[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1770 Introduced in House (IH)]

114th CONGRESS
  1st Session
                                H. R. 1770

     To require certain entities who collect and maintain personal 
 information of individuals to secure such information and to provide 
    notice to such individuals in the case of a breach of security 
          involving such information, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 14, 2015

  Mrs. Blackburn (for herself, Mr. Welch, Mr. Burgess, and Mr. Upton) 
 introduced the following bill; which was referred to the Committee on 
                          Energy and Commerce

_______________________________________________________________________

                                 A BILL

     To require certain entities who collect and maintain personal 
 information of individuals to secure such information and to provide 
    notice to such individuals in the case of a breach of security 
          involving such information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; PURPOSES.

    (a) Short Title.--This Act may be cited as the ``Data Security and 
Breach Notification Act of 2015''.
    (b) Purposes.--The purposes of this Act are to--
            (1) protect consumers from identity theft, economic loss or 
        economic harm, and financial fraud by establishing strong and 
        uniform national data security and breach notification 
        standards for electronic data in interstate commerce while 
        minimizing State law burdens that may substantially affect 
        interstate commerce; and
            (2) expressly preempt any related State laws to ensure 
        uniformity of this Act's standards and the consistency of their 
        application across jurisdictions.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

    A covered entity shall implement and maintain reasonable security 
measures and practices to protect and secure personal information in 
electronic form against unauthorized access as appropriate for the size 
and complexity of such covered entity and the nature and scope of its 
activities.

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

    (a) In General.--
            (1) Restoring security.--Except as otherwise provided by 
        this section, a covered entity that uses, accesses, transmits, 
        stores, disposes of, or collects personal information shall, 
        following the discovery of a breach of security, restore the 
        reasonable integrity, security, and confidentiality of the data 
        system.
            (2) Investigation.--A covered entity or breached covered 
        entity shall conduct in good faith a reasonable and prompt 
        investigation of the breach of security to determine whether 
        there is a reasonable risk that the breach of security has 
        resulted in, or will result in, identity theft, economic loss 
        or economic harm, or financial fraud to the individuals whose 
        personal information was subject to the breach of security.
            (3) Notification to individuals required.--Unless there is 
        no reasonable risk that the breach of security has resulted in, 
        or will result in, identity theft, economic loss or economic 
        harm, or financial fraud to the individuals whose personal 
        information was affected by the breach of security, the covered 
        entity, breached covered entity, or non-breached covered 
        entity, as the case may be, shall notify any resident of the 
        United States that has been affected by the breach of security 
        within the time specified in subsection (c).
            (4) Non-breached covered entity election notice.--
                    (A) Notice to non-breached covered entity 
                required.--Subject to the requirements of this 
                paragraph, in the event of a breach of security that 
                presents a reasonable risk that the breach of security 
                has resulted in, or will result in, identity theft, 
                economic loss or economic harm, or financial fraud to 
                individuals whose personal information or record is 
                described in the notice provided under this paragraph, 
                the breached covered entity shall, as expeditiously as 
                possible and without unreasonable delay within 10 days 
                after fulfilling the requirements described in 
                paragraph (1), notify in writing each non-breached 
                covered entity of the breach of security.
                    (B) Contents of notice.--The breached covered 
                entity shall include in the notice described in 
                subparagraph (A)--
                            (i) the elements of personal information 
                        reasonably believed to be affected by the 
                        breach of security;
                            (ii) an identification of the records 
                        received from the non-breached entity that have 
                        been, or are reasonably believed to have been, 
                        affected by the breach of security; and
                            (iii) whether there is a reasonable risk 
                        that the breach of security relating to such 
                        information and records has resulted in, or 
                        will result in, identity theft, economic loss 
                        or economic harm, or financial fraud.
                    (C) Election by non-breached covered entity after 
                receiving notice from a breached covered entity.--In 
                the case of a breached covered entity that is a party 
                to a written contract with a non-breached covered 
                entity in which the breached covered entity maintains, 
                stores, transmits, or processes data in electronic form 
                containing personal information identified in 
                subparagraph (B), not later than 10 days after receipt 
                of the notice described in subparagraph (A), the non-
                breached covered entity may elect, in writing to the 
                breached covered entity, to provide notification 
                required by paragraph (3) to the individuals described 
                in the notice. Such election relieves the breached 
                covered entity of the requirements under paragraph (3) 
                with respect to the individuals described in the 
                notice.
                    (D) Obligation after election.--
                            (i) Breached covered entity cooperation.--
                        If a non-breached covered entity elects under 
                        subparagraph (C) to provide notice under 
                        paragraph (3), the breached covered entity 
                        shall cooperate in all reasonable respects with 
                        the non-breached covered entity so that the 
                        notification to such individuals is made as 
                        required under this section. Not later than 10 
                        business days after the non-breached covered 
                        entity submits a written request for necessary 
                        information to the breached covered entity, the 
                        breached covered entity shall provide such 
                        information.
                            (ii) Non-breached covered entity 
                        cooperation.--If a non-breached covered entity 
                        does not elect to provide notice to individuals 
                        under subparagraph (C), the non-breached 
                        covered entity shall provide all required 
                        information about such individuals to, and 
                        cooperate in all reasonable respects with, the 
                        breached covered entity so that the 
                        notification to such individuals is made as 
                        required under this section. Not later than 10 
                        business days after the breached covered entity 
                        submits a written request for necessary 
                        information to the non-breached covered entity, 
                        the non-breached covered entity shall provide 
                        such information.
            (5) Law enforcement.--A covered entity shall as 
        expeditiously as possible notify the Commission and the Secret 
        Service or the Federal Bureau of Investigation of the fact that 
        a breach of security has occurred if the number of individuals 
        whose personal information was, or there is a reasonable basis 
        to conclude was, accessed or acquired by an unauthorized person 
        exceeds 10,000. Any notification provided to the Secret Service 
        or the Federal Bureau of Investigation pursuant to this 
        paragraph shall be provided not less than 10 days before 
        notification is provided to individuals pursuant to paragraph 
        (3).
    (b) Special Notification Requirements.--
            (1) Non-profit organizations.--In the event of a breach of 
        security involving personal information that would trigger 
        notification under subsection (a), a non-profit organization 
        may complete such notification according to the procedures set 
        forth in subsection (d)(2).
            (2) Coordination of notification with consumer reporting 
        agencies.--If a covered entity is required to provide 
        notification to more than 10,000 individuals under subsection 
        (a), such covered entity shall also notify a consumer reporting 
        agency that compiles and maintains files on consumers on a 
        nationwide basis, of the timing and distribution of the 
        notices. Such notice shall be given to such consumer reporting 
        agencies without unreasonable delay and, if it will not delay 
        notice to the affected individuals, prior to the distribution 
        of notices to the affected individuals.
    (c) Timeliness of Notification.--
            (1) In general.--Unless subject to a delay authorized under 
        paragraph (2), a breached covered entity shall make the 
        notification required under subsection (a)(3) within 25 days 
        after the non-breached covered entity declines or fails to 
        exercise the election under subsection (a)(4)(C), a non-
        breached covered entity shall make the notification required 
        under subsection (a)(3) within 25 days after exercising the 
        election under subsection (a)(4)(C), and any other covered 
        entity shall identify the individuals affected by a breach of 
        security and make the notification required under subsection 
        (a) as expeditiously as possible and without unreasonable 
        delay, not later than 30 days after completing the requirements 
        of subsection (a)(1). If a covered entity has provided the 
        notification to individuals required under subsection (a) and 
        after such notification discovers additional individuals to 
        whom notification is required under such subsection with 
        respect to the same breach of security, the covered entity 
        shall make such notification to such individuals as 
        expeditiously as possible and without unreasonable delay.
            (2) Delay of notification authorized for law enforcement or 
        national security purposes.--Notwithstanding paragraph (1), if 
        a Federal, State, or local law enforcement agency determines 
        that the notification to individuals required under this 
        section would impede a civil or criminal investigation or a 
        Federal agency determines that such notification would threaten 
        national security, such notification shall be delayed upon 
        written request of the law enforcement agency or Federal agency 
        which the law enforcement agency or Federal agency determines 
        is reasonably necessary and requests in writing. A law 
        enforcement agency or Federal agency may, by a subsequent 
        written request, revoke such delay or extend the period of time 
        set forth in the original request made under this paragraph if 
        further delay is necessary. If a law enforcement agency or 
        Federal agency requests a delay of notification to individuals 
        under this paragraph, the Commission shall, upon written 
        request of the law enforcement agency or Federal agency, delay 
        any public disclosure of a notification received by the 
        Commission under this section relating to the same breach of 
        security until the delay of notification to individuals is no 
        longer in effect.
    (d) Method and Content of Notification.--
            (1) Direct notification.--
                    (A) Method of notification.--A covered entity 
                required to provide notification to an individual under 
                subsection (a) shall be in compliance with such 
                requirement if the covered entity provides such notice 
                by one of the following methods (if the selected method 
                can reasonably be expected to reach the intended 
                individual):
                            (i) Written notification by postal mail.
                            (ii) Notification by email or other 
                        electronic means, if--
                                    (I) the covered entity's primary 
                                method of communication with the 
                                individual is by email or such other 
                                electronic means or the individual has 
                                consented to receive such notification; 
                                and
                                    (II) the email or other electronic 
                                means does not contain a hyperlink.
                    (B) Content of notification.--Regardless of the 
                method by which notification is provided to an 
                individual under subparagraph (A) with respect to a 
                breach of security, such notification shall include 
                each of the following:
                            (i) The identity of the covered entity that 
                        suffered the breach and, if such covered entity 
                        is also a breached covered entity providing 
                        notice under section 3(b)(1), the identity of 
                        each non-breached covered entity that did not 
                        elect to notify affected individuals pursuant 
                        to section 3(b)(1)(B) sufficient to show the 
                        breached covered entity's commercial 
                        relationship to the individual receiving 
                        notice.
                            (ii) A description of the personal 
                        information that was, or there is a reasonable 
                        basis to conclude was, acquired or accessed by 
                        an unauthorized person.
                            (iii) The date range of the breach of 
                        security, or an approximate date range of the 
                        breach of security if a specific date range is 
                        unknown based on the information available at 
                        the time of the notification.
                            (iv) A telephone number, or toll-free 
                        telephone number for any covered entity that 
                        does not meet the definition of a small 
                        business concern or non-profit organization, 
                        that the individual may use to contact the 
                        covered entity to inquire about the breach of 
                        security or the information the covered entity 
                        maintained about that individual.
                            (v) The toll-free contact telephone numbers 
                        and addresses for a consumer reporting agency 
                        that compiles and maintains files on consumers 
                        on a nationwide basis.
                            (vi) The toll-free telephone number and 
                        Internet website address for the Commission 
                        whereby the individual may obtain information 
                        regarding identity theft.
            (2) Substitute notification.--
                    (A) In general.--If, after making reasonable 
                efforts to contact all individuals to whom notice is 
                required under subsection (a), the covered entity finds 
                that contact information for 500 or more individuals is 
                insufficient or out-of-date, the covered entity shall 
                also provide substitute notice to those individuals, 
                which shall be reasonably calculated to reach the 
                individuals affected by the breach of security.
                    (B) Form of substitute notification.--A covered 
                entity may provide substitute notification by--
                            (i) email or other electronic notification 
                        to the extent that the covered entity has 
                        contact information for individuals to whom it 
                        is required to provide notification under 
                        subsection (a) and provided such email or 
                        electronic means does not contain a hyperlink; 
                        and
                            (ii) a conspicuous notice on the covered 
                        entity's Internet website (if such covered 
                        entity maintains such a website) for at least 
                        90 days.
                    (C) Content of substitute notice.--Each form of 
                substitute notice under clauses (i) and (ii) of 
                subparagraph (B) shall include the information required 
                under paragraph (1)(B).
            (3) Direct notification by a third party.--Nothing in this 
        Act shall be construed to prevent a covered entity from 
        contracting with a third party to provide the notification 
        required under this section, provided such third party issues 
        such notification without unreasonable delay, in accordance 
        with the requirements of this section, and indicates to all 
        individuals in such notification that such third party is 
        sending such notification on behalf of the covered entity.
    (e) Requirements of Service Providers.--
            (1) In general.--If a service provider becomes aware of a 
        breach of security involving data in electronic form containing 
        personal information that is owned or licensed by a covered 
        entity that connects to or uses a system or network provided by 
        the service provider for the purpose of transmitting, routing, 
        or providing intermediate or transient storage of such data, 
        such service provider shall notify the covered entity who 
        initiated such connection, transmission, routing, or storage of 
        the data containing personal information breached, if such 
        covered entity can be reasonably identified. If a service 
        provider is acting solely as a service provider for purposes of 
        this subsection, the service provider has no other notification 
        obligations under this section.
            (2) Covered entities who receive notice from service 
        providers.--Upon receiving notification from a service provider 
        under paragraph (1), a covered entity shall provide 
        notification as required under this section.

SEC. 4. ENFORCEMENT.

    (a) Enforcement by the Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        section 2 or 3 shall be treated as an unfair and deceptive act 
        or practice in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of commission.--The Commission shall enforce 
        this Act in the same manner, by the same means, and with the 
        same jurisdiction, powers, and duties as though all applicable 
        terms and provisions of the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.) were incorporated into and made a part of 
        this Act, and any covered entity who violates this Act shall be 
        subject to the penalties and entitled to the privileges and 
        immunities provided in the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.), and as provided in clauses (ii) and (iii) 
        of section 5(4)(A).
    (b) Enforcement by State Attorneys General.--
            (1) Civil action.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by any covered entity who violates section 2 
        or 3 of this Act, the attorney general of the State, as parens 
        patriae, may bring a civil action on behalf of the residents of 
        the State in a district court of the United States of 
        appropriate jurisdiction to--
                    (A) enjoin further violation of such section by the 
                defendant;
                    (B) compel compliance with such section; or
                    (C) obtain civil penalties in the amount determined 
                under paragraph (2).
            (2) Civil penalties.--
                    (A) Calculation.--
                            (i) Treatment of violations of section 2.--
                        For purposes of paragraph (1)(C) with regard to 
                        a violation of section 2, the amount determined 
                        under this paragraph is the amount calculated 
                        by multiplying the number of days that a 
                        covered entity is not in compliance with such 
                        section by an amount not greater than $11,000.
                            (ii) Treatment of violations of section 
                        3.--For purposes of paragraph (1)(C) with 
                        regard to a violation of section 3, the amount 
                        determined under this paragraph is the amount 
                        calculated by multiplying the number of 
                        violations of such section by an amount not 
                        greater than $11,000. Each failure to send 
                        notification as required under section 3 to a 
                        resident of the State shall be treated as a 
                        separate violation.
                    (B) Maximum total liability.--Notwithstanding the 
                number of actions which may be brought against a 
                covered entity under this subsection, the maximum civil 
                penalty for which any covered entity may be liable 
                under this subsection shall not exceed--
                            (i) $2,500,000 for each violation of 
                        section 2; and
                            (ii) $2,500,000 for all violations of 
                        section 3 resulting from a single breach of 
                        security.
                    (C) Adjustment for inflation.--Beginning on the 
                date that the Consumer Price Index is first published 
                by the Bureau of Labor Statistics that is after one 
                year after the date of enactment of this Act, and each 
                year thereafter, the amounts specified in clauses (i) 
                and (ii) of subparagraph (A) and clauses (i) and (ii) 
                of subparagraph (B) shall be increased by the 
                percentage increase in the Consumer Price Index 
                published on that date from the Consumer Price Index 
                published the previous year.
                    (D) Penalty factors.--In determining the amount of 
                such a civil penalty, the degree of culpability, any 
                history of prior such conduct, ability to pay, effect 
                on ability to continue to do business, and such other 
                matters as justice may require shall be taken into 
                account.
            (3) Intervention by the federal trade commission.--
                    (A) Notice and intervention.--In all cases, the 
                State shall provide prior written notice of any action 
                under paragraph (1) to the Commission and provide the 
                Commission with a copy of its complaint, except in any 
                case in which such prior notice is not feasible, in 
                which case the State shall serve such notice 
                immediately upon instituting such action. The 
                Commission shall have the right--
                            (i) to intervene in the action;
                            (ii) upon so intervening, to be heard on 
                        all matters arising therein; and
                            (iii) to file petitions for appeal.
                    (B) Pending proceedings.--If the Federal Trade 
                Commission initiates a Federal civil action for a 
                violation of this Act, no State attorney general may 
                bring an action for a violation of this Act that 
                resulted from the same or related acts or omissions 
                against a defendant named in the civil action initiated 
                by the Federal Trade Commission.
            (4) Construction.--For purposes of bringing any civil 
        action under paragraph (1), nothing in this Act shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
    (c) No Private Cause of Action.--Nothing in this Act shall be 
construed to establish a private cause of action against a person for a 
violation of this Act.

SEC. 5. DEFINITIONS.

    In this Act:
            (1) Breach of security.--The term ``breach of security''--
                    (A) means a compromise of the security, 
                confidentiality, or integrity of, or loss of, data in 
                electronic form that results in, or there is a 
                reasonable basis to conclude has resulted in, 
                unauthorized access to or acquisition of personal 
                information from a covered entity; and
                    (B) does not include the good faith acquisition of 
                personal information by an employee or agent of the 
                covered entity for the purposes of the covered entity, 
                if the personal information is not used or subject to 
                further unauthorized disclosure.
            (2) Breached covered entity.--The term ``breached covered 
        entity'' means a covered entity that has incurred a breach of 
        security affecting data in electronic form containing personal 
        information of a non-breached covered entity that has directly 
        contracted the breached covered entity to maintain, store, or 
        process data in electronic form containing personal information 
        on behalf of such non-breached covered entity. For purposes of 
        this definition, the term ``breached covered entity'' shall not 
        include a service provider.
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Consumer reporting agency that compiles and maintains 
        files on consumers on a nationwide basis.--The term ``consumer 
        reporting agency that compiles and maintains files on consumers 
        on a nationwide basis'' has the meaning given that term in 
        section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 
        1681a(p)).
            (5) Covered entity.--
                    (A) In general.--The term ``covered entity'' 
                means--
                            (i) a sole proprietorship, partnership, 
                        corporation, trust, estate, cooperative, 
                        association, or other entity in or affecting 
                        commerce that acquires, maintains, stores, 
                        sells, or otherwise uses data in electronic 
                        form that includes personal information, over 
                        which the Commission has authority pursuant to 
                        section 5(a)(2) of the Federal Trade Commission 
                        Act (15 U.S.C. 45(a)(2));
                            (ii) notwithstanding section 5(a)(2) of the 
                        Federal Trade Commission Act (15 U.S.C. 
                        45(a)(2)), common carriers subject to the 
                        Communications Act of 1934 (47 U.S.C. 151 et 
                        seq.); and
                            (iii) notwithstanding any jurisdictional 
                        limitation of the Federal Trade Commission Act 
                        (15 U.S.C. 41 et seq.), any non-profit 
                        organization.
                    (B) Exceptions.--The term ``covered entity'' does 
                not include--
                            (i) a covered entity, as defined in section 
                        160.103 of title 45, Code of Federal 
                        Regulations;
                            (ii) a business associate, as defined in 
                        section 160.103 of title 45, Code of Federal 
                        Regulations, acting in its capacity as a 
                        business associate;
                            (iii) if a covered entity, as defined in 
                        section 160.103 of title 45, Code of Federal 
                        Regulations, is a hybrid entity, as defined in 
                        section 164.105 of title 45, Code of Federal 
                        Regulations, then the health care component of 
                        such hybrid entity;
                            (iv) a broker, dealer, investment adviser, 
                        or person engaged in providing insurance that 
                        is subject to title V of Public Law 106-102 (15 
                        U.S.C. 6801 et seq.); or
                            (v) a State-chartered credit union, as 
                        defined in section 101(6) of the Federal Credit 
                        Union Act (12 U.S.C. 1752(6)), that is not an 
                        insured credit union as defined in section 
                        101(7) of such Act (12 U.S.C. 1752(7)).
            (6) Data in electronic form.--The term ``data in electronic 
        form'' means any data stored electronically or digitally on any 
        computer system or other database and includes recordable tapes 
        and other mass storage devices.
            (7) Encrypted.--The term ``encrypted'', used with respect 
        to data in electronic form, in storage or in transit--
                    (A) means the data is protected using an encryption 
                technology that has been generally accepted by experts 
                in the field of information security at the time the 
                breach of security occurred that renders such data 
                indecipherable in the absence of associated 
                cryptographic keys necessary to enable decryption of 
                such data; and
                    (B) includes appropriate management and safeguards 
                of such cryptographic keys in order to protect the 
                integrity of the encryption.
            (8) Non-breached covered entity.--The term ``non-breached 
        covered entity'' means a covered entity that has not incurred 
        the breach of security involving data in electronic form 
        containing personal information that it owns or licenses but 
        whose data has been affected by the breach of security incurred 
        by a breached covered entity it directly contracts to maintain, 
        store, or process data in electronic form containing personal 
        information on behalf of the non-breached covered entity.
            (9) Non-profit organization.--The term ``non-profit 
        organization'' means an organization that is described in 
        section 501(c)(3) of the Internal Revenue Code of 1986 and 
        exempt from tax under section 501(a) of such Code.
            (10) Personal information.--
                    (A) In general.--The term ``personal information'' 
                means any information or compilation of information in 
                electronic form that includes the following:
                            (i) An individual's first and last name or 
                        first initial and last name in combination with 
                        any one of the following data elements:
                                    (I) A driver's license number, 
                                passport number, or alien registration 
                                number or other government-issued 
                                unique identification number.
                                    (II) Any two of the following:
                                            (aa) Home address or 
                                        telephone number.
                                            (bb) Mother's maiden name, 
                                        if identified as such.
                                            (cc) Month, day, and year 
                                        of birth.
                            (ii) A financial account number or credit 
                        or debit card number or other identifier, in 
                        combination with any security code, access 
                        code, or password that is required for an 
                        individual to obtain credit, withdraw funds, or 
                        engage in a financial transaction.
                            (iii) A unique account identifier (other 
                        than for an account described in clause (ii)), 
                        electronic identification number, biometric 
                        data unique to an individual, user name, or 
                        routing code in combination with any associated 
                        security code, access code, biometric data 
                        unique to an individual, or password that is 
                        required for an individual to obtain money, or 
                        purchase goods, services, or any other thing of 
                        value.
                            (iv) A non-truncated social security 
                        number.
                            (v) For any telecommunications carrier or 
                        interconnected VoIP provider, the location of, 
                        number from which and to which a call is 
                        placed, and the time and duration of such call.
                    (B) Exceptions.--The term ``personal information'' 
                does not include--
                            (i) information that is encrypted or 
                        rendered unusable, unreadable, or 
                        indecipherable through data security technology 
                        or methodology that is generally accepted by 
                        experts in the field of information security at 
                        the time the breach of security occurred, such 
                        as redaction or access controls; or
                            (ii) information available in a publicly 
                        available source, including information 
                        obtained from a news report, periodical, or 
                        other widely distributed media, or from 
                        Federal, State, or local government records.
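The definition in paragraph (10) is combinatorial: a name alone is not personal information, but a name plus a government identifier, or a name plus any two of the address/telephone, mother's maiden name and full date of birth elements, is; a truncated social security number is out, a full one is in on its own; and the exceptions in subparagraph (B) remove elements that were encrypted or redacted (with keys intact, per paragraph (7)(B)) or that came from a public source. The following is an added illustration, not text from H.R. 1770 or any agency guidance: a small classifier that applies paragraph (10) to one record from a breached data set and reports which clauses it satisfies. The field names, record layout and sample records are assumptions made for this example.

```python
"""
Added illustration for the definition of "personal information" in section
5(10) of H.R. 1770.  Example code, not text or policy from the bill; the
field names, record layout and sample records are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Field:
    """One data element as it sat in the breached store."""
    value: str
    protected: bool = False  # encrypted/redacted/access-controlled, 5(10)(B)(i)
    public: bool = False     # taken from a publicly available source, 5(10)(B)(ii)


Record = Dict[str, Field]


def usable(record: Record, name: str) -> bool:
    """True when the element is present and not excluded by 5(10)(B).

    Mark a field ``protected`` only if the keys were NOT exposed too: under
    5(7)(B) "encrypted" includes safeguarding the cryptographic keys.
    """
    f = record.get(name)
    return f is not None and bool(f.value) and not (f.protected or f.public)


def is_full_ssn(value: str) -> bool:
    """5(10)(A)(iv) covers only a non-truncated SSN: all nine digits present."""
    return len(re.sub(r"\D", "", value)) == 9


def triggered_clauses(record: Record, telecom_carrier: bool = False) -> List[str]:
    """Return the clauses of 5(10)(A) this record satisfies (empty if none)."""
    hits: List[str] = []

    if usable(record, "name"):  # first and last name, or first initial and last name
        if usable(record, "government_id"):  # licence, passport, alien reg., other gov ID
            hits.append("5(10)(A)(i)(I)")
        # (aa) address OR telephone is one element; any two of (aa),(bb),(cc) needed
        elements = [
            usable(record, "home_address") or usable(record, "telephone"),
            usable(record, "mothers_maiden_name"),  # only if labelled as such
            usable(record, "date_of_birth"),        # month, day and year
        ]
        if sum(elements) >= 2:
            hits.append("5(10)(A)(i)(II)")

    credential = any(usable(record, c) for c in ("security_code", "access_code", "password"))

    if usable(record, "financial_account") and credential:  # account or card number
        hits.append("5(10)(A)(ii)")

    # Biometric data is listed on both sides of clause (iii); it is modelled
    # here only as the credential so a lone biometric cannot pair with itself.
    identifier = any(
        usable(record, i) for i in ("account_id", "electronic_id", "username", "routing_code")
    )
    if identifier and (credential or usable(record, "biometric")):
        hits.append("5(10)(A)(iii)")

    if usable(record, "ssn") and is_full_ssn(record["ssn"].value):
        hits.append("5(10)(A)(iv)")

    if telecom_carrier and usable(record, "call_detail_record"):  # location, numbers, time, duration
        hits.append("5(10)(A)(v)")

    return hits


# Constructed sample records (fictitious values, not real people).
ENCRYPTED_CARD: Record = {
    "name": Field("J. Doe"),
    "home_address": Field("12 Example Street"),
    "date_of_birth": Field("1980-01-02"),
    "ssn": Field("***-**-6789"),                                      # truncated: not (iv)
    "financial_account": Field("4111111111111111", protected=True),   # keys stayed safe
    "security_code": Field("123"),
}
CREDENTIAL_DUMP: Record = {
    "username": Field("jdoe"),
    "password": Field("hunter2"),
    "ssn": Field("123-45-6789"),
}
PUBLIC_ONLY: Record = {
    "name": Field("J. Doe"),
    "home_address": Field("12 Example Street", public=True),  # copied from a directory
    "telephone": Field("555-0100"),
}

if __name__ == "__main__":
    for label, rec in (("encrypted card", ENCRYPTED_CARD),
                       ("credential dump", CREDENTIAL_DUMP),
                       ("public only", PUBLIC_ONLY)):
        print(f"{label}: {triggered_clauses(rec) or 'not personal information'}")
```

Two points the samples make that the text alone does not: the encrypted card number drops out of clause (ii) only because the record is marked as having its keys intact, so an incident responder has to establish key exposure before relying on the exception; and the credential dump with no name at all is still personal information, because clauses (iii) and (iv) do not require one.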
            (11) Service provider.--The term ``service provider'' means 
        a covered entity subject to the Communications Act of 1934 (47 
        U.S.C. 151 et seq.) that provides electronic data transmission, 
        routing, intermediate and transient storage, or connection to 
        its system or network, where such entity providing such service 
        does not select or modify the content of the electronic data, 
        is not the sender or the intended recipient of the data, and 
        does not differentiate personal information from other 
        information that such entity transmits, routes, stores, or for 
        which such entity provides connections. Any such entity shall 
        be treated as a service provider under this Act only to the 
        extent that it is engaged in the provision of such 
        transmission, routing, intermediate and transient storage, or 
        connections.
            (12) Small business concern.--The term ``small business 
        concern'' has the meaning given such term under section 3 of 
        the Small Business Act (15 U.S.C. 632).
            (13) State.--The term ``State'' means each of the several 
        States, the District of Columbia, the Commonwealth of Puerto 
        Rico, Guam, American Samoa, the Virgin Islands of the United 
        States, the Commonwealth of the Northern Mariana Islands, any 
        other territory or possession of the United States, and each 
        federally recognized Indian tribe.

SEC. 6. EFFECT ON OTHER LAWS.

    (a) Preemption of State Information Security Laws.--No State or 
political subdivision of a State shall, with respect to a covered 
entity subject to this Act, adopt, maintain, enforce, or impose or 
continue in effect any law, rule, regulation, duty, requirement, 
standard, or other provision having the force and effect of law 
relating to or with respect to the security of data in electronic form 
or notification following a security breach of such data.
    (b) Common Law.--This section shall not exempt a covered entity 
from liability under common law.
    (c) Certain FTC Enforcement Limited to Data Security and Breach 
Notification.--
            (1) Data security and breach notification.--Insofar as 
        sections 201, 202, 222, 338, and 631 of the Communications Act 
        of 1934 (47 U.S.C. 201, 202, 222, 338, and 551), and any 
        regulations promulgated thereunder, apply to covered entities 
        with respect to securing information in electronic form from 
        unauthorized access, including notification of unauthorized 
        access to data in electronic form containing personal 
        information, such sections and regulations promulgated 
        thereunder shall have no force or effect, unless such 
        regulations pertain solely to 9-1-1 calls.
            (2) Rule of construction.--Nothing in this subsection 
        otherwise limits the Federal Communications Commission's 
        authority with respect to sections 201, 202, 222, 338, and 631 
        of the Communications Act of 1934 (47 U.S.C. 201, 202, 222, 
        338, and 551).
    (d) Preservation of Commission Authority.--Nothing in this Act may 
be construed in any way to limit or affect the Commission's authority 
under any other provision of law.

SEC. 7. EDUCATION AND OUTREACH FOR SMALL BUSINESSES.

    The Commission shall conduct education and outreach for small 
business concerns on data security practices and how to prevent hacking 
and other unauthorized access to, acquisition of, or use of data 
maintained by such small business concerns.

SEC. 8. WEBSITE ON DATA SECURITY BEST PRACTICES.

    The Commission shall establish and maintain an Internet website 
containing non-binding best practices for businesses regarding data 
security and how to prevent hacking and other unauthorized access to, 
acquisition of, or use of data maintained by such businesses.

SEC. 9. EFFECTIVE DATE.

    This Act shall take effect 1 year after the date of enactment of 
this Act.