[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[S. 1535 Reported in Senate (RS)]

                                                       Calendar No. 182
112th CONGRESS
  1st Session
                                S. 1535

  To protect consumers by mitigating the vulnerability of personally 
identifiable information to theft through a security breach, providing 
notice and remedies to consumers in the wake of such a breach, holding 
   companies accountable for preventable breaches, facilitating the 
  sharing of post-breach technical information between companies, and 
 enhancing criminal and civil penalties and other protections against 
     the unauthorized collection or use of personally identifiable 
                              information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 8, 2011

 Mr. Blumenthal (for himself and Mr. Franken) introduced the following 
    bill; which was read twice and referred to the Committee on the 
                               Judiciary

                           September 22, 2011

                Reported by Mr. Leahy, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
  To protect consumers by mitigating the vulnerability of personally 
identifiable information to theft through a security breach, providing 
notice and remedies to consumers in the wake of such a breach, holding 
   companies accountable for preventable breaches, facilitating the 
  sharing of post-breach technical information between companies, and 
 enhancing criminal and civil penalties and other protections against 
     the unauthorized collection or use of personally identifiable 
                              information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>

<DELETED>    (a) Short Title.--This Act may be cited as the ``Personal 
Data Protection and Breach Accountability Act of 2011''.</DELETED>
<DELETED>    (b) Table of Contents.--The table of contents of this Act 
is as follows:</DELETED>

<DELETED>Sec. 1. Short title; table of contents.
<DELETED>Sec. 2. Findings.
<DELETED>Sec. 3. Definitions.
  <DELETED>TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER 
                VIOLATIONS OF DATA PRIVACY AND SECURITY

<DELETED>Sec. 101. Organized criminal activity in connection with 
                            unauthorized access to personally 
                            identifiable information.
<DELETED>Sec. 102. Concealment of security breaches involving sensitive 
                            personally identifiable information.
<DELETED>Sec. 103. Penalties for fraud and related activity in 
                            connection with computers.
<DELETED>Sec. 104. False notification.
<DELETED>Sec. 105. Unauthorized installation of personal information 
                            collection features on a user's computer.
  <DELETED>TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE 
                              INFORMATION

        <DELETED>Subtitle A--A Data Privacy and Security Program

<DELETED>Sec. 201. Purpose and applicability of data privacy and 
                            security program.
<DELETED>Sec. 202. Requirements for a personal data privacy and 
                            security program.
<DELETED>Sec. 203. Federal enforcement.
<DELETED>Sec. 204. Enforcement by State Attorneys General.
<DELETED>Sec. 205. Supplemental enforcement by individuals.
           <DELETED>Subtitle B--Security Breach Notification

<DELETED>Sec. 211. Notice to individuals.
<DELETED>Sec. 212. Exemptions from notice to individuals.
<DELETED>Sec. 213. Methods of notice to individuals.
<DELETED>Sec. 214. Content of notice to individuals.
<DELETED>Sec. 215. Remedies for security breach.
<DELETED>Sec. 216. Notice to credit reporting agencies.
<DELETED>Sec. 217. Notice to law enforcement.
<DELETED>Sec. 218. Federal enforcement.
<DELETED>Sec. 219. Enforcement by State attorneys general.
<DELETED>Sec. 220. Supplemental enforcement by individuals.
<DELETED>Sec. 221. Relation to other laws.
<DELETED>Sec. 222. Authorization of appropriations.
<DELETED>Sec. 223. Reporting on risk assessment exemptions.
  <DELETED>Subtitle C--Post-Breach Technical Information Clearinghouse

<DELETED>Sec. 230. Clearinghouse information collection, maintenance, 
                            and access.
<DELETED>Sec. 231. Protections for clearinghouse participants.
<DELETED>Sec. 232. Effective date.
        <DELETED>TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA

<DELETED>Sec. 301. General services administration review of contracts.
<DELETED>Sec. 302. Requirement to audit information security practices 
                            of contractors and third party business 
                            entities.
<DELETED>Sec. 303. Privacy impact assessment of government use of 
                            commercial information services containing 
                            personally identifiable information.
<DELETED>Sec. 304. FBI report on reported breaches and compliance.
<DELETED>Sec. 305. Department of Justice report on enforcement actions.
<DELETED>Sec. 306. Department of Justice report on enforcement actions.
<DELETED>Sec. 307. FBI report on notification effectiveness.
     <DELETED>TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

<DELETED>Sec. 401. Budget compliance.

<DELETED>SEC. 2. FINDINGS.</DELETED>

<DELETED>    Congress finds that--</DELETED>
        <DELETED>    (1) databases of personally identifiable 
        information are increasingly prime targets of hackers, identity 
        thieves, rogue employees, and other criminals, including 
        organized and sophisticated criminal operations;</DELETED>
        <DELETED>    (2) identity theft is a serious threat to the 
        Nation's economic stability, homeland security, the development 
        of e-commerce, and the privacy rights of Americans;</DELETED>
        <DELETED>    (3) over 9,300,000 individuals were victims of 
        identity theft in America last year;</DELETED>
        <DELETED>    (4) security breaches are a serious threat to 
        consumer confidence, homeland security, e-commerce, and 
        economic stability;</DELETED>
        <DELETED>    (5) it is important for business entities that 
        own, use, or license personally identifiable information to 
        adopt reasonable procedures to ensure the security, privacy, 
        and confidentiality of that personally identifiable 
        information;</DELETED>
        <DELETED>    (6) individuals whose personal information has 
        been compromised or who have been victims of identity theft 
        should receive the necessary information and assistance to 
        mitigate their damages and to restore the integrity of their 
        personal information and identities;</DELETED>
        <DELETED>    (7) data brokers have assumed a significant role 
        in providing identification, authentication, and screening 
        services, and related data collection and analyses for 
        commercial, nonprofit, and government operations;</DELETED>
        <DELETED>    (8) data misuse and use of inaccurate data have 
        the potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government 
        operations;</DELETED>
        <DELETED>    (9) there is a need to ensure that data brokers 
        conduct their operations in a manner that prioritizes fairness, 
        transparency, accuracy, and respect for the privacy of 
        consumers;</DELETED>
        <DELETED>    (10) government access to commercial data can 
        potentially improve safety, law enforcement, and national 
        security;</DELETED>
        <DELETED>    (11) because government use of commercial data 
        containing personal information potentially affects individual 
        privacy, and law enforcement and national security operations, 
        there is a need for Congress to exercise oversight over 
        government use of commercial data;</DELETED>
        <DELETED>    (12) over 22,960,000 cases of data breaches 
        involving personally identifiable information were reported 
        through July of 2011, and in 2009 through 2010, over 
        230,900,000 cases of personal data breaches were 
        reported;</DELETED>
        <DELETED>    (13) facilitating information sharing among 
        business entities and across sectors in the event of a breach 
        can assist in remediating the breach and preventing similar 
        breaches in the future;</DELETED>
        <DELETED>    (14) because the Federal Government has limited 
        resources, consumers themselves play a vital and complementary 
        role in facilitating prompt notification and protecting against 
        future breaches of security;</DELETED>
        <DELETED>    (15) in addition to the immediate damages caused 
        by security breaches, the lack of basic remedial requirements 
        often forces individuals whose sensitive personally 
        identifiable information is compromised as a result of a 
        security breach to incur the economic costs of litigation to 
        seek remedies, and the economic costs of fees required in many 
        States to freeze compromised accounts; and</DELETED>
        <DELETED>    (16) victims of personal data breaches may suffer 
        debilitating emotional and physical effects and become 
        depressed or anxious, especially in cases of repeated or 
        unresolved instances of data breaches.</DELETED>

<DELETED>SEC. 3. DEFINITIONS.</DELETED>

<DELETED>    In this Act, the following definitions shall 
apply:</DELETED>
        <DELETED>    (1) Affiliate.--The term ``affiliate'' means 
        persons related by common ownership or by corporate 
        control.</DELETED>
        <DELETED>    (2) Agency.--The term ``agency'' has the meaning 
        given such term in section 551 of title 5, United States 
        Code.</DELETED>
        <DELETED>    (3) Business entity.--The term ``business entity'' 
        means any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or venture 
        established to make a profit, or nonprofit.</DELETED>
        <DELETED>    (4) Credit rating agency.--The term ``credit 
        rating agency'' has the meaning given such term in section 
        3(a)(61) of the Securities Exchange Act of 1934 (12 U.S.C. 
        78c(a)(61)).</DELETED>
        <DELETED>    (5) Credit report.--The term ``credit report'' 
        means a consumer report, as that term is defined in section 603 
        of the Fair Credit Reporting Act (15 U.S.C. 1681a).</DELETED>
        <DELETED>    (6) Data broker.--The term ``data broker'' means a 
        business entity which for monetary fees or dues regularly 
        engages in the practice of collecting, transmitting, or 
        providing access to sensitive personally identifiable 
        information on more than 5,000 individuals who are not the 
        customers or employees of that business entity or affiliate 
        primarily for the purposes of providing such information to 
        nonaffiliated third parties on an interstate basis.</DELETED>
        <DELETED>    (7) Data furnisher.--The term ``data furnisher'' 
        means any agency, organization, corporation, trust, 
        partnership, sole proprietorship, unincorporated association, 
        or nonprofit that serves as a source of information for a data 
        broker.</DELETED>
        <DELETED>    (8) Encryption.--The term ``encryption''--
        </DELETED>
                <DELETED>    (A) means the protection of data in 
                electronic form, in storage or in transit, using an 
                encryption technology that has been adopted by a widely 
                accepted standards setting body or, has been widely 
                accepted as an effective industry practice which 
                renders such data indecipherable in the absence of 
                associated cryptographic keys necessary to enable 
                decryption of such data; and</DELETED>
                <DELETED>    (B) includes appropriate management and 
                safeguards of such cryptographic keys so as to protect 
                the integrity of the encryption.</DELETED>
        <DELETED>    (9) Identity theft.--The term ``identity theft'' 
        means a violation of section 1028(a)(7) of title 18, United 
        States Code.</DELETED>
        <DELETED>    (10) Intelligence community.--The term 
        ``intelligence community'' includes the following:</DELETED>
                <DELETED>    (A) The Office of the Director of National 
                Intelligence.</DELETED>
                <DELETED>    (B) The Central Intelligence 
                Agency.</DELETED>
                <DELETED>    (C) The National Security 
                Agency.</DELETED>
                <DELETED>    (D) The Defense Intelligence 
                Agency.</DELETED>
                <DELETED>    (E) The National Geospatial-Intelligence 
                Agency.</DELETED>
                <DELETED>    (F) The National Reconnaissance 
                Office.</DELETED>
                <DELETED>    (G) Other offices within the Department of 
                Defense for the collection of specialized national 
                intelligence through reconnaissance programs.</DELETED>
                <DELETED>    (H) The intelligence elements of the Army, 
                the Navy, the Air Force, the Marine Corps, the Federal 
                Bureau of Investigation, and the Department of 
                Energy.</DELETED>
                <DELETED>    (I) The Bureau of Intelligence and 
                Research of the Department of State.</DELETED>
                <DELETED>    (J) The Office of Intelligence and 
                Analysis of the Department of the Treasury.</DELETED>
                <DELETED>    (K) The elements of the Department of 
                Homeland Security concerned with the analysis of 
                intelligence information, including the Office of 
                Intelligence of the Coast Guard.</DELETED>
                <DELETED>    (L) Such other elements of any other 
                department or agency as may be designated by the 
                President, or designated jointly by the Director of 
                National Intelligence and the head of the department or 
                agency concerned, as an element of the intelligence 
                community.</DELETED>
        <DELETED>    (11) Personal electronic record.--</DELETED>
                <DELETED>    (A) In general.--The term ``personal 
                electronic record'' means data associated with an 
                individual contained in a database, networked or 
                integrated databases, or other data system that is 
                provided by a data broker to nonaffiliated third 
                parties and includes personally identifiable 
                information about that individual.</DELETED>
                <DELETED>    (B) Exclusions.--The term ``personal 
                electronic record'' does not include--</DELETED>
                        <DELETED>    (i) any data related to an 
                        individual's past purchases of consumer goods; 
                        or</DELETED>
                        <DELETED>    (ii) any proprietary assessment or 
                        evaluation of an individual or any proprietary 
                        assessment or evaluation of information about 
                        an individual.</DELETED>
        <DELETED>    (12) Personally identifiable information.--The 
        term ``personally identifiable information'' means any 
        information, or compilation of information, in electronic or 
        digital form that is a means of identification (as defined in 
        section 1028(d)(7) of title 18, United States Code).</DELETED>
        <DELETED>    (13) Predispute arbitration agreement.--The term 
        ``predispute arbitration agreement'' means any agreement to 
        arbitrate a dispute that had not yet arisen at the time of the 
        making of the agreement.</DELETED>
        <DELETED>    (14) Public record source.--The term ``public 
        record source'' means the Congress, any agency, any State or 
        local government agency, the government of the District of 
        Columbia and governments of the territories or possessions of 
        the United States, and Federal, State or local courts, courts 
        martial and military commissions, that maintain personally 
        identifiable information in records available to the 
        public.</DELETED>
        <DELETED>    (15) Security breach.--</DELETED>
                <DELETED>    (A) In general.--The term ``security 
                breach'' means compromise of the security, 
                confidentiality, or integrity of computerized data 
                through misrepresentation or actions--</DELETED>
                        <DELETED>    (i) that result in, or that there 
                        is a reasonable basis to conclude has resulted 
                        in--</DELETED>
                                <DELETED>    (I) the unauthorized 
                                acquisition of sensitive personally 
                                identifiable information; or</DELETED>
                                <DELETED>    (II) access to sensitive 
                                personally identifiable information 
                                that is for an unauthorized purpose, or 
                                in excess of authorization; 
                                and</DELETED>
                        <DELETED>    (ii) which present a significant 
                        risk of harm or fraud to any 
                        individual.</DELETED>
                <DELETED>    (B) Exclusion.--The term ``security 
                breach'' does not include--</DELETED>
                        <DELETED>    (i) a good faith acquisition of 
                        sensitive personally identifiable information 
                        by a business entity or agency, or an employee 
                        or agent of a business entity or agency, if the 
                        sensitive personally identifiable information 
                        is not subject to further unauthorized 
                        disclosure;</DELETED>
                        <DELETED>    (ii) the release of a public 
                        record not otherwise subject to confidentiality 
                        or nondisclosure requirements; or</DELETED>
                        <DELETED>    (iii) any lawfully authorized 
                        criminal investigation or authorized 
                        investigative, protective, or intelligence 
                        activities that are carried out by or on behalf 
                        of any element of the intelligence community 
                        and conducted in accordance with the United 
                        States laws, authorities, and regulations 
                        governing such intelligence 
                        activities.</DELETED>
        <DELETED>    (16) Security freeze.--The term ``security 
        freeze'' means a notice, at the request of the consumer and 
        subject to exceptions in section 215(b), that prohibits the 
        consumer reporting agency from releasing all or any part of the 
        consumer's credit report or any information derived from it 
        without the express authorization of the consumer.</DELETED>
        <DELETED>    (17) Sensitive personally identifiable 
        information.--The term ``sensitive personally identifiable 
        information'' means any information or compilation of 
        information, in electronic or digital form that includes--
        </DELETED>
                <DELETED>    (A) an individual's first and last name or 
                first initial and last name in combination with any 1 
                of the following data elements:</DELETED>
                        <DELETED>    (i) A nontruncated social security 
                        number, driver's license number, passport 
                        number, or alien registration number.</DELETED>
                        <DELETED>    (ii) Any 2 of the 
                        following:</DELETED>
                                <DELETED>    (I) Home 
                                address.</DELETED>
                                <DELETED>    (II) Telephone 
                                number.</DELETED>
                                <DELETED>    (III) Mother's maiden 
                                name.</DELETED>
                                <DELETED>    (IV) Month, day, and year 
                                of birth.</DELETED>
                        <DELETED>    (iii) Unique biometric data such 
                        as a finger print, voice print, a retina or 
                        iris image, or any other unique physical 
                        representation.</DELETED>
                        <DELETED>    (iv) A unique account identifier, 
                        electronic identification number, user name, or 
                        routing code in combination with any associated 
                        security code, access code, or password if the 
                        code or password is required for an individual 
                        to obtain money, goods, services, or any other 
                        thing of value;</DELETED>
                <DELETED>    (B) a financial account number or credit 
                or debit card number in combination with any security 
                code, access code, or password that is required for an 
                individual to obtain credit, withdraw funds, or engage 
                in a financial transaction; or</DELETED>
                <DELETED>    (C) any other combination of data elements 
                that could allow unauthorized access to or acquisition 
                of the information described in subparagraph (A) or 
                (B), including--</DELETED>
                        <DELETED>    (i) a unique account 
                        identifier;</DELETED>
                        <DELETED>    (ii) an electronic identification 
                        number;</DELETED>
                        <DELETED>    (iii) a user name;</DELETED>
                        <DELETED>    (iv) a routing code; or</DELETED>
                        <DELETED>    (v) any associated security code, 
                        access code, or password or any associated 
                        security questions and answers that could allow 
                        unauthorized access to the account.</DELETED>

  <DELETED>TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER 
           VIOLATIONS OF DATA PRIVACY AND SECURITY</DELETED>

<DELETED>SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH 
              UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
              INFORMATION.</DELETED>

<DELETED>    Section 1961(1) of title 18, United States Code, is 
amended by inserting ``section 1030 (relating to fraud and related 
activity in connection with computers) if the act is a felony,'' before 
``section 1084''.</DELETED>

<DELETED>SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.</DELETED>

<DELETED>    (a) In General.--Chapter 47 of title 18, United States 
Code, is amended by adding at the end the following:</DELETED>
<DELETED>``Sec. 1041. Concealment of security breaches involving 
              sensitive personally identifiable information</DELETED>
<DELETED>    ``(a) Whoever, having knowledge of a security breach and 
having the obligation to provide notice of such breach to individuals 
under the Personal Data Protection and Breach Accountability Act of 
2011, and having not otherwise qualified for an exemption from 
providing notice under section 212 of the Personal Data Protection and 
Breach Accountability Act of 2011, intentionally or willfully conceals 
the fact of such security breach and which breach causes economic 
damage or substantial emotional distress to 1 or more persons, shall be 
fined under this title or imprisoned not more than 5 years, or 
both.</DELETED>
<DELETED>    ``(b) For purposes of subsection (a), the term `person' 
has the same meaning as in section 1030(e)(12) of title 18, United 
States Code.</DELETED>
<DELETED>    ``(c) Any person seeking an exemption under section 212(b) 
of the Personal Data Protection and Breach Accountability Act of 2011 
shall be immune from prosecution under this section if the United 
States Secret Service does not indicate, in writing, that such notice 
be given under section 212(b)(3) of the Personal Data Protection and 
Breach Accountability Act of 2011.''.</DELETED>
<DELETED>    (b) Conforming and Technical Amendments.--The table of 
sections for chapter 47 of title 18, United States Code, is amended by 
adding at the end the following:</DELETED>

<DELETED>``1041. Concealment of security breaches involving personally 
                            identifiable information.''.
<DELETED>    (c) Enforcement Authority.--</DELETED>
        <DELETED>    (1) In general.--The United States Secret Service 
        shall have the authority to investigate offenses under this 
        section.</DELETED>
        <DELETED>    (2) Nonexclusivity.--The authority granted in 
        paragraph (1) shall not be exclusive of any existing authority 
        held by any other Federal agency.</DELETED>

<DELETED>SEC. 103. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
              CONNECTION WITH COMPUTERS.</DELETED>

<DELETED>    Section 1030(c) of title 18, United States Code, is 
amended--</DELETED>
        <DELETED>    (1) by inserting ``or conspiracy'' after ``or an 
        attempt'' each place it appears, except for paragraph 
        (4);</DELETED>
        <DELETED>    (2) in paragraph (2)(B)--</DELETED>
                <DELETED>    (A) in clause (i), by inserting ``, or 
                attempt or conspiracy or conspiracy to commit an 
                offense,'' after ``the offense'';</DELETED>
                <DELETED>    (B) in clause (ii), by inserting ``, or 
                attempt or conspiracy or conspiracy to commit an 
                offense,'' after ``the offense''; and</DELETED>
                <DELETED>    (C) in clause (iii), by inserting ``(or, 
                in the case of an attempted offense, would, if 
                completed, have obtained)'' after ``information 
                obtained''; and</DELETED>
        <DELETED>    (3) in paragraph (4)--</DELETED>
                <DELETED>    (A) in subparagraph (A)--</DELETED>
                        <DELETED>    (i) by striking clause 
                        (ii);</DELETED>
                        <DELETED>    (ii) by striking ``in the case 
                        of--'' and all that follows through ``an 
                        offense under subsection (a)(5)(B)'' and 
                        inserting ``in the case of an offense, or an 
                        attempt or conspiracy to commit an offense, 
                        under subsection (a)(5)(B)'';</DELETED>
                        <DELETED>    (iii) by inserting ``or 
                        conspiracy'' after ``if the 
                        offense'';</DELETED>
                        <DELETED>    (iv) by redesignating subclauses 
                        (I) through (VI) as clauses (i) through (vi), 
                        respectively, and adjusting the margin 
                        accordingly; and</DELETED>
                        <DELETED>    (v) in clause (vi), as so 
                        redesignated, by striking ``; or'' and 
                        inserting a semicolon;</DELETED>
                <DELETED>    (B) in subparagraph (B)--</DELETED>
                        <DELETED>    (i) by striking clause 
                        (ii);</DELETED>
                        <DELETED>    (ii) by striking ``in the case 
                        of--'' and all that follows through ``an 
                        offense under subsection (a)(5)(A)'' and 
                        inserting ``in the case of an offense, or an 
                        attempt or conspiracy to commit an offense, 
                        under subsection (a)(5)(A)'';</DELETED>
                        <DELETED>    (iii) by inserting ``or 
                        conspiracy'' after ``if the offense''; 
                        and</DELETED>
                        <DELETED>    (iv) by striking ``; or'' and 
                        inserting a semicolon;</DELETED>
                <DELETED>    (C) in subparagraph (C)--</DELETED>
                        <DELETED>    (i) by striking clause 
                        (ii);</DELETED>
                        <DELETED>    (ii) by striking ``in the case 
                        of--'' and all that follows through ``an 
                        offense or an attempt to commit an offense'' 
                        and inserting ``in the case of an offense, or 
                        an attempt or conspiracy to commit an 
                        offense,''; and</DELETED>
                        <DELETED>    (iii) by striking ``; or'' and 
                        inserting a semicolon;</DELETED>
                <DELETED>    (D) in subparagraph (D)--</DELETED>
                        <DELETED>    (i) by striking clause 
                        (ii);</DELETED>
                        <DELETED>    (ii) by striking ``in the case 
                        of--'' and all that follows through ``an 
                        offense or an attempt to commit an offense'' 
                        and inserting ``in the case of an offense, or 
                        an attempt or conspiracy to commit an 
                        offense,''; and</DELETED>
                        <DELETED>    (iii) by striking ``; or'' and 
                        inserting a semicolon;</DELETED>
                <DELETED>    (E) in subparagraph (E), by inserting ``or 
                conspires'' after ``offender attempts'';</DELETED>
                <DELETED>    (F) in subparagraph (F), by inserting ``or 
                conspires'' after ``offender attempts''; and</DELETED>
                <DELETED>    (G) in subparagraph (G)(ii), by inserting 
                ``or conspiracy'' after ``an attempt''.</DELETED>

<DELETED>SEC. 104. FALSE NOTIFICATION.</DELETED>

<DELETED>    (a) In General.--It shall be unlawful for an individual to 
send a notification of a breach of security that is false or 
intentionally misleading in order to obtain sensitive personally 
identifiable information in an effort to defraud an 
individual.</DELETED>
<DELETED>    (b) Penalty.--Any person that violates subsection (a) 
shall be fined not more than $1,000,000, imprisoned not more than 5 
years, or both.</DELETED>
<DELETED>    (c) Rule of Construction.--For purposes of this section, 
any single action or conduct that violates subsection (a) with respect 
to multiple protected computers shall be construed to be a single 
violation.</DELETED>

<DELETED>SEC. 105. UNAUTHORIZED INSTALLATION OF PERSONAL INFORMATION 
              COLLECTION FEATURES ON A USER'S COMPUTER.</DELETED>

<DELETED>    (a) Definition.--In this section, the term ``protected 
computer'' has the meaning given the term in section 1030(e)(2) of 
title 18, United States Code.</DELETED>
<DELETED>    (b) In General.--It shall be unlawful for a person that is 
not an authorized user of a protected computer to cause the 
installation on the protected computer of software that collects 
sensitive personally identifiable information from an authorized user, 
unless the person--</DELETED>
        <DELETED>    (1) provides a clear and conspicuous disclosure of 
        such collection; and</DELETED>
        <DELETED>    (2) obtains the consent of an authorized user of 
        the protected computer prior to any collection of sensitive 
        personally identifiable information.</DELETED>
<DELETED>    (c) Collection and Use of Personal Information in Web 
Searches.--It shall be unlawful for an Internet service provider or 
proxy server to knowingly or intentionally--</DELETED>
        <DELETED>    (1) bypass the display of search engine results 
        and redirect web searches or queries entered by an authorized 
        user of a protected computer directly to a commercial website, 
        counterfeit web page, or targeted advertisement and derive an 
        economic benefit from such activity; or</DELETED>
        <DELETED>    (2) monitor, manipulate, aggregate, and market the 
        data collected in the process of intercepting a web search or 
        query entered by an authorized user of a protected computer and 
        derive an economic benefit from such activity.</DELETED>
<DELETED>    (d) Other Collection of Personal Information.--</DELETED>
        <DELETED>    (1) In general.--It shall be unlawful for a person 
        who is not an authorized user of a protected computer to cause 
        the installation on the protected computer of software that 
        engages in any of the collection practices described in 
        paragraph (2), unless the person--</DELETED>
                <DELETED>    (A) provides a clear and conspicuous 
                disclosure of such collection; and</DELETED>
                <DELETED>    (B) obtains the consent of an authorized 
                user of the protected computer prior to any such 
                collection of information.</DELETED>
        <DELETED>    (2) Collection practices described.--The 
        collection practices described in this paragraph are--
        </DELETED>
                <DELETED>    (A) the use of a keystroke-logging 
                function that records all or substantially all 
                keystrokes made by an owner or operator of a computer 
                and transfers that information from the computer to 
                another person;</DELETED>
                <DELETED>    (B) the collection of data in a manner 
                that--</DELETED>
                        <DELETED>    (i) correlates sensitive 
                        personally identifiable information with a 
                        history of--</DELETED>
                                <DELETED>    (I) all, or substantially 
                                all, of the websites visited by an 
                                owner or operator, other than websites 
                                operated by the person providing such 
                                software; or</DELETED>
                                <DELETED>    (II) all, or substantially 
                                all, of the web searches conducted by 
                                an owner or operator other than search 
                                data collected by a search engine; 
                                and</DELETED>
                        <DELETED>    (ii) uses the information 
                        described in clause (i) to deliver advertising 
                        to, or display advertising on, the computer; 
                        and</DELETED>
                <DELETED>    (C) the extracting from the hard drive or 
                other storage medium of the computer--</DELETED>
                        <DELETED>    (i) the substantive contents of 
                        files, data, software, or other information 
                        knowingly saved or installed by the authorized 
                        user of a protected computer; or</DELETED>
                        <DELETED>    (ii) the substantive contents of 
                        communications sent by an authorized user of a 
                        protected computer to any other 
                        computer.</DELETED>
<DELETED>    (e) Exception.--This section shall not restrict a person 
from causing the installation of software that collects information for 
the provider of an online service or website knowingly used or 
subscribed to by an authorized user if the information collected is 
used only to affect the experience of the user while using that online 
service or website.</DELETED>
<DELETED>    (f) Uninstall Functionality.--</DELETED>
        <DELETED>    (1) In general.--Software that performs any 
        function described in subsection (b) or (c) shall have the 
        capability to subsequently be uninstalled or disabled by an 
        authorized user through a program removal function that is 
        usual and customary with the operating system of the computer 
        or otherwise as clearly and conspicuously disclosed to the 
        user.</DELETED>
        <DELETED>    (2) Authority to uninstall.--Software that enables 
        an authorized user of a protected computer, such as a parent, 
        employer, or system administrator, to choose to prevent another 
        user of the same computer from uninstalling or disabling the 
        software shall not be considered to prevent reasonable efforts 
        to uninstall or disable the software within the meaning of 
        paragraph (1) if not less than 1 authorized user retains the 
        ability to uninstall or disable the software.</DELETED>
<DELETED>    (g) Limitations on Liability.--</DELETED>
        <DELETED>    (1) In general.--The restrictions imposed under 
        this section do not apply to any monitoring of, or interaction 
        with, a subscriber's Internet or other network connection or 
        service, or a protected computer, by or at the direction of a 
        telecommunications carrier, cable operator, computer hardware 
        or software provider, financial institution or provider of 
        information services or interactive computer service for--
        </DELETED>
                <DELETED>    (A) network or computer security 
                purposes;</DELETED>
                <DELETED>    (B) diagnostics;</DELETED>
                <DELETED>    (C) technical support;</DELETED>
                <DELETED>    (D) repair;</DELETED>
                <DELETED>    (E) network management;</DELETED>
                <DELETED>    (F) authorized updates of software or 
                system firmware;</DELETED>
                <DELETED>    (G) authorized remote system 
                management;</DELETED>
                <DELETED>    (H) authorized provision of protection for 
                users of the computer from objectionable 
                content;</DELETED>
                <DELETED>    (I) authorized scanning for computer 
                software used in violation of this section for removal 
                by an authorized user; or</DELETED>
                <DELETED>    (J) detection or prevention of the 
                unauthorized use of software, fraudulent or other 
                illegal activities.</DELETED>
        <DELETED>    (2) Manufacturer's liability for third-party 
        software.--A manufacturer or retailer of a computer shall not 
        be liable under any provision of this section for causing the 
        installation on the computer, prior to the first retail sale 
        and delivery of the computer, of third-party branded software, 
        unless the manufacturer or retailer knowingly allows the 
        installation of such third-party branded software and derives a 
        benefit from the operation of such software.</DELETED>
        <DELETED>    (3) Exception for authorized investigative 
        agencies.--Nothing in this section prohibits any lawfully 
        authorized criminal investigation or authorized investigative, 
        protective, or intelligence activities that are carried out by 
        or on behalf of any element of the intelligence community and 
        conducted in accordance with the United States laws, 
        authorities, and regulations governing such intelligence 
        activities, of a law enforcement agency of the United States, a 
        State, or a political subdivision of a State, or of an 
        intelligence agency of the United States.</DELETED>
<DELETED>    (h) Enforcement by the Attorney General.--</DELETED>
        <DELETED>    (1) Liability and penalty for violations.--Any 
        person who engages in an activity in violation of this section 
        shall be fined not more than $500,000, imprisoned not more than 
        5 years, or both.</DELETED>
        <DELETED>    (2) Enhanced liability and penalties for pattern 
        or practice of violations.--</DELETED>
                <DELETED>    (A) In general.--Any person who engages in 
                a pattern or practice of activity that violates the 
                provisions of this section shall be fined not more than 
                $1,000,000, imprisoned not more than 5 years, or 
                both.</DELETED>
                <DELETED>    (B) Treatment of single action or 
                conduct.--For purposes of subparagraph (A), any single 
                action or conduct that violates this section with 
                respect to multiple protected computers shall be 
                construed as a single violation.</DELETED>
        <DELETED>    (3) Considerations.--In determining the amount of 
        any penalty under paragraph (1) or (2), the court shall take 
        into account--</DELETED>
                <DELETED>    (A) the degree of culpability of the 
                defendant;</DELETED>
                <DELETED>    (B) any history of prior such 
                conduct;</DELETED>
                <DELETED>    (C) the ability of the defendant to pay 
                any fine imposed;</DELETED>
                <DELETED>    (D) the effect on the ability of the 
                defendant to continue to do business; and</DELETED>
                <DELETED>    (E) such other matters as justice may 
                require.</DELETED>

  <DELETED>TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE 
                         INFORMATION</DELETED>

   <DELETED>Subtitle A--A Data Privacy and Security Program</DELETED>

<DELETED>SEC. 201. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND 
              SECURITY PROGRAM.</DELETED>

<DELETED>    (a) Purpose.--The purpose of this subtitle is to ensure 
standards for developing and implementing administrative, technical, 
and physical safeguards to protect the security of sensitive personally 
identifiable information.</DELETED>
<DELETED>    (b) In General.--A business entity engaging in interstate 
commerce that involves collecting, accessing, transmitting, using, 
storing, or disposing of sensitive personally identifiable information 
in electronic or digital form on 10,000 or more United States persons 
is subject to the requirements for a data privacy and security program 
under section 202 for protecting sensitive personally identifiable 
information.</DELETED>
<DELETED>    (c) Limitations.--Notwithstanding any other obligation 
under this subtitle, this subtitle does not apply to:</DELETED>
        <DELETED>    (1) Financial institutions.--Financial 
        institutions--</DELETED>
                <DELETED>    (A) subject to the data security 
                requirements and implementing regulations under the 
                Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); 
                and</DELETED>
                <DELETED>    (B) subject to--</DELETED>
                        <DELETED>    (i) examinations for compliance 
                        with the requirements of this Act by a Federal 
                        Functional Regulator or State Insurance 
                        Authority (as those terms are defined in 
                        section 509 of the Gramm-Leach-Bliley Act (15 
                        U.S.C. 6809)); or</DELETED>
                        <DELETED>    (ii) compliance with part 314 of 
                        title 16, Code of Federal 
                        Regulations.</DELETED>
        <DELETED>    (2) HIPAA regulated entities.--</DELETED>
                <DELETED>    (A) Covered entities.--Covered entities 
                subject to the Health Insurance Portability and 
                Accountability Act of 1996 (42 U.S.C. 1301 et seq.), 
                including the data security requirements and 
                implementing regulations of that Act.</DELETED>
                <DELETED>    (B) Business entities.--A business entity 
                shall be deemed in compliance with this Act if the 
                business entity--</DELETED>
                        <DELETED>    (i) is acting as a business 
                        associate, as that term is defined under the 
                        Health Insurance Portability and Accountability 
                        Act of 1996 (42 U.S.C. 1301 et seq.) and is in 
                        compliance with the requirements imposed under 
                        that Act and implementing regulations 
                        promulgated under that Act; and</DELETED>
                        <DELETED>    (ii) is subject to, and currently 
                        in compliance with, the privacy and data 
                        security requirements under sections 13401 and 
                        13404 of division A of the American 
                        Reinvestment and Recovery Act of 2009 (42 
                        U.S.C. 17931 and 17934) and implementing 
                        regulations promulgated under such 
                        sections.</DELETED>
        <DELETED>    (3) Public records.--Public records not otherwise 
        subject to a confidentiality or nondisclosure requirement, or 
        information obtained from a news report or 
        periodical.</DELETED>
<DELETED>    (d) Rule of Construction.--Nothing in this subtitle shall 
be construed to modify, limit, or supersede the operation of the 
provisions of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), or 
its implementing regulations, including such regulations adopted or 
enforced by the States.</DELETED>

<DELETED>SEC. 202. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND 
              SECURITY PROGRAM.</DELETED>

<DELETED>    (a) Personal Data Privacy and Security Program.--A 
business entity subject to this subtitle shall comply with the 
following safeguards and any other administrative, technical, or 
physical safeguards identified by the Federal Trade Commission in a 
rulemaking process pursuant to section 553 of title 5, United States 
Code, for the protection of sensitive personally identifiable 
information:</DELETED>
        <DELETED>    (1) Scope.--A business entity shall implement a 
        comprehensive personal data privacy and security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity of the business entity 
        and the nature and scope of its activities.</DELETED>
        <DELETED>    (2) Design.--The personal data privacy and 
        security program shall be designed to--</DELETED>
                <DELETED>    (A) ensure the privacy, security, and 
                confidentiality of sensitive personally identifiable 
                information;</DELETED>
                <DELETED>    (B) protect against any anticipated 
                vulnerabilities to the privacy, security, or integrity 
                of sensitive personally identifiable information; 
                and</DELETED>
                <DELETED>    (C) protect against unauthorized access or 
                use of sensitive personally identifiable information 
                that could create a significant risk of harm or fraud 
                to any individual.</DELETED>
        <DELETED>    (3) Risk assessment.--A business entity shall--
        </DELETED>
                <DELETED>    (A) identify reasonably foreseeable 
                internal and external vulnerabilities that could result 
                in unauthorized access, disclosure, use, or alteration 
                of sensitive personally identifiable information or 
                systems containing sensitive personally identifiable 
                information;</DELETED>
                <DELETED>    (B) assess the likelihood of and potential 
                damage from unauthorized access, disclosure, use, or 
                alteration of sensitive personally identifiable 
                information;</DELETED>
                <DELETED>    (C) assess the sufficiency of its 
                policies, technologies, and safeguards in place to 
                control and minimize risks from unauthorized access, 
                disclosure, use, or alteration of sensitive personally 
                identifiable information; and</DELETED>
                <DELETED>    (D) assess the vulnerability of sensitive 
                personally identifiable information during destruction 
                and disposal of such information, including through the 
                disposal or retirement of hardware.</DELETED>
        <DELETED>    (4) Risk management and control.--Each business 
        entity shall--</DELETED>
                <DELETED>    (A) design its personal data privacy and 
                security program to control the risks identified under 
                paragraph (3); and</DELETED>
                <DELETED>    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, and scope of the activities of the business 
                entity that--</DELETED>
                        <DELETED>    (i) control access to systems and 
                        facilities containing sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;</DELETED>
                        <DELETED>    (ii) detect, record, and preserve 
                        information relevant to actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        disclosure, use, or alteration of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access;</DELETED>
                        <DELETED>    (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption, redaction, or access controls that 
                        are widely accepted as an effective industry 
                        practice or industry standard, or other 
                        reasonable means (including as directed for 
                        disposal of records under section 628 of the 
                        Fair Credit Reporting Act (15 U.S.C. 1681w) and 
                        the implementing regulations of such Act as set 
                        forth in section 682 of title 16, Code of 
                        Federal Regulations);</DELETED>
                        <DELETED>    (iv) ensure that sensitive 
                        personally identifiable information is properly 
                        destroyed and disposed of, including during the 
                        destruction of computers, diskettes, and other 
                        electronic media that contain sensitive 
                        personally identifiable information;</DELETED>
                        <DELETED>    (v) trace access to records 
                        containing sensitive personally identifiable 
                        information so that the business entity can 
                        determine who accessed or acquired such 
                        sensitive personally identifiable information 
                        pertaining to specific individuals;</DELETED>
                        <DELETED>    (vi) ensure that no third party or 
                        customer of the business entity is authorized 
                        to access or acquire sensitive personally 
                        identifiable information without the business 
                        entity first performing sufficient due 
                        diligence to ascertain, with reasonable 
                        certainty, that such information is being 
                        sought for a valid legal purpose; and</DELETED>
                        <DELETED>    (vii) minimize the amount of 
                        personal information maintained by the business 
                        entity, providing for the retention of such 
                        personal information only as reasonably needed 
                        for the business purposes of the business 
                        entity or as necessary to comply with any other 
                        provision of law.</DELETED>
<DELETED>    (b) Training.--Each business entity subject to this 
subtitle shall take steps to ensure employee training and supervision 
for implementation of the data security program of the business 
entity.</DELETED>
<DELETED>    (c) Vulnerability Testing.--</DELETED>
        <DELETED>    (1) In general.--Each business entity subject to 
        this subtitle shall take steps to ensure regular testing of key 
        controls, systems, and procedures of the personal data privacy 
        and security program to detect, prevent, and respond to attacks 
        or intrusions, or other system failures.</DELETED>
        <DELETED>    (2) Frequency.--The frequency and nature of the 
        tests required under paragraph (1) shall be determined by the 
        risk assessment of the business entity under subsection 
        (a)(3).</DELETED>
<DELETED>    (d) Relationship to Service Providers.--In the event a 
business entity subject to this subtitle engages service providers not 
subject to this subtitle, such business entity shall--</DELETED>
        <DELETED>    (1) exercise appropriate due diligence in 
        selecting those service providers for responsibilities related 
        to sensitive personally identifiable information, and take 
        reasonable steps to select and retain service providers that 
        are capable of maintaining appropriate safeguards for the 
        security, privacy, and integrity of the sensitive personally 
        identifiable information at issue; and</DELETED>
        <DELETED>    (2) require those service providers by contract to 
        implement and maintain appropriate measures designed to meet 
        the objectives and requirements governing entities subject to 
        section 201, this section, and subtitle B.</DELETED>
<DELETED>    (e) Periodic Assessment and Personal Data Privacy and 
Security Modernization.--Each business entity subject to this subtitle 
shall on a regular basis monitor, evaluate, and adjust, as appropriate, 
its data privacy and security program in light of any relevant changes 
in--</DELETED>
        <DELETED>    (1) technology;</DELETED>
        <DELETED>    (2) the sensitivity of personally identifiable 
        information;</DELETED>
        <DELETED>    (3) internal or external threats to personally 
        identifiable information; and</DELETED>
        <DELETED>    (4) the changing business arrangements of the 
        business entity, such as--</DELETED>
                <DELETED>    (A) mergers and acquisitions;</DELETED>
                <DELETED>    (B) alliances and joint 
                ventures;</DELETED>
                <DELETED>    (C) outsourcing arrangements;</DELETED>
                <DELETED>    (D) bankruptcy; and</DELETED>
                <DELETED>    (E) changes to sensitive personally 
                identifiable information systems.</DELETED>
<DELETED>    (f) Implementation Timeline.--Not later than 1 year after 
the date of enactment of this Act, a business entity subject to the 
provisions of this subtitle shall implement a data privacy and security 
program pursuant to this subtitle.</DELETED>

<DELETED>SEC. 203. FEDERAL ENFORCEMENT.</DELETED>

<DELETED>    (a) Civil Penalties.--</DELETED>
        <DELETED>    (1) In general.--The Attorney General may bring a 
        civil action in the appropriate United States district court 
        against any business entity that engages in conduct 
        constituting a violation of this subtitle and, upon proof of 
        such conduct by a preponderance of the evidence, such business 
        entity shall be subject to a civil penalty of not more than 
        $5,000 per violation per day while such a violation exists, 
        with a maximum of $20,000,000 per violation, unless such 
        conduct is found to be willful or intentional.</DELETED>
        <DELETED>    (2) Intentional or willful violation.--A business 
        entity that intentionally or willfully violates the provisions 
        of this subtitle shall be subject to additional penalties in 
        the amount of $5,000 per violation per day while such a 
        violation exists.</DELETED>
        <DELETED>    (3) Considerations.--In determining the amount of 
        a civil penalty under this subsection, the court shall take 
        into account--</DELETED>
                <DELETED>    (A) the degree of culpability of the 
                business entity;</DELETED>
                <DELETED>    (B) any prior violations of this subtitle 
                by the business entity;</DELETED>
                <DELETED>    (C) the ability of the business entity to 
                pay a civil penalty;</DELETED>
                <DELETED>    (D) the effect on the ability of the 
                business entity to continue to do business;</DELETED>
                <DELETED>    (E) the number of individuals whose 
                personally identifiable information was compromised by 
                the breach;</DELETED>
                <DELETED>    (F) the relative cost of compliance with 
                this subtitle; and</DELETED>
                <DELETED>    (G) such other matters as justice may 
                require.</DELETED>
<DELETED>    (b) Injunctive Actions by the Attorney General.--
</DELETED>
        <DELETED>    (1) In general.--If it appears that a business 
        entity has engaged, or is engaged, in any act or practice 
        constituting a violation of this subtitle, the Attorney General 
        may petition an appropriate district court of the United States 
        for an order--</DELETED>
                <DELETED>    (A) enjoining such act or practice; 
                or</DELETED>
                <DELETED>    (B) enforcing compliance with this 
                subtitle.</DELETED>
        <DELETED>    (2) Issuance of order.--A court may issue an order 
        under paragraph (1), if the court finds that the conduct in 
        question constitutes a violation of this subtitle.</DELETED>
<DELETED>    (c) Other Rights and Remedies.--The rights and remedies 
available under this section are cumulative and shall not affect any 
other rights and remedies available under law.</DELETED>

<DELETED>SEC. 204. ENFORCEMENT BY STATE ATTORNEYS GENERAL.</DELETED>

<DELETED>    (a) Civil Actions.--</DELETED>
        <DELETED>    (1) In general.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the acts or 
        practices of a business entity that violate this subtitle, the 
        State may bring a civil action on behalf of the residents of 
        that State in a district court of the United States of 
        appropriate jurisdiction, or any other court of competent 
        jurisdiction, to--</DELETED>
                <DELETED>    (A) enjoin that act or practice;</DELETED>
                <DELETED>    (B) enforce compliance with this subtitle; 
                or</DELETED>
                <DELETED>    (C) obtain civil penalties of not more 
                than $5,000 per violation per day while such violations 
                persist, up to a maximum of $20,000,000 per 
                violation.</DELETED>
        <DELETED>    (2) Considerations.--In determining the amount of 
        a civil penalty under this subsection, the court shall take 
        into account--</DELETED>
                <DELETED>    (A) the degree of culpability of the 
                business entity;</DELETED>
                <DELETED>    (B) any prior violations of this subtitle 
                by the business entity;</DELETED>
                <DELETED>    (C) the ability of the business entity to 
                pay a civil penalty;</DELETED>
                <DELETED>    (D) the effect on the ability of the 
                business entity to continue to do business;</DELETED>
                <DELETED>    (E) the number of individuals whose 
                personally identifiable information was compromised by 
                the breach;</DELETED>
                <DELETED>    (F) the relative cost of compliance with 
                this subtitle; and</DELETED>
                <DELETED>    (G) such other matters as justice may 
                require.</DELETED>
        <DELETED>    (3) Notice.--</DELETED>
                <DELETED>    (A) In general.--Before filing an action 
                under this subsection, the attorney general of the 
                State involved shall provide to the Attorney General--
                </DELETED>
                        <DELETED>    (i) a written notice of that 
                        action; and</DELETED>
                        <DELETED>    (ii) a copy of the complaint for 
                        that action.</DELETED>
                <DELETED>    (B) Exemption.--</DELETED>
                        <DELETED>    (i) In general.--Subparagraph (A) 
                        shall not apply with respect to the filing of 
                        an action by an attorney general of a State 
                        under this subsection, if the attorney general 
                        of a State determines that it is not feasible 
                        to provide the notice described in this 
                        subparagraph before the filing of the 
                        action.</DELETED>
                        <DELETED>    (ii) Notification.--In an action 
                        described in clause (i), the attorney general 
                        of a State shall provide notice and a copy of 
                        the complaint to the Attorney General at the 
                        time the State attorney general files the 
                        action.</DELETED>
<DELETED>    (b) Federal Proceedings.--Upon receiving notice under 
subsection (a)(2), the Attorney General shall have the right to--
</DELETED>
        <DELETED>    (1) move to stay the action, pending the final 
        disposition of a pending Federal proceeding or 
        action;</DELETED>
        <DELETED>    (2) initiate an action in the appropriate United 
        States district court under section 217 and move to consolidate 
        all pending actions, including State actions, in such 
        court;</DELETED>
        <DELETED>    (3) intervene in an action brought under 
        subsection (a)(2); and</DELETED>
        <DELETED>    (4) file petitions for appeal.</DELETED>
<DELETED>    (c) Pending Proceedings.--If the Attorney General has 
instituted a proceeding or action for a violation of this subtitle or 
any regulations thereunder, no attorney general of a State may, during 
the pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.</DELETED>
<DELETED>    (d) Construction.--For purposes of bringing any civil 
action under subsection (a), nothing in this subtitle regarding 
notification shall be construed to prevent an attorney general of a 
State from exercising the powers conferred on such attorney general by 
the laws of that State to--</DELETED>
        <DELETED>    (1) conduct investigations;</DELETED>
        <DELETED>    (2) administer oaths or affirmations; or</DELETED>
        <DELETED>    (3) compel the attendance of witnesses or the 
        production of documentary and other evidence.</DELETED>
<DELETED>    (e) Venue; Service of Process.--</DELETED>
        <DELETED>    (1) Venue.--Any action brought under subsection 
        (a) may be brought in--</DELETED>
                <DELETED>    (A) the district court of the United 
                States that meets applicable requirements relating to 
                venue under section 1391 of title 28, United States 
                Code; or</DELETED>
                <DELETED>    (B) another court of competent 
                jurisdiction.</DELETED>
        <DELETED>    (2) Service of process.--In an action brought 
        under subsection (a), process may be served in any district in 
        which the defendant--</DELETED>
                <DELETED>    (A) is an inhabitant; or</DELETED>
                <DELETED>    (B) may be found.</DELETED>

<DELETED>SEC. 205. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.</DELETED>

<DELETED>    (a) In General.--Any person aggrieved by a violation of 
the provisions of this subtitle by a business entity may bring a civil 
action in a court of appropriate jurisdiction to recover for personal 
injuries sustained as a result of the violation.</DELETED>
<DELETED>    (b) Authority To Bring Civil Action; Jurisdiction.--As 
provided in subsection (c), any person may commence a civil action on 
his own behalf against any business entity that is alleged to have 
violated the provisions of this subtitle.</DELETED>
<DELETED>    (c) Remedies in a Citizen Suit.--</DELETED>
        <DELETED>    (1) Damages.--Any individual harmed by a failure 
        of a business entity to comply with the provisions of this 
        subtitle, shall be able to collect damages of not more than 
        $10,000 per violation per day while such violations persist, up 
        to a maximum of $20,000,000 per violation.</DELETED>
        <DELETED>    (2) Punitive damages.--A business entity may be 
        liable for punitive damages if the business entity 
        intentionally or willfully violates the provisions of this 
        subtitle.</DELETED>
        <DELETED>    (3) Equitable relief.--A business entity that 
        violates the provisions of this subtitle may be enjoined to 
        comply with the provisions of those sections.</DELETED>
<DELETED>    (d) Other Rights and Remedies.--The rights and remedies 
available under this subsection are cumulative and shall not affect any 
other rights and remedies available under law.</DELETED>
<DELETED>    (e) Access to Justice.--The rights and remedies afforded 
by this section shall not be abridged or precluded by any predispute 
arbitration agreement, and any claims under this section that arise 
from the same security breach are presumed to meet the commonality 
requirement under rule 23(a)(2) of the Federal Rules of Civil 
Procedure.</DELETED>

      <DELETED>Subtitle B--Security Breach Notification</DELETED>

<DELETED>SEC. 211. NOTICE TO INDIVIDUALS.</DELETED>

<DELETED>    (a) In General.--Any agency, or business entity engaged in 
interstate commerce, that uses, accesses, transmits, stores, disposes 
of or collects sensitive personally identifiable information that 
experiences a security breach of such information, shall, following the 
discovery of such security breach of such information, notify any 
resident of the United States whose sensitive personally identifiable 
information has been, or is reasonably believed to have been, accessed, 
or acquired.</DELETED>
<DELETED>    (b) Obligation of Owner or Licensee.--</DELETED>
        <DELETED>    (1) Notice to owner or licensee.--Any agency, or 
        business entity engaged in interstate commerce, that uses, 
        accesses, transmits, stores, disposes of, or collects sensitive 
        personally identifiable information that the agency or business 
        entity does not own or license shall notify the owner or 
        licensee of the information following the discovery of a 
        security breach involving such information.</DELETED>
        <DELETED>    (2) Notice by owner, licensee or other designated 
        third party.--Nothing in this subtitle shall prevent or 
        abrogate an agreement between an agency or business entity 
        required to give notice under this section and a designated 
        third party, including an owner or licensee of the sensitive 
        personally identifiable information subject to the security 
        breach, to provide the notifications required under subsection 
        (a).</DELETED>
        <DELETED>    (3) Business entity relieved from giving notice.--
        A business entity obligated to give notice under subsection (a) 
        shall be relieved of such obligation if an owner or licensee of 
        the sensitive personally identifiable information subject to 
        the security breach, or other designated third party, provides 
        such notification.</DELETED>
<DELETED>    (c) Timeliness of Notification.--</DELETED>
        <DELETED>    (1) In general.--All notifications required under 
        this section shall be made without unreasonable delay following 
        the discovery by the agency or business entity of a security 
        breach.</DELETED>
        <DELETED>    (2) Reasonable delay.--Reasonable delay under this 
        subsection may include any time necessary to determine the 
        scope of the security breach, conduct the risk assessment 
        described in section 212(b)(1), and provide notice to law 
        enforcement when required.</DELETED>
        <DELETED>    (3) Burden of production.--The agency, business 
        entity, owner, or licensee required to provide notice under 
        this subtitle shall, upon the request of the Attorney General 
        or the attorney general of a State or any State or local law 
        enforcement agency authorized by the attorney general of the 
        State or by State statute to prosecute violations of consumer 
        protection law, provide records or other evidence of the 
        notifications required under this subtitle, including to the 
        extent applicable, the reasons for any delay of 
        notification.</DELETED>
<DELETED>    (d) Delay of Notification Authorized for Law Enforcement 
Purposes.--</DELETED>
        <DELETED>    (1) In general.--If a Federal law enforcement 
        agency or member of the intelligence community determines that 
        the notification required under this section would impede any 
        lawfully authorized criminal investigation or authorized 
        investigative, protective, or intelligence activities that are 
        carried out by or on behalf of any element of the intelligence 
        community and conducted in accordance with the United States 
        laws, authorities, and regulations governing such intelligence 
        activities, such notification shall be delayed upon written 
        notice from such Federal law enforcement or intelligence agency 
        to the agency or business entity that experienced the 
        breach.</DELETED>
        <DELETED>    (2) Extended delay of notification.--If the 
        notification required under subsection (a) is delayed pursuant 
        to paragraph (1), an agency or business entity shall give 
        notice 30 days after the day such law enforcement delay was 
        invoked unless a Federal law enforcement or intelligence agency 
        provides written notification that further delay is 
        necessary.</DELETED>
        <DELETED>    (3) Law enforcement immunity.--No cause of action 
        shall lie in any court against any law enforcement agency for 
        acts relating to the delay of notification for law enforcement 
        or intelligence purposes under this subtitle.</DELETED>

<DELETED>SEC. 212. EXEMPTIONS FROM NOTICE TO INDIVIDUALS.</DELETED>

<DELETED>    (a) Exemption for National Security and Law Enforcement.--
</DELETED>
        <DELETED>    (1) In general.--Section 211 shall not apply to an 
        agency or business entity if the agency or business entity 
        certifies, in writing, that notification of the security breach 
        as required by section 211 reasonably could be expected to--
        </DELETED>
                <DELETED>    (A) cause damage to the national security; 
                or</DELETED>
                <DELETED>    (B) hinder a law enforcement investigation 
                or the ability of the agency to conduct law enforcement 
                investigations.</DELETED>
        <DELETED>    (2) Limits on certifications.--An agency or 
        business entity may not execute a certification under paragraph 
        (1) to--</DELETED>
                <DELETED>    (A) conceal violations of law, 
                inefficiency, or administrative error;</DELETED>
                <DELETED>    (B) prevent embarrassment to a business 
                entity, organization, or agency;</DELETED>
                <DELETED>    (C) restrain competition; or</DELETED>
                <DELETED>    (D) delay notification under section 211 
                for any other reason, except where the agency or 
                business entity reasonably believes an exemption under 
                paragraph (1) applies.</DELETED>
        <DELETED>    (3) Notice.--In every case in which an agency or 
        business agency issues a certification under paragraph (1), the 
        certification, accompanied by a description of the factual 
        basis for the certification, shall be immediately provided to 
        the United States Secret Service and the Federal Bureau of 
        Investigation.</DELETED>
        <DELETED>    (4) Secret service and fbi review of 
        certifications.--</DELETED>
                <DELETED>    (A) In general.--The United States Secret 
                Service or the Federal Bureau of Investigation may 
                review a certification provided by an agency under 
                paragraph (3), and shall review a certification 
                provided by a business entity under paragraph (3), to 
                determine whether an exemption under paragraph (1) is 
                merited. Such review shall be completed not later than 
                7 business days after the date of receipt of the 
                certification, except as provided in paragraph 
                (5)(C).</DELETED>
                <DELETED>    (B) Notice.--Upon completing a review 
                under subparagraph (A) the United States Secret Service 
                or the Federal Bureau of Investigation shall 
                immediately notify the agency or business entity, in 
                writing, of its determination of whether an exemption 
                under paragraph (1) is merited.</DELETED>
                <DELETED>    (C) Exemption.--The exemption under 
                paragraph (1) shall not apply if the United States 
                Secret Service or the Federal Bureau of Investigation 
                determines under this paragraph that the exemption is 
                not merited.</DELETED>
        <DELETED>    (5) Additional authority of the secret service and 
        fbi.--</DELETED>
                <DELETED>    (A) In general.--In determining under 
                paragraph (4) whether an exemption under paragraph (1) 
                is merited, the United States Secret Service or the 
                Federal Bureau of Investigation may request additional 
                information from the agency or business entity 
                regarding the basis for the claimed exemption, if such 
                additional information is necessary to determine 
                whether the exemption is merited.</DELETED>
                <DELETED>    (B) Required compliance.--Any agency or 
                business entity that receives a request for additional 
                information under subparagraph (A) shall cooperate with 
                any such request.</DELETED>
                <DELETED>    (C) Timing.--If the United States Secret 
                Service or the Federal Bureau of Investigation requests 
                additional information under subparagraph (A), the 
                United States Secret Service or the Federal Bureau of 
                Investigation shall notify the agency or business 
                entity not later than 7 business days after the date of 
                receipt of the additional information whether an 
                exemption under paragraph (1) is merited.</DELETED>
<DELETED>    (b) Safe Harbor.--</DELETED>
        <DELETED>    (1) In general.--An agency or business entity will 
        be exempt from the notice requirements under section 211, if--
        </DELETED>
                <DELETED>    (A) a risk assessment conducted by the 
                agency or business entity concludes that there is no 
                significant risk that a security breach has resulted 
                in, or will result in harm to the individuals whose 
                sensitive personally identifiable information was 
                subject to the security breach; and</DELETED>
                <DELETED>    (B) the United States Secret Service or 
                the Federal Bureau of Investigation does not indicate 
                within 7 business days from the receipt of written 
                notification from an agency or business entity pursuant 
                to subsection (b)(2), that the agency or business 
                entity should not be exempt from the notice 
                requirements of section 211.</DELETED>
        <DELETED>    (2) Risk assessment requirements.--</DELETED>
                <DELETED>    (A) Conducting a risk assessment.--Upon 
                discovery of a security breach of an agency or business 
                entity, the agency or business entity shall conduct a 
                risk assessment to determine if there is a significant 
                risk that the security breach resulted in, or will 
                result in, harm to the individuals whose sensitive 
                personally identifiable information was subject to the 
                security breach.</DELETED>
                        <DELETED>    (i) Presumption of no significant 
                        risk.--It is presumed that there is no 
                        significant risk that the security breach has 
                        resulted in, or will result in, harm to the 
                        individuals whose sensitive personally 
                        identifiable information was subject to the 
                        security breach, if such sensitive personally 
                        identifiable information has been rendered 
                        indecipherable through the use of best 
                        practices or methods as described by the 
                        Federal Trade Commission, such as redaction, 
                        access controls, or other such mechanisms, 
                        which are widely accepted as an effective 
                        industry practice, or an effective industry 
                        standard, or other such mechanisms establishing 
                        a presumption that no significant risk 
                        exists.</DELETED>
                        <DELETED>    (ii) Presumption of significant 
                        risk.--It is presumed that there is a 
                        significant risk that the security breach has 
                        resulted in, or will result in, harm to 
                        individuals whose sensitive personally 
                        identifiable information was subject to the 
                        security breach if the agency or business 
                        entity failed to render such sensitive 
                        personally identifiable information 
                        indecipherable through the use of best 
                        practices or methods, such as redaction, access 
                        controls, or other such mechanisms which are 
                        widely accepted as an effective industry 
                        practice or an effective industry standard, or 
                        other such mechanisms establishing a 
                        presumption that a significant risk 
                        exists.</DELETED>
                <DELETED>    (B) Written notification to law 
                enforcement.--Without unreasonable delay, but not later 
                than 7 days after the discovery of a security breach, 
                unless extended by the United States Secret Service or 
                the Federal Bureau of Investigation, the agency or 
                business entity must notify the United States Secret 
                Service and the Federal Bureau of Investigation, in 
                writing, of--</DELETED>
                        <DELETED>    (i) the results of the risk 
                        assessment; and</DELETED>
                        <DELETED>    (ii) its decision to invoke the 
                        risk assessment exemption.</DELETED>
<DELETED>    (c) Financial Fraud Prevention Exemption.--</DELETED>
        <DELETED>    (1) In general.--A business entity shall be exempt 
        from the notice requirement under section 211 if the business 
        entity utilizes or participates in a security program that--
        </DELETED>
                <DELETED>    (A) is designed to block the use of the 
                sensitive personally identifiable information to 
                initiate unauthorized financial transactions before 
                they are charged to the account of the individual; 
                and</DELETED>
                <DELETED>    (B) provides for notice to affected 
                individuals after a security breach that has resulted 
                in fraud or unauthorized transactions.</DELETED>
        <DELETED>    (2) Limitation.--Paragraph (1) does not apply to a 
        business entity if--</DELETED>
                <DELETED>    (A) the information subject to the 
                security breach includes sensitive personally 
                identifiable information, other than a credit card or 
                credit card security code, of any type of the sensitive 
                personally identifiable information identified in 
                section 3; or</DELETED>
                <DELETED>    (B) the security breach includes both the 
                individual's credit card number and the individual's 
                first and last name.</DELETED>

<DELETED>SEC. 213. METHODS OF NOTICE TO INDIVIDUALS.</DELETED>

<DELETED>    To comply with section 211, an agency or business entity 
shall provide the following forms of notice:</DELETED>
        <DELETED>    (1) Individual written notice.--Written notice to 
        individuals by 1 of the following means:</DELETED>
                <DELETED>    (A) Individual written notification to the 
                last known home mailing address of the individual in 
                the records of the agency or business entity.</DELETED>
                <DELETED>    (B) E-mail notice, unless the individual 
                has expressly opted not to receive such notices of 
                security breaches or the notice is inconsistent with 
                the provisions permitting electronic transmission of 
                notices under section 101 of the Electronic Signatures 
                in Global and National Commerce Act (15 U.S.C. 
                7001).</DELETED>
        <DELETED>    (2) Telephone notice.--Telephone notice to the 
        individual personally.</DELETED>
        <DELETED>    (3) Public notice.--</DELETED>
                <DELETED>    (A) Electronic notice.--Prominent notice 
                via all reasonable means of electronic contact between 
                the individual and the agency or business entity, 
                including any website, networked devices, or other 
                interface through which the agency or business entity 
                regularly interacts with the consumer, if the number of 
                individuals whose personally identifiable information 
                was or is reasonably believed to have been accessed or 
                acquired by an unauthorized person exceeds 
                5,000.</DELETED>
                <DELETED>    (B) Media notice.--Notice to major media 
                outlets serving a State or jurisdiction, if the number 
                of residents of such State whose sensitive personally 
                identifiable information was, or is reasonably believed 
                to have been, accessed or acquired by an unauthorized 
                person exceeds 5,000.</DELETED>

<DELETED>SEC. 214. CONTENT OF NOTICE TO INDIVIDUALS.</DELETED>

<DELETED>    (a) In General.--Regardless of the method by which 
individual notice is provided to individuals under section 213(1), such 
notice shall include--</DELETED>
        <DELETED>    (1) a description of the categories of sensitive 
        personally identifiable information that was, or is reasonably 
        believed to have been, accessed or acquired by an unauthorized 
        person, and how the agency or business entity came into 
        possession the sensitive personally identifiable information at 
        issue;</DELETED>
        <DELETED>    (2) a toll-free number--</DELETED>
                <DELETED>    (A) that the individual may use to contact 
                the agency or business entity, or the agent of the 
                agency or business entity; and</DELETED>
                <DELETED>    (B) from which the individual may learn 
                what types of sensitive personally identifiable 
                information the agency or business entity maintained 
                about that individual;</DELETED>
        <DELETED>    (3) the toll-free contact telephone numbers, 
        websites, and addresses for the major credit reporting 
        agencies;</DELETED>
        <DELETED>    (4) the telephone numbers and websites for the 
        relevant Federal agencies that provide information regarding 
        identity theft prevention and protection;</DELETED>
        <DELETED>    (5) notice that the individual is entitled to 
        receive, at no cost to such individual, consumer credit reports 
        on a quarterly basis for a period of 2 years, credit monitoring 
        or any other service that enables consumers to detect the 
        misuse of sensitive personally identifiable information for a 
        period of 2 years, and instructions to the individual on 
        requesting such reports or service from the agency or business 
        entity;</DELETED>
        <DELETED>    (6) notice that the individual is entitled to 
        receive a security freeze and that the agency or business 
        entity will be liable for any costs associated with the 
        security freeze for 2 years and the necessary instructions for 
        requesting a security freeze; and</DELETED>
        <DELETED>    (7) notice that any costs or damages incurred by 
        an individual as a result of a security breach will be paid by 
        the business entity or agency that experienced the security 
        breach.</DELETED>
<DELETED>    (b) Telephone Notice.--Telephone notice described in 
section 213(2) shall include, to the extent possible--</DELETED>
        <DELETED>    (1) notification that a security breach has 
        occurred and that the individual's sensitive personally 
        identifiable information may have been compromised;</DELETED>
        <DELETED>    (2) a description of the categories of sensitive 
        personally identifiable information that were, or are 
        reasonably believed to have been, accessed or acquired by an 
        unauthorized person;</DELETED>
        <DELETED>    (3) a toll-free number and website--</DELETED>
                <DELETED>    (A) that the individual may use to contact 
                the agency or business entity, or the authorized agent 
                of the agency or business entity; and</DELETED>
                <DELETED>    (B) from which the individual may learn 
                what types of sensitive personally identifiable 
                information the agency or business entity maintained 
                about that individual and remedies available to that 
                individual; and</DELETED>
        <DELETED>    (4) an alert to the individual that the agency or 
        business entity is sending or has sent written notification 
        containing additional information as required under section 
        213(1)(A).</DELETED>
<DELETED>    (c) Public Notice.--Public notice described in section 
213(3) shall include--</DELETED>
        <DELETED>    (1) electronic notice, which includes--</DELETED>
                <DELETED>    (A) notification that a security breach 
                has occurred and that the individual's sensitive 
                personally identifiable information may have been 
                compromised;</DELETED>
                <DELETED>    (B) a description of the categories of 
                sensitive personally identifiable information that 
                were, or are reasonably believed to have been, accessed 
                or acquired by an unauthorized person; and</DELETED>
                <DELETED>    (C) a toll-free number and website--
                </DELETED>
                        <DELETED>    (i) that the individual may use to 
                        contact the agency or business entity, or the 
                        authorized agent of the agency or business 
                        entity; and</DELETED>
                        <DELETED>    (ii) from which the individual may 
                        learn what types of sensitive personally 
                        identifiable information the agency or business 
                        entity maintained about that individual and 
                        remedies available to that 
                        individual;</DELETED>
        <DELETED>    (2) media notice, which includes--</DELETED>
                <DELETED>    (A) a description of the categories of 
                sensitive personally identifiable information that was, 
                or is reasonably believed to have been, accessed or 
                acquired by an unauthorized person;</DELETED>
                <DELETED>    (B) a toll-free number--</DELETED>
                        <DELETED>    (i) that the individual may use to 
                        contact the agency or business entity, or the 
                        authorized agent of the agency or business 
                        entity; and</DELETED>
                        <DELETED>    (ii) from which the individual may 
                        learn what types of sensitive personally 
                        identifiable information the agency or business 
                        entity maintained about that individual and 
                        remedies available to that 
                        individual;</DELETED>
                <DELETED>    (C) the toll-free contact telephone 
                numbers, websites, and addresses for the major credit 
                reporting agencies;</DELETED>
                <DELETED>    (D) the telephone numbers and websites for 
                the relevant Federal agencies that provide information 
                regarding identity theft prevention and 
                protection;</DELETED>
                <DELETED>    (E) notice that the affected individuals 
                are entitled to receive, at no cost to such 
                individuals, consumer credit reports on a quarterly 
                basis for a period of 2 years, credit monitoring, or 
                any other service that enables consumers to detect the 
                misuse of sensitive personally identifiable information 
                for a period of 2 years;</DELETED>
                <DELETED>    (F) notice that the individual is entitled 
                to receive a security freeze and that the agency or 
                business entity will be liable for any costs associated 
                with the security freeze for 2 years; and</DELETED>
                <DELETED>    (G) notice that the individual is entitled 
                to receive compensation from the business entity or 
                agency for any costs or damages incurred by the 
                individual resulting from the security 
                breach.</DELETED>
<DELETED>    (d) Additional Content.--Notwithstanding section 221, a 
State may require that a notice under subsection (a) shall also include 
information regarding victim protection assistance provided for by that 
State.</DELETED>

<DELETED>SEC. 215. REMEDIES FOR SECURITY BREACH.</DELETED>

<DELETED>    (a) Credit Reports and Credit Monitoring.--An agency or 
business entity required to provide notification under this subtitle 
shall, upon request of an individual whose sensitive personally 
identifiable information was included in the security breach, provide 
or arrange for the provision of, to each such individual and at no cost 
to such individual--</DELETED>
        <DELETED>    (1) consumer credit reports from not fewer than 1 
        of the major credit reporting agencies beginning not later than 
        60 days following the request of the individual and continuing 
        on a quarterly basis for a period of 2 years thereafter; 
        and</DELETED>
        <DELETED>    (2) a credit monitoring or other service that 
        enables consumers to detect the misuse of their personal 
        information, beginning not later than 60 days following the 
        request of the individual and continuing for a period of 2 
        years.</DELETED>
<DELETED>    (b) Security Freeze.--</DELETED>
        <DELETED>    (1) Request.--Any consumer may submit a written 
        request, by certified mail or such other secure method as 
        authorized by a credit rating agency, to a credit rating agency 
        to place a security freeze on the credit report of the 
        consumer.</DELETED>
        <DELETED>    (2) Implementation of security freeze.--Upon 
        receipt of a written request under paragraph (1), a credit 
        rating agency shall--</DELETED>
                <DELETED>    (A) not later than 5 business days after 
                receipt of the request, place a security freeze on the 
                credit report of the consumer; and</DELETED>
                <DELETED>    (B) not later than 10 business days after 
                placing a security freeze, send a written confirmation 
                of such security freeze to the consumer, which shall 
                provide the consumer with a unique personal 
                identification number or password to be used by the 
                consumer when providing authorization for the release 
                of the credit report of the consumer to a third party 
                or for a specified period of time.</DELETED>
        <DELETED>    (3) Duration of security freeze.--Except as 
        provided in paragraph (4), any security freeze authorized 
        pursuant to the provisions of this section shall remain in 
        effect until the consumer requests the security freeze to be 
        removed.</DELETED>
        <DELETED>    (4) Disclosure of credit report to third party.--
        </DELETED>
                <DELETED>    (A) In general.--If a consumer that has 
                requested a security freeze under this subsection 
                wishes to authorize the disclosure of the credit report 
                of the consumer to a third party, or for a specified 
                period of time, while such security freeze is in 
                effect, the consumer shall contact the credit rating 
                agency and provide--</DELETED>
                        <DELETED>    (i) proper 
                        identification;</DELETED>
                        <DELETED>    (ii) the unique personal 
                        identification number or password described in 
                        paragraph (2)(B); and</DELETED>
                        <DELETED>    (iii) proper information regarding 
                        the third party who is to receive the credit 
                        report or the time period for which the credit 
                        report shall be available.</DELETED>
                <DELETED>    (B) Requirement.--Not later than 3 
                business days after receipt of a request under 
                subparagraph (A), a credit rating agency shall lift the 
                security freeze.</DELETED>
        <DELETED>    (5) Procedures.--</DELETED>
                <DELETED>    (A) In general.--A credit rating agency 
                shall develop procedures to receive and process 
                requests from consumers under paragraph (2) of this 
                section.</DELETED>
                <DELETED>    (B) Requirement.--Procedures developed 
                under subparagraph (A), at a minimum, shall include the 
                ability of a consumer to send such temporary lift or 
                removal request by electronic mail, letter, telephone, 
                or facsimile.</DELETED>
        <DELETED>    (6) Requests by third party.--If a third party 
        requests access to a credit report of a consumer that has been 
        frozen under this subsection and the consumer has not 
        authorized the disclosure of the credit report of the consumer 
        to the third party, the third party may deem such credit 
        application as incomplete.</DELETED>
        <DELETED>    (7) Determination by credit rating agency.--
        </DELETED>
                <DELETED>    (A) In general.--A credit rating agency 
                may refuse to implement or may remove a security freeze 
                under this subsection if the agency determines, in good 
                faith, that--</DELETED>
                        <DELETED>    (i) the request for a security 
                        freeze was made as part of a fraud that the 
                        consumer participated in, had knowledge of, or 
                        that can be demonstrated by circumstantial 
                        evidence; or</DELETED>
                        <DELETED>    (ii) the consumer credit report 
                        was frozen due to a material misrepresentation 
                        of fact by the consumer.</DELETED>
                <DELETED>    (B) Notice.--If a credit rating agency 
                makes a determination under subparagraph (A) to not 
                implement, or to remove, a security freeze under this 
                subsection, the credit rating agency shall notify the 
                consumer in writing of such determination--</DELETED>
                        <DELETED>    (i) in the case of a determination 
                        not to implement a security freeze, not later 
                        than 5 business days after the determination is 
                        made; and</DELETED>
                        <DELETED>    (ii) in the case of a removal of a 
                        security freeze, prior to removing the freeze 
                        on the credit report of the consumer.</DELETED>
        <DELETED>    (8) Rule of construction.--Nothing in this section 
        shall be construed to prohibit disclosure of a credit report of 
        a consumer to--</DELETED>
                <DELETED>    (A) a person, or the person's subsidiary, 
                affiliate, agent or assignee with which the consumer 
                has or, prior to assignment, had an account, contract 
                or debtor-creditor relationship for the purpose of 
                reviewing the account or collecting the financial 
                obligation owing for the account, contract or 
                debt;</DELETED>
                <DELETED>    (B) a subsidiary, affiliate, agent, 
                assignee or prospective assignee of a person to whom 
                access has been granted under paragraph (4) for the 
                purpose of facilitating the extension of credit or 
                other permissible use;</DELETED>
                <DELETED>    (C) any person acting pursuant to a court 
                order, warrant or subpoena;</DELETED>
                <DELETED>    (D) any person for the purpose of using 
                such credit information to prescreen as provided by the 
                Fair Credit Reporting Act (15 U.S.C. 1681 et 
                seq.);</DELETED>
                <DELETED>    (E) any person for the sole purpose of 
                providing a credit file monitoring subscription service 
                to which the consumer has subscribed;</DELETED>
                <DELETED>    (F) a credit rating agency for the sole 
                purpose of providing a consumer with a copy of the 
                credit report of the consumer upon the request of the 
                consumer; or</DELETED>
                <DELETED>    (G) a Federal, State or local governmental 
                entity, including a law enforcement agency, or court, 
                or their agents or assignees pursuant to their 
                statutory or regulatory duties. For purposes of this 
                subsection, ``reviewing the account'' includes 
                activities related to account maintenance, monitoring, 
                credit line increases and account upgrades and 
                enhancements; and</DELETED>
                <DELETED>    (H) any person for the sole purpose of 
                providing a remedy requested by an individual under 
                this section.</DELETED>
        <DELETED>    (9) Exceptions.--The following persons shall not 
        be required to place a security freeze under this subsection, 
        but shall be subject to any security freeze placed on a credit 
        report by another credit rating agency:</DELETED>
                <DELETED>    (A) A check services or fraud prevention 
                services company that reports on incidents of fraud or 
                issues authorizations for the purpose of approving or 
                processing negotiable instruments, electronic fund 
                transfers or similar methods of payment.</DELETED>
                <DELETED>    (B) A deposit account information service 
                company that issues reports regarding account closures 
                due to fraud, substantial overdrafts, automated teller 
                machine abuse, or similar information regarding a 
                consumer to inquiring banks or other financial 
                institutions for use only in reviewing a consumer 
                request for a deposit account at the inquiring bank or 
                financial institution.</DELETED>
                <DELETED>    (C) A credit rating agency that--
                </DELETED>
                        <DELETED>    (i) acts only to resell credit 
                        information by assembling and merging 
                        information contained in a database of 1 or 
                        more credit reporting agencies; and</DELETED>
                        <DELETED>    (ii) does not maintain a permanent 
                        database of credit information from which new 
                        credit reports are produced.</DELETED>
        <DELETED>    (10) Fees.--</DELETED>
                <DELETED>    (A) In general.--A credit rating agency 
                may charge reasonable fees for each security freeze, 
                removal of such freeze or temporary lift of such freeze 
                for a period of time, and a temporary lift of such 
                freeze for a specific party.</DELETED>
                <DELETED>    (B) Requirement.--Any fees charged under 
                subparagraph (A) shall be borne by the agency or 
                business entity providing notice under section 214 for 
                2 years following the establishment of the security 
                freeze under this subsection.</DELETED>
<DELETED>    (c) Costs Resulting From a Security Breach.--</DELETED>
        <DELETED>    (1) In general.--A business entity or agency that 
        experiences a security breach and is required to provide notice 
        under this subtitle shall pay, upon request, to any individual 
        whose sensitive personally identifiable information has been, 
        or is reasonably believed to have been, accessed or acquired as 
        a result of such security breach, any costs or damages incurred 
        by the individual as a result of such security breach, 
        including costs associated with identity theft suffered as a 
        result of such security breach.</DELETED>
        <DELETED>    (2) Compliance.--A business entity or agency shall 
        be deemed in compliance with this subsection if the business 
        entity or agency--</DELETED>
                <DELETED>    (A) provides insurance to any individual 
                whose sensitive personally identifiable information has 
                been, or is reasonably believed to have been, accessed 
                or acquired as a result of a security breach and such 
                insurance is sufficient to compensate the consumer for 
                not less than $25,000 of costs or damages; or</DELETED>
                <DELETED>    (B) pays, without unreasonable delay, any 
                actual costs or damages incurred by an individual as a 
                result of the security breach.</DELETED>

<DELETED>SEC. 216. NOTICE TO CREDIT REPORTING AGENCIES.</DELETED>

<DELETED>    If an agency or business entity is required to provide 
notification to more than 5,000 individuals under section 211(a), the 
agency or business entity shall also notify all consumer reporting 
agencies that compile and maintain files on consumers on a nationwide 
basis (as defined in section 603(p) of the Fair Credit Reporting Act 
(15 U.S.C. 1681a(p))) of the timing and distribution of the notices. 
Such notice shall be given to the consumer credit reporting agencies 
without unreasonable delay and, if it will not delay notice to the 
affected individuals, prior to the distribution of notices to the 
affected individuals.</DELETED>

<DELETED>SEC. 217. NOTICE TO LAW ENFORCEMENT.</DELETED>

<DELETED>    (a) Secret Service and FBI.--Any business entity or agency 
shall notify the United States Secret Service and the Federal Bureau of 
Investigation of the fact that a security breach has occurred if--
</DELETED>
        <DELETED>    (1) the number of individuals whose sensitive 
        personally identifying information was, or is reasonably 
        believed to have been, accessed or acquired by an unauthorized 
        person exceeds 5,000;</DELETED>
        <DELETED>    (2) the security breach involves a database, 
        networked or integrated databases, or other data system 
        containing the sensitive personally identifiable information of 
        more than 500,000 individuals nationwide;</DELETED>
        <DELETED>    (3) the security breach involves databases owned 
        by the Federal Government; or</DELETED>
        <DELETED>    (4) the security breach involves primarily 
        sensitive personally identifiable information of individuals 
        known to the agency or business entity to be employees and 
        contractors of the Federal Government involved in national 
        security or law enforcement.</DELETED>
<DELETED>    (b) FTC Review of Thresholds.--The Federal Trade 
Commission may alter the circumstances under which notification is 
required under subsection (a) in a manner consistent with the public 
interest.</DELETED>
<DELETED>    (c) Notice to Other Law Enforcement Agencies.--The United 
States Secret Service and the Federal Bureau of Investigation shall be 
responsible for notifying--</DELETED>
        <DELETED>    (1) the United States Postal Inspection Service, 
        if the security breach involves mail fraud;</DELETED>
        <DELETED>    (2) the attorney general of each State affected by 
        the security breach; and</DELETED>
        <DELETED>    (3) the Federal Trade Commission, if the security 
        breach involves consumer reporting agencies subject to the Fair 
        Credit Reporting Act (15 U.S.C. 1681 et seq.), or 
        anticompetitive conduct.</DELETED>
<DELETED>    (d) Timing of Notices.--The notices required under this 
section shall be delivered as follows:</DELETED>
        <DELETED>    (1) Notice under subsection (a) shall be delivered 
        as promptly as possible, but not later than 10 days after 
        discovery of the security breach.</DELETED>
        <DELETED>    (2) Notice under section 211 shall be delivered to 
        individuals not later than 48 hours after the Federal Bureau of 
        Investigation or the Secret Service receives notice of a 
        security breach from an agency or business entity.</DELETED>

<DELETED>SEC. 218. FEDERAL ENFORCEMENT.</DELETED>

<DELETED>    (a) Civil Actions by the Attorney General.--</DELETED>
        <DELETED>    (1) In general.--The Attorney General may bring a 
        civil action in the appropriate United States district court 
        against any business entity that engages in conduct 
        constituting a violation of this subtitle and, upon proof of 
        such conduct by a preponderance of the evidence, such business 
        entity shall be subject to a civil penalty of not more than 
        $500 per day per individual whose sensitive personally 
        identifiable information was, or is reasonably believed to have 
        been, accessed or acquired by an unauthorized person, up to a 
        maximum of $20,000,000 per violation, unless such conduct is 
        found to be willful or intentional.</DELETED>
        <DELETED>    (2) Presumption.--A violation of section 212(a)(2) 
        shall be presumed to be willful or intentional 
        conduct.</DELETED>
<DELETED>    (b) Considerations.--In determining the amount of a civil 
penalty under this subsection, the court shall take into account--
</DELETED>
        <DELETED>    (1) the degree of culpability of the business 
        entity;</DELETED>
        <DELETED>    (2) any prior violations of this subtitle by the 
        business entity;</DELETED>
        <DELETED>    (3) the ability of the business entity to pay a 
        civil penalty;</DELETED>
        <DELETED>    (4) the effect on the ability of the business 
        entity to continue to do business;</DELETED>
        <DELETED>    (5) the number of individuals whose personally 
        identifiable information was compromised by the 
        breach;</DELETED>
        <DELETED>    (6) the relative cost of compliance with this 
        subtitle; and</DELETED>
        <DELETED>    (7) such other matters as justice may 
        require.</DELETED>
<DELETED>    (c) Injunctive Actions by the Attorney General.--
</DELETED>
        <DELETED>    (1) In general.--If it appears that a business 
        entity has engaged, or is engaged, in any act or practice 
        constituting a violation of this subtitle, the Attorney General 
        may petition an appropriate district court of the United States 
        for an order--</DELETED>
                <DELETED>    (A) enjoining such act or practice; 
                or</DELETED>
                <DELETED>    (B) enforcing compliance with this 
                subtitle.</DELETED>
        <DELETED>    (2) Issuance of order.--A court may issue an order 
        under paragraph (1), if the court finds that the conduct in 
        question constitutes a violation of this subtitle.</DELETED>
<DELETED>    (d) Other Rights and Remedies.--The rights and remedies 
available under this subtitle are cumulative and shall not affect any 
other rights and remedies available under law.</DELETED>
<DELETED>    (e) Fraud Alert.--Section 605A(b)(1) of the Fair Credit 
Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or 
evidence that the consumer has received notice that the consumer's 
financial information has or may have been compromised,'' after 
``identity theft report''.</DELETED>

<DELETED>SEC. 219. ENFORCEMENT BY STATE ATTORNEYS GENERAL.</DELETED>

<DELETED>    (a) In General.--</DELETED>
        <DELETED>    (1) Civil actions.--</DELETED>
                <DELETED>    (A) In general.--In any case in which the 
                attorney general of a State or any State or local law 
                enforcement agency authorized by the State attorney 
                general or by State statute to prosecute violations of 
                consumer protection law, has reason to believe that an 
                interest of the residents of that State has been or is 
                threatened or adversely affected by the engagement of a 
                business entity in a practice that is prohibited under 
                this subtitle, the State or the State or local law 
                enforcement agency on behalf of the residents of the 
                agency's jurisdiction, may bring a civil action on 
                behalf of the residents of the State or jurisdiction in 
                a district court of the United States of appropriate 
                jurisdiction or any other court of competent 
                jurisdiction, including a State court, to--</DELETED>
                        <DELETED>    (i) enjoin that 
                        practice;</DELETED>
                        <DELETED>    (ii) enforce compliance with this 
                        subtitle; or</DELETED>
                        <DELETED>    (iii) obtain civil penalties of 
                        not more than $500 per day per individual whose 
                        sensitive personally identifiable information 
                        was, or is reasonably believed to have been, 
                        accessed or acquired by an unauthorized person, 
                        up to a maximum of $20,000,000 per violation, 
                        unless such conduct is found to be willful or 
                        intentional.</DELETED>
                <DELETED>    (B) Presumption.--A violation of section 
                212(a)(2) shall be presumed to be willful or 
                intentional.</DELETED>
        <DELETED>    (2) Considerations.--In determining the amount of 
        a civil penalty under this subsection, the court shall take 
        into account--</DELETED>
                <DELETED>    (A) the degree of culpability of the 
                business entity;</DELETED>
                <DELETED>    (B) any prior violations of this subtitle 
                by the business entity;</DELETED>
                <DELETED>    (C) the ability of the business entity to 
                pay a civil penalty;</DELETED>
                <DELETED>    (D) the effect on the ability of the 
                business entity to continue to do business;</DELETED>
                <DELETED>    (E) the number of individuals whose 
                personally identifiable information was compromised by 
                the breach;</DELETED>
                <DELETED>    (F) the relative cost of compliance with 
                this subtitle; and</DELETED>
                <DELETED>    (G) such other matters as justice may 
                require.</DELETED>
        <DELETED>    (3) Notice.--</DELETED>
                <DELETED>    (A) In general.--Before filing an action 
                under paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--</DELETED>
                        <DELETED>    (i) written notice of the action; 
                        and</DELETED>
                        <DELETED>    (ii) a copy of the complaint for 
                        the action.</DELETED>
                <DELETED>    (B) Exemption.--</DELETED>
                        <DELETED>    (i) In general.--Subparagraph (A) 
                        shall not apply with respect to the filing of 
                        an action by an attorney general of a State 
                        under this subtitle, if the State attorney 
                        general determines that it is not feasible to 
                        provide the notice described in such 
                        subparagraph before the filing of the 
                        action.</DELETED>
                        <DELETED>    (ii) Notification.--In an action 
                        described in clause (i), the attorney general 
                        of a State shall provide notice and a copy of 
                        the complaint to the Attorney General at the 
                        time the State attorney general files the 
                        action.</DELETED>
<DELETED>    (b) Federal Proceedings.--Upon receiving notice under 
subsection (a)(2), the Attorney General shall have the right to--
</DELETED>
        <DELETED>    (1) move to stay the action, pending the final 
        disposition of a pending Federal proceeding or 
        action;</DELETED>
        <DELETED>    (2) initiate an action in the appropriate United 
        States district court under section 217 and move to consolidate 
        all pending actions, including State actions, in such 
        court;</DELETED>
        <DELETED>    (3) intervene in an action brought under 
        subsection (a)(2); and</DELETED>
        <DELETED>    (4) file petitions for appeal.</DELETED>
<DELETED>    (c) Pending Proceedings.--If the Attorney General has 
instituted a proceeding or action for a violation of this subtitle or 
any regulations thereunder, no attorney general of a State may, during 
the pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.</DELETED>
<DELETED>    (d) Construction.--For purposes of bringing any civil 
action under subsection (a), nothing in this subtitle regarding 
notification shall be construed to prevent an attorney general of a 
State from exercising the powers conferred on such attorney general by 
the laws of that State to--</DELETED>
        <DELETED>    (1) conduct investigations;</DELETED>
        <DELETED>    (2) administer oaths or affirmations; or</DELETED>
        <DELETED>    (3) compel the attendance of witnesses or the 
        production of documentary and other evidence.</DELETED>
<DELETED>    (e) Venue; Service of Process.--</DELETED>
        <DELETED>    (1) Venue.--Any action brought under subsection 
        (a) may be brought in--</DELETED>
                <DELETED>    (A) the district court of the United 
                States that meets applicable requirements relating to 
                venue under section 1391 of title 28, United States 
                Code; or</DELETED>
                <DELETED>    (B) another court of competent 
                jurisdiction.</DELETED>
        <DELETED>    (2) Service of process.--In an action brought 
        under subsection (a), process may be served in any district in 
        which the defendant--</DELETED>
                <DELETED>    (A) is an inhabitant; or</DELETED>
                <DELETED>    (B) may be found.</DELETED>

<DELETED>SEC. 220. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.</DELETED>

<DELETED>    (a) In General.--Any person aggrieved by a violation of 
the provisions of section 211, 213, 214, 215, or 216 by a business 
entity may bring a civil action in a court of appropriate jurisdiction 
to recover for personal injuries sustained as a result of the 
violation.</DELETED>
<DELETED>    (b) Remedies in a Citizen Suit.--</DELETED>
        <DELETED>    (1) Damages.--Any individual harmed by a failure 
        of a business entity to comply with the provisions of section 
        211, 213, 214, 215, or 216, shall be able to collect damages of 
        not more than $500 per day per individual whose sensitive 
        personally identifiable information was, or is reasonably 
        believed to have been, accessed or acquired by an unauthorized 
        person, up to a maximum of $20,000,000 per violation.</DELETED>
        <DELETED>    (2) Punitive damages.--A business entity may be 
        liable for punitive damages if it--</DELETED>
                <DELETED>    (A) intentionally or willfully violates 
                the provisions of section 211, 213, 214, 215, or 216; 
                or</DELETED>
                <DELETED>    (B) failed to comply with the requirements 
                of subsections (a) through (d) of section 
                202.</DELETED>
        <DELETED>    (3) Equitable relief.--A business entity that 
        violates the provisions of section 211, 213, 214, 215, or 216 
        may be enjoined to provide required remedies under section 215 
        by a court of competent jurisdiction.</DELETED>
        <DELETED>    (4) Other rights and remedies.--The rights and 
        remedies available under this subsection are cumulative and 
        shall not affect any other rights and remedies available under 
        law.</DELETED>
<DELETED>    (c) Access to Justice.--The rights and remedies afforded 
by this section shall not be abridged or precluded by any predispute 
arbitration agreement, and any claims under this section that arise 
from the same security breach are presumed to meet the commonality 
requirement under rule 23(a)(2) of the Federal Rules of Civil 
Procedure.</DELETED>

<DELETED>SEC. 221. RELATION TO OTHER LAWS.</DELETED>

<DELETED>    (a) In General.--The provisions of this subtitle shall 
supersede any other provision of Federal law or any provision of law of 
any State relating to notification by a business entity engaged in 
interstate commerce or an agency of a security breach, except as 
provided in section 214(c).</DELETED>
<DELETED>    (b) Rule of Construction.--Nothing in this subtitle shall 
be construed to exempt any entity from liability under common law, 
including through the operation of ordinary preemption principles, for 
damages caused by the failure to notify an individual following a 
security breach.</DELETED>
<DELETED>    (c) Presumption of Per Se Negligence.--If a business 
entity fails to comply with the requirements in section 211, 212, 213, 
214, 215, or 216, there shall be a presumption that the entity was per 
se negligent.</DELETED>

<DELETED>SEC. 222. AUTHORIZATION OF APPROPRIATIONS.</DELETED>

<DELETED>    There are authorized to be appropriated such sums as may 
be necessary to cover the costs incurred by the United States Secret 
Service to carry out investigations and risk assessments of security 
breaches as required under this subtitle.</DELETED>

<DELETED>SEC. 223. REPORTING ON RISK ASSESSMENT EXEMPTIONS.</DELETED>

<DELETED>    The United States Secret Service and the Federal Bureau of 
Investigation shall report to Congress not later than 18 months after 
the date of enactment of this Act, and upon the request by Congress 
thereafter, on--</DELETED>
        <DELETED>    (1) the number and nature of the security breaches 
        described in the notices filed by those business entities 
        invoking the risk assessment exemption under section 212(b) and 
        the response of the United States Secret Service and the 
        Federal Bureau of Investigation to such notices; and</DELETED>
        <DELETED>    (2) the number and nature of security breaches 
        subject to the national security and law enforcement exemptions 
        under section 212(a), provided that such report may not 
        disclose the contents of any risk assessment provided to the 
        United States Secret Service and the Federal Bureau of 
        Investigation pursuant to this subtitle.</DELETED>

        <DELETED>Subtitle C--Post-Breach Technical Information 
                        Clearinghouse</DELETED>

<DELETED>SEC. 230. CLEARINGHOUSE INFORMATION COLLECTION, MAINTENANCE, 
              AND ACCESS.</DELETED>

<DELETED>    (a) In General.--The Attorney General shall maintain a 
clearinghouse of technical information concerning system 
vulnerabilities identified in the wake of security breaches, which 
shall--</DELETED>
        <DELETED>    (1) contain information disclosed by agencies or 
        business entities under subsection (b); and</DELETED>
        <DELETED>    (2) be accessible to certified entities under 
        subsection (c).</DELETED>
<DELETED>    (b) Post-Breach Technical Notification.--In any instance 
where an agency or business entity is required to notify the United 
States Secret Service and the Federal Bureau of Investigation under 
section 217, the agency or business entity shall also provide the 
Attorney General with technical information concerning the nature of 
the security breach, including--</DELETED>
        <DELETED>    (1) technical information regarding any system 
        vulnerabilities of the agency or business entity revealed by or 
        identified as a consequence of the security breach;</DELETED>
        <DELETED>    (2) technical information regarding any system 
        vulnerabilities of the agency or business entity actually 
        exploited during the security breach; and</DELETED>
        <DELETED>    (3) any other technical information concerning the 
        nature of the security breach deemed appropriate for collection 
        by the Attorney General in furtherance of this 
        subtitle.</DELETED>
<DELETED>    (c) Access to Clearinghouse.--Any entity certified under 
subsection (d) may review information maintained by the technical 
information clearinghouse for the purpose of preventing security 
breaches that threaten the security of sensitive personally 
identifiable information.</DELETED>
<DELETED>    (d) Certification for Access.--The Attorney General shall 
issue and revoke certifications to agencies and business entities 
wishing to review information maintained by the technical information 
clearinghouse and shall establish conditions for obtaining and 
maintaining such certifications, including agreement that any 
information obtained directly or derived indirectly from the review of 
information maintained by the technical information clearinghouse--
</DELETED>
        <DELETED>    (1) shall only be used to improve the security and 
        reduce the vulnerability of networks that use personally 
        identifiable information;</DELETED>
        <DELETED>    (2) may not be used for any competitive commercial 
        purpose; and</DELETED>
        <DELETED>    (3) may not be shared with any third party, 
        including other parties certified for access to the information 
        clearinghouse, without the express written consent of the 
        Attorney General.</DELETED>
<DELETED>    (e) Rulemaking.--In consultation with the private sector, 
appropriate representatives of State and local governments, and other 
appropriate Federal agencies, the Attorney General shall promulgate any 
regulations pursuant to section 553 of title 5, United States Code, 
necessary to carry out the provisions of this section.</DELETED>

<DELETED>SEC. 231. PROTECTIONS FOR CLEARINGHOUSE 
              PARTICIPANTS.</DELETED>

<DELETED>    (a) Protection of Proprietary Information.--To the extent 
feasible, the Attorney General shall ensure that any technical 
information disclosed to the Attorney General under this subtitle shall 
be stored in a format designed to protect proprietary business 
information from inadvertent disclosure.</DELETED>
<DELETED>    (b) Anonymous Data Release.--To the extent feasible, the 
Attorney General shall ensure that all information stored in the 
technical information clearinghouse and accessed by certified parties 
is presented in a form that minimizes the potential for such 
information to be traced to a particular network, company, or security 
breach incident.</DELETED>
<DELETED>    (c) Protection From Public Disclosure.--Except as 
otherwise provided in this subtitle--</DELETED>
        <DELETED>    (1) security and vulnerability information 
        collected under this section and provided to the Federal 
        Government, including aggregated analysis and data, shall be 
        exempt from disclosure under section 552(b)(3) of title 5, 
        United States Code; and</DELETED>
        <DELETED>    (2) under section 230(e), security and 
        vulnerability-related information provided to the Federal 
        Government under this section, including aggregated analysis 
        and data, shall be protected from public disclosure, except 
        that this paragraph--</DELETED>
                <DELETED>    (A) does not prohibit the sharing of such 
                information, as the Attorney General determines to be 
                appropriate, in order to mitigate cybersecurity threats 
                or further the official functions of a government 
                agency; and</DELETED>
                <DELETED>    (B) does not authorize such information 
                to be withheld from a committee of Congress authorized 
                to request the information.</DELETED>
<DELETED>    (d) Protection of Classified Information.--Nothing in this 
subtitle permits the unauthorized disclosure of classified 
information.</DELETED>

<DELETED>SEC. 232. EFFECTIVE DATE.</DELETED>

<DELETED>    This subtitle shall take effect on the expiration of the 
date which is 90 days after the date of enactment of this 
Act.</DELETED>

   <DELETED>TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA</DELETED>

<DELETED>SEC. 301. GENERAL SERVICES ADMINISTRATION REVIEW OF 
              CONTRACTS.</DELETED>

<DELETED>    (a) In General.--In considering contract awards totaling 
more than $500,000 and entered into after the date of enactment of this 
Act with data brokers, the Administrator of the General Services 
Administration shall evaluate--</DELETED>
        <DELETED>    (1) the data privacy and security program of a 
        data broker to ensure the privacy and security of data 
        containing personally identifiable information, including 
        whether such program adequately addresses privacy and security 
        threats created by malicious software or code, or the use of 
        peer-to-peer file sharing software;</DELETED>
        <DELETED>    (2) the compliance of a data broker with such 
        program;</DELETED>
        <DELETED>    (3) the extent to which the databases and systems 
        containing personally identifiable information of a data broker 
        have been compromised by security breaches; and</DELETED>
        <DELETED>    (4) the response by a data broker to such 
        breaches, including the efforts by such data broker to mitigate 
        the impact of such security breaches.</DELETED>
<DELETED>    (b) Compliance Safe Harbor.--The data privacy and security 
program of a data broker shall be deemed sufficient for the purposes of 
subsection (a), if the data broker complies with or provides protection 
equal to industry standards, as identified by the Federal Trade 
Commission, that are applicable to the type of personally identifiable 
information involved in the ordinary course of business of such data 
broker.</DELETED>
<DELETED>    (c) Penalties.--In awarding contracts with data brokers 
for products or services related to access, use, compilation, 
distribution, processing, analyzing, or evaluating personally 
identifiable information, the Administrator of the General Services 
Administration shall--</DELETED>
        <DELETED>    (1) include monetary or other penalties--
        </DELETED>
                <DELETED>    (A) for failure to comply with subtitles A 
                and B of title III; or</DELETED>
                <DELETED>    (B) if a contractor knows or has reason to 
                know that the personally identifiable information being 
                provided is inaccurate, and provides such inaccurate 
                information; and</DELETED>
        <DELETED>    (2) require a data broker that engages service 
        providers not subject to subtitle A of title III for 
        responsibilities related to sensitive personally identifiable 
        information to--</DELETED>
                <DELETED>    (A) exercise appropriate due diligence in 
                selecting those service providers for responsibilities 
                related to personally identifiable 
                information;</DELETED>
                <DELETED>    (B) take reasonable steps to select and 
                retain service providers that are capable of 
                maintaining appropriate safeguards for the security, 
                privacy, and integrity of the personally identifiable 
                information at issue; and</DELETED>
                <DELETED>    (C) require such service providers, by 
                contract, to implement and maintain appropriate 
                measures designed to meet the objectives and 
                requirements in title III.</DELETED>
<DELETED>    (d) Limitation.--The penalties under subsection (c) shall 
not apply to a data broker providing information that is accurately and 
completely recorded from a public record source or licensor.</DELETED>

<DELETED>SEC. 302. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES 
              OF CONTRACTORS AND THIRD PARTY BUSINESS 
              ENTITIES.</DELETED>

<DELETED>    Section 3544(b) of title 44, United States Code, is 
amended--</DELETED>
        <DELETED>    (1) in paragraph (7)(C)(iii), by striking ``and'' 
        after the semicolon;</DELETED>
        <DELETED>    (2) in paragraph (8), by striking the period and 
        inserting ``; and''; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
        <DELETED>    ``(9) procedures for evaluating and auditing the 
        information security practices of contractors or third party 
        business entities supporting the information systems or 
        operations of the agency involving personally identifiable 
        information (as that term is defined in section 3 of the 
        Personal Data Protection and Breach Accountability Act of 2011) 
        and ensuring remedial action to address any significant 
        deficiencies.''.</DELETED>

<DELETED>SEC. 303. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF 
              COMMERCIAL INFORMATION SERVICES CONTAINING PERSONALLY 
              IDENTIFIABLE INFORMATION.</DELETED>

<DELETED>    (a) In General.--Section 208(b)(1) of the E-Government Act 
of 2002 (44 U.S.C. 3501 note) is amended--</DELETED>
        <DELETED>    (1) in subparagraph (A)(i), by striking 
        ``or'';</DELETED>
        <DELETED>    (2) in subparagraph (A)(ii), by striking the 
        period and inserting ``; or''; and</DELETED>
        <DELETED>    (3) by inserting after clause (ii) the 
        following:</DELETED>
                        <DELETED>    ``(iii) purchasing or subscribing 
                        for a fee to personally identifiable 
                        information from a data broker (as such terms 
                        are defined in section 3 of the Personal Data 
                        Protection and Breach Accountability Act of 
                        2011).''.</DELETED>
<DELETED>    (b) Limitation.--Notwithstanding any other provision of 
law, commencing 1 year after the date of enactment of this Act, no 
Federal agency may enter into a contract with a data broker to access 
for a fee any database consisting primarily of personally identifiable 
information concerning United States persons (other than news reporting 
or telephone directories) unless the head of such department or 
agency--</DELETED>
        <DELETED>    (1) completes a privacy impact assessment under 
        section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 
        note), which shall, subject to the provision in that Act 
        pertaining to sensitive information, include a description of--
        </DELETED>
                <DELETED>    (A) such database;</DELETED>
                <DELETED>    (B) the name of the data broker from whom 
                it is obtained; and</DELETED>
                <DELETED>    (C) the amount of the contract for 
                use;</DELETED>
        <DELETED>    (2) adopts regulations that specify--</DELETED>
                <DELETED>    (A) the personnel permitted to access, 
                analyze, or otherwise use such databases;</DELETED>
                <DELETED>    (B) standards governing the access, 
                analysis, or use of such databases;</DELETED>
                <DELETED>    (C) any standards used to ensure that the 
                personally identifiable information accessed, analyzed, 
                or used is the minimum necessary to accomplish the 
                intended legitimate purpose of the Federal 
                agency;</DELETED>
                <DELETED>    (D) standards limiting the retention and 
                redisclosure of personally identifiable information 
                obtained from such databases;</DELETED>
                <DELETED>    (E) procedures ensuring that such data 
                meet standards of accuracy, relevance, completeness, 
                and timeliness;</DELETED>
                <DELETED>    (F) the auditing and security measures to 
                protect against unauthorized access, analysis, use, or 
                modification of data in such databases;</DELETED>
                <DELETED>    (G) applicable mechanisms by which 
                individuals may secure timely redress for any adverse 
                consequences wrongly incurred due to the access, 
                analysis, or use of such databases;</DELETED>
                <DELETED>    (H) mechanisms, if any, for the 
                enforcement and independent oversight of existing or 
                planned procedures, policies, or guidelines; 
                and</DELETED>
                <DELETED>    (I) an outline of enforcement mechanisms 
                for accountability to protect individuals and the 
                public against unlawful or illegitimate access or use 
                of databases; and</DELETED>
        <DELETED>    (3) incorporates into the contract or other 
        agreement totaling more than $500,000, provisions--</DELETED>
                <DELETED>    (A) providing for penalties--</DELETED>
                        <DELETED>    (i) for failure to comply with 
                        title III of this Act; or</DELETED>
                        <DELETED>    (ii) if the entity knows or has 
                        reason to know that the personally identifiable 
                        information being provided to the Federal 
                        department or agency is inaccurate, and 
                        provides such inaccurate information; 
                        and</DELETED>
                <DELETED>    (B) requiring a data broker that engages 
                service providers not subject to subtitle A of title 
                III for responsibilities related to sensitive 
                personally identifiable information to--</DELETED>
                        <DELETED>    (i) exercise appropriate due 
                        diligence in selecting those service providers 
                        for responsibilities related to personally 
                        identifiable information;</DELETED>
                        <DELETED>    (ii) take reasonable steps to 
                        select and retain service providers that are 
                        capable of maintaining appropriate safeguards 
                        for the security, privacy, and integrity of the 
                        personally identifiable information at issue; 
                        and</DELETED>
                        <DELETED>    (iii) require such service 
                        providers, by contract, to implement and 
                        maintain appropriate measures designed to meet 
                        the objectives and requirements in title 
                        III.</DELETED>
<DELETED>    (c) Limitation on Penalties.--The penalties under 
subsection (b)(3)(A) shall not apply to a data broker providing 
information that is accurately and completely recorded from a public 
record source.</DELETED>
<DELETED>    (d) Study of Government Use.--</DELETED>
        <DELETED>    (1) Scope of study.--Not later than 180 days after 
        the date of enactment of this Act, the Comptroller General of 
        the United States shall conduct a study and audit and prepare a 
        report on Federal agency actions to address the recommendations 
        in the Government Accountability Office's April 2006 report on 
        agency adherence to key privacy principles in using data 
        brokers or commercial databases containing personally 
        identifiable information.</DELETED>
        <DELETED>    (2) Report.--A copy of the report required under 
        paragraph (1) shall be submitted to Congress.</DELETED>

<DELETED>SEC. 304. FBI REPORT ON REPORTED BREACHES AND 
              COMPLIANCE.</DELETED>

<DELETED>    (a) In General.--Not later than 1 year after the date of 
enactment of this Act, and each year thereafter, the Federal Bureau of 
Investigation, in coordination with the Secret Service, shall submit to 
the Committee on the Judiciary of the Senate and the Committee on the 
Judiciary of the House of Representatives a report regarding any 
reported breaches at agencies or business entities during the preceding 
year.</DELETED>
<DELETED>    (b) Report Content.--Such reporting shall include--
</DELETED>
        <DELETED>    (1) the total instances of breaches of security in 
        the previous year;</DELETED>
        <DELETED>    (2) the percentage of breaches described in 
        subsection (a) that occurred at an agency or business entity 
        that did not comply with the personal data privacy and security 
        program under section 202; and</DELETED>
        <DELETED>    (3) recommendations, if any, for modifying or 
        amending this Act to increase its effectiveness.</DELETED>

<DELETED>SEC. 305. DEPARTMENT OF JUSTICE REPORT ON ENFORCEMENT 
              ACTIONS.</DELETED>

<DELETED>    (a) In General.--Not later than 1 year after the date of 
enactment of this Act, and each year thereafter, the Attorney General 
shall submit to Congress a report on the enforcement actions taken in 
the previous year in cases of violations of any sections of this 
Act.</DELETED>
<DELETED>    (b) Report Content.--The report required under subsection 
(a) shall include--</DELETED>
        <DELETED>    (1) statistics on Federal enforcement actions, 
        State attorneys general enforcement actions, and private 
        enforcement actions related to the provisions of this Act; 
        and</DELETED>
        <DELETED>    (2) recommendations, if any, for modifying or 
        amending this Act to increase the effectiveness of such 
        enforcement actions.</DELETED>

<DELETED>SEC. 306. DEPARTMENT OF JUSTICE REPORT ON ENFORCEMENT 
              ACTIONS.</DELETED>

<DELETED>    Section 529 of title 28, United States Code, is amended by 
adding at the end the following:</DELETED>
<DELETED>    ``(c) Not later than 1 year after the date of enactment of 
the Personal Data Protection and Breach Accountability Act of 2011, and 
every fiscal year thereafter, the Attorney General shall submit to 
Congress a report on the efforts of the Federal Government to enforce 
the Personal Data Protection and Breach Accountability Act of 2011 that 
shall include a description of the best practices for enforcement of 
such Act.''.</DELETED>

<DELETED>SEC. 307. FBI REPORT ON NOTIFICATION EFFECTIVENESS.</DELETED>

<DELETED>    (a) In General.--Not later than 1 year after the date of 
enactment of this Act, and each year thereafter, the Federal Bureau of 
Investigation, in coordination with the Secret Service, shall submit to 
the Committee on the Judiciary of the Senate and the Committee on the 
Judiciary of the House of Representatives a report regarding the 
effectiveness of post-breach notification practices by agencies and 
business entities.</DELETED>
<DELETED>    (b) Report Content.--The report required under subsection 
(a) shall include--</DELETED>
        <DELETED>    (1) in each instance of a breach of security, the 
        amount of time between the instance of the breach and the 
        discovery of the breach by the affected business 
        entity;</DELETED>
        <DELETED>    (2) in each instance of a breach of security, the 
        amount of time between the discovery of the breach by the 
        affected business entity and the notification to the FBI and 
        Secret Service; and</DELETED>
        <DELETED>    (3) in each instance of a breach of security, the 
        amount of time between the discovery of the breach by the 
        affected business entity and the notification to individuals 
        whose sensitive personally identifiable information was 
        compromised.</DELETED>

      <DELETED>TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO 
                             ACT</DELETED>

<DELETED>SEC. 401. BUDGET COMPLIANCE.</DELETED>

<DELETED>    The budgetary effects of this Act, for the purpose of 
complying with the Statutory Pay-As-You-Go Act of 2010, shall be 
determined by reference to the latest statement titled ``Budgetary 
Effects of PAYGO Legislation'' for this Act, submitted for printing in 
the Congressional Record by the Chairman of the Senate Budget 
Committee, provided that such statement has been submitted prior to the 
vote on passage.</DELETED>

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Personal Data 
Protection and Breach Accountability Act of 2011''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Concealment of security breaches involving sensitive 
                            personally identifiable information.
Sec. 102. Unauthorized manipulation of Internet traffic on a user's 
                            computer.

  TITLE II--PRIVACY AND SECURITY OF SENSITIVE PERSONALLY IDENTIFIABLE 
                              INFORMATION

            Subtitle A--A Data Privacy and Security Program

Sec. 201. Purpose and applicability of data privacy and security 
                            program.
Sec. 202. Requirements for a personal data privacy and security 
                            program.
Sec. 203. Federal enforcement.
Sec. 204. Enforcement by State Attorneys General.
Sec. 205. Supplemental enforcement by individuals.

                Subtitle B--Security Breach Notification

Sec. 211. Notice to individuals.
Sec. 212. Exemptions from notice to individuals.
Sec. 213. Methods of notice to individuals.
Sec. 214. Content of notice to individuals.
Sec. 215. Remedies for security breach.
Sec. 216. Notice to credit reporting agencies.
Sec. 217. Notice to law enforcement.
Sec. 218. Federal enforcement.
Sec. 219. Enforcement by State attorneys general.
Sec. 220. Supplemental enforcement by individuals.
Sec. 221. Relation to other laws.
Sec. 222. Authorization of appropriations.
Sec. 223. Reporting on risk assessment exemptions.

      Subtitle C--Post-Breach Technical Information Clearinghouse

Sec. 230. Clearinghouse information collection, maintenance, and 
                            access.
Sec. 231. Protections for clearinghouse participants.
Sec. 232. Effective date.

            TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA

Sec. 301. General services administration review of contracts.
Sec. 302. Requirement to audit information security practices of 
                            contractors and third party business 
                            entities.
Sec. 303. Privacy impact assessment of government use of commercial 
                            information services containing sensitive 
                            personally identifiable information.
Sec. 304. FBI report on reported breaches and compliance.
Sec. 305. Department of Justice report on enforcement actions.
Sec. 306. Report on notification effectiveness.

         TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

Sec. 401. Budget compliance.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) databases of personally identifiable information are 
        increasingly prime targets of hackers, identity thieves, rogue 
        employees, and other criminals, including organized and 
        sophisticated criminal operations;
            (2) identity theft is a serious threat to the Nation's 
        economic stability, homeland security, the development of 
        e-commerce, and the privacy rights of Americans;
            (3) over 9,300,000 individuals were victims of identity 
        theft in America last year;
            (4) security breaches are a serious threat to consumer 
        confidence, homeland security, e-commerce, and economic 
        stability;
            (5) it is important for business entities that own, use, or 
        license personally identifiable information to adopt reasonable 
        procedures to ensure the security, privacy, and confidentiality 
        of that personally identifiable information;
            (6) individuals whose personal information has been 
        compromised or who have been victims of identity theft should 
        receive the necessary information and assistance to mitigate 
        their damages and to restore the integrity of their personal 
        information and identities;
            (7) data misuse and use of inaccurate data have the 
        potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government operations;
            (8) there is a need to ensure that data brokers conduct 
        their operations in a manner that prioritizes fairness, 
        transparency, accuracy, and respect for the privacy of 
        consumers;
            (9) government access to commercial data can potentially 
        improve safety, law enforcement, and national security;
            (10) because government use of commercial data containing 
        personal information potentially affects individual privacy, 
        and law enforcement and national security operations, there is 
        a need for Congress to exercise oversight over government use 
        of commercial data;
            (11) over 22,960,000 cases of data breaches involving 
        personally identifiable information were reported through July 
        of 2011, and in 2009 through 2010, over 230,900,000 cases of 
        personal data breaches were reported;
            (12) facilitating information sharing among business 
        entities and across sectors in the event of a breach can assist 
        in remediating the breach and preventing similar breaches in 
        the future;
            (13) because the Federal Government has limited resources, 
        consumers themselves play a vital and complementary role in 
        facilitating prompt notification and protecting against future 
        breaches of security;
            (14) in addition to the immediate damages caused by 
        security breaches, the lack of basic remedial requirements 
        often forces individuals whose sensitive personally 
        identifiable information is compromised as a result of a 
        security breach to incur the economic costs of litigation to 
        seek remedies, and the economic costs of fees required in many 
        States to freeze compromised accounts; and
            (15) victims of personal data breaches may suffer 
        debilitating emotional and physical effects and become 
        depressed or anxious, especially in cases of repeated or 
        unresolved instances of data breaches.

SEC. 3. DEFINITIONS.

    (a) In General.--In this Act, the following definitions shall 
apply:
            (1) Affiliate.--The term ``affiliate'' means persons 
        related by common ownership or by corporate control.
            (2) Agency.--The term ``agency'' has the meaning given such 
        term in section 551 of title 5, United States Code.
            (3) Business entity.--The term ``business entity'' means 
        any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or venture 
        established to make a profit, or nonprofit.
            (4) Credit rating agency.--The term ``credit rating 
        agency'' has the meaning given such term in section 3(a)(61) of 
        the Securities Exchange Act of 1934 (12 U.S.C. 78c(a)(61)).
            (5) Credit report.--The term ``credit report'' means a 
        consumer report, as that term is defined in section 603 of the 
        Fair Credit Reporting Act (15 U.S.C. 1681a).
            (6) Data broker.--The term ``data broker'' means a business 
        entity which for monetary fees or dues regularly engages in the 
        practice of collecting, transmitting, or providing access to 
        sensitive personally identifiable information on more than 
        5,000 individuals who are not the customers or employees of 
        that business entity or affiliate primarily for the purposes of 
        providing such information to nonaffiliated third parties on an 
        interstate basis.
            (7) Designated entity.--The term ``designated entity'' 
        means the Federal Government entity designated under section 
        217(a).
            (8) Encryption.--The term ``encryption''--
                    (A) means the protection of data in electronic 
                form, in storage or in transit, using an encryption 
                technology that has been generally accepted by experts 
                in the field of information security that renders such 
                data indecipherable in the absence of associated 
                cryptographic keys necessary to enable decryption of 
                such data; and
                    (B) includes appropriate management and safeguards 
                of such cryptographic keys so as to protect the 
                integrity of the encryption.
            (9) Identity theft.--The term ``identity theft'' means a 
        violation of section 1028(a)(7) of title 18, United States 
        Code.
            (10) Intelligence community.--The term ``intelligence 
        community'' includes the following:
                    (A) The Office of the Director of National 
                Intelligence.
                    (B) The Central Intelligence Agency.
                    (C) The National Security Agency.
                    (D) The Defense Intelligence Agency.
                    (E) The National Geospatial-Intelligence Agency.
                    (F) The National Reconnaissance Office.
                    (G) Other offices within the Department of Defense 
                for the collection of specialized national intelligence 
                through reconnaissance programs.
                    (H) The intelligence elements of the Army, the 
                Navy, the Air Force, the Marine Corps, the Federal 
                Bureau of Investigation, and the Department of Energy.
                    (I) The Bureau of Intelligence and Research of the 
                Department of State.
                    (J) The Office of Intelligence and Analysis of the 
                Department of the Treasury.
                    (K) The elements of the Department of Homeland 
                Security concerned with the analysis of intelligence 
                information, including the Office of Intelligence of 
                the Coast Guard.
                    (L) Such other elements of any other department or 
                agency as may be designated by the President, or 
                designated jointly by the Director of National 
                Intelligence and the head of the department or agency 
                concerned, as an element of the intelligence community.
            (11) Predispute arbitration agreement.--The term 
        ``predispute arbitration agreement'' means any agreement to 
        arbitrate a dispute that had not yet arisen at the time of the 
        making of the agreement.
            (12) Public record source.--The term ``public record 
        source'' means the Congress, any agency, any State or local 
        government agency, the government of the District of Columbia 
        and governments of the territories or possessions of the United 
        States, and Federal, State or local courts, courts martial and 
        military commissions, that maintain personally identifiable 
        information in records available to the public.
            (13) Security breach.--
                    (A) In general.--The term ``security breach'' means 
                compromise of the security, confidentiality, or 
                integrity of, or the loss of, computerized data through 
                misrepresentation or actions that result in, or that 
                there is a reasonable basis to conclude has resulted 
                in--
                            (i) the unauthorized acquisition of 
                        sensitive personally identifiable information; 
                        or
                            (ii) access to sensitive personally 
                        identifiable information that is for an 
                        unauthorized purpose, or in excess of 
                        authorization.
                    (B) Exclusion.--The term ``security breach'' does 
                not include--
                            (i) a good faith acquisition of sensitive 
                        personally identifiable information by a 
                        business entity or agency, or an employee or 
                        agent of a business entity or agency, if the 
                        sensitive personally identifiable information 
                        is not subject to further unauthorized 
                        disclosure;
                            (ii) the release of a public record not 
                        otherwise subject to confidentiality or 
                        nondisclosure requirements or the release of 
                        information obtained from a public record; or
                            (iii) any lawfully authorized criminal 
                        investigation or authorized investigative, 
                        protective, or intelligence activities that are 
                        carried out by or on behalf of any element of 
                        the intelligence community and conducted in 
                        accordance with the United States laws, 
                        authorities, and regulations governing such 
                        intelligence activities.
            (14) Security freeze.--The term ``security freeze'' means a 
        notice, at the request of the consumer and subject to 
        exceptions in section 215(b), that prohibits the consumer 
        reporting agency from releasing all or any part of the 
        consumer's credit report or any information derived from it 
        without the express authorization of the consumer.
            (15) Sensitive personally identifiable information.--The 
        term ``sensitive personally identifiable information'' means 
        any information or compilation of information, in electronic or 
        digital form that includes the following:
                    (A) An individual's first and last name or first 
                initial and last name in combination with any 2 of the 
                following data elements:
                            (i) Home address.
                            (ii) Telephone number of the individual.
                            (iii) Mother's maiden name.
                            (iv) Month, day, and year of birth.
                    (B) A non-truncated social security number, 
                driver's license number, passport number, or alien 
                registration number or other government-issued unique 
                identification number.
                    (C) Information about an individual's geographic 
                location that is in whole or in part generated by or 
                derived from that individual's use of a wireless 
                communication device or other electronic device, 
                excluding telephone and instrument numbers and network 
                or Internet Protocol addresses.
                    (D) Unique biometric data such as a finger print, 
                voice print, face print, a retina or iris image, or any 
                other unique physical representation.
                    (E) A unique account identifier, including a 
                financial account number or credit or debit card 
                number, electronic identification number, user name, 
                health insurance policy or subscriber identification 
                number, or routing code.
                    (F) Not less than 2 of the following data elements:
                            (i) An individual's first and last name or 
                        first initial and last name.
                            (ii) A unique account identifier, including 
                        a financial account number or credit or debit 
                        card number, electronic identification number, 
                        user name, or routing code.
                            (iii) Any security code, access code, or 
                        password, or source code that could be used to 
                        generate such codes and passwords.
                            (iv) Information regarding an individual's 
                        medical history, mental or physical medical 
                        condition, or medical treatment or diagnosis by 
                        a health care professional.
                    (G) Any other combination of data elements that 
                could allow unauthorized access to or acquisition of 
                the information described in subparagraph (A), (B), 
                (C), (D), (E), or (F), including--
                            (i) a unique account identifier;
                            (ii) an electronic identification number;
                            (iii) a user name;
                            (iv) a routing code; or
                            (v) any associated security code, access 
                        code, or password or any associated security 
                        questions and answers that could allow 
                        unauthorized access to the account.
            (16) Service provider.--
                    (A) In general.--The term ``service provider'' 
                means a business entity that--
                            (i) provides electronic data transmission, 
                        routing, intermediate and transient storage, or 
                        connections to the system or network of the 
                        business entity;
                            (ii) is not the sender or the intended 
                        recipient of the data;
                            (iii) is not ordinarily expected to select 
                        or modify the content of the electronic data; 
                        and
                            (iv) transmits, routes, stores, or provides 
                        connections for personal information in a 
                        manner that personal information is 
                        undifferentiated from other types of data that 
                        such business entity transmits, routes, stores, 
                        or provides connections.
                    (B) Savings clause.--Any such business entity shall 
                be treated as a service provider under this Act only to 
                the extent that the business entity is engaged in the 
                provision of the transmission, routing, intermediate 
                and transient storage or connections described in 
                subparagraph (A).
    (b) Modified Definition by Rulemaking.--The Federal Trade 
Commission may, by rule promulgated under section 553 of title 5, 
United States Code, modify the definition of ``sensitive personally 
identifiable information'' in a manner consistent with the purposes of 
this Act and to the extent that such modification will not unreasonably 
impede interstate commerce.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

SEC. 101. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:
``Sec. 1041. Concealment of security breaches involving sensitive 
              personally identifiable information
    ``(a) Whoever, having knowledge of a security breach and of the 
fact that notice of such security breach is required under title II of 
the Personal Data Protection and Breach Accountability Act of 2011, 
intentionally or willfully conceals the fact of such security breach 
and which breach, shall, in the event that such security breach results 
in economic harm or substantial emotional distress to 1 or more 
persons, shall be fined under this title or imprisoned not more than 5 
years, or both.
    ``(b) For purposes of subsection (a), the term `person' has the 
same meaning as in section 1030(e)(12) of title 18, United States Code.
    ``(c) Any person seeking an exemption under section 212(b) of the 
Personal Data Protection and Breach Accountability Act of 2011 shall be 
immune from prosecution under this section if the United States Secret 
Service does not indicate, in writing, that such notice be given under 
section 212(b)(1)(B) of the Personal Data Protection and Breach 
Accountability Act of 2011.''.
    (b) Conforming and Technical Amendments.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

``1041. Concealment of security breaches involving sensitive personally 
                            identifiable information.''.
    (c) Enforcement Authority.--
            (1) In general.--The United States Secret Service and the 
        Federal Bureau of Investigation shall have the authority to 
        investigate offenses under this section.
            (2) Nonexclusivity.--The authority granted in paragraph (1) 
        shall not be exclusive of any existing authority held by any 
        other Federal agency.

SEC. 102. UNAUTHORIZED MANIPULATION OF INTERNET TRAFFIC ON A USER'S 
              COMPUTER.

    (a) Definition.--In this section, the term ``protected computer'' 
has the meaning given the term in section 1030(e)(2) of title 18, 
United States Code.
    (b) Prohibition.--
            (1) In general.--Unless a service provider provides a clear 
        and conspicuous disclosure of data collected in the process of 
        intercepting a web search or query entered by an authorized 
        user of a protected computer, and obtains the consent of an 
        authorized user of the protected computer prior to any such 
        action, it shall be unlawful for a service provider to 
        knowingly or intentionally--
                    (A) bypass the display of search engine results and 
                redirect web searches or queries entered by an 
                authorized user of a protected computer directly to a 
                commercial website, counterfeit web page, or targeted 
                advertisement and derive an economic benefit from such 
                activity; or
                    (B) monitor, manipulate, aggregate, and market the 
                data collected in the process of intercepting a web 
                search or query entered by an authorized user of a 
                protected computer and derive an economic benefit from 
                such activity.
            (2) Consent.--A service provider may not require consent to 
        perform the collection of data described in paragraph (1) as a 
        condition of providing service to an authorized user of the 
        protected computer.
    (c) Limitations on Liability.--The restrictions imposed under this 
section do not apply to any monitoring of, or interaction with, a 
subscriber's Internet or other network connection or service, or a 
protected computer, by or at the direction of a telecommunications 
carrier, cable operator, computer hardware or software provider, 
financial institution or provider of information services or 
interactive computer service for--
            (1) network or computer security purposes;
            (2) diagnostics;
            (3) technical support;
            (4) repair;
            (5) network management;
            (6) authorized updates of software or system firmware;
            (7) authorized remote system management;
            (8) authorized provision of protection for users of the 
        computer from objectionable content;
            (9) authorized scanning for computer software used in 
        violation of this section for removal by an authorized user; or
            (10) detection or prevention of fraud.
    (d) Enforcement by the Attorney General.--
            (1) Liability and penalty for violations.--Any person who 
        engages in an activity in violation of this section shall be 
        fined not more than $500,000.
            (2) Enhanced liability and penalties for pattern or 
        practice of violations.--
                    (A) In general.--Any person who engages in a 
                pattern or practice of activity that violates the 
                provisions of this section shall be fined not more than 
                $1,000,000.
                    (B) Treatment of single action or conduct.--For 
                purposes of subparagraph (A), any single action or 
                conduct that violates this section with respect to 
                multiple protected computers shall be construed as a 
                single violation.
            (3) Considerations.--In determining the amount of any 
        penalty under paragraph (1) or (2), the court shall take into 
        account--
                    (A) the degree of culpability of the defendant;
                    (B) any history of prior such conduct;
                    (C) the ability of the defendant to pay any fine 
                imposed;
                    (D) the effect on the ability of the defendant to 
                continue to do business; and
                    (E) such other matters as justice may require.

  TITLE II--PRIVACY AND SECURITY OF SENSITIVE PERSONALLY IDENTIFIABLE 
                              INFORMATION

            Subtitle A--A Data Privacy and Security Program

SEC. 201. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Purpose.--The purpose of this subtitle is to ensure standards 
for developing and implementing administrative, technical, and physical 
safeguards to protect the security of sensitive personally identifiable 
information.
    (b) In General.--A business entity engaging in interstate commerce 
that involves collecting, accessing, transmitting, using, storing, or 
disposing of sensitive personally identifiable information in 
electronic or digital form on 10,000 or more United States persons is 
subject to the requirements for a data privacy and security program 
under section 202 for protecting sensitive personally identifiable 
information.
    (c) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to the following:
            (1) Financial institutions.--A financial institution 
        subject to the data security requirements and standards under 
        501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) and 
        subject to the jurisdiction of an agency or authority described 
        in section 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 
        6805(a)), if the Federal functional regulator (as defined in 
        section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)) 
        with jurisdiction over that financial institution has issued a 
        regulation under title V of the Gramm-Leach-Bliley Act (15 
        U.S.C. 6801 et seq.) that requires financial institutions 
        within its jurisdiction to provide notification to individuals 
        following a breach of security.
            (2) HIPAA regulated entities.--
                    (A) Covered entities.--A business entity subject to 
                the Health Insurance Portability and Accountability Act 
                of 1996 (42 U.S.C. 1301 et seq.), including the data 
                security requirements and implementing regulations of 
                that Act.
                    (B) Compliance.--A business entity that--
                            (i) is acting as a business associate, as 
                        that term is defined under the Health Insurance 
                        Portability and Accountability Act of 1996 (42 
                        U.S.C. 1301 et seq.) and is in compliance with 
                        the requirements imposed under that Act and 
                        implementing regulations promulgated under that 
                        Act; and
                            (ii) is subject to, and currently in 
                        compliance, with the privacy and data security 
                        requirements under sections 13401 and 13404 of 
                        division A of the American Reinvestment and 
                        Recovery Act of 2009 (42 U.S.C. 17931 and 
                        17934) and implementing regulations promulgated 
                        under such sections.
            (3) Service providers.--A service provider for any 
        electronic communication by a third-party, to the extent that 
        the service provider is exclusively engaged in the 
        transmission, routing, or temporary, intermediate, or transient 
        storage of that communication.
            (4) Public records.--Public records not otherwise subject 
        to a confidentiality or nondisclosure requirement, or 
        information obtained from a public record, including 
        information obtained from a news report or periodical.
    (d) Rule of Construction.--Nothing in this subtitle shall be 
construed to modify, limit, or supersede the operation of the 
provisions of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), or 
its implementing regulations, including such regulations adopted or 
enforced by the States.

SEC. 202. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Personal Data Privacy and Security Program.--A business entity 
subject to this subtitle shall comply with the following safeguards and 
any other administrative, technical, or physical safeguards identified 
by the Federal Trade Commission in a rulemaking process pursuant to 
section 553 of title 5, United States Code, for the protection of 
sensitive personally identifiable information:
            (1) Scope.--A business entity shall implement a 
        comprehensive personal data privacy and security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity of the business entity 
        and the nature and scope of its activities.
            (2) Design.--The personal data privacy and security program 
        shall be designed to--
                    (A) ensure the privacy, security, and 
                confidentiality of sensitive personally identifiable 
                information;
                    (B) protect against any anticipated vulnerabilities 
                to the privacy, security, or integrity of sensitive 
                personally identifiable information; and
                    (C) protect against unauthorized access to or use 
                of sensitive personally identifiable information that 
                could create a significant risk of harm to any 
                individual.
            (3) Risk assessment.--A business entity shall--
                    (A) identify reasonably foreseeable internal and 
                external vulnerabilities that could result in 
                unauthorized access, disclosure, use, or alteration of 
                sensitive personally identifiable information or 
                systems containing sensitive personally identifiable 
                information;
                    (B) assess the likelihood of and potential damage 
                from unauthorized access, disclosure, use, or 
                alteration of sensitive personally identifiable 
                information;
                    (C) assess the sufficiency of its policies, 
                technologies, and safeguards in place to control and 
                minimize risks from unauthorized access, disclosure, 
                use, or alteration of sensitive personally identifiable 
                information; and
                    (D) assess the vulnerability of sensitive 
                personally identifiable information during destruction 
                and disposal of such information, including through the 
                disposal or retirement of hardware.
            (4) Risk management and control.--Each business entity 
        shall--
                    (A) design its personal data privacy and security 
                program to control the risks identified under paragraph 
                (3); and
                    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, and scope of the activities of the business 
                entity that--
                            (i) control access to systems and 
                        facilities containing sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;
                            (ii) detect, record, and preserve 
                        information relevant to actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        disclosure, use, or alteration of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access;
                            (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption, redaction, or access controls that 
                        are widely accepted as an effective industry 
                        practice or industry standard, or other 
                        reasonable means (including as directed for 
                        disposal of records under section 628 of the 
                        Fair Credit Reporting Act (15 U.S.C. 1681w) and 
                        the implementing regulations of such Act as set 
                        forth in section 682 of title 16, Code of 
                        Federal Regulations);
                            (iv) ensure that sensitive personally 
                        identifiable information is properly destroyed 
                        and disposed of, including during the 
                        destruction of computers, diskettes, and other 
                        electronic media that contain sensitive 
                        personally identifiable information;
                            (v) trace access to records containing 
                        sensitive personally identifiable information 
                        so that the business entity can determine who 
                        accessed or acquired such sensitive personally 
                        identifiable information pertaining to specific 
                        individuals;
                            (vi) ensure that no third party or customer 
                        of the business entity is authorized to access 
                        or acquire sensitive personally identifiable 
                        information without the business entity first 
                        performing sufficient due diligence to 
                        ascertain, with reasonable certainty, that such 
                        information is being sought for a valid legal 
                        purpose; and
                            (vii) minimize the amount of personal 
                        information maintained by the business entity, 
                        providing for the retention of such personal 
                        information only as reasonably needed for the 
                        business purposes of the business entity or as 
                        necessary to comply with any other provision of 
                        law.
    (b) Training.--Each business entity subject to this subtitle shall 
take steps to ensure employee training and supervision for 
implementation of the data security program of the business entity.
    (c) Vulnerability Testing.--
            (1) In general.--Each business entity subject to this 
        subtitle shall take steps to ensure regular testing of key 
        controls, systems, and procedures of the personal data privacy 
        and security program to detect, prevent, and respond to attacks 
        or intrusions, or other system failures.
            (2) Frequency.--The frequency and nature of the tests 
        required under paragraph (1) shall be determined by the risk 
        assessment of the business entity under subsection (a)(3).
    (d) Certain Relationship to Providers of Services.--In the event a 
business entity subject to this subtitle engages a person or entity not 
subject to this subtitle (other than a service provider) to receive 
sensitive personally identifiable information in performing services or 
functions (other than the services or functions provided by a service 
provider) on behalf of and under the instruction of such business 
entity, such business entity shall--
            (1) exercise appropriate due diligence in selecting the 
        person or entity for responsibilities related to sensitive 
        personally identifiable information, and take reasonable steps 
        to select and retain a person or entity that is capable of 
        maintaining appropriate safeguards for the security, privacy, 
        and integrity of the sensitive personally identifiable 
        information at issue; and
            (2) require the person or entity by contract to implement 
        and maintain appropriate measures designed to meet the 
        objectives and requirements governing entities subject to 
        section 201, this section, and subtitle B.
    (e) Periodic Assessment and Personal Data Privacy and Security 
Modernization.--Each business entity subject to this subtitle shall on 
a regular basis monitor, evaluate, and adjust, as appropriate its data 
privacy and security program in light of any relevant changes in--
            (1) technology;
            (2) the sensitivity of sensitive personally identifiable 
        information;
            (3) internal or external threats to sensitive personally 
        identifiable information; and
            (4) the changing business arrangements of the business 
        entity, such as--
                    (A) mergers and acquisitions;
                    (B) alliances and joint ventures;
                    (C) outsourcing arrangements;
                    (D) bankruptcy; and
                    (E) changes to sensitive personally identifiable 
                information systems.
    (f) Implementation Timeline.--Not later than 1 year after the date 
of enactment of this Act, a business entity subject to the provisions 
of this subtitle shall implement a data privacy and security program 
pursuant to this subtitle.

SEC. 203. FEDERAL ENFORCEMENT.

    (a) Civil Penalties.--
            (1) In general.--The Attorney General may bring a civil 
        action in the appropriate United States district court against 
        any business entity that engages in conduct constituting a 
        violation of this subtitle and, upon proof of such conduct by a 
        preponderance of the evidence, such business entity shall be 
        subject to a civil penalty of not more than $5,000 per 
        violation per day while such a violation exists, with a maximum 
        of $20,000,000 per violation, unless such conduct is found to 
        be willful or intentional.
            (2) Intentional or willful violation.--A business entity 
        that intentionally or willfully violates the provisions of this 
        subtitle shall be subject to additional penalties in the amount 
        of $5,000 per violation per day while such a violation exists.
            (3) Considerations.--In determining the amount of a civil 
        penalty under this subsection, the court shall take into 
        account--
                    (A) the degree of culpability of the business 
                entity;
                    (B) any prior violations of this subtitle by the 
                business entity;
                    (C) the ability of the business entity to pay a 
                civil penalty;
                    (D) the effect on the ability of the business 
                entity to continue to do business;
                    (E) the number of individuals whose sensitive 
                personally identifiable information was compromised by 
                the breach;
                    (F) the relative cost of compliance with this 
                subtitle; and
                    (G) such other matters as justice may require.
    (b) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a business entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (c) Other Rights and Remedies.--The rights and remedies available 
under this section are cumulative and shall not affect any other rights 
and remedies available under law.

SEC. 204. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) Civil Actions.--
            (1) In general.--In any case in which the attorney general 
        of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the acts or 
        practices of a business entity that violate this subtitle, the 
        State may bring a civil action on behalf of the residents of 
        that State in a district court of the United States of 
        appropriate jurisdiction, or any other court of competent 
        jurisdiction, to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this subtitle; or
                    (C) obtain civil penalties of not more than $5,000 
                per violation per day while such violations persist, up 
                to a maximum of $20,000,000 per violation.
            (2) Considerations.--In determining the amount of a civil 
        penalty under this subsection, the court shall take into 
        account--
                    (A) the degree of culpability of the business 
                entity;
                    (B) any prior violations of this subtitle by the 
                business entity;
                    (C) the ability of the business entity to pay a 
                civil penalty;
                    (D) the effect on the ability of the business 
                entity to continue to do business;
                    (E) the number of individuals whose sensitive 
                personally identifiable information was compromised by 
                the breach;
                    (F) the relative cost of compliance with this 
                subtitle; and
                    (G) such other matters as justice may require.
            (3) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Attorney General--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an attorney 
                general of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in this 
                subparagraph before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described in subparagraph (B), the attorney general of 
                a State shall provide the written notice and a copy of 
                the complaint to the Attorney General as soon after the 
                filing of the complaint as practicable.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(3), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action described in 
        subsection (c);
            (2) initiate an action in the appropriate United States 
        district court under section 218 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(2); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General has instituted a 
proceeding or action for a violation of this subtitle or any 
regulations thereunder, no attorney general of a State may, during the 
pendency of such proceeding or action, bring an action under this 
section against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this section shall be construed to prevent 
an attorney general of a State from exercising the powers conferred on 
such attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 205. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.

    (a) In General.--Any person aggrieved by a violation of the 
provisions of this subtitle by a business entity may bring a civil 
action in a court of appropriate jurisdiction to recover for personal 
injuries sustained as a result of the violation.
    (b) Authority To Bring Civil Action; Jurisdiction.--As provided in 
subsection (c), any person may commence a civil action on his own 
behalf against any business entity who is alleged to have violated the 
provisions of this subtitle.
    (c) Remedies in a Citizen Suit.--
            (1) Damages.--Any individual harmed by a failure of a 
        business entity to comply with the provisions of this subtitle, 
        shall be able to collect damages of not more than $10,000 per 
        violation per day while such violations persist, up to a 
        maximum of $20,000,000 per violation.
            (2) Punitive damages.--A business entity may be liable for 
        punitive damages if the business entity intentionally or 
        willfully violates the provisions of this subtitle.
            (3) Equitable relief.--A business entity that violates the 
        provisions of this subtitle may be enjoined to comply with the 
        provisions of those sections.
    (d) Other Rights and Remedies.--The rights and remedies available 
under this subsection are cumulative and shall not affect any other 
rights and remedies available under law.
    (e) Nonenforceability of Certain Provisions Waiving Rights and 
Remedies or Requiring Arbitration of Disputes.--
            (1) Waiver of rights and remedies.--The rights and remedies 
        provided for in this section may not be waived by any 
        agreement, policy form, or condition of employment including by 
        a predispute arbitration agreement.
            (2) Predispute arbitration agreements.--No predispute 
        arbitration agreement shall be valid or enforceable, if the 
        agreement requires arbitration of a dispute arising under this 
        section.
    (f) Considerations.--In determining the amount of a civil penalty 
under this subsection, the court shall take into account--
            (1) the degree of culpability of the business entity;
            (2) any prior violations of this subtitle by the business 
        entity;
            (3) the ability of the business entity to pay a civil 
        penalty;
            (4) the effect on the ability of the business entity to 
        continue to do business;
            (5) the number of individuals whose sensitive personally 
        identifiable information was compromised by the breach;
            (6) the relative cost of compliance with this subtitle; and
            (7) such other matters as justice may require.

                Subtitle B--Security Breach Notification

SEC. 211. NOTICE TO INDIVIDUALS.

    (a) In General.--Any agency, or business entity engaged in 
interstate commerce other than a service provider, that uses, accesses, 
transmits, stores, disposes of, or collects sensitive personally 
identifiable information that experiences a security breach of such 
information, shall, following the discovery of such security breach of 
such information, notify any resident of the United States whose 
sensitive personally identifiable information has been, or is 
reasonably believed to have been, accessed, or acquired.
    (b) Obligation of Owner or Licensee.--
            (1) Notice to owner or licensee.--Any agency, or business 
        entity engaged in interstate commerce, that uses, accesses, 
        transmits, stores, disposes of, or collects sensitive 
        personally identifiable information that the agency or business 
        entity does not own or license shall notify the owner or 
        licensee of the information following the discovery of a 
        security breach involving such information.
            (2) Notice by owner, licensee or other designated third 
        party.--Nothing in this subtitle shall prevent or abrogate an 
        agreement between an agency or business entity required to give 
        notice under this section and a designated third party, 
        including an owner or licensee of the sensitive personally 
        identifiable information subject to the security breach, to 
        provide the notifications required under subsection (a).
            (3) Business entity relieved from giving notice.--A 
        business entity obligated to give notice under subsection (a) 
        shall be relieved of such obligation if an owner or licensee of 
        the sensitive personally identifiable information subject to 
        the security breach, or other designated third party, provides 
        such notification.
            (4) Service providers.--If a service provider becomes aware 
        of a security breach containing sensitive personally 
        identifiable information that is owned or possessed by another 
        business entity that connects to or uses a system or network 
        provided by the service provider for the purpose of 
        transmitting, routing, or providing intermediate or transient 
        storage of such data, the service provider shall be required to 
        notify the business entity who initiated such connection, 
        transmission, routing, or storage of the security breach if the 
        business entity can be reasonably identified. Upon receiving 
        such notification from a service provider, the business entity 
        shall be required to provide the notification required under 
        subsection (a).
    (c) Timeliness of Notification.--
            (1) In general.--All notifications required under this 
        section shall be made without unreasonable delay following the 
        discovery by the agency or business entity of a security 
        breach.
            (2) Reasonable delay.--Reasonable delay under this 
        subsection may include any time necessary to determine the 
        scope of the security breach, conduct the risk assessment 
        described in section 212(b)(1), and provide notice to law 
        enforcement when required.
            (3) Burden of production.--The agency, business entity, 
        owner, or licensee required to provide notice under this 
        subtitle shall, upon the request of the Attorney General, the 
        Federal Trade Commission, or the attorney general of a State or 
        any State or local law enforcement agency authorized by the 
        attorney general of the State or by State statute to prosecute 
        violations of consumer protection law, provide records or other 
        evidence of the notifications required under this subtitle, 
        including to the extent applicable, the reasons for any delay 
        of notification.
    (d) Delay of Notification Authorized for Law Enforcement or 
National Security Purposes.--
            (1) In general.--If a Federal law enforcement agency or 
        member of the intelligence community determines that the 
        notification required under this section would impede any 
        lawfully authorized criminal investigation or authorized 
        investigative, protective, or intelligence activities that are 
        carried out by or on behalf of any element of the intelligence 
        community and conducted in accordance with the United States 
        laws, authorities, and regulations governing such intelligence 
        activities, such notification shall be delayed upon written 
        notice from such Federal law enforcement agency or member of 
        the intelligence community to the agency or business entity 
        that experienced the breach. The notification shall specify in 
        writing the period of delay required.
            (2) Extended delay of notification.--If the notification 
        required under subsection (a) is delayed pursuant to paragraph 
        (1), an agency or business entity shall give notice 30 days 
        after the day such law enforcement delay was invoked unless a 
        Federal law enforcement or member of the intelligence community 
        provides written notification that further delay is necessary.
            (3) Law enforcement immunity.--No non-constitutional cause 
        of action shall lie in any court against an agency for acts 
        relating to the delay of notification for law enforcement or 
        intelligence purposes under this subtitle.

SEC. 212. EXEMPTIONS FROM NOTICE TO INDIVIDUALS.

    (a) Exemption for National Security and Law Enforcement.--
            (1) In general.--Section 211 shall not apply to an agency 
        or business entity if--
                    (A) the United States Secret Service or the Federal 
                Bureau of Investigation determines that notification of 
                the security breach could be expected to reveal 
                sensitive sources and methods or similarly impede the 
                ability of the Government to conduct law enforcement 
                investigations; or
                    (B) the Federal Bureau of Investigation determines 
                that notification of the security breach could be 
                expected to cause damage to national security.
            (2) Immunity.--No non-constitutional cause of action shall 
        lie in any court against any Federal agency for acts relating 
        to the exemption from notification under this subtitle.
    (b) Safe Harbor.--
            (1) In general.--An agency or business entity shall be 
        exempt from the notice requirements under section 211, if--
                    (A) a risk assessment conducted by the agency or 
                business entity, in consultation with the Federal Trade 
                Commission, concludes that there is no significant risk 
                that a security breach has resulted in, or will result 
                in harm to the individuals whose sensitive personally 
                identifiable information was subject to the security 
                breach; and
                    (B) the Federal Trade Commission or designated 
                entity does not indicate within 7 business days from 
                the receipt of written notification from an agency or 
                business entity pursuant to subsection 212(b)(2), that 
                the agency or business entity should not be exempt from 
                the notice requirements of section 211.
            (2) Risk assessment requirements.--
                    (A) Conducting a risk assessment.--Upon discovery 
                of a security breach of an agency or business entity, 
                the agency or business entity shall conduct a risk 
                assessment to determine if there is a significant risk 
                that the security breach resulted in, or will result 
                in, harm to the individuals whose sensitive personally 
                identifiable information was subject to the security 
                breach.
                            (i) Presumption of no significant risk.--It 
                        is presumed that there is no significant risk 
                        that the security breach has resulted in, or 
                        will result in, harm to the individuals whose 
                        sensitive personally identifiable data was 
                        subject to the security breach, if the 
                        sensitive personally identifiable information 
                        has been rendered unusable, unreadable, or 
                        indecipherable through a security technology or 
                        methodology (if the technology or methodology 
                        is generally accepted by experts in the 
                        information security field). Any such 
                        presumption may be rebutted by facts 
                        demonstrating that the security technologies or 
                        methodologies in a specific case, have been or 
                        are reasonably likely to be compromised.
                            (ii) Presumption of significant risk.--It 
                        is presumed that there is a significant risk 
                        that the security breach has resulted in, or 
                        will result in, harm to individuals whose 
                        sensitive personally identifiable information 
                        was subject to the security breach if the 
                        agency or business entity failed to render such 
                        sensitive personally identifiable information 
                        indecipherable through a security technology or 
                        methodology (if the technology or methodology 
                        is generally accepted by experts in the 
                        information security field).
                            (iii) Methodologies or technologies.--
                                    (I) Required rulemaking.--Not later 
                                than 1 year after the date of the 
                                enactment of this Act, and biannually 
                                thereafter, the Federal Trade 
                                Commission, after consultation with the 
                                National Institute of Standards and 
                                Technology, shall issue rules (pursuant 
                                to section 553 of title 5, United 
                                States Code) or guidance to identify 
                                security methodologies or technologies, 
                                such as encryption, which render 
                                sensitive personally identifiable 
                                information unusable, unreadable, or 
                                indecipherable, that shall, if applied 
                                to such sensitive personally 
                                identifiable information, establish a 
                                presumption that no significant risk of 
                                harm exists to individuals whose 
                                sensitive personally identifiable 
                                information was subject to a security 
                                breach. Any such presumption may be 
                                rebutted by facts demonstrating that 
                                any such methodology or technology in a 
                                specific case has been or is reasonably 
                                likely to be compromised.
                                    (II) Required consultation.--In 
                                issuing rules or guidance under 
                                subclause (II), the Commission shall 
                                also consult with relevant industries, 
                                consumer organizations, and data 
                                security and identity theft prevention 
                                experts and established standards 
                                setting bodies.
                            (iv) FTC guidance.--Not later than 1 year 
                        after the date of the enactment of this Act, 
                        the Federal Trade Commission, after 
                        consultation with the National Institute of 
                        Standards and Technology, shall issue guidance 
                        regarding the application of the exemption in 
                        clause (i).
                    (B) Written notification.--Without unreasonable 
                delay, but not later than 7 days after the discovery of 
                a security breach, unless extended by the United States 
                Secret Service or the Federal Bureau of Investigation, 
                the agency or business entity must notify the Federal 
                Trade Commission and designated entity, in writing, 
                of--
                            (i) the results of the risk assessment; and
                            (ii) its decision to invoke the risk 
                        assessment exemption.
                    (C) Violations.--It shall be a violation of this 
                section to--
                            (i) fail to conduct a risk assessment in a 
                        reasonable manner, or according to standards 
                        generally accepted by experts in the field of 
                        information security; or
                            (ii) submit results of a risk assessment 
                        that--
                                    (I) conceal violations of law, 
                                inefficiency, or administrative error;
                                    (II) prevent embarrassment to a 
                                business entity, organization, or 
                                agency;
                                    (III) restrain competition;
                                    (IV) contain fraudulent or 
                                deliberately misleading information; or
                                    (V) delay notification under 
                                section 211 for any other reason, 
                                except where the agency or business 
                                entity reasonably believes that the 
                                risk assessment exception may apply.
    (c) Financial Fraud Prevention Exemption.--
            (1) In general.--A business entity shall be exempt from the 
        notice requirements of this subtitle if the business entity 
        utilizes or participates in a security program that--
                    (A) effectively blocks the use of the sensitive 
                personally identifiable information to initiate 
                unauthorized financial transactions before they are 
                charged to the account of the individual; and
                    (B) provides for notice to affected individuals 
                after a security breach that has resulted in fraud or 
                unauthorized transactions.
            (2) Limitation.--Paragraph (1) shall not apply to a 
        business entity if the information subject to the security 
        breach includes an individual's first and last name, or any 
        other type of sensitive personally identifiable information, 
        other than a credit card or credit card security code 
        identified in section 3, unless that information is only a 
        credit card number or a credit card security code.
    (d) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to the following--
            (1) Financial institutions.--A financial institution 
        subject to the data security requirements and standards under 
        501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), 
        and subject to the jurisdiction of an agency or authority 
        described in section 505(a) of the Gramm-Leach-Bliley Act (15 
        U.S.C. 6805(a)), if the Federal functional regulator (as 
        defined by section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 
        6809)) with jurisdiction over that financial institution has 
        issued a regulation under title V of the Gramm-Leach-Bliley Act 
        (15 U.S.C. 6801 et seq.) that requires financial institutions 
        within its jurisdiction to provide notification to individuals 
        following a breach of security.
            (2) HIPAA regulated entities exemption.--
                    (A) In general.--A business entity shall be exempt 
                from the notice requirement under section 211 if the 
                business entity is one of the following:
                            (i) Covered entities.--A business entity 
                        subject to the Health Insurance Portability and 
                        Accountability Act of 1996 (42 U.S.C. 1301 et 
                        seq.), including the data breach notification 
                        requirements and implementing regulations of 
                        that Act.
                            (ii) Business entities.--A business entity 
                        that--
                                    (I) is acting as a business 
                                associate, as that term is defined 
                                under the Health Insurance Portability 
                                and Accountability Act of 1996 (42 
                                U.S.C. 1301 et seq.) and is in 
                                compliance with the requirements 
                                imposed under that Act and implementing 
                                regulations promulgated under that Act; 
                                and
                                    (II) is subject to, and currently 
                                in compliance with, the data breach 
                                notification requirements under section 
                                13402 or 13407 of the American 
                                Reinvestment and Recovery Act of 2009 
                                (42 U.S.C. 17932 and 17937) and 
                                implementing regulations promulgated 
                                under such sections.
                    (B) Limitation.--Paragraph (1) shall not apply to a 
                business entity if the information subject to the 
                security breach includes an individual's first and last 
                name, or any other type of sensitive personally 
                identifiable information other than a health insurance 
                policy or subscriber identification number or 
                information regarding an individual's medical history, 
                mental or physical medical condition, or medical 
                treatment or diagnosis by a health care professional as 
                identified in section 3 unless that information is only 
                a health insurance policy or subscriber identification 
                number or information regarding an individual's medical 
                history, mental or physical medical condition, or 
                medical treatment or diagnosis by a health care 
                professional.

SEC. 213. METHODS OF NOTICE TO INDIVIDUALS.

    To comply with section 211, an agency or business entity shall 
provide the following forms of notice:
            (1) Individual written notice.--Written notice to 
        individuals by 1 of the following means:
                    (A) Individual written notification to the last 
                known home mailing address of the individual in the 
                records of the agency or business entity.
                    (B) E-mail notice, unless the individual has 
                expressly opted not to receive such notices of security 
                breaches or the notice is inconsistent with the 
                provisions permitting electronic transmission of 
                notices under section 101 of the Electronic Signatures 
                in Global and National Commerce Act (15 U.S.C. 7001).
            (2) Telephone notice.--Telephone notice to the individual 
        personally.
            (3) Public notice.--
                    (A) Electronic notice.--Prominent notice via all 
                reasonable means of electronic contact between the 
                individual and the agency or business entity, including 
                any website, networked devices, or other interface 
                through which the agency or business entity regularly 
                interacts with the consumer, if the number of 
                individuals whose sensitive personally identifiable 
                information was or is reasonably believed to have been 
                accessed or acquired by an unauthorized person exceeds 
                5,000.
                    (B) Media notice.--Notice to major media outlets 
                serving a State or jurisdiction, if the number of 
                residents of such State whose sensitive personally 
                identifiable information was, or is reasonably believed 
                to have been, accessed or acquired by an unauthorized 
                person exceeds 5,000.

SEC. 214. CONTENT OF NOTICE TO INDIVIDUALS.

    (a) In General.--Regardless of the method by which individual 
notice is provided to individuals under section 213(1), such notice 
shall include--
            (1) a description of the categories of sensitive personally 
        identifiable information that was, or is reasonably believed to 
        have been, accessed or acquired by an unauthorized person, and 
        how the agency or business entity came into possession of the 
        sensitive personally identifiable information at issue;
            (2) a toll-free number--
                    (A) that the individual may use to contact the 
                agency or business entity, or the agent of the agency 
                or business entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                agency or business entity maintained about that 
                individual;
            (3) the toll-free contact telephone numbers, websites, and 
        addresses for the major credit reporting agencies;
            (4) the telephone numbers and websites for the relevant 
        Federal agencies that provide information regarding identity 
        theft prevention and protection;
            (5) notice that the individual is entitled to receive, at 
        no cost to such individual, consumer credit reports on a 
        quarterly basis for a period of 2 years, credit monitoring or 
        any other service that enables consumers to detect the misuse 
        of sensitive personally identifiable information for a period 
        of 2 years, and instructions to the individual on requesting 
        such reports or service from the agency or business entity;
            (6) notice that the individual is entitled to receive a 
        security freeze and that the agency or business entity will be 
        liable for any costs associated with the security freeze for 2 
        years and the necessary instructions for requesting a security 
        freeze; and
            (7) notice that any costs or damages incurred by an 
        individual as a result of a security breach will be paid by the 
        business entity or agency that experienced the security breach.
    (b) Telephone Notice.--Telephone notice described in section 213(2) 
shall include, to the extent possible--
            (1) notification that a security breach has occurred and 
        that the individual's sensitive personally identifiable 
        information may have been compromised;
            (2) a description of the categories of sensitive personally 
        identifiable information that were, or are reasonably believed 
        to have been, accessed or acquired by an unauthorized person;
            (3) a toll-free number and website--
                    (A) that the individual may use to contact the 
                agency or business entity, or the authorized agent of 
                the agency or business entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                agency or business entity maintained about that 
                individual and remedies available to that individual; 
                and
            (4) an alert to the individual that the agency or business 
        entity is sending or has sent written notification containing 
        additional information as required under section 213(1)(A).
    (c) Public Notice.--Public notice described in section 213(3) shall 
include--
            (1) electronic notice, which includes--
                    (A) notification that a security breach has 
                occurred and that the individual's sensitive personally 
                identifiable information may have been compromised;
                    (B) a description of the categories of sensitive 
                personally identifiable information that were, or are 
                reasonably believed to have been, accessed or acquired 
                by an unauthorized person; and
                    (C) a toll-free number and website--
                            (i) that the individual may use to contact 
                        the agency or business entity, or the 
                        authorized agent of the agency or business 
                        entity; and
                            (ii) from which the individual may learn 
                        what types of sensitive personally identifiable 
                        information the agency or business entity 
                        maintained about that individual and remedies 
                        available to that individual;
            (2) media notice, which includes--
                    (A) a description of the categories of sensitive 
                personally identifiable information that was, or is 
                reasonably believed to have been, accessed or acquired 
                by an unauthorized person;
                    (B) a toll-free number--
                            (i) that the individual may use to contact 
                        the agency or business entity, or the 
                        authorized agent of the agency or business 
                        entity; and
                            (ii) from which the individual may learn 
                        what types of sensitive personally identifiable 
                        information the agency or business entity 
                        maintained about that individual and remedies 
                        available to that individual;
                    (C) the toll-free contact telephone numbers, 
                websites, and addresses for the major credit reporting 
                agencies;
                    (D) the telephone numbers and websites for the 
                relevant Federal agencies that provide information 
                regarding identity theft prevention and protection;
                    (E) notice that the affected individuals are 
                entitled to receive, at no cost to such individuals, 
                consumer credit reports on a quarterly basis for a 
                period of 2 years, credit monitoring, or any other 
                service that enables consumers to detect the misuse of 
                sensitive personally identifiable information for a 
                period of 2 years;
                    (F) notice that the individual is entitled to 
                receive a security freeze and that the agency or 
                business entity will be liable for any costs associated 
                with the security freeze for 2 years; and
                    (G) notice that the individual is entitled to 
                receive compensation from the business entity or agency 
                for any costs or damages incurred by the individual 
                resulting from the security breach.
    (d) Additional Content.--Notwithstanding section 221, a State may 
require that a notice under subsection (a) shall also include 
information regarding victim protection assistance provided for by that 
State.
    (e) Direct Business Relationship.--Regardless of whether a business 
entity, agency, or a designated third party provides the notice 
required pursuant to section 211(b), such notice shall include the name 
of the business entity or agency that has a direct relationship with 
the individual being notified.

SEC. 215. REMEDIES FOR SECURITY BREACH.

    (a) Credit Reports and Credit Monitoring.--An agency or business 
entity required to provide notification under this subtitle shall, upon 
request of an individual whose sensitive personally identifiable 
information was included in the security breach, provide or arrange for 
the provision of, to each such individual and at no cost to such 
individual--
            (1) consumer credit reports from not fewer than 1 of the 
        major credit reporting agencies beginning not later than 60 
        days following the request of the individual and continuing on 
        a quarterly basis for a period of 2 years thereafter; and
            (2) a credit monitoring or other service that enables 
        consumers to detect the misuse of their personal information, 
        beginning not later than 60 days following the request of the 
        individual and continuing for a period of 2 years.
    (b) Security Freeze.--
            (1) Request.--Any consumer may submit a written request, by 
        certified mail or such other secure method as authorized by a 
        credit rating agency, to a credit rating agency to place a 
        security freeze on the credit report of the consumer.
            (2) Implementation of security freeze.--Upon receipt of a 
        written request under paragraph (1), a credit rating agency 
        shall--
                    (A) not later than 5 business days after receipt of 
                the request, place a security freeze on the credit 
                report of the consumer; and
                    (B) not later than 10 business days after placing a 
                security freeze, send a written confirmation of such 
                security freeze to the consumer, which shall provide 
                the consumer with a unique personal identification 
                number or password to be used by the consumer when 
                providing authorization for the release of the credit 
                report of the consumer to a third party or for a 
                specified period of time.
            (3) Duration of security freeze.--Except as provided in 
        paragraph (4), any security freeze authorized pursuant to the 
        provisions of this section shall remain in effect until the 
        consumer requests the security freeze to be removed.
            (4) Disclosure of credit report to third party.--
                    (A) In general.--If a consumer that has requested a 
                security freeze under this subsection wishes to 
                authorize the disclosure of the credit report of the 
                consumer to a third party, or for a specified period of 
                time, while such security freeze is in effect, the 
                consumer shall contact the credit rating agency and 
                provide--
                            (i) proper identification;
                            (ii) the unique personal identification 
                        number or password described in paragraph 
                        (2)(B); and
                            (iii) proper information regarding the 
                        third party who is to receive the credit report 
                        or the time period for which the credit report 
                        shall be available.
                    (B) Requirement.--Not later than 3 business days 
                after receipt of a request under subparagraph (A), a 
                credit rating agency shall lift the security freeze.
            (5) Procedures.--
                    (A) In general.--A credit rating agency shall 
                develop procedures to receive and process requests from 
                consumers under paragraph (2) of this section.
                    (B) Requirement.--Procedures developed under 
                subparagraph (A), at a minimum, shall include the 
                ability of a consumer to send such temporary lift or 
                removal request by electronic mail, letter, telephone, 
                or facsimile.
            (6) Requests by third party.--If a third party requests 
        access to a credit report of a consumer that has been frozen 
        under this subsection and the consumer has not authorized the 
        disclosure of the credit report of the consumer to the third 
        party, the third party may deem such credit application as 
        incomplete.
            (7) Determination by credit rating agency.--
                    (A) In general.--A credit rating agency may refuse 
                to implement or may remove a security freeze under this 
                subsection if the agency determines, in good faith, 
                that--
                            (i) the request for a security freeze was 
                        made as part of a fraud that the consumer 
                        participated in, had knowledge of, or that can 
                        be demonstrated by circumstantial evidence; or
                            (ii) the consumer credit report was frozen 
                        due to a material misrepresentation of fact by 
                        the consumer.
                    (B) Notice.--If a credit rating agency makes a 
                determination under subparagraph (A) to not implement, 
                or to remove, a security freeze under this subsection, 
                the credit rating agency shall notify the consumer in 
                writing of such determination--
                            (i) in the case of a determination not to 
                        implement a security freeze, not later than 5 
                        business days after the determination is made; 
                        and
                            (ii) in the case of a removal of a security 
                        freeze, prior to removing the freeze on the 
                        credit report of the consumer.
            (8) Rule of construction.--Nothing in this section shall be 
        construed to prohibit disclosure of a credit report of a 
        consumer to--
                    (A) a person, or the person's subsidiary, 
                affiliate, agent or assignee with which the consumer 
                has or, prior to assignment, had an account, contract 
                or debtor-creditor relationship for the purpose of 
                reviewing the account or collecting the financial 
                obligation owing for the account, contract or debt;
                    (B) a subsidiary, affiliate, agent, assignee or 
                prospective assignee of a person to whom access has 
                been granted under paragraph (4) for the purpose of 
                facilitating the extension of credit or other 
                permissible use;
                    (C) any person acting pursuant to a court order, 
                warrant or subpoena;
                    (D) any person for the purpose of using such credit 
                information to prescreen as provided by the Fair Credit 
                Reporting Act (15 U.S.C. 1681 et seq.);
                    (E) any person for the sole purpose of providing a 
                credit file monitoring subscription service to which 
                the consumer has subscribed;
                    (F) a credit rating agency for the sole purpose of 
                providing a consumer with a copy of the credit report 
                of the consumer upon the request of the consumer; or
                    (G) a Federal, State or local governmental entity, 
                including a law enforcement agency, or court, or their 
                agents or assignees pursuant to their statutory or 
                regulatory duties. For purposes of this subsection, 
                ``reviewing the account'' includes activities related 
                to account maintenance, monitoring, credit line 
                increases and account upgrades and enhancements; and
                    (H) any person for the sole purpose of providing a 
                remedy requested by an individual under this section.
            (9) Exceptions.--The following persons shall not be 
        required to place a security freeze under this subsection, but 
        shall be subject to any security freeze placed on a credit 
        report by another credit rating agency:
                    (A) A check services or fraud prevention services 
                company that reports on incidents of fraud or issues 
                authorizations for the purpose of approving or 
                processing negotiable instruments, electronic fund 
                transfers or similar methods of payment.
                    (B) A deposit account information service company 
                that issues reports regarding account closures due to 
                fraud, substantial overdrafts, automated teller machine 
                abuse, or similar information regarding a consumer to 
                inquiring banks or other financial institutions for use 
                only in reviewing a consumer request for a deposit 
                account at the inquiring bank or financial institution.
                    (C) A credit rating agency that--
                            (i) acts only to resell credit information 
                        by assembling and merging information contained 
                        in a database of 1 or more credit reporting 
                        agencies; and
                            (ii) does not maintain a permanent database 
                        of credit information from which new credit 
                        reports are produced.
            (10) Fees.--
                    (A) In general.--A credit rating agency may charge 
                reasonable fees for each security freeze, removal of 
                such freeze or temporary lift of such freeze for a 
                period of time, and a temporary lift of such freeze for 
                a specific party.
                    (B) Requirement.--Any fees charged under 
                subparagraph (A) shall be borne by the agency or 
                business entity providing notice under section 214 for 
                2 years following the establishment of the security 
                freeze under this subsection.
    (c) Costs Resulting From a Security Breach.--
            (1) In general.--A business entity or agency that 
        experiences a security breach and is required to provide notice 
        under this subtitle shall pay, upon request, to any individual 
        whose sensitive personally identifiable information has been, 
        or is reasonably believed to have been, accessed or acquired as 
        a result of such security breach, any costs or damages incurred 
        by the individual as a result of such security breach, 
        including costs associated with identity theft suffered as a 
        result of such security breach.
            (2) Compliance.--A business entity or agency shall be 
        deemed in compliance with this subsection if the business 
        entity or agency--
                    (A) provides insurance to any individual whose 
                sensitive personally identifiable information has been, 
                or is reasonably believed to have been, accessed or 
                acquired as a result of a security breach and such 
                insurance is sufficient to compensate the consumer for 
                not less than $25,000 of costs or damages; or
                    (B) pays, without unreasonable delay, any actual 
                costs or damages incurred by an individual as a result 
                of the security breach.

SEC. 216. NOTICE TO CREDIT REPORTING AGENCIES.

    If an agency or business entity is required to provide notification 
to more than 5,000 individuals under section 211(a), the agency or 
business entity shall also notify all consumer reporting agencies that 
compile and maintain files on consumers on a nationwide basis (as 
defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 
1681a(p))) of the timing and distribution of the notices. Such notice 
shall be given to the consumer credit reporting agencies without 
unreasonable delay and, if it will not delay notice to the affected 
individuals, prior to the distribution of notices to the affected 
individuals.

SEC. 217. NOTICE TO LAW ENFORCEMENT.

    (a) Designation of a Government Entity to Receive Notice.--
            (1) In general.--Not later than 60 days after the date of 
        enactment of this Act, the Secretary of Homeland Security, in 
        consultation with the Attorney General, shall designate a 
        Federal Government entity to receive the information required 
        to be submitted under this subtitle, and any other reports and 
        information about information security incidents, threats, and 
        vulnerabilities.
            (2) Responsibilities of the designated entity.--The 
        designated entity shall--
                    (A) be responsible for promptly providing the 
                information it receives to the United States Secret 
                Service and the Federal Bureau of Investigation, and to 
                the Federal Trade Commission for civil law enforcement 
                purposes; and
                    (B) provide the information described in 
                subparagraph (A) as appropriate to other Federal 
                agencies for law enforcement, national security, or 
                data security purposes.
    (b) Notice.--Any business entity or agency shall notify the 
designated entity of the fact that a security breach has occurred if--
            (1) the number of individuals whose sensitive personally 
        identifiable information was, or is reasonably believed to have 
        been, accessed or acquired by an unauthorized person exceeds 
        5,000;
            (2) the security breach involves a database, networked or 
        integrated databases, or other data system containing the 
        sensitive personally identifiable information of more than 
        500,000 individuals nationwide;
            (3) the security breach involves databases owned by the 
        Federal Government; or
            (4) the security breach involves primarily sensitive 
        personally identifiable information of individuals known to the 
        agency or business entity to be employees and contractors of 
        the Federal Government involved in national security or law 
        enforcement.
    (c) FTC Review of Thresholds.--
            (1) Review.--Not later than 1 year after the date of 
        enactment of this Act, the Federal Trade Commission, in 
        consultation with the Attorney General and the Secretary of 
        Homeland Security, shall promulgate regulations regarding the 
        reports required under subsection (a).
            (2) Rulemaking.--The Federal Trade Commission, in 
        consultation with the Attorney General and the Secretary of 
        Homeland Security, after notice and the opportunity for public 
        comment, and in a manner consistent with this section, shall 
        promulgate regulations, as necessary, under section 553 of 
        title 5, United States Code, to adjust the thresholds for 
        notice to law enforcement and national security authorities 
        under subsection (a) and to facilitate the purposes of this 
        section.
    (d) Timing of Notices.--The notices required under this section 
shall be delivered as follows:
            (1) Notice under subsection (a) shall be delivered as 
        promptly as possible, but not later than 10 days after 
        discovery of the security breach.
            (2) Notice under section 211 shall be delivered to 
        individuals not later than 48 hours after the Federal Bureau of 
        Investigation or the Secret Service receives notice of a 
        security breach from an agency or business entity.

SEC. 218. FEDERAL ENFORCEMENT.

    (a) Civil Actions by the Attorney General.--
            (1) In general.--The Attorney General may bring a civil 
        action in the appropriate United States district court against 
        any business entity that engages in conduct constituting a 
        violation of this subtitle and, upon proof of such conduct by a 
        preponderance of the evidence, such business entity shall be 
        subject to a civil penalty of not more than $500 per day per 
        individual whose sensitive personally identifiable information 
        was, or is reasonably believed to have been, accessed or 
        acquired by an unauthorized person, up to a maximum of 
        $20,000,000 per violation, unless such conduct is found to be 
        willful or intentional.
            (2) Presumption.--A violation of section 212(b)(2)(C) shall 
        be presumed to be willful or intentional conduct.
    (b) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a business entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (c) Civil Actions by the Federal Trade Commission.--
            (1) In general.--Compliance with the requirements imposed 
        under this subtitle may be enforced under the Federal Trade 
        Commission Act (15 U.S.C. 41 et seq.) by the Federal Trade 
        Commission with respect to business entities subject to this 
        Act. All of the functions and powers of the Federal Trade 
        Commission under the Federal Trade Commission Act are available 
        to the Commission to enforce compliance by any person with the 
        requirements imposed under this title.
            (2) Unfair or deceptive acts or practices.--For the purpose 
        of the exercise by the Federal Trade Commission of its 
        functions and powers under the Federal Trade Commission Act, a 
        violation of any requirement or prohibition imposed under this 
        title shall constitute an unfair or deceptive act or practice 
        in commerce in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices 
        and shall be subject to enforcement by the Federal Trade 
        Commission under that Act with respect to any business entity, 
        irrespective of whether that business entity is engaged in 
        commerce or meets any other jurisdictional tests in the Federal 
        Trade Commission.
    (d) Considerations.--In determining the amount of a civil penalty 
under this subsection, the court shall take into account--
            (1) the degree of culpability of the business entity;
            (2) any prior violations of this subtitle by the business 
        entity;
            (3) the ability of the business entity to pay a civil 
        penalty;
            (4) the effect on the ability of the business entity to 
        continue to do business;
            (5) the number of individuals whose sensitive personally 
        identifiable information was compromised by the breach;
            (6) the relative cost of compliance with this subtitle; and
            (7) such other matters as justice may require.
    (e) Coordination of Enforcement.--
            (1) In general.--Before opening an investigation, the 
        Federal Trade Commission shall consult with the Attorney 
        General.
            (2) Limitation.--The Federal Trade Commission may initiate 
        investigations under this subsection unless the Attorney 
        General determines that such an investigation would impede an 
        ongoing criminal investigation or national security activity.
            (3) Coordination agreement.--
                    (A) In general.--In order to avoid conflicts and 
                promote consistency regarding the enforcement and 
                litigation of matters under this Act, not later than 
                180 days after the enactment of this Act, the Attorney 
                General and the Commission shall enter into an 
                agreement for coordination regarding the enforcement of 
                this Act.
                    (B) Requirement.--The coordination agreement 
                entered into under subparagraph (A) shall include 
                provisions to ensure that parallel investigations and 
                proceedings under this section are conducted in a 
                manner that avoids conflicts and does not impede the 
                ability of the Attorney General to prosecute violations 
                of Federal criminal laws.
            (4) Coordination with the fcc.--If an enforcement action 
        under this Act relates to customer proprietary network 
        information, the Federal Trade Commission shall coordinate the 
        enforcement action with the Federal Communications Commission.
    (f) Rulemaking.--The Federal Trade Commission may, in consultation 
with the Attorney General, issue such other regulations as it 
determines to be necessary to carry out this subtitle. All regulations 
promulgated under this Act shall be issued in accordance with section 
553 of title 5, United States Code. Where regulations relate to 
customer proprietary network information, the promulgation of such 
regulations will be coordinated with the Federal Communications 
Commission.
    (g) Other Rights and Remedies.--The rights and remedies available 
under this subtitle are cumulative and shall not affect any other 
rights and remedies available under law.
    (h) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting 
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence 
that the consumer has received notice that the consumer's financial 
information has or may have been compromised,'' after ``identity theft 
report''.

SEC. 219. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--
                    (A) In general.--In any case in which the attorney 
                general of a State or any State or local law 
                enforcement agency authorized by the State attorney 
                general or by State statute to prosecute violations of 
                consumer protection law, has reason to believe that an 
                interest of the residents of that State has been or is 
                threatened or adversely affected by the engagement of a 
                business entity in a practice that is prohibited under 
                this subtitle, the State or the State or local law 
                enforcement agency on behalf of the residents of the 
                agency's jurisdiction, may bring a civil action on 
                behalf of the residents of the State or jurisdiction in 
                a district court of the United States of appropriate 
                jurisdiction or any other court of competent 
                jurisdiction, including a State court, to--
                            (i) enjoin that practice;
                            (ii) enforce compliance with this subtitle; 
                        or
                            (iii) obtain civil penalties of not more 
                        than $500 per day per individual whose 
                        sensitive personally identifiable information 
                        was, or is reasonably believed to have been, 
                        accessed or acquired by an unauthorized person, 
                        up to a maximum of $20,000,000 per violation, 
                        unless such conduct is found to be willful or 
                        intentional.
                    (B) Presumption.--A violation of section 
                212(b)(2)(C) shall be presumed to be willful or 
                intentional.
            (2) Considerations.--In determining the amount of a civil 
        penalty under this subsection, the court shall take into 
        account--
                    (A) the degree of culpability of the business 
                entity;
                    (B) any prior violations of this subtitle by the 
                business entity;
                    (C) the ability of the business entity to pay a 
                civil penalty;
                    (D) the effect on the ability of the business 
                entity to continue to do business;
                    (E) the number of individuals whose sensitive 
                personally identifiable information was compromised by 
                the breach;
                    (F) the relative cost of compliance with this 
                subtitle; and
                    (G) such other matters as justice may require.
            (3) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subtitle, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(2), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action;
            (2) initiate an action in the appropriate United States 
        district court under section 218 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(2); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General has instituted a 
proceeding or action for a violation of this subtitle or any 
regulations thereunder, no attorney general of a State may, during the 
pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle regarding notification shall 
be construed to prevent an attorney general of a State from exercising 
the powers conferred on such attorney general by the laws of that State 
to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 220. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.

    (a) In General.--Any person aggrieved by a violation of the 
provisions of section 211, 213, 214, 215, or 216 by a business entity 
may bring a civil action in a court of appropriate jurisdiction to 
recover for personal injuries sustained as a result of the violation.
    (b) Authority to Bring Civil Action; Jurisdiction.--As provided in 
subsection (c), an individual may commence a civil action on his own 
behalf against any business entity that is alleged to have violated the 
provisions of this subtitle.
    (c) Remedies in a Citizen Suit.--
            (1) Damages.--Any individual harmed by a failure of a 
        business entity to comply with the provisions of section 211, 
        213, 214, 215, or 216, shall be able to collect damages of not 
        more than $500 per day per individual whose sensitive 
        personally identifiable information was, or is reasonably 
        believed to have been, accessed or acquired by an unauthorized 
        person, up to a maximum of $20,000,000 per violation.
            (2) Punitive damages.--A business entity may be liable for 
        punitive damages if it--
                    (A) intentionally or willfully violates the 
                provisions of section 211, 213, 214, 215, or 216; or
                    (B) failed to comply with the requirements of 
                subsections (a) through (d) of section 202.
            (3) Equitable relief.--A business entity that violates the 
        provisions of section 211, 213, 214, 215, or 216 may be 
        enjoined to provide required remedies under section 215 by a 
        court of competent jurisdiction.
    (d) Other Rights and Remedies.--The rights and remedies available 
under this subsection are cumulative and shall not affect any other 
rights and remedies available under law.
    (e) Nonenforceability of Certain Provisions Waiving Rights and 
Remedies or Requiring Arbitration of Disputes.--
            (1) Waiver of rights and remedies.--The rights and remedies 
        provided for in this section may not be waived by any 
        agreement, policy form, or condition of employment, including by 
        a predispute arbitration agreement.
            (2) Predispute arbitration agreements.--No predispute 
        arbitration agreement shall be valid or enforceable, if the 
        agreement requires arbitration of a dispute arising under this 
        section.
    (f) Considerations.--In determining the amount of a civil penalty 
under this subsection, the court shall take into account--
            (1) the degree of culpability of the business entity;
            (2) any prior violations of this subtitle by the business 
        entity;
            (3) the ability of the business entity to pay a civil 
        penalty;
            (4) the effect on the ability of the business entity to 
        continue to do business;
            (5) the number of individuals whose sensitive personally 
        identifiable information was compromised by the breach;
            (6) the relative cost of compliance with this subtitle; and
            (7) such other matters as justice may require.

SEC. 221. RELATION TO OTHER LAWS.

    (a) In General.--The provisions of this subtitle shall supersede 
any other provision of Federal law or any provision of law of any State 
relating to notification by a business entity engaged in interstate 
commerce or an agency of a security breach, except as provided in this 
subsection.
    (b) Limitations.--
            (1) State common law.--Nothing in this subtitle shall be 
        construed to exempt any entity from liability under common law, 
        including through the operation of ordinary preemption 
        principles, and including liability through state trespass, 
        contract, or tort law, for damages caused by the failure to 
        notify an individual following a security breach.
            (2) Gramm-Leach-Bliley Act.--Nothing in this Act shall 
        supersede the data security requirements of the Gramm-Leach-
        Bliley Act (15 U.S.C. 6801 et seq.), or implementing 
        regulations based on that Act.
            (3) Health privacy.--
                    (A) To the extent that a business entity acts as a 
                covered entity or a business associate under the Health 
                Information Technology for Economic and Clinical Health 
                Act (42 U.S.C. 17932), and has the obligation to 
                provide breach notification under that Act or its 
                implementing regulations, the requirements of this Act 
                shall not apply.
                    (B) To the extent that a business entity acts as a 
                vendor of personal health records, a third party 
                service provider, or other entity subject to the Health 
                Information Technology for Economic and Clinical 
                Health Act (42 U.S.C. 17937), and has the obligation to 
                provide breach notification under that Act or its 
                implementing regulations, the requirements of this Act 
                shall not apply.

SEC. 222. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated such sums as may be 
necessary to cover the costs incurred by the United States Secret 
Service to carry out investigations and risk assessments of security 
breaches as required under this subtitle.

SEC. 223. REPORTING ON RISK ASSESSMENT EXEMPTIONS.

    The United States Secret Service and the Federal Bureau of 
Investigation shall report to Congress not later than 18 months after 
the date of enactment of this Act, and upon the request by Congress 
thereafter, on--
            (1) the number and nature of the security breaches 
        described in the notices filed by those business entities 
        invoking the risk assessment exemption under section 212(b) and 
        the response of the United States Secret Service and the 
        Federal Bureau of Investigation to such notices; and
            (2) the number and nature of security breaches subject to 
        the national security and law enforcement exemptions under 
        section 212(a), provided that such report may not disclose the 
        contents of any risk assessment provided to the United States 
        Secret Service and the Federal Bureau of Investigation pursuant 
        to this subtitle.

      Subtitle C--Post-Breach Technical Information Clearinghouse

SEC. 230. CLEARINGHOUSE INFORMATION COLLECTION, MAINTENANCE, AND 
              ACCESS.

    (a) In General.--The designated entity shall maintain a 
clearinghouse of technical information concerning system 
vulnerabilities identified in the wake of security breaches, which 
shall--
            (1) contain information disclosed by agencies or business 
        entities under subsection (b); and
            (2) be accessible to certified entities under subsection 
        (c).
    (b) Post-breach Technical Notification.--In any instance where an 
agency or business entity is required to notify the designated entity 
under section 217, the agency or business entity shall also provide the 
designated entity with technical information concerning the nature of 
the security breach, including--
            (1) technical information regarding any system 
        vulnerabilities of the agency or business entity revealed by or 
        identified as a consequence of the security breach;
            (2) technical information regarding any system 
        vulnerabilities of the agency or business entity actually 
        exploited during the security breach; and
            (3) any other technical information concerning the nature 
        of the security breach deemed appropriate for collection by the 
        designated entity in furtherance of this subtitle.
    (c) Access to Clearinghouse.--Any entity certified under subsection 
(d) may review information maintained by the technical information 
clearinghouse for the purpose of preventing security breaches that 
threaten the security of sensitive personally identifiable information.
    (d) Certification for Access.--The designated entity shall issue 
and revoke certifications to agencies and business entities wishing to 
review information maintained by the technical information 
clearinghouse and shall establish conditions for obtaining and 
maintaining such certifications, including agreement that any 
information obtained directly or derived indirectly from the review of 
information maintained by the technical information clearinghouse--
            (1) shall only be used to improve the security and reduce 
        the vulnerability of networks that collect, access, transmit, 
        use, store, or dispose of sensitive personally identifiable 
        information;
            (2) may not be used for any competitive commercial purpose; 
        and
            (3) may not be shared with any third party, including other 
        parties certified for access to the information clearinghouse, 
        without the express written consent of the designated entity.
    (e) Rulemaking.--In consultation with the private sector, 
appropriate representatives of State and local governments, and other 
appropriate Federal agencies, the designated entity may issue such 
regulations as it determines to be necessary to carry out this 
subtitle. All regulations promulgated under this Act shall be issued in 
accordance with section 553 of title 5, United States Code.

SEC. 231. PROTECTIONS FOR CLEARINGHOUSE PARTICIPANTS.

    (a) Protection of Proprietary Information.--To the extent feasible, 
the designated entity shall ensure that any technical information 
disclosed to the designated entity under this subtitle shall be stored 
in a format designed to protect proprietary business information from 
inadvertent disclosure.
    (b) Anonymous Data Release.--To the extent feasible, the designated 
entity shall ensure that all information stored in the technical 
information clearinghouse and accessed by certified parties is 
presented in a form that minimizes the potential for such information 
to be traced to a particular network, company, or security breach 
incident.
    (c) Protection From Public Disclosure.--Except as otherwise 
provided in this subtitle--
            (1) security and vulnerability information collected under 
        this section and provided to the Federal Government, including 
        aggregated analysis and data, shall be exempt from disclosure 
        under section 552(b)(3) of title 5, United States Code; and
            (2) under section 230(e), security and vulnerability-
        related information provided to the Federal Government under 
        this section, including aggregated analysis and data, shall be 
        protected from public disclosure, except that this paragraph--
                    (A) does not prohibit the sharing of such 
                information, as the designated entity determines to be 
                appropriate, in order to mitigate cybersecurity threats 
                or further the official functions of a government 
                agency; and
                    (B) does not authorize such information to be 
                withheld from a committee of Congress authorized to 
                request the information.
    (d) Protection of Classified Information.--Nothing in this subtitle 
permits the unauthorized disclosure of classified information.

SEC. 232. EFFECTIVE DATE.

    This subtitle shall take effect on the expiration of the date which 
is 90 days after the date of enactment of this Act.

            TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA

SEC. 301. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.

    (a) In General.--In considering contract awards totaling more than 
$500,000 and entered into after the date of enactment of this Act with 
data brokers, the Administrator of the General Services Administration 
shall evaluate--
            (1) the data privacy and security program of a data broker 
        to ensure the privacy and security of data containing sensitive 
        personally identifiable information, including whether such 
        program adequately addresses privacy and security threats 
        created by malicious software or code, or the use of peer-to-
        peer file sharing software;
            (2) the compliance of a data broker with such program;
            (3) the extent to which the databases and systems 
        containing sensitive personally identifiable information of a 
        data broker have been compromised by security breaches; and
            (4) the response by a data broker to such breaches, 
        including the efforts by such data broker to mitigate the 
        impact of such security breaches.
    (b) Compliance Safe Harbor.--The data privacy and security program 
of a data broker shall be deemed sufficient for the purposes of 
subsection (a), if the data broker complies with or provides protection 
equal to industry standards, as identified by the Federal Trade 
Commission, that are applicable to the type of sensitive personally 
identifiable information involved in the ordinary course of business of 
such data broker.
    (c) Penalties.--In awarding contracts with data brokers for 
products or services related to access, use, compilation, distribution, 
processing, analyzing, or evaluating sensitive personally identifiable 
information, the Administrator of the General Services Administration 
shall--
            (1) include monetary or other penalties--
                    (A) for failure to comply with subtitles A and B of 
                title II; or
                    (B) if a contractor knows or has reason to know 
                that the sensitive personally identifiable information 
                being provided is inaccurate, and provides such 
                inaccurate information; and
            (2) require a data broker that engages service providers 
        not subject to subtitle A of title II for responsibilities 
        related to sensitive personally identifiable information to--
                    (A) exercise appropriate due diligence in selecting 
                those service providers for responsibilities related to 
                sensitive personally identifiable information;
                    (B) take reasonable steps to select and retain 
                service providers that are capable of maintaining 
                appropriate safeguards for the security, privacy, and 
                integrity of the sensitive personally identifiable 
                information at issue; and
                    (C) require such service providers, by contract, to 
                implement and maintain appropriate measures designed to 
                meet the objectives and requirements in title II.
    (d) Limitation.--The penalties under subsection (c) shall not apply 
to a data broker providing information that is accurately and 
completely recorded from a public record source or licensor.

SEC. 302. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF 
              CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.

    Section 3544(b) of title 44, United States Code, is amended--
            (1) in paragraph (7)(C)(iii), by striking ``and'' after the 
        semicolon;
            (2) in paragraph (8), by striking the period and inserting 
        ``; and''; and
            (3) by adding at the end the following:
            ``(9) procedures for evaluating and auditing the 
        information security practices of contractors or third party 
        business entities supporting the information systems or 
        operations of the agency involving sensitive personally 
        identifiable information (as that term is defined in section 3 
        of the Personal Data Protection and Breach Accountability Act 
        of 2011) and ensuring remedial action to address any 
        significant deficiencies.''.

SEC. 303. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL 
              INFORMATION SERVICES CONTAINING SENSITIVE PERSONALLY 
              IDENTIFIABLE INFORMATION.

    (a) In General.--Section 208(b)(1) of the E-Government Act of 2002 
(44 U.S.C. 3501 note) is amended--
            (1) in subparagraph (A)(i), by striking ``or'';
            (2) in subparagraph (A)(ii), by striking the period and 
        inserting ``; or''; and
            (3) by inserting after clause (ii) the following:
                            ``(iii) purchasing or subscribing for a fee 
                        to sensitive personally identifiable 
                        information from a data broker (as such terms 
                        are defined in section 3 of the Personal Data 
                        Protection and Breach Accountability Act of 
                        2011).''.
    (b) Limitation.--Notwithstanding any other provision of law, 
commencing 1 year after the date of enactment of this Act, no Federal 
agency may enter into a contract with a data broker to access for a fee 
any database consisting primarily of sensitive personally identifiable 
information concerning United States persons (other than news reporting 
or telephone directories) unless the head of such department or 
agency--
            (1) completes a privacy impact assessment under section 208 
        of the E-Government Act of 2002 (44 U.S.C. 3501 note), which 
        shall, subject to the provision in that Act pertaining to 
        sensitive information, include a description of--
                    (A) such database;
                    (B) the name of the data broker from whom it is 
                obtained; and
                    (C) the amount of the contract for use;
            (2) adopts regulations that specify--
                    (A) the personnel permitted to access, analyze, or 
                otherwise use such databases;
                    (B) standards governing the access, analysis, or 
                use of such databases;
                    (C) any standards used to ensure that the sensitive 
                personally identifiable information accessed, analyzed, 
                or used is the minimum necessary to accomplish the 
                intended legitimate purpose of the Federal agency;
                    (D) standards limiting the retention and 
                redisclosure of sensitive personally identifiable 
                information obtained from such databases;
                    (E) procedures ensuring that such data meet 
                standards of accuracy, relevance, completeness, and 
                timeliness;
                    (F) the auditing and security measures to protect 
                against unauthorized access, analysis, use, or 
                modification of data in such databases;
                    (G) applicable mechanisms by which individuals may 
                secure timely redress for any adverse consequences 
                wrongly incurred due to the access, analysis, or use of 
                such databases;
                    (H) mechanisms, if any, for the enforcement and 
                independent oversight of existing or planned 
                procedures, policies, or guidelines; and
                    (I) an outline of enforcement mechanisms for 
                accountability to protect individuals and the public 
                against unlawful or illegitimate access or use of 
                databases; and
            (3) incorporates into the contract or other agreement 
        totaling more than $500,000, provisions--
                    (A) providing for penalties--
                            (i) for failure to comply with title II of 
                        this Act; or
                            (ii) if the entity knows or has reason to 
                        know that the sensitive personally identifiable 
                        information being provided to the Federal 
                        department or agency is inaccurate, and 
                        provides such inaccurate information; and
                    (B) requiring a data broker that engages service 
                providers not subject to subtitle A of title II for 
                responsibilities related to sensitive personally 
                identifiable information to--
                            (i) exercise appropriate due diligence in 
                        selecting those service providers for 
                        responsibilities related to sensitive 
                        personally identifiable information;
                            (ii) take reasonable steps to select and 
                        retain service providers that are capable of 
                        maintaining appropriate safeguards for the 
                        security, privacy, and integrity of the 
                        sensitive personally identifiable information 
                        at issue; and
                            (iii) require such service providers, by 
                        contract, to implement and maintain appropriate 
                        measures designed to meet the objectives and 
                        requirements in title II.
    (c) Limitation on Penalties.--The penalties under subsection 
(b)(3)(A) shall not apply to a data broker providing information that 
is accurately and completely recorded from a public record source.
    (d) Study of Government Use.--
            (1) Scope of study.--Not later than 180 days after the date 
        of enactment of this Act, the Comptroller General of the United 
        States shall conduct a study and audit and prepare a report on 
        Federal agency actions to address the recommendations in the 
        Government Accountability Office's April 2006 report on agency 
        adherence to key privacy principles in using data brokers or 
        commercial databases containing sensitive personally 
        identifiable information.
            (2) Report.--A copy of the report required under paragraph 
        (1) shall be submitted to Congress.

SEC. 304. FBI REPORT ON REPORTED BREACHES AND COMPLIANCE.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, and each year thereafter, the Federal Bureau of 
Investigation, in coordination with the Secret Service, shall submit to 
the Committee on the Judiciary of the Senate and the Committee on the 
Judiciary of the House of Representatives a report regarding any 
reported breaches at agencies or business entities during the preceding 
year.
    (b) Report Content.--Such reporting shall include--
            (1) the total instances of breaches of security in the 
        previous year;
            (2) the percentage of breaches described in subsection (a) 
        that occurred at an agency or business entity that did not 
        comply with the personal data privacy and security program 
        under section 202; and
            (3) recommendations, if any, for modifying or amending this 
        Act to increase its effectiveness.

SEC. 305. DEPARTMENT OF JUSTICE REPORT ON ENFORCEMENT ACTIONS.

    Section 529 of title 28, United States Code, is amended by adding 
at the end the following:
    ``(c) Not later than 1 year after the date of enactment of the 
Personal Data Protection and Breach Accountability Act of 2011, and 
every fiscal year thereafter, the Attorney General shall submit to 
Congress a report on Federal enforcement actions, State attorneys 
general enforcement actions, and private enforcement actions, 
undertaken pursuant to the Personal Data Protection and Breach 
Accountability Act of 2011 that shall include a description of the best 
practices for enforcement of such Act as well as recommendations, if 
any, for modifying or amending this Act to increase the effectiveness 
of such enforcement actions.''.

SEC. 306. REPORT ON NOTIFICATION EFFECTIVENESS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, and each year thereafter, the designated entity, in 
coordination with the Attorney General and the Federal Trade 
Commission, shall submit to the Committee on the Judiciary of the 
Senate and the Committee on the Judiciary of the House of 
Representatives a report regarding the effectiveness of post-breach 
notification practices by agencies and business entities.
    (b) Report Content.--The report required under subsection (a) shall 
include--
            (1) in each instance of a breach of security, the amount of 
        time between the instance of the breach and the discovery of 
        the breach by the affected business entity;
            (2) in each instance of a breach of security, the amount of 
        time between the discovery of the breach by the affected 
        business entity and the notification to the FBI and Secret 
        Service; and
            (3) in each instance of a breach of security, the amount of 
        time between the discovery of the breach by the affected 
        business entity and the notification to individuals whose 
        sensitive personally identifiable information was compromised.

         TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

SEC. 401. BUDGET COMPLIANCE.

    The budgetary effects of this Act, for the purpose of complying 
with the Statutory Pay-As-You-Go Act of 2010, shall be determined by 
reference to the latest statement titled ``Budgetary Effects of PAYGO 
Legislation'' for this Act, submitted for printing in the Congressional 
Record by the Chairman of the Senate Budget Committee, provided that 
such statement has been submitted prior to the vote on passage.