[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3975 Introduced in House (IH)]

115th CONGRESS
  1st Session
                                H. R. 3975

 To require covered entities to provide notification in the case of a 
 breach of unsecured sensitive personally identifiable information in 
          electronic or digital form, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 5, 2017

 Mr. Correa (for himself, Ms. Norton, Ms. Hanabusa, and Mr. Brendan F. 
    Boyle of Pennsylvania) introduced the following bill; which was 
            referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL

 To require covered entities to provide notification in the case of a 
 breach of unsecured sensitive personally identifiable information in 
          electronic or digital form, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Breach Notification Act of 
2017''.

SEC. 2. NOTIFICATION OF INFORMATION SECURITY BREACH.

    (a) Notification Required.--
            (1) By covered entity.--A covered entity that collects, 
        uses, accesses, transmits, stores, or disposes of unsecured 
        sensitive personally identifiable information in electronic or 
        digital form shall, in the case of a breach of such information 
        that is discovered by the covered entity, notify--
                    (A) appropriate Federal agencies;
                    (B) each individual whose unsecured sensitive 
                personally identifiable information has been, or is 
                reasonably believed by the covered entity to have been, 
                accessed, acquired, or disclosed as a result of such 
                breach;
                    (C) the attorney general of each State in which an 
                individual described in subparagraph (B) resides; and
                    (D) if there are 500 or more individuals described 
                in subparagraph (B) who reside in a State or other 
                jurisdiction, prominent media outlets serving such 
                State or other jurisdiction.
            (2) By third party.--
                    (A) To covered entity.--A third party that 
                collects, uses, accesses, transmits, stores, or 
                disposes of unsecured sensitive personally identifiable 
                information in electronic or digital form that is owned 
                or licensed by a covered entity shall, following the 
                discovery of a breach of such information, notify the 
                covered entity of such breach. Such notification shall 
                include the identification of each individual whose 
                unsecured sensitive personally identifiable information 
                has been, or is reasonably believed by the third party 
                to have been, accessed, acquired, or disclosed during 
                such breach and the information described in paragraphs 
                (1), (2), and (4) of subsection (d) with respect to 
                such breach. The covered entity shall make the 
                notifications required by paragraph (1) with respect to 
                such breach.
                    (B) To ftc and fbi.--If there are 500 or more 
                individuals described in subparagraph (A) with respect 
                to a breach, the third party shall provide the 
                notification required by such subparagraph to the 
                Commission and the Federal Bureau of Investigation, as 
                well as to the covered entity. Notification by the 
                third party under this subparagraph does not relieve 
                the covered entity of the requirement to notify the 
                Commission and the Federal Bureau of Investigation 
                under paragraph (1)(A).
    (b) Timeliness of Notification.--
            (1) In general.--All notifications required under 
        subsection (a) shall be made in the most expedient time 
        possible and without unreasonable delay, but in no case later 
        than 30 calendar days after the discovery of a breach by the 
        covered entity involved (or by the third party involved in the 
        case of a notification required under subsection (a)(2)(A)).
            (2) Expedited notification to ftc and fbi.--Notwithstanding 
        paragraph (1), if there are 500 or more individuals to which a 
        covered entity is required to provide notification of a breach 
        under subsection (a)(1)(B), the covered entity shall notify the 
        Commission and the Federal Bureau of Investigation of such 
        breach as required under subsection (a)(1)(A) not later than 48 
        hours after the discovery of such breach by the covered entity.
            (3) Expedited notification by third parties.--
        Notwithstanding paragraph (1), a third party subject to 
        subsection (a)(2)(B) with respect to a breach shall make the 
        notifications required by such subsection not later than 48 
        hours after discovery of the breach by the third party.
            (4) Burden of proof.--The covered entity involved (or the 
        third party involved in the case of a notification required 
        under subsection (a)(2)) shall have the burden of demonstrating 
        that all notifications were made as required under subsection 
        (a), including evidence demonstrating the necessity of any 
        delay.
            (5) Breaches treated as discovered.--For purposes of this 
        section, a breach shall be treated as discovered by a covered 
        entity or, in the case of a breach described in subsection 
        (a)(2), by a third party, as of the first day on which such 
        breach is known to such covered entity or third party, 
        respectively (including any person, other than the individual 
        committing the breach, that is an employee, officer, or other 
        agent of such covered entity or third party, respectively) or 
        should reasonably have been known to such covered entity or 
        third party (or person) to have occurred.
    (c) Methods of Individual Notification.--Notification required to 
be provided to an individual under subsection (a)(1)(B) with respect to 
a breach shall be provided in the following form:
            (1) Written notification by first-class mail to the 
        individual (or the next of kin of the individual if the 
        individual is deceased) at the last known address of the 
        individual or the next of kin, respectively, or, if specified 
        as a preference by the individual, by electronic mail. The 
        notification may be provided in one or more mailings as 
        information is available.
            (2) In the case in which there is insufficient or out-of-
        date contact information (including a phone number, email 
        address, or any other form of appropriate communication) that 
        precludes direct written or (if specified by the individual) 
        electronic notification to the individual, a substitute form of 
        notification shall be provided, including, in the case that 
        there are 500 or more individuals for which there is 
        insufficient or out-of-date contact information, a conspicuous 
        posting for a minimum of 30 days on the homepage of the website 
        of the covered entity involved. Such a website posting shall 
        include a toll-free telephone number that an individual can 
        call to learn whether or not the individual's unsecured 
        sensitive personally identifiable information is possibly 
        included in the breach.
            (3) In any case considered by the covered entity involved 
        to require urgency because of possible imminent misuse of 
        unsecured sensitive personally identifiable information, the 
        covered entity, in addition to notification as required by 
        paragraphs (1) and (2), may provide information to individuals 
        by telephone or other means, as appropriate.
    (d) Content of Notification.--Each notification of a breach under 
subsection (a)(1) shall include, to the extent possible, the following:
            (1) A brief description of what happened, including the 
        date of the breach and the date of the discovery of the breach, 
        if known.
            (2) A description of the types of unsecured sensitive 
        personally identifiable information that were involved in the 
        breach.
            (3) The steps individuals should take to protect themselves 
        from potential harm resulting from the breach.
            (4) A brief description of what the entity involved is 
        doing to investigate the breach, to mitigate losses, and to 
        protect against any further breaches.
            (5) Contact procedures for individuals to ask questions or 
        learn additional information, which shall include a toll-free 
        telephone number, an e-mail address, a website, and a postal 
        address.
    (e) Posting on FTC Public Website.--The Commission shall make 
available to the public on the website of the Commission a list that 
identifies each covered entity that is required to notify 500 or more 
individuals of a breach under subsection (a)(1)(B), except to the 
extent notification with respect to such breach is subject to a delay 
for law enforcement or national security purposes under subsection (f).
    (f) Delay of Notification for Law Enforcement or National 
Security.--
            (1) In general.--If the Director of the Federal Bureau of 
        Investigation determines that the notifications required under 
        subparagraphs (B), (C), and (D) of subsection (a)(1) would 
        impede a criminal investigation or national security activity, 
        the time period for such notifications shall be extended 30 
        days upon written notice from the Director to the covered 
        entity that experienced the breach and to the Commission.
            (2) Extended delay of notification.--If the time period for 
        notification required under subparagraphs (B), (C), and (D) of 
        subsection (a)(1) is extended pursuant to paragraph (1), a 
        covered entity shall provide the notification within such time 
        period unless the Director of the Federal Bureau of 
        Investigation provides written notice to the covered entity and 
        to the Commission that further extension of the time period is 
        necessary. The Director may extend the time period for 
        additional periods of up to 30 days each.
            (3) Immunity.--No cause of action for which jurisdiction is 
        based under section 1346(b) of title 28, United States Code, 
        shall lie against any Federal law enforcement agency for acts 
        relating to the extension of the deadline for notification for 
        law enforcement or national security purposes under this 
        subsection.

SEC. 3. ENFORCEMENT BY FEDERAL TRADE COMMISSION; REGULATIONS.

    (a) Unfair or Deceptive Acts or Practices.--A violation of this Act 
or a regulation promulgated under this Act shall be treated as a 
violation of a regulation under section 18(a)(1)(B) of the Federal 
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or 
deceptive acts or practices.
    (b) Powers of Commission.--The Commission shall enforce this Act 
and the regulations promulgated under this Act in the same manner, by 
the same means, and with the same jurisdiction, powers, and duties as 
though all applicable terms and provisions of the Federal Trade 
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a 
part of this Act. Any person who violates this Act or a regulation 
promulgated under this Act shall be subject to the penalties and 
entitled to the privileges and immunities provided in the Federal Trade 
Commission Act.
    (c) Regulations.--Not later than 180 days after the date of the 
enactment of this Act, the Commission shall promulgate regulations in 
accordance with section 553 of title 5, United States Code, to 
implement this Act.

SEC. 4. REPORTS TO CONGRESS.

    (a) In General.--Not later than 12 months after the date of the 
enactment of this Act and annually thereafter, the Commission shall 
prepare and submit to the Committee on Energy and Commerce of the House 
of Representatives and the Committee on Commerce, Science, and 
Transportation of the Senate a report containing information regarding 
breaches for which notification was provided to the Commission under 
section 2(a)(1)(A).
    (b) Information Required.--Such information shall include--
            (1) the number and nature of such breaches;
            (2) the number of individuals affected; and
            (3) actions taken in response to such breaches.

SEC. 5. EXCLUDED ENTITIES.

    Nothing in this Act, or the regulations promulgated under this Act, 
shall apply to--
            (1) covered entities to the extent that such entities act 
        as covered entities or business associates (as such terms are 
        defined in section 13400 of the Health Information Technology 
        for Economic and Clinical Health Act (42 U.S.C. 17921)) that 
        are subject to section 13402 of such Act (42 U.S.C. 17932); and
            (2) covered entities to the extent that they act as vendors 
        of personal health records (as such term is defined in section 
        13400 of such Act (42 U.S.C. 17921)) and third-party service 
        providers that are subject to section 13407 of such Act (42 
        U.S.C. 17937).

SEC. 6. DEFINITIONS.

    In this Act:
            (1) Appropriate federal agency.--The term ``appropriate 
        Federal agency'' means--
                    (A) the Commission;
                    (B) the Federal Bureau of Investigation; and
                    (C) any other Federal agency specified by the 
                Commission by regulation, which may include a 
                specification of different Federal agencies depending 
                on the types of activities in which covered entities 
                are engaged.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Covered entity.--The term ``covered entity'' means any 
        person, partnership, or corporation over which the Commission 
        has jurisdiction under section 5(a)(2) of the Federal Trade 
        Commission Act (15 U.S.C. 45(a)(2)).
            (4) Sensitive personally identifiable information.--
                    (A) In general.--The term ``sensitive personally 
                identifiable information'' means any information, or 
                compilation of information, in electronic or digital 
                form that includes one or more of the following:
                            (i) An individual's first and last name or 
                        first initial and last name in combination with 
                        any two of the following data elements:
                                    (I) Home address or telephone 
                                number.
                                    (II) Mother's maiden name.
                                    (III) Month, day, and year of 
                                birth.
                            (ii) A Social Security number (but not 
                        including only the last four digits of a Social 
                        Security number), driver's license number, 
                        passport number, or alien registration number 
                        or other Government-issued unique 
                        identification number.
                            (iii) Unique biometric data such as a 
                        finger print, voice print, a retina or iris 
                        image, or any other unique physical 
                        representation.
                            (iv) A unique account identifier, including 
                        a financial account number or credit or debit 
                        card number, electronic identification number, 
                        user name, or routing code.
                            (v) A user name or electronic mail address, 
                        in combination with a password or security 
                        question and answer that would permit access to 
                        an online account.
                            (vi) Any combination of the following data 
                        elements:
                                    (I) An individual's first and last 
                                name or first initial and last name.
                                    (II) A unique account identifier, 
                                including a financial account number or 
                                credit or debit card number, electronic 
                                identification number, user name, or 
                                routing code.
                                    (III) Any security code, access 
                                code, or password, or source code that 
                                could be used to generate such codes or 
                                passwords.
                    (B) Modified definition by rulemaking.--The 
                Commission may, by rule promulgated under section 553 
                of title 5, United States Code, amend the definition of 
                ``sensitive personally identifiable information'' to 
                the extent that such amendment will accomplish the 
                purposes of this Act. In amending the definition, the 
                Commission may determine--
                            (i) that any particular combinations of 
                        information are sensitive personally 
                        identifiable information; or
                            (ii) that any particular piece of 
                        information, on its own, is sensitive 
                        personally identifiable information.
            (5) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian tribe.
            (6) Unsecured sensitive personally identifiable 
        information.--The term ``unsecured sensitive personally 
        identifiable information'' means sensitive personally 
        identifiable information that is not secured by a technology 
        standard that--
                    (A) renders information unusable, unreadable, or 
                indecipherable to unauthorized individuals; and
                    (B) is developed or endorsed by a standards 
                developing organization that is accredited by the 
                American National Standards Institute.

SEC. 7. RELATIONSHIP TO STATE LAW.

    This Act does not annul, alter, or affect, or exempt any person 
subject to the provisions of this Act from complying with, the laws of 
any State with respect to notification of a breach of personal 
information in electronic or digital form, except to the extent that 
those laws are inconsistent with any provision of this Act, and then 
only to the extent of the inconsistency. For purposes of this section, 
a State law is not inconsistent with this Act if the protection such 
law affords any consumer is greater than the protection provided by 
this Act.

SEC. 8. EFFECTIVE DATE.

    This Act shall apply with respect to breaches that are discovered 
on or after the date that is 30 days after the date on which the 
Commission promulgates the regulations required by section 3(c).