[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 2124 Introduced in Senate (IS)]

<DOC>






115th CONGRESS
  1st Session
                                S. 2124

 To ensure the privacy and security of sensitive personal information, 
 to prevent and mitigate identity theft, to provide notice of security 
 breaches involving sensitive personal information, and to enhance law 
enforcement assistance and other protections against security breaches, 
         fraudulent access, and misuse of personal information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           November 14, 2017

  Mr. Leahy (for himself, Mr. Markey, Mr. Blumenthal, Mr. Wyden, Mr. 
 Franken, Ms. Baldwin, and Ms. Harris) introduced the following bill; 
  which was read twice and referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
 To ensure the privacy and security of sensitive personal information, 
 to prevent and mitigate identity theft, to provide notice of security 
 breaches involving sensitive personal information, and to enhance law 
enforcement assistance and other protections against security breaches, 
         fraudulent access, and misuse of personal information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Consumer Privacy 
Protection Act of 2017''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
 TITLE I--PUNISHMENT FOR CONCEALMENT OF SECURITY BREACHES AND TOOLS TO 
                           COMBAT CYBERCRIME

Sec. 101. Concealment of security breaches involving sensitive 
                            personally identifiable information.
Sec. 102. Reporting of certain cybercrimes.
Sec. 103. Authority to shut down botnets.
Sec. 104. Deterring the development and sale of computer and cell phone 
                            spying devices.
    TITLE II--CONSUMER PRIVACY AND SECURITY OF SENSITIVE PERSONALLY 
                        IDENTIFIABLE INFORMATION

         Subtitle A--Consumer Privacy and Data Security Program

Sec. 201. Purpose and applicability of consumer privacy and data 
                            security program.
Sec. 202. Requirements for consumer privacy and data security program.
Sec. 203. Federal enforcement.
Sec. 204. Enforcement by State attorneys general.
Sec. 205. Relation to other laws.
        Subtitle B--Security Breach Notification and Protection

Sec. 211. Notice to individuals; protection.
Sec. 212. Exemptions.
Sec. 213. Methods of notice.
Sec. 214. Content of notification.
Sec. 215. Coordination of notification with credit reporting agencies.
Sec. 216. Notice to the Federal Trade Commission.
Sec. 217. Notice to law enforcement.
Sec. 218. Federal enforcement.
Sec. 219. Enforcement by State attorneys general.
Sec. 220. Effect on Federal and State law.
Sec. 221. Reporting on exemptions.
Sec. 222. Effective date.
         TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

Sec. 301. Budget compliance.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) databases of sensitive personally identifiable 
        information are increasingly prime targets of hackers, nation-
        state actors, identity thieves, rogue employees, and other 
        criminals, including organized and sophisticated criminal 
        operations;
            (2) security breaches caused by such criminal acts are a 
        serious threat to consumer privacy, consumer confidence, 
        homeland security, national security, e-commerce, and economic 
        stability;
            (3) misuse of sensitive personally identifiable information 
        has the potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government operations;
            (4) identity theft is a serious threat to the Nation's 
        economic stability, national security, homeland security, 
        cybersecurity, the development of e-commerce, and the privacy 
        rights of Americans;
            (5) it is important for business entities that own, use, 
        store, or license sensitive personally identifiable information 
        to adopt reasonable policies and procedures to help ensure the 
        security and privacy of sensitive personally identifiable 
        information; and
            (6) individuals whose personal information has been 
        compromised or who have been victims of identity theft should 
        receive the necessary information and assistance to mitigate 
        any potential damage.

SEC. 3. DEFINITIONS.

    In this Act, the following definitions shall apply:
            (1) Affiliate.--The term ``affiliate'' means persons 
        related by common ownership or by corporate control.
            (2) Agency.--The term ``agency'' has the same meaning given 
        such term in section 551 of title 5, United States Code.
            (3) Business entity.--The term ``business entity'' means 
        any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or venture 
        established to make a profit, or a nonprofit organization.
            (4) Consumer privacy and data security program.--The term 
        ``consumer privacy and data security program'' means the 
        program described in section 202(a).
            (5) Consumer reporting agency.--The term ``consumer 
        reporting agency'' means a consumer reporting agency described 
        in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 
        1681a(p)).
            (6) Covered entity.--The term ``covered entity'' means any 
        business entity, other than a service provider, that collects, 
        uses, accesses, transmits, stores, or disposes of sensitive 
        personally identifiable information, including a consumer 
        reporting agency.
            (7) Designated entity.--The term ``designated entity'' 
        means the Federal Government entity designated by the Secretary 
        of Homeland Security under section 217(a).
            (8) Encryption.--The term ``encryption''--
                    (A) means the protection of data in electronic 
                form, in storage or in transit, using an encryption 
                technology that has been generally accepted by experts 
                in the field of information security that renders such 
                data indecipherable in the absence of associated 
                cryptographic keys necessary to enable decryption of 
                such data; and
                    (B) includes appropriate management and safeguards 
                of such cryptographic keys so as to protect the 
                integrity of the encryption.
            (9) Identity theft.--The term ``identity theft'' means a 
        violation of section 1028(a)(7) of title 18, United States 
        Code.
            (10) Security breach.--
                    (A) In general.--The term ``security breach'' means 
                compromise of the privacy, integrity, or security of 
                computerized data that results in, or that there is a 
                reasonable basis to conclude has resulted in, 
                unauthorized access to or acquisition of sensitive 
                personally identifiable information.
                    (B) Exclusion.--The term ``security breach'' does 
                not include--
                            (i) a good faith access or acquisition of 
                        sensitive personally identifiable information 
                        by a business entity, or an employee or agent 
                        of a business entity, if the sensitive 
                        personally identifiable information is not 
                        subject to further unauthorized disclosure;
                            (ii) the release of a public record not 
                        otherwise subject to confidentiality or 
                        nondisclosure requirements; or
                            (iii) any lawfully authorized 
                        investigative, protective, or intelligence 
                        activity of a law enforcement or intelligence 
                        agency of the United States, a State, or a 
                        political subdivision of a State.
            (11) Sensitive personally identifiable information.--The 
        term ``sensitive personally identifiable information'' means 
        any information or compilation of information, in electronic or 
        digital form that identifies or could be used to identify a 
        particular person, including the following:
                    (A) A non-truncated Social Security number, a 
                driver's license number, passport number, or alien 
                registration number or other government-issued unique 
                identification number.
                    (B) A financial account number or credit or debit 
                card number in combination with any security code, 
                access code, or password if required for an individual 
                to obtain credit, withdraw funds, or engage in 
                financial transactions.
                    (C) A unique electronic account identifier, 
                including an online user name or e-mail address, in 
                combination with any security code, access code, 
                password, or security question and answer, if required 
                for an individual to obtain money, goods, services, 
                access to digital photographs, digital videos or 
                electronic communications, or any other thing of value.
                    (D) Unique biometric data, such as faceprint, 
                fingerprint, voice print, a retina or iris image, or 
                any other unique physical representation.
                    (E) An individual's first and last name or first 
                initial and last name in combination with any 
                information that relates to the individual's past, 
                present, or future physical or mental health or 
                condition, or to the provision of health care to or 
                diagnosis of the individual, including health insurance 
                information such as a health insurance policy number or 
                subscriber identification number, or any information in 
                an individual's health insurance application and claims 
                history.
                    (F) Information about an individual's geographic 
                location generated by or derived from the operation or 
                use of an electronic communications device that is 
                sufficient to identify the street and name of the city 
                or town in which the device is located, excluding 
                telephone numbers or network or internet protocol 
                addresses.
                    (G) Password-protected digital photographs and 
                digital videos not otherwise available to the public.
            (12) Service provider.--The term ``service provider'' means 
        a business entity that provides electronic data transmission, 
        routing, intermediate and transient storage, or connections to 
        its system or network, where the business entity providing such 
        services does not select or modify the content of the 
        electronic data, is not the sender or the intended recipient of 
        the data, and the business entity transmits, routes, or 
        provides connections for sensitive personally identifiable 
        information in a manner that sensitive personally identifiable 
        information is undifferentiated from other types of data that 
        such business entity transmits, routes, or provides 
        connections. Any such business entity shall be treated as a 
        service provider under this Act only to the extent that it is 
        engaged in the provision of such transmission, routing, 
        intermediate and transient storage or connections.

 TITLE I--PUNISHMENT FOR CONCEALMENT OF SECURITY BREACHES AND TOOLS TO 
                           COMBAT CYBERCRIME

SEC. 101. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:
``Sec. 1041. Concealment of security breaches involving sensitive 
              personally identifiable information
    ``(a) In General.--Whoever, having knowledge of a security breach 
and of the fact that notice of such security breach is required under 
title II of the Consumer Privacy Protection Act of 2017, intentionally 
and willfully conceals the fact of such security breach, shall, in the 
event that such security breach results in economic harm to any 
individual in the amount of $1,000 or more, be fined under this title 
or imprisoned for not more than 5 years, or both.
    ``(b) Person Defined.--For purposes of subsection (a), the term 
`person' has the meaning given the term in section 1030(e)(12).''.
    (b) Conforming and Technical Amendments.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

``1041. Concealment of security breaches involving sensitive personally 
                            identifiable information.''.
    (c) Enforcement Authority.--
            (1) In general.--The United States Secret Service and the 
        Federal Bureau of Investigation shall have the authority to 
        investigate offenses under section 1041 of title 18, United 
        States Code, as added by subsection (a).
            (2) Nonexclusivity.--The authority granted in paragraph (1) 
        shall not be exclusive of any existing authority held by any 
        other Federal agency.

SEC. 102. REPORTING OF CERTAIN CYBERCRIMES.

    Section 1030 of title 18, United States Code, is amended by 
striking subsection (h) and inserting the following:
    ``(h) Reporting Certain Criminal Cases.--Not later than 1 year 
after the date of the enactment of this subsection, and annually 
thereafter, the Attorney General shall report to the Committee on the 
Judiciary of the Senate and the Committee on the Judiciary of the House 
of Representatives the number of criminal cases brought under 
subsection (a) that involve conduct in which--
            ``(1) the defendant--
                    ``(A) exceeded authorized access to a 
                nongovernmental computer; or
                    ``(B) accessed a nongovernmental computer without 
                authorization; and
            ``(2) the sole basis for the Government determining that 
        access to the nongovernmental computer was unauthorized, or in 
        excess of authorization, was that the defendant violated a 
        contractual obligation or agreement with a service provider or 
        employer, such as an acceptable use policy or terms of service 
        agreement.''.

SEC. 103. AUTHORITY TO SHUT DOWN BOTNETS.

    (a) Amendment.--Section 1345 of title 18, United States Code, is 
amended--
            (1) in the heading, by inserting ``and abuse'' after 
        ``fraud'';
            (2) in subsection (a)--
                    (A) in paragraph (1)--
                            (i) in subparagraph (B), by striking ``or'' 
                        at the end;
                            (ii) in subparagraph (C), by inserting 
                        ``or'' after the semicolon; and
                            (iii) by inserting after subparagraph (C) 
                        the following:
            ``(D) violating section 1030(a)(5) where such conduct would 
        damage (as defined in section 1030), 100 or more protected 
        computers (as defined in section 1030) during any 1-year 
        period, including by denying access to or operation of the 
        computers, installing unwanted software on the computers, using 
        the computers without authorization, or obtaining information 
        from the computers without authorization;''; and
                    (B) in paragraph (2), by inserting ``, a violation 
                of section 1030(a)(5) as described in subsection 
                (a)(1)(D),'' before ``or a Federal'';
            (3) in subsection (b), by adding ``, except in the case of 
        a person violating section 1030(a)(5) in the manner described 
        in subsection (a)(1)(D),'' before ``take such other action''; 
        and
            (4) by adding at the end the following:
    ``(c) A restraining order or prohibition described in subsection 
(b), if issued in circumstances described in subsection (a)(1)(D)--
            ``(1) may only authorize action that solely affects persons 
        violating section 1030 in the manner described in subsection 
        (a)(1)(D); and
            ``(2) may, upon application of the Attorney General--
                    ``(A) specify that no cause of action shall lie in 
                any court against a person for complying with the 
                restraining order, prohibition, or other action; and
                    ``(B) provide that the United States shall pay to 
                such person a fee for reimbursement for such costs as 
                are reasonably necessary and which have been directly 
                incurred in complying with the restraining order, 
                prohibition, or other action.
    ``(d) There are authorized to be appropriated to the Department of 
Justice, the Department of Homeland Security, and the Department of the 
Treasury such sums as are necessary to implement this section, 
including payments made by the United States of a fee for 
reimbursement.''.
    (b) Technical and Conforming Amendment.--The table of sections for 
chapter 63 is amended by striking the item relating to section 1345 and 
inserting the following:

``1345. Injunctions against fraud and abuse.''.

SEC. 104. DETERRING THE DEVELOPMENT AND SALE OF COMPUTER AND CELL PHONE 
              SPYING DEVICES.

    Section 1956(c)(7)(D) of title 18, United States Code, is amended 
by inserting ``section 2512 (relating to the manufacture, distribution, 
possession, and advertising of wire, oral, or electronic communication 
intercepting devices),'' before ``section 46502''.

    TITLE II--CONSUMER PRIVACY AND SECURITY OF SENSITIVE PERSONALLY 
                        IDENTIFIABLE INFORMATION

         Subtitle A--Consumer Privacy and Data Security Program

SEC. 201. PURPOSE AND APPLICABILITY OF CONSUMER PRIVACY AND DATA 
              SECURITY PROGRAM.

    (a) Purpose.--The purpose of this subtitle is to ensure standards 
for developing and implementing administrative, technical, and physical 
safeguards to protect the security of sensitive personally identifiable 
information.
    (b) Applicability.--A covered entity engaging in interstate 
commerce that collects, uses, accesses, transmits, stores, or disposes 
of sensitive personally identifiable information in electronic or 
digital form of not less than 10,000 United States persons during any 
12-month period is subject to the requirements for a consumer privacy 
and data security program for protecting sensitive personally 
identifiable information.
    (c) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to the following:
            (1) Financial institutions.--Financial institutions--
                    (A) subject to and in compliance with the data 
                security requirements and standards under section 
                501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 
                6801(b)); and
                    (B) subject to the jurisdiction of an agency or 
                authority described in section 505(a) of the Gramm-
                Leach-Bliley Act (15 U.S.C. 6805(a)).
            (2) HIPAA and HITECH regulated entities.--An entity that is 
        subject to and in compliance with the data security 
        requirements of the following, with respect to data that is 
        subject to such requirements:
                    (A) Section 13401 of the Health Information 
                Technology for Economic and Clinical Health Act (42 
                U.S.C. 17931).
                    (B) Part 160 or 164 of title 45, Code of Federal 
                Regulations (or any successor regulations).
                    (C) The regulations promulgated under section 
                264(c) of the Health Insurance Portability and 
                Accountability Act of 1996 (42 U.S.C. 1320d-2 note).
                    (D) In the case of a business associate, as defined 
                in section 13400 of the Health Information Technology 
                for Economic and Clinical Health Act (42 U.S.C. 17921), 
                the applicable privacy and data security requirements 
                of part 1 of subtitle D of title XIII of division A of 
                the American Reinvestment and Recovery Act of 2009 (42 
                U.S.C. 17931 et seq.).
            (3) Service providers.--A service provider for any 
        electronic communication by a third party, to the extent that 
        the service provider is engaged solely in the transmission, 
        routing, or temporary, intermediate, or transient storage of 
        that communication.

SEC. 202. REQUIREMENTS FOR CONSUMER PRIVACY AND DATA SECURITY PROGRAM.

    (a) Consumer Privacy and Data Security Program.--A covered entity 
subject to this subtitle shall comply with the following safeguards and 
any other administrative, technical, or physical safeguards identified 
by the Federal Trade Commission for the protection of sensitive 
personally identifiable information:
            (1) Scope.--A covered entity shall implement a 
        comprehensive consumer privacy and data security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity, and the nature and 
        scope, of the activities of the covered entity.
            (2) Design.--The consumer privacy and data security program 
        shall be designed to--
                    (A) ensure the privacy and security of sensitive 
                personally identifying information;
                    (B) protect against any anticipated vulnerabilities 
                to the privacy and security of sensitive personally 
                identifying information; and
                    (C) protect against unauthorized access, 
                destruction, acquisition, disclosure, or use of 
                sensitive personally identifying information.
            (3) Risk assessment.--A covered entity shall--
                    (A) identify reasonably foreseeable internal and 
                external vulnerabilities and internal and external 
                threats that could result in unauthorized access, 
                destruction, acquisition, disclosure, or use of 
                sensitive personally identifiable information or of 
                systems containing sensitive personally identifiable 
                information;
                    (B) assess the likelihood of and potential damage 
                from unauthorized access, destruction, acquisition, 
                disclosure, or use of sensitive personally identifiable 
                information;
                    (C) assess the sufficiency of its technical, 
                physical, and administrative controls in place to 
                control and minimize risks from unauthorized access, 
                destruction, acquisition, disclosure, or use of 
                sensitive personally identifiable information; and
                    (D) assess the vulnerability of sensitive 
                personally identifiable information during destruction 
                and disposal of such information, including through the 
                disposal or retirement of hardware.
            (4) Risk management and control.--Each covered entity 
        shall--
                    (A) design its consumer privacy and data security 
                program to control the risks identified under paragraph 
                (3);
                    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, nature, and scope of the activities of the 
                covered entity that--
                            (i) controls access to sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;
                            (ii) detect, record, and preserve 
                        information relevant to actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        acquisition, disclosure, or use of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access;
                            (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption, redaction, disclosure limitation 
                        methodologies, or access controls, that are 
                        widely accepted as an effective industry 
                        practice or industry standard, or other 
                        reasonable means;
                            (iv) ensure that sensitive personally 
                        identifiable information is properly destroyed 
                        and disposed of, including during the 
                        destruction of computers and other electronic 
                        media that contain sensitive personally 
                        identifiable information; and
                            (v) ensure that no third party is 
                        authorized to access or acquire sensitive 
                        personally identifiable information in its 
                        possession without the covered entity first 
                        performing sufficient due diligence to 
                        ascertain, with reasonable certainty, that such 
                        information is being sought for a valid legal 
                        purpose; and
                    (C) establish a plan and procedures for minimizing 
                the amount of sensitive personally identifiable 
                information maintained by the covered entity and the 
                length of time such information is retained, which 
                shall provide for the retention of sensitive personally 
                identifiable information only as reasonably needed for 
                the business purposes of such business entity or as 
                necessary to comply with any legal obligation and only 
                as long as so needed.
            (5) Limitation.--Nothing in this subsection shall be 
        construed to permit, and nothing does permit, the Federal Trade 
        Commission to issue regulations requiring, or according greater 
        legal status to, the implementation of or application of a 
        specific technology or technological specifications for meeting 
        the requirements of this title.
    (b) Training.--Covered entities subject to this subtitle shall take 
steps to ensure employee training and supervision for implementation of 
the consumer privacy and data security program of the covered entity.
    (c) Vulnerability Testing.--
            (1) In general.--Covered entities subject to this subtitle 
        shall take steps to ensure regular testing of key technical, 
        physical, and administrative controls for information and 
        information systems of the consumer privacy and data security 
        program to detect, prevent, and respond to attacks or 
        intrusions, or other system failures.
            (2) Frequency.--The frequency and nature of the tests 
        required under paragraph (1) shall be determined by the risk 
        assessment of the covered entity under subsection (a)(3).
    (d) Relationship to Certain Providers of Services.--In the event a 
covered entity subject to this subtitle engages a person or entity not 
subject to this subtitle (other than a service provider) to receive 
sensitive personally identifiable information in performing services or 
functions (other than the services or functions provided by a service 
provider) on behalf of and under the instruction of such covered 
entity, the covered entity shall--
            (1) exercise appropriate due diligence in selecting the 
        person or entity for responsibilities related to sensitive 
        personally identifiable information, and take reasonable steps 
        to select and retain a person or entity that is capable of 
        maintaining appropriate controls for the privacy and security 
        of the sensitive personally identifiable information at issue; 
        and
            (2) require the person or entity by contract to implement 
        and maintain appropriate measures designed to meet the 
        objectives and requirements governing subtitle A.
    (e) Periodic Assessment and Consumer Privacy and Data Security 
Modernization.--Each covered entity subject to this subtitle shall on a 
regular basis monitor, evaluate, and adjust, as appropriate, its 
consumer privacy and data security program in light of any relevant 
changes in--
            (1) technology;
            (2) internal or external threats and vulnerabilities to 
        sensitive personally identifiable information; and
            (3) the changing business arrangements of the covered 
        entity, such as--
                    (A) mergers and acquisitions;
                    (B) alliances and joint ventures;
                    (C) outsourcing arrangements;
                    (D) bankruptcy; and
                    (E) changes to sensitive personally identifiable 
                information systems.
    (f) Consumer Notice.--Not less frequently than once every calendar 
year, a covered entity shall provide, upon request of a United States 
resident and at no cost to that individual, notice to that individual 
of what sensitive personally identifiable information of that 
individual is maintained or shared by the covered entity.
    (g) Consumer Opt-Out.--
            (1) Definitions.--In this subsection, the terms 
        ``consumer'' and ``file'' have the meanings given the terms in 
        section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).
            (2) Credit freeze.--Upon the request of a consumer, a 
        covered entity that is a consumer reporting agency that 
        compiles or maintains a file on the consumer and has received 
        appropriate proof of the identity of the requester shall place 
        or lift a credit freeze in the file of the consumer without 
        charge to the consumer.
    (h) Rulemaking.--Not later than 1 year after the date of enactment 
of this Act, the Federal Trade Commission shall issue regulations in 
accordance with section 553 of title 5, United States Code, to 
implement subsections (a) through (g).
    (i) Implementation Timeline.--Not later than 1 year after the date 
on which the Federal Trade Commission issues the final regulations 
required under subsection (h), a covered entity subject to the 
provisions of this subtitle shall implement a consumer privacy and data 
security program pursuant to this subtitle.

SEC. 203. FEDERAL ENFORCEMENT.

    (a) In General.--The Attorney General and the Federal Trade 
Commission may enforce civil violations of section 201 or 202.
    (b) Civil Actions by the Attorney General of the United States.--
            (1) In general.--The Attorney General may bring a civil 
        action in the appropriate United States district court against 
        any covered entity that engages in conduct constituting a 
        violation of this subtitle and, upon proof of such conduct by a 
        preponderance of the evidence, such covered entity shall be 
        subject to a civil penalty in an amount that is not greater 
        than the product of the number of individuals whose sensitive 
        personally identifiable information was placed at risk as a 
        result of the violation and $16,500.
            (2) Determinations.--The determination of whether a 
        violation of a provision of this subtitle has occurred, and if 
        so, the amount of the penalty to be imposed, if any, shall be 
        made by the court sitting as the finder of fact. The 
        determination of whether a violation of a provision of this 
        subtitle was willful or intentional, and if so, the amount of 
        the additional penalty to be imposed, if any, shall be made by 
        the court sitting as the finder of fact.
            (3) Additional penalty limit.--If a court determines under 
        paragraph (2) that a violation of a provision of this subtitle 
        was willful or intentional and imposes an additional penalty, 
        the court may not impose an additional penalty in an amount 
        that exceeds $10,000,000.
    (c) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a covered entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (d) Civil Actions by the Federal Trade Commission.--
            (1) In general.--Compliance with the requirements imposed 
        under this subtitle may be enforced under the Federal Trade 
        Commission Act (15 U.S.C. 41 et seq.) by the Federal Trade 
        Commission with respect to business entities subject to this 
        Act. All of the functions and powers of the Federal Trade 
        Commission under the Federal Trade Commission Act are available 
        to the Commission to enforce compliance by any person with the 
        requirements imposed under this title.
            (2) Civil penalties.--
                    (A) In general.--Any covered entity that violates 
                the provisions of this subtitle shall be subject to a 
                civil penalty in the amount that is not greater than 
                the product of the number of individuals whose 
                sensitive personally identifiable information was 
                placed at risk as a result of the violation and 
                $16,500.
                    (B) Determinations.--The determination of whether a 
                violation of a provision of this subtitle has occurred, 
                and if so, the amount of the penalty to be imposed, if 
                any, shall be made by the court sitting as the finder 
                of fact. The determination of whether a violation of a 
                provision of this subtitle was willful or intentional, 
                and if so, the amount of the additional penalty to be 
                imposed, if any, shall be made by the court sitting as 
                the finder of fact.
                    (C) Additional penalty limit.--If a court 
                determines under subparagraph (B) that a violation of a 
                provision of this subtitle was willful or intentional 
                and imposes an additional penalty, the court may not 
                impose an additional penalty in an amount that exceeds 
                $10,000,000.
            (3) Unfair or deceptive acts or practices.--For the purpose 
        of the exercise by the Federal Trade Commission of its 
        functions and powers under the Federal Trade Commission Act, a 
        violation of any requirement or prohibition imposed under this 
        title shall constitute an unfair or deceptive act or practice 
        in commerce in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices 
        and shall be subject to enforcement by the Federal Trade 
        Commission under that Act with respect to any business entity, 
        irrespective of whether that business entity is engaged in 
        commerce or meets any other jurisdictional tests in the Federal 
        Trade Commission Act.
    (e) Coordination of Enforcement.--
            (1) In general.--When opening an investigation, the Federal 
        Trade Commission shall consult with the Attorney General.
            (2) Limitation.--The Federal Trade Commission may initiate 
        investigations under this subsection unless the Attorney 
        General determines that such an investigation would impede an 
        ongoing criminal investigation or national security activity.
            (3) Coordination agreement.--
                    (A) In general.--In order to avoid conflicts and 
                promote consistency regarding the enforcement and 
                litigation of matters under this Act, not later than 
                180 days after the date of enactment of this Act, the 
                Attorney General and the Federal Trade Commission shall 
                enter into an agreement for coordination regarding the 
                enforcement of this Act.
                    (B) Requirement.--The coordination agreement 
                entered into under subparagraph (A) shall include 
                provisions to ensure that parallel investigations and 
                proceedings under this section are conducted in a 
                manner that avoids conflicts and does not impede the 
                ability of the Attorney General to prosecute violations 
                of Federal criminal laws.
    (f) Other Rights and Remedies.--The rights and remedies available 
under this section are cumulative and shall not affect any other rights 
and remedies available under law.

SEC. 204. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) State Enforcement.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that a covered entity has violated section 201 or 202, 
        the State, as parens patriae, may bring a civil action on 
        behalf of the residents of that State to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with section 201 or 202; or
                    (C) impose a civil penalty in an amount that is not 
                greater than the product of the number of individuals 
                whose sensitive personally identifiable information was 
                placed at risk as a result of the violation and 
                $16,500.
            (2) Penalty determination.--
                    (A) Determinations.--The determination of whether a 
                violation of a provision of this subtitle has occurred, 
                and if so, the amount of the penalty to be imposed, if 
                any, shall be made by the court sitting as the finder 
                of fact. The determination of whether a violation of a 
                provision of this subtitle was willful or intentional, 
                and if so, the amount of the additional penalty to be 
                imposed, if any, shall be made by the court sitting as 
                the finder of fact.
                    (B) Additional penalty limit.--If a court 
                determines under subparagraph (A) that a violation of a 
                provision of this subtitle was willful or intentional 
                and imposes an additional penalty, the court may not 
                impose an additional penalty in an amount that exceeds 
                $10,000,000.
            (3) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Attorney General of the United 
                States and the Federal Trade Commission--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an attorney 
                general of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in this 
                subparagraph before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described under subparagraph (B), the attorney general 
                of a State shall provide the written notice and the 
                copy of the complaint to the Attorney General of the 
                United States and the Federal Trade Commission as soon 
                after the filing of the complaint as practicable.
            (4) Federal proceedings.--Upon receiving notice under 
        paragraph (3), the Attorney General of the United States and 
        the Federal Trade Commission shall have the right to--
                    (A) move to stay the action, pending the final 
                disposition of a pending Federal proceeding or action 
                as described in section 203;
                    (B) initiate an action in the appropriate United 
                States district court under section 203 and move to 
                consolidate all pending actions, including State 
                actions, in such court;
                    (C) intervene in an action brought under paragraph 
                (1); and
                    (D) file petitions for appeal.
            (5) Pending proceedings.--If the Attorney General of the 
        United States or the Federal Trade Commission initiates a 
        Federal civil action for a violation of this subtitle, or any 
        regulations thereunder, no attorney general of a State may 
        bring an action for a violation of this subtitle that resulted 
        from the same or related acts or omissions against a defendant 
        named in the Federal civil action initiated by the Attorney 
        General of the United States or the Federal Trade Commission.
            (6) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1) nothing in this subtitle shall 
        be construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths and affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (7) Venue; service of process.--
                    (A) Venue.--Any action brought under subsection (a) 
                may be brought in--
                            (i) the district court of the United States 
                        that meets applicable requirements relating to 
                        venue under section 1391 of title 28, United 
                        States Code; or
                            (ii) another court of competent 
                        jurisdiction.
                    (B) Service of process.--In an action brought under 
                subsection (a), process may be served in any district 
                in which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
    (b) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a business entity for 
violation of any provision of this subtitle.

SEC. 205. RELATION TO OTHER LAWS.

    (a) Preemption.--For any covered entity that is subject to this 
subtitle, the provisions of this subtitle shall supersede any other 
provision of Federal law, or any provisions of the law of any State or 
political subdivision of a State, requiring data security practices 
that are less stringent than the requirements of this subtitle.
    (b) Consumer Protection Laws.--Except as provided in subsection 
(a), this section shall not be construed to limit the enforcement of 
any State consumer protection law by an attorney general of a State.
    (c) Protection of Certain State Laws.--Nothing in this Act shall be 
construed to preempt the applicability of--
            (1) State trespass, contract, or tort law; or
            (2) any other State law to the extent that the law relates 
        to acts of fraud.
    (d) Preservation of FTC Authority.--Nothing in this Act may be 
construed in any way to limit the authority of the Federal Trade 
Commission under any other provision of law.
    (e) Preservation of FCC Authority.--Nothing in this Act may be 
construed in any way to limit the authority of the Federal 
Communications Commission under any other provision of law.

        Subtitle B--Security Breach Notification and Protection

SEC. 211. NOTICE TO INDIVIDUALS; PROTECTION.

    (a) In General.--Except as provided in section 212, a covered 
entity shall, following the discovery of a security breach of sensitive 
personally identifiable information held by that covered entity or any 
third-party entity contracted to maintain or process data in electronic 
form containing sensitive personally identifiable information for that 
covered entity--
            (1) notify any resident of the United States whose 
        sensitive personally identifiable information has been, or is 
        reasonably believed to have been, accessed or acquired; and
            (2) provide 5 years of appropriate identity theft 
        prevention and mitigation services, if any, to any individual 
        notified under paragraph (1), upon request of the individual 
        and at no cost to the individual, under which the individual 
        shall not be--
                    (A) automatically enrolled, without the consent of 
                the individual, into a fee-based identity theft 
                prevention and mitigation service at the end of the 5-
                year period; or
                    (B) required to seek arbitration of any claim 
                arising from the identity theft prevention and 
                mitigation service described in subparagraph (A).
    (b) Obligation of Third-Party Entities.--
            (1) In general.--In the event of a breach of security of a 
        system maintained by a third-party entity that has been 
        contracted to maintain or process data in electronic form 
        containing sensitive personally identifiable information on 
        behalf of a covered entity who owns or possesses such data, the 
        third-party entity shall notify the covered entity of the 
        breach of security. Upon receiving notification from the third-
        party entity, such covered entity shall provide the 
        notification and identity theft prevention and mitigation 
        service required under subsection (a).
            (2) Notice by third-party entities.--Nothing in this 
        subtitle shall prevent or abrogate an agreement between a 
        covered entity required to give notice under this section and a 
        third-party entity that has been contracted to maintain or 
        process data in electronic form containing sensitive personally 
        identifiable information for a covered entity, to provide the 
        notifications required under subsection (a)(1) or the identity 
        theft prevention and mitigation service required under 
        subsection (a)(2).
            (3) Service providers.--If a service provider becomes aware 
        of a security breach containing sensitive personally 
        identifiable information that is owned or possessed by a 
        covered entity that connects to or uses a system or network 
        provided by the service provider for the purpose of 
        transmitting, routing, or providing intermediate or transient 
        storage of such data, the service provider shall be required to 
        promptly notify the covered entity who initiated such 
        connection, transmission, routing, or storage of the security 
        breach if the covered entity can be reasonably identified. Upon 
        receiving such notification from a service provider, the 
        covered entity shall be required to provide the notification 
        and identity theft prevention and mitigation service required 
        under subsection (a).
    (c) Timeliness of Notification.--
            (1) In general.--All notifications and identity theft 
        prevention and mitigation services required under this section 
        shall be made as expediently as possible and without 
        unreasonable delay following the discovery by the covered 
        entity of a security breach.
            (2) Reasonable delay.--Reasonable delay under this 
        subsection may include any reasonable time necessary to 
        determine the scope of the security breach, prevent further 
        disclosures, and provide notice to law enforcement when 
        required. Except as provided in subsection (d), delay of 
        notification or provision of identity theft prevention and 
        mitigation service shall not exceed 7 days following the 
        discovery of a security breach.
            (3) Burden of production.--The covered entity required to 
        provide notice and identity theft prevention and mitigation 
        service under this subtitle shall, upon the request of the 
        Attorney General of the United States or the Federal Trade 
        Commission provide records or other evidence of the 
        notifications and identity theft prevention and mitigation 
        service required under this subtitle, including to the extent 
        applicable, the reasons for any delay of notification or 
        provision of identity theft prevention and mitigation service.
    (d) Delay Authorized for Law Enforcement or National Security 
Purposes.--
            (1) In general.--If a Federal law enforcement agency or 
        intelligence agency determines that the notification or 
        provision of identity theft prevention and mitigation service 
        required under this section would impede a criminal 
        investigation, or national security activity, such notification 
        or provision of identity theft prevention and mitigation 
        service, as the case may be, shall be delayed upon written 
        notice from a Federal law enforcement agency or intelligence 
        agency to the covered entity that experienced the security 
        breach. The notification from a Federal law enforcement agency 
        or intelligence agency shall specify in writing the period of 
        delay requested for law enforcement or national security 
        purposes.
            (2) Extended delay.--If the notification or provision of 
        identity theft prevention and mitigation service required under 
        subsection (a) is delayed pursuant to paragraph (1), a covered 
        entity shall give notice or identity theft prevention and 
        mitigation service, as the case may be, 15 days after the day 
        such law enforcement or national security delay was invoked 
        unless a Federal law enforcement or intelligence agency 
        provides written notification that further delay is necessary.
            (3) Law enforcement immunity.--No nonconstitutional cause 
        of action shall lie in any court against any agency for acts 
        relating to the delay of notification for law enforcement or 
        national security purposes under this subtitle.
    (e) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to the following:
            (1) Financial institutions.--Financial institutions--
                    (A) subject to and in compliance with the data 
                security requirements and standards under section 
                501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 
                6801(b)); and
                    (B) subject to the jurisdiction of an agency or 
                authority described in section 505(a) of the Gramm-
                Leach-Bliley Act (15 U.S.C. 6805(a)).
            (2) HIPAA and hitech regulated entities.--An entity that is 
        subject to and in compliance with the data breach notification 
        requirements of the following, with respect to data that is 
        subject to such requirements:
                    (A) Section 13401 of the Health Information 
                Technology for Economic and Clinical Health Act (42 
                U.S.C. 17931).
                    (B) Part 160 or 164 of title 45, Code of Federal 
                Regulations (or any successor regulations).
                    (C) The regulations promulgated under section 
                264(c) of the Health Insurance Portability and 
                Accountability Act of 1996 (42 U.S.C. 1320d-2 note).
                    (D) In the case of a business entity, the 
                applicable data breach notification requirements of 
                part 1 of subtitle D of title XIII of division A of the 
                American Recovery and Reinvestment Act of 2009 (42 
                U.S.C. 17931 et seq.), if such business entity is 
                acting as a covered entity, a business associate, or a 
                vendor of personal health records, as those terms are 
                defined in section 13400 of the Health Information 
                Technology for Economic and Clinical Health Act (42 
                U.S.C. 17921).
                    (E) In the case of a third-party service provider, 
                section 13407 of the Health Information Technology for 
                Economic and Clinical Health Act (42 U.S.C. 17937).

SEC. 212. EXEMPTIONS.

    (a) National Security and Law Enforcement Exemption.--
            (1) In general.--Section 211 shall not apply to a covered 
        entity if a Federal law enforcement agency or intelligence 
        agency--
                    (A) determines that notification of the security 
                breach--
                            (i) could be expected to reveal sensitive 
                        sources and methods or similarly impede the 
                        ability of the Government to conduct law 
                        enforcement investigations; or
                            (ii) could be expected to cause damage to 
                        the national security;
                    (B) communicates the determination made under 
                subparagraph (A) to the covered entity; and
                    (C) orders that notification required under section 
                211 not be made.
            (2) Immunity.--No nonconstitutional cause of action shall 
        lie in any court against any Federal agency for acts relating 
        to the exemption from notification for law enforcement or 
        national security purposes under this title.
    (b) Safe Harbor Exemption.--A covered entity shall be exempt from 
the notice and identity theft prevention and mitigation service 
requirements under section 211 if the covered entity reasonably 
determines that sensitive personally identifiable information is 
rendered unusable, unreadable, or indecipherable through data security 
technology or methodology, including encryption or redaction, that is 
generally accepted by experts in the field of information security, 
such that there is no reasonable likelihood that a security breach has 
resulted in, or will result in, the misuse of data.

SEC. 213. METHODS OF NOTICE.

    A covered entity shall be in compliance with section 211 if the 
covered entity provides the following:
            (1) Individual notice.--Notice to individuals by one of the 
        following means if the method of notification selected can most 
        likely be expected to reach the intended individual:
                    (A) Written notification to the last known home 
                mailing address of the individual in the records of the 
                covered entity.
                    (B) Telephone notice to the individual personally, 
                provided that the telephone notice is made directly to 
                each affected consumer, and is not made through a 
                prerecorded message.
                    (C) E-mail notice, if--
                            (i)(I) the covered entity's primary method 
                        of communication with the individual is by e-
                        mail; or
                            (II) the individual has consented to 
                        receive such notice and the notice is 
                        consistent with the provisions permitting 
                        electronic transmission of notices under 
                        section 101 of the Electronic Signatures in 
                        Global and National Commerce Act (15 U.S.C. 
                        7001); and
                            (ii) the e-mail notice does not request, or 
                        contain a hypertext link to a request, that the 
                        consumer provide personal information in 
                        response to the notice.
            (2) Media, website, and social media notice.--In the event 
        notice is required to more than 5,000 individuals in 1 State 
        and individual notice is not feasible due to lack of sufficient 
        contact information for the individuals required to be 
        notified, a covered entity shall--
                    (A) provide notice to the major media outlets 
                serving the State or jurisdiction of the individuals 
                believed to be affected;
                    (B) place notice in a clear and conspicuous place 
                on the website of the covered entity if the covered 
                entity operates a website; and
                    (C) place notice on each social media platform on 
                which the covered entity maintains a social media 
                presence, if any.

SEC. 214. CONTENT OF NOTIFICATION.

    (a) In General.--Regardless of the method by which notice is 
provided to individuals under section 213, such notice shall include, 
to the extent possible--
            (1) a general description of the incident and the date or 
        estimated date of the security breach and the date range during 
        which the sensitive personally identifiable information was 
        compromised;
            (2) a description of the categories of sensitive personally 
        identifiable information that was, or is reasonably believed to 
        have been, accessed or acquired by an unauthorized person;
            (3) the acts the covered entity, or the agent of the 
        covered entity, has taken to protect sensitive personally 
        identifiable information from further security breach;
            (4) at the discretion of the covered entity, reasonable 
        advice on steps the individual may take to protect himself or 
        herself;
            (5) if applicable, an offer to provide appropriate identity 
        theft prevention and mitigation services, as described in 
        section 211(a)(2);
            (6) a toll-free number--
                    (A) that the individual may use to contact the 
                covered entity, or the agent of the covered entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                covered entity maintained about that individual; and
            (7) the toll-free contact telephone numbers and addresses 
        for the major credit reporting agencies if the sensitive 
        personally identifiable information that was breached could be 
        used to commit financial fraud or identity theft.
    (b) Direct Business Relationship.--Regardless of whether a covered 
entity or a designated third party provides the notice required 
pursuant to section 211(b), such notice shall include the name of the 
covered entity that has the most direct relationship with the 
individual being notified.

SEC. 215. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.

    If a covered entity is required to provide notification to more 
than 5,000 individuals under section 211(a) and the sensitive 
personally identifiable information that was breached could be used to 
commit financial fraud or identity theft, the covered entity shall also 
notify all consumer reporting agencies that compile and maintain files 
on consumers on a nationwide basis (as defined in section 603(p) of the 
Fair Credit Reporting Act (15 U.S.C. 1681a(p))) of the timing and 
distribution of the notices. Such notice shall be given to the consumer 
credit reporting agencies without unreasonable delay and, if it will 
not delay notice to the affected individuals, prior to the distribution 
of notices to the affected individuals.

SEC. 216. NOTICE TO THE FEDERAL TRADE COMMISSION.

    (a) In General.--A covered entity required to provide notification 
under section 211(a) shall provide a copy of the notification to the 
Federal Trade Commission not later than the date on which notice is 
provided to individuals required to be notified. The Federal Trade 
Commission shall establish procedures to ensure that the attorneys 
general of each State with affected residents receive a copy of the 
notice provided to it under this section.
    (b) Public Database and Report to Congress.--The Federal Trade 
Commission shall--
            (1) maintain a public database on the website of the 
        Federal Trade Commission of notifications received under 
        subsection (a); and
            (2) on an annual basis, submit a report to Congress on the 
        notifications received under subsection (a).

SEC. 217. NOTICE TO LAW ENFORCEMENT.

    (a) Designation of Government Entity To Receive Notice.--
            (1) In general.--Not later than 60 days after the date of 
        enactment of this Act, the Secretary of Homeland Security, in 
        consultation with the Attorney General, shall designate a 
        Federal Government entity to receive the notices required under 
        section 211 and this section.
            (2) Responsibilities of the designated entity.--The 
        designated entity shall--
                    (A) promptly provide the information that it 
                receives to the United States Secret Service or the 
                Federal Bureau of Investigation for law enforcement 
                purposes; and
                    (B) provide the information described in 
                subparagraph (A) as appropriate to other Federal 
                agencies for law enforcement, national security, or 
                data security purposes.
    (b) Notice.--A covered entity shall notify the designated entity of 
the fact that a security breach has occurred if--
            (1) the number of individuals whose sensitive personally 
        identifiable information was, or is reasonably believed to have 
        been, accessed or acquired by an unauthorized person exceeds 
        5,000;
            (2) the security breach involves a database, networked or 
        integrated databases, or other data system containing the 
        sensitive personally identifiable information of more than 
        500,000 individuals nationwide;
            (3) the security breach involves databases owned by the 
        Federal Government; or
            (4) the security breach involves primarily sensitive 
        personally identifiable information of individuals known to the 
        covered entity to be employees and contractors of the Federal 
        Government involved in national security or law enforcement.
    (c) Department of Justice Review of Thresholds for Notice.--The 
Attorney General, in consultation with the Secretary of Homeland 
Security, after notice and the opportunity for public comment, and in a 
manner consistent with this section, shall promulgate regulations, as 
necessary, under section 553 of title 5, United States Code, to adjust 
the thresholds for notice to law enforcement and national security 
authorities under subsection (b) and to facilitate the purposes of this 
section.
    (d) Timing.--The notice required under subsection (b) shall be 
provided as promptly as possible, but such notice must be provided not 
less than 48 hours before notice is provided to an individual pursuant 
to section 211, or not later than 7 days after the discovery of the 
events requiring notice, whichever occurs first. For each breach 
requiring notice under this subsection, a copy of the notice to 
individuals required under section 211 shall also be provided to the 
designated entity not later than the date on which the notice is 
provided to affected individuals.

SEC. 218. FEDERAL ENFORCEMENT.

    (a) In General.--The Attorney General and the Federal Trade 
Commission may enforce civil violations of this subtitle.
    (b) Civil Actions by the Attorney General of the United States.--
            (1) In general.--The Attorney General may bring a civil 
        action in the appropriate United States district court against 
        any covered entity that engages in conduct constituting a 
        violation of this subtitle and, upon proof of such conduct by a 
        preponderance of the evidence, the covered entity shall be 
        subject to a civil penalty in an amount not greater than the 
        product of the number of violations of this subtitle and 
        $16,500. Each failure to provide notification to an individual 
        as required under this subtitle shall be treated as a separate 
        violation.
            (2) Determinations.--The determination of whether a 
        violation of a provision of this subtitle has occurred, and if 
        so, the amount of the penalty to be imposed, if any, shall be 
        made by the court sitting as the finder of fact. The 
        determination of whether a violation of a provision of this 
        subtitle was willful or intentional, and if so, the amount of 
        the additional penalty to be imposed, if any, shall be made by 
        the court sitting as the finder of fact.
            (3) Additional penalty limit.--If a court determines under 
        paragraph (2) that a violation of a provision of this subtitle 
        was willful or intentional and imposes an additional penalty, 
        the court may not impose an additional penalty in an amount 
        that exceeds $10,000,000.
    (c) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a covered entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (d) Civil Actions by the Federal Trade Commission.--
            (1) In general.--Compliance with the requirements imposed 
        under this subtitle may be enforced under the Federal Trade 
        Commission Act (15 U.S.C. 41 et seq.) by the Federal Trade 
        Commission with respect to business entities subject to this 
        Act. All of the functions and powers of the Federal Trade 
        Commission under the Federal Trade Commission Act are available 
        to the Commission to enforce compliance by any person with the 
        requirements imposed under this title.
            (2) Civil penalties.--
                    (A) In general.--Any covered entity that violates 
                this subtitle shall be subject to a civil penalty in 
                the amount that is not greater than the product of the 
                number of violations of this subtitle and $16,500. Each 
                failure to provide notification to an individual as 
                required under this subtitle shall be treated as a 
                separate violation.
                    (B) Determinations.--The determination of whether a 
                violation of a provision of this subtitle has occurred, 
                and if so, the amount of the penalty to be imposed, if 
                any, shall be made by the court sitting as the finder 
                of fact. The determination of whether a violation of a 
                provision of this subtitle was willful or intentional, 
                and if so, the amount of the additional penalty to be 
                imposed, if any, shall be made by the court sitting as 
                the finder of fact.
                    (C) Additional penalty limit.--If a court 
                determines under subparagraph (B) that a violation of a 
                provision of this subtitle was willful or intentional 
                and imposes an additional penalty, the court may not 
                impose an additional penalty in an amount that exceeds 
                $10,000,000.
            (3) Unfair or deceptive acts or practices.--For the purpose 
        of the exercise by the Federal Trade Commission of its 
        functions and powers under the Federal Trade Commission Act, a 
        violation of any requirement or prohibition imposed under this 
        title shall constitute an unfair or deceptive act or practice 
        in commerce in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices 
        and shall be subject to enforcement by the Federal Trade 
        Commission under that Act with respect to any business entity, 
        irrespective of whether that business entity is engaged in 
        commerce or meets any other jurisdictional tests in the Federal 
        Trade Commission Act.
    (e) Coordination of Enforcement.--
            (1) In general.--When opening an investigation, the Federal 
        Trade Commission shall consult with the Attorney General.
            (2) Limitation.--The Federal Trade Commission may initiate 
        investigations under this subsection unless the Attorney 
        General determines that such an investigation would impede an 
        ongoing criminal investigation or national security activity.
            (3) Coordination agreement.--
                    (A) In general.--In order to avoid conflicts and 
                promote consistency regarding the enforcement and 
                litigation of matters under this Act, not later than 
                180 days after the enactment of this Act, the Attorney 
                General and the Federal Trade Commission shall enter 
                into an agreement for coordination regarding the 
                enforcement of this Act.
                    (B) Requirement.--The coordination agreement 
                entered into under subparagraph (A) shall include 
                provisions to ensure that parallel investigations and 
                proceedings under this section are conducted in a 
                manner that avoids conflicts and does not impede the 
                ability of the Attorney General to prosecute violations 
                of Federal criminal laws.
    (f) Rulemaking.--The Federal Trade Commission may, in consultation 
with the Attorney General, issue such other regulations as it 
determines to be necessary to carry out this subtitle. All regulations 
promulgated under this Act shall be issued in accordance with section 
553 of title 5, United States Code.
    (g) Other Rights and Remedies.--The rights and remedies available 
under this subtitle are cumulative and shall not affect any other 
rights and remedies available under law.
    (h) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting 
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence 
that the consumer has received notice that the consumer's financial 
information has or may have been compromised,'' after ``identity theft 
report''.

SEC. 219. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--
                    (A) In general.--In any case in which the attorney 
                general of a State or any State or local law 
                enforcement agency authorized by the State attorney 
                general or by State statute to prosecute violations of 
                consumer protection law, has reason to believe that a 
                covered entity has violated this subtitle, the State, 
                as parens patriae, may bring a civil action on behalf 
                of the residents of the State to--
                            (i) enjoin that practice;
                            (ii) enforce compliance with this subtitle; 
                        or
                            (iii) impose a civil penalty in an amount 
                        not greater than the product of the number of 
                        violations of this subtitle and $16,500.
                    (B) Failure to provide notification.--For purposes 
                of subparagraph (A)(iii), each failure to provide 
                notification to an individual as required under this 
                subtitle shall be treated as a separate violation.
            (2) Penalty determinations.--
                    (A) Determinations.--The determination of whether a 
                violation of a provision of this subtitle has occurred, 
                and if so, the amount of the penalty to be imposed, if 
                any, shall be made by the court sitting as the finder 
                of fact. The determination of whether a violation of a 
                provision of this subtitle was willful or intentional, 
                and if so, the amount of the additional penalty to be 
                imposed, if any, shall be made by the court sitting as 
                the finder of fact.
                    (B) Additional penalty limit.--If a court 
                determines under subparagraph (A) that a violation of a 
                provision of this subtitle was willful or intentional 
                and imposes an additional penalty, the court may not 
                impose an additional penalty in an amount that exceeds 
                $10,000,000.
            (3) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States and the Federal Trade Commission--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subtitle, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General of the United 
                        States and the Federal Trade Commission at the 
                        time the State attorney general files the 
                        action.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(3), the Attorney General and the Federal Trade Commission shall 
have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action;
            (2) initiate an action in the appropriate United States 
        district court under section 218 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(1); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General or the Federal 
Trade Commission initiates a criminal proceeding or civil action for a 
violation of a provision of this subtitle, or any regulations 
thereunder, no attorney general of a State may bring an action for a 
violation of a provision of this subtitle against a defendant named in 
the Federal criminal proceeding or civil action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle regarding notification shall 
be construed to prevent an attorney general of a State from exercising 
the powers conferred on such attorney general by the laws of that State 
to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.
    (f) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a business entity for 
violation of any provision of this subtitle.

SEC. 220. EFFECT ON FEDERAL AND STATE LAW.

    (a) Preemption.--For a covered entity that is subject to this 
subtitle, the provisions of this subtitle shall supersede any other 
provision of Federal law, or any provisions of the law of any State or 
political subdivision of a State requiring notification of a security 
breach of sensitive personally identifiable information, which is less 
stringent than the requirements of this subtitle.
    (b) Consumer Protection Laws.--Except as provided in subsection 
(a), this section shall not be construed to limit the enforcement of 
any State consumer protection law by an attorney general of a State.
    (c) Protection of Certain State Laws.--Nothing in this Act shall be 
construed to preempt the applicability of--
            (1) State trespass, contract, or tort law; or
            (2) any other State law to the extent that the law relates 
        to acts of fraud.
    (d) Preservation of FTC Authority.--Nothing in this Act may be 
construed in any way to limit the authority of the Federal Trade 
Commission under any other provision of law.
    (e) Preservation of FCC Authority.--Nothing in this Act may be 
construed in any way to limit the authority of the Federal 
Communications Commission under any other provision of law.

SEC. 221. REPORTING ON EXEMPTIONS.

    Not later than 18 months after the date of enactment of this Act, 
and upon the request by Congress thereafter, the Attorney General, in 
consultation with the Secretary of Homeland Security, shall submit a 
report to Congress on the number and nature of security breaches 
subject to the national security and law enforcement exemptions under 
section 212(a).

SEC. 222. EFFECTIVE DATE.

    This subtitle shall take effect on the expiration of the date that 
is 90 days after the date of enactment of this Act.

         TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

SEC. 301. BUDGET COMPLIANCE.

    The budgetary effects of this Act, for the purpose of complying 
with the Statutory Pay-As-You-Go Act of 2010, shall be determined by 
reference to the latest statement titled ``Budgetary Effects of PAYGO 
Legislation'' for this Act, submitted for printing in the Congressional 
Record by the Chairman of the Senate Budget Committee, provided that 
such statement has been submitted prior to the vote on passage.