[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6743 Introduced in House (IH)]

115th CONGRESS
  2d Session
                                H. R. 6743

To amend the Gramm-Leach-Bliley Act to provide a national standard for 
 financial institution data security and breach notification on behalf 
               of all consumers, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 7, 2018

 Mr. Luetkemeyer introduced the following bill; which was referred to 
                  the Committee on Financial Services

_______________________________________________________________________

                                 A BILL


 
To amend the Gramm-Leach-Bliley Act to provide a national standard for 
 financial institution data security and breach notification on behalf 
               of all consumers, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Information Notification 
Requirement Act''.

SEC. 2. BREACH NOTIFICATION STANDARDS.

    Section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) is 
amended--
            (1) in subsection (b)(3) by striking the period at the end 
        and inserting ``, including through the provision of a breach 
        notice in the event of unauthorized access that is reasonably 
        likely to result in identity theft, fraud, or economic loss.''; 
        and
            (2) by adding at the end the following:
    ``(c) Standards With Respect to Breach Notification.--Each agency 
or authority required to establish standards described under subsection 
(b)(3) with respect to the provision of a breach notice shall establish 
the standards with respect to such notice that are contained in the 
interpretive guidance issued by the Comptroller of the Currency, the 
Board of Governors of the Federal Reserve System, the Federal Deposit 
Insurance Corporation, and the Office of Thrift Supervision titled 
`Interagency Guidance on Response Programs for Unauthorized Access to 
Customer Information and Customer Notice', published March 29, 2005 (70 
Fed. Reg. 15736), and for a financial institution that is not a bank, 
such standards shall be applied to the institution as if the 
institution was a bank to the extent appropriate and practicable.
    ``(d) Insurance.--
            ``(1) Enforcement.--Notwithstanding section 505(a)(6), with 
        respect to an entity engaged in providing insurance, the 
        standards under subsection (b) shall be enforced--
                    ``(A) with respect to any such standards related to 
                data security safeguards, by--
                            ``(i) the State insurance authority of the 
                        State in which the entity is domiciled; or
                            ``(ii) in the case of an insurance agent, 
                        agency, or brokerage, the State insurance 
                        authority of the State in which such agent, 
                        agency, or brokerage has its principal place of 
                        business; and
                    ``(B) with respect to any such standards related to 
                notification of the breach of data security, by the 
                State insurance authority of any State in which 
                customers of the entity are affected by such a breach 
                of data security.
            ``(2) Notification by assuming insurer.--
                    ``(A) In general.--Notwithstanding subsection (b), 
                an assuming insurer that experiences a breach of data 
                security shall only be required to notify the State 
                insurance authority of the State in which the assuming 
                insurer is domiciled.
                    ``(B) Assuming insurer defined.--For purposes of 
                this paragraph, the term `assuming insurer' means an 
                entity engaged in providing insurance that acquires an 
                insurance obligation or risk from another entity 
                engaged in providing insurance pursuant to a 
                reinsurance agreement.
            ``(3) Safeguards for insurance customers.--In carrying out 
        subsection (b) with respect to an entity engaged in providing 
        insurance, a State insurance authority shall establish the 
        standards for safeguarding customer information maintained by 
        entities engaged in activities described in section 4(k)(4)(B) 
        of the Bank Holding Company Act of 1956 (12 U.S.C. 
        1843(4)(k)(4)(B)) that are the same as the standards contained 
        in the interagency guidelines issued by the Comptroller of the 
        Currency, the Board of Governors of the Federal Reserve Board, 
        the Federal Deposit Insurance Corporation, and the Office of 
        Thrift Supervision titled `Interagency Guidelines Establishing 
        Standards for Safeguarding Customer Information', published 
        February 1, 2001 (66 Fed. Reg. 8633), and such standards shall 
        be applied as if the entity engaged in providing insurance was 
        a bank to the extent appropriate and practicable.''.

SEC. 3. PREEMPTION WITH RESPECT TO FINANCIAL INSTITUTION SAFEGUARDS.

    Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is 
amended to read as follows:

``SEC. 507. RELATION TO STATE LAWS.

    ``(a) In General.--This subtitle preempts any law, rule, 
regulation, requirement, standard, or other provision having the force 
and effect of law of any State, or political subdivision of a State, 
with respect to securing personal information from unauthorized access 
or acquisition, including notification of unauthorized access or 
acquisition of data.
    ``(b) Insurance.--Subsection (a) shall not prevent a State or 
political subdivision of a State from establishing the standards for 
entities engaged in providing insurance required by sections 501(c) and 
501(d), provided the standards established by such State or political 
subdivision do not impose any requirement that is in addition to or 
different from those standards, except where necessary to effectuate 
the purposes of this subtitle.''.