or business entity, in writing, of 
                its determination of whether an exemption under 
                paragraph (1) is merited.
                    (C) Exemption.--The exemption under paragraph (1) 
                shall not apply if the United States Secret Service or 
                the Federal Bureau of Investigation determines under 
                this paragraph that the exemption is not merited.
            (5) Additional authority of the secret service and fbi.--
                    (A) In general.--In determining under paragraph (4) 
                whether an exemption under paragraph (1) is merited, 
                the United States Secret Service or the Federal Bureau 
                of Investigation may request additional information 
                from the agency or business entity regarding the basis 
                for the claimed exemption, if such additional 
                information is necessary to determine whether the 
                exemption is merited.
                    (B) Required compliance.--Any agency or business 
                entity that receives a request for additional 
                information under subparagraph (A) shall cooperate with 
                any such request.
                    (C) Timing.--If the United States Secret Service or 
                the Federal Bureau of Investigation requests additional 
                information under subparagraph (A), the United States 
                Secret Service or the Federal Bureau of Investigation 
                shall notify the agency or business entity not later 
                than 7 business days after the date of receipt of the 
                additional information whether an exemption under 
                paragraph (1) is merited.
    (b) Safe Harbor.--
            (1) In general.--An agency or business entity will be 
        exempt from the notice requirements under section 211, if--
                    (A) a risk assessment conducted by the agency or 
                business entity concludes that there is no significant 
                risk that a security breach has resulted in, or will 
                result in harm to the individuals whose sensitive 
                personally identifiable information was subject to the 
                security breach; and
                    (B) the United States Secret Service or the Federal 
                Bureau of Investigation does not indicate within 7 
                business days from the receipt of written notification 
                from an agency or business entity pursuant to 
                subsection (b)(2), that the agency or business entity 
                should not be exempt from the notice requirements of 
                section 211.
            (2) Risk assessment requirements.--
                    (A) Conducting a risk assessment.--Upon discovery 
                of a security breach of an agency or business entity, 
                the agency or business entity shall conduct a risk 
                assessment to determine if there is a significant risk 
                that the security breach resulted in, or will result 
                in, harm to the individuals whose sensitive personally 
                identifiable information was subject to the security 
                breach.
                            (i) Presumption of no significant risk.--It 
                        is presumed that there is no significant risk 
                        that the security breach has resulted in, or 
                        will result in, harm to the individuals whose 
                        sensitive personally identifiable information 
                        was subject to the security breach, if such 
                        sensitive personally identifiable information 
                        has been rendered indecipherable through the 
                        use of best practices or methods as described 
                        by the Federal Trade Commission, such as 
                        redaction, access controls, or other such 
                        mechanisms, which are widely accepted as an 
                        effective industry practice, or an effective 
                        industry standard, or other such mechanisms 
                        establishing a presumption that no significant 
                        risk exists.
                            (ii) Presumption of significant risk.--It 
                        is presumed that there is a significant risk 
                        that the security breach has resulted in, or 
                        will result in, harm to individuals whose 
                        sensitive personally identifiable information 
                        was subject to the security breach if the 
                        agency or business entity failed to render such 
                        sensitive personally identifiable information 
                        indecipherable through the use of best 
                        practices or methods, such as redaction, access 
                        controls, or other such mechanisms which are 
                        widely accepted as an effective industry 
                        practice or an effective industry standard, or 
                        other such mechanisms establishing a 
                        presumption that a significant risk exists.
                    (B) Written notification to law enforcement.--
                Without unreasonable delay, but not later than 7 days 
                after the discovery of a security breach, unless 
                extended by the United States Secret Service or the 
                Federal Bureau of Investigation, the agency or business 
                entity must notify the United States Secret Service and 
                the Federal Bureau of Investigation, in writing, of--
                            (i) the results of the risk assessment; and
                            (ii) its decision to invoke the risk 
                        assessment exemption.
    (c) Financial Fraud Prevention Exemption.--
            (1) In general.--A business entity shall be exempt from the 
        notice requirement under section 211 if the business entity 
        utilizes or participates in a security program that--
                    (A) is designed to block the use of the sensitive 
                personally identifiable information to initiate 
                unauthorized financial transactions before they are 
                charged to the account of the individual; and
                    (B) provides for notice to affected individuals 
                after a security breach that has resulted in fraud or 
                unauthorized transactions.
            (2) Limitation.--Paragraph (1) does not apply to a business 
        entity if--
                    (A) the information subject to the security breach 
                includes sensitive personally identifiable information, 
                other than a credit card or credit card security code, 
                of any type of the sensitive personally identifiable 
                information identified in section 3; or
                    (B) the security breach includes both the 
                individual's credit card number and the individual's 
                first and last name.

SEC. 213. METHODS OF NOTICE TO INDIVIDUALS.

    To comply with section 211, an agency or business entity shall 
provide the following forms of notice:
            (1) Individual written notice.--Written notice to 
        individuals by 1 of the following means:
                    (A) Individual written notification to the last 
                known home mailing address of the individual in the 
                records of the agency or business entity.
                    (B) E-mail notice, unless the individual has 
                expressly opted not to receive such notices of security 
                breaches or the notice is inconsistent with the 
                provisions permitting electronic transmission of 
                notices under section 101 of the Electronic Signatures 
                in Global and National Commerce Act (15 U.S.C. 7001).
            (2) Telephone notice.--Telephone notice to the individual 
        personally.
            (3) Public notice.--
                    (A) Electronic notice.--Prominent notice via all 
                reasonable means of electronic contact between the 
                individual and the agency or business entity, including 
                any website, networked devices, or other interface 
                through which the agency or business entity regularly 
                interacts with the consumer, if the number of 
                individuals whose personally identifiable information 
                was or is reasonably believed to have been accessed or 
                acquired by an unauthorized person exceeds 5,000.
                    (B) Media notice.--Notice to major media outlets 
                serving a State or jurisdiction, if the number of 
                residents of such State whose sensitive personally 
                identifiable information was, or is reasonably believed 
                to have been, accessed or acquired by an unauthorized 
                person exceeds 5,000.

SEC. 214. CONTENT OF NOTICE TO INDIVIDUALS.

    (a) In General.--Regardless of the method by which individual 
notice is provided to individuals under section 213(1), such notice 
shall include--
            (1) a description of the categories of sensitive personally 
        identifiable information that was, or is reasonably believed to 
        have been, accessed or acquired by an unauthorized person, and 
        how the agency or business entity came into possession of the 
        sensitive personally identifiable information at issue;
            (2) a toll-free number--
                    (A) that the individual may use to contact the 
                agency or business entity, or the agent of the agency 
                or business entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                agency or business entity maintained about that 
                individual;
            (3) the toll-free contact telephone numbers, websites, and 
        addresses for the major credit reporting agencies;
            (4) the telephone numbers and websites for the relevant 
        Federal agencies that provide information regarding identity 
        theft prevention and protection;
            (5) notice that the individual is entitled to receive, at 
        no cost to such individual, consumer credit reports on a 
        quarterly basis for a period of 2 years, credit monitoring or 
        any other service that enables consumers to detect the misuse 
        of sensitive personally identifiable information for a period 
        of 2 years, and instructions to the individual on requesting 
        such reports or service from the agency or business entity;
            (6) notice that the individual is entitled to receive a 
        security freeze and that the agency or business entity will be 
        liable for any costs associated with the security freeze for 2 
        years and the necessary instructions for requesting a security 
        freeze; and
            (7) notice that any costs or damages incurred by an 
        individual as a result of a security breach will be paid by the 
        business entity or agency that experienced the security breach.
    (b) Telephone Notice.--Telephone notice described in section 213(2) 
shall include, to the extent possible--
            (1) notification that a security breach has occurred and 
        that the individual's sensitive personally identifiable 
        information may have been compromised;
            (2) a description of the categories of sensitive personally 
        identifiable information that were, or are reasonably believed 
        to have been, accessed or acquired by an unauthorized person;
            (3) a toll-free number and website--
                    (A) that the individual may use to contact the 
                agency or business entity, or the authorized agent of 
                the agency or business entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                agency or business entity maintained about that 
                individual and remedies available to that individual; 
                and
            (4) an alert to the individual that the agency or business 
        entity is sending or has sent written notification containing 
        additional information as required under section 213(1)(A).
    (c) Public Notice.--Public notice described in section 213(3) shall 
include--
            (1) electronic notice, which includes--
                    (A) notification that a security breach has 
                occurred and that the individual's sensitive personally 
                identifiable information may have been compromised;
                    (B) a description of the categories of sensitive 
                personally identifiable information that were, or are 
                reasonably believed to have been, accessed or acquired 
                by an unauthorized person; and
                    (C) a toll-free number and website--
                            (i) that the individual may use to contact 
                        the agency or business entity, or the 
                        authorized agent of the agency or business 
                        entity; and
                            (ii) from which the individual may learn 
                        what types of sensitive personally identifiable 
                        information the agency or business entity 
                        maintained about that individual and remedies 
                        available to that individual;
            (2) media notice, which includes--
                    (A) a description of the categories of sensitive 
                personally identifiable information that was, or is 
                reasonably believed to have been, accessed or acquired 
                by an unauthorized person;
                    (B) a toll-free number--
                            (i) that the individual may use to contact 
                        the agency or business entity, or the 
                        authorized agent of the agency or business 
                        entity; and
                            (ii) from which the individual may learn 
                        what types of sensitive personally identifiable 
                        information the agency or business entity 
                        maintained about that individual and remedies 
                        available to that individual;
                    (C) the toll-free contact telephone numbers, 
                websites, and addresses for the major credit reporting 
                agencies;
                    (D) the telephone numbers and websites for the 
                relevant Federal agencies that provide information 
                regarding identity theft prevention and protection;
                    (E) notice that the affected individuals are 
                entitled to receive, at no cost to such individuals, 
                consumer credit reports on a quarterly basis for a 
                period of 2 years, credit monitoring, or any other 
                service that enables consumers to detect the misuse of 
                sensitive personally identifiable information for a 
                period of 2 years;
                    (F) notice that the individual is entitled to 
                receive a security freeze and that the agency or 
                business entity will be liable for any costs associated 
                with the security freeze for 2 years; and
                    (G) notice that the individual is entitled to 
                receive compensation from the business entity or agency 
                for any costs or damages incurred by the individual 
                resulting from the security breach.
    (d) Additional Content.--Notwithstanding section 221, a State may 
require that a notice under subsection (a) shall also include 
information regarding victim protection assistance provided for by that 
State.

SEC. 215. REMEDIES FOR SECURITY BREACH.

    (a) Credit Reports and Credit Monitoring.--An agency or business 
entity required to provide notification under this subtitle shall, upon 
request of an individual whose sensitive personally identifiable 
information was included in the security breach, provide or arrange for 
the provision of, to each such individual and at no cost to such 
individual--
            (1) consumer credit reports from not fewer than 1 of the 
        major credit reporting agencies beginning not later than 60 
        days following the request of the individual and continuing on 
        a quarterly basis for a period of 2 years thereafter; and
            (2) a credit monitoring or other service that enables 
        consumers to detect the misuse of their personal information, 
        beginning not later than 60 days following the request of the 
        individual and continuing for a period of 2 years.
    (b) Security Freeze.--
            (1) Request.--Any consumer may submit a written request, by 
        certified mail or such other secure method as authorized by a 
        credit rating agency, to a credit rating agency to place a 
        security freeze on the credit report of the consumer.
            (2) Implementation of security freeze.--Upon receipt of a 
        written request under paragraph (1), a credit rating agency 
        shall--
                    (A) not later than 5 business days after receipt of 
                the request, place a security freeze on the credit 
                report of the consumer; and
                    (B) not later than 10 business days after placing a 
                security freeze, send a written confirmation of such 
                security freeze to the consumer, which shall provide 
                the consumer with a unique personal identification 
                number or password to be used by the consumer when 
                providing authorization for the release of the credit 
                report of the consumer to a third party or for a 
                specified period of time.
            (3) Duration of security freeze.--Except as provided in 
        paragraph (4), any security freeze authorized pursuant to the 
        provisions of this section shall remain in effect until the 
        consumer requests the security freeze to be removed.
            (4) Disclosure of credit report to third party.--
                    (A) In general.--If a consumer that has requested a 
                security freeze under this subsection wishes to 
                authorize the disclosure of the credit report of the 
                consumer to a third party, or for a specified period of 
                time, while such security freeze is in effect, the 
                consumer shall contact the credit rating agency and 
                provide--
                            (i) proper identification;
                            (ii) the unique personal identification 
                        number or password described in paragraph 
                        (2)(B); and
                            (iii) proper information regarding the 
                        third party who is to receive the credit report 
                        or the time period for which the credit report 
                        shall be available.
                    (B) Requirement.--Not later than 3 business days 
                after receipt of a request under subparagraph (A), a 
                credit rating agency shall lift the security freeze.
            (5) Procedures.--
                    (A) In general.--A credit rating agency shall 
                develop procedures to receive and process requests from 
                consumers under paragraph (2) of this section.
                    (B) Requirement.--Procedures developed under 
                subparagraph (A), at a minimum, shall include the 
                ability of a consumer to send such temporary lift or 
                removal request by electronic mail, letter, telephone, 
                or facsimile.
            (6) Requests by third party.--If a third party requests 
        access to a credit report of a consumer that has been frozen 
        under this subsection and the consumer has not authorized the 
        disclosure of the credit report of the consumer to the third 
        party, the third party may deem such credit application as 
        incomplete.
            (7) Determination by credit rating agency.--
                    (A) In general.--A credit rating agency may refuse 
                to implement or may remove a security freeze under this 
                subsection if the agency determines, in good faith, 
                that--
                            (i) the request for a security freeze was 
                        made as part of a fraud that the consumer 
                        participated in, had knowledge of, or that can 
                        be demonstrated by circumstantial evidence; or
                            (ii) the consumer credit report was frozen 
                        due to a material misrepresentation of fact by 
                        the consumer.
                    (B) Notice.--If a credit rating agency makes a 
                determination under subparagraph (A) to not implement, 
                or to remove, a security freeze under this subsection, 
                the credit rating agency shall notify the consumer in 
                writing of such determination--
                            (i) in the case of a determination not to 
                        implement a security freeze, not later than 5 
                        business days after the determination is made; 
                        and
                            (ii) in the case of a removal of a security 
                        freeze, prior to removing the freeze on the 
                        credit report of the consumer.
            (8) Rule of construction.--Nothing in this section shall be 
        construed to prohibit disclosure of a credit report of a 
        consumer to--
                    (A) a person, or the person's subsidiary, 
                affiliate, agent or assignee with which the consumer 
                has or, prior to assignment, had an account, contract 
                or debtor-creditor relationship for the purpose of 
                reviewing the account or collecting the financial 
                obligation owing for the account, contract or debt;
                    (B) a subsidiary, affiliate, agent, assignee or 
                prospective assignee of a person to whom access has 
                been granted under paragraph (4) for the purpose of 
                facilitating the extension of credit or other 
                permissible use;
                    (C) any person acting pursuant to a court order, 
                warrant or subpoena;
                    (D) any person for the purpose of using such credit 
                information to prescreen as provided by the Fair Credit 
                Reporting Act (15 U.S.C. 1681 et seq.);
                    (E) any person for the sole purpose of providing a 
                credit file monitoring subscription service to which 
                the consumer has subscribed;
                    (F) a credit rating agency for the sole purpose of 
                providing a consumer with a copy of the credit report 
                of the consumer upon the request of the consumer; or
                    (G) a Federal, State or local governmental entity, 
                including a law enforcement agency, or court, or their 
                agents or assignees pursuant to their statutory or 
                regulatory duties. For purposes of this subsection, 
                ``reviewing the account'' includes activities related 
                to account maintenance, monitoring, credit line 
                increases and account upgrades and enhancements; and
                    (H) any person for the sole purpose of providing a 
                remedy requested by an individual under this section.
            (9) Exceptions.--The following persons shall not be 
        required to place a security freeze under this subsection, but 
        shall be subject to any security freeze placed on a credit 
        report by another credit rating agency:
                    (A) A check services or fraud prevention services 
                company that reports on incidents of fraud or issues 
                authorizations for the purpose of approving or 
                processing negotiable instruments, electronic fund 
                transfers or similar methods of payment.
                    (B) A deposit account information service company 
                that issues reports regarding account closures due to 
                fraud, substantial overdrafts, automated teller machine 
                abuse, or similar information regarding a consumer to 
                inquiring banks or other financial institutions for use 
                only in reviewing a consumer request for a deposit 
                account at the inquiring bank or financial institution.
                    (C) A credit rating agency that--
                            (i) acts only to resell credit information 
                        by assembling and merging information contained 
                        in a database of 1 or more credit reporting 
                        agencies; and
                            (ii) does not maintain a permanent database 
                        of credit information from which new credit 
                        reports are produced.
            (10) Fees.--
                    (A) In general.--A credit rating agency may charge 
                reasonable fees for each security freeze, removal of 
                such freeze or temporary lift of such freeze for a 
                period of time, and a temporary lift of such freeze for 
                a specific party.
                    (B) Requirement.--Any fees charged under 
                subparagraph (A) shall be borne by the agency or 
                business entity providing notice under section 214 for 
                2 years following the establishment of the security 
                freeze under this subsection.
    (c) Costs Resulting From a Security Breach.--
            (1) In general.--A business entity or agency that 
        experiences a security breach and is required to provide notice 
        under this subtitle shall pay, upon request, to any individual 
        whose sensitive personally identifiable information has been, 
        or is reasonably believed to have been, accessed or acquired as 
        a result of such security breach, any costs or damages incurred 
        by the individual as a result of such security breach, 
        including costs associated with identity theft suffered as a 
        result of such security breach.
            (2) Compliance.--A business entity or agency shall be 
        deemed in compliance with this subsection if the business 
        entity or agency--
                    (A) provides insurance to any individual whose 
                sensitive personally identifiable information has been, 
                or is reasonably believed to have been, accessed or 
                acquired as a result of a security breach and such 
                insurance is sufficient to compensate the consumer for 
                not less than $25,000 of costs or damages; or
                    (B) pays, without unreasonable delay, any actual 
                costs or damages incurred by an individual as a result 
                of the security breach.

SEC. 216. NOTICE TO CREDIT REPORTING AGENCIES.

    If an agency or business entity is required to provide notification 
to more than 5,000 individuals under section 211(a), the agency or 
business entity shall also notify all consumer reporting agencies that 
compile and maintain files on consumers on a nationwide basis (as 
defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 
1681a(p))) of the timing and distribution of the notices. Such notice 
shall be given to the consumer credit reporting agencies without 
unreasonable delay and, if it will not delay notice to the affected 
individuals, prior to the distribution of notices to the affected 
individuals.

SEC. 217. NOTICE TO LAW ENFORCEMENT.

    (a) Secret Service and FBI.--Any business entity or agency shall 
notify the United States Secret Service and the Federal Bureau of 
Investigation of the fact that a security breach has occurred if--
            (1) the number of individuals whose sensitive personally 
        identifying information was, or is reasonably believed to have 
        been, accessed or acquired by an unauthorized person exceeds 
        5,000;
            (2) the security breach involves a database, networked or 
        integrated databases, or other data system containing the 
        sensitive personally identifiable information of more than 
        500,000 individuals nationwide;
            (3) the security breach involves databases owned by the 
        Federal Government; or
            (4) the security breach involves primarily sensitive 
        personally identifiable information of individuals known to the 
        agency or business entity to be employees and contractors of 
        the Federal Government involved in national security or law 
        enforcement.
    (b) FTC Review of Thresholds.--The Federal Trade Commission may 
alter the circumstances under which notification is required under 
subsection (a) in a manner consistent with the public interest.
    (c) Notice to Other Law Enforcement Agencies.--The United States 
Secret Service and the Federal Bureau of Investigation shall be 
responsible for notifying--
            (1) the United States Postal Inspection Service, if the 
        security breach involves mail fraud;
            (2) the attorney general of each State affected by the 
        security breach; and
            (3) the Federal Trade Commission, if the security breach 
        involves consumer reporting agencies subject to the Fair Credit 
        Reporting Act (15 U.S.C. 1681 et seq.), or anticompetitive 
        conduct.
    (d) Timing of Notices.--The notices required under this section 
shall be delivered as follows:
            (1) Notice under subsection (a) shall be delivered as 
        promptly as possible, but not later than 10 days after 
        discovery of the security breach.
            (2) Notice under section 211 shall be delivered to 
        individuals not later than 48 hours after the Federal Bureau of 
        Investigation or the Secret Service receives notice of a 
        security breach from an agency or business entity.

SEC. 218. FEDERAL ENFORCEMENT.

    (a) Civil Actions by the Attorney General.--
            (1) In general.--The Attorney General may bring a civil 
        action in the appropriate United States district court against 
        any business entity that engages in conduct constituting a 
        violation of this subtitle and, upon proof of such conduct by a 
        preponderance of the evidence, such business entity shall be 
        subject to a civil penalty of not more than $500 per day per 
        individual whose sensitive personally identifiable information 
        was, or is reasonably believed to have been, accessed or 
        acquired by an unauthorized person, up to a maximum of 
        $20,000,000 per violation, unless such conduct is found to be 
        willful or intentional.
            (2) Presumption.--A violation of section 212(a)(2) shall be 
        presumed to be willful or intentional conduct.
    (b) Considerations.--In determining the amount of a civil penalty 
under this subsection, the court shall take into account--
            (1) the degree of culpability of the business entity;
            (2) any prior violations of this subtitle by the business 
        entity;
            (3) the ability of the business entity to pay a civil 
        penalty;
            (4) the effect on the ability of the business entity to 
        continue to do business;
            (5) the number of individuals whose personally identifiable 
        information was compromised by the breach;
            (6) the relative cost of compliance with this subtitle; and
            (7) such other matters as justice may require.
    (c) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a business entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (d) Other Rights and Remedies.--The rights and remedies available 
under this subtitle are cumulative and shall not affect any other 
rights and remedies available under law.
    (e) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting 
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence 
that the consumer has received notice that the consumer's financial 
information has or may have been compromised,'' after ``identity theft 
report''.

SEC. 219. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--
                    (A) In general.--In any case in which the attorney 
                general of a State or any State or local law 
                enforcement agency authorized by the State attorney 
                general or by State statute to prosecute violations of 
                consumer protection law, has reason to believe that an 
                interest of the residents of that State has been or is 
                threatened or adversely affected by the engagement of a 
                business entity in a practice that is prohibited under 
                this subtitle, the State or the State or local law 
                enforcement agency on behalf of the residents of the 
                agency's jurisdiction, may bring a civil action on 
                behalf of the residents of the State or jurisdiction in 
                a district court of the United States of appropriate 
                jurisdiction or any other court of competent 
                jurisdiction, including a State court, to--
                            (i) enjoin that practice;
                            (ii) enforce compliance with this subtitle; 
                        or
                            (iii) obtain civil penalties of not more 
                        than $500 per day per individual whose 
                        sensitive personally identifiable information 
                        was, or is reasonably believed to have been, 
                        accessed or acquired by an unauthorized person, 
                        up to a maximum of $20,000,000 per violation, 
                        unless such conduct is found to be willful or 
                        intentional.
                    (B) Presumption.--A violation of section 212(a)(2) 
                shall be presumed to be willful or intentional.
            (2) Considerations.--In determining the amount of a civil 
        penalty under this subsection, the court shall take into 
        account--
                    (A) the degree of culpability of the business 
                entity;
                    (B) any prior violations of this subtitle by the 
                business entity;
                    (C) the ability of the business entity to pay a 
                civil penalty;
                    (D) the effect on the ability of the business 
                entity to continue to do business;
                    (E) the number of individuals whose personally 
                identifiable information was compromised by the breach;
                    (F) the relative cost of compliance with this 
                subtitle; and
                    (G) such other matters as justice may require.
            (3) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subtitle, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(2), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action;
            (2) initiate an action in the appropriate United States 
        district court under section 217 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(2); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General has instituted a 
proceeding or action for a violation of this subtitle or any 
regulations thereunder, no attorney general of a State may, during the 
pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle regarding notification shall 
be construed to prevent an attorney general of a State from exercising 
the powers conferred on such attorney general by the laws of that State 
to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 220. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.

    (a) In General.--Any person aggrieved by a violation of the 
provisions of section 211, 213, 214, 215, or 216 by a business entity 
may bring a civil action in a court of appropriate jurisdiction to 
recover for personal injuries sustained as a result of the violation.
    (b) Remedies in a Citizen Suit.--
            (1) Damages.--Any individual harmed by a failure of a 
        business entity to comply with the provisions of section 211, 
        213, 214, 215, or 216, shall be able to collect damages of not 
        more than $500 per day per individual whose sensitive 
        personally identifiable information was, or is reasonably 
        believed to have been, accessed or acquired by an unauthorized 
        person, up to a maximum of $20,000,000 per violation.
            (2) Punitive damages.--A business entity may be liable for 
        punitive damages if it--
                    (A) intentionally or willfully violates the 
                provisions of section 211, 213, 214, 215, or 216; or
                    (B) failed to comply with the requirements of 
                subsections (a) through (d) of section 202.
            (3) Equitable relief.--A business entity that violates the 
        provisions of section 211, 213, 214, 215, or 216 may be 
        enjoined to provide required remedies under section 215 by a 
        court of competent jurisdiction.
            (4) Other rights and remedies.--The rights and remedies 
        available under this subsection are cumulative and shall not 
        affect any other rights and remedies available under law.
    (c) Access to Justice.--The rights and remedies afforded by this 
section shall not be abridged or precluded by any predispute 
arbitration agreement, and any claims under this section that arise 
from the same security breach are presumed to meet the commonality 
requirement under rule 23(a)(2) of the Federal Rules of Civil 
Procedure.

SEC. 221. RELATION TO OTHER LAWS.

    (a) In General.--The provisions of this subtitle shall supersede 
any other provision of Federal law or any provision of law of any State 
relating to notification by a business entity engaged in interstate 
commerce or an agency of a security breach, except as provided in 
section 214(c).
    (b) Rule of Construction.--Nothing in this subtitle shall be 
construed to exempt any entity from liability under common law, 
including through the operation of ordinary preemption principles, for 
damages caused by the failure to notify an individual following a 
security breach.
    (c) Presumption of Per Se Negligence.--If a business entity fails 
to comply with the requirements in section 211, 212, 213, 214, 215, or 
216, there shall be a presumption that the entity was per se negligent.

SEC. 222. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated such sums as may be 
necessary to cover the costs incurred by the United States Secret 
Service to carry out investigations and risk assessments of security 
breaches as required under this subtitle.

SEC. 223. REPORTING ON RISK ASSESSMENT EXEMPTIONS.

    The United States Secret Service and the Federal Bureau of 
Investigation shall report to Congress not later than 18 months after 
the date of enactment of this Act, and upon the request by Congress 
thereafter, on--
            (1) the number and nature of the security breaches 
        described in the notices filed by those business entities 
        invoking the risk assessment exemption under section 212(b) and 
        the response of the United States Secret Service and the 
        Federal Bureau of Investigation to such notices; and
            (2) the number and nature of security breaches subject to 
        the national security and law enforcement exemptions under 
        section 212(a), provided that such report may not disclose the 
        contents of any risk assessment provided to the United States 
        Secret Service and the Federal Bureau of Investigation pursuant 
        to this subtitle.

      Subtitle C--Post-Breach Technical Information Clearinghouse

SEC. 230. CLEARINGHOUSE INFORMATION COLLECTION, MAINTENANCE, AND 
              ACCESS.

    (a) In General.--The Attorney General shall maintain a 
clearinghouse of technical information concerning system 
vulnerabilities identified in the wake of security breaches, which 
shall--
            (1) contain information disclosed by agencies or business 
        entities under subsection (b); and
            (2) be accessible to certified entities under subsection 
        (c).
    (b) Post-Breach Technical Notification.--In any instance where an 
agency or business entity is required to notify the United States 
Secret Service and the Federal Bureau of Investigation under section 
217, the agency or business entity shall also provide the Attorney 
General with technical information concerning the nature of the 
security breach, including--
            (1) technical information regarding any system 
        vulnerabilities of the agency or business entity revealed by or 
        identified as a consequence of the security breach;
            (2) technical information regarding any system 
        vulnerabilities of the agency or business entity actually 
        exploited during the security breach; and
            (3) any other technical information concerning the nature 
        of the security breach deemed appropriate for collection by the 
        Attorney General in furtherance of this subtitle.
    (c) Access to Clearinghouse.--Any entity certified under subsection 
(d) may review information maintained by the technical information 
clearinghouse for the purpose of preventing security breaches that 
threaten the security of sensitive personally identifiable information.
    (d) Certification for Access.--The Attorney General shall issue and 
revoke certifications to agencies and business entities wishing to 
review information maintained by the technical information 
clearinghouse and shall establish conditions for obtaining and 
maintaining such certifications, including agreement that any 
information obtained directly or derived indirectly from the review of 
information maintained by the technical information clearinghouse--
            (1) shall only be used to improve the security and reduce 
        the vulnerability of networks that use personally identifiable 
        information;
            (2) may not be used for any competitive commercial purpose; 
        and
            (3) may not be shared with any third party, including other 
        parties certified for access to the information clearinghouse, 
        without the express written consent of the Attorney General.
    (e) Rulemaking.--In consultation with the private sector, 
appropriate representatives of State and local governments, and other 
appropriate Federal agencies, the Attorney General shall promulgate any 
regulations pursuant to section 553 of title 5, United States Code, 
necessary to carry out the provisions of this section.

SEC. 231. PROTECTIONS FOR CLEARINGHOUSE PARTICIPANTS.

    (a) Protection of Proprietary Information.--To the extent feasible, 
the Attorney General shall ensure that any technical information 
disclosed to the Attorney General under this subtitle shall be stored 
in a format designed to protect proprietary business information from 
inadvertent disclosure.
    (b) Anonymous Data Release.--To the extent feasible, the Attorney 
General shall ensure that all information stored in the technical 
information clearinghouse and accessed by certified parties is 
presented in a form that minimizes the potential for such information 
to be traced to a particular network, company, or security breach 
incident.
    (c) Protection From Public Disclosure.--Except as otherwise 
provided in this subtitle--
            (1) security and vulnerability information collected under 
        this section and provided to the Federal Government, including 
        aggregated analysis and data, shall be exempt from disclosure 
        under section 552(b)(3) of title 5, United States Code; and
            (2) under section 230(e), security and vulnerability-
        related information provided to the Federal Government under 
        this section, including aggregated analysis and data, shall be 
        protected from public disclosure, except that this paragraph--
                    (A) does not prohibit the sharing of such 
                information, as the Attorney General determines to be 
                appropriate, in order to mitigate cybersecurity threats 
                or further the official functions of a government 
                agency; and
                    (B) does not authorize such information to be 
                withheld from a committee of Congress authorized to 
                request the information.
    (d) Protection of Classified Information.--Nothing in this subtitle 
permits the unauthorized disclosure of classified information.

SEC. 232. EFFECTIVE DATE.

    This subtitle shall take effect on the expiration of the date which 
is 90 days after the date of enactment of this Act.

            TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA

SEC. 301. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.

    (a) In General.--In considering contract awards totaling more than 
$500,000 and entered into after the date of enactment of this Act with 
data brokers, the Administrator of the General Services Administration 
shall evaluate--
            (1) the data privacy and security program of a data broker 
        to ensure the privacy and security of data containing 
        personally identifiable information, including whether such 
        program adequately addresses privacy and security threats 
        created by malicious software or code, or the use of peer-to-
        peer file sharing software;
            (2) the compliance of a data broker with such program;
            (3) the extent to which the databases and systems 
        containing personally identifiable information of a data broker 
        have been compromised by security breaches; and
            (4) the response by a data broker to such breaches, 
        including the efforts by such data broker to mitigate the 
        impact of such security breaches.
    (b) Compliance Safe Harbor.--The data privacy and security program 
of a data broker shall be deemed sufficient for the purposes of 
subsection (a), if the data broker complies with or provides protection 
equal to industry standards, as identified by the Federal Trade 
Commission, that are applicable to the type of personally identifiable 
information involved in the ordinary course of business of such data 
broker.
    (c) Penalties.--In awarding contracts with data brokers for 
products or services related to access, use, compilation, distribution, 
processing, analyzing, or evaluating personally identifiable 
information, the Administrator of the General Services Administration 
shall--
            (1) include monetary or other penalties--
                    (A) for failure to comply with subtitles A and B of 
                title III; or
                    (B) if a contractor knows or has reason to know 
                that the personally identifiable information being 
                provided is inaccurate, and provides such inaccurate 
                information; and
            (2) require a data broker that engages service providers 
        not subject to subtitle A of title III for responsibilities 
        related to sensitive personally identifiable information to--
                    (A) exercise appropriate due diligence in selecting 
                those service providers for responsibilities related to 
                personally identifiable information;
                    (B) take reasonable steps to select and retain 
                service providers that are capable of maintaining 
                appropriate safeguards for the security, privacy, and 
                integrity of the personally identifiable information at 
                issue; and
                    (C) require such service providers, by contract, to 
                implement and maintain appropriate measures designed to 
                meet the objectives and requirements in title III.
    (d) Limitation.--The penalties under subsection (c) shall not apply 
to a data broker providing information that is accurately and 
completely recorded from a public record source or licensor.

SEC. 302. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF 
              CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.

    Section 3544(b) of title 44, United States Code, is amended--
            (1) in paragraph (7)(C)(iii), by striking ``and'' after the 
        semicolon;
            (2) in paragraph (8), by striking the period and inserting 
        ``; and''; and
            (3) by adding at the end the following:
            ``(9) procedures for evaluating and auditing the 
        information security practices of contractors or third party 
        business entities supporting the information systems or 
        operations of the agency involving personally identifiable 
        information (as that term is defined in section 3 of the 
        Personal Data Protection and Breach Accountability Act of 2011) 
        and ensuring remedial action to address any significant 
        deficiencies.''.

SEC. 303. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL 
              INFORMATION SERVICES CONTAINING PERSONALLY IDENTIFIABLE 
              INFORMATION.

    (a) In General.--Section 208(b)(1) of the E-Government Act of 2002 
(44 U.S.C. 3501 note) is amended--
            (1) in subparagraph (A)(i), by striking ``or'';
            (2) in subparagraph (A)(ii), by striking the period and 
        inserting ``; or''; and
            (3) by inserting after clause (ii) the following:
                            ``(iii) purchasing or subscribing for a fee 
                        to personally identifiable information from a 
                        data broker (as such terms are defined in 
                        section 3 of the Personal Data Protection and 
                        Breach Accountability Act of 2011).''.
    (b) Limitation.--Notwithstanding any other provision of law, 
commencing 1 year after the date of enactment of this Act, no Federal 
agency may enter into a contract with a data broker to access for a fee 
any database consisting primarily of personally identifiable 
information concerning United States persons (other than news reporting 
or telephone directories) unless the head of such department or 
agency--
            (1) completes a privacy impact assessment under section 208 
        of the E-Government Act of 2002 (44 U.S.C. 3501 note), which 
        shall, subject to the provision in that Act pertaining to 
        sensitive information, include a description of--
                    (A) such database;
                    (B) the name of the data broker from whom it is 
                obtained; and
                    (C) the amount of the contract for use;
            (2) adopts regulations that specify--
                    (A) the personnel permitted to access, analyze, or 
                otherwise use such databases;
                    (B) standards governing the access, analysis, or 
                use of such databases;
                    (C) any standards used to ensure that the 
                personally identifiable information accessed, analyzed, 
                or used is the minimum necessary to accomplish the 
                intended legitimate purpose of the Federal agency;
                    (D) standards limiting the retention and 
                redisclosure of personally identifiable information 
                obtained from such databases;
                    (E) procedures ensuring that such data meet 
                standards of accuracy, relevance, completeness, and 
                timeliness;
                    (F) the auditing and security measures to protect 
                against unauthorized access, analysis, use, or 
                modification of data in such databases;
                    (G) applicable mechanisms by which individuals may 
                secure timely redress for any adverse consequences 
                wrongly incurred due to the access, analysis, or use of 
                such databases;
                    (H) mechanisms, if any, for the enforcement and 
                independent oversight of existing or planned 
                procedures, policies, or guidelines; and
                    (I) an outline of enforcement mechanisms for 
                accountability to protect individuals and the public 
                against unlawful or illegitimate access or use of 
                databases; and
            (3) incorporates into the contract or other agreement 
        totaling more than $500,000, provisions--
                    (A) providing for penalties--
                            (i) for failure to comply with title III of 
                        this Act; or
                            (ii) if the entity knows or has reason to 
                        know that the personally identifiable 
                        information being provided to the Federal 
                        department or agency is inaccurate, and 
                        provides such inaccurate information; and
                    (B) requiring a data broker that engages service 
                providers not subject to subtitle A of title III for 
                responsibilities related to sensitive personally 
                identifiable information to--
                            (i) exercise appropriate due diligence in 
                        selecting those service providers for 
                        responsibilities related to personally 
                        identifiable information;
                            (ii) take reasonable steps to select and 
                        retain service providers that are capable of 
                        maintaining appropriate safeguards for the 
                        security, privacy, and integrity of the 
                        personally identifiable information at issue; 
                        and
                            (iii) require such service providers, by 
                        contract, to implement and maintain appropriate 
                        measures designed to meet the objectives and 
                        requirements in title III.
    (c) Limitation on Penalties.--The penalties under subsection 
(b)(3)(A) shall not apply to a data broker providing information that 
is accurately and completely recorded from a public record source.
    (d) Study of Government Use.--
            (1) Scope of study.--Not later than 180 days after the date 
        of enactment of this Act, the Comptroller General of the United 
        States shall conduct a study and audit and prepare a report on 
        Federal agency actions to address the recommendations in the 
        Government Accountability Office's April 2006 report on agency 
        adherence to key privacy principles in using data brokers or 
        commercial databases containing personally identifiable 
        information.
            (2) Report.--A copy of the report required under paragraph 
        (1) shall be submitted to Congress.

SEC. 304. FBI REPORT ON REPORTED BREACHES AND COMPLIANCE.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, and each year thereafter, the Federal Bureau of 
Investigation, in coordination with the Secret Service, shall submit to 
the Committee on the Judiciary of the Senate and the Committee on the 
Judiciary of the House of Representatives a report regarding any 
reported breaches at agencies or business entities during the preceding 
year.
    (b) Report Content.--Such reporting shall include--
            (1) the total instances of breaches of security in the 
        previous year;
            (2) the percentage of breaches described in subsection (a) 
        that occurred at an agency or business entity that did not 
        comply with the personal data privacy and security program 
        under section 202; and
            (3) recommendations, if any, for modifying or amending this 
        Act to increase its effectiveness.

SEC. 305. DEPARTMENT OF JUSTICE REPORT ON ENFORCEMENT ACTIONS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, and each year thereafter, the Attorney General shall 
submit to Congress a report on the enforcement actions taken in the 
previous year in cases of violations of any sections of this Act.
    (b) Report Content.--The report required under subsection (a) shall 
include--
            (1) statistics on Federal enforcement actions, State 
        attorneys general enforcement actions, and private enforcement 
        actions related to the provisions of this Act; and
            (2) recommendations, if any, for modifying or amending this 
        Act to increase the effectiveness of such enforcement actions.

SEC. 306. DEPARTMENT OF JUSTICE REPORT ON ENFORCEMENT ACTIONS.

    Section 529 of title 28, United States Code, is amended by adding 
at the end the following:
    ``(c) Not later than 1 year after the date of enactment of the 
Personal Data Protection and Breach Accountability Act of 2011, and 
every fiscal year thereafter, the Attorney General shall submit to 
Congress a report on the efforts of the Federal Government to enforce 
the Personal Data Protection and Breach Accountability Act of 2011 that 
shall include a description of the best practices for enforcement of 
such Act.''.

SEC. 307. FBI REPORT ON NOTIFICATION EFFECTIVENESS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, and each year thereafter, the Federal Bureau of 
Investigation, in coordination with the Secret Service, shall submit to 
the Committee on the Judiciary of the Senate and the Committee on the 
Judiciary of the House of Representatives a report regarding the 
effectiveness of post-breach notification practices by agencies and 
business entities.
    (b) Report Content.--The report required under subsection (a) shall 
include--
            (1) in each instance of a breach of security, the amount of 
        time between the instance of the breach and the discovery of 
        the breach by the affected business entity;
            (2) in each instance of a breach of security, the amount of 
        time between the discovery of the breach by the affected 
        business entity and the notification to the FBI and Secret 
        Service; and
            (3) in each instance of a breach of security, the amount of 
        time between the discovery of the breach by the affected 
        business entity and the notification to individuals whose 
        sensitive personally identifiable information was compromised.

         TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

SEC. 401. BUDGET COMPLIANCE.

    The budgetary effects of this Act, for the purpose of complying 
with the Statutory Pay-As-You-Go Act of 2010, shall be determined by 
reference to the latest statement titled ``Budgetary Effects of PAYGO 
Legislation'' for this Act, submitted for printing in the Congressional 
Record by the Chairman of the Senate Budget Committee, provided that 
such statement has been submitted prior to the vote on passage.