[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 3191 Introduced in Senate (IS)]

<DOC>






118th CONGRESS
  1st Session
                                S. 3191

  To improve online ticket sales and protect consumers, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            November 1, 2023

  Mrs. Blackburn (for herself and Mr. Lujan) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
  To improve online ticket sales and protect consumers, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Mitigating Automated Internet 
Networks for Event Ticketing Act'' or the ``MAIN Event Ticketing Act''.

SEC. 2. STRENGTHENING THE BOTS ACT.

    (a) In General.--Section 2 of the Better Online Ticket Sales Act of 
2016 (15 U.S.C. 45c) is amended--
            (1) in subsection (a)(1)--
                    (A) in subparagraph (A), by striking ``; or'' and 
                inserting a semicolon;
                    (B) in subparagraph (B), by striking the period at 
                the end and inserting ``; or''; and
                    (C) by adding at the end the following new 
                subparagraph:
                    ``(C) to use or cause to be used an application 
                that performs automated tasks to purchase event tickets 
                from an Internet website or online service in 
                circumvention of posted online ticket purchasing order 
                rules of the Internet website or online service, 
                including a software application that circumvents an 
                access control system, security measure, or other 
                technological control or measure.'';
            (2) by redesignating subsections (b) and (c) as subsections 
        (c) and (d), respectively;
            (3) by inserting after subsection (a) the following new 
        subsection:
    ``(b) Requiring Online Ticket Issuers To Put in Place Site Policies 
and Establish Safeguards To Protect Site Security.--
            ``(1) Requirement to enforce site policies.--Each ticket 
        issuer that owns or operates an Internet website or online 
        service that facilitates or executes the sale of event tickets 
        shall ensure that such website or service has in place an 
        access control system, security measure, or other technological 
        control or measure to enforce posted event ticket purchasing 
        limits.
            ``(2) Requirement to establish site security safeguards.--
                    ``(A) In general.--Each ticket issuer that owns or 
                operates an Internet website or online service that 
                facilitates or executes the sale of event tickets shall 
                establish, implement, and maintain reasonable 
                administrative, technical, and physical safeguards to 
                protect the security, confidentiality, integrity, or 
                availability of the website or service.
                    ``(B) Considerations.--In establishing the 
                safeguards described in subparagraph (A), each ticket 
                issuer described in such paragraph shall consider--
                            ``(i) the administrative, technical, and 
                        physical safeguards that are appropriate to the 
                        size and complexity of the ticket issuer;
                            ``(ii) the nature and scope of the 
                        activities of the ticket issuer;
                            ``(iii) the sensitivity of any customer 
                        information at issue; and
                            ``(iv) the range of security risks and 
                        vulnerabilities that are reasonably foreseeable 
                        or known to the ticket issuer.
                    ``(C) Third parties and service providers.--
                            ``(i) In general.--Where applicable, a 
                        ticket issuer that owns or operates an Internet 
                        website or online service that facilitates or 
                        executes the sale of event tickets shall 
                        implement and maintain procedures to require 
                        that any third party or service provider that 
                        performs services with respect to the sale of 
                        event tickets or has access to data regarding 
                        event ticket purchasing on the website or 
                        service maintains reasonable administrative, 
                        technical, and physical safeguards to protect 
                        the security and integrity of the website or 
                        service and that data.
                            ``(ii) Oversight procedure requirements.--
                        The procedures implemented and maintained by a 
                        ticket issuer in accordance with clause (i) 
                        shall include the following:
                                    ``(I) Taking reasonable steps to 
                                select and retain service providers 
                                that are capable of maintaining 
                                appropriate safeguards for the customer 
                                information at issue.
                                    ``(II) Requiring service providers 
                                by contract to implement and maintain 
                                adequate safeguards.
                                    ``(III) Periodically assessing 
                                service providers based on the risk 
                                they present and the continued adequacy 
                                of their safeguards.
                    ``(D) Updates.--A ticket issuer that owns or 
                operates an Internet website or online service that 
                facilitates or executes the sale of event tickets shall 
                regularly evaluate and make adjustments to the 
                safeguards described in subparagraph (A) in light of 
                any material changes in technology, internal or 
                external threats to system security, confidentiality, 
                integrity, and availability, and the changing business 
                arrangements or operations of the ticket issuer.
            ``(3) Requirement to report incidents of circumvention; 
        consumer complaints.--
                    ``(A) In general.--A ticket issuer that owns or 
                operates an Internet website or online service that 
                facilitates or executes the sale of event tickets shall 
                report to the Commission any incidents of circumvention 
                of which the ticket issuer has actual knowledge.
                    ``(B) Consumer complaint website.--Not later than 
                180 days after the date of enactment of the Mitigating 
                Automated Internet Networks for Event Ticketing Act, 
                the Commission shall create a publicly available 
                website (or modify an existing publicly available 
                website of the Commission) to allow individuals to 
                report violations of this subsection to the Commission.
                    ``(C) Reporting timeline and process.--
                            ``(i) Timeline.--A ticket issuer shall 
                        report known incidents of circumvention within 
                        a reasonable period of time after the incident 
                        of circumvention is discovered by the ticket 
                        issuer, and in no case later than 30 days after 
                        an incident of circumvention is discovered by 
                        the ticket issuer.
                            ``(ii) Automated submission.--The 
                        Commission may establish a reporting mechanism 
                        to provide for the automatic submission of 
                        reports required under this subsection.
                            ``(iii) Coordination with state attorneys 
                        general.--The Commission shall--
                                    ``(I) share reports received from 
                                ticket issuers under subparagraph (A) 
                                with State attorneys general as 
                                appropriate; and
                                    ``(II) share consumer complaints 
                                submitted through the website 
                                established under subparagraph (B) with 
                                State attorneys general as appropriate.
            ``(4) Duty to address causes of circumvention.--A ticket 
        issuer that owns or operates an Internet website or online 
        service that facilitates or executes the sale of event tickets 
        must take reasonable steps to improve its access control 
        systems, security measures, and other technological controls or 
        measures to address any incidents of circumvention of which the 
        ticket issuer has actual knowledge.
            ``(5) FTC guidance.--Not later than 1 year after the date 
        of enactment of the Mitigating Automated Internet Networks for 
        Event Ticketing Act, the Commission shall publish guidance for 
        ticket issuers on compliance with the requirements of this 
        subsection.'';
            (4) in subsection (c), as redesignated by paragraph (1) of 
        this subsection--
                    (A) by striking ``subsection (a)'' each place it 
                appears and inserting ``subsection (a) or (b)'';
                    (B) in paragraph (2)--
                            (i) in subparagraph (A), by striking ``The 
                        Commission'' and inserting ``Except as provided 
                        in paragraph (3), the Commission''; and
                            (ii) in subparagraph (B), by striking ``Any 
                        person'' and inserting ``Subject to paragraph 
                        (3), any person''; and
                    (C) by adding at the end the following new 
                paragraphs:
            ``(3) Civil action.--
                    ``(A) In general.--If the Commission has reason to 
                believe that any person has committed a violation of 
                subsection (a) or (b), the Commission may bring a civil 
                action in an appropriate district court of the United 
                States to--
                            ``(i) recover a civil penalty under 
                        paragraph (4); and
                            ``(ii) seek other appropriate relief, 
                        including injunctive relief and other equitable 
                        relief.
                    ``(B) Litigation authority.--Except as otherwise 
                provided in section 16(a)(3) of the Federal Trade 
                Commission Act (15 U.S.C. 56(a)(3)), the Commission 
                shall have exclusive authority to commence or defend, 
                and supervise the litigation of, any civil action 
                authorized under this paragraph and any appeal of such 
                action in its own name by any of its attorneys 
                designated by it for such purpose, unless the 
                Commission authorizes the Attorney General to do so. 
                The Commission shall inform the Attorney General of the 
                exercise of such authority and such exercise shall not 
                preclude the Attorney General from intervening on 
                behalf of the United States in such action and any 
                appeal of such action as may be otherwise provided by 
                law.
                    ``(C) Rule of construction.--Any civil penalty or 
                relief sought through a civil action under this 
                paragraph shall be in addition to other penalties and 
                relief as may be prescribed by law.
            ``(4) Civil penalties.--
                    ``(A) In general.--Any person who violates 
                subsection (a) or (b) shall be liable for--
                            ``(i) a civil penalty of not less than 
                        $10,000 for each day during which the violation 
                        occurs or continues to occur; and
                            ``(ii) an additional civil penalty of not 
                        less than $1,000 per violation.
                    ``(B) Enhanced civil penalty for intentional 
                violations.--In addition to the civil penalties under 
                subparagraph (A), a person that intentionally violates 
                subsection (a) or (b) shall be liable for a civil 
                penalty of not less than $10,000 per violation.'';
            (5) in subsection (d), as redesignated by paragraph (1) of 
        this subsection, by striking ``subsection (a)'' each place it 
        appears and inserting ``subsection (a) or (b)''; and
            (6) by adding at the end the following new subsections:
    ``(e) Law Enforcement Coordination.--
            ``(1) In general.--The Federal Bureau of Investigation, the 
        Department of Justice, and other relevant State or local law 
        enforcement officials shall coordinate as appropriate with the 
        Commission to share information about known instances of 
        cyberattacks on security measures, access control systems, or 
        other technological controls or measures on an Internet website 
        or online service that are used by ticket issuers to enforce 
        posted event ticket purchasing limits or to maintain the 
        integrity of posted online ticket purchasing order rules. Such 
        coordination may include providing information about ongoing 
        investigations but may exclude classified information or 
        information that could compromise a law enforcement or national 
        security effort, as appropriate.
            ``(2) Cyberattack defined.--In this paragraph, the term 
        `cyberattack' means an attack, via cyberspace, targeting an 
        enterprise's use of cyberspace for the purpose of--
                    ``(A) disrupting, disabling, destroying, or 
                maliciously controlling a computing environment or 
                computing infrastructure; or
                    ``(B) destroying the integrity of data or stealing 
                controlled information.
    ``(f) Congressional Report.--Not later than 1 year after the date 
of enactment of this paragraph, the Commission shall report to 
Committee on Commerce, Science, and Transportation of the Senate and 
the Committee on Energy and Commerce of the House of Representatives on 
the status of enforcement actions taken pursuant to this Act, as well 
as any identified limitations to the Commission's ability to pursue 
incidents of circumvention described in subsection (a)(1)(A).''.
    (b) Additional Definition.--Section 3 of the Better Online Ticket 
Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at the end 
the following new paragraph:
            ``(4) Circumvention.--The term `circumvention' means the 
        act of avoiding, bypassing, removing, deactivating, or 
        otherwise impairing an access control system, security measure, 
        safeguard, or other technological control or measure described 
        in section 2(b)(1).''.
                                 <all>