Short title

This Act may be cited as the

Protecting Consumer Information Act of 2021

Standards for cybersecurity safeguards for certain consumer reporting agencies and service providers

(a)

Review of standards; potential revision

(1)

Review

Not later than 90 days after the date of the enactment of this Act, the Commission shall complete a review of the standards contained in the regulations issued by the Commission under section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) to determine whether such standards require covered consumer reporting agencies and covered service providers to maintain sufficient safeguards to protect customer records and information against cyber attacks and related threats.(2)

Revision

If the Commission determines in the review completed under paragraph (1) that the standards contained in the regulations issued by the Commission under section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) do not require covered consumer reporting agencies and covered service providers to maintain sufficient safeguards to protect customer records and information against cyber attacks and related threats, not later than 180 days after the date of the completion of the review, the Commission shall, pursuant to section 553 of title 5, United States Code, revise such regulations so as to provide for standards applicable to covered consumer reporting agencies and covered service providers that require such agencies and providers to maintain sufficient safeguards to protect customer records and information against cyber attacks and related threats.(b)

Investigations

(1)

Initial investigation

(A)

In general

Not later than 18 months after the date described in subparagraph (B), the Commission shall complete an investigation of each person or entity that, as of the date described in such subparagraph, is a covered consumer reporting agency or covered service provider, to determine whether such agency or provider is in compliance with the regulations issued by the Commission under section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801).(B)

Date described

The date described in this subparagraph is—(i)if no revision of such regulations is required by paragraph (2) of subsection (a), the date of the completion of the review required by paragraph (1) of such subsection; or(ii)if revision of such regulations is required by paragraph (2) of such subsection, the date on which the Commission issues the revised regulations.(2)

Subsequent investigations

From time to time after the date that is 18 months after the date described in paragraph (1)(B), the Commission shall complete an investigation of each covered consumer reporting agency and each covered service provider to determine whether such agency or provider is in compliance with the regulations issued by the Commission under section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801).

Enforcement by Federal Trade Commission

(a)

Unfair or deceptive acts or practices

A violation of a regulation issued by the Commission under section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) by a covered consumer reporting agency or a covered service provider shall be treated as a violation of a rule under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.(b)

Powers of Commission

The Commission shall enforce, with respect to covered consumer reporting agencies and covered service providers, the regulations issued by the Commission under section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of such section. Any covered consumer reporting agency or covered service provider that violates such a regulation shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

Enforcement by State attorneys general

(a)

In general

In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of such State has been or is threatened or adversely affected by an act or practice by a covered consumer reporting agency or covered service provider in violation of a regulation issued by the Commission under section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801), the State, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to—(1)enjoin such act or practice;(2)enforce compliance with such regulation;(3)obtain damages, restitution, or other compensation on behalf of residents of the State; or(4)obtain such other legal and equitable relief as the court may consider to be appropriate.(b)

Notice

Before filing an action under this section, the attorney general, official, or agency of the State involved shall provide to the Commission a written notice of such action and a copy of the complaint for such action. If the attorney general, official, or agency determines that it is not feasible to provide the notice described in this subsection before the filing of the action, the attorney general, official, or agency shall provide written notice of the action and a copy of the complaint to the Commission immediately upon the filing of the action.(c)

Authority of Commission

(1)

In general

On receiving notice under subsection (b) of an action under this section, the Commission shall have the right—(A)to intervene in the action;(B)upon so intervening, to be heard on all matters arising therein; and(C)to file petitions for appeal.(2)

Limitation on State action while Federal action is pending

If the Commission or the Attorney General of the United States has instituted a civil action for violation of a regulation issued by the Commission under section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) by a covered consumer reporting agency or covered service provider (referred to in this paragraph as the Federal action), no State attorney general, official, or agency may bring an action under this section during the pendency of the Federal action against any defendant named in the complaint in the Federal action for any violation of such regulation alleged in such complaint.(d)

Rule of construction

For purposes of bringing a civil action under this section, nothing in this Act shall be construed to prevent an attorney general, official, or agency of a State from exercising the powers conferred on the attorney general, official, or agency by the laws of such State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence.

Definitions

In this Act:(1)

Commission

The term Commission means the Federal Trade Commission.(2)

Covered consumer reporting agency

The term covered consumer reporting agency means a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p))).(3)

Covered service provider

The term covered service provider means any person or entity that is a service provider (as defined in section 314.2 of title 16, Code of Federal Regulations) through provision of services to a covered consumer reporting agency.