[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 1897 Introduced in Senate (IS)]

113th CONGRESS
  2d Session
                                S. 1897

 To prevent and mitigate identity theft, to ensure privacy, to provide 
  notice of security breaches, and to enhance criminal penalties, law 
    enforcement assistance, and other protections against security 
  breaches, fraudulent access, and misuse of personally identifiable 
                              information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 8, 2014

 Mr. Leahy (for himself, Mr. Schumer, Mr. Franken, and Mr. Blumenthal) 
introduced the following bill; which was read twice and referred to the 
                       Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
 To prevent and mitigate identity theft, to ensure privacy, to provide 
  notice of security breaches, and to enhance criminal penalties, law 
    enforcement assistance, and other protections against security 
  breaches, fraudulent access, and misuse of personally identifiable 
                              information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Personal Data 
Privacy and Security Act of 2014''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Organized criminal activity in connection with unauthorized 
                            access to personally identifiable 
                            information.
Sec. 102. Concealment of security breaches involving sensitive 
                            personally identifiable information.
Sec. 103. Penalties for fraud and related activity in connection with 
                            computers.
Sec. 104. Trafficking in passwords.
Sec. 105. Conspiracy and attempted computer fraud offenses.
Sec. 106. Criminal and civil forfeiture for fraud and related activity 
                            in connection with computers.
Sec. 107. Limitation on civil actions involving unauthorized use.
Sec. 108. Reporting of certain criminal cases.
Sec. 109. Damage to critical infrastructure computers.
Sec. 110. Limitation on actions involving unauthorized use.
 TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

Sec. 201. Purpose and applicability of data privacy and security 
                            program.
Sec. 202. Requirements for a personal data privacy and security 
                            program.
Sec. 203. Enforcement.
Sec. 204. Relation to other laws.
                Subtitle B--Security Breach Notification

Sec. 211. Notice to individuals.
Sec. 212. Exemptions.
Sec. 213. Methods of notice.
Sec. 214. Content of notification.
Sec. 215. Coordination of notification with credit reporting agencies.
Sec. 216. Notice to law enforcement.
Sec. 217. Enforcement.
Sec. 218. Enforcement by State attorneys general.
Sec. 219. Effect on Federal and State law.
Sec. 220. Reporting on exemptions.
Sec. 221. Effective date.
         TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

Sec. 301. Budget compliance.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) databases of personally identifiable information are 
        increasingly prime targets of hackers, identity thieves, rogue 
        employees, and other criminals, including organized and 
        sophisticated criminal operations;
            (2) identity theft is a serious threat to the Nation's 
        economic stability, national security, homeland security, 
        cybersecurity, the development of e-commerce, and the privacy 
        rights of Americans;
            (3) security breaches are a serious threat to consumer 
        confidence, homeland security, national security, e-commerce, 
        and economic stability;
            (4) it is important for business entities that own, use, or 
        license personally identifiable information to adopt reasonable 
        procedures to ensure the security, privacy, and confidentiality 
        of that personally identifiable information;
            (5) individuals whose personal information has been 
        compromised or who have been victims of identity theft should 
        receive the necessary information and assistance to mitigate 
        their damages and to restore the integrity of their personal 
        information and identities;
            (6) data misuse and use of inaccurate data have the 
        potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government operations;
            (7) government access to commercial data can potentially 
        improve safety, law enforcement, and national security; and
            (8) because government use of commercial data containing 
        personal information potentially affects individual privacy, 
        and law enforcement and national security operations, there is 
        a need for Congress to exercise oversight over government use 
        of commercial data.

SEC. 3. DEFINITIONS.

    In this Act, the following definitions shall apply:
            (1) Affiliate.--The term ``affiliate'' means persons 
        related by common ownership or by corporate control.
            (2) Agency.--The term ``agency'' has the same meaning given 
        such term in section 551 of title 5, United States Code.
            (3) Business entity.--The term ``business entity'' means 
        any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or venture 
        established to make a profit, or nonprofit.
            (4) Data system communication information.--The term ``data 
        system communication information'' means dialing, routing, 
        addressing, or signaling information that identifies the 
        origin, direction, destination, processing, transmission, or 
        termination of each communication initiated, attempted, or 
        received.
            (5) Designated entity.--The term ``designated entity'' 
        means the Federal Government entity designated by the Secretary 
        of Homeland Security under section 216(a).
            (6) Encryption.--The term ``encryption''--
                    (A) means the protection of data in electronic 
                form, in storage or in transit, using an encryption 
                technology that has been generally accepted by experts 
                in the field of information security that renders such 
                data indecipherable in the absence of associated 
                cryptographic keys necessary to enable decryption of 
                such data; and
                    (B) includes appropriate management and safeguards 
                of such cryptographic keys so as to protect the 
                integrity of the encryption.
            (7) Identity theft.--The term ``identity theft'' means a 
        violation of section 1028(a)(7) of title 18, United States 
        Code.
            (8) Personally identifiable information.--The term 
        ``personally identifiable information'' means any information, 
        or compilation of information, in electronic or digital form 
        that is a means of identification, as defined by section 
        1028(d)(7) of title 18, United States Code.
            (9) Public record source.--The term ``public record 
        source'' means the Congress, any agency, any State or local 
        government agency, the government of the District of Columbia 
        and governments of the territories or possessions of the United 
        States, and Federal, State or local courts, courts martial and 
        military commissions, that maintain personally identifiable 
        information in records available to the public.
            (10) Security breach.--
                    (A) In general.--The term ``security breach'' means 
                compromise of the security, confidentiality, or 
                integrity of, or the loss of, computerized data that 
                result in, or that there is a reasonable basis to 
                conclude has resulted in--
                            (i) the unauthorized acquisition of 
                        sensitive personally identifiable information; 
                        and
                            (ii) access to sensitive personally 
                        identifiable information that is for an 
                        unauthorized purpose, or in excess of 
                        authorization.
                    (B) Exclusion.--The term ``security breach'' does 
                not include--
                            (i) a good faith acquisition of sensitive 
                        personally identifiable information by a 
                        business entity or agency, or an employee or 
                        agent of a business entity or agency, if the 
                        sensitive personally identifiable information 
                        is not subject to further unauthorized 
                        disclosure;
                            (ii) the release of a public record not 
                        otherwise subject to confidentiality or 
                        nondisclosure requirements or the release of 
                        information obtained from a public record, 
                        including information obtained from a news 
                        report or periodical; or
                            (iii) any lawfully authorized 
                        investigative, protective, or intelligence 
                        activity of a law enforcement or intelligence 
                        agency of the United States, a State, or a 
                        political subdivision of a State.
            (11) Sensitive personally identifiable information.--The 
        term ``sensitive personally identifiable information'' means 
        any information or compilation of information, in electronic or 
        digital form that includes the following:
                    (A) An individual's first and last name or first 
                initial and last name in combination with any two of 
                the following data elements:
                            (i) Home address or telephone number.
                            (ii) Mother's maiden name.
                            (iii) Month, day, and year of birth.
                    (B) A non-truncated social security number, 
                driver's license number, passport number, or alien 
                registration number or other government-issued unique 
                identification number.
                    (C) Unique biometric data such as a fingerprint, 
                voice print, a retina or iris image, or any other 
                unique physical representation.
                    (D) A unique account identifier, including a 
                financial account number or credit or debit card 
                number, electronic identification number, user name, or 
                routing code.
                    (E) Any combination of the following data elements:
                            (i) An individual's first and last name or 
                        first initial and last name.
                            (ii) A unique account identifier, including 
                        a financial account number or credit or debit 
                        card number, electronic identification number, 
                        user name, or routing code.
                            (iii) Any security code, access code, or 
                        password, or source code that could be used to 
                        generate such codes or passwords.
            (12) Service provider.--The term ``service provider'' means 
        a business entity that provides electronic data transmission, 
        routing, intermediate and transient storage, or connections to 
        its system or network, where the business entity providing such 
        services does not select or modify the content of the 
        electronic data, is not the sender or the intended recipient of 
        the data, and the business entity transmits, routes, stores, or 
        provides connections for personal information in a manner that 
        personal information is undifferentiated from other types of 
        data that such business entity transmits, routes, stores, or 
        provides connections. Any such business entity shall be treated 
        as a service provider under this Act only to the extent that it 
        is engaged in the provision of such transmission, routing, 
        intermediate and transient storage or connections.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED 
              ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.

    Section 1961(1) of title 18, United States Code, is amended by 
inserting ``section 1030 (relating to fraud and related activity in 
connection with computers) if the act is a felony,'' before ``section 
1084''.

SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:
``Sec. 1041. Concealment of security breaches involving sensitive 
              personally identifiable information
    ``(a) In General.--Whoever, having knowledge of a security breach 
and of the fact that notice of such security breach is required under 
title II of the Personal Data Privacy and Security Act of 2014, 
intentionally and willfully conceals the fact of such security breach, 
shall, in the event that such security breach results in economic harm 
to any individual in the amount of $1,000 or more, be fined under this 
tile or imprisoned for not more than 5 years, or both.
    ``(b) Person Defined.--For purposes of subsection (a), the term 
`person' has the meaning given the term in section 1030(e)(12).
    ``(c) Notice Requirement.--Any person seeking an exemption under 
section 212(b) of the Personal Data Privacy and Security Act of 2014 
shall be immune from prosecution under this section if the Federal 
Trade Commission does not indicate, in writing, that such notice be 
given under section 212(b)(3) of such Act.''.
    (b) Conforming and Technical Amendments.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

``1041. Concealment of security breaches involving sensitive personally 
                            identifiable information.''.
    (c) Enforcement Authority.--
            (1) In general.--The United States Secret Service and 
        Federal Bureau of Investigation shall have the authority to 
        investigate offenses under section 1041 of title 18, United 
        States Code, as added by subsection (a).
            (2) Nonexclusivity.--The authority granted in paragraph (1) 
        shall not be exclusive of any existing authority held by any 
        other Federal agency.

SEC. 103. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH 
              COMPUTERS.

    Section 1030(c) of title 18, United States Code, is amended to read 
as follows:
    ``(c) The punishment for an offense under subsection (a) or (b) of 
this section is--
            ``(1) a fine under this title or imprisonment for not more 
        than 20 years, or both, in the case of an offense under 
        subsection (a)(1) of this section;
            ``(2)(A) except as provided in subparagraph (B), a fine 
        under this title or imprisonment for not more than 3 years, or 
        both, in the case of an offense under subsection (a)(2); or
            ``(B) a fine under this title or imprisonment for not more 
        than ten years, or both, in the case of an offense under 
        paragraph (a)(2) of this section, if--
                    ``(i) the offense was committed for purposes of 
                commercial advantage or private financial gain;
                    ``(ii) the offense was committed in the furtherance 
                of any criminal or tortious act in violation of the 
                Constitution or laws of the United States, or of any 
                State; or
                    ``(iii) the value of the information obtained, or 
                that would have been obtained if the offense was 
                completed, exceeds $5,000;
            ``(3) a fine under this title or imprisonment for not more 
        than 1 year, or both, in the case of an offense under 
        subsection (a)(3) of this section;
            ``(4) a fine under this title or imprisonment of not more 
        than 20 years, or both, in the case of an offense under 
        subsection (a)(4) of this section;
            ``(5)(A) except as provided in subparagraph (D), a fine 
        under this title, imprisonment for not more than 20 years, or 
        both, in the case of an offense under subsection (a)(5)(A) of 
        this section, if the offense caused--
                    ``(i) loss to 1 or more persons during any 1-year 
                period (and, for purposes of an investigation, 
                prosecution, or other proceeding brought by the United 
                States only, loss resulting from a related course of 
                conduct affecting 1 or more other protected computers) 
                aggregating at least $5,000 in value;
                    ``(ii) the modification or impairment, or potential 
                modification or impairment, of the medical examination, 
                diagnosis, treatment, or care of 1 or more individuals;
                    ``(iii) physical injury to any person;
                    ``(iv) a threat to public health or safety;
                    ``(v) damage affecting a computer used by, or on 
                behalf of, an entity of the United States Government in 
                furtherance of the administration of justice, national 
                defense, or national security; or
                    ``(vi) damage affecting 10 or more protected 
                computers during any 1-year period;
            ``(B) a fine under this title, imprisonment for not more 
        than 10 years, or both, in the case of an offense under 
        subsection (a)(5)(B), if the offense caused a harm provided in 
        clauses (i) through (vi) of subparagraph (A) of this 
        subsection;
            ``(C) if the offender attempts to cause or knowingly or 
        recklessly causes death from conduct in violation of subsection 
        (a)(5)(A), a fine under this title, imprisonment for any term 
        of years or for life, or both; or
            ``(D) a fine under this title, imprisonment for not more 
        than 1 year, or both, for any other offense under subsection 
        (a)(5);
            ``(6) a fine under this title or imprisonment for not more 
        than 10 years, or both, in the case of an offense under 
        subsection (a)(6) of this section; or
            ``(7) a fine under this title or imprisonment for not more 
        than 10 years, or both, in the case of an offense under 
        subsection (a)(7) of this section.''.

SEC. 104. TRAFFICKING IN PASSWORDS.

    Section 1030(a) of title 18, United States Code, is amended by 
striking paragraph (6) and inserting the following:
            ``(6) knowingly and with intent to defraud traffics (as 
        defined in section 1029) in--
                    ``(A) any password or similar information through 
                which a protected computer as defined in subparagraphs 
                (A) and (B) of subsection (e)(2) may be accessed 
                without authorization; or
                    ``(B) any means of access through which a protected 
                computer as defined in subsection (e)(2)(A) may be 
                accessed without authorization.''.

SEC. 105. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

    Section 1030(b) of title 18, United States Code, is amended by 
inserting ``for the completed offense'' after ``punished as provided''.

SEC. 106. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY 
              IN CONNECTION WITH COMPUTERS.

    Section 1030 of title 18, United States Code, is amended by 
striking subsections (i) and (j) and inserting the following:
    ``(i) Criminal Forfeiture.--
            ``(1) The court, in imposing sentence on any person 
        convicted of a violation of this section, or convicted of 
        conspiracy to violate this section, shall order, in addition to 
        any other sentence imposed and irrespective of any provision of 
        State law, that such person forfeit to the United States--
                    ``(A) such person's interest in any property, real 
                or personal, that was used, or intended to be used, to 
                commit or facilitate the commission of such violation; 
                and
                    ``(B) any property, real or personal, constituting 
                or derived from any gross proceeds, or any property 
                traceable to such property, that such person obtained, 
                directly or indirectly, as a result of such violation.
            ``(2) The criminal forfeiture of property under this 
        subsection, including any seizure and disposition of the 
        property, and any related judicial or administrative 
        proceeding, shall be governed by the provisions of section 413 
        of the Comprehensive Drug Abuse Prevention and Control Act of 
        1970 (21 U.S.C. 853), except subsection (d) of that section.
    ``(j) Civil Forfeiture.--
            ``(1) The following shall be subject to forfeiture to the 
        United States and no property right, real or personal, shall 
        exist in them:
                    ``(A) Any property, real or personal, that was 
                used, or intended to be used, to commit or facilitate 
                the commission of any violation of this section, or a 
                conspiracy to violate this section.
                    ``(B) Any property, real or personal, constituting 
                or derived from any gross proceeds obtained directly or 
                indirectly, or any property traceable to such property, 
                as a result of the commission of any violation of this 
                section, or a conspiracy to violate this section.
            ``(2) Seizures and forfeitures under this subsection shall 
        be governed by the provisions in chapter 46 relating to civil 
        forfeitures, except that such duties as are imposed on the 
        Secretary of the Treasury under the customs laws described in 
        section 981(d) shall be performed by such officers, agents and 
        other persons as may be designated for that purpose by the 
        Secretary of Homeland Security or the Attorney General.''.

SEC. 107. LIMITATION ON CIVIL ACTIONS INVOLVING UNAUTHORIZED USE.

    Section 1030(g) of title 18, United States Code, is amended--
            (1) by inserting ``(1)'' before ``Any person''; and
            (2) by adding at the end the following:
    ``(2) No action may be brought under this subsection if a violation 
of a contractual obligation or agreement, such as an acceptable use 
policy or terms of service agreement, constitutes the sole basis for 
determining that access to the protected computer is unauthorized, or 
in excess of authorization.''.

SEC. 108. REPORTING OF CERTAIN CRIMINAL CASES.

    Section 1030 of title 18, United States Code, is amended by adding 
at the end the following:
    ``(k) Reporting Certain Criminal Cases.--Not later than 1 year 
after the date of the enactment of this Act, and annually thereafter, 
the Attorney General shall report to the Committee on the Judiciary of 
the Senate and the Committee on the Judiciary of the House of 
Representatives the number of criminal cases brought under subsection 
(a) that involve conduct in which--
            ``(1) the defendant--
                    ``(A) exceeded authorized access to a non-
                governmental computer; or
                    ``(B) accessed a non-governmental computer without 
                authorization; and
            ``(2) the sole basis for the Government determining that 
        access to the non-governmental computer was unauthorized, or in 
        excess of authorization was that the defendant violated a 
        contractual obligation or agreement with a service provider or 
        employer, such as an acceptable use policy or terms of service 
        agreement.''.

SEC. 109. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by inserting after section 1030 the following:
``Sec. 1030A. Aggravated damage to a critical infrastructure computer
    ``(a) Definitions.--In this section--
            ``(1) the terms `computer' and `damage' have the meanings 
        given such terms in section 1030; and
            ``(2) the term `critical infrastructure computer' means a 
        computer that manages or controls systems or assets vital to 
        national defense, national security, national economic 
        security, public health or safety, or any combination of those 
        matters, whether publicly or privately owned or operated, 
        including--
                    ``(A) gas and oil production, storage, and delivery 
                systems;
                    ``(B) water supply systems;
                    ``(C) telecommunication networks;
                    ``(D) electrical power delivery systems;
                    ``(E) finance and banking systems;
                    ``(F) emergency services;
                    ``(G) transportation systems and services; and
                    ``(H) government operations that provide essential 
                services to the public.
    ``(b) Offense.--It shall be unlawful to, during and in relation to 
a felony violation of section 1030, intentionally cause or attempt to 
cause damage to a critical infrastructure computer, and such damage 
results in (or, in the case of an attempt, would, if completed have 
resulted in) the substantial impairment--
            ``(1) of the operation of the critical infrastructure 
        computer; or
            ``(2) of the critical infrastructure associated with the 
        computer.
    ``(c) Penalty.--Any person who violates subsection (b) shall be 
fined under this title, imprisoned for not less than 3 years nor more 
than 20 years, or both.
    ``(d) Consecutive Sentence.--Notwithstanding any other provision of 
law--
            ``(1) a court shall not place on probation any person 
        convicted of a violation of this section;
            ``(2) except as provided in paragraph (4), no term of 
        imprisonment imposed on a person under this section shall run 
        concurrently with any other term of imprisonment, including any 
        term of imprisonment imposed on the person under any other 
        provision of law, including any term of imprisonment imposed 
        for the felony violation section 1030;
            ``(3) in determining any term of imprisonment to be imposed 
        for a felony violation of section 1030, a court shall not in 
        any way reduce the term to be imposed for such crime so as to 
        compensate for, or otherwise take into account, any separate 
        term of imprisonment imposed or to be imposed for a violation 
        of this section; and
            ``(4) a term of imprisonment imposed on a person for a 
        violation of this section may, in the discretion of the court, 
        run concurrently, in whole or in part, only with another term 
        of imprisonment that is imposed by the court at the same time 
        on that person for an additional violation of this section, 
        provided that such discretion shall be exercised in accordance 
        with any applicable guidelines and policy statements issued by 
        the United States Sentencing Commission pursuant to section 994 
        of title 28.''.
    (b) Technical and Conforming Amendment.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by inserting 
after the item relating to section 1030 the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

SEC. 110. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

    Section 1030(e)(6) of title 18, United States Code, is amended by 
striking ``alter;'' and inserting ``alter, but does not include access 
in violation of a contractual obligation or agreement, such as an 
acceptable use policy or terms of service agreement, with an Internet 
service provider, Internet website, or non-government employer, if such 
violation constitutes the sole basis for determining that access to a 
protected computer is unauthorized;''.

 TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

SEC. 201. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Purpose.--The purpose of this subtitle is to ensure standards 
for developing and implementing administrative, technical, and physical 
safeguards to protect the security of sensitive personally identifiable 
information.
    (b) Applicability.--A business entity engaging in interstate 
commerce that involves collecting, accessing, transmitting, using, 
storing, or disposing of sensitive personally identifiable information 
in electronic or digital form on 10,000 or more United States persons 
is subject to the requirements for a data privacy and security program 
under section 202 for protecting sensitive personally identifiable 
information.
    (c) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to the following:
            (1) Financial institutions.--Financial institutions--
                    (A) subject to the data security requirements and 
                standards under section 501(b) of the Gramm-Leach-
                Bliley Act (15 U.S.C. 6801(b)); and
                    (B) subject to the jurisdiction of an agency or 
                authority described in section 505(a) of the Gramm-
                Leach-Bliley Act (15 U.S.C. 6805(a)).
            (2) HIPAA regulated entities.--
                    (A) Covered entities.--Covered entities subject to 
                the Health Insurance Portability and Accountability Act 
                of 1996 (42 U.S.C. 1301 et seq.), including the data 
                security requirements and implementing regulations of 
                that Act.
                    (B) Business entities.--A business entity shall be 
                deemed in compliance with this Act if the business 
                entity--
                            (i) is acting as a business associate, as 
                        that term is defined under the Health Insurance 
                        Portability and Accountability Act of 1996 (42 
                        U.S.C. 1301 et seq.) and is in compliance with 
                        the requirements imposed under that Act and 
                        implementing regulations promulgated under that 
                        Act; and
                            (ii) is subject to, and currently in 
                        compliance, with the privacy and data security 
                        requirements under sections 13401 and 13404 of 
                        division A of the American Reinvestment and 
                        Recovery Act of 2009 (42 U.S.C. 17931 and 
                        17934) and implementing regulations promulgated 
                        under such sections.
            (3) Service providers.--A service provider for any 
        electronic communication by a third party, to the extent that 
        the service provider is exclusively engaged in the 
        transmission, routing, or temporary, intermediate, or transient 
        storage of that communication.
            (4) Public records.--Public records not otherwise subject 
        to a confidentiality or nondisclosure requirement, or 
        information obtained from a public record, including 
        information obtained from a news report or periodical.
    (d) Safe Harbors.--
            (1) In general.--A business entity shall be deemed in 
        compliance with the privacy and security program requirements 
        under section 202 if the business entity complies with or 
        provides protection equal to industry standards or standards 
        widely accepted as an effective industry practice, as 
        identified by the Federal Trade Commission, that are applicable 
        to the type of sensitive personally identifiable information 
        involved in the ordinary course of business of such business 
        entity.
            (2) Limitation.--Nothing in this subsection shall be 
        construed to permit, and nothing does permit, the Federal Trade 
        Commission to issue regulations requiring, or according greater 
        legal status to, the implementation of or application of a 
        specific technology or technological specifications for meeting 
        the requirements of this title.

SEC. 202. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Personal Data Privacy and Security Program.--A business entity 
subject to this subtitle shall comply with the following safeguards and 
any other administrative, technical, or physical safeguards identified 
by the Federal Trade Commission in a rulemaking process pursuant to 
section 553 of title 5, United States Code, for the protection of 
sensitive personally identifiable information:
            (1) Scope.--A business entity shall implement a 
        comprehensive personal data privacy and security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity of the business entity 
        and the nature and scope of its activities.
            (2) Design.--The personal data privacy and security program 
        shall be designed to--
                    (A) ensure the privacy, security, and 
                confidentiality of sensitive personally identifying 
                information;
                    (B) protect against any anticipated vulnerabilities 
                to the privacy, security, or integrity of sensitive 
                personally identifying information; and
                    (C) protect against unauthorized access to use of 
                sensitive personally identifying information that could 
                create a significant risk of harm or fraud to any 
                individual.
            (3) Risk assessment.--A business entity shall--
                    (A) identify reasonably foreseeable internal and 
                external vulnerabilities that could result in 
                unauthorized access, disclosure, use, or alteration of 
                sensitive personally identifiable information or 
                systems containing sensitive personally identifiable 
                information;
                    (B) assess the likelihood of and potential damage 
                from unauthorized access, disclosure, use, or 
                alteration of sensitive personally identifiable 
                information;
                    (C) assess the sufficiency of its policies, 
                technologies, and safeguards in place to control and 
                minimize risks from unauthorized access, disclosure, 
                use, or alteration of sensitive personally identifiable 
                information; and
                    (D) assess the vulnerability of sensitive 
                personally identifiable information during destruction 
                and disposal of such information, including through the 
                disposal or retirement of hardware.
            (4) Risk management and control.--Each business entity 
        shall--
                    (A) design its personal data privacy and security 
                program to control the risks identified under paragraph 
                (3);
                    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, and scope of the activities of the business 
                entity that--
                            (i) control access to systems and 
                        facilities containing sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;
                            (ii) detect, record, and preserve 
                        information relevant to actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        disclosure, use, or alteration of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access;
                            (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption, redaction, or access controls that 
                        are widely accepted as an effective industry 
                        practice or industry standard, or other 
                        reasonable means (including as directed for 
                        disposal of records under section 628 of the 
                        Fair Credit Reporting Act (15 U.S.C. 1681w) and 
                        the implementing regulations of such Act as set 
                        forth in section 682 of title 16, Code of 
                        Federal Regulations);
                            (iv) ensure that sensitive personally 
                        identifiable information is properly destroyed 
                        and disposed of, including during the 
                        destruction of computers, diskettes, and other 
                        electronic media that contain sensitive 
                        personally identifiable information;
                            (v) trace access to records containing 
                        sensitive personally identifiable information 
                        so that the business entity can determine who 
                        accessed or acquired such sensitive personally 
                        identifiable information pertaining to specific 
                        individuals; and
                            (vi) ensure that no third party or customer 
                        of the business entity is authorized to access 
                        or acquire sensitive personally identifiable 
                        information without the business entity first 
                        performing sufficient due diligence to 
                        ascertain, with reasonable certainty, that such 
                        information is being sought for a valid legal 
                        purpose; and
                    (C) establish a plan and procedures for minimizing 
                the amount of sensitive personally identifiable 
                information maintained by such business entity, which 
                shall provide for the retention of sensitive personally 
                identifiable information only as reasonably needed for 
                the business purposes of such business entity or as 
                necessary to comply with any legal obligation.
    (b) Training.--Each business entity subject to this subtitle shall 
take steps to ensure employee training and supervision for 
implementation of the data security program of the business entity.
    (c) Vulnerability Testing.--
            (1) In general.--Each business entity subject to this 
        subtitle shall take steps to ensure regular testing of key 
        controls, systems, and procedures of the personal data privacy 
        and security program to detect, prevent, and respond to attacks 
        or intrusions, or other system failures.
            (2) Frequency.--The frequency and nature of the tests 
        required under paragraph (1) shall be determined by the risk 
        assessment of the business entity under subsection (a)(3).
    (d) Relationship to Certain Providers of Services.--In the event a 
business entity subject to this subtitle engages a person or entity not 
subject to this subtitle (other than a service provider) to receive 
sensitive personally identifiable information in performing services or 
functions (other than the services or functions provided by a service 
provider) on behalf of and under the instruction of such business 
entity, such business entity shall--
            (1) exercise appropriate due diligence in selecting the 
        person or entity for responsibilities related to sensitive 
        personally identifiable information, and take reasonable steps 
        to select and retain a person or entity that is capable of 
        maintaining appropriate safeguards for the security, privacy, 
        and integrity of the sensitive personally identifiable 
        information at issue; and
            (2) require the person or entity by contract to implement 
        and maintain appropriate measures designed to meet the 
        objectives and requirements governing entities subject to 
        section 201, this section, and subtitle B.
    (e) Periodic Assessment and Personal Data Privacy and Security 
Modernization.--Each business entity subject to this subtitle shall on 
a regular basis monitor, evaluate, and adjust, as appropriate its data 
privacy and security program in light of any relevant changes in--
            (1) technology;
            (2) the sensitivity of personally identifiable information;
            (3) internal or external threats to personally identifiable 
        information; and
            (4) the changing business arrangements of the business 
        entity, such as--
                    (A) mergers and acquisitions;
                    (B) alliances and joint ventures;
                    (C) outsourcing arrangements;
                    (D) bankruptcy; and
                    (E) changes to sensitive personally identifiable 
                information systems.
    (f) Implementation Timeline.--Not later than 1 year after the date 
of enactment of this Act, a business entity subject to the provisions 
of this subtitle shall implement a data privacy and security program 
pursuant to this subtitle.

SEC. 203. ENFORCEMENT.

    (a) Civil Penalties.--
            (1) In general.--Any business entity that violates the 
        provisions of section 201 or 202 shall be subject to civil 
        penalties of not more than $5,000 per violation per day while 
        such a violation exists, with a maximum of $500,000 per 
        violation.
            (2) Intentional or willful violation.--A business entity 
        that intentionally or willfully violates the provisions of 
        section 201 or 202 shall be subject to additional penalties in 
        the amount of $5,000 per violation per day while such a 
        violation exists, with a maximum of an additional $500,000 per 
        violation.
            (3) Penalty limits.--
                    (A) In general.--Notwithstanding any other 
                provision of law, the total sum of civil penalties 
                assessed against a business entity for all violations 
                of the provisions of this subtitle resulting from the 
                same or related acts or omissions shall not exceed 
                $500,000, unless such conduct is found to be willful or 
                intentional.
                    (B) Determinations.--The determination of whether a 
                violation of a provision of this subtitle has occurred, 
                and if so, the amount of the penalty to be imposed, if 
                any, shall be made by the court sitting as the finder 
                of fact. The determination of whether a violation of a 
                provision of this subtitle was willful or intentional, 
                and if so, the amount of the additional penalty to be 
                imposed, if any, shall be made by the court sitting as 
                the finder of fact.
                    (C) Additional penalty limit.--If a court 
                determines under subparagraph (B) that a violation of a 
                provision of this subtitle was willful or intentional 
                and imposes an additional penalty, the court may not 
                impose an additional penalty in an amount that exceeds 
                $500,000.
            (4) Equitable relief.--A business entity engaged in 
        interstate commerce that violates this section may be enjoined 
        from further violations by a United States district court.
            (5) Other rights and remedies.--The rights and remedies 
        available under this section are cumulative and shall not 
        affect any other rights and remedies available under law.
    (b) Federal Trade Commission Authority.--Any business entity shall 
have the provisions of this subtitle enforced against it by the Federal 
Trade Commission.
    (c) State Enforcement.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the acts or 
        practices of a business entity that violate this subtitle, the 
        State may bring a civil action on behalf of the residents of 
        that State in a district court of the United States of 
        appropriate jurisdiction to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this subtitle; or
                    (C) obtain civil penalties of not more than $5,000 
                per violation per day while such violations persist, up 
                to a maximum of $500,000 per violation.
            (2) Penalty limits.--
                    (A) In general.--Notwithstanding any other 
                provision of law, the total sum of civil penalties 
                assessed against a business entity for all violations 
                of the provisions of this subtitle resulting from the 
                same or related acts or omissions shall not exceed 
                $500,000, unless such conduct is found to be willful or 
                intentional.
                    (B) Determinations.--The determination of whether a 
                violation of a provision of this subtitle has occurred, 
                and if so, the amount of the penalty to be imposed, if 
                any, shall be made by the court sitting as the finder 
                of fact. The determination of whether a violation of a 
                provision of this subtitle was willful or intentional, 
                and if so, the amount of the additional penalty to be 
                imposed, if any, shall be made by the court sitting as 
                the finder of fact.
                    (C) Additional penalty limit.--If a court 
                determines under subparagraph (B) that a violation of a 
                provision of this subtitle was willful or intentional 
                and imposes an additional penalty, the court may not 
                impose an additional penalty in an amount that exceeds 
                $500,000.
            (3) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Federal Trade Commission--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an attorney 
                general of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in this 
                subparagraph before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described under subparagraph (B), the attorney general 
                of a State shall provide the written notice and the 
                copy of the complaint to the Federal Trade Commission 
                as soon after the filing of the complaint as 
                practicable.
            (4) Federal trade commission authority.--Upon receiving 
        notice under paragraph (2), the Federal Trade Commission shall 
        have the right to--
                    (A) move to stay the action, pending the final 
                disposition of a pending Federal proceeding or action 
                as described in paragraph (4);
                    (B) intervene in an action brought under paragraph 
                (1); and
                    (C) file petitions for appeal.
            (5) Pending proceedings.--If the Federal Trade Commission 
        initiates a Federal civil action for a violation of this 
        subtitle, or any regulations thereunder, no attorney general of 
        a State may bring an action for a violation of this subtitle 
        that resulted from the same or related acts or omissions 
        against a defendant named in the Federal civil action initiated 
        by the Federal Trade Commission.
            (6) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1) nothing in this subtitle shall 
        be construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths and affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (7) Venue; service of process.--
                    (A) Venue.--Any action brought under this 
                subsection may be brought in the district court of the 
                United States that meets applicable requirements 
                relating to venue under section 1391 of title 28, 
                United States Code.
                    (B) Service of process.--In an action brought under 
                this subsection, process may be served in any district 
                in which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
    (d) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a business entity for 
violation of any provision of this subtitle.

SEC. 204. RELATION TO OTHER LAWS.

    (a) In General.--No State may require any business entity subject 
to this subtitle to comply with any requirements with respect to 
administrative, technical, and physical safeguards for the protection 
of personal information.
    (b) Limitations.--Nothing in this subtitle shall be construed to 
modify, limit, or supersede the operation of the Gramm-Leach-Bliley Act 
(15 U.S.C. 6801 et seq.) or its implementing regulations, including 
those adopted or enforced by States.

                Subtitle B--Security Breach Notification

SEC. 211. NOTICE TO INDIVIDUALS.

    (a) In General.--Except as provided in section 212, any agency, or 
business entity engaged in interstate commerce, other than a service 
provider, that uses, accesses, transmits, stores, disposes of or 
collects sensitive personally identifiable information shall, following 
the discovery of a security breach of such information, notify any 
resident of the United States whose sensitive personally identifiable 
information has been, or is reasonably believed to have been, accessed, 
or acquired.
    (b) Obligation of Owner or Licensee.--
            (1) Notice to owner or licensee.--Any agency, or business 
        entity engaged in interstate commerce, that uses, accesses, 
        transmits, stores, disposes of, or collects sensitive 
        personally identifiable information that the agency or business 
        entity does not own or license shall notify the owner or 
        licensee of the information following the discovery of a 
        security breach involving such information.
            (2) Notice by owner, licensee, or other designated third 
        party.--Nothing in this subtitle shall prevent or abrogate an 
        agreement between an agency or business entity required to give 
        notice under this section and a designated third party, 
        including an owner or licensee of the sensitive personally 
        identifiable information subject to the security breach, to 
        provide the notifications required under subsection (a).
            (3) Business entity relieved from giving notice.--A 
        business entity obligated to give notice under subsection (a) 
        shall be relieved of such obligation if an owner or licensee of 
        the sensitive personally identifiable information subject to 
        the security breach, or other designated third party, provides 
        such notification.
            (4) Service providers.--If a service provider becomes aware 
        of a security breach of data in electronic form containing 
        sensitive personal information that is owned or possessed by 
        another business entity that connects to or uses a system or 
        network provided by the service provider for the purpose of 
        transmitting, routing, or providing intermediate or transient 
        storage of such data, the service provider shall be required to 
        notify the business entity who initiated such connection, 
        transmission, routing, or storage of the security breach if the 
        business entity can be reasonably identified. Upon receiving 
        such notification from a service provider, the business entity 
        shall be required to provide the notification required under 
        subsection (a).
    (c) Timeliness of Notification.--
            (1) In general.--All notifications required under this 
        section shall be made without unreasonable delay following the 
        discovery by the agency or business entity of a security 
        breach.
            (2) Reasonable delay.--
                    (A) In general.--Reasonable delay under this 
                subsection may include any time necessary to determine 
                the scope of the security breach, prevent further 
                disclosures, conduct the risk assessment described in 
                section 202(a)(3), and restore the reasonable integrity 
                of the data system and provide notice to law 
                enforcement when required.
                    (B) Extension.--
                            (i) In general.--Except as provided in 
                        subsection (d), delay of notification shall not 
                        exceed 60 days following the discovery of the 
                        security breach, unless the business entity or 
                        agency requests an extension of time and the 
                        Federal Trade Commission determines in writing 
                        that additional time is reasonably necessary to 
                        determine the scope of the security breach, 
                        prevent further disclosures, conduct the risk 
                        assessment, restore the reasonable integrity of 
                        the data system, or to provide notice to the 
                        designated entity.
                            (ii) Approval of request.--If the Federal 
                        Trade Commission approves the request for 
                        delay, the agency or business entity may delay 
                        the time period for notification for additional 
                        periods of up to 30 days.
            (3) Burden of production.--The agency, business entity, 
        owner, or licensee required to provide notice under this 
        subtitle shall, upon the request of the Attorney General or the 
        Federal Trade Commission provide records or other evidence of 
        the notifications required under this subtitle, including to 
        the extent applicable, the reasons for any delay of 
        notification.
    (d) Delay of Notification Authorized for Law Enforcement or 
National Security Purposes.--
            (1) In general.--If the United States Secret Service or the 
        Federal Bureau of Investigation determines that the 
        notification required under this section would impede a 
        criminal investigation, or national security activity, such 
        notification shall be delayed upon written notice from the 
        United States Secret Service or the Federal Bureau of 
        Investigation to the agency or business entity that experienced 
        the breach. The notification from the United States Secret 
        Service or the Federal Bureau of Investigation shall specify in 
        writing the period of delay requested for law enforcement or 
        national security purposes.
            (2) Extended delay of notification.--If the notification 
        required under subsection (a) is delayed pursuant to paragraph 
        (1), an agency or business entity shall give notice 30 days 
        after the day such law enforcement or national security delay 
        was invoked unless a Federal law enforcement or intelligence 
        agency provides written notification that further delay is 
        necessary.
            (3) Law enforcement immunity.--No non-constitutional cause 
        of action shall lie in any court against any agency for acts 
        relating to the delay of notification for law enforcement or 
        national security purposes under this subtitle.
    (e) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to the following:
            (1) Financial institutions.--Financial institutions--
                    (A) subject to the data security requirements and 
                standards under section 501(b) of the Gramm-Leach-
                Bliley Act (15 U.S.C. 6801(b)); and
                    (B) subject to the jurisdiction of an agency or 
                authority described in section 505(a) of the Gramm-
                Leach-Bliley Act (15 U.S.C. 6805(a)).
            (2) HIPAA regulated entities.--
                    (A) Covered entities.--Covered entities subject to 
                the Health Insurance Portability and Accountability Act 
                of 1996 (42 U.S.C. 1301 et seq.), including the data 
                security requirements and implementing regulations of 
                that Act.
                    (B) Business entities.--A business entity shall be 
                deemed in compliance with this Act if the business 
                entity--
                            (i)(I) is acting as a covered entity and as 
                        a business associate, as those terms are 
                        defined under the Health Insurance Portability 
                        and Accountability Act of 1996 (42 U.S.C. 1301 
                        et seq.) and is in compliance with the 
                        requirements imposed under that Act and 
                        implementing regulations promulgated under that 
                        Act; and
                            (II) is subject to, and currently in 
                        compliance, with the data breach notification, 
                        privacy and data security requirements under 
                        the Health Information Technology for Economic 
                        and Clinical Health (HITECH) Act, (42 U.S.C. 
                        17932) and implementing regulations promulgated 
                        thereunder; or
                            (ii) is acting as a vendor of personal 
                        health records and third party service 
                        provider, subject to the Health Information 
                        Technology for Economic and Clinical Health 
                        (HITECH) Act (42 U.S.C. 17937), including the 
                        data breach notification requirements and 
                        implementing regulations of that Act.

SEC. 212. EXEMPTIONS.

    (a) Exemption for National Security and Law Enforcement.--
            (1) In general.--Section 211 shall not apply to an agency 
        or business entity if--
                    (A) the United States Secret Service or the Federal 
                Bureau of Investigation determines that notification of 
                the security breach could be expected to reveal 
                sensitive sources and methods or similarly impede the 
                ability of the Government to conduct law enforcement 
                investigations; or
                    (B) the Federal Bureau of Investigation determines 
                that notification of the security breach could be 
                expected to cause damage to the national security.
            (2) Immunity.--No non-constitutional cause of action shall 
        lie in any court against any Federal agency for acts relating 
        to the exemption from notification for law enforcement or 
        national security purposes under this title.
    (b) Safe Harbor.--
            (1) In general.--An agency or business entity shall be 
        exempt from the notice requirements under section 211, if--
                    (A) a risk assessment conducted by the agency or 
                business entity concludes that, based upon the 
                information available, there is no significant risk 
                that a security breach has resulted in, or will result 
                in, identity theft, economic loss or harm, or physical 
                harm to the individuals whose sensitive personally 
                identifiable information was subject to the security 
                breach;
                    (B) without unreasonable delay, but not later than 
                45 days after the discovery of a security breach, 
                unless extended by the Federal Trade Commission, the 
                agency or business entity notifies the Federal Trade 
                Commission, in writing, of--
                            (i) the results of the risk assessment; and
                            (ii) its decision to invoke the risk 
                        assessment exemption; and
                    (C) the Federal Trade Commission does not indicate, 
                in writing, within 10 business days from receipt of the 
                decision, that notice should be given.
            (2) Rebuttable presumptions.--For purposes of paragraph 
        (1)--
                    (A) the encryption of sensitive personally 
                identifiable information described in paragraph 
                (1)(A)(i) shall establish a rebuttable presumption that 
                no significant risk exists; and
                    (B) the rendering of sensitive personally 
                identifiable information described in paragraph 
                (1)(A)(ii) unusable, unreadable, or indecipherable 
                through data security technology or methodology that is 
                generally accepted by experts in the field of 
                information security, such as redaction or access 
                controls shall establish a rebuttable presumption that 
                no significant risk exists.
            (3) Violation.--It shall be a violation of this section 
        to--
                    (A) fail to conduct the risk assessment in a 
                reasonable manner, or according to standards generally 
                accepted by experts in the field of information 
                security; or
                    (B) submit the results of a risk assessment that 
                contains fraudulent or deliberately misleading 
                information.
    (c) Financial Fraud Prevention Exemption.--
            (1) In general.--A business entity will be exempt from the 
        notice requirement under section 211 if the business entity 
        utilizes or participates in a security program that--
                    (A) effectively blocks the use of the sensitive 
                personally identifiable information to initiate 
                unauthorized financial transactions before they are 
                charged to the account of the individual; and
                    (B) provides for notice to affected individuals 
                after a security breach that has resulted in fraud or 
                unauthorized transactions.
            (2) Limitation.--The exemption in paragraph (1) does not 
        apply if the information subject to the security breach 
        includes an individual's first and last name, or any other type 
        of sensitive personally identifiable information as defined in 
        section 3, unless that information is only a credit card number 
        or credit card security code.

SEC. 213. METHODS OF NOTICE.

    An agency or business entity shall be in compliance with section 
211 if it provides the following:
            (1) Individual notice.--Notice to individuals by one of the 
        following means:
                    (A) Written notification to the last known home 
                mailing address of the individual in the records of the 
                agency or business entity.
                    (B) Telephone notice to the individual personally.
                    (C) E-mail notice, if the individual has consented 
                to receive such notice and the notice is consistent 
                with the provisions permitting electronic transmission 
                of notices under section 101 of the Electronic 
                Signatures in Global and National Commerce Act (15 
                U.S.C. 7001).
            (2) Media notice.--Notice to major media outlets serving a 
        State or jurisdiction, if the number of residents of such State 
        whose sensitive personally identifiable information was, or is 
        reasonably believed to have been, accessed or acquired by an 
        unauthorized person exceeds 5,000.

SEC. 214. CONTENT OF NOTIFICATION.

    (a) In General.--Regardless of the method by which notice is 
provided to individuals under section 213, such notice shall include, 
to the extent possible--
            (1) a description of the categories of sensitive personally 
        identifiable information that was, or is reasonably believed to 
        have been, accessed or acquired by an unauthorized person;
            (2) a toll-free number--
                    (A) that the individual may use to contact the 
                agency or business entity, or the agent of the agency 
                or business entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                agency or business entity maintained about that 
                individual; and
            (3) the toll-free contact telephone numbers and addresses 
        for the major credit reporting agencies.
    (b) Additional Content.--Notwithstanding section 219, a State may 
require that a notice under subsection (a) shall also include 
information regarding victim protection assistance provided for by that 
State.
    (c) Direct Business Relationship.--Regardless of whether a business 
entity, agency, or a designated third party provides the notice 
required pursuant to section 211(b), such notice shall include the name 
of the business entity or agency that has a direct relationship with 
the individual being notified.

SEC. 215. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.

    If an agency or business entity is required to provide notification 
to more than 5,000 individuals under section 211(a), the agency or 
business entity shall also notify all consumer reporting agencies that 
compile and maintain files on consumers on a nationwide basis (as 
defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 
1681a(p))) of the timing and distribution of the notices. Such notice 
shall be given to the consumer credit reporting agencies without 
unreasonable delay and, if it will not delay notice to the affected 
individuals, prior to the distribution of notices to the affected 
individuals.

SEC. 216. NOTICE TO LAW ENFORCEMENT.

    (a) Designation of Government Entity To Receive Notice.--
            (1) In general.--Not later than 60 days after the date of 
        enactment of this Act, the Secretary of Homeland Security shall 
        designate a Federal Government entity to receive the notices 
        required under section 212 and this section, and any other 
        reports and information about information security incidents, 
        threats, and vulnerabilities.
            (2) Responsibilities of the designated entity.--The 
        designated entity shall--
                    (A) be responsible for promptly providing the 
                information that it receives to the United States 
                Secret Service and the Federal Bureau of Investigation, 
                and to the Federal Trade Commission for civil law 
                enforcement purposes; and
                    (B) provide the information described in 
                subparagraph (A) as appropriate to other Federal 
                agencies for law enforcement, national security, or 
                data security purposes.
    (b) Notice.--Any business entity or agency shall notify the 
designated entity of the fact that a security breach has occurred if--
            (1) the number of individuals whose sensitive personally 
        identifying information was, or is reasonably believed to have 
        been accessed or acquired by an unauthorized person exceeds 
        5,000;
            (2) the security breach involves a database, networked or 
        integrated databases, or other data system containing the 
        sensitive personally identifiable information of more than 
        500,000 individuals nationwide;
            (3) the security breach involves databases owned by the 
        Federal Government; or
            (4) the security breach involves primarily sensitive 
        personally identifiable information of individuals known to the 
        agency or business entity to be employees and contractors of 
        the Federal Government involved in national security or law 
        enforcement.
    (c) FTC Rulemaking and Review of Thresholds.--
            (1) Reports.--Not later than 1 year after the date of the 
        enactment of this Act, the Federal Trade Commission, in 
        consultation with the Attorney General of the United States and 
        the Secretary of Homeland Security, shall promulgate 
        regulations under section 553 of title 5, United States Code, 
        regarding the reports required under subsection (a).
            (2) Thresholds for notice.--The Federal Trade Commission, 
        in consultation with the Attorney General and the Secretary of 
        Homeland Security, after notice and the opportunity for public 
        comment, and in a manner consistent with this section, shall 
        promulgate regulations, as necessary, under section 553 of 
        title 5, United States Code, to adjust the thresholds for 
        notice to law enforcement and national security authorities 
        under subsection (a) and to facilitate the purposes of this 
        section.
    (d) Timing.--The notice required under subsection (a) shall be 
provided as promptly as possible, but such notice must be provided 
either 72 hours before notice is provided to an individual pursuant to 
section 211, or not later than 10 days after the business entity or 
agency discovers the security breach or discovers that the nature of 
the security breach requires notice to law enforcement under this 
section, whichever occurs first.

SEC. 217. ENFORCEMENT.

    (a) In General.--The Attorney General and the Federal Trade 
Commission may enforce civil violations of section 211.
    (b) Civil Actions by the Attorney General of the United States.--
            (1) In general.--The Attorney General may bring a civil 
        action in the appropriate United States district court against 
        any business entity that engages in conduct constituting a 
        violation of this subtitle and, upon proof of such conduct by a 
        preponderance of the evidence, such business entity shall be 
        subject to a civil penalty of not more than $11,000 per day per 
        security breach.
            (2) Penalty limitation.--Notwithstanding any other 
        provision of law, the total amount of the civil penalty 
        assessed against a business entity for conduct involving the 
        same or related acts or omissions that results in a violation 
        of this subtitle may not exceed $1,000,000.
            (3) Determinations.--The determination of whether a 
        violation of a provision of this subtitle has occurred, and if 
        so, the amount of the penalty to be imposed, if any, shall be 
        made by the court sitting as the finder of fact. The 
        determination of whether a violation of a provision of this 
        subtitle was willful or intentional, and if so, the amount of 
        the additional penalty to be imposed, if any, shall be made by 
        the court sitting as the finder of fact.
            (4) Additional penalty limit.--If a court determines under 
        paragraph (3) that a violation of a provision of this subtitle 
        was willful or intentional and imposes an additional penalty, 
        the court may not impose an additional penalty in an amount 
        that exceeds $1,000,000.
    (c)  Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a business entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (d) Civil Actions by the Federal Trade Commission.--
            (1) In general.--Compliance with the requirements imposed 
        under this subtitle may be enforced under the Federal Trade 
        Commission Act (15 U.S.C. 41 et seq.) by the Federal Trade 
        Commission with respect to business entities subject to this 
        Act. All of the functions and powers of the Federal Trade 
        Commission under the Federal Trade Commission Act are available 
        to the Commission to enforce compliance by any person with the 
        requirements imposed under this title.
            (2) Penalty limitation.--
                    (A) In general.--Notwithstanding any other 
                provision of law, the total sum of civil penalties 
                assessed against a business entity for all violations 
                of the provisions of this subtitle resulting from the 
                same or related acts or omissions may not exceed 
                $1,000,000, unless such conduct is found to be willful 
                or intentional.
                    (B) Determinations.--The determination of whether a 
                violation of a provision of this subtitle has occurred, 
                and if so, the amount of the penalty to be imposed, if 
                any, shall be made by the court sitting as the finder 
                of fact. The determination of whether a violation of a 
                provision of this subtitle was willful or intentional, 
                and if so, the amount of the additional penalty to be 
                imposed, if any, shall be made by the court sitting as 
                the finder of fact.
                    (C) Additional penalty limit.--If a court 
                determines under subparagraph (B) that a violation of a 
                provision of this subtitle was willful or intentional 
                and imposes an additional penalty, the court may not 
                impose an additional penalty in an amount that exceeds 
                $1,000,000.
            (3) Unfair or deceptive acts or practices.--For the purpose 
        of the exercise by the Federal Trade Commission of its 
        functions and powers under the Federal Trade Commission Act, a 
        violation of any requirement or prohibition imposed under this 
        title shall constitute an unfair or deceptive act or practice 
        in commerce in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(I)(B)) regarding unfair or deceptive acts or practices 
        and shall be subject to enforcement by the Federal Trade 
        Commission under that Act with respect to any business entity, 
        irrespective of whether that business entity is engaged in 
        commerce or meets any other jurisdictional tests in the Federal 
        Trade Commission Act.
    (e) Coordination of Enforcement.--
            (1) In general.--Before opening an investigation, the 
        Federal Trade Commission shall consult with the Attorney 
        General.
            (2) Limitation.--The Federal Trade Commission may initiate 
        investigations under this subsection unless the Attorney 
        General determines that such an investigation would impede an 
        ongoing criminal investigation or national security activity.
            (3) Coordination agreement.--
                    (A) In general.--In order to avoid conflicts and 
                promote consistency regarding the enforcement and 
                litigation of matters under this Act, not later than 
                180 days after the enactment of this Act, the Attorney 
                General and the Federal Trade Commission shall enter 
                into an agreement for coordination regarding the 
                enforcement of this Act.
                    (B) Requirement.--The coordination agreement 
                entered into under subparagraph (A) shall include 
                provisions to ensure that parallel investigations and 
                proceedings under this section are conducted in a 
                matter that avoids conflicts and does not impede the 
                ability of the Attorney General to prosecute violations 
                of Federal criminal laws.
            (4) Coordination with the fcc.--If an enforcement action 
        under this Act relates to customer proprietary network 
        information, the Federal Trade Commission shall coordinate the 
        enforcement action with the Federal Communications Commission.
    (f) Rulemaking.--The Federal Trade Commission may, in consultation 
with the Attorney General, issue such other regulations as it 
determines to be necessary to carry out this subtitle. All regulations 
promulgated under this Act shall be issued in accordance with section 
553 of title 5, United States Code. Where regulations relate to 
customer proprietary network information, the promulgation of such 
regulations will be coordinated with the Federal Communications 
Commission.
    (g) Other Rights and Remedies.--The rights and remedies available 
under this subtitle are cumulative and shall not affect any other 
rights and remedies available under law.
    (h) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting 
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence 
that the consumer has received notice that the consumer's financial 
information has or may have been compromised,'' after ``identity theft 
report''.

SEC. 218. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the engagement 
        of a business entity in a practice that is prohibited under 
        this subtitle, the State or the State or local law enforcement 
        agency on behalf of the residents of the agency's jurisdiction, 
        may bring a civil action on behalf of the residents of the 
        State or jurisdiction in a district court of the United States 
        of appropriate jurisdiction to--
                    (A) enjoin that practice;
                    (B) enforce compliance with this subtitle; or
                    (C) civil penalties of not more than $11,000 per 
                day per security breach up to a maximum of $1,000,000 
                per violation, unless such conduct is found to be 
                willful or intentional.
            (2) Penalty limitation.--
                    (A) In general.--Notwithstanding any other 
                provision of law, the total sum of civil penalties 
                assessed against a business entity for all violations 
                of the provisions of this subtitle resulting from the 
                same or related acts or omissions may not exceed 
                $1,000,000, unless such conduct is found to be willful 
                or intentional.
                    (B) Determinations.--The determination of whether a 
                violation of a provision of this subtitle has occurred, 
                and if so, the amount of the penalty to be imposed, if 
                any, shall be made by the court sitting as the finder 
                of fact. The determination of whether a violation of a 
                provision of this subtitle was willful or intentional, 
                and if so, the amount of the additional penalty to be 
                imposed, if any, shall be made by the court sitting as 
                the finder of fact.
                    (C) Additional penalty limit.--If a court 
                determines under subparagraph (B) that a violation of a 
                provision of this subtitle was willful or intentional 
                and imposes an additional penalty, the court may not 
                impose an additional penalty in an amount that exceeds 
                $1,000,000.
            (3) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subtitle, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(2), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action;
            (2) initiate an action in the appropriate United States 
        district court under section 217 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(2); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General or the Federal 
Trade Commission initiate a criminal proceeding or civil action for a 
violation of a provision of this subtitle, or any regulations 
thereunder, no attorney general of a State may bring an action for a 
violation of a provision of this subtitle against a defendant named in 
the Federal criminal proceeding or civil action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle regarding notification shall 
be construed to prevent an attorney general of a State from exercising 
the powers conferred on such attorney general by the laws of that State 
to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.
    (f) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a business entity for 
violation of any provision of this subtitle.

SEC. 219. EFFECT ON FEDERAL AND STATE LAW.

    For any entity, or agency that is subject to this subtitle, the 
provisions of this subtitle shall supersede any other provision of 
Federal law, or any provisions of the law of any State, relating to 
notification of a security breach, except as provided in section 
214(b). Nothing in this subtitle shall be construed to modify, limit, 
or supersede the operation of the Gramm-Leach-Bliley Act (15 U.S.C. 
6801 et seq.) or its implementing regulations, including those 
regulations adopted or enforced by States, the Health Insurance 
Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.) or 
its implementing regulations, or the Health Information Technology for 
Economic and Clinical Health Act (42 U.S.C. 17937) or its implementing 
regulations.

SEC. 220. REPORTING ON EXEMPTIONS.

    (a) FTC Report.--Not later than 18 months after the date of 
enactment of this Act, and upon request by Congress thereafter, the 
Federal Trade Commission shall submit a report to Congress on the 
number and nature of the security breaches described in the notices 
filed by those business entities invoking the risk assessment exemption 
under section 212(b) and their response to such notices.
    (b) Law Enforcement Report.--
            (1) In general.--Not later than 18 months after the date of 
        enactment of this Act, and upon the request by Congress 
        thereafter, the United States Secret Service and Federal Bureau 
        of Investigation shall submit a report to Congress on the 
        number and nature of security breaches subject to the national 
        security and law enforcement exemptions under section 212(a).
            (2) Requirement.--The report required under paragraph (1) 
        shall not include the contents of any risk assessment provided 
        to the United States Secret Service and the Federal Bureau of 
        Investigation under this subtitle.

SEC. 221. EFFECTIVE DATE.

    This subtitle shall take effect on the expiration of the date which 
is 90 days after the date of enactment of this Act.

         TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

SEC. 301. BUDGET COMPLIANCE.

    The budgetary effects of this Act, for the purpose of complying 
with the Statutory Pay-As-You-Go Act of 2010, shall be determined by 
reference to the latest statement titled ``Budgetary Effects of PAYGO 
Legislation'' for this Act, submitted for printing in the Congressional 
Record by the Chairman of the Senate Budget Committee, provided that 
such statement has been submitted prior to the vote on passage.
                                 <all>