[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6743 Reported in House (RH)]

                                                 Union Calendar No. 849
115th CONGRESS
  2d Session
                                H. R. 6743

                         [Report No. 115-1097]

To amend the Gramm-Leach-Bliley Act to provide a national standard for 
 financial institution data security and breach notification on behalf 
               of all consumers, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 7, 2018

 Mr. Luetkemeyer introduced the following bill; which was referred to 
                  the Committee on Financial Services

                           December 21, 2018

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
    [For text of introduced bill, see copy of bill as introduced on 
                           September 7, 2018]


_______________________________________________________________________

                                 A BILL


 
To amend the Gramm-Leach-Bliley Act to provide a national standard for 
 financial institution data security and breach notification on behalf 
               of all consumers, and for other purposes.


 


    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Information Notification 
Requirement Act''.

SEC. 2. BREACH NOTIFICATION STANDARDS.

    Section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) is 
amended--
            (1) in subsection (b)(3) by striking the period at the end 
        and inserting ``, including through the provision of a breach 
        notice in the event of unauthorized access that is reasonably 
        likely to result in identity theft, fraud, or economic loss.''; 
        and
            (2) by adding at the end the following:
    ``(c) Standards With Respect to Breach Notification.--Subject to 
section 504(a)(2) and sections 505(b) and 505(c), within 6 months after 
the date of enactment of this subsection, each agency or authority 
required to establish standards described under subsection (b)(3) with 
respect to the provision of a breach notice shall ensure that such 
standards are in compliance with subsection (b).
    ``(d) Insurance.--
            ``(1) Enforcement.--Notwithstanding section 505(a)(6), with 
        respect to an entity engaged in providing insurance, the 
        standards under subsection (b) shall be enforced--
                    ``(A) with respect to any such standards related to 
                data security safeguards, by--
                            ``(i) the State insurance authority of the 
                        State in which the entity is domiciled; or
                            ``(ii) in the case of an insurance agency 
                        or brokerage, the State insurance authority of 
                        the State in which such agency or brokerage has 
                        its principal place of business; and
                    ``(B) with respect to any such standards related to 
                notification of the breach of data security, by the 
                State insurance authority of any State in which 
                customers of the entity are affected by such a breach 
                of data security.
            ``(2) Notification by assuming insurer.--
                    ``(A) In general.--Notwithstanding subsection (b), 
                an assuming insurer that experiences a breach of data 
                security shall only be required to notify the State 
                insurance authority of the State in which the assuming 
                insurer is domiciled.
                    ``(B) Assuming insurer defined.--For purposes of 
                this paragraph, the term `assuming insurer' means an 
                entity engaged in providing insurance that acquires an 
                insurance obligation or risk from another entity 
                engaged in providing insurance pursuant to a 
                reinsurance agreement.
            ``(3) Safeguards for insurance customers.--In carrying out 
        subsection (b) with respect to an entity engaged in providing 
        insurance, a State insurance authority shall establish the 
        standards for safeguarding customer information maintained by 
        entities engaged in activities described in section 4(k)(4)(B) 
        of the Bank Holding Company Act of 1956 (12 U.S.C. 
        1843(4)(k)(4)(B)) that are the same as the standards contained 
        in the interagency guidelines issued by the Comptroller of the 
        Currency, the Board of Governors of the Federal Reserve Board, 
        the Federal Deposit Insurance Corporation, and the Office of 
        Thrift Supervision titled `Interagency Guidelines Establishing 
        Standards for Safeguarding Customer Information', published 
        February 1, 2001 (66 Fed. Reg. 8633), and such standards shall 
        be applied as if the entity engaged in providing insurance was 
        a bank to the extent appropriate and practicable.''.

SEC. 3. PREEMPTION WITH RESPECT TO FINANCIAL INSTITUTION SAFEGUARDS.

    Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is 
amended to read as follows:

``SEC. 507. RELATION TO STATE LAWS.

    ``(a) In General.--This subtitle preempts any law, rule, 
regulation, requirement, standard, or other provision having the force 
and effect of law of any State, or political subdivision of a State, 
with respect to a financial institution or affiliate thereof securing 
personal information from unauthorized access or acquisition, including 
notification of unauthorized access or acquisition of data.
    ``(b) Insurance.--Subsection (a) shall not prevent a State or 
political subdivision of a State from establishing the standards for 
entities engaged in providing insurance required by sections 501(c) and 
501(d), provided the standards established by such State or political 
subdivision do not impose any requirement that is in addition to or 
different from those standards, except where necessary to effectuate 
the purposes of this subtitle.''.