[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 5449 Introduced in Senate (IS)]
118th CONGRESS
2d Session
S. 5449
To create an Office of Cybersecurity at the Federal Trade Commission for supervision of data security at consumer reporting agencies, to require the promulgation of regulations establishing standards for effective cybersecurity at consumer reporting agencies, to impose penalties on credit reporting agencies for cybersecurity breaches that put sensitive consumer data at risk, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
December 5, 2024
Ms. Warren (for herself, Mr. Warner, and Mrs. Shaheen) introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs
_______________________________________________________________________
A BILL
To create an Office of Cybersecurity at the Federal Trade Commission for supervision of data security at consumer reporting agencies, to require the promulgation of regulations establishing standards for effective cybersecurity at consumer reporting agencies, to impose penalties on credit reporting agencies for cybersecurity breaches that put sensitive consumer data at risk, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
  This Act may be cited as the ``Data Breach Prevention and Compensation Act of 2024''.
SEC. 2. DEFINITIONS.
  In this Act:
    (1) Affected consumer.--The term ``affected consumer'' means any individual to whom personally identifying information pertains that was, or that may have been, affected by a covered breach.
    (2) Agency.--The term ``agency'' has the meaning given the term in section 551 of title 5, United States Code.
    (3) Career appointee.--The term ``career appointee'' has the meaning given the term in section 3132(a) of title 5, United States Code.
    (4) Commission.--The term ``Commission'' means the Federal Trade Commission.
    (5) Consumer report; consumer reporting agency.--The terms ``consumer report'' and ``consumer reporting agency'' have the meanings given the terms in section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).
    (6) Covered breach.--The term ``covered breach'' means any instance in which not less than 1 piece of personally identifying information held by a covered consumer reporting agency is exposed, or is reasonably likely to have been exposed, to an unauthorized party.
    (7) Covered consumer reporting agency.--The term ``covered consumer reporting agency'' means--
      (A) a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)); or
      (B) a consumer reporting agency that earns not less than $7,000,000 in annual revenue from the sale of consumer reports.
    (8) Detail.--The term ``detail'' means a temporary assignment of an employee to a different position for a specified period, with the employee returning to the regular duties of the employee at the end of the specified period.
    (9) Director.--The term ``Director'' means the Director of the Office.
    (10) Office.--The term ``Office'' means the Office of Cybersecurity established under section 3(a).
    (11) Personally identifying information.--The term ``personally identifying information'' means, with respect to an individual--
      (A) the social security number of the individual;
      (B) a driver's license number of the individual;
      (C) a passport number of the individual;
      (D) an alien registration number or other government-issued unique identification number of the individual;
      (E) unique biometric data, such as a faceprint, a fingerprint, a voice print, an iris image, or any other unique physical representation of the individual;
      (F) the first and last name of the individual, or the first initial of the first name and the last name of the individual, in combination with any information that relates to--
        (i) the past, present, or future physical or mental health or condition of the individual; or
        (ii) the provision of health care to, or a diagnosis of, the individual;
      (G)(i) a financial account number, debit card number, or credit card number of the individual; or
        (ii) any passcode required to access an account described in clause (i); and
      (H) such additional information, as determined by the Director.
SEC. 3. CYBERSECURITY STANDARDS AND FTC AUTHORITY.
  (a) Establishment.--There is established in the Commission an Office of Cybersecurity, which shall be headed by a Director, who shall be a career appointee.
  (b) Duties.--The Office--
    (1) shall--
      (A) supervise covered consumer reporting agencies with respect to data security;
      (B) promulgate regulations, through notice and comment rulemaking that complies with section 553 of title 5, United States Code, for effective data security for covered consumer reporting agencies, including requirements for a covered consumer reporting agency to--
        (i) provide the Commission with descriptions of technical and organizational security measures of the consumer reporting agency, including--
          (I) system and network security measures, including--
            (aa) asset management, including--
              (AA) an inventory of devices of the covered consumer reporting agency that are authorized to access data maintained by the covered consumer reporting agency;
              (BB) an inventory of software that is authorized by the covered consumer reporting agency to access data maintained by the covered consumer reporting agency, including application whitelisting; and
              (CC) secure configurations for hardware and software of the covered consumer reporting agency;
            (bb) network management and monitoring, including--
              (AA) mapped data flows, including functional mission mapping;
              (BB) maintenance, monitoring, and analysis of audit logs;
              (CC) network segmentation; and
              (DD) local and remote access privileges, defined and managed; and
            (cc) application management, including--
              (AA) continuous vulnerability assessment and remediation;
              (BB) server application hardening;
              (CC) vulnerability handling, such as coordinated vulnerability disclosure policy; and
              (DD) patch management, including at, or near, real-time dashboards of patch implementation across network hosts; and
          (II) data security measures, including--
            (aa) data-centric security mechanisms such as format-preserving encryption, cryptographic data-splitting, and data-tagging and lineage;
            (bb) encryption for data at rest;
            (cc) encryption for data in transit;
            (dd) systemwide data minimization evaluations and policies; and
            (ee) data recovery capability;
        (ii) employ reasonable technical measures and corporate governance processes for continuous monitoring of data, intrusion detection, and continuous evaluation and timely patching of vulnerabilities;
        (iii) employ reasonable technical measures and corporate governance processes that satisfy and exceed all relevant data security policy recommendations contained in the framework of the National Institute of Standards and Technology entitled ``Framework for Improving Critical Infrastructure Cybersecurity'', dated February 12, 2014, or any successor thereto, as determined appropriate by the Office; and
        (iv) create and maintain documentation demonstrating that the covered consumer reporting agency is employing the technical measures and corporate governance processes described in clauses (ii) and (iii);
      (C) annually examine the data security measures of covered consumer reporting agencies for compliance with the requirements described in clauses (ii) and (iii) of subparagraph (B);
      (D) investigate any covered consumer reporting agency if the Office has reason to suspect--
        (i) a covered breach has occurred and the covered consumer reporting agency was subject to the covered breach; or
        (ii) the covered consumer reporting agency is not in compliance with the requirements described in clauses (ii) and (iii) of subparagraph (B);
      (E) after consultation with members of the technical and academic communities, develop a rigorous, repeatable methodology--
        (i) for evaluating, testing, and measuring effective data security practices of covered consumer reporting agencies; and
        (ii) that employs forms of static and dynamic software analysis and penetration testing;
      (F) submit to Congress an annual report on the findings of each investigation carried out under subparagraph (D) during the year covered by the report that includes a statement of how Congress could enhance the authorities of the Office in order to assist the Office in carrying out the duties of the Office under this Act;
      (G) determine whether covered consumer reporting agencies are complying with the requirements described in clauses (ii) and (iii) of subparagraph (B); and
      (H) coordinate with the National Institute of Standards and Technology and the National Cybersecurity and Communications Integration Center of the Department of Homeland Security; and
    (2) may--
      (A) investigate any covered breach to determine if the covered consumer reporting agency that was subject to the covered breach was in compliance with the requirements described in clauses (ii) and (iii) of paragraph (1)(B) as of the date on which the covered breach occurred; and
      (B) if the Director has reason to believe that any covered consumer reporting agency is violating, or in the immediate future will violate, a requirement described in clause (ii) or (iii) of paragraph (1), bring a suit in an appropriate district court of the United States to enjoin any such act or practice.
  (c) Staff.--
    (1) In general.--The Director shall, without regard to the civil service laws and regulations, appoint such personnel, including computer security researchers and practitioners with technical expertise in computer science, engineering, and cybersecurity, as the Director determines are necessary to carry out the duties of the Office.
    (2) Details.--
      (A) In general.--An employee of the National Institute of Standards and Technology, the Bureau of Consumer Financial Protection, or the National Cybersecurity and Communications Integration Center of the Department of Homeland Security may be detailed to the Office, without reimbursement.
      (B) Civil service status and privilege.--Detail under subparagraph (A) shall be without interruption or loss of the civil service status or privilege of the employee who is detailed to the Office.
SEC. 4. NOTIFICATION AND ENFORCEMENT.
  (a) Notification.--
    (1) Notification to the commission and relevant federal law enforcement and intelligence agencies.--
      (A) Notification to the commission.--Except as provided in paragraph (3), not later than 10 days after the date on which a covered breach occurs, any covered consumer reporting agency that was subject to the covered breach shall notify the Commission of the covered breach.
      (B) Notification to relevant federal law enforcement and intelligence agencies.--Not later than 10 days after the date on which the Commission receives a notification under subparagraph (A) that a covered breach has occurred, the Commission shall--
        (i) notify the relevant Federal law enforcement agencies and intelligence agencies that the covered breach has occurred; and
        (ii) with respect to the covered breach, consult with the relevant Federal law enforcement agencies and intelligence agencies, as appropriate.
    (2) Notification to affected consumers and the public.--
      (A) In general.--Except as provided in paragraph (3), on an expeditious and practical timeline, as determined appropriate by the Commission, a covered consumer reporting agency that is subject to a covered breach shall--
        (i) submit to each affected consumer with respect to whom the covered consumer reporting agency holds a piece of personally identifying information a notification regarding the covered breach that complies with subparagraph (B); and
        (ii) publish on the internet website of the covered consumer reporting agency a notice that contains a statement of--
          (I) the information described in clauses (i) and (ii) of subparagraph (B) and subclauses (I) and (II) of clause (iii) of that subparagraph; and
          (II) the steps that the covered consumer reporting agency is taking to notify the affected consumers described in clause (i) regarding the covered breach.
      (B) Notification to affected consumers.--In a notification to affected consumers under subparagraph (A)(i), the covered consumer reporting agency submitting the notification shall include a statement of--
        (i) the fact that the covered breach occurred;
        (ii) the approximate date on which the covered breach occurred; and
        (iii) with respect to the covered breach--
          (I) the number of affected consumers;
          (II) the measures that the covered consumer reporting agency is taking to remedy the covered breach; and
          (III) the potential risks created by the covered breach, a list of which the covered consumer reporting agency shall develop in consultation with the Office.
    (3) Delay of notification authorized for law enforcement or national security purposes.--
      (A) Notification by law enforcement agency or intelligence agency.--If a Federal law enforcement agency or intelligence agency to which the Commission has provided notice under paragraph (1)(B)(i) determines that the notification required under paragraph (2) may impede a criminal investigation or national security activity--
        (i) the Federal law enforcement agency or intelligence agency shall provide written notice to the Commission and the covered consumer reporting agency that was subject to the covered breach that is the subject of the notification that states--
          (I) that the notification required under paragraph (2) shall be delayed for law enforcement or national security purposes; and
          (II) the date on which the delay imposed under subclause (I) shall end; and
        (ii) subject to subparagraph (B), the covered consumer reporting agency that was subject to the covered breach shall delay notification under paragraph (2) until the date described in clause (i)(II) of this subparagraph.
      (B) Extended delay of notification.--If the notification required under paragraph (2) is delayed under subparagraph (A) of this paragraph, a covered consumer reporting agency that is required to provide notice under paragraph (2) shall provide that notice on an expeditious and practical timeline, as determined appropriate by the Commission, after the date on which the law enforcement or national security delay under subparagraph (A) of this paragraph ends, unless a Federal law enforcement or intelligence agency to which the Commission has provided notice under paragraph (1)(B)(i) provides written notification to the Commission and the covered consumer reporting agency that states--
        (i) that further delay is necessary; and
        (ii) the date on which the further delay shall end.
      (C) Law enforcement immunity.--No nonconstitutional cause of action shall lie in any court against any agency for acts relating to the delay of notification under subparagraph (A), or the extended delay of notification under subparagraph (B), for law enforcement or national security purposes.
  (b) Penalty.--
    (1) In general.--In the event of a covered breach, the Commission shall, not later than 30 days after the date on which the Commission receives notification of the covered breach under subsection (a)(1)(A), commence a civil action to recover a civil penalty in an appropriate district court of the United States against the covered consumer reporting agency that was subject to the covered breach.
    (2) Determining penalty amount.--
      (A) In general.--Except as provided in subparagraph (B), in determining the amount of a civil penalty under paragraph (1), the court shall impose a civil penalty on a covered consumer reporting agency of--
        (i) $100 for each consumer for whom the first and last name, or the first initial of the first name and last name, and 1 other item of personally identifying information were exposed to an unauthorized party; and
        (ii) in addition to the penalty imposed under clause (i), an additional $50 for each item of personally identifying information of the consumer, other than an item described in that clause, that was exposed to an unauthorized party.
      (B) Exception.--
        (i) In general.--Except as provided in clause (ii), in an action commenced under this subsection, a court may not impose a civil penalty in an amount that is more than 50 percent of the gross revenue of the covered consumer reporting agency against which the action is brought for the fiscal year before the fiscal year in which the covered consumer reporting agency became aware of the covered breach that is the subject of the action.
        (ii) Penalty doubled.--In an action commenced under this subsection, the court shall impose a civil penalty on a covered consumer reporting agency in an amount that is 2 times the amount of the penalty described in subparagraph (A), but not greater than 75 percent of the gross revenue of the covered consumer reporting agency for the fiscal year before the fiscal year in which the covered consumer reporting agency became aware of the covered breach that is subject to the action, if--
          (I) the covered consumer reporting agency fails to notify the Commission of the covered breach before the deadline established under subsection (a)(1)(A); or
          (II) the covered consumer reporting agency violates any requirement described in clause (ii) or (iii) of section 3(b)(1)(B).
    (3) Proceeds of the penalties.--Of the penalties imposed under this subsection--
      (A) 50 percent shall be used for cybersecurity research and inspections by the Office; and
      (B) 50 percent shall be used by the Office to be divided fairly among consumers affected by the covered breach.
    (4) No preemption.--Nothing in this subsection shall preclude an action by a consumer under State or other Federal law.
  (c) Injunctive Relief.--The Commission, acting through the Office, may bring suit in an appropriate district court of the United States or in the United States court of any territory to require a covered consumer reporting agency to implement or correct a particular security measure in order to promote effective security in accordance with the requirements described in clauses (ii) and (iii) of section 3(b)(1)(B).
SEC. 5. AUTHORIZATION OF APPROPRIATIONS.
  There are authorized to be appropriated $100,000,000 to carry out this Act, to remain available until expended.