[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1371 Introduced in Senate (IS)]

118th CONGRESS
  1st Session
                                S. 1371

  To amend the Small Business Act to require that consumer reporting 
     agencies and other credit reporting companies provide certain 
        protections to small businesses, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 27, 2023

Mr. Rubio (for himself and Mr. Warnock) introduced the following bill; 
 which was read twice and referred to the Committee on Small Business 
                          and Entrepreneurship

_______________________________________________________________________

                                 A BILL


 
  To amend the Small Business Act to require that consumer reporting 
     agencies and other credit reporting companies provide certain 
        protections to small businesses, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Small Business Credit Protection Act 
of 2023''.

SEC. 2. DATA BREACHES.

    (a) In General.--The Small Business Act (15 U.S.C. 631 et seq.) is 
amended--
            (1) by redesignating section 49 (15 U.S.C. 631 note) as 
        section 50; and
            (2) by inserting after section 48 (15 U.S.C. 657u) the 
        following:

``SEC. 49. DATA BREACHES.

    ``(a) Definition.--In this section--
            ``(1) the term `consumer report' has the meaning given the 
        term in section 603 of the Fair Credit Reporting Act (15 U.S.C. 
        1681a); and
            ``(2) the term `credit reporting company'--
                    ``(A) has the meaning given the term `consumer 
                reporting agency' in section 603 of the Fair Credit 
                Reporting Act (15 U.S.C. 1681a); and
                    ``(B) includes any entity that collects commercial 
                credit data.
    ``(b) Requirements for Reporting Breaches.--
            ``(1) Applicable state law.--
                    ``(A) In general.--Except as provided in paragraph 
                (2), if nonpublic data of a small business concern that 
                is collected or stored by a credit reporting company 
                has been breached, the credit reporting company shall 
                report the breach promptly and not later than as 
                required under the law of the State in which the small 
                business concern is located.
                    ``(B) Locations in multiple states.--If a small 
                business concern that is affected by a breach described 
                in subparagraph (A) has locations in more than 1 State, 
                for the purposes of that subparagraph, the law of the 
                State that imposes the shortest period for the 
                reporting of the breach shall apply.
            ``(2) Exception.--
                    ``(A) In general.--If a small business concern that 
                is affected by a breach described in paragraph (1)(A) 
                is located in a State that does not have a law that 
                imposes a set period for the reporting of the breach, 
                the credit reporting company to which the requirement 
                under that paragraph applies shall report the breach in 
                the most expeditious manner practicable and without 
                unreasonable delay.
                    ``(B) Rule of construction regarding a law 
                enforcement request.--For the purposes of subparagraph 
                (A), a delay with respect to the reporting of a breach 
                described in that subparagraph that is caused by a 
                requirement to respond to a request submitted by a law 
                enforcement agency shall be construed to be a 
                reasonable delay.
    ``(c) Prohibition.--During the 180-day period beginning on the date 
on which a breach described in subsection (b)(1)(A) occurs, a credit 
reporting company may not charge a small business concern that is 
affected by that breach for providing the small business concern with 
the consumer report of the small business concern.
    ``(d) No Preemption.--Nothing in this section shall preempt any 
State law with respect to credit reporting companies.''.
    (b) GAO Report.--
            (1) Definitions.--In this subsection--
                    (A) the term ``credit reporting company''--
                            (i) has the meaning given the term 
                        ``consumer reporting agency'' in section 603 of 
                        the Fair Credit Reporting Act (15 U.S.C. 
                        1681a); and
                            (ii) includes any entity that collects 
                        commercial credit data; and
                    (B) the term ``small business concern'' has the 
                meaning given the term in section 3 of the Small 
                Business Act (15 U.S.C. 632).
            (2) Report.--Not later than 1 year after the date of 
        enactment of this Act, the Comptroller General of the United 
        States shall submit to Congress a report regarding the economic 
        harm incurred by small business concerns as a result of data 
        breaches at credit reporting companies.