Short title

This Act may be cited as the

Ending Forced Arbitration for Victims of Data Breaches Act of 2021

Protection of data security breach victims

An entity may not require, as part of a customer or other similar agreement, an individual to agree to submit any dispute related to a security breach, including any dispute related to identity theft, to arbitration.

Applicability

A provision of an agreement entered into prior to the date of the enactment of this Act, that violates section 2, is void.

Enforcement by the Federal Trade Commission

(a)

Unfair or deceptive acts or practices

A violation of section 2 shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.(b)

Powers of commission

The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates section 2 shall be subject to the penalties and entitled to the privileges and immunities provided in that Act.(c)

Rules

The Commission shall promulgate, under section 553 of title 5, United States Code, such rules as may be necessary to carry out the provisions of this Act.

Enforcement by States

(a)

In general

If the attorney general of a State has reason to believe that an interest of the residents of the State has been or is being threatened or adversely affected by a practice that violates section 2, the attorney general of the State may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief.(b)

Rights of Federal Trade Commission

(1)

Notice to Federal Trade Commission

(A)

In general

Except as provided in clause (iii), the attorney general of a State, before initiating a civil action under paragraph (1), shall provide written notification to the Federal Trade Commission that the attorney general intends to bring such civil action.(B)

Contents

The notification required under clause (i) shall include a copy of the complaint to be filed to initiate the civil action.(C)

Exception

If it is not feasible for the attorney general of a State to provide the notification required under clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.(2)

Intervention by Federal Trade Commission

The Commission may—(A)intervene in any civil action brought by the attorney general of a State under paragraph (1); and(B)upon intervening—(i)be heard on all matters arising in the civil action; and(ii)file petitions for appeal of a decision in the civil action.(c)

Investigatory powers

Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.(d)

Preemptive action by Federal Trade Commission

If the Federal Trade Commission institutes a civil action or an administrative action with respect to a violation of section 2, the attorney general of a State may not, during the pendency of such action, bring a civil action under paragraph (1) against any defendant named in the complaint of the Commission for the violation with respect to which the Commission instituted such action.(e)

Venue; service of process

(1)

Venue

Any action brought under paragraph (1) may be brought in—(A)the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or(B)another court of competent jurisdiction.(2)

Service of process

In an action brought under paragraph (1), process may be served in any district in which—(A)the defendant is an inhabitant, may be found, or transacts business; or(B)venue is proper under section 1391 of title 28, United States Code.

Private right of action

(a)

In general

An individual who is injured by a violation of section 2 may bring a private right of action in any court of appropriate jurisdiction for rescission and restitution, as well as for all damages and may be awarded injunctive relief against a violation of such section. The individual shall also be entitled to recover its costs of litigation and reasonable attorney’s fees and expert witness fees, against any entity or person found to be liable for such violation.(b)

Liability

Every person who directly or indirectly controls a person liable under subsection (a), every partner in a firm so liable, every principal executive officer or director of a corporation so liable, every person occupying a similar status or performing similar functions and every employee of a person so liable who materially aids in the act or transaction constituting the violation is also liable jointly and severally with and to the same extent as such person, unless the person who would otherwise be liable hereunder had no knowledge of or reasonable grounds to know of the existence of the facts by reason of which the liability is alleged to exist.(c)

Statute of limitations

No action may be commenced pursuant to this section more than the later of—(1)2 years after the date on which the violation occurs; or(2)2 years after the date on which the violation is discovered or should have been discovered through exercise of reasonable diligence.(d)

Venue

An action under this section may be brought in—(1)the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or(2)another court of competent jurisdiction.(e)

Cumulative right

The private rights provided for in this section are in addition to and not in lieu of other rights or remedies created by Federal or State law.

Definitions

In this Act—(1)the term security breach—(A)means a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in—(i)the unauthorized acquisition of sensitive personally identifiable information; or(ii)access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization;(B)does not include any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an element of the intelligence community; and(2)the term sensitive personally identifiable information means any information or compilation of information, in electronic or digital form that includes one or more of the following:(A)An individual’s first and last name or first initial and last name in combination with any two of the following data elements:(i)Home address or telephone number.(ii)Mother’s maiden name.(iii)Month, day, and year of birth.(B)A Social Security number (but not including only the last four digits of a Social Security number), driver’s license number, passport number, or alien registration number or other Government-issued unique identification number.(C)Unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation.(D)A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code.(E)A user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.(F)Any combination of the following data elements:(i)An individual’s first and last name or first initial and last name.(ii)A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code.(iii)Any security code, access code, or password, or source code that could be used to generate such codes or passwords.