[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 1927 Introduced in Senate (IS)]

113th CONGRESS
  2d Session
                                S. 1927

  To protect information relating to consumers, to require notice of 
               security breaches, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 15, 2014

 Mr. Carper (for himself and Mr. Blunt) introduced the following bill; 
which was read twice and referred to the Committee on Banking, Housing, 
                           and Urban Affairs

_______________________________________________________________________

                                 A BILL


 
  To protect information relating to consumers, to require notice of 
               security breaches, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Security Act of 2014''.

SEC. 2. DEFINITIONS.

    For purposes of this Act, the following definitions shall apply:
            (1) Affiliate.--The term ``affiliate'' means any company 
        that controls, is controlled by, or is under common control 
        with another company.
            (2) Agency.--The term ``agency'' has the same meaning as in 
        section 551(1) of title 5, United States Code.
            (3) Breach of data security.--
                    (A) In general.--The term ``breach of data 
                security'' means the unauthorized acquisition of 
                sensitive account information or sensitive personal 
                information.
                    (B) Exception for data that is not in usable 
                form.--
                            (i) In general.--The term ``breach of data 
                        security'' does not include the unauthorized 
                        acquisition of sensitive account information or 
                        sensitive personal information that is 
                        maintained or communicated in a manner that is 
                        not usable--
                                    (I) to commit identity theft; or
                                    (II) to make fraudulent 
                                transactions on financial accounts.
                            (ii) Rule of construction.--For purposes of 
                        this subparagraph, information that is 
                        maintained or communicated in a manner that is 
                        not usable includes any information that is 
                        maintained or communicated in an encrypted, 
                        redacted, altered, edited, or coded form.
            (4) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (5) Consumer.--The term ``consumer'' means an individual.
            (6) Consumer reporting agency that compiles and maintains 
        files on consumers on a nationwide basis.--The term ``consumer 
        reporting agency that compiles and maintains files on consumers 
        on a nationwide basis'' has the same meaning as in section 
        603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
            (7) Covered entity.--
                    (A) In general.--The term ``covered entity'' means 
                any--
                            (i) entity, the business of which is 
                        engaging in financial activities, as described 
                        in section 4(k) of the Bank Holding Company Act 
                        of 1956 (12 U.S.C. 1843(k));
                            (ii) financial institution, including any 
                        institution described in section 313.3(k) of 
                        title 16, Code of Federal Regulations, as in 
                        effect on the date of enactment of this Act;
                            (iii) entity that maintains or otherwise 
                        possesses information that is subject to 
                        section 628 of the Fair Credit Reporting Act 
                        (15 U.S.C. 1681w); or
                            (iv) other individual, partnership, 
                        corporation, trust, estate, cooperative, 
                        association, or entity that maintains or 
                        communicates sensitive account information or 
                        sensitive personal information.
                    (B) Exception.--The term ``covered entity'' does 
                not include any agency or any other unit of Federal, 
                State, or local government or any subdivision of the 
                unit.
            (8) Financial institution.--The term ``financial 
        institution'' has the same meaning as in section 509(3) of the 
        Gramm-Leach-Bliley Act (15 U.S.C. 6809(3)).
            (9) Sensitive account information.--The term ``sensitive 
        account information'' means a financial account number relating 
        to a consumer, including a credit card number or debit card 
        number, in combination with any security code, access code, 
        password, or other personal identification information required 
        to access the financial account.
            (10) Sensitive personal information.--
                    (A) In general.--The term ``sensitive personal 
                information'' means the first and last name, address, 
                or telephone number of a consumer, in combination with 
                any of the following relating to the consumer:
                            (i) Social security account number.
                            (ii) Driver's license number or equivalent 
                        State identification number.
                            (iii) Taxpayer identification number.
                    (B) Exception.--The term ``sensitive personal 
                information'' does not include publicly available 
                information that is lawfully made available to the 
                general public from--
                            (i) Federal, State, or local government 
                        records; or
                            (ii) widely distributed media.
            (11) Substantial harm or inconvenience.--
                    (A) In general.--The term ``substantial harm or 
                inconvenience'' means--
                            (i) material financial loss to, or civil or 
                        criminal penalties imposed on, a consumer, due 
                        to the unauthorized use of sensitive account 
                        information or sensitive personal information 
                        relating to the consumer; or
                            (ii) the need for a consumer to expend 
                        significant time and effort to correct 
                        erroneous information relating to the consumer, 
                        including information maintained by a consumer 
                        reporting agency, financial institution, or 
                        government entity, in order to avoid material 
                        financial loss, increased costs, or civil or 
                        criminal penalties, due to the unauthorized use 
                        of sensitive account information or sensitive 
                        personal information relating to the consumer.
                    (B) Exception.--The term ``substantial harm or 
                inconvenience'' does not include--
                            (i) changing a financial account number or 
                        closing a financial account; or
                            (ii) harm or inconvenience that does not 
                        result from identity theft or account fraud.

SEC. 3. PROTECTION OF INFORMATION AND SECURITY BREACH NOTIFICATION.

    (a) Security Procedures Required.--
            (1) In general.--Each covered entity shall implement, 
        maintain, and enforce reasonable policies and procedures to 
        protect the confidentiality and security of sensitive account 
        information and sensitive personal information that is 
        maintained or is being communicated by or on behalf of a 
        covered entity from the unauthorized use of the information 
        that is reasonably likely to result in substantial harm or 
        inconvenience to the consumer to whom the information relates.
            (2) Limitation.--Any policy or procedure implemented or 
        maintained under paragraph (1) shall be appropriate to--
                    (A) the size and complexity of the covered entity;
                    (B) the nature and scope of the activities of the 
                covered entity; and
                    (C) the sensitivity of the consumer information to 
                be protected.
    (b) Investigation Required.--
            (1) In general.--If a covered entity determines that a 
        breach of data security has or may have occurred in relation to 
        sensitive account information or sensitive personal information 
        that is maintained or is being communicated by, or on behalf 
        of, the covered entity, the covered entity shall conduct an 
        investigation to--
                    (A) assess the nature and scope of the breach;
                    (B) identify any sensitive account information or 
                sensitive personal information that may have been 
                involved in the breach; and
                    (C) determine if the sensitive account information 
                or sensitive personal information is reasonably likely 
                to be misused in a manner causing substantial harm or 
                inconvenience to the consumers to whom the information 
                relates.
            (2) Neural networks and information security programs.--In 
        determining the likelihood of misuse of sensitive account 
        information under paragraph (1)(C), a covered entity shall 
        consider whether any neural network or security program has 
        detected, or is likely to detect or prevent, fraudulent 
        transactions resulting from the breach of security.
    (c) Notice Required.--If a covered entity determines under 
subsection (b)(1)(C) that sensitive account information or sensitive 
personal information involved in a breach of data security is 
reasonably likely to be misused in a manner causing substantial harm or 
inconvenience to the consumers to whom the information relates, the 
covered entity, or a third party acting on behalf of the covered 
entity, shall--
            (1) notify, in the following order--
                    (A) the appropriate agency or authority identified 
                in section 5;
                    (B) an appropriate law enforcement agency;
                    (C) any entity that owns, or is obligated on, a 
                financial account to which the sensitive account 
                information relates, if the breach involves a breach of 
                sensitive account information;
                    (D) each consumer reporting agency that compiles 
                and maintains files on consumers on a nationwide basis, 
                if the breach involves sensitive personal information 
                relating to 5,000 or more consumers; and
                    (E) all consumers to whom the sensitive account 
                information or sensitive personal information relates; 
                and
            (2) take reasonable measures to restore the security and 
        confidentiality of the sensitive account information or 
        sensitive personal information involved in the breach.
    (d) Compliance.--
            (1) In general.--An entity shall be deemed to be in 
        compliance with--
                    (A) in the case of a financial institution--
                            (i) subsection (a), and any regulations 
                        prescribed under subsection (a), if the 
                        financial institution maintains policies and 
                        procedures to protect the confidentiality and 
                        security of sensitive account information and 
                        sensitive personal information that are 
                        consistent with the policies and procedures of 
                        the financial institution that are designed to 
                        comply with the requirements of section 501(b) 
                        of the Gramm-Leach-Bliley Act (15 U.S.C. 
                        6801(b)) and any regulations or guidance 
                        prescribed under that section that are 
                        applicable to the financial institution; and
                            (ii) subsections (b) and (c), and any 
                        regulations prescribed under subsections (b) 
                        and (c), if the financial institution--
                                    (I)(aa) maintains policies and 
                                procedures to investigate and provide 
                                notice to consumers of breaches of data 
                                security that are consistent with the 
                                policies and procedures of the 
                                financial institution that are designed 
                                to comply with the investigation and 
                                notice requirements established by 
                                regulations or guidance under section 
                                501(b) of the Gramm-Leach-Bliley Act 
                                (15 U.S.C. 6801(b)) that are applicable 
                                to the financial institution; or
                                    (bb) is an affiliate of a bank 
                                holding company that maintains policies 
                                and procedures to investigate and 
                                provide notice to consumers of breaches 
                                of data security that are consistent 
                                with the policies and procedures of a 
                                bank that is an affiliate of the 
                                financial institution, and the policies 
                                and procedures of the bank are designed 
                                to comply with the investigation and 
                                notice requirements established by any 
                                regulations or guidance under section 
                                501(b) of the Gramm-Leach-Bliley Act 
                                (15 U.S.C. 6801(b)) that are applicable 
                                to the bank; and
                                    (II) provides for notice to the 
                                entities described under subparagraphs 
                                (B), (C), and (D) of subsection (c)(1), 
                                if notice is provided to consumers 
                                pursuant to the policies and procedures 
                                of the financial institution described 
                                in subclause (I); and
                    (B) subsections (a), (b), and (c), if the entity is 
                a covered entity for purposes of the regulations 
                promulgated under section 264(c) of the Health 
                Insurance Portability and Accountability Act of 1996 
                (42 U.S.C. 1320d-2 note), to the extent that the entity 
                is in compliance with such regulations.
            (2) Definitions.--For purposes of this subsection, the 
        terms ``bank holding company'' and ``bank'' shall have the same 
        meaning given the terms under section 2 of the Bank Holding 
        Company Act of 1956 (12 U.S.C. 1841).

SEC. 4. IMPLEMENTING REGULATIONS.

    (a) In General.--Notwithstanding any other provision of law, and 
except as provided in section 6, the agencies and authorities 
identified in section 5, with respect to the covered entities that are 
subject to the respective enforcement authority of the agencies and 
authorities, shall prescribe regulations to implement this Act.
    (b) Coordination.--Each agency and authority required to prescribe 
regulations under subsection (a) shall consult and coordinate with each 
other agency and authority identified in section 5 so that, to the 
extent possible, the regulations prescribed by each agency and 
authority are consistent and comparable.
    (c) Method of Providing Notice to Consumers.--The regulations 
required under subsection (a) shall--
            (1) prescribe the methods by which a covered entity shall 
        notify a consumer of a breach of data security under section 3; 
        and
            (2) allow a covered entity to provide the notice by--
                    (A) written, telephonic, or e-mail notification; or
                    (B) substitute notification, if providing written, 
                telephonic, or e-mail notification is not feasible due 
                to--
                            (i) lack of sufficient contact information 
                        for the consumers that must be notified; or
                            (ii) excessive cost to the covered entity.
    (d) Content of Consumer Notice.--The regulations required under 
subsection (a) shall--
            (1) prescribe the content that shall be included in a 
        notice of a breach of data security that is required to be 
        provided to consumers under section 3; and
            (2) require the notice to include--
                    (A) a description of the type of sensitive account 
                information or sensitive personal information involved 
                in the breach of data security;
                    (B) a general description of the actions taken by 
                the covered entity to restore the security and 
                confidentiality of the sensitive account information or 
                sensitive personal information involved in the breach 
                of data security; and
                    (C) the summary of rights of victims of identity 
                theft prepared by the Commission under section 609(d) 
                of the Fair Credit Reporting Act (15 U.S.C. 1681g(d)), 
                if the breach of data security involves sensitive 
                personal information.
    (e) Timing of Notice.--The regulations required under subsection 
(a) shall establish standards for when a covered entity shall provide 
any notice required under section 3.
    (f) Law Enforcement Delay.--The regulations required under 
subsection (a) shall allow a covered entity to delay providing notice 
of a breach of data security to consumers under section 3 if a law 
enforcement agency requests such a delay in writing.
    (g) Service Providers.--The regulations required under subsection 
(a) shall--
            (1) require any party that maintains or communicates 
        sensitive account information or sensitive personal information 
        on behalf of a covered entity to provide notice to that covered 
        entity if the party determines that a breach of data security 
        has, or may have, occurred with respect to the sensitive 
        account information or sensitive personal information; and
            (2) ensure that there is only 1 notification responsibility 
        with respect to a breach of data security.
    (h) Timing of Regulations.--The regulations required under 
subsection (a) shall--
            (1) be issued in final form not later than 6 months after 
        the date of enactment of this Act; and
            (2) take effect not later than 6 months after the date on 
        which they are issued in final form.

SEC. 5. ADMINISTRATIVE ENFORCEMENT.

    (a) In General.--Notwithstanding any other provision of law, 
section 3, and the regulations required under section 4, shall be 
enforced exclusively under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) a national bank, a Federal branch or Federal 
                agency of a foreign bank, or any subsidiary thereof 
                (other than a broker, dealer, person providing 
                insurance, investment company, or investment adviser), 
                or a savings association, the deposits of which are 
                insured by the Federal Deposit Insurance Corporation, 
                or any subsidiary thereof (other than a broker, dealer, 
                person providing insurance, investment company, or 
                investment adviser), by the Office of the Comptroller 
                of the Currency;
                    (B) a member bank of the Federal Reserve System 
                (other than a national bank), a branch or agency of a 
                foreign bank (other than a Federal branch, Federal 
                agency, or insured State branch of a foreign bank), a 
                commercial lending company owned or controlled by a 
                foreign bank, an organization operating under section 
                25 or 25A of the Federal Reserve Act (12 U.S.C. 601, 
                611), or a bank holding company and its nonbank 
                subsidiary or affiliate (other than a broker, dealer, 
                person providing insurance, investment company, or 
                investment adviser), by the Board of Governors of the 
                Federal Reserve System; and
                    (C) a bank, the deposits of which are insured by 
                the Federal Deposit Insurance Corporation (other than a 
                member of the Federal Reserve System), an insured State 
                branch of a foreign bank, or any subsidiary thereof 
                (other than a broker, dealer, person providing 
                insurance, investment company, or investment adviser), 
                by the Board of Directors of the Federal Deposit 
                Insurance Corporation;
            (2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.), 
        by the National Credit Union Administration Board with respect 
        to any federally insured credit union;
            (3) the Securities Exchange Act of 1934 (15 U.S.C. 78a et 
        seq.), by the Securities and Exchange Commission with respect 
        to any broker or dealer;
            (4) the Investment Company Act of 1940 (15 U.S.C. 80a-1 et 
        seq.), by the Securities and Exchange Commission with respect 
        to any investment company;
            (5) the Investment Advisers Act of 1940 (15 U.S.C. 80b-1 et 
        seq.), by the Securities and Exchange Commission with respect 
        to any investment adviser registered with the Securities and 
        Exchange Commission under that Act;
            (6) the Commodity Exchange Act (7 U.S.C. 1 et seq.), by the 
        Commodity Futures Trading Commission with respect to any 
        futures commission merchant, commodity trading advisor, 
        commodity pool operator, or introducing broker;
            (7) the provisions of title XIII of the Housing and 
        Community Development Act of 1992 (12 U.S.C. 4501 et seq.), by 
        the Director of Federal Housing Enterprise Oversight (and any 
        successor to the functional regulatory agency) with respect to 
        the Federal National Mortgage Association, the Federal Home 
        Loan Mortgage Corporation, and any other entity or enterprise 
        (as defined in that title) subject to the jurisdiction of the 
        functional regulatory agency under that title, including any 
        affiliate of any such enterprise;
            (8) State insurance law, in the case of any person engaged 
        in providing insurance, by the applicable State insurance 
        authority of the State in which the person is domiciled; and
            (9) the Federal Trade Commission Act (15 U.S.C. 41 et 
        seq.), by the Commission for any other covered entity that is 
        not subject to the jurisdiction of any agency or authority 
        described under paragraphs (1) through (8).
    (b) Extension of Federal Trade Commission Enforcement Authority.--
The authority of the Commission to enforce compliance with section 3, 
and the regulations required under section 4, under subsection (a)(8) 
shall--
            (1) notwithstanding the Federal Aviation Act of 1958 (49 
        U.S.C. App. 1301 et seq.), include the authority to enforce 
        compliance by air carriers and foreign air carriers; and
            (2) notwithstanding the Packers and Stockyards Act (7 
        U.S.C. 181 et seq.), include the authority to enforce 
        compliance by persons, partnerships, and corporations subject 
        to the provisions of that Act.
    (c) No Private Right of Action.--
            (1) In general.--This Act, and the regulations prescribed 
        under this Act, may not be construed to provide a private right 
        of action, including a class action with respect to any act or 
        practice regulated under this Act.
            (2) Civil and criminal actions.--No civil or criminal 
        action relating to any act or practice governed under this Act, 
        or the regulations prescribed under this Act, shall be 
        commenced or maintained in any State court or under State law, 
        including a pendent State claim to an action under Federal law.

SEC. 6. PROTECTION OF INFORMATION AT FEDERAL AGENCIES.

    (a) Data Security Standards.--Each agency shall implement 
appropriate standards relating to administrative, technical, and 
physical safeguards--
            (1) to insure the security and confidentiality of the 
        sensitive account information and sensitive personal 
        information that is maintained or is being communicated by, or 
        on behalf of, that agency;
            (2) to protect against any anticipated threats or hazards 
        to the security of the sensitive account information and 
        sensitive personal information; and
            (3) to protect against misuse of the sensitive account 
        information and sensitive personal information that could 
        result in substantial harm or inconvenience to a consumer.
    (b) Security Breach Notification Standards.--Each agency shall 
implement appropriate standards providing for notification of consumers 
when the agency determines that sensitive account information or 
sensitive personal information that is maintained or is being 
communicated by, or on behalf of, the agency--
            (1) has been acquired without authorization; and
            (2) is reasonably likely to be misused in a manner causing 
        substantial harm or inconvenience to the consumers to whom the 
        information relates.

SEC. 7. RELATION TO STATE LAW.

    No requirement or prohibition may be imposed under the laws of any 
State with respect to the responsibilities of any person to--
            (1) protect the security of information relating to 
        consumers that is maintained or communicated by, or on behalf 
        of, the person;
            (2) safeguard information relating to consumers from 
        potential misuse;
            (3) investigate or provide notice of the unauthorized 
        access to information relating to consumers, or the potential 
        misuse of the information, for fraudulent, illegal, or other 
        purposes; or
            (4) mitigate any loss or harm resulting from the 
        unauthorized access or misuse of information relating to 
        consumers.

SEC. 8. DELAYED EFFECTIVE DATE FOR CERTAIN PROVISIONS.

    (a) Covered Entities.--Sections 3 and 7 shall take effect on the 
later of--
            (1) 1 year after the date of enactment of this Act; or
            (2) the effective date of the final regulations required 
        under section 4.
    (b) Agencies.--Section 6 shall take effect 1 year after the date of 
enactment of this Act.