[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 1995 Introduced in Senate (IS)]

113th CONGRESS
  2d Session
                                S. 1995

  To protect consumers by mitigating the vulnerability of personally 
identifiable information to theft through a security breach, providing 
notice and remedies to consumers in the wake of such a breach, holding 
   companies accountable for preventable breaches, facilitating the 
  sharing of post-breach technical information between companies, and 
 enhancing criminal and civil penalties and other protections against 
     the unauthorized collection or use of personally identifiable 
                              information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            February 4, 2014

 Mr. Blumenthal (for himself and Mr. Markey) introduced the following 
    bill; which was read twice and referred to the Committee on the 
                               Judiciary

_______________________________________________________________________

                                 A BILL


 
  To protect consumers by mitigating the vulnerability of personally 
identifiable information to theft through a security breach, providing 
notice and remedies to consumers in the wake of such a breach, holding 
   companies accountable for preventable breaches, facilitating the 
  sharing of post-breach technical information between companies, and 
 enhancing criminal and civil penalties and other protections against 
     the unauthorized collection or use of personally identifiable 
                              information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Personal Data 
Protection and Breach Accountability Act of 2014''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Concealment of security breaches involving sensitive 
                            personally identifiable information.
Sec. 102. Unauthorized manipulation of Internet traffic on a user's 
                            computer.
  TITLE II--PRIVACY AND SECURITY OF SENSITIVE PERSONALLY IDENTIFIABLE 
                              INFORMATION

            Subtitle A--A Data Privacy and Security Program

Sec. 201. Purpose and applicability of data privacy and security 
                            program.
Sec. 202. Requirements for a personal data privacy and security 
                            program.
Sec. 203. Federal enforcement.
Sec. 204. Enforcement by State Attorneys General.
Sec. 205. Supplemental enforcement by individuals.
                Subtitle B--Security Breach Notification

Sec. 211. Notice to individuals.
Sec. 212. Exemptions from notice to individuals.
Sec. 213. Methods of notice to individuals.
Sec. 214. Content of notice to individuals.
Sec. 215. Remedies for security breach.
Sec. 216. Notice to credit reporting agencies.
Sec. 217. Notice to law enforcement.
Sec. 218. Federal enforcement.
Sec. 219. Enforcement by State attorneys general.
Sec. 220. Supplemental enforcement by individuals.
Sec. 221. Relation to other laws.
Sec. 222. Authorization of appropriations.
Sec. 223. Reporting on risk assessment exemptions.
      Subtitle C--Post-Breach Technical Information Clearinghouse

Sec. 230. Clearinghouse information collection, maintenance, and 
                            access.
Sec. 231. Protections for clearinghouse participants.
Sec. 232. Effective date.
            TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA

Sec. 301. General services administration review of contracts.
Sec. 302. Requirement to audit information security practices of 
                            contractors and third-party business 
                            entities.
Sec. 303. Privacy impact assessment of government use of commercial 
                            information services containing sensitive 
                            personally identifiable information.
Sec. 304. FBI report on reported breaches and compliance.
Sec. 305. Department of Justice report on enforcement actions.
Sec. 306. Report on notification effectiveness.
         TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

Sec. 401. Budget compliance.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) databases of personally identifiable information are 
        increasingly prime targets of hackers, identity thieves, rogue 
        employees, and other criminals, including organized and 
        sophisticated criminal operations;
            (2) identity theft is a serious threat to the Nation's 
        economic stability, homeland security, the development of e-
        commerce, and the privacy rights of people in the United 
        States;
            (3) over 9,300,000 individuals were victims of identity 
        theft in the United States in 2010;
            (4) security breaches are a serious threat to consumer 
        confidence, homeland security, e-commerce, and economic 
        stability;
            (5) it is important for business entities that own, use, or 
        license personally identifiable information to adopt reasonable 
        procedures to ensure the security, privacy, and confidentiality 
        of that personally identifiable information;
            (6) individuals whose personal information has been 
        compromised or who have been victims of identity theft should 
        receive the necessary information and assistance to mitigate 
        their damages and to restore the integrity of their personal 
        information and identities;
            (7) data misuse and use of inaccurate data have the 
        potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government operations;
            (8) there is a need to ensure that data brokers conduct 
        their operations in a manner that prioritizes fairness, 
        transparency, accuracy, and respect for the privacy of 
        consumers;
            (9) government access to commercial data can potentially 
        improve safety, law enforcement, and national security;
            (10) because government use of commercial data containing 
        personal information potentially affects individual privacy, 
        and law enforcement and national security operations, there is 
        a need for Congress to exercise oversight over government use 
        of commercial data;
            (11) over 22,960,000 cases of data breaches involving 
        personally identifiable information were reported through July 
        of 2011, and in 2009 through 2010, over 230,900,000 cases of 
        personal data breaches were reported;
            (12) facilitating information sharing among business 
        entities and across sectors in the event of a breach can assist 
        in remediating the breach and preventing similar breaches in 
        the future;
            (13) because the Federal Government has limited resources, 
        consumers themselves play a vital and complementary role in 
        facilitating prompt notification and protecting against future 
        breaches of security;
            (14) in addition to the immediate damages caused by 
        security breaches, the lack of basic remedial requirements 
        often forces individuals whose sensitive personally 
        identifiable information is compromised as a result of a 
        security breach to incur the economic costs of litigation to 
        seek remedies, and the economic costs of fees required in many 
        States to freeze compromised accounts; and
            (15) victims of personal data breaches may suffer 
        debilitating emotional and physical effects and become 
        depressed or anxious, especially in cases of repeated or 
        unresolved instances of data breaches.

SEC. 3. DEFINITIONS.

    (a) In General.--In this Act, the following definitions shall 
apply:
            (1) Affiliate.--The term ``affiliate'' means persons 
        related by common ownership or by corporate control.
            (2) Agency.--The term ``agency'' has the meaning given the 
        term in section 551 of title 5, United States Code.
            (3) Business entity.--The term ``business entity'' means 
        any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or venture 
        established to make a profit, or nonprofit.
            (4) Credit rating agency.--The term ``credit rating 
        agency'' has the meaning given the term in section 3(a)(61) of 
        the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(61)).
            (5) Credit report.--The term ``credit report'' means a 
        consumer report, as that term is defined in section 603(d) of 
        the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).
            (6) Data broker.--The term ``data broker'' means a business 
        entity which for monetary fees or dues regularly engages in the 
        practice of collecting, transmitting, or providing access to 
        sensitive personally identifiable information on more than 
        5,000 individuals who are not the customers or employees of 
        that business entity or affiliate primarily for the purposes of 
        providing such information to nonaffiliated third parties on an 
        interstate basis.
            (7) Designated entity.--The term ``designated entity'' 
        means the Federal Government entity designated under section 
        217(a).
            (8) Encryption.--The term ``encryption''--
                    (A) means the protection of data in electronic 
                form, in storage or in transit, using an encryption 
                technology that has been generally accepted by experts 
                in the field of information security that renders such 
                data indecipherable in the absence of associated 
                cryptographic keys necessary to enable decryption of 
                such data; and
                    (B) includes appropriate management and safeguards 
                of such cryptographic keys so as to protect the 
                integrity of the encryption.
            (9) Identity theft.--The term ``identity theft'' means a 
        violation of section 1028(a)(7) of title 18, United States 
        Code.
            (10) Intelligence community.--The term ``intelligence 
        community'' includes the following:
                    (A) The Office of the Director of National 
                Intelligence.
                    (B) The Central Intelligence Agency.
                    (C) The National Security Agency.
                    (D) The Defense Intelligence Agency.
                    (E) The National Geospatial-Intelligence Agency.
                    (F) The National Reconnaissance Office.
                    (G) Other offices within the Department of Defense 
                for the collection of specialized national intelligence 
                through reconnaissance programs.
                    (H) The intelligence elements of the Army, the 
                Navy, the Air Force, the Marine Corps, the Federal 
                Bureau of Investigation, and the Department of Energy.
                    (I) The Bureau of Intelligence and Research of the 
                Department of State.
                    (J) The Office of Intelligence and Analysis of the 
                Department of the Treasury.
                    (K) The elements of the Department of Homeland 
                Security concerned with the analysis of intelligence 
                information, including the Office of Intelligence of 
                the Coast Guard.
                    (L) Such other elements of any other department or 
                agency as may be designated by the President, or 
                designated jointly by the Director of National 
                Intelligence and the head of the department or agency 
                concerned, as an element of the intelligence community.
            (11) Predispute arbitration agreement.--The term 
        ``predispute arbitration agreement'' means any agreement to 
        arbitrate a dispute that had not yet arisen at the time of the 
        making of the agreement.
            (12) Public record source.--The term ``public record 
        source'' means the Congress, any agency, any State or local 
        government agency, the government of the District of Columbia 
        and governments of the territories or possessions of the United 
        States, and Federal, State or local courts, courts martial and 
        military commissions, that maintain personally identifiable 
        information in records available to the public.
            (13) Security breach.--
                    (A) In general.--The term ``security breach'' means 
                compromise of the security, confidentiality, or 
                integrity of, or the loss of, computerized data through 
                misrepresentation or actions that result in, or that 
                there is a reasonable basis to conclude has resulted 
                in--
                            (i) the unauthorized acquisition of 
                        sensitive personally identifiable information; 
                        or
                            (ii) access to sensitive personally 
                        identifiable information that is for an 
                        unauthorized purpose, or in excess of 
                        authorization.
                    (B) Exclusion.--The term ``security breach'' does 
                not include--
                            (i) a good faith acquisition of sensitive 
                        personally identifiable information by a 
                        business entity or agency, or an employee or 
                        agent of a business entity or agency, if the 
                        sensitive personally identifiable information 
                        is not subject to further unauthorized 
                        disclosure;
                            (ii) the release of a public record not 
                        otherwise subject to confidentiality or 
                        nondisclosure requirements or the release of 
                        information obtained from a public record; or
                            (iii) any lawfully authorized criminal 
                        investigation or authorized investigative, 
                        protective, or intelligence activities that are 
                        carried out by or on behalf of any element of 
                        the intelligence community and conducted in 
                        accordance with the United States laws, 
                        authorities, and regulations governing such 
                        intelligence activities.
            (14) Security freeze.--The term ``security freeze'' means a 
        notice, at the request of the consumer and subject to 
        exceptions in section 215(b), that prohibits the consumer 
        reporting agency from releasing all or any part of the 
        consumer's credit report or any information derived from it 
        without the express authorization of the consumer.
            (15) Sensitive personally identifiable information.--The 
        term ``sensitive personally identifiable information'' means 
        any information or compilation of information, in electronic or 
        digital form that includes the following:
                    (A) An individual's first and last name or first 
                initial and last name in combination with any 2 of the 
                following data elements:
                            (i) Home address.
                            (ii) Telephone number of the individual.
                            (iii) Mother's maiden name.
                            (iv) Month, day, and year of birth.
                    (B) A non-truncated social security number, 
                driver's license number, passport number, or alien 
                registration number or other government-issued unique 
                identification number.
                    (C) Information about an individual's geographic 
                location that is in whole or in part generated by or 
                derived from that individual's use of a wireless 
                communication device or other electronic device, 
                excluding telephone and instrument numbers and network 
                or Internet Protocol addresses.
                    (D) Unique biometric data such as a fingerprint, 
                voice print, face print, a retina or iris image, or any 
                other unique physical representation.
                    (E) A unique account identifier, including a 
                financial account number or credit or debit card 
                number, electronic identification number, user name, 
                health insurance policy or subscriber identification 
                number, or routing code.
                    (F) Not less than 2 of the following data elements:
                            (i) An individual's first and last name or 
                        first initial and last name.
                            (ii) A unique account identifier, including 
                        a financial account number or credit or debit 
                        card number, electronic identification number, 
                        user name, or routing code.
                            (iii) Any security code, access code, or 
                        password, or source code that could be used to 
                        generate such codes and passwords.
                            (iv) Information regarding an individual's 
                        medical history, mental or physical medical 
                        condition, or medical treatment or diagnosis by 
                        a health care professional.
                    (G) Any other combination of data elements that 
                could allow unauthorized access to or acquisition of 
                the information described in subparagraph (A), (B), 
                (C), (D), (E), or (F), including--
                            (i) a unique account identifier;
                            (ii) an electronic identification number;
                            (iii) a user name;
                            (iv) a routing code; or
                            (v) any associated security code, access 
                        code, or password or any associated security 
                        questions and answers that could allow 
                        unauthorized access to the account.
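The definition in paragraph (15) is a set of combination rules rather than a list of fields, and in a breach review the first practical question is which exported records fall inside it. The following Python encodes the rules as written, including the two details that are easy to miss: a truncated government identifier does not trigger subparagraph (B), and the account-identifier list in (F)(ii) omits the health insurance number that (E) includes. This is an added example and not part of the bill or of any implementing regulation; the record field names, the truncation heuristic in `is_non_truncated`, and the sample records are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Record schema used by this example (an assumption for illustration; the bill
# names data elements, not field names). Every value is an optional string.
Record = Dict[str, str]

A_ELEMENTS = ("home_address", "telephone", "mothers_maiden_name", "date_of_birth")
GOVT_ID_FIELDS = ("ssn", "drivers_license", "passport", "alien_registration",
                  "government_id")
# Subparagraph (E) lists account identifiers including a health insurance
# policy/subscriber number; the (F)(ii) list omits that one element.
E_ACCOUNT_FIELDS = ("account_number", "card_number", "electronic_id", "user_name",
                    "health_insurance_id", "routing_code")
F_ACCOUNT_FIELDS = tuple(f for f in E_ACCOUNT_FIELDS if f != "health_insurance_id")
SECRET_FIELDS = ("password", "security_code", "access_code", "security_qa")
MEDICAL_FIELDS = ("medical_history", "medical_condition", "medical_treatment")

_MASK_CHARS = re.compile(r"[*xX#]")


def _present(record: Record, fields) -> List[str]:
    """Names of the given fields that carry a non-empty value."""
    return [f for f in fields if record.get(f)]


def has_name(record: Record) -> bool:
    """First-and-last or first-initial-and-last name, as in (A) and (F)(i)."""
    return bool(record.get("last_name")) and bool(
        record.get("first_name") or record.get("first_initial"))


def is_non_truncated(field: str, value: str) -> bool:
    """Subparagraph (B) covers only non-truncated identifiers.

    Assumption for this example: any masking character marks a truncated
    value, an SSN must carry all 9 digits, and other identifiers need at
    least 6 alphanumeric characters to count as the full number.
    """
    if _MASK_CHARS.search(value):
        return False
    if field == "ssn":
        return len(re.sub(r"\D", "", value)) == 9
    return len(re.sub(r"[^A-Za-z0-9]", "", value)) >= 6


def classify_spii(record: Record) -> List[str]:
    """Return the subparagraphs of section 3(a)(15) the record satisfies."""
    hits: List[str] = []
    name = has_name(record)
    accounts_e = _present(record, E_ACCOUNT_FIELDS)
    accounts_f = _present(record, F_ACCOUNT_FIELDS)
    secrets = _present(record, SECRET_FIELDS)
    medical = _present(record, MEDICAL_FIELDS)

    # (A): name plus any 2 of address, phone, mother's maiden name, full DOB
    if name and len(_present(record, A_ELEMENTS)) >= 2:
        hits.append("A")
    # (B): a non-truncated government-issued identification number
    if any(is_non_truncated(f, record[f]) for f in _present(record, GOVT_ID_FIELDS)):
        hits.append("B")
    # (C): device-derived geolocation (phone numbers and IP addresses excluded)
    if record.get("device_location"):
        hits.append("C")
    # (D): unique biometric data
    if record.get("biometric"):
        hits.append("D")
    # (E): a unique account identifier on its own
    if accounts_e:
        hits.append("E")
    # (F): at least 2 of name, account identifier, secret, medical information
    if sum([name, bool(accounts_f), bool(secrets), bool(medical)]) >= 2:
        hits.append("F")
    # (G): an identifier combined with a secret that unlocks the account
    if accounts_e and secrets:
        hits.append("G")
    return hits


def breach_scope(records: List[Record]) -> Dict[str, int]:
    """Count records containing SPII and how often each subparagraph fired.

    Records with no hit fall outside the definition; the 'records' count is
    the population a notification decision would start from.
    """
    summary: Dict[str, int] = {"records": 0}
    for rec in records:
        hits = classify_spii(rec)
        if hits:
            summary["records"] += 1
        for h in hits:
            summary[h] = summary.get(h, 0) + 1
    return summary


# Constructed sample export (not real data) of the kind a breach review sees.
SAMPLE_RECORDS: List[Record] = [
    {"first_name": "Ada", "last_name": "Lovelace",
     "home_address": "1 Example St", "telephone": "555-0100"},          # (A)
    {"last_name": "Babbage", "ssn": "***-**-1234"},                      # truncated: none
    {"last_name": "Babbage", "ssn": "123-45-6789"},                      # (B)
    {"user_name": "ada", "password": "correct horse"},                   # (E),(F),(G)
    {"first_initial": "A", "last_name": "Lovelace",
     "home_address": "1 Example St"},                                    # only 1 of (A): none
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_spii(rec), rec)
    print(breach_scope(SAMPLE_RECORDS))
```

Note that a bare user name satisfies (E) on its own, while a name and a street address together satisfy nothing; the subparagraph letters in the result tell a reviewer which rule made a record reportable, which matters when the exemption reporting in later sections has to be justified.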
            (16) Service provider.--
                    (A) In general.--The term ``service provider'' 
                means a business entity that--
                            (i) provides electronic data transmission, 
                        routing, intermediate and transient storage, or 
                        connections to the system or network of the 
                        business entity;
                            (ii) is not the sender or the intended 
                        recipient of the data;
                            (iii) is not ordinarily expected to select 
                        or modify the content of the electronic data; 
                        and
                            (iv) transmits, routes, stores, or provides 
                        connections for personal information in a 
                        manner that personal information is 
                        undifferentiated from other types of data that 
                        such business entity transmits, routes, stores, 
                        or provides connections.
                    (B) Savings clause.--Any such business entity shall 
                be treated as a service provider under this Act only to 
                the extent that the business entity is engaged in the 
                provision of the transmission, routing, intermediate 
                and transient storage or connections described in 
                subparagraph (A).
    (b) Modified Definition by Rulemaking.--The Federal Trade 
Commission may, by rule promulgated under section 553 of title 5, 
United States Code, modify the definition of ``sensitive personally 
identifiable information'' in a manner consistent with the purposes of 
this Act and to the extent that such modification will not unreasonably 
impede interstate commerce.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

SEC. 101. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:
``Sec. 1041. Concealment of security breaches involving sensitive 
              personally identifiable information
    ``(a) Whoever, having knowledge of a security breach and of the 
fact that notice of such security breach is required under title II of 
the Personal Data Protection and Breach Accountability Act of 2014, 
intentionally or willfully conceals the fact of such security breach 
shall, in the event that such security breach results in economic harm 
or substantial emotional distress to 1 or more persons, be fined under 
this title or imprisoned not more than 5 years, or both.
    ``(b) For purposes of subsection (a), the term `person' has the 
meaning given the term in section 1030(e)(12) of title 18, United 
States Code.
    ``(c) Any person seeking an exemption under section 212(b) of the 
Personal Data Protection and Breach Accountability Act of 2014 shall be 
immune from prosecution under this section if the United States Secret 
Service does not indicate, in writing, that such notice be given under 
section 212(b)(1)(B) of the Personal Data Protection and Breach 
Accountability Act of 2014.''.
    (b) Conforming and Technical Amendments.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

``1041. Concealment of security breaches involving sensitive personally 
                            identifiable information.''.
    (c) Enforcement Authority.--
            (1) In general.--The United States Secret Service and the 
        Federal Bureau of Investigation shall have the authority to 
        investigate offenses under section 1041 of title 18, United 
        States Code, as added by subsection (a).
            (2) Nonexclusivity.--The authority granted in paragraph (1) 
        shall not be exclusive of any existing authority held by any 
        other Federal agency.

SEC. 102. UNAUTHORIZED MANIPULATION OF INTERNET TRAFFIC ON A USER'S 
              COMPUTER.

    (a) Definition.--In this section, the term ``protected computer'' 
has the meaning given the term in section 1030(e)(2) of title 18, 
United States Code.
    (b) Prohibition.--
            (1) In general.--Unless a service provider provides a clear 
        and conspicuous disclosure of data collected in the process of 
        intercepting a web search or query entered by an authorized 
        user of a protected computer, and obtains the consent of an 
        authorized user of the protected computer prior to any such 
        action, it shall be unlawful for a service provider to 
        knowingly or intentionally--
                    (A) bypass the display of search engine results and 
                redirect web searches or queries entered by an 
                authorized user of a protected computer directly to a 
                commercial website, counterfeit web page, or targeted 
                advertisement and derive an economic benefit from such 
                activity; or
                    (B) monitor, manipulate, aggregate, and market the 
                data collected in the process of intercepting a web 
                search or query entered by an authorized user of a 
                protected computer and derive an economic benefit from 
                such activity.
            (2) Consent.--A service provider may not require consent to 
        perform the collection of data described in paragraph (1) as a 
        condition of providing service to an authorized user of the 
        protected computer.
    (c) Limitations on Liability.--The restrictions imposed under this 
section do not apply to any monitoring of, or interaction with, a 
subscriber's Internet or other network connection or service, or a 
protected computer, by or at the direction of a telecommunications 
carrier, cable operator, computer hardware or software provider, 
financial institution or provider of information services or 
interactive computer service for--
            (1) network or computer security purposes;
            (2) diagnostics;
            (3) technical support;
            (4) repair;
            (5) network management;
            (6) authorized updates of software or system firmware;
            (7) authorized remote system management;
            (8) authorized provision of protection for users of the 
        computer from objectionable content;
            (9) authorized scanning for computer software used in 
        violation of this section for removal by an authorized user; or
            (10) detection or prevention of fraud.
    (d) Enforcement by the Attorney General.--
            (1) Liability and penalty for violations.--Any person who 
        engages in an activity in violation of this section shall be 
        fined not more than $500,000.
            (2) Enhanced liability and penalties for pattern or 
        practice of violations.--
                    (A) In general.--Any person who engages in a 
                pattern or practice of activity that violates the 
                provisions of this section shall be fined not more than 
                $1,000,000.
                    (B) Treatment of single action or conduct.--For 
                purposes of subparagraph (A), any single action or 
                conduct that violates this section with respect to 
                multiple protected computers shall be construed as a 
                single violation.
            (3) Considerations.--In determining the amount of any 
        penalty under paragraph (1) or (2), the court shall take into 
        account--
                    (A) the degree of culpability of the defendant;
                    (B) any history of prior such conduct;
                    (C) the ability of the defendant to pay any fine 
                imposed;
                    (D) the effect on the ability of the defendant to 
                continue to do business; and
                    (E) such other matters as justice may require.

  TITLE II--PRIVACY AND SECURITY OF SENSITIVE PERSONALLY IDENTIFIABLE 
                              INFORMATION

            Subtitle A--A Data Privacy and Security Program

SEC. 201. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Purpose.--The purpose of this subtitle is to ensure standards 
for developing and implementing administrative, technical, and physical 
safeguards to protect the security of sensitive personally identifiable 
information.
    (b) In General.--A business entity engaging in interstate commerce 
that involves collecting, accessing, transmitting, using, storing, or 
disposing of sensitive personally identifiable information in 
electronic or digital form on 10,000 or more United States persons is 
subject to the requirements for a data privacy and security program 
under section 202 for protecting sensitive personally identifiable 
information.
    (c) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to the following:
            (1) Financial institutions.--A financial institution 
        subject to the data security requirements and standards under 
        section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) and 
        subject to the jurisdiction of an agency or authority described 
        in section 505(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 
        6805(a)), if the Federal functional regulator (as defined in 
        section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)) 
        with jurisdiction over that financial institution has issued a 
        regulation under title V of the Gramm-Leach-Bliley Act (15 
        U.S.C. 6801 et seq.) that requires financial institutions 
        within its jurisdiction to provide notification to individuals 
        following a breach of security.
            (2) HIPAA regulated entities.--
                    (A) Covered entities.--A business entity subject to 
                the Health Insurance Portability and Accountability Act 
                of 1996 (42 U.S.C. 1301 et seq.), including the data 
                security requirements and implementing regulations of 
                that Act.
                    (B) Compliance.--A business entity that--
                            (i) is acting as a business associate, as 
                        that term is defined under the Health Insurance 
                        Portability and Accountability Act of 1996 (42 
                        U.S.C. 1301 et seq.) and is in compliance with 
                        the requirements imposed under that Act and 
                        implementing regulations promulgated under that 
                        Act; and
                            (ii) is subject to, and currently in 
                        compliance, with the privacy and data security 
                        requirements under sections 13401 and 13404 of 
                        division A of the American Recovery and 
                        Reinvestment Act of 2009 (42 U.S.C. 17931 and 
                        17934) and implementing regulations promulgated 
                        under such sections.
            (3) Service providers.--A service provider for any 
        electronic communication by a third party, to the extent that 
        the service provider is exclusively engaged in the 
        transmission, routing, or temporary, intermediate, or transient 
        storage of that communication.
            (4) Public records.--Public records not otherwise subject 
        to a confidentiality or nondisclosure requirement, or 
        information obtained from a public record, including 
        information obtained from a news report or periodical.
    (d) Rule of Construction.--Nothing in this subtitle shall be 
construed to modify, limit, or supersede the operation of the 
provisions of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), or 
its implementing regulations, including such regulations adopted or 
enforced by the States.

SEC. 202. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Personal Data Privacy and Security Program.--A business entity 
subject to this subtitle shall comply with the following safeguards and 
any other administrative, technical, or physical safeguards identified 
by the Federal Trade Commission in a rulemaking process pursuant to 
section 553 of title 5, United States Code, for the protection of 
sensitive personally identifiable information:
            (1) Scope.--A business entity shall implement a 
        comprehensive personal data privacy and security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity of the business entity 
        and the nature and scope of its activities.
            (2) Design.--The personal data privacy and security program 
        shall be designed to--
                    (A) ensure the privacy, security, and 
                confidentiality of sensitive personally identifiable 
                information;
                    (B) protect against any anticipated vulnerabilities 
                to the privacy, security, or integrity of sensitive 
                personally identifiable information; and
                    (C) protect against unauthorized access to or use 
                of sensitive personally identifiable information that 
                could create a significant risk of harm to any 
                individual.
            (3) Risk assessment.--A business entity shall--
                    (A) identify reasonably foreseeable internal and 
                external vulnerabilities that could result in 
                unauthorized access, disclosure, use, or alteration of 
                sensitive personally identifiable information or 
                systems containing sensitive personally identifiable 
                information;
                    (B) assess the likelihood of and potential damage 
                from unauthorized access, disclosure, use, or 
                alteration of sensitive personally identifiable 
                information;
                    (C) assess the sufficiency of its policies, 
                technologies, and safeguards in place to control and 
                minimize risks from unauthorized access, disclosure, 
                use, or alteration of sensitive personally identifiable 
                information; and
                    (D) assess the vulnerability of sensitive 
                personally identifiable information during destruction 
                and disposal of such information, including through the 
                disposal or retirement of hardware.
            (4) Risk management and control.--Each business entity 
        shall--
                    (A) design its personal data privacy and security 
                program to control the risks identified under paragraph 
                (3); and
                    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, and scope of the activities of the business 
                entity that--
                            (i) control access to systems and 
                        facilities containing sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;
                            (ii) detect, record, and preserve 
                        information relevant to actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        disclosure, use, or alteration of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access;
                            (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption, redaction, or access controls that 
                        are widely accepted as an effective industry 
                        practice or industry standard, or other 
                        reasonable means (including as directed for 
                        disposal of records under section 628 of the 
                        Fair Credit Reporting Act (15 U.S.C. 1681w) and 
                        the implementing regulations of such Act as set 
                        forth in section 682 of title 16, Code of 
                        Federal Regulations);
                            (iv) ensure that sensitive personally 
                        identifiable information is properly destroyed 
                        and disposed of, including during the 
                        destruction of computers, diskettes, and other 
                        electronic media that contain sensitive 
                        personally identifiable information;
                            (v) trace access to records containing 
                        sensitive personally identifiable information 
                        so that the business entity can determine who 
                        accessed or acquired such sensitive personally 
                        identifiable information pertaining to specific 
                        individuals;
                            (vi) ensure that no third party or customer 
                        of the business entity is authorized to access 
                        or acquire sensitive personally identifiable 
                        information without the business entity first 
                        performing sufficient due diligence to 
                        ascertain, with reasonable certainty, that such 
                        information is being sought for a valid legal 
                        purpose; and
                            (vii) minimize the amount of personal 
                        information maintained by the business entity, 
                        providing for the retention of such personal 
                        information only as reasonably needed for the 
                        business purposes of the business entity or as 
                        necessary to comply with any other provision of 
                        law.
    (b) Training.--Each business entity subject to this subtitle shall 
take steps to ensure employee training and supervision for 
implementation of the data security program of the business entity.
    (c) Vulnerability Testing.--
            (1) In general.--Each business entity subject to this 
        subtitle shall take steps to ensure regular testing of key 
        controls, systems, and procedures of the personal data privacy 
        and security program to detect, prevent, and respond to attacks 
        or intrusions, or other system failures.
            (2) Frequency.--The frequency and nature of the tests 
        required under paragraph (1) shall be determined by the risk 
        assessment of the business entity under subsection (a)(3).
    (d) Certain Relationship to Providers of Services.--In the event a 
business entity subject to this subtitle engages a person or entity not 
subject to this subtitle (other than a service provider) to receive 
sensitive personally identifiable information in performing services or 
functions (other than the services or functions provided by a service 
provider) on behalf of and under the instruction of such business 
entity, such business entity shall--
            (1) exercise appropriate due diligence in selecting the 
        person or entity for responsibilities related to sensitive 
        personally identifiable information, and take reasonable steps 
        to select and retain a person or entity that is capable of 
        maintaining appropriate safeguards for the security, privacy, 
        and integrity of the sensitive personally identifiable 
        information at issue; and
            (2) require the person or entity by contract to implement 
        and maintain appropriate measures designed to meet the 
        objectives and requirements governing entities subject to 
        section 201, this section, and subtitle B.
    (e) Periodic Assessment and Personal Data Privacy and Security 
Modernization.--Each business entity subject to this subtitle shall on 
a regular basis monitor, evaluate, and adjust, as appropriate, its data 
privacy and security program in light of any relevant changes in--
            (1) technology;
            (2) the sensitivity of sensitive personally identifiable 
        information;
            (3) internal or external threats to sensitive personally 
        identifiable information; and
            (4) the changing business arrangements of the business 
        entity, such as--
                    (A) mergers and acquisitions;
                    (B) alliances and joint ventures;
                    (C) outsourcing arrangements;
                    (D) bankruptcy; and
                    (E) changes to sensitive personally identifiable 
                information systems.
    (f) Implementation Timeline.--Not later than 1 year after the date 
of enactment of this Act, a business entity subject to the provisions 
of this subtitle shall implement a data privacy and security program 
pursuant to this subtitle.

SEC. 203. FEDERAL ENFORCEMENT.

    (a) Civil Penalties.--
            (1) In general.--The Attorney General may bring a civil 
        action in the appropriate United States district court against 
        any business entity that engages in conduct constituting a 
        violation of this subtitle and, upon proof of such conduct by a 
        preponderance of the evidence, such business entity shall be 
        subject to a civil penalty of not more than $5,000 per 
        violation per day while such a violation exists, with a maximum 
        of $20,000,000 per violation, unless such conduct is found to 
        be willful or intentional.
            (2) Intentional or willful violation.--A business entity 
        that intentionally or willfully violates the provisions of this 
        subtitle shall be subject to additional penalties in the amount 
        of $5,000 per violation per day while such a violation exists.
            (3) Considerations.--In determining the amount of a civil 
        penalty under this subsection, the court shall take into 
        account--
                    (A) the degree of culpability of the business 
                entity;
                    (B) any prior violations of this subtitle by the 
                business entity;
                    (C) the ability of the business entity to pay a 
                civil penalty;
                    (D) the effect on the ability of the business 
                entity to continue to do business;
                    (E) the number of individuals whose sensitive 
                personally identifiable information was compromised by 
                the breach;
                    (F) the relative cost of compliance with this 
                subtitle; and
                    (G) such other matters as justice may require.
    (b) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a business entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (c) Other Rights and Remedies.--The rights and remedies available 
under this section are cumulative and shall not affect any other rights 
and remedies available under law.

SEC. 204. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) Civil Actions.--
            (1) In general.--In any case in which the attorney general 
        of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the acts or 
        practices of a business entity that violate this subtitle, the 
        State may bring a civil action on behalf of the residents of 
        that State in a district court of the United States of 
        appropriate jurisdiction, or any other court of competent 
        jurisdiction, to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this subtitle; or
                    (C) obtain civil penalties of not more than $5,000 
                per violation per day while such violations persist, up 
                to a maximum of $20,000,000 per violation.
            (2) Considerations.--In determining the amount of a civil 
        penalty under this subsection, the court shall take into 
        account--
                    (A) the degree of culpability of the business 
                entity;
                    (B) any prior violations of this subtitle by the 
                business entity;
                    (C) the ability of the business entity to pay a 
                civil penalty;
                    (D) the effect on the ability of the business 
                entity to continue to do business;
                    (E) the number of individuals whose sensitive 
                personally identifiable information was compromised by 
                the breach;
                    (F) the relative cost of compliance with this 
                subtitle; and
                    (G) such other matters as justice may require.
            (3) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Attorney General--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an attorney 
                general of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in this 
                subparagraph before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described in subparagraph (B), the attorney general of 
                a State shall provide the written notice and a copy of 
                the complaint to the Attorney General as soon after the 
                filing of the complaint as practicable.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(3), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action described in 
        subsection (c);
            (2) initiate an action in the appropriate United States 
        district court under section 218 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(2); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General has instituted a 
proceeding or action for a violation of this subtitle or any 
regulations thereunder, no attorney general of a State may, during the 
pendency of such proceeding or action, bring an action under this 
section against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this section shall be construed to prevent 
an attorney general of a State from exercising the powers conferred on 
such attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 205. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.

    (a) In General.--Any person aggrieved by a violation of the 
provisions of this subtitle by a business entity may bring a civil 
action in a court of appropriate jurisdiction to recover for personal 
injuries sustained as a result of the violation.
    (b) Authority To Bring Civil Action; Jurisdiction.--As provided in 
subsection (c), any person may commence a civil action on his own 
behalf against any business entity who is alleged to have violated the 
provisions of this subtitle.
    (c) Remedies in a Citizen Suit.--
            (1) Damages.--Any individual harmed by a failure of a 
        business entity to comply with the provisions of this subtitle 
        shall be able to collect damages of not more than $10,000 per 
        violation per day while such violations persist, up to a 
        maximum of $20,000,000 per violation.
            (2) Punitive damages.--A business entity may be liable for 
        punitive damages if the business entity intentionally or 
        willfully violates the provisions of this subtitle.
            (3) Equitable relief.--A business entity that violates the 
        provisions of this subtitle may be enjoined to comply with the 
        provisions of those sections.
    (d) Other Rights and Remedies.--The rights and remedies available 
under this subsection are cumulative and shall not affect any other 
rights and remedies available under law.
    (e) Nonenforceability of Certain Provisions Waiving Rights and 
Remedies or Requiring Arbitration of Disputes.--
            (1) Waiver of rights and remedies.--The rights and remedies 
        provided for in this section may not be waived by any 
        agreement, policy form, or condition of employment including by 
        a predispute arbitration agreement.
            (2) Predispute arbitration agreements.--No predispute 
        arbitration agreement shall be valid or enforceable, if the 
        agreement requires arbitration of a dispute arising under this 
        section.
    (f) Considerations.--In determining the amount of a civil penalty 
under this subsection, the court shall take into account--
            (1) the degree of culpability of the business entity;
            (2) any prior violations of this subtitle by the business 
        entity;
            (3) the ability of the business entity to pay a civil 
        penalty;
            (4) the effect on the ability of the business entity to 
        continue to do business;
            (5) the number of individuals whose sensitive personally 
        identifiable information was compromised by the breach;
            (6) the relative cost of compliance with this subtitle; and
            (7) such other matters as justice may require.

                Subtitle B--Security Breach Notification

SEC. 211. NOTICE TO INDIVIDUALS.

    (a) In General.--Except as provided in section 212, any agency, or 
business entity engaged in interstate commerce other than a service 
provider, that uses, accesses, transmits, stores, disposes of, or 
collects sensitive personally identifiable information that experiences 
a security breach of such information, shall, following the discovery 
of such security breach of such information, notify any resident of the 
United States whose sensitive personally identifiable information has 
been, or is reasonably believed to have been, accessed, or acquired.
    (b) Obligation of Owner or Licensee.--
            (1) Notice to owner or licensee.--Any agency, or business 
        entity engaged in interstate commerce, that uses, accesses, 
        transmits, stores, disposes of, or collects sensitive 
        personally identifiable information that the agency or business 
        entity does not own or license shall notify the owner or 
        licensee of the information following the discovery of a 
        security breach involving such information.
            (2) Notice by owner, licensee or other designated third 
        party.--Nothing in this subtitle shall prevent or abrogate an 
        agreement between an agency or business entity required to give 
        notice under this section and a designated third party, 
        including an owner or licensee of the sensitive personally 
        identifiable information subject to the security breach, to 
        provide the notifications required under subsection (a).
            (3) Business entity relieved from giving notice.--A 
        business entity obligated to give notice under subsection (a) 
        shall be relieved of such obligation if an owner or licensee of 
        the sensitive personally identifiable information subject to 
        the security breach, or other designated third party, provides 
        such notification.
            (4) Service providers.--If a service provider becomes aware 
        of a security breach containing sensitive personally 
        identifiable information that is owned or possessed by another 
        business entity that connects to or uses a system or network 
        provided by the service provider for the purpose of 
        transmitting, routing, or providing intermediate or transient 
        storage of such data, the service provider shall be required to 
        notify the business entity who initiated such connection, 
        transmission, routing, or storage of the security breach if the 
        business entity can be reasonably identified. Upon receiving 
        such notification from a service provider, the business entity 
        shall be required to provide the notification required under 
        subsection (a).
    (c) Timeliness of Notification.--
            (1) In general.--All notifications required under this 
        section shall be made without unreasonable delay following the 
        discovery by the agency or business entity of a security 
        breach.
            (2) Reasonable delay.--Reasonable delay under this 
        subsection may include any time necessary to determine the 
        scope of the security breach, conduct the risk assessment 
        described in section 212(b)(1), and provide notice to law 
        enforcement when required.
            (3) Burden of production.--The agency, business entity, 
        owner, or licensee required to provide notice under this 
        subtitle shall, upon the request of the Attorney General, the 
        Federal Trade Commission, or the attorney general of a State or 
        any State or local law enforcement agency authorized by the 
        attorney general of the State or by State statute to prosecute 
        violations of consumer protection law, provide records or other 
        evidence of the notifications required under this subtitle, 
        including to the extent applicable, the reasons for any delay 
        of notification.
    (d) Delay of Notification Authorized for Law Enforcement or 
National Security Purposes.--
            (1) In general.--If a Federal law enforcement agency or 
        member of the intelligence community determines that the 
        notification required under this section would impede any 
        lawfully authorized criminal investigation or authorized 
        investigative, protective, or intelligence activities that are 
        carried out by or on behalf of any element of the intelligence 
        community and conducted in accordance with the United States 
        laws, authorities, and regulations governing such intelligence 
        activities, such notification shall be delayed upon written 
        notice from such Federal law enforcement agency or member of 
        the intelligence community to the agency or business entity 
        that experienced the breach. The notification shall specify in 
        writing the period of delay required.
            (2) Extended delay of notification.--If the notification 
        required under subsection (a) is delayed pursuant to paragraph 
        (1), an agency or business entity shall give notice 30 days 
        after the day such law enforcement delay was invoked unless a 
        Federal law enforcement or member of the intelligence community 
        provides written notification that further delay is necessary.
            (3) Law enforcement immunity.--No non-constitutional cause 
        of action shall lie in any court against an agency for acts 
        relating to the delay of notification for law enforcement or 
        intelligence purposes under this subtitle.

SEC. 212. EXEMPTIONS FROM NOTICE TO INDIVIDUALS.

    (a) Exemption for National Security and Law Enforcement.--
            (1) In general.--Section 211 shall not apply to an agency 
        or business entity if--
                    (A) the United States Secret Service or the Federal 
                Bureau of Investigation determines that notification of 
                the security breach could be expected to reveal 
                sensitive sources and methods or similarly impede the 
                ability of the Government to conduct law enforcement 
                investigations; or
                    (B) the Federal Bureau of Investigation determines 
                that notification of the security breach could be 
                expected to cause damage to national security.
            (2) Immunity.--No non-constitutional cause of action shall 
        lie in any court against any Federal agency for acts relating 
        to the exemption from notification under this subtitle.
    (b) Safe Harbor.--
            (1) In general.--An agency or business entity shall be 
        exempt from the notice requirements under section 211, if--
                    (A) a risk assessment conducted by the agency or 
                business entity, in consultation with the Federal Trade 
                Commission, concludes that there is no significant risk 
                that a security breach has resulted in, or will result 
                in harm to the individuals whose sensitive personally 
                identifiable information was subject to the security 
                breach; and
                    (B) the Federal Trade Commission or designated 
                entity does not indicate within 7 business days from 
                the receipt of written notification from an agency or 
                business entity pursuant to subsection 212(b)(2), that 
                the agency or business entity should not be exempt from 
                the notice requirements of section 211.
            (2) Risk assessment requirements.--
                    (A) Conducting a risk assessment.--Upon discovery 
                of a security breach of an agency or business entity, 
                the agency or business entity shall conduct a risk 
                assessment to determine if there is a significant risk 
                that the security breach resulted in, or will result 
                in, harm to the individuals whose sensitive personally 
                identifiable information was subject to the security 
                breach.
                            (i) Presumption of no significant risk.--It 
                        is presumed that there is no significant risk 
                        that the security breach has resulted in, or 
                        will result in, harm to the individuals whose 
                        sensitive personally identifiable data was 
                        subject to the security breach, if the 
                        sensitive personally identifiable information 
                        has been rendered unusable, unreadable, or 
                        indecipherable through a security technology or 
                        methodology (if the technology or methodology 
                        is generally accepted by experts in the 
                        information security field). Any such 
                        presumption may be rebutted by facts 
                        demonstrating that the security technologies or 
                        methodologies in a specific case have been or 
                        are reasonably likely to be compromised.
                            (ii) Presumption of significant risk.--It 
                        is presumed that there is a significant risk 
                        that the security breach has resulted in, or 
                        will result in, harm to individuals whose 
                        sensitive personally identifiable information 
                        was subject to the security breach if the 
                        agency or business entity failed to render such 
                        sensitive personally identifiable information 
                        indecipherable through a security technology or 
                        methodology (if the technology or methodology 
                        is generally accepted by experts in the 
                        information security field).
                            (iii) Methodologies or technologies.--
                                    (I) Required rulemaking.--Not later 
                                than 1 year after the date of the 
                                enactment of this Act, and biannually 
                                thereafter, the Federal Trade 
                                Commission, after consultation with the 
                                National Institute of Standards and 
                                Technology, shall issue rules (pursuant 
                                to section 553 of title 5, United 
                                States Code) or guidance to identify 
                                security methodologies or technologies, 
                                such as encryption, which render 
                                sensitive personally identifiable 
                                information unusable, unreadable, or 
                                indecipherable, that shall, if applied 
                                to such sensitive personally 
                                identifiable information, establish a 
                                presumption that no significant risk of 
                                harm exists to individuals whose 
                                sensitive personally identifiable 
                                information was subject to a security 
                                breach. Any such presumption may be 
                                rebutted by facts demonstrating that 
                                any such methodology or technology in a 
                                specific case has been or is reasonably 
                                likely to be compromised.
                                    (II) Required consultation.--In 
                                issuing rules or guidance under 
                                subclause (II), the Commission shall 
                                also consult with relevant industries, 
                                consumer organizations, and data 
                                security and identity theft prevention 
                                experts and established standards 
                                setting bodies.
                            (iv) FTC guidance.--Not later than 1 year 
                        after the date of the enactment of this Act, 
                        the Federal Trade Commission, after 
                        consultation with the National Institute of 
                        Standards and Technology, shall issue guidance 
                        regarding the application of the exemption in 
                        clause (i).
                    (B) Written notification.--Without unreasonable 
                delay, but not later than 7 days after the discovery of 
                a security breach, unless extended by the United States 
                Secret Service or the Federal Bureau of Investigation, 
                the agency or business entity must notify the Federal 
                Trade Commission and designated entity, in writing, 
                of--
                            (i) the results of the risk assessment; and
                            (ii) its decision to invoke the risk 
                        assessment exemption.
                    (C) Violations.--It shall be a violation of this 
                section to--
                            (i) fail to conduct a risk assessment in a 
                        reasonable manner, or according to standards 
                        generally accepted by experts in the field of 
                        information security; or
                            (ii) submit results of a risk assessment 
                        that--
                                    (I) conceal violations of law, 
                                inefficiency, or administrative error;
                                    (II) prevent embarrassment to a 
                                business entity, organization, or 
                                agency;
                                    (III) restrain competition;
                                    (IV) contain fraudulent or 
                                deliberately misleading information; or
                                    (V) delay notification under 
                                section 211 for any other reason, 
                                except where the agency or business 
                                entity reasonably believes that the 
                                risk assessment exception may apply.
    (c) Financial Fraud Prevention Exemption.--
            (1) In general.--A business entity shall be exempt from the 
        notice requirements of this subtitle if the business entity 
        utilizes or participates in a security program that--
                    (A) effectively blocks the use of the sensitive 
                personally identifiable information to initiate 
                unauthorized financial transactions before they are 
                charged to the account of the individual; and
                    (B) provides for notice to affected individuals 
                after a security breach that has resulted in fraud or 
                unauthorized transactions.
            (2) Limitation.--Paragraph (1) shall not apply to a 
        business entity if the information subject to the security 
        breach includes an individual's first and last name, or any 
        other type of sensitive personally identifiable information, 
        other than a credit card or credit card security code 
        identified in section 3, unless that information is only a 
        credit card number or a credit card security code.
    (d) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to the following--
            (1) Financial institutions.--A financial institution 
        subject to the data security requirements and standards under 
        501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), 
        and subject to the jurisdiction of an agency or authority 
        described in section 505(a) of the Gramm-Leach-Bliley Act (15 
        U.S.C. 6805(a)), if the Federal functional regulator (as 
        defined by section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 
        6809)) with jurisdiction over that financial institution has 
        issued a regulation under title V of the Gramm-Leach-Bliley Act 
        (15 U.S.C. 6801 et seq.) that requires financial institutions 
        within its jurisdiction to provide notification to individuals 
        following a breach of security.
            (2) HIPAA regulated entities exemption.--
                    (A) In general.--A business entity shall be exempt 
                from the notice requirement under section 211 if the 
                business entity is one of the following:
                            (i) Covered entities.--A business entity 
                        subject to the Health Insurance Portability and 
                        Accountability Act of 1996 (42 U.S.C. 1301 et 
                        seq.), including the data breach notification 
                        requirements and implementing regulations of 
                        that Act.
                            (ii) Business entities.--A business entity 
                        that--
                                    (I) is acting as a business 
                                associate, as that term is defined 
                                under the Health Insurance Portability 
                                and Accountability Act of 1996 (42 
                                U.S.C. 1301 et seq.) and is in 
                                compliance with the requirements 
                                imposed under that Act and implementing 
                                regulations promulgated under that Act; 
                                and
                                    (II) is subject to, and currently 
                                in compliance with, the data breach 
                                notification requirements under section 
                                13402 or 13407 of the American 
                                Reinvestment and Recovery Act of 2009 
                                (42 U.S.C. 17932 and 17937) and 
                                implementing regulations promulgated 
                                under such sections.
                    (B) Limitation.--Paragraph (1) shall not apply to a 
                business entity if the information subject to the 
                security breach includes an individual's first and last 
                name, or any other type of sensitive personally 
                identifiable information other than a health insurance 
                policy or subscriber identification number or 
                information regarding an individual's medical history, 
                mental or physical medical condition, or medical 
                treatment or diagnosis by a health care professional as 
                identified in section 3 unless that information is only 
                a health insurance policy or subscriber identification 
                number or information regarding an individual's medical 
                history, mental or physical medical condition, or 
                medical treatment or diagnosis by a health care 
                professional.

SEC. 213. METHODS OF NOTICE TO INDIVIDUALS.

    To comply with section 211, an agency or business entity shall 
provide the following forms of notice:
            (1) Individual written notice.--Written notice to 
        individuals by 1 of the following means:
                    (A) Individual written notification to the last 
                known home mailing address of the individual in the 
                records of the agency or business entity.
                    (B) E-mail notice, unless the individual has 
                expressly opted not to receive such notices of security 
                breaches or the notice is inconsistent with the 
                provisions permitting electronic transmission of 
                notices under section 101 of the Electronic Signatures 
                in Global and National Commerce Act (15 U.S.C. 7001).
            (2) Telephone notice.--Telephone notice to the individual 
        personally.
            (3) Public notice.--
                    (A) Electronic notice.--Prominent notice via all 
                reasonable means of electronic contact between the 
                individual and the agency or business entity, including 
                any website, networked devices, or other interface 
                through which the agency or business entity regularly 
                interacts with the consumer, if the number of 
                individuals whose sensitive personally identifiable 
                information was or is reasonably believed to have been 
                accessed or acquired by an unauthorized person exceeds 
                5,000.
                    (B) Media notice.--Notice to major media outlets 
                serving a State or jurisdiction, if the number of 
                residents of such State whose sensitive personally 
                identifiable information was, or is reasonably believed 
                to have been, accessed or acquired by an unauthorized 
                person exceeds 5,000.

SEC. 214. CONTENT OF NOTICE TO INDIVIDUALS.

    (a) In General.--Regardless of the method by which individual 
notice is provided to individuals under section 213(1), such notice 
shall include--
            (1) a description of the categories of sensitive personally 
        identifiable information that was, or is reasonably believed to 
        have been, accessed or acquired by an unauthorized person, and 
        how the agency or business entity came into possession of the 
        sensitive personally identifiable information at issue;
            (2) a toll-free number--
                    (A) that the individual may use to contact the 
                agency or business entity, or the agent of the agency 
                or business entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                agency or business entity maintained about that 
                individual;
            (3) the toll-free contact telephone numbers, websites, and 
        addresses for the major credit reporting agencies;
            (4) the telephone numbers and websites for the relevant 
        Federal agencies that provide information regarding identity 
        theft prevention and protection;
            (5) notice that the individual is entitled to receive, at 
        no cost to such individual, consumer credit reports on a 
        quarterly basis for a period of 2 years, credit monitoring or 
        any other service that enables consumers to detect the misuse 
        of sensitive personally identifiable information for a period 
        of 2 years, and instructions to the individual on requesting 
        such reports or service from the agency or business entity;
            (6) notice that the individual is entitled to receive a 
        security freeze and that the agency or business entity will be 
        liable for any costs associated with the security freeze for 2 
        years and the necessary instructions for requesting a security 
        freeze; and
            (7) notice that any costs or damages incurred by an 
        individual as a result of a security breach will be paid by the 
        business entity or agency that experienced the security breach.
    (b) Telephone Notice.--Telephone notice described in section 213(2) 
shall include, to the extent possible--
            (1) notification that a security breach has occurred and 
        that the individual's sensitive personally identifiable 
        information may have been compromised;
            (2) a description of the categories of sensitive personally 
        identifiable information that were, or are reasonably believed 
        to have been, accessed or acquired by an unauthorized person;
            (3) a toll-free number and website--
                    (A) that the individual may use to contact the 
                agency or business entity, or the authorized agent of 
                the agency or business entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                agency or business entity maintained about that 
                individual and remedies available to that individual; 
                and
            (4) an alert to the individual that the agency or business 
        entity is sending or has sent written notification containing 
        additional information as required under section 213(1)(A).
    (c) Public Notice.--Public notice described in section 213(3) shall 
include--
            (1) electronic notice, which includes--
                    (A) notification that a security breach has 
                occurred and that the individual's sensitive personally 
                identifiable information may have been compromised;
                    (B) a description of the categories of sensitive 
                personally identifiable information that were, or are 
                reasonably believed to have been, accessed or acquired 
                by an unauthorized person; and
                    (C) a toll-free number and website--
                            (i) that the individual may use to contact 
                        the agency or business entity, or the 
                        authorized agent of the agency or business 
                        entity; and
                            (ii) from which the individual may learn 
                        what types of sensitive personally identifiable 
                        information the agency or business entity 
                        maintained about that individual and remedies 
                        available to that individual; and
            (2) media notice, which includes--
                    (A) a description of the categories of sensitive 
                personally identifiable information that was, or is 
                reasonably believed to have been, accessed or acquired 
                by an unauthorized person;
                    (B) a toll-free number--
                            (i) that the individual may use to contact 
                        the agency or business entity, or the 
                        authorized agent of the agency or business 
                        entity; and
                            (ii) from which the individual may learn 
                        what types of sensitive personally identifiable 
                        information the agency or business entity 
                        maintained about that individual and remedies 
                        available to that individual;
                    (C) the toll-free contact telephone numbers, 
                websites, and addresses for the major credit reporting 
                agencies;
                    (D) the telephone numbers and websites for the 
                relevant Federal agencies that provide information 
                regarding identity theft prevention and protection;
                    (E) notice that the affected individuals are 
                entitled to receive, at no cost to such individuals, 
                consumer credit reports on a quarterly basis for a 
                period of 2 years, credit monitoring, or any other 
                service that enables consumers to detect the misuse of 
                sensitive personally identifiable information for a 
                period of 2 years;
                    (F) notice that the individual is entitled to 
                receive a security freeze and that the agency or 
                business entity will be liable for any costs associated 
                with the security freeze for 2 years; and
                    (G) notice that the individual is entitled to 
                receive compensation from the business entity or agency 
                for any costs or damages incurred by the individual 
                resulting from the security breach.
    (d) Additional Content.--Notwithstanding section 221, a State may 
require that a notice under subsection (a) shall also include 
information regarding victim protection assistance provided for by that 
State.
    (e) Direct Business Relationship.--Regardless of whether a business 
entity, agency, or a designated third party provides the notice 
required pursuant to section 211(b), such notice shall include the name 
of the business entity or agency that has a direct relationship with 
the individual being notified.

SEC. 215. REMEDIES FOR SECURITY BREACH.

    (a) Credit Reports and Credit Monitoring.--An agency or business 
entity required to provide notification under this subtitle shall, upon 
request of an individual whose sensitive personally identifiable 
information was included in the security breach, provide or arrange for 
the provision of, to each such individual and at no cost to such 
individual--
            (1) consumer credit reports from not fewer than 1 of the 
        major credit reporting agencies beginning not later than 60 
        days following the request of the individual and continuing on 
        a quarterly basis for a period of 2 years thereafter; and
            (2) a credit monitoring or other service that enables 
        consumers to detect the misuse of their personal information, 
        beginning not later than 60 days following the request of the 
        individual and continuing for a period of 2 years.
    (b) Security Freeze.--
            (1) Request.--Any consumer may submit a written request, by 
        certified mail or such other secure method as authorized by a 
        credit rating agency, to a credit rating agency to place a 
        security freeze on the credit report of the consumer.
            (2) Implementation of security freeze.--Upon receipt of a 
        written request under paragraph (1), a credit rating agency 
        shall--
                    (A) not later than 5 business days after receipt of 
                the request, place a security freeze on the credit 
                report of the consumer; and
                    (B) not later than 10 business days after placing a 
                security freeze, send a written confirmation of such 
                security freeze to the consumer, which shall provide 
                the consumer with a unique personal identification 
                number or password to be used by the consumer when 
                providing authorization for the release of the credit 
                report of the consumer to a third party or for a 
                specified period of time.
            (3) Duration of security freeze.--Except as provided in 
        paragraph (4), any security freeze authorized pursuant to the 
        provisions of this section shall remain in effect until the 
        consumer requests security freeze to be removed.
            (4) Disclosure of credit report to third party.--
                    (A) In general.--If a consumer that has requested a 
                security freeze under this subsection wishes to 
                authorize the disclosure of the credit report of the 
                consumer to a third party, or for a specified period of 
                time, while such security freeze is in effect, the 
                consumer shall contact the credit rating agency and 
                provide--
                            (i) proper identification;
                            (ii) the unique personal identification 
                        number or password described in paragraph 
                        (2)(B); and
                            (iii) proper information regarding the 
                        third party who is to receive the credit report 
                        or the time period for which the credit report 
                        shall be available.
                    (B) Requirement.--Not later than 3 business days 
                after receipt of a request under subparagraph (A), a 
                credit rating agency shall lift the security freeze.
            (5) Procedures.--
                    (A) In general.--A credit rating agency shall 
                develop procedures to receive and process requests from 
                consumers under paragraph (2) of this section.
                    (B) Requirement.--Procedures developed under 
                subparagraph (A), at a minimum, shall include the 
                ability of a consumer to send such temporary lift or 
                removal request by electronic mail, letter, telephone, 
                or facsimile.
            (6) Requests by third party.--If a third party requests 
        access to a credit report of a consumer that has been frozen 
        under this subsection and the consumer has not authorized the 
        disclosure of the credit report of the consumer to the third 
        party, the third party may deem such credit application as 
        incomplete.
            (7) Determination by credit rating agency.--
                    (A) In general.--A credit rating agency may refuse 
                to implement or may remove a security freeze under this 
                subsection if the agency determines, in good faith, 
                that--
                            (i) the request for a security freeze was 
                        made as part of a fraud that the consumer 
                        participated in, had knowledge of, or that can 
                        be demonstrated by circumstantial evidence; or
                            (ii) the consumer credit report was frozen 
                        due to a material misrepresentation of fact by 
                        the consumer.
                    (B) Notice.--If a credit rating agency makes a 
                determination under subparagraph (A) to not implement, 
                or to remove, a security freeze under this subsection, 
                the credit rating agency shall notify the consumer in 
                writing of such determination--
                            (i) in the case of a determination not to 
                        implement a security freeze, not later than 5 
                        business days after the determination is made; 
                        and
                            (ii) in the case of a removal of a security 
                        freeze, prior to removing the freeze on the 
                        credit report of the consumer.
            (8) Rule of construction.--
                    (A) In general.--Nothing in this section shall be 
                construed to prohibit disclosure of a credit report of 
                a consumer to--
                            (i) a person, or the person's subsidiary, 
                        affiliate, agent or assignee with which the 
                        consumer has or, prior to assignment, had an 
                        account, contract or debtor-creditor 
                        relationship for the purpose of reviewing the 
                        account or collecting the financial obligation 
                        owing for the account, contract or debt;
                            (ii) a subsidiary, affiliate, agent, 
                        assignee or prospective assignee of a person to 
                        whom access has been granted under paragraph 
                        (4) for the purpose of facilitating the 
                        extension of credit or other permissible use;
                            (iii) any person acting pursuant to a court 
                        order, warrant, or subpoena;
                            (iv) any person for the purpose of using 
                        such credit information to prescreen as 
                        provided by the Fair Credit Reporting Act (15 
                        U.S.C. 1681 et seq.);
                            (v) any person for the sole purpose of 
                        providing a credit file monitoring subscription 
                        service to which the consumer has subscribed;
                            (vi) a credit rating agency for the sole 
                        purpose of providing a consumer with a copy of 
                        the credit report of the consumer upon the 
                        request of the consumer; or
                            (vii) a Federal, State or local 
                        governmental entity, including a law 
                        enforcement agency, or court, or their agents 
                        or assignees pursuant to their statutory or 
                        regulatory duties; and
                            (viii) any person for the sole purpose of 
                        providing a remedy requested by an individual 
                        under this section.
                    (B) Reviewing the account.--For purposes of this 
                subsection, ``reviewing the account'' shall include 
                activities relating to account maintenance, monitoring, 
                credit line increases, and account upgrades and 
                enhancements.
            (9) Exceptions.--The following persons shall not be 
        required to place a security freeze under this subsection, but 
        shall be subject to any security freeze placed on a credit 
        report by another credit rating agency:
                    (A) A check services or fraud prevention services 
                company that reports on incidents of fraud or issues 
                authorizations for the purpose of approving or 
                processing negotiable instruments, electronic fund 
                transfers or similar methods of payment.
                    (B) A deposit account information service company 
                that issues reports regarding account closures due to 
                fraud, substantial overdrafts, automated teller machine 
                abuse, or similar information regarding a consumer to 
                inquiring banks or other financial institutions for use 
                only in reviewing a consumer request for a deposit 
                account at the inquiring bank or financial institution.
                    (C) A credit rating agency that--
                            (i) acts only to resell credit information 
                        by assembling and merging information contained 
                        in a database of 1 or more credit reporting 
                        agencies; and
                            (ii) does not maintain a permanent database 
                        of credit information from which new credit 
                        reports are produced.
            (10) Fees.--
                    (A) In general.--A credit rating agency may charge 
                reasonable fees for each security freeze, removal of 
                such freeze or temporary lift of such freeze for a 
                period of time, and a temporary lift of such freeze for 
                a specific party.
                    (B) Requirement.--Any fees charged under 
                subparagraph (A) shall be borne by the agency or 
                business entity providing notice under section 214 for 
                2 years following the establishment of the security 
                freeze under this subsection.
    (c) Costs Resulting From a Security Breach.--
            (1) In general.--A business entity or agency that 
        experiences a security breach and is required to provide notice 
        under this subtitle shall pay, upon request, to any individual 
        whose sensitive personally identifiable information has been, 
        or is reasonably believed to have been, accessed or acquired as 
        a result of such security breach, any costs or damages incurred 
        by the individual as a result of such security breach, 
        including costs associated with identity theft suffered as a 
        result of such security breach.
            (2) Compliance.--A business entity or agency shall be 
        deemed in compliance with this subsection if the business 
        entity or agency--
                    (A) provides insurance to any individual whose 
                sensitive personally identifiable information has been, 
                or is reasonably believed to have been, accessed or 
                acquired as a result of a security breach and such 
                insurance is sufficient to compensate the consumer for 
                not less than $25,000 of costs or damages; or
                    (B) pays, without unreasonable delay, any actual 
                costs or damages incurred by an individual as a result 
                of the security breach.

SEC. 216. NOTICE TO CREDIT REPORTING AGENCIES.

    If an agency or business entity is required to provide notification 
to more than 5,000 individuals under section 211(a), the agency or 
business entity shall also notify all consumer reporting agencies that 
compile and maintain files on consumers on a nationwide basis (as 
defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 
1681a(p))) of the timing and distribution of the notices. Such notice 
shall be given to the consumer credit reporting agencies without 
unreasonable delay and, if it will not delay notice to the affected 
individuals, prior to the distribution of notices to the affected 
individuals.

SEC. 217. NOTICE TO LAW ENFORCEMENT.

    (a) Designation of a Government Entity To Receive Notice.--
            (1) In general.--Not later than 60 days after the date of 
        enactment of this Act, the Secretary of Homeland Security, in 
        consultation with the Attorney General, shall designate a 
        Federal Government entity to receive the information required 
        to be submitted under this subtitle, and any other reports and 
        information about information security incidents, threats, and 
        vulnerabilities.
            (2) Responsibilities of the designated entity.--The 
        designated entity shall--
                    (A) be responsible for promptly providing the 
                information it receives to the United States Secret 
                Service and the Federal Bureau of Investigation, and to 
                the Federal Trade Commission for civil law enforcement 
                purposes; and
                    (B) provide the information described in 
                subparagraph (A) as appropriate to other Federal 
                agencies for law enforcement, national security, or 
                data security purposes.
    (b) Notice.--Any business entity or agency shall notify the 
designated entity of the fact that a security breach has occurred if--
            (1) the number of individuals whose sensitive personally 
        identifiable information was, or is reasonably believed to have 
        been, accessed or acquired by an unauthorized person exceeds 
        5,000;
            (2) the security breach involves a database, networked or 
        integrated databases, or other data system containing the 
        sensitive personally identifiable information of more than 
        500,000 individuals nationwide;
            (3) the security breach involves databases owned by the 
        Federal Government; or
            (4) the security breach involves primarily sensitive 
        personally identifiable information of individuals known to the 
        agency or business entity to be employees and contractors of 
        the Federal Government involved in national security or law 
        enforcement.
    (c) FTC Review of Thresholds.--
            (1) Review.--Not later than 1 year after the date of 
        enactment of this Act, the Federal Trade Commission, in 
        consultation with the Attorney General and the Secretary of 
        Homeland Security, shall promulgate regulations regarding the 
        reports required under subsection (a).
            (2) Rulemaking.--The Federal Trade Commission, in 
        consultation with the Attorney General and the Secretary of 
        Homeland Security, after notice and the opportunity for public 
        comment, and in a manner consistent with this section, shall 
        promulgate regulations, as necessary, under section 553 of 
        title 5, United States Code, to adjust the thresholds for 
        notice to law enforcement and national security authorities 
        under subsection (a) and to facilitate the purposes of this 
        section.
    (d) Timing of Notices.--The notices required under this section 
shall be delivered as follows:
            (1) Notice under subsection (a) shall be delivered as 
        promptly as possible, but not later than 10 days after 
        discovery of the security breach.
            (2) Notice under section 211 shall be delivered to 
        individuals not later than 48 hours after the Federal Bureau of 
        Investigation or the Secret Service receives notice of a 
        security breach from an agency or business entity.

SEC. 218. FEDERAL ENFORCEMENT.

    (a) Civil Actions by the Attorney General.--
            (1) In general.--The Attorney General may bring a civil 
        action in the appropriate United States district court against 
        any business entity that engages in conduct constituting a 
        violation of this subtitle and, upon proof of such conduct by a 
        preponderance of the evidence, such business entity shall be 
        subject to a civil penalty of not more than $500 per day per 
        individual whose sensitive personally identifiable information 
        was, or is reasonably believed to have been, accessed or 
        acquired by an unauthorized person, up to a maximum of 
        $20,000,000 per violation, unless such conduct is found to be 
        willful or intentional.
            (2) Presumption.--A violation of section 212(b)(2)(C) shall 
        be presumed to be willful or intentional conduct.
    (b) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a business entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (c) Civil Actions by the Federal Trade Commission.--
            (1) In general.--Compliance with the requirements imposed 
        under subtitle A and this subtitle may be enforced under the 
        Federal Trade Commission Act (15 U.S.C. 41 et seq.) by the 
        Federal Trade Commission with respect to business entities 
        subject to this Act. All of the functions and powers of the 
        Federal Trade Commission under the Federal Trade Commission Act 
        are available to the Commission to enforce compliance by any 
        person with the requirements imposed under this title.
            (2) Unfair or deceptive acts or practices.--For the purpose 
        of the exercise by the Federal Trade Commission of its 
        functions and powers under the Federal Trade Commission Act, a 
        violation of any requirement or prohibition imposed under this 
        title shall constitute an unfair or deceptive act or practice 
        in commerce in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices 
        and shall be subject to enforcement by the Federal Trade 
        Commission under that Act with respect to any business entity, 
        irrespective of whether that business entity is engaged in 
        commerce or meets any other jurisdictional tests in the Federal 
        Trade Commission Act.
    (d) Considerations.--In determining the amount of a civil penalty 
under this subsection, the court shall take into account--
            (1) the degree of culpability of the business entity;
            (2) any prior violations of this subtitle by the business 
        entity;
            (3) the ability of the business entity to pay a civil 
        penalty;
            (4) the effect on the ability of the business entity to 
        continue to do business;
            (5) the number of individuals whose sensitive personally 
        identifiable information was compromised by the breach;
            (6) the relative cost of compliance with this subtitle; and
            (7) such other matters as justice may require.
    (e) Coordination of Enforcement.--
            (1) In general.--Before opening an investigation, the 
        Federal Trade Commission shall consult with the Attorney 
        General.
            (2) Limitation.--The Federal Trade Commission may initiate 
        investigations under this subsection unless the Attorney 
        General determines that such an investigation would impede an 
        ongoing criminal investigation or national security activity.
            (3) Coordination agreement.--
                    (A) In general.--In order to avoid conflicts and 
                promote consistency regarding the enforcement and 
                litigation of matters under this Act, not later than 
                180 days after the enactment of this Act, the Attorney 
                General and the Commission shall enter into an 
                agreement for coordination regarding the enforcement of 
                this Act.
                    (B) Requirement.--The coordination agreement 
                entered into under subparagraph (A) shall include 
                provisions to ensure that parallel investigations and 
                proceedings under this section are conducted in a 
                manner that avoids conflicts and does not impede the 
                ability of the Attorney General to prosecute violations 
                of Federal criminal laws.
            (4) Coordination with the fcc.--If an enforcement action 
        under this Act relates to customer proprietary network 
        information, the Federal Trade Commission shall coordinate the 
        enforcement action with the Federal Communications Commission.
    (f) Rulemaking.--The Federal Trade Commission may, in consultation 
with the Attorney General, issue such other regulations as it 
determines to be necessary to carry out this subtitle. All regulations 
promulgated under this Act shall be issued in accordance with section 
553 of title 5, United States Code. Where regulations relate to 
customer proprietary network information, the promulgation of such 
regulations will be coordinated with the Federal Communications 
Commission.
    (g) Other Rights and Remedies.--The rights and remedies available 
under this subtitle are cumulative and shall not affect any other 
rights and remedies available under law.
    (h) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting 
Act (15 U.S.C. 1681c-1(b)(1)) is amended in the matter preceding 
subparagraph (A) by inserting ``, or evidence that the consumer has 
received notice that the consumer's financial information has or may 
have been compromised,'' after ``identity theft report''.

SEC. 219. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--
                    (A) In general.--In any case in which the attorney 
                general of a State or any State or local law 
                enforcement agency authorized by the State attorney 
                general or by State statute to prosecute violations of 
                consumer protection law, has reason to believe that an 
                interest of the residents of that State has been or is 
                threatened or adversely affected by the engagement of a 
                business entity in a practice that is prohibited under 
                this subtitle, the State or the State or local law 
                enforcement agency on behalf of the residents of the 
                agency's jurisdiction, may bring a civil action on 
                behalf of the residents of the State or jurisdiction in 
                a district court of the United States of appropriate 
                jurisdiction or any other court of competent 
                jurisdiction, including a State court, to--
                            (i) enjoin that practice;
                            (ii) enforce compliance with this subtitle; 
                        or
                            (iii) obtain civil penalties of not more 
                        than $500 per day per individual whose 
                        sensitive personally identifiable information 
                        was, or is reasonably believed to have been, 
                        accessed or acquired by an unauthorized person, 
                        up to a maximum of $20,000,000 per violation, 
                        unless such conduct is found to be willful or 
                        intentional.
                    (B) Presumption.--A violation of section 
                212(b)(2)(C) shall be presumed to be willful or 
                intentional.
            (2) Considerations.--In determining the amount of a civil 
        penalty under this subsection, the court shall take into 
        account--
                    (A) the degree of culpability of the business 
                entity;
                    (B) any prior violations of this subtitle by the 
                business entity;
                    (C) the ability of the business entity to pay a 
                civil penalty;
                    (D) the effect on the ability of the business 
                entity to continue to do business;
                    (E) the number of individuals whose sensitive 
                personally identifiable information was compromised by 
                the breach;
                    (F) the relative cost of compliance with this 
                subtitle; and
                    (G) such other matters as justice may require.
            (3) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subtitle, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(2), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action;
            (2) initiate an action in the appropriate United States 
        district court under section 218 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(2); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General has instituted a 
proceeding or action for a violation of this subtitle or any 
regulations thereunder, no attorney general of a State may, during the 
pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle regarding notification shall 
be construed to prevent an attorney general of a State from exercising 
the powers conferred on such attorney general by the laws of that State 
to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 220. SUPPLEMENTAL ENFORCEMENT BY INDIVIDUALS.

    (a) In General.--Any person aggrieved by a violation of the 
provisions of section 211, 213, 214, 215, or 216 by a business entity 
may bring a civil action in a court of appropriate jurisdiction to 
recover for personal injuries sustained as a result of the violation.
    (b) Authority To Bring Civil Action; Jurisdiction.--As provided in 
subsection (c), an individual may commence a civil action on his own 
behalf against any business entity who is alleged to have violated the 
provisions of this subtitle.
    (c) Remedies in a Citizen Suit.--
            (1) Damages.--Any individual harmed by a failure of a 
        business entity to comply with the provisions of section 211, 
        213, 214, 215, or 216 shall be able to collect damages of not 
        more than $500 per day per individual whose sensitive 
        personally identifiable information was, or is reasonably 
        believed to have been, accessed or acquired by an unauthorized 
        person, up to a maximum of $20,000,000 per violation.
            (2) Punitive damages.--A business entity may be liable for 
        punitive damages if the business entity--
                    (A) intentionally or willfully violates the 
                provisions of section 211, 213, 214, 215, or 216; or
                    (B) failed to comply with the requirements of 
                subsections (a) through (d) of section 202.
            (3) Equitable relief.--A business entity that violates the 
        provisions of section 211, 213, 214, 215, or 216 may be 
        enjoined to provide required remedies under section 215 by a 
        court of competent jurisdiction.
    (d) Other Rights and Remedies.--The rights and remedies available 
under this subsection are cumulative and shall not affect any other 
rights and remedies available under law.
    (e) Nonenforceability of Certain Provisions Waiving Rights and 
Remedies or Requiring Arbitration of Disputes.--
            (1) Waiver of rights and remedies.--The rights and remedies 
        provided for in this section may not be waived by any 
        agreement, policy form, or condition of employment including by 
        a predispute arbitration agreement.
            (2) Predispute arbitration agreements.--No predispute 
        arbitration agreement shall be valid or enforceable, if the 
        agreement requires arbitration of a dispute arising under this 
        section.
    (f) Considerations.--In determining the amount of a civil penalty 
under this subsection, the court shall take into account--
            (1) the degree of culpability of the business entity;
            (2) any prior violations of this subtitle by the business 
        entity;
            (3) the ability of the business entity to pay a civil 
        penalty;
            (4) the effect on the ability of the business entity to 
        continue to do business;
            (5) the number of individuals whose sensitive personally 
        identifiable information was compromised by the breach;
            (6) the relative cost of compliance with this subtitle; and
            (7) such other matters as justice may require.

SEC. 221. RELATION TO OTHER LAWS.

    (a) In General.--The provisions of this subtitle shall supersede 
any other provision of Federal law or any provision of law of any State 
relating to notification by a business entity engaged in interstate 
commerce or an agency of a security breach, except as provided in this 
subsection.
    (b) Limitations.--
            (1) State common law.--Nothing in this subtitle shall be 
        construed to exempt any entity from liability under common law, 
        including through the operation of ordinary preemption 
        principles, and including liability through State trespass, 
        contract, or tort law, for damages caused by the failure to 
        notify an individual following a security breach.
            (2) Gramm-leach-bliley act.--Nothing in this Act shall 
        supersede the data security requirements of the Gramm-Leach-
        Bliley Act (15 U.S.C. 6801 et seq.), or implementing 
        regulations based on that Act.
            (3) Health privacy.--
                    (A) To the extent that a business entity acts as a 
                covered entity or a business associate under the Health 
                Information Technology for Economic and Clinical Health 
                Act (42 U.S.C. 17932), and has the obligation to 
                provide breach notification under that Act or its 
                implementing regulations, the requirements of this Act 
                shall not apply.
                    (B) To the extent that a business entity acts as a 
                vendor of personal health records, a third-party 
                service provider, or other entity subject to the Health 
                Information Technology for Economic and Clinical 
                Health Act (42 U.S.C. 17937), and has the obligation to 
                provide breach notification under that Act or its 
                implementing regulations, the requirements of this Act 
                shall not apply.

SEC. 222. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated such sums as may be 
necessary to cover the costs incurred by the United States Secret 
Service to carry out investigations and risk assessments of security 
breaches as required under this subtitle.

SEC. 223. REPORTING ON RISK ASSESSMENT EXEMPTIONS.

    The United States Secret Service and the Federal Bureau of 
Investigation shall report to Congress not later than 18 months after 
the date of enactment of this Act, and upon the request by Congress 
thereafter, on--
            (1) the number and nature of the security breaches 
        described in the notices filed by those business entities 
        invoking the risk assessment exemption under section 212(b) and 
        the response of the United States Secret Service and the 
        Federal Bureau of Investigation to such notices; and
            (2) the number and nature of security breaches subject to 
        the national security and law enforcement exemptions under 
        section 212(a), provided that such report may not disclose the 
        contents of any risk assessment provided to the United States 
        Secret Service and the Federal Bureau of Investigation pursuant 
        to this subtitle.

      Subtitle C--Post-Breach Technical Information Clearinghouse

SEC. 230. CLEARINGHOUSE INFORMATION COLLECTION, MAINTENANCE, AND 
              ACCESS.

    (a) In General.--The designated entity shall maintain a 
clearinghouse of technical information concerning system 
vulnerabilities identified in the wake of security breaches, which 
shall--
            (1) contain information disclosed by agencies or business 
        entities under subsection (b); and
            (2) be accessible to certified entities under subsection 
        (c).
    (b) Post-Breach Technical Notification.--In any instance in which 
an agency or business entity is required to notify the designated 
entity under section 217, the agency or business entity shall also 
provide the designated entity with technical information concerning the 
nature of the security breach, including--
            (1) technical information regarding any system 
        vulnerabilities of the agency or business entity revealed by or 
        identified as a consequence of the security breach;
            (2) technical information regarding any system 
        vulnerabilities of the agency or business entity actually 
        exploited during the security breach; and
            (3) any other technical information concerning the nature 
        of the security breach deemed appropriate for collection by the 
        designated entity in furtherance of this subtitle.
    (c) Access to Clearinghouse.--Any entity certified under subsection 
(d) may review information maintained by the technical information 
clearinghouse for the purpose of preventing security breaches that 
threaten the security of sensitive personally identifiable information.
    (d) Certification for Access.--The designated entity shall issue 
and revoke certifications to agencies and business entities wishing to 
review information maintained by the technical information 
clearinghouse and shall establish conditions for obtaining and 
maintaining such certifications, including agreement that any 
information obtained directly or derived indirectly from the review of 
information maintained by the technical information clearinghouse--
            (1) shall only be used to improve the security and reduce 
        the vulnerability of networks that collect, access, transmit, 
        use, store, or dispose of sensitive personally identifiable 
        information;
            (2) may not be used for any competitive commercial purpose; 
        and
            (3) may not be shared with any third party, including other 
        parties certified for access to the information clearinghouse, 
        without the express written consent of the designated entity.
    (e) Rulemaking.--In consultation with the private sector, 
appropriate representatives of State and local governments, and other 
appropriate Federal agencies, the designated entity may issue such 
regulations as it determines to be necessary to carry out this 
subtitle. All regulations promulgated under this Act shall be issued in 
accordance with section 553 of title 5, United States Code.

SEC. 231. PROTECTIONS FOR CLEARINGHOUSE PARTICIPANTS.

    (a) Protection of Proprietary Information.--To the extent feasible, 
the designated entity shall ensure that any technical information 
disclosed to the designated entity under this subtitle shall be stored 
in a format designed to protect proprietary business information from 
inadvertent disclosure.
    (b) Anonymous Data Release.--To the extent feasible, the designated 
entity shall ensure that all information stored in the technical 
information clearinghouse and accessed by certified parties is 
presented in a form that minimizes the potential for such information 
to be traced to a particular network, company, or security breach 
incident.
    (c) Protection From Public Disclosure.--Except as otherwise 
provided in this subtitle--
            (1) security and vulnerability information collected under 
        this section and provided to the Federal Government, including 
        aggregated analysis and data, shall be exempt from disclosure 
        under section 552(b)(3) of title 5, United States Code; and
            (2) under section 230(e), security and vulnerability-
        related information provided to the Federal Government under 
        this section, including aggregated analysis and data, shall be 
        protected from public disclosure, except that this paragraph--
                    (A) does not prohibit the sharing of such 
                information, as the designated entity determines to be 
                appropriate, in order to mitigate cybersecurity threats 
                or further the official functions of a government 
                agency; and
                    (B) does not authorize such information to be 
                withheld from a committee of Congress authorized to 
                request the information.
    (d) Protection of Classified Information.--Nothing in this subtitle 
permits the unauthorized disclosure of classified information.

SEC. 232. EFFECTIVE DATE.

    This subtitle shall take effect on the expiration of the date that 
is 90 days after the date of enactment of this Act.

            TITLE III--ACCESS TO AND USE OF COMMERCIAL DATA

SEC. 301. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.

    (a) In General.--In considering contract awards totaling more than 
$500,000 and entered into after the date of enactment of this Act with 
data brokers, the Administrator of the General Services Administration 
shall evaluate--
            (1) the data privacy and security program of a data broker 
        to ensure the privacy and security of data containing sensitive 
        personally identifiable information, including whether such 
        program adequately addresses privacy and security threats 
        created by malicious software or code, or the use of peer-to-
        peer file sharing software;
            (2) the compliance of a data broker with such program;
            (3) the extent to which the databases and systems 
        containing sensitive personally identifiable information of a 
        data broker have been compromised by security breaches; and
            (4) the response by a data broker to such breaches, 
        including the efforts by such data broker to mitigate the 
        impact of such security breaches.
    (b) Compliance Safe Harbor.--The data privacy and security program 
of a data broker shall be deemed sufficient for the purposes of 
subsection (a), if the data broker complies with or provides protection 
equal to industry standards, as identified by the Federal Trade 
Commission, that are applicable to the type of sensitive personally 
identifiable information involved in the ordinary course of business of 
such data broker.
    (c) Penalties.--In awarding contracts with data brokers for 
products or services related to access, use, compilation, distribution, 
processing, analyzing, or evaluating sensitive personally identifiable 
information, the Administrator of the General Services Administration 
shall--
            (1) include monetary or other penalties--
                    (A) for failure to comply with subtitles A and B of 
                title II; or
                    (B) if a contractor knows or has reason to know 
                that the sensitive personally identifiable information 
                being provided is inaccurate, and provides such 
                inaccurate information; and
            (2) require a data broker that engages service providers 
        not subject to subtitle A of title II for responsibilities 
        related to sensitive personally identifiable information to--
                    (A) exercise appropriate due diligence in selecting 
                those service providers for responsibilities related to 
                sensitive personally identifiable information;
                    (B) take reasonable steps to select and retain 
                service providers that are capable of maintaining 
                appropriate safeguards for the security, privacy, and 
                integrity of the sensitive personally identifiable 
                information at issue; and
                    (C) require such service providers, by contract, to 
                implement and maintain appropriate measures designed to 
                meet the objectives and requirements in title II.
    (d) Limitation.--The penalties under subsection (c) shall not apply 
to a data broker providing information that is accurately and 
completely recorded from a public record source or licensor.

SEC. 302. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF 
              CONTRACTORS AND THIRD-PARTY BUSINESS ENTITIES.

    Section 3544(b) of title 44, United States Code, is amended--
            (1) in paragraph (7)(C)(iii), by striking ``and'' after the 
        semicolon;
            (2) in paragraph (8), by striking the period and inserting 
        ``; and''; and
            (3) by adding at the end the following:
            ``(9) procedures for evaluating and auditing the 
        information security practices of contractors or third-party 
        business entities supporting the information systems or 
        operations of the agency involving sensitive personally 
        identifiable information (as that term is defined in section 3 
        of the Personal Data Protection and Breach Accountability Act 
        of 2014) and ensuring remedial action to address any 
        significant deficiencies.''.

SEC. 303. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL 
              INFORMATION SERVICES CONTAINING SENSITIVE PERSONALLY 
              IDENTIFIABLE INFORMATION.

    (a) In General.--Section 208(b)(1) of the E-Government Act of 2002 
(44 U.S.C. 3501 note) is amended in subparagraph (A)--
            (1) in clause (i), by striking ``or'';
            (2) in clause (ii)(II), by striking the period and 
        inserting ``; or''; and
            (3) by adding at the end the following:
                            ``(iii) purchasing or subscribing for a fee 
                        to sensitive personally identifiable 
                        information from a data broker (as such terms 
                        are defined in section 3 of the Personal Data 
                        Protection and Breach Accountability Act of 
                        2014).''.
    (b) Limitation.--Notwithstanding any other provision of law, 
beginning 1 year after the date of enactment of this Act, no Federal 
agency may enter into a contract with a data broker to access for a fee 
any database consisting primarily of sensitive personally identifiable 
information concerning United States persons (other than news reporting 
or telephone directories) unless the head of the agency--
            (1) completes a privacy impact assessment under section 208 
        of the E-Government Act of 2002 (44 U.S.C. 3501 note), which 
        shall, subject to the provision in that Act pertaining to 
        sensitive information, include a description of--
                    (A) such database;
                    (B) the name of the data broker from whom it is 
                obtained; and
                    (C) the amount of the contract for use;
            (2) adopts regulations that specify--
                    (A) the personnel permitted to access, analyze, or 
                otherwise use such databases;
                    (B) standards governing the access, analysis, or 
                use of such databases;
                    (C) any standards used to ensure that the sensitive 
                personally identifiable information accessed, analyzed, 
                or used is the minimum necessary to accomplish the 
                intended legitimate purpose of the Federal agency;
                    (D) standards limiting the retention and 
                redisclosure of sensitive personally identifiable 
                information obtained from such databases;
                    (E) procedures ensuring that such data meet 
                standards of accuracy, relevance, completeness, and 
                timeliness;
                    (F) the auditing and security measures to protect 
                against unauthorized access, analysis, use, or 
                modification of data in such databases;
                    (G) applicable mechanisms by which individuals may 
                secure timely redress for any adverse consequences 
                wrongly incurred due to the access, analysis, or use of 
                such databases;
                    (H) mechanisms, if any, for the enforcement and 
                independent oversight of existing or planned 
                procedures, policies, or guidelines; and
                    (I) an outline of enforcement mechanisms for 
                accountability to protect individuals and the public 
                against unlawful or illegitimate access or use of 
                databases; and
            (3) incorporates into the contract or other agreement 
        totaling more than $500,000, provisions--
                    (A) providing for penalties--
                            (i) for failure to comply with title II of 
                        this Act; or
                            (ii) if the entity knows or has reason to 
                        know that the sensitive personally identifiable 
                        information being provided to the Federal 
                        department or agency is inaccurate, and 
                        provides such inaccurate information; and
                    (B) requiring a data broker that engages service 
                providers not subject to subtitle A of title II of this 
                Act for responsibilities related to sensitive 
                personally identifiable information to--
                            (i) exercise appropriate due diligence in 
                        selecting those service providers for 
                        responsibilities related to sensitive 
                        personally identifiable information;
                            (ii) take reasonable steps to select and 
                        retain service providers that are capable of 
                        maintaining appropriate safeguards for the 
                        security, privacy, and integrity of the 
                        sensitive personally identifiable information 
                        at issue; and
                            (iii) require such service providers, by 
                        contract, to implement and maintain appropriate 
                        measures designed to meet the objectives and 
                        requirements in title II of this Act.
    (c) Limitation on Penalties.--The penalties under subsection 
(b)(3)(A) shall not apply to a data broker providing information that 
is accurately and completely recorded from a public record source.
    (d) Study of Government Use.--
            (1) Scope of study.--Not later than 180 days after the date 
        of enactment of this Act, the Comptroller General of the United 
        States shall conduct a study and audit and prepare a report on 
        Federal agency actions to address the recommendations in the 
        Government Accountability Office's April 2006 report on agency 
        adherence to key privacy principles in using data brokers or 
        commercial databases containing sensitive personally 
        identifiable information.
            (2) Report.--A copy of the report required under paragraph 
        (1) shall be submitted to Congress.

SEC. 304. FBI REPORT ON REPORTED BREACHES AND COMPLIANCE.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, and each year thereafter, the Federal Bureau of 
Investigation, in coordination with the Secret Service, shall submit to 
the Committee on the Judiciary of the Senate and the Committee on the 
Judiciary of the House of Representatives a report regarding any 
reported breaches at agencies or business entities during the preceding 
year.
    (b) Report Content.--Such reporting shall include--
            (1) the total instances of breaches of security in the 
        previous year;
            (2) the percentage of breaches described in subsection (a) 
        that occurred at an agency or business entity that did not 
        comply with the personal data privacy and security program 
        under section 202; and
            (3) recommendations, if any, for modifying or amending this 
        Act to increase its effectiveness.

SEC. 305. DEPARTMENT OF JUSTICE REPORT ON ENFORCEMENT ACTIONS.

    Section 529 of title 28, United States Code, is amended by adding 
at the end the following:
    ``(c) Not later than 1 year after the date of enactment of the 
Personal Data Protection and Breach Accountability Act of 2014, and 
every fiscal year thereafter, the Attorney General shall submit to 
Congress a report on Federal enforcement actions, State attorneys 
general enforcement actions, and private enforcement actions, 
undertaken pursuant to the Personal Data Protection and Breach 
Accountability Act of 2014 that shall include a description of the best 
practices for enforcement of such Act as well as recommendations, if 
any, for modifying or amending this Act to increase the effectiveness 
of such enforcement actions.''.

SEC. 306. REPORT ON NOTIFICATION EFFECTIVENESS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, and each year thereafter, the designated entity, in 
coordination with the Attorney General and the Federal Trade 
Commission, shall submit to the Committee on the Judiciary of the 
Senate and the Committee on the Judiciary of the House of 
Representatives a report regarding the effectiveness of post-breach 
notification practices by agencies and business entities.
    (b) Report Content.--The report required under subsection (a) shall 
include--
            (1) in each instance of a breach of security, the amount of 
        time between the instance of the breach and the discovery of 
        the breach by the affected business entity;
            (2) in each instance of a breach of security, the amount of 
        time between the discovery of the breach by the affected 
        business entity and the notification to the Federal Bureau of 
        Investigation and the United States Secret Service; and
            (3) in each instance of a breach of security, the amount of 
        time between the discovery of the breach by the affected 
        business entity and the notification to individuals whose 
        sensitive personally identifiable information was compromised.

         TITLE IV--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

SEC. 401. BUDGET COMPLIANCE.

    The budgetary effects of this Act, for the purpose of complying 
with the Statutory Pay-As-You-Go Act of 2010, shall be determined by 
reference to the latest statement titled ``Budgetary Effects of PAYGO 
Legislation'' for this Act, submitted for printing in the Congressional 
Record by the Chairman of the Senate Budget Committee, provided that 
such statement has been submitted prior to the vote on passage.