

113 S1976 IS: Data Security and Breach Notification Act of 2014
U.S. Senate
2014-01-30
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
113th CONGRESS
2d Session
S. 1976

IN THE SENATE OF THE UNITED STATES

January 30, 2014

Mr. Rockefeller (for himself, Mrs. Feinstein, Mr. Pryor, and Mr. Nelson) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL

To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a breach of security.

SEC. 1. SHORT TITLE.

This Act may be cited as the "Data Security and Breach Notification Act of 2014".

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

  (a) General security policies and procedures.

    (1) Regulations. Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require each covered entity that owns or possesses data containing personal information, or contracts to have any third-party entity maintain such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration—
      (A) the size of, and the nature, scope, and complexity of the activities engaged in by such covered entity;
      (B) the current state of the art in administrative, technical, and physical safeguards for protecting such information;
      (C) the cost of implementing the safeguards under subparagraph (B); and
      (D) the impact on small businesses and nonprofits.

    (2) Requirements. The regulations shall require the policies and procedures to include the following:
      (A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of personal information.
      (B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
      (C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in each system maintained by the covered entity that contains such personal information, which shall include regular monitoring for a breach of security of each such system.
      (D) A process for taking preventive and corrective action to mitigate any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.
      (E) A process for disposing of data in electronic form containing personal information by destroying, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable.
      (F) A standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.

  (b) Limitations.

    (1) Covered entities subject to the Gramm-Leach-Bliley Act. A financial institution that is subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) and is in compliance with information security requirements under that Act shall be deemed in compliance with this section.

    (2) Applicability of other information security requirements. A person who is subject to, and in compliance with, the information security requirements of section 13401 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931) or of section 1173(d) of title XI, part C of the Social Security Act (42 U.S.C. 1320d–2(d)) shall be deemed in compliance with this section with respect to any data governed by section 13401 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931) or by the Health Insurance Portability and Accountability Act of 1996 Security Rule (45 C.F.R. 160.103 and Part 164).

    (3) Certain service providers. Nothing in this section shall apply to a service provider for any electronic communication by a third party to the extent that the service provider is engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication.

SEC. 3. NOTIFICATION OF BREACH OF SECURITY.

  (a) Nationwide notification. A covered entity that owns or possesses data in electronic form containing personal information, following the discovery of a breach of security of the system maintained by the covered entity that contains such data, shall notify—
    (1) each individual who is a citizen or resident of the United States and whose personal information was or is reasonably believed to have been acquired or accessed from the covered entity as a result of the breach of security; and
    (2) the Commission, unless the covered entity has notified the designated entity under section 4.

  (b) Special notification requirements.

    (1) Third-party entities. In the event of a breach of security of a system maintained by a third-party entity that has been contracted to maintain or process data in electronic form containing personal information on behalf of any other covered entity who owns or possesses such data, the third-party entity shall notify the covered entity of the breach of security. Upon receiving notification from the third-party entity, such covered entity shall provide the notification required under subsection (a).

    (2) Service providers. If a service provider becomes aware of a breach of security of data in electronic form containing personal information that is owned or possessed by another covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall notify of the breach of security only the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified. Upon receiving the notification from the service provider, the covered entity shall provide the notification required under subsection (a).

    (3) Coordination of notification with credit reporting agencies. If a covered entity is required to provide notification to more than 5,000 individuals under subsection (a)(1), the covered entity also shall notify each major credit reporting agency of the timing and distribution of the notices, except when the only personal information that is the subject of the breach of security is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code. Such notice shall be given to each credit reporting agency without unreasonable delay and, if it will not delay notice to the affected individuals, prior to the distribution of notices to the affected individuals.

  (c) Timeliness of notification. Notification under subsection (a) shall be made—
    (1) not later than 30 days after the date of discovery of a breach of security; or
    (2) as promptly as possible if the covered entity providing notice can show that providing notice within the timeframe under paragraph (1) is not feasible due to circumstances necessary—
      (A) to accurately identify affected consumers;
      (B) to prevent further breach or unauthorized disclosures; or
      (C) to reasonably restore the integrity of the data system.

  (d) Method and content of notification.

    (1) Direct notification.

      (A) Method of direct notification. A covered entity shall be in compliance with the notification requirement under subsection (a)(1) if—
        (i) the covered entity provides conspicuous and clearly identified notification—
          (I) in writing; or
          (II) by e-mail or other electronic means if—
            (aa) the covered entity's primary method of communication with the individual is by e-mail or such other electronic means; or
            (bb) the individual has consented to receive notification by e-mail or such other electronic means and such notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001); and
        (ii) the method of notification selected under clause (i) can reasonably be expected to reach the intended individual.

      (B) Content of direct notification. Each method of direct notification under subparagraph (A) shall include—
        (i) the date, estimated date, or estimated date range of the breach of security;
        (ii) a description of the personal information that was or is reasonably believed to have been acquired or accessed as a result of the breach of security;
        (iii) a telephone number that an individual can use at no cost to the individual to contact the covered entity to inquire about the breach of security or the information the covered entity maintained about that individual;
        (iv) notice that the individual may be entitled to consumer credit reports under subsection (e)(1);
        (v) instructions how an individual can request consumer credit reports under subsection (e)(1);
        (vi) a telephone number, that an individual can use at no cost to the individual, and an address to contact each major credit reporting agency; and
        (vii) a telephone number, that an individual can use at no cost to the individual, and an Internet Web site address to obtain information regarding identity theft from the Commission.

    (2) Substitute notification.

      (A) Circumstances giving rise to substitute notification. A covered entity required to provide notification to individuals under subsection (a)(1) may provide substitute notification instead of direct notification under paragraph (1)—
        (i) if direct notification is not feasible due to lack of sufficient contact information for the individual required to be notified; or
        (ii) if the covered entity owns or possesses data in electronic form containing personal information of fewer than 10,000 individuals and direct notification is not feasible due to excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A).

      (B) Method of substitute notification. Substitute notification under this paragraph shall include—
        (i) conspicuous and clearly identified notification by e-mail to the extent the covered entity has an e-mail address for an individual who is entitled to notification under subsection (a)(1);
        (ii) conspicuous and clearly identified notification on the Internet Web site of the covered entity if the covered entity maintains an Internet Web site; and
        (iii) notification to print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.

      (C) Content of substitute notification. Each method of substitute notification under this paragraph shall include—
        (i) the date, estimated date, or estimated date range of the breach of security;
        (ii) a description of the types of personal information that were or are reasonably believed to have been acquired or accessed as a result of the breach of security;
        (iii) notice that an individual may be entitled to consumer credit reports under subsection (e)(1);
        (iv) instructions how an individual can request consumer credit reports under subsection (e)(1);
        (v) a telephone number that an individual can use at no cost to the individual to learn whether the individual's personal information is included in the breach of security;
        (vi) a telephone number, that an individual can use at no cost to the individual, and an address to contact each major credit reporting agency; and
        (vii) a telephone number, that an individual can use at no cost to the individual, and an Internet Web site address to obtain information regarding identity theft from the Commission.

    (3) Regulations and guidance.

      (A) Regulations. Not later than 1 year after the date of enactment of this Act, the Commission, by regulation under section 553 of title 5, United States Code, shall establish criteria for determining circumstances under which substitute notification may be provided under section 3(d)(2) of this Act, including criteria for determining if direct notification under section 3(d)(1) of this Act is not feasible due to excessive costs to the covered entity required to provide such notification relative to the resources of such covered entity. The regulations may also identify other circumstances where substitute notification would be appropriate, including circumstances under which the cost of providing direct notification exceeds the benefits to consumers.

      (B) Guidance. In addition, the Commission, in consultation with the Small Business Administration, shall provide and publish general guidance with respect to compliance with this subsection. The guidance shall include—
        (i) a description of written or e-mail notification that complies with paragraph (1); and
        (ii) guidance on the content of substitute notification under paragraph (2), including the extent of notification to print and broadcast media that complies with paragraph (2)(B)(iii).

  (e) Other obligations following breach.

    (1) In general. Not later than 60 days after the date of request by an individual who received notification under subsection (a)(1) and quarterly thereafter for 2 years, a covered entity required to provide notification under subsection (a)(1) shall provide, or arrange for the provision of, to the individual at no cost, consumer credit reports from at least 1 major credit reporting agency.

    (2) Limitation. This subsection shall not apply if the only personal information that is the subject of the breach of security is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code.

    (3) Rulemaking. The Commission's rulemaking under subsection (d)(3) shall include—
      (A) determination of the circumstances under which a covered entity required to provide notification under subsection (a)(1) must provide or arrange for the provision of free consumer credit reports; and
      (B) establishment of a simple process under which a covered entity that is a small business or small non-profit organization may request a full or a partial waiver or a modified or an alternative means of complying with this subsection if providing free consumer credit reports is not feasible due to excessive costs relative to the resources of such covered entity and relative to the level of harm, to affected individuals, caused by the breach of security.

  (f) Delay of notification authorized for national security and law enforcement purposes.

    (1) In general. If the United States Secret Service or the Federal Bureau of Investigation determines that notification under this section would impede a criminal investigation or a national security activity, notification shall be delayed upon written notice from the United States Secret Service or the Federal Bureau of Investigation to the covered entity that experienced the breach of security. Written notice from the United States Secret Service or the Federal Bureau of Investigation shall specify the period of delay requested for national security or law enforcement purposes.

    (2) Subsequent delay of notification.

      (A) In general. A covered entity shall provide notification under this section not later than 30 days after the day that the delay was invoked unless a Federal law enforcement or intelligence agency provides subsequent written notice to the covered entity that further delay is necessary.

      (B) Written justification requirements.
        (i) United States Secret Service. If the United States Secret Service instructs a covered entity to delay notification under this section beyond the 30-day period under subparagraph (A) (referred to in this clause as "subsequent delay"), the United States Secret Service shall submit written justification for the subsequent delay to the Secretary of Homeland Security before the subsequent delay begins.
        (ii) Federal Bureau of Investigation. If the Federal Bureau of Investigation instructs a covered entity to delay notification under this section beyond the 30-day period under subparagraph (A) (referred to in this clause as "subsequent delay"), the Federal Bureau of Investigation shall submit written justification for the subsequent delay to the Attorney General before the subsequent delay begins.

    (3) Law enforcement immunity. No cause of action shall lie in any court against any Federal agency for acts relating to the delay of notification for national security or law enforcement purposes under this Act.

  (g) General exemption.

    (1) In general. A covered entity shall be exempt from the requirements under this section if, following a breach of security, the covered entity reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.

    (2) Presumption.

      (A) In general. There shall be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security if—
        (i) the data is rendered unusable, unreadable, or indecipherable through a security technology or methodology; and
        (ii) the security technology or methodology under clause (i) is generally accepted by experts in the information security field.

      (B) Rebuttal. The presumption under subparagraph (A) may be rebutted by facts demonstrating that the security technology or methodology in a specific case has been or is reasonably likely to be compromised.

    (3) Technologies or methodologies. Not later than 1 year after the date of enactment of this Act, and biennially thereafter, the Commission, after consultation with the National Institute of Standards and Technology, shall issue rules (pursuant to section 553 of title 5, United States Code) or guidance to identify each security technology and methodology under paragraph (2). In identifying each such security technology and methodology, the Commission and the National Institute of Standards and Technology shall—
      (A) consult with relevant industries, consumer organizations, data security and identity theft prevention experts, and established standards setting bodies; and
      (B) consider whether and in what circumstances a security technology or methodology currently in use, such as encryption, complies with the standards under paragraph (2).

    (4) FTC guidance. Not later than 1 year after the date of enactment of this Act, the Commission, after consultation with the National Institute of Standards and Technology, shall issue guidance regarding the application of the exemption under paragraph (1).

  (h) Exemptions for national security and law enforcement purposes.

    (1) In general. A covered entity shall be exempt from the requirements under this section if—
      (A) a determination is made—
        (i) by the United States Secret Service or the Federal Bureau of Investigation that notification of the breach of security could be reasonably expected to reveal sensitive sources and methods or similarly impede the ability of the Government to conduct law enforcement or intelligence investigations; or
        (ii) by the Federal Bureau of Investigation that notification of the breach of security could be reasonably expected to cause damage to the national security; and
      (B) the United States Secret Service or the Federal Bureau of Investigation, as the case may be, provides written notice of its determination under subparagraph (A) to the covered entity.

    (2) United States Secret Service. If the United States Secret Service invokes an exemption under paragraph (1), the United States Secret Service shall submit written justification for invoking the exemption to the Secretary of Homeland Security before the exemption is invoked.

    (3) Federal Bureau of Investigation. If the Federal Bureau of Investigation invokes an exemption under paragraph (1), the Federal Bureau of Investigation shall submit written justification for invoking the exemption to the Attorney General before the exemption is invoked.

    (4) Immunity. No cause of action shall lie in any court against any Federal agency for acts relating to the exemption from notification for national security or law enforcement purposes under this Act.

    (5) Reports. Not later than 18 months after the date of enactment of this Act, and upon request by Congress thereafter, the United States Secret Service and Federal Bureau of Investigation shall submit to Congress a report on the number and nature of breaches of security subject to the exemptions for national security and law enforcement purposes under this subsection.

  (i) Financial fraud prevention exemption.

    (1) In general. A covered entity shall be exempt from the requirements under this section if the covered entity utilizes or participates in a security program that—
      (A) effectively blocks the use of the personal information to initiate an unauthorized financial transaction before it is charged to the account of the individual; and
      (B) provides notice to each affected individual after a breach of security that resulted in attempted fraud or an attempted unauthorized transaction.

    (2) Limitations. An exemption under paragraph (1) shall not apply if—
      (A) the breach of security includes personal information, other than a credit card number or credit card security code, of any type; or
      (B) the breach of security includes both the individual's credit card number and the individual's first and last name.

  (j) Financial institutions regulated by Federal functional regulators.

    (1) In general. A covered financial institution shall be deemed in compliance with this section if—
      (A) the Federal functional regulator with jurisdiction over the covered financial institution has issued a standard by regulation or guideline under title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) that—
        (i) requires financial institutions within its jurisdiction to provide notification to individuals following a breach of security; and
        (ii) provides protections substantially similar to, or greater than, those required under this Act; and
      (B) the covered financial institution is in compliance with the standard under subparagraph (A).

    (2) Definitions. In this subsection—
      (A) the term "covered financial institution" means a financial institution that is subject to—
        (i) the data security requirements of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.);
        (ii) any implementing standard issued by regulation or guideline issued under that Act; and
        (iii) the jurisdiction of a Federal functional regulator under that Act;
      (B) the term "Federal functional regulator" has the meaning given the term in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809); and
      (C) the term "financial institution" has the meaning given the term in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809).

  (k) Exemption; health privacy.

    (1) Covered entity or business associate under HITECH Act. To the extent that a covered entity under this Act acts as a covered entity or a business associate under section 13402 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17932), has the obligation to provide notification to individuals following a breach of security under that Act or its implementing regulations, and is in compliance with that obligation, the covered entity shall be deemed in compliance with this section.

    (2) Entity subject to HITECH Act. To the extent that a covered entity under this Act acts as a vendor of personal health records, a third party service provider, or other entity subject to section 13407 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17937), has the obligation to provide notification to individuals following a breach of security under that Act or its implementing regulations, and is in compliance with that obligation, the covered entity shall be deemed in compliance with this section.

    (3) Limitation of statutory construction. Nothing in this Act may be construed in any way to give effect to the sunset provision under section 13407(g)(2) of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17937(g)(2)) or to otherwise limit or affect the applicability, under section 13407 of that Act, of the requirement to provide notification to individuals following a breach of security for vendors of personal health records and each entity described in clause (ii), (iii), or (iv) of section 13424(b)(1)(A) of that Act (42 U.S.C. 17953(b)(1)(A)).

  (l) Web site notice of Federal Trade Commission. If the Commission, upon receiving notification of any breach of security that is reported to the Commission, finds that notification of the breach of security via the Commission's Internet Web site would be in the public interest or for the protection of consumers, the Commission shall place such a notice in a clear and conspicuous location on its Internet Web site.

  (m) FTC study on notification in languages in addition to English. Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the practicality and cost effectiveness of requiring the direct notification required by subsection (d)(1) to be provided in a language in addition to English to individuals known to speak only such other language.

  (n) General rulemaking authority. The Commission may promulgate regulations necessary under section 553 of title 5, United States Code, to effectively enforce the requirements of this section.

SEC. 4. NOTICE TO LAW ENFORCEMENT.

  (a) Designation of government entity to receive notice. Not later than 60 days after the date of enactment of this Act, the Secretary of the Department of Homeland Security shall designate a Federal Government entity to receive notice under this section.

  (b) Notice. A covered entity shall notify the designated entity of a breach of security if—
    (1) the number of individuals whose personal information was, or is reasonably believed to have been, acquired or accessed as a result of the breach of security exceeds 10,000;
    (2) the breach of security involves a database, networked or integrated databases, or other data system containing the personal information of more than 1,000,000 individuals;
    (3) the breach of security involves databases owned by the Federal Government; or
    (4) the breach of security involves primarily personal information of individuals known to the covered entity to be employees or contractors of the Federal Government involved in national security or law enforcement.

  (c) Content of notices.

    (1) In general. Each notice under subsection (b) shall contain—
      (A) the date, estimated date, or estimated date range of the breach of security;
      (B) a description of the nature of the breach of security;
      (C) a description of each type of personal information that was or is reasonably believed to have been acquired or accessed as a result of the breach of security; and
      (D) a statement of each paragraph under subsection (b) that applies to the breach of security.

    (2) Construction. Nothing in this section shall be construed to require a covered entity to reveal specific or identifying information about an individual as part of the notice under paragraph (1).

  (d) Responsibilities of the designated entity. The designated entity shall promptly provide each notice it receives under subsection (b) to—
    (1) the United States Secret Service;
    (2) the Federal Bureau of Investigation;
    (3) the Federal Trade Commission;
    (4) the United States Postal Inspection Service, if the breach of security involves mail fraud;
    (5) the attorney general of each State affected by the breach of security; and
    (6) as appropriate, other Federal agencies for law enforcement, national security, or data security purposes.

  (e) Timing of notices. Notice under this section shall be delivered as follows:
    (1) Notice under subsection (b) shall be delivered as promptly as possible, but—
      (A) not less than 3 business days before notification to an individual under section 3; and
      (B) not later than 10 days after the date of discovery of the events requiring notice.
    (2) Notice under subsection (d) shall be delivered as promptly as possible, but not later than 1 business day after the date that the designated entity receives notice of a breach of security from a covered entity.

SEC. 5. APPLICATION AND ENFORCEMENT.

  (a) General application. The requirements of sections 2 and 3 shall apply to—
    (1) those persons, partnerships, or corporations over which the Commission has authority under section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
    (2) notwithstanding sections 4 and 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44 and 45(a)(2)), any non-profit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of the Internal Revenue Code of 1986.

  (b) Opt-in for certain other entities.

    (1) In general. Notwithstanding sections 4 and 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44 and 45(a)(2)), the requirements of section 3 shall apply to any other covered entity not included under subsection (a) that enters into an agreement with the Commission under which that covered entity would be subject to section 3 with respect to any acts or omissions that occur while the agreement is in effect and that may constitute a violation of section 3, if—
      (A) not less than 30 days prior to entering into the agreement with the person or entity, the Commission publishes notice in the Federal Register of the Commission's intent to enter into the agreement; and
      (B) not later than 14 business days after entering into the agreement with the person or entity, the Commission publishes in the Federal Register—
        (i) notice of the agreement;
        (ii) the identity of each person or entity covered by the agreement; and
        (iii) the effective date of the agreement.

    (2) Construction.

      (A) Other Federal law. An agreement under paragraph (1) shall not affect a covered entity's obligation to provide notice of a breach of security or similar event under any other Federal law.

      (B) No preemption prior to valid agreement. Subsections (a)(2) and (b) of section 7 shall not apply to a breach of security that occurs before a valid agreement under paragraph (1) is in effect.

  (c) Enforcement by the Federal Trade Commission.

    (1) Unfair or deceptive acts or practices. A violation of section 2 or 3 of this Act shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

    (2) Powers of Commission. The Commission shall enforce this Act in the same manner, by the same means, with the same jurisdiction, except as provided in subsections (a)(2) and (b) of this section, and with the same powers and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any covered entity who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act.

    (3) Limitation. In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.

  (d) Enforcement by State attorneys general.

    (1) Civil action. In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any covered entity who violates section 2 or section 3 of this Act, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction—
      (A) to enjoin further violation of such section by the defendant;
      (B) to compel compliance with such section; or
      (C) to obtain civil penalties in the amount determined under paragraph (2).

    (2) Civil penalties.

      (A) Calculation.
        (i) Treatment of violations of section 2. For purposes of paragraph (1)(C) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of days that a covered entity is not in compliance with such section by an amount not greater than $11,000.
        (ii) Treatment of violations of section 3. For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation.

      (B) Adjustment for inflation. Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amounts specified in clauses (i) and (ii) of subparagraph (A) and in clauses (i) and (ii) of subparagraph (C) shall be increased by the percentage increase in the
		Consumer Price Index published on that date from the Consumer Price Index
		published the previous year.(C)Maximum total
		liabilityNotwithstanding the number of actions which may be
		brought against a covered entity under this subsection, the maximum civil
		penalty for which any covered entity may be liable under this subsection shall
		not exceed—(i)$5,000,000 for
		each violation of section 2; and(ii)$5,000,000 for
		all violations of section 3 resulting from a single breach of
		security.(3)Intervention by
		the FTC(A)Notice and
		interventionThe State shall provide prior written notice of any
		action under paragraph (1) to the Commission and provide the Commission with a
		copy of its complaint, except in any case in which such prior notice is not
		feasible, in which case the State shall serve such notice immediately upon
		commencing such action. The Commission shall have the right—(i)to
		intervene in the action;(ii)upon
		so intervening, to be heard on all matters arising therein; and(iii)to
		file petitions for appeal.(B)Limitation on
		State action while Federal action is pendingIf the Commission
		has instituted a civil action for violation of this Act, no State attorney
		general, or official or agency of a State, may bring an action under this
		subsection during the pendency of that action against any defendant named in
		the complaint of the Commission for any violation of this Act alleged in the
		complaint.(4)ConstructionFor
		purposes of bringing any civil action under paragraph (1), nothing in this Act
		shall be construed to prevent an attorney general of a State from exercising
		the powers conferred on the attorney general by the laws of that State—(A)to conduct
		investigations;(B)to administer
		oaths or affirmations; or(C)to compel the
		attendance of witnesses or the production of documentary and other
		evidence.(e)Notice to Law
		Enforcement; Civil Enforcement by Attorney General(1)In
		generalThe Attorney General may bring a civil action in the
		appropriate United States district court against any covered entity that
		engages in conduct constituting a violation of section 4.(2)Penalties(A)In
		generalUpon proof of such conduct by a preponderance of the
		evidence, a covered entity shall be subject to a civil penalty of not more than
		$1,000 per individual whose personal information was or is reasonably believed
		to have been accessed or acquired as a result of the breach of security that is
		the basis of the violation, up to a maximum of $100,000 per day while such
		violation persists.(B)LimitationsThe
		total amount of the civil penalty assessed under this subsection against a
		covered entity for acts or omissions relating to a single breach of security
		shall not exceed $1,000,000, unless the conduct constituting a violation of
		section 4 was willful or intentional, in which case an additional civil
		penalty of up to $1,000,000 may be imposed.(C)Adjustment for
		inflationBeginning on the date that the Consumer Price Index is
		first published by the Bureau of Labor Statistics that is after 1 year after
		the date of enactment of this Act, and each year thereafter, the amounts
		specified in subparagraphs (A) and (B) shall be increased by the percentage
		increase in the Consumer Price Index published on that date from the Consumer
		Price Index published the previous year.(3)Injunctive
		actionsIf it appears that a covered entity has engaged, or is
		engaged, in any act or practice that constitutes a violation of section 4,
		the Attorney General may petition an appropriate United States district court
		for an order enjoining such practice or enforcing compliance with section
		4.(4)Issuance of
		orderA court may issue such an order under paragraph (3) if it
		finds that the conduct in question constitutes a violation of section
		4.(f)Concealment of
		breaches of security(1)In
		generalChapter 47 of title 18,
		United States Code, is amended by adding at the end the following:1041.Concealment
		  of breaches of security involving personal information(a)In
		  generalAny person who, having knowledge of a breach of security
		  and of the fact that notification of the breach of security is required under
		  the Data Security and Breach Notification Act of 2014, intentionally and willfully conceals the fact of the
		  breach of security, shall, in the event that the breach of security results in
		  economic harm to any individual in the amount of $1,000 or more, be fined under
		  this title, imprisoned for not more than 5 years, or both.(b)Person
		  definedFor purposes of subsection (a), the term
		  person has the same meaning as in
		  section
		  1030(e)(12) of this title.(c)Enforcement
		  authority(1)In
		  generalThe United States Secret Service and the Federal Bureau
		  of Investigation shall have the authority to investigate offenses under this
		  section.(2)ConstructionThe
		  authority granted in paragraph (1) shall not be exclusive of any existing
		  authority held by any other Federal
		  agency..(2)Conforming and
		technical amendmentsThe
		table of sections for
		chapter 47 of title 18,
		United States Code, is amended by adding at the end the following:1041. Concealment of breaches of
		  security involving personal
		  information..6.DefinitionsIn this Act:(1)Breach of
		security(A)In
		generalThe term breach of security means compromise
		of the security, confidentiality, or integrity of, or loss of, data in
		electronic form that results in, or there is a reasonable basis to conclude has
		resulted in, unauthorized access to or acquisition of personal information from
		a covered entity.(B)ExclusionsThe
		term breach of security does not include—(i)a good
		faith acquisition of personal information by a covered entity, or an employee
		or agent of a covered entity, if the personal information is not subject to
		further use or unauthorized disclosure;(ii)any
		lawfully authorized investigative, protective, or intelligence activity of a
		law enforcement or an intelligence agency of the United States, a State, or a
		political subdivision of a State; or(iii)the
		release of a public record not otherwise subject to confidentiality or
		nondisclosure requirements.(2)CommissionThe
		term Commission means the Federal Trade Commission.(3)Covered
		entityThe term covered entity means a sole
		proprietorship, partnership, corporation, trust, estate, cooperative,
		association, or other commercial entity, and any charitable, educational, or
		nonprofit organization, that acquires, maintains, or utilizes personal information.(4)Data in
		electronic formThe term data in electronic form
		means any data stored electronically or digitally on any computer system or
		other database, including recordable tapes and other mass storage
		devices.(5)Designated
		entityThe term designated entity means the Federal
		Government entity designated by the Secretary of Homeland Security under
		section 4.(6)EncryptionThe
		term encryption means the protection of data in electronic form in
		storage or in transit using an encryption technology that has been adopted by
		an established standards setting body which renders such data indecipherable in
		the absence of associated cryptographic keys necessary to enable decryption of
		such data. Such encryption must include appropriate management and safeguards
		of such keys to protect the integrity of the encryption.(7)Identity
		theftThe term identity theft means the unauthorized
		use of another person's personal information for the purpose of engaging in
		commercial transactions under the identity of such other person, including any
		contact that violates section 1028A of title 18, United States Code.(8)Major credit
		reporting agencyThe term major credit reporting
		agency means a consumer reporting agency that compiles and maintains
		files on consumers on a nationwide basis within the meaning of section 603(p)
		of the Fair Credit Reporting Act (15
		U.S.C. 1681a(p)).(9)Personal
		information(A)DefinitionThe
		term personal information means any information or compilation of
		information that includes—(i)a
		non-truncated social security number;(ii)a
		financial account number or credit or debit card number in combination with any
		security code, access code, or password that is required for an individual to
		obtain credit, withdraw funds, or engage in a financial transaction; or(iii)an
		individual’s first and last name or first initial and last name in combination
		with—(I)a driver’s license number, a passport number,
		or an alien registration number, or other similar number issued on a government
		document used to verify identity;(II)unique
		biometric data such as a finger print, voice print, retina or iris image, or
		any other unique physical representation;(III)a
		unique account identifier, electronic identification number, user name, or
		routing code in combination with any associated security code, access code, or
		password that is required for an individual to obtain money, goods, services,
		or any other thing of value; or(IV)2 of the
		following:(aa)Home
		address or telephone number.(bb)Mother’s
		maiden name, if identified as such.(cc)Month, day,
		and year of birth.(B)Modified
		definition by rulemakingIf the Commission determines that the
		definition under subparagraph (A) is not reasonably sufficient to protect
		individuals from identity theft, fraud, or other unlawful conduct, the
		Commission by rule promulgated under section 553 of title 5, United States
		Code, may modify the definition of personal information under
		subparagraph (A) to the extent the modification will not unreasonably impede
		interstate commerce.(10)Service
		providerThe term service provider means a person
		that provides electronic data transmission, routing, intermediate and transient
		storage, or connections to its system or network, where the person providing
		such services does not select or modify the content of the electronic data, is
		not the sender or the intended recipient of the data, and does not
		differentiate personal information from other information that such person
		transmits, routes, or stores, or for which such person provides connections.
		Any such person shall be treated as a service provider under this Act only to
		the extent that it is engaged in the provision of such transmission, routing,
		intermediate and transient storage, or connections.7.Effect on
		other laws(a)Preemption of
		state information security laws(1)Covered entities under section 5(a)With respect to a covered entity subject to the Act under section 5(a), this Act supersedes any provision
		of a statute, regulation, or rule of a State or political subdivision of a
		State that expressly—(A)requires
		information security practices and treatment of data containing personal
		information similar to any of those required under section 2; or(B)requires
		notification to individuals of a breach of security as defined in section
		6.(2)Covered entities under section 5(b)With respect to a covered entity subject to the Act under section 5(b), this Act supersedes any provision
		of a statute, regulation, or rule of a State or political subdivision of a
		State that expressly requires
		notification to individuals of a breach of security as defined in section
		6.(b)Additional
		preemption(1)In
		generalNo person other than a person specified in section 5(d)
		may bring a civil action under the laws of any State if such action is premised
		in whole or in part upon the defendant violating any provision of this
		Act.(2)Protection of
		consumer protection lawsExcept as provided in subsection (a) of
		this section, this subsection shall not be construed to limit the enforcement
		of any State consumer protection law by an attorney general of a State.(c)Protection of
		certain State lawsThis Act shall not be construed to preempt the
		applicability of—(1)State trespass,
		contract, or tort law; or(2)any
		other State laws to the extent that those laws relate to acts of fraud.(d)Preservation of
		FTC authorityNothing in this Act may be construed in any way to
		limit or affect the Commission's authority under any other provision of
		law.8.Effective
		dateThis Act  and the amendments made by this Act shall take
		effect 1 year after the date of enactment of this Act.