Strengthening the BOTS Act

(a)

In general

Section 2 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c) is amended—(1)in subsection (a)(1)—(A)in subparagraph (A), by striking ; or and inserting a semicolon;(B)in subparagraph (B), by striking the period at the end and inserting ; or; and(C)by adding at the end the following new subparagraph:

(C)to use or cause to be used an application that performs automated tasks to purchase event tickets from an Internet website or online service in circumvention of posted online ticket purchasing order rules of the Internet website or online service, including a software application that circumvents an access control system, security measure, or other technological control or measure.

;

(2)by redesignating subsections (b) and (c) as subsections (c) and (d), respectively;(3)by inserting after subsection (a) the following new subsection:

(b)

Requiring online ticket issuers To put in place site policies and establish safeguards To protect site security

(1)

Requirement to enforce site policies

Each ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall ensure that such website or service has in place an access control system, security measure, or other technological control or measure to enforce posted event ticket purchasing limits.(2)

Requirement to establish site security safeguards

(A)

In general

Each ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall establish, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, integrity, or availability of the website or service. (B)

Considerations

In establishing the safeguards described in subparagraph (A), each ticket issuer described in such paragraph shall consider—(i)the administrative, technical, and physical safeguards that are appropriate to the size and complexity of the ticket issuer; (ii)the nature and scope of the activities of the ticket issuer;(iii)the sensitivity of any customer information at issue; and(iv)the range of security risks and vulnerabilities that are reasonably foreseeable or known to the ticket issuer.(C)

Third parties and service providers

(i)

In general

Where applicable, a ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall implement and maintain procedures to require that any third party or service provider that performs services with respect to the sale of event tickets or has access to data regarding event ticket purchasing on the website or service maintains reasonable administrative, technical, and physical safeguards to protect the security and integrity of the website or service and that data. (ii)

Oversight procedure requirements

The procedures implemented and maintained by a ticket issuer in accordance with clause (i) shall include the following:(I)Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue.(II)Requiring service providers by contract to implement and maintain adequate safeguards.(III)Periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. (D)

Updates

A ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall regularly evaluate and make adjustments to the safeguards described in subparagraph (A) in light of any material changes in technology, internal or external threats to system security, confidentiality, integrity, and availability, and the changing business arrangements or operations of the ticket issuer. (3)

Requirement to report incidents of circumvention; consumer complaints

(A)

In general

A ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall report to the Commission any incidents of circumvention of which the ticket issuer has actual knowledge.(B)

Consumer complaint website

Not later than 180 days after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall create a publicly available website (or modify an existing publicly available website of the Commission) to allow individuals to report violations of this subsection to the Commission. (C)

Reporting timeline and process

(i)

Timeline

A ticket issuer shall report known incidents of circumvention within a reasonable period of time after the incident of circumvention is discovered by the ticket issuer, and in no case later than 30 days after an incident of circumvention is discovered by the ticket issuer.(ii)

Automated submission

The Commission may establish a reporting mechanism to provide for the automatic submission of reports required under this subsection.(iii)

Coordination with state attorneys general

The Commission shall—(I)share reports received from ticket issuers under subparagraph (A) with State attorneys general as appropriate; and(II)share consumer complaints submitted through the website established under subparagraph (B) with State attorneys general as appropriate.(4)

Duty to address causes of circumvention

A ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets must take reasonable steps to improve its access control systems, security measures, and other technological controls or measures to address any incidents of circumvention of which the ticket issuer has actual knowledge.(5)

FTC guidance

Not later than 1 year after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall publish guidance for ticket issuers on compliance with the requirements of this subsection.

;

(4)in subsection (c), as redesignated by paragraph (1) of this subsection—(A)by striking subsection (a) each place it appears and inserting subsection (a) or (b);(B)in paragraph (2)—(i)in subparagraph (A), by striking The Commission and inserting Except as provided in paragraph (3), the Commission; and(ii)in subparagraph (B), by striking Any person and inserting Subject to paragraph (3), any person; and(C)by adding at the end the following new paragraphs:

(3)

Civil action

(A)

In general

If the Commission has reason to believe that any person has committed a violation of subsection (a) or (b), the Commission may bring a civil action in an appropriate district court of the United States to—(i)recover a civil penalty under paragraph (4); and(ii)seek other appropriate relief, including injunctive relief and other equitable relief.(B)

Litigation authority

Except as otherwise provided in section 16(a)(3) of the Federal Trade Commission Act (15 U.S.C. 56(a)(3)), the Commission shall have exclusive authority to commence or defend, and supervise the litigation of, any civil action authorized under this paragraph and any appeal of such action in its own name by any of its attorneys designated by it for such purpose, unless the Commission authorizes the Attorney General to do so. The Commission shall inform the Attorney General of the exercise of such authority and such exercise shall not preclude the Attorney General from intervening on behalf of the United States in such action and any appeal of such action as may be otherwise provided by law.(C)

Rule of construction

Any civil penalty or relief sought through a civil action under this paragraph shall be in addition to other penalties and relief as may be prescribed by law. (4)

Civil penalties

(A)

In general

Any person who violates subsection (a) or (b) shall be liable for—(i)a civil penalty of not less than $10,000 for each day during which the violation occurs or continues to occur; and(ii)an additional civil penalty of not less than $1,000 per violation.(B)

Enhanced civil penalty for intentional violations

In addition to the civil penalties under subparagraph (A), a person that intentionally violates subsection (a) or (b) shall be liable for a civil penalty of not less than $10,000 per violation.

;

(5)in subsection (d), as redesignated by paragraph (1) of this subsection, by striking subsection (a) each place it appears and inserting subsection (a) or (b); and(6)by adding at the end the following new subsections:

(e)

Law enforcement coordination

(1)

In general

The Federal Bureau of Investigation, the Department of Justice, and other relevant State or local law enforcement officials shall coordinate as appropriate with the Commission to share information about known instances of cyberattacks on security measures, access control systems, or other technological controls or measures on an Internet website or online service that are used by ticket issuers to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules. Such coordination may include providing information about ongoing investigations but may exclude classified information or information that could compromise a law enforcement or national security effort, as appropriate.(2)

Cyberattack defined

In this paragraph, the term cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of— (A)disrupting, disabling, destroying, or maliciously controlling a computing environment or computing infrastructure; or(B)destroying the integrity of data or stealing controlled information.(f)

Congressional report

Not later than 1 year after the date of enactment of this paragraph, the Commission shall report to Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives on the status of enforcement actions taken pursuant to this Act, as well as any identified limitations to the Commission’s ability to pursue incidents of circumvention described in subsection (a)(1)(A).

(b)

Additional definition

Section 3 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at the end the following new paragraph:

(4)

Circumvention

The term circumvention means the act of avoiding, bypassing, removing, deactivating, or otherwise impairing an access control system, security measure, safeguard, or other technological control or measure described in section 2(b)(1).