[Congressional Record Volume 160, Number 4 (Wednesday, January 8, 2014)]
[Senate]
[Pages S134-S142]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself, Mr. Schumer, Mr. Franken, and Mr. 
        Blumenthal):
  S. 1897. A bill to prevent and mitigate identity theft, to ensure 
privacy, to provide notice of security breaches, and to enhance 
criminal penalties, law enforcement assistance, and other protections 
against security breaches, fraudulent access, and misuse of personally 
identifiable information; to the Committee on the Judiciary.
  Mr. LEAHY. Mr. President, today, I am reintroducing the Personal Data 
Privacy and Security Act. The recent data breach at Target involving 
the debit and credit card data of as many as 40 million customers 
during the Christmas holidays is a reminder that developing a 
comprehensive national strategy to protect data privacy and 
cybersecurity remains one of the most challenging and important issues 
facing our Nation. The Personal Data Privacy and Security Act will help 
to meet this challenge, by better protecting Americans from the growing 
threats of data breaches and identity theft. I thank Senators Franken, 
Schumer and Blumenthal for cosponsoring this important privacy 
legislation.
  When I first introduced this bill 9 years ago, I had high hopes of 
bringing urgently needed data privacy reforms to the American people. 
Although the Judiciary Committee favorably reported this bill numerous 
times, this legislation has languished on the Senate calendar.
  In the meantime, the dangers to Americans' privacy, economic 
prosperity and national security posed by data breaches have not gone 
away. According to the Privacy Rights Clearinghouse, more than 662 
million records have been involved in data security breaches since 
2005. According to Verizon's 2013 Data Breach Investigations Report, 
there were more than 600 publicly disclosed data breaches last year. 
These data security breaches have become all too common and these 
cyberthreats have placed Americans' privacy rights at great risk.
  In 2011, the Obama administration released several proposals to 
enhance cybersecurity, including a data breach proposal that adopted 
the carefully balanced framework of our legislation. I am happy that 
many of the sound privacy principles in this bill have been embraced by 
the administration.
  The Personal Data Privacy and Security Act requires companies that 
have databases with sensitive personal information on Americans to 
establish and implement data privacy and security programs. The bill 
would also establish a single nationwide standard for data breach 
notification and require notice to consumers when their sensitive 
personal information has been compromised.
  This bill also provides for tough criminal penalties for anyone who 
would intentionally and willfully conceal the fact that a data breach 
has occurred when the breach causes economic damage to consumers. The 
bill also includes the Obama administration's proposal to update the 
Computer Fraud and Abuse Act, so that attempted computer hacking and 
conspiracy to commit computer hacking offenses are subject to the same 
criminal penalties as the underlying offenses.
  I have drafted this bill after long and thoughtful consultation with 
many of the stakeholders on this issue, including the privacy, consumer 
protection and business communities. I have also consulted with the 
Departments of Justice and Homeland Security, and with the Federal 
Trade Commission.
  This is a comprehensive bill that not only addresses the need to 
provide Americans with notice when they have been victims of a data 
breach, but that also deals with the underlying problem of lax security 
and lack of accountability to help prevent data breaches from occurring 
in the first place. Enacting this comprehensive data privacy 
legislation remains one of my legislative priorities as Chairman of the 
Judiciary Committee.
  Protecting privacy rights is of critical importance to all of us, 
regardless of party or ideology. I hope that all Senators will support 
this measure to better protect Americans' privacy.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 1897

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Personal 
     Data Privacy and Security Act of 2014''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Organized criminal activity in connection with unauthorized 
              access to personally identifiable information.
Sec. 102. Concealment of security breaches involving sensitive 
              personally identifiable information.
Sec. 103. Penalties for fraud and related activity in connection with 
              computers.
Sec. 104. Trafficking in passwords.
Sec. 105. Conspiracy and attempted computer fraud offenses.
Sec. 106. Criminal and civil forfeiture for fraud and related activity 
              in connection with computers.
Sec. 107. Limitation on civil actions involving unauthorized use.
Sec. 108. Reporting of certain criminal cases.
Sec. 109. Damage to critical infrastructure computers.
Sec. 110. Limitation on actions involving unauthorized use.

 TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

Sec. 201. Purpose and applicability of data privacy and security 
              program.
Sec. 202. Requirements for a personal data privacy and security 
              program.
Sec. 203. Enforcement.
Sec. 204. Relation to other laws.

                Subtitle B--Security Breach Notification

Sec. 211. Notice to individuals.
Sec. 212. Exemptions.
Sec. 213. Methods of notice.
Sec. 214. Content of notification.
Sec. 215. Coordination of notification with credit reporting agencies.
Sec. 216. Notice to law enforcement.
Sec. 217. Enforcement.
Sec. 218. Enforcement by State attorneys general.
Sec. 219. Effect on Federal and State law.
Sec. 220. Reporting on exemptions.
Sec. 221. Effective date.

         TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

Sec. 301. Budget compliance.

     SEC. 2. FINDINGS.

       Congress finds that--
       (1) databases of personally identifiable information are 
     increasingly prime targets of hackers, identity thieves, 
     rogue employees, and other criminals, including organized and 
     sophisticated criminal operations;
       (2) identity theft is a serious threat to the Nation's 
     economic stability, national security, homeland security, 
     cybersecurity, the development of e-commerce, and the privacy 
     rights of Americans;
       (3) security breaches are a serious threat to consumer 
     confidence, homeland security, national security, e-commerce, 
     and economic stability;
       (4) it is important for business entities that own, use, or 
     license personally identifiable information to adopt 
     reasonable procedures to ensure the security, privacy, and 
     confidentiality of that personally identifiable information;
       (5) individuals whose personal information has been 
     compromised or who have been victims of identity theft should 
     receive the necessary information and assistance to mitigate 
     their damages and to restore the integrity of their personal 
     information and identities;
       (6) data misuse and use of inaccurate data have the 
     potential to cause serious or irreparable harm to an 
     individual's livelihood, privacy, and liberty and undermine 
     efficient and effective business and government operations;
       (7) government access to commercial data can potentially 
     improve safety, law enforcement, and national security; and
       (8) because government use of commercial data containing 
     personal information potentially affects individual privacy, 
     and law enforcement and national security operations, there 
     is a need for Congress to exercise oversight over government 
     use of commercial data.

     SEC. 3. DEFINITIONS.

       In this Act, the following definitions shall apply:
       (1) Affiliate.--The term ``affiliate'' means persons 
     related by common ownership or by corporate control.
       (2) Agency.--The term ``agency'' has the same meaning given 
     such term in section 551 of title 5, United States Code.
       (3) Business entity.--The term ``business entity'' means 
     any organization, corporation, trust, partnership, sole 
     proprietorship, unincorporated association, or venture 
     established to make a profit, or nonprofit.
       (4) Data system communication information.--The term ``data 
     system communication information'' means dialing, routing, 
     addressing, or signaling information that identifies the 
     origin, direction, destination, processing, transmission, or 
     termination of each communication initiated, attempted, or 
     received.
       (5) Designated entity.--The term ``designated entity'' 
     means the Federal Government entity designated by the 
     Secretary of Homeland Security under section 216(a).
       (6) Encryption.--The term ``encryption''--
       (A) means the protection of data in electronic form, in 
     storage or in transit, using an encryption technology that 
     has been generally accepted by experts in the field of 
     information security that renders such data indecipherable in 
     the absence of associated cryptographic keys necessary to 
     enable decryption of such data; and
       (B) includes appropriate management and safeguards of such 
     cryptographic keys so as to protect the integrity of the 
     encryption.
       (7) Identity theft.--The term ``identity theft'' means a 
     violation of section 1028(a)(7) of title 18, United States 
     Code.
       (8) Personally identifiable information.--The term 
     ``personally identifiable information'' means any 
     information, or compilation of information, in electronic or 
     digital form that is a means of identification, as defined by 
     section 1028(d)(7) of title 18, United States Code.
       (9) Public record source.--The term ``public record 
     source'' means the Congress, any agency, any State or local 
     government agency, the government of the District of Columbia 
     and governments of the territories or possessions of the 
     United States, and Federal, State or local courts, courts 
     martial and military commissions, that maintain personally 
     identifiable information in records available to the public.
       (10) Security breach.--
       (A) In general.--The term ``security breach'' means 
     compromise of the security, confidentiality, or integrity of, 
     or the loss of, computerized data that result in, or that 
     there is a reasonable basis to conclude has resulted in--
       (i) the unauthorized acquisition of sensitive personally 
     identifiable information; and
       (ii) access to sensitive personally identifiable 
     information that is for an unauthorized purpose, or in excess 
     of authorization.
       (B) Exclusion.--The term ``security breach'' does not 
     include--
       (i) a good faith acquisition of sensitive personally 
     identifiable information by a business entity or agency, or 
     an employee or agent of a business entity or agency, if the 
     sensitive personally identifiable information is not subject 
     to further unauthorized disclosure;
       (ii) the release of a public record not otherwise subject 
     to confidentiality or nondisclosure requirements or the 
     release of information obtained from a public record, 
     including information obtained from a news report or 
     periodical; or
       (iii) any lawfully authorized investigative, protective, or 
     intelligence activity of a law enforcement or intelligence 
     agency of the United States, a State, or a political 
     subdivision of a State.
       (11) Sensitive personally identifiable information.--The 
     term ``sensitive personally identifiable information'' means 
     any information or compilation of information, in electronic 
     or digital form that includes the following:
       (A) An individual's first and last name or first initial 
     and last name in combination with any two of the following 
     data elements:
       (i) Home address or telephone number.
       (ii) Mother's maiden name.
       (iii) Month, day, and year of birth.
       (B) A non-truncated social security number, driver's 
     license number, passport number, or alien registration number 
     or other government-issued unique identification number.
       (C) Unique biometric data such as a finger print, voice 
     print, a retina or iris image, or any other unique physical 
     representation.
       (D) A unique account identifier, including a financial 
     account number or credit or debit card number, electronic 
     identification number, user name, or routing code.
       (E) Any combination of the following data elements:
       (i) An individual's first and last name or first initial 
     and last name.
       (ii) A unique account identifier, including a financial 
     account number or credit or debit card number, electronic 
     identification number, user name, or routing code.
       (iii) Any security code, access code, or password, or 
     source code that could be used to generate such codes or 
     passwords.
       (12) Service provider.--The term ``service provider'' means 
     a business entity that provides electronic data transmission, 
     routing, intermediate and transient storage, or connections 
     to its system or network, where the business entity providing 
     such services does not select or modify the content of the 
     electronic data, is not the sender or the intended recipient 
     of the data, and the business entity transmits, routes, 
     stores, or provides connections for personal information in a 
     manner that personal information is undifferentiated from 
     other types of data that such business entity transmits, 
     routes, stores, or provides connections. Any such business 
     entity shall be treated as a service provider under this Act 
     only to the extent that it is engaged in the provision of 
     such transmission, routing, intermediate and transient 
     storage or connections.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

     SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH 
                   UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
                   INFORMATION.

       Section 1961(1) of title 18, United States Code, is amended 
     by inserting ``section 1030 (relating to fraud and related 
     activity in connection with computers) if the act is a 
     felony,'' before ``section 1084''.

     SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING 
                   SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by adding at the end the following:

     ``Sec. 1041. Concealment of security breaches involving 
       sensitive personally identifiable information

       ``(a) In General.--Whoever, having knowledge of a security 
     breach and of the fact that notice of such security breach is 
     required under title II of the Personal Data Privacy and 
     Security Act of 2014, intentionally and willfully conceals 
     the fact of such security breach, shall, in the event that 
     such security breach results in economic harm to any 
     individual in the amount of $1,000 or more, be fined under 
     this title or imprisoned for not more than 5 years, or both.
       ``(b) Person Defined.--For purposes of subsection (a), the 
     term `person' has the meaning given the term in section 
     1030(e)(12).
       ``(c) Notice Requirement.--Any person seeking an exemption 
     under section 212(b) of the Personal Data Privacy and 
     Security Act of 2014 shall be immune from prosecution under 
     this section if the Federal Trade Commission does not 
     indicate, in writing, that such notice be given under section 
     212(b)(3) of such Act.''.
       (b) Conforming and Technical Amendments.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by adding at the end the following:

``1041. Concealment of security breaches involving sensitive personally 
              identifiable information.''.
       (c) Enforcement Authority.--
       (1) In general.--The United States Secret Service and 
     Federal Bureau of Investigation shall have the authority to 
     investigate offenses under section 1041 of title 18, United 
     States Code, as added by subsection (a).
       (2) Nonexclusivity.--The authority granted in paragraph (1) 
     shall not be exclusive of any existing authority held by any 
     other Federal agency.

     SEC. 103. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN 
                   CONNECTION WITH COMPUTERS.

       Section 1030(c) of title 18, United States Code, is amended 
     to read as follows:
       ``(c) The punishment for an offense under subsection (a) or 
     (b) of this section is--
       ``(1) a fine under this title or imprisonment for not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(1) of this section;
       ``(2)(A) except as provided in subparagraph (B), a fine 
     under this title or imprisonment for not more than 3 years, 
     or both, in the case of an offense under subsection (a)(2); 
     or
       ``(B) a fine under this title or imprisonment for not more 
     than ten years, or both, in the case of an offense under 
     paragraph (a)(2) of this section, if--
       ``(i) the offense was committed for purposes of commercial 
     advantage or private financial gain;
       ``(ii) the offense was committed in the furtherance of any 
     criminal or tortious act in violation of the Constitution or 
     laws of the United States, or of any State; or
       ``(iii) the value of the information obtained, or that 
     would have been obtained if the offense was completed, 
     exceeds $5,000;
       ``(3) a fine under this title or imprisonment for not more 
     than 1 year, or both, in the case of an offense under 
     subsection (a)(3) of this section;
       ``(4) a fine under this title or imprisonment of not more 
     than 20 years, or both, in the case of an offense under 
     subsection (a)(4) of this section;
       ``(5)(A) except as provided in subparagraph (D), a fine 
     under this title, imprisonment for not more than 20 years, or 
     both, in the case of an offense under subsection (a)(5)(A) of 
     this section, if the offense caused--
       ``(i) loss to 1 or more persons during any 1-year period 
     (and, for purposes of an investigation, prosecution, or other 
     proceeding brought by the United States only, loss resulting 
     from a related course of conduct affecting 1 or more other 
     protected computers) aggregating at least $5,000 in value;
       ``(ii) the modification or impairment, or potential 
     modification or impairment, of the medical examination, 
     diagnosis, treatment, or care of 1 or more individuals;
       ``(iii) physical injury to any person;
       ``(iv) a threat to public health or safety;
       ``(v) damage affecting a computer used by, or on behalf of, 
     an entity of the United States Government in furtherance of 
     the administration of justice, national defense, or national 
     security; or
       ``(vi) damage affecting 10 or more protected computers 
     during any 1-year period;
       ``(B) a fine under this title, imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(5)(B), if the offense caused a harm provided 
     in clause (i) through (vi) of subparagraph (A) of this 
     subsection;
       ``(C) if the offender attempts to cause or knowingly or 
     recklessly causes death from conduct in violation of 
     subsection (a)(5)(A), a fine under this title, imprisonment 
     for any term of years or for life, or both; or
       ``(D) a fine under this title, imprisonment for not more 
     than 1 year, or both, for any other offense under subsection 
     (a)(5);
       ``(6) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(6) of this section; or
       ``(7) a fine under this title or imprisonment for not more 
     than 10 years, or both, in the case of an offense under 
     subsection (a)(7) of this section.''.

     SEC. 104. TRAFFICKING IN PASSWORDS.

       Section 1030(a) of title 18, United States Code, is amended 
     by striking paragraph (6) and inserting the following:
       ``(6) knowingly and with intent to defraud traffics (as 
     defined in section 1029) in--
       ``(A) any password or similar information through which a 
     protected computer as defined in subparagraphs (A) and (B) of 
     subsection (e)(2) may be accessed without authorization; or
       ``(B) any means of access through which a protected 
     computer as defined in subsection (e)(2)(A) may be accessed 
     without authorization.''.

     SEC. 105. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.

       Section 1030(b) of title 18, United States Code, is amended 
     by inserting ``for the completed offense'' after ``punished 
     as provided''.

     SEC. 106. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED 
                   ACTIVITY IN CONNECTION WITH COMPUTERS.

       Section 1030 of title 18, United States Code, is amended by 
     striking subsections (i) and (j) and inserting the following:
       ``(i) Criminal Forfeiture.--
       ``(1) The court, in imposing sentence on any person 
     convicted of a violation of this section, or convicted of 
     conspiracy to violate this section, shall order, in addition 
     to any other sentence imposed and irrespective of any 
     provision of State law, that such person forfeit to the 
     United States--
       ``(A) such person's interest in any property, real or 
     personal, that was used, or intended to be used, to commit or 
     facilitate the commission of such violation; and
       ``(B) any property, real or personal, constituting or 
     derived from any gross proceeds, or any property traceable to 
     such property, that such person obtained, directly or 
     indirectly, as a result of such violation.
       ``(2) The criminal forfeiture of property under this 
     subsection, including any seizure and disposition of the 
     property, and any related judicial or administrative 
     proceeding, shall be governed by the provisions of section 
     413 of the Comprehensive Drug Abuse Prevention and Control 
     Act of 1970 (21 U.S.C. 853), except subsection (d) of that 
     section.
       ``(j) Civil Forfeiture.--
       ``(1) The following shall be subject to forfeiture to the 
     United States and no property right, real or personal, shall 
     exist in them:
       ``(A) Any property, real or personal, that was used, or 
     intended to be used, to commit or facilitate the commission 
     of any violation of this section, or a conspiracy to violate 
     this section.
       ``(B) Any property, real or personal, constituting or 
     derived from any gross proceeds obtained directly or 
     indirectly, or any property traceable to such property, as a 
     result of the commission of any violation of this section, or 
     a conspiracy to violate this section.
       ``(2) Seizures and forfeitures under this subsection shall 
     be governed by the provisions in chapter 46 relating to civil 
     forfeitures, except that such duties as are imposed on the 
     Secretary of the Treasury under the customs laws described in 
     section 981(d) shall be performed by such officers, agents 
     and other persons as may be designated for that purpose by 
     the Secretary of Homeland Security or the Attorney 
     General.''.

     SEC. 107. LIMITATION ON CIVIL ACTIONS INVOLVING UNAUTHORIZED 
                   USE.

       Section 1030(g) of title 18, United States Code, is 
     amended--
       (1) by inserting ``(1)'' before ``Any person''; and
       (2) by adding at the end the following:
       ``(2) No action may be brought under this subsection if a 
     violation of a contractual obligation or agreement, such as 
     an acceptable use policy or terms of service agreement, 
     constitutes the sole basis for determining that access to the 
     protected computer is unauthorized, or in excess of 
     authorization.''.

     SEC. 108. REPORTING OF CERTAIN CRIMINAL CASES.

       Section 1030 of title 18, United States Code, is amended by 
     adding at the end the following:
       ``(k) Reporting Certain Criminal Cases.--Not later than 1 
     year after the date of the enactment of this Act, and 
     annually thereafter, the Attorney General shall report to the 
     Committee on the Judiciary of the Senate and the Committee on 
     the Judiciary of the House of Representatives the number of 
     criminal cases brought under subsection (a) that involve 
     conduct in which--
       ``(1) the defendant--
       ``(A) exceeded authorized access to a non-governmental 
     computer; or
       ``(B) accessed a non-governmental computer without 
     authorization; and
       ``(2) the sole basis for the Government determining that 
     access to the non-governmental computer was unauthorized, or 
     in excess of authorization was that the defendant violated a 
     contractual obligation or agreement with a service provider 
     or employer, such as an acceptable use policy or terms of 
     service agreement.''.

     SEC. 109. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by inserting after section 1030 the 
     following:

     ``Sec. 1030A. Aggravated damage to a critical infrastructure 
       computer

       ``(a) Definitions.--In this section--
       ``(1) the terms `computer' and `damage' have the meanings 
     given such terms in section 1030; and
       ``(2) the term `critical infrastructure computer' means a 
     computer that manages or controls systems or assets vital to 
     national defense, national security, national economic 
     security, public health or safety, or any combination of 
     those matters, whether publicly or privately owned or 
     operated, including--
       ``(A) gas and oil production, storage, and delivery 
     systems;
       ``(B) water supply systems;
       ``(C) telecommunication networks;
       ``(D) electrical power delivery systems;
       ``(E) finance and banking systems;
       ``(F) emergency services;
       ``(G) transportation systems and services; and
       ``(H) government operations that provide essential services 
     to the public.
       ``(b) Offense.--It shall be unlawful to, during and in 
     relation to a felony violation of section 1030, intentionally 
     cause or attempt to cause damage to a critical infrastructure 
     computer, and 
     such damage results in (or, in the case of an attempt, would, 
     if completed have resulted in) the substantial impairment--
       ``(1) of the operation of the critical infrastructure 
     computer; or
       ``(2) of the critical infrastructure associated with the 
     computer.
       ``(c) Penalty.--Any person who violates subsection (b) 
     shall be fined under this title, imprisoned for not less than 
     3 years nor more than 20 years, or both.
       ``(d) Consecutive Sentence.--Notwithstanding any other 
     provision of law--
       ``(1) a court shall not place on probation any person 
     convicted of a violation of this section;
       ``(2) except as provided in paragraph (4), no term of 
     imprisonment imposed on a person under this section shall run 
     concurrently with any other term of imprisonment, including 
     any term of imprisonment imposed on the person under any 
     other provision of law, including any term of imprisonment 
     imposed for the felony violation of section 1030;
       ``(3) in determining any term of imprisonment to be imposed 
     for a felony violation of section 1030, a court shall not in 
     any way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(4) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section, provided that such discretion shall be 
     exercised in accordance with any applicable guidelines and 
     policy statements issued by the United States Sentencing 
     Commission pursuant to section 994 of title 28.''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following:

``1030A. Aggravated damage to a critical infrastructure computer.''.

     SEC. 110. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.

       Section 1030(e)(6) of title 18, United States Code, is 
     amended by striking ``alter;'' and inserting ``alter, but 
     does not include access in violation of a contractual 
     obligation or agreement, such as an acceptable use policy or 
     terms of service agreement, with an Internet service 
     provider, Internet website, or non-government employer, if 
     such violation constitutes the sole basis for determining 
     that access to a protected computer is unauthorized;''.

 TITLE II--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

     SEC. 201. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Purpose.--The purpose of this subtitle is to ensure 
     standards for developing and implementing administrative, 
     technical, and physical safeguards to protect the security of 
     sensitive personally identifiable information.
       (b) Applicability.--A business entity engaging in 
     interstate commerce that involves collecting, accessing, 
     transmitting, using, storing, or disposing of sensitive 
     personally identifiable information in electronic or digital 
     form on 10,000 or more United States persons is subject to 
     the requirements for a data privacy and security program 
     under section 202 for protecting sensitive personally 
     identifiable information.
       (c) Limitations.--Notwithstanding any other obligation 
     under this subtitle, this subtitle does not apply to the 
     following:
       (1) Financial institutions.--Financial institutions--
       (A) subject to the data security requirements and standards 
     under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6801(b)); and
       (B) subject to the jurisdiction of an agency or authority 
     described in section 505(a) of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6805(a)).
       (2) Hipaa regulated entities.--
       (A) Covered entities.--Covered entities subject to the 
     Health Insurance Portability and Accountability Act of 1996 
     (42 U.S.C. 1301 et seq.), including the data security 
     requirements and implementing regulations of that Act.
       (B) Business entities.--A Business entity shall be deemed 
     in compliance with this Act if the business entity--
       (i) is acting as a business associate, as that term is 
     defined under the Health Insurance Portability and 
     Accountability Act of 1996 (42 U.S.C. 1301 et seq.) and is in 
     compliance with the requirements imposed under that Act and 
     implementing regulations promulgated under that Act; and
       (ii) is subject to, and currently in compliance, with the 
     privacy and data security requirements under sections 13401 
     and 13404 of division A of the American Reinvestment and 
     Recovery Act of 2009 (42 U.S.C. 17931 and 17934) and 
     implementing regulations promulgated under such sections.
       (3) Service providers.--A service provider for any 
     electronic communication by a third-party, to the extent that 
     the service provider is exclusively engaged in the 
     transmission, routing, or temporary, intermediate, or 
     transient storage of that communication.
       (4) Public records.--Public records not otherwise subject 
     to a confidentiality or nondisclosure requirement, or 
     information obtained from a public record, including 
     information obtained from a news report or periodical.
       (d) Safe Harbors.--
       (1) In general.--A business entity shall be deemed in 
     compliance with the privacy and security program requirements 
     under section 202 if the business entity complies with or 
     provides protection equal to industry standards or standards 
     widely accepted as an effective industry practice, as 
     identified by the Federal Trade Commission, that are 
     applicable to the type of sensitive personally identifiable 
     information involved in the ordinary course of business of 
     such business entity.
       (2) Limitation.--Nothing in this subsection shall be 
     construed to permit, and nothing does permit, the Federal 
     Trade Commission to issue regulations requiring, or according 
     greater legal status to, the implementation of or application 
     of a specific technology or technological specifications for 
     meeting the requirements of this title.

     SEC. 202. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Personal Data Privacy and Security Program.--A business 
     entity subject to this subtitle shall comply with the 
     following safeguards and any other administrative, technical, 
     or physical safeguards identified by the Federal Trade 
     Commission in a rulemaking process pursuant to section 553 of 
     title 5, United States Code, for the protection of sensitive 
     personally identifiable information:
       (1) Scope.--A business entity shall implement a 
     comprehensive personal data privacy and security program that 
     includes administrative, technical, and physical safeguards 
     appropriate to the size and complexity of the business entity 
     and the nature and scope of its activities.
       (2) Design.--The personal data privacy and security program 
     shall be designed to--
       (A) ensure the privacy, security, and confidentiality of 
     sensitive personally identifying information;
       (B) protect against any anticipated vulnerabilities to the 
     privacy, security, or integrity of sensitive personally 
     identifying information; and
       (C) protect against unauthorized access to use of sensitive 
     personally identifying information that could create a 
     significant risk of harm or fraud to any individual.
       (3) Risk assessment.--A business entity shall--
       (A) identify reasonably foreseeable internal and external 
     vulnerabilities that could result in unauthorized access, 
     disclosure, use, or alteration of sensitive personally 
     identifiable information or systems containing sensitive 
     personally identifiable information;
       (B) assess the likelihood of and potential damage from 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information;
       (C) assess the sufficiency of its policies, technologies, 
     and safeguards in place to control and minimize risks from 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information; and
       (D) assess the vulnerability of sensitive personally 
     identifiable information during destruction and disposal of 
     such information, including through the disposal or 
     retirement of hardware.
       (4) Risk management and control.--Each business entity 
     shall--
       (A) design its personal data privacy and security program 
     to control the risks identified under paragraph (3);
       (B) adopt measures commensurate with the sensitivity of the 
     data as well as the size, complexity, and scope of the 
     activities of the business entity that--
       (i) control access to systems and facilities containing 
     sensitive personally identifiable information, including 
     controls to authenticate and permit access only to authorized 
     individuals;
       (ii) detect, record, and preserve information relevant to 
     actual and attempted fraudulent, unlawful, or unauthorized 
     access, disclosure, use, or alteration of sensitive 
     personally identifiable information, including by employees 
     and other individuals otherwise authorized to have access;
       (iii) protect sensitive personally identifiable information 
     during use, transmission, storage, and disposal by 
     encryption, redaction, or access controls that are widely 
     accepted as an effective industry practice or industry 
     standard, or other reasonable means (including as directed 
     for disposal of records under section 628 of the Fair Credit 
     Reporting Act (15 U.S.C. 1681w) and the implementing 
     regulations of such Act as set forth in section 682 of title 
     16, Code of Federal Regulations);
       (iv) ensure that sensitive personally identifiable 
     information is properly destroyed and disposed of, including 
     during the destruction of computers, diskettes, and other 
     electronic media that contain sensitive personally 
     identifiable information;
       (v) trace access to records containing sensitive personally 
     identifiable information so that the business entity can 
     determine who accessed or acquired such sensitive personally 
     identifiable information pertaining to specific individuals; 
     and
       (vi) ensure that no third party or customer of the business 
     entity is authorized to access or acquire sensitive 
     personally identifiable

[[Page S138]]

     information without the business entity first performing 
     sufficient due diligence to ascertain, with reasonable 
     certainty, that such information is being sought for a valid 
     legal purpose; and
       (C) establish a plan and procedures for minimizing the 
     amount of sensitive personally identifiable information 
     maintained by such business entity, which shall provide for 
     the retention of sensitive personally identifiable 
     information only as reasonably needed for the business 
     purposes of such business entity or as necessary to comply 
     with any legal obligation.
       (b) Training.--Each business entity subject to this 
     subtitle shall take steps to ensure employee training and 
     supervision for implementation of the data security program 
     of the business entity.
       (c) Vulnerability Testing.--
       (1) In general.--Each business entity subject to this 
     subtitle shall take steps to ensure regular testing of key 
     controls, systems, and procedures of the personal data 
     privacy and security program to detect, prevent, and respond 
     to attacks or intrusions, or other system failures.
       (2) Frequency.--The frequency and nature of the tests 
     required under paragraph (1) shall be determined by the risk 
     assessment of the business entity under subsection (a)(3).
       (d) Relationship to Certain Providers of Services.--In the 
     event a business entity subject to this subtitle engages a 
     person or entity not subject to this subtitle (other than a 
     service provider) to receive sensitive personally 
     identifiable information in performing services or functions 
     (other than the services or functions provided by a service 
     provider) on behalf of and under the instruction of such 
     business entity, such business entity shall--
       (1) exercise appropriate due diligence in selecting the 
     person or entity for responsibilities related to sensitive 
     personally identifiable information, and take reasonable 
     steps to select and retain a person or entity that is capable 
     of maintaining appropriate safeguards for the security, 
     privacy, and integrity of the sensitive personally 
     identifiable information at issue; and
       (2) require the person or entity by contract to implement 
     and maintain appropriate measures designed to meet the 
     objectives and requirements governing entities subject to 
     section 201, this section, and subtitle B.
       (e) Periodic Assessment and Personal Data Privacy and 
     Security Modernization.--Each business entity subject to this 
     subtitle shall on a regular basis monitor, evaluate, and 
     adjust, as appropriate its data privacy and security program 
     in light of any relevant changes in--
       (1) technology;
       (2) the sensitivity of personally identifiable information;
       (3) internal or external threats to personally identifiable 
     information; and
       (4) the changing business arrangements of the business 
     entity, such as--
       (A) mergers and acquisitions;
       (B) alliances and joint ventures;
       (C) outsourcing arrangements;
       (D) bankruptcy; and
       (E) changes to sensitive personally identifiable 
     information systems.
       (f) Implementation Timeline.--Not later than 1 year after 
     the date of enactment of this Act, a business entity subject 
     to the provisions of this subtitle shall implement a data 
     privacy and security program pursuant to this subtitle.

     SEC. 203. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) In general.--Any business entity that violates the 
     provisions of sections 201 or 202 shall be subject to civil 
     penalties of not more than $5,000 per violation per day while 
     such a violation exists, with a maximum of $500,000 per 
     violation.
       (2) Intentional or willful violation.--A business entity 
     that intentionally or willfully violates the provisions of 
     sections 201 or 202 shall be subject to additional penalties 
     in the amount of $5,000 per violation per day while such a 
     violation exists, with a maximum of an additional $500,000 
     per violation.
       (3) Penalty limits.--
       (A) In general.--Notwithstanding any other provision of 
     law, the total sum of civil penalties assessed against a 
     business entity for all violations of the provisions of this 
     subtitle resulting from the same or related acts or omissions 
     shall not exceed $500,000, unless such conduct is found to be 
     willful or intentional.
       (B) Determinations.--The determination of whether a 
     violation of a provision of this subtitle has occurred, and 
     if so, the amount of the penalty to be imposed, if any, shall 
     be made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     subtitle was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (C) Additional penalty limit.--If a court determines under 
     subparagraph (B) that a violation of a provision of this 
     subtitle was willful or intentional and imposes an additional 
     penalty, the court may not impose an additional penalty in an 
     amount that exceeds $500,000.
       (4) Equitable relief.--A business entity engaged in 
     interstate commerce that violates this section may be 
     enjoined from further violations by a United States district 
     court.
       (5) Other rights and remedies.--The rights and remedies 
     available under this section are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Federal Trade Commission Authority.--Any business 
     entity shall have the provisions of this subtitle enforced 
     against it by the Federal Trade Commission.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State or any State or local law enforcement 
     agency authorized by the State attorney general or by State 
     statute to prosecute violations of consumer protection law, 
     has reason to believe that an interest of the residents of 
     that State has been or is threatened or adversely affected by 
     the acts or practices of a business entity that violate this 
     subtitle, the State may bring a civil action on behalf of the 
     residents of that State in a district court of the United 
     States of appropriate jurisdiction to--
       (A) enjoin that act or practice;
       (B) enforce compliance with this subtitle; or
       (C) obtain civil penalties of not more than $5,000 per 
     violation per day while such violations persist, up to a 
     maximum of $500,000 per violation.
       (2) Penalty limits.--
       (A) In general.--Notwithstanding any other provision of 
     law, the total sum of civil penalties assessed against a 
     business entity for all violations of the provisions of this 
     subtitle resulting from the same or related acts or omissions 
     shall not exceed $500,000, unless such conduct is found to be 
     willful or intentional.
       (B) Determinations.--The determination of whether a 
     violation of a provision of this subtitle has occurred, and 
     if so, the amount of the penalty to be imposed, if any, shall 
     be made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     subtitle was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (C) Additional penalty limit.--If a court determines under 
     subparagraph (B) that a violation of a provision of this 
     subtitle was willful or intentional and imposes an additional 
     penalty, the court may not impose an additional penalty in an 
     amount that exceeds $500,000.
       (3) Notice.--
       (A) In general.--Before filing an action under this 
     subsection, the attorney general of the State involved shall 
     provide to the Federal Trade Commission--
       (i) a written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exception.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a 
     State determines that it is not feasible to provide the 
     notice described in this subparagraph before the filing of 
     the action.
       (C) Notification when practicable.--In an action described 
     under subparagraph (B), the attorney general of a State shall 
     provide the written notice and the copy of the complaint to 
     the Federal Trade Commission as soon after the filing of the 
     complaint as practicable.
       (4) Federal trade commission authority.--Upon receiving 
     notice under paragraph (2), the Federal Trade Commission 
     shall have the right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (4);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (5) Pending proceedings.--If the Federal Trade Commission 
     initiates a Federal civil action for a violation of this 
     subtitle, or any regulations thereunder, no attorney general 
     of a State may bring an action for a violation of this 
     subtitle that resulted from the same or related acts or 
     omissions against a defendant named in the Federal civil 
     action initiated by the Federal Trade Commission.
       (6) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1) nothing in this subtitle 
     shall be construed to prevent an attorney general of a State 
     from exercising the powers conferred on the attorney general 
     by the laws of that State to--
       (A) conduct investigations;
       (B) administer oaths and affirmations; or
       (C) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (7) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection, process may be served in any district in which 
     the defendant--
       (i) is an inhabitant; or
       (ii) may be found.
       (d) No Private Cause of Action.--Nothing in this subtitle 
     establishes a private cause of action against a business 
     entity for violation of any provision of this subtitle.

     SEC. 204. RELATION TO OTHER LAWS.

       (a) In General.--No State may require any business entity 
     subject to this subtitle to comply with any requirements with 
     respect to administrative, technical, and physical safeguards 
     for the protection of personal information.

       (b) Limitations.--Nothing in this subtitle shall be 
     construed to modify, limit, or supersede the operation of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) or its 
     implementing regulations, including those adopted or enforced 
     by States.

                Subtitle B--Security Breach Notification

     SEC. 211. NOTICE TO INDIVIDUALS.

       (a) In General.--Except as provided in section 212, any 
     agency, or business entity engaged in interstate commerce, 
     other than a service provider, that uses, accesses, 
     transmits, stores, disposes of or collects sensitive 
     personally identifiable information shall, following the 
     discovery of a security breach of such information, notify 
     any resident of the United States whose sensitive personally 
     identifiable information has been, or is reasonably believed 
     to have been, accessed, or acquired.
       (b) Obligation of Owner or Licensee.--
       (1) Notice to owner or licensee.--Any agency, or business 
     entity engaged in interstate commerce, that uses, accesses, 
     transmits, stores, disposes of, or collects sensitive 
     personally identifiable information that the agency or 
     business entity does not own or license shall notify the 
     owner or licensee of the information following the discovery 
     of a security breach involving such information.
       (2) Notice by owner, licensee, or other designated third 
     party.--Nothing in this subtitle shall prevent or abrogate an 
     agreement between an agency or business entity required to 
     give notice under this section and a designated third party, 
     including an owner or licensee of the sensitive personally 
     identifiable information subject to the security breach, to 
     provide the notifications required under subsection (a).
       (3) Business entity relieved from giving notice.--A 
     business entity obligated to give notice under subsection (a) 
     shall be relieved of such obligation if an owner or licensee 
     of the sensitive personally identifiable information subject 
     to the security breach, or other designated third party, 
     provides such notification.
       (4) Service providers.--If a service provider becomes aware 
     of a security breach of data in electronic form containing 
     sensitive personal information that is owned or possessed by 
     another business entity that connects to or uses a system or 
     network provided by the service provider for the purpose of 
     transmitting, routing, or providing intermediate or transient 
     storage of such data, the service provider shall be required 
     to notify the business entity who initiated such connection, 
     transmission, routing, or storage of the security breach if 
     the business entity can be reasonably identified. Upon 
     receiving such notification from a service provider, the 
     business entity shall be required to provide the notification 
     required under subsection (a).
       (c) Timeliness of Notification.--
       (1) In general.--All notifications required under this 
     section shall be made without unreasonable delay following 
     the discovery by the agency or business entity of a security 
     breach.
       (2) Reasonable delay.--
       (A) In general.--Reasonable delay under this subsection may 
     include any time necessary to determine the scope of the 
     security breach, prevent further disclosures, conduct the 
     risk assessment described in section 202(a)(3), and restore 
     the reasonable integrity of the data system and provide 
     notice to law enforcement when required.
       (B) Extension.--
       (i) In general.--Except as provided in subsection (d), 
     delay of notification shall not exceed 60 days following the 
     discovery of the security breach, unless the business entity 
     or agency requests an extension of time and the Federal Trade 
     Commission determines in writing that additional time is 
     reasonably necessary to determine the scope of the security 
     breach, prevent further disclosures, conduct the risk 
     assessment, restore the reasonable integrity of the data 
     system, or to provide notice to the designated entity.
       (ii) Approval of request.--If the Federal Trade Commission 
     approves the request for delay, the agency or business entity 
     may delay the time period for notification for additional 
     periods of up to 30 days.
       (3) Burden of production.--The agency, business entity, 
     owner, or licensee required to provide notice under this 
     subtitle shall, upon the request of the Attorney General or 
     the Federal Trade Commission provide records or other 
     evidence of the notifications required under this subtitle, 
     including to the extent applicable, the reasons for any delay 
     of notification.
       (d) Delay of Notification Authorized for Law Enforcement or 
     National Security Purposes.--
       (1) In general.--If the United States Secret Service or the 
     Federal Bureau of Investigation determines that the 
     notification required under this section would impede a 
     criminal investigation, or national security activity, such 
     notification shall be delayed upon written notice from the 
     United States Secret Service or the Federal Bureau of 
     Investigation to the agency or business entity that 
     experienced the breach. The notification from the United 
     States Secret Service or the Federal Bureau of Investigation 
     shall specify in writing the period of delay requested for 
     law enforcement or national security purposes.
       (2) Extended delay of notification.--If the notification 
     required under subsection (a) is delayed pursuant to 
     paragraph (1), an agency or business entity shall give notice 
     30 days after the day such law enforcement or national 
     security delay was invoked unless a Federal law enforcement 
     or intelligence agency provides written notification that 
     further delay is necessary.
       (3) Law enforcement immunity.--No non-constitutional cause 
     of action shall lie in any court against any agency for acts 
     relating to the delay of notification for law enforcement or 
     national security purposes under this subtitle.
       (e) Limitations.--Notwithstanding any other obligation 
     under this subtitle, this subtitle does not apply to the 
     following:
       (1) Financial institutions.--Financial institutions--
       (A) subject to the data security requirements and standards 
     under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6801(b)); and
       (B) subject to the jurisdiction of an agency or authority 
     described in section 505(a) of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6805(a)).
       (2) Hipaa regulated entities.--
       (A) Covered entities.--Covered entities subject to the 
     Health Insurance Portability and Accountability Act of 1996 
     (42 U.S.C. 1301 et seq.), including the data security 
     requirements and implementing regulations of that Act.
       (B) Business entities.--A Business entity shall be deemed 
     in compliance with this Act if the business entity--
       (i)(I) is acting as a covered entity and as a business 
     associate, as those terms are defined under the Health 
     Insurance Portability and Accountability Act of 1996 (42 
     U.S.C. 1301 et seq.) and is in compliance with the 
     requirements imposed under that Act and implementing 
     regulations promulgated under that Act; and
       (II) is subject to, and currently in compliance, with the 
     data breach notification, privacy and data security 
     requirements under the Health Information Technology for 
     Economic and Clinical Health (HITECH) Act, (42 U.S.C. 17932) 
     and implementing regulations promulgated thereunder; or
       (ii) is acting as a vendor of personal health records and 
     third party service provider, subject to the Health 
     Information Technology for Economic and Clinical Health 
     (HITECH) Act (42 U.S.C. 17937), including the data breach 
     notification requirements and implementing regulations of 
     that Act.

     SEC. 212. EXEMPTIONS.

       (a) Exemption for National Security and Law Enforcement.--
       (1) In general.--Section 211 shall not apply to an agency 
     or business entity if--
       (A) the United States Secret Service or the Federal Bureau 
     of Investigation determines that notification of the security 
     breach could be expected to reveal sensitive sources and 
     methods or similarly impede the ability of the Government to 
     conduct law enforcement investigations; or
       (B) the Federal Bureau of Investigation determines that 
     notification of the security breach could be expected to 
     cause damage to the national security.
       (2) Immunity.--No non-constitutional cause of action shall 
     lie in any court against any Federal agency for acts relating 
     to the exemption from notification for law enforcement or 
     national security purposes under this title.
       (b) Safe Harbor.--
       (1) In general.--An agency or business entity shall be 
     exempt from the notice requirements under section 211, if--
       (A) a risk assessment conducted by the agency or business 
     entity concludes that, based upon the information available, 
     there is no significant risk that a security breach has 
     resulted in, or will result in, identity theft, economic loss 
     or harm, or physical harm to the individuals whose sensitive 
     personally identifiable information was subject to the 
     security breach;
       (B) without unreasonable delay, but not later than 45 days 
     after the discovery of a security breach, unless extended by 
     the Federal Trade Commission, the agency or business entity 
     notifies the Federal Trade Commission, in writing, of--
       (i) the results of the risk assessment; and
       (ii) its decision to invoke the risk assessment exemption; 
     and
       (C) the Federal Trade Commission does not indicate, in 
     writing, within 10 business days from receipt of the 
     decision, that notice should be given.
       (2) Rebuttable presumptions.--For purposes of paragraph 
     (1)--
       (A) the encryption of sensitive personally identifiable 
     information described in paragraph (1)(A)(i) shall establish 
     a rebuttable presumption that no significant risk exists; and
       (B) the rendering of sensitive personally identifiable 
     information described in paragraph (1)(A)(ii) unusable, 
     unreadable, or indecipherable through data security 
     technology or methodology that is generally accepted by 
     experts in the field of information security, such as 
     redaction or access controls shall establish a rebuttable 
     presumption that no significant risk exists.
       (3) Violation.--It shall be a violation of this section 
     to--
       (A) fail to conduct the risk assessment in a reasonable 
     manner, or according to standards generally accepted by 
     experts in the field of information security; or
       (B) submit the results of a risk assessment that contains 
     fraudulent or deliberately misleading information.
       (c) Financial Fraud Prevention Exemption.--
       (1) In general.--A business entity will be exempt from the 
      notice requirement under section 211 if the business entity 
      utilizes or participates in a security program that--
       (A) effectively blocks the use of the sensitive personally 
     identifiable information to initiate unauthorized financial 
     transactions before they are charged to the account of the 
     individual; and
       (B) provides for notice to affected individuals after a 
     security breach that has resulted in fraud or unauthorized 
     transactions.
       (2) Limitation.--The exemption in paragraph (1) does not 
     apply if the information subject to the security breach 
     includes an individual's first and last name, or any other 
     type of sensitive personally identifiable information as 
     defined in section 3, unless that information is only a 
     credit card number or credit card security code.

     SEC. 213. METHODS OF NOTICE.

       An agency or business entity shall be in compliance with 
     section 211 if it provides the following:
       (1) Individual notice.--Notice to individuals by 1 of the 
     following means:
       (A) Written notification to the last known home mailing 
     address of the individual in the records of the agency or 
     business entity.
       (B) Telephone notice to the individual personally.
       (C) E-mail notice, if the individual has consented to 
     receive such notice and the notice is consistent with the 
     provisions permitting electronic transmission of notices 
     under section 101 of the Electronic Signatures in Global and 
     National Commerce Act (15 U.S.C. 7001).
       (2) Media notice.--Notice to major media outlets serving a 
     State or jurisdiction, if the number of residents of such 
     State whose sensitive personally identifiable information 
     was, or is reasonably believed to have been, accessed or 
     acquired by an unauthorized person exceeds 5,000.

     SEC. 214. CONTENT OF NOTIFICATION.

       (a) In General.--Regardless of the method by which notice 
     is provided to individuals under section 213, such notice 
     shall include, to the extent possible--
       (1) a description of the categories of sensitive personally 
     identifiable information that was, or is reasonably believed 
     to have been, accessed or acquired by an unauthorized person;
       (2) a toll-free number--
       (A) that the individual may use to contact the agency or 
     business entity, or the agent of the agency or business 
     entity; and
       (B) from which the individual may learn what types of 
     sensitive personally identifiable information the agency or 
     business entity maintained about that individual; and
       (3) the toll-free contact telephone numbers and addresses 
     for the major credit reporting agencies.
       (b) Additional Content.--Notwithstanding section 219, a 
     State may require that a notice under subsection (a) shall 
     also include information regarding victim protection 
     assistance provided for by that State.
       (c) Direct Business Relationship.--Regardless of whether a 
     business entity, agency, or a designated third party provides 
     the notice required pursuant to section 211(b), such notice 
     shall include the name of the business entity or agency that 
     has a direct relationship with the individual being notified.

     SEC. 215. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING 
                   AGENCIES.

       If an agency or business entity is required to provide 
     notification to more than 5,000 individuals under section 
     211(a), the agency or business entity shall also notify all 
     consumer reporting agencies that compile and maintain files 
     on consumers on a nationwide basis (as defined in section 
     603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) 
     of the timing and distribution of the notices. Such notice 
     shall be given to the consumer credit reporting agencies 
     without unreasonable delay and, if it will not delay notice 
     to the affected individuals, prior to the distribution of 
     notices to the affected individuals.

     SEC. 216. NOTICE TO LAW ENFORCEMENT.

       (a) Designation of Government Entity to Receive Notice.--
       (1) In general.--Not later than 60 days after the date of 
     enactment of this Act, the Secretary of Homeland Security 
     shall designate a Federal Government entity to receive the 
     notices required under section 212 and this section, and any 
     other reports and information about information security 
     incidents, threats, and vulnerabilities.
       (2) Responsibilities of the designated entity.--The 
     designated entity shall--
       (A) be responsible for promptly providing the information 
     that it receives to the United States Secret Service and the 
     Federal Bureau of Investigation, and to the Federal Trade 
     Commission for civil law enforcement purposes; and
       (B) provide the information described in subparagraph (A) 
     as appropriate to other Federal agencies for law enforcement, 
     national security, or data security purposes.
       (b) Notice.--Any business entity or agency shall notify the 
     designated entity of the fact that a security breach has 
     occurred if--
       (1) the number of individuals whose sensitive personally 
     identifying information was, or is reasonably believed to 
     have been accessed or acquired by an unauthorized person 
     exceeds 5,000;
       (2) the security breach involves a database, networked or 
     integrated databases, or other data system containing the 
     sensitive personally identifiable information of more than 
     500,000 individuals nationwide;
       (3) the security breach involves databases owned by the 
     Federal Government; or
       (4) the security breach involves primarily sensitive 
     personally identifiable information of individuals known to 
     the agency or business entity to be employees and contractors 
     of the Federal Government involved in national security or 
     law enforcement.
       (c) FTC Rulemaking and Review of Thresholds.--
       (1) Reports.--Not later than 1 year after the date of the 
     enactment of this Act, the Federal Trade Commission, in 
     consultation with the Attorney General of the United States 
     and the Secretary of Homeland Security, shall promulgate 
     regulations under section 553 of title 5, United States Code, 
     regarding the reports required under subsection (a).
       (2) Thresholds for notice.--The Federal Trade Commission, 
     in consultation with the Attorney General and the Secretary 
     of Homeland Security, after notice and the opportunity for 
     public comment, and in a manner consistent with this section, 
     shall promulgate regulations, as necessary, under section 553 
     of title 5, United States Code, to adjust the thresholds for 
     notice to law enforcement and national security authorities 
     under subsection (a) and to facilitate the purposes of this 
     section.
       (d) Timing.--The notice required under subsection (a) shall 
     be provided as promptly as possible, but such notice must be 
     provided either 72 hours before notice is provided to an 
     individual pursuant to section 211, or not later than 10 days 
     after the business entity or agency discovers the security 
     breach or discovers that the nature of the security breach 
     requires notice to law enforcement under this section, 
     whichever occurs first.

     SEC. 217. ENFORCEMENT.

       (a) In General.--The Attorney General and the Federal Trade 
     Commission may enforce civil violations of section 211.
       (b) Civil Actions by the Attorney General of the United 
     States.--
       (1) In general.--The Attorney General may bring a civil 
     action in the appropriate United States district court 
     against any business entity that engages in conduct 
     constituting a violation of this subtitle and, upon proof of 
     such conduct by a preponderance of the evidence, such 
     business entity shall be subject to a civil penalty of not 
     more than $11,000 per day per security breach.
       (2) Penalty limitation.--Notwithstanding any other 
     provision of law, the total amount of the civil penalty 
     assessed against a business entity for conduct involving the 
     same or related acts or omissions that results in a violation 
     of this subtitle may not exceed $1,000,000.
       (3) Determinations.--The determination of whether a 
     violation of a provision of this subtitle has occurred, and 
     if so, the amount of the penalty to be imposed, if any, shall 
     be made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     subtitle was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (4) Additional penalty limit.--If a court determines under 
     paragraph (3) that a violation of a provision of this 
     subtitle was willful or intentional and imposes an additional 
     penalty, the court may not impose an additional penalty in an 
     amount that exceeds $1,000,000.
       (c) Injunctive Actions by the Attorney General.--
       (1) In general.--If it appears that a business entity has 
     engaged, or is engaged, in any act or practice constituting a 
     violation of this subtitle, the Attorney General may petition 
     an appropriate district court of the United States for an 
     order--
       (A) enjoining such act or practice; or
       (B) enforcing compliance with this subtitle.
       (2) Issuance of order.--A court may issue an order under 
     paragraph (1), if the court finds that the conduct in 
     question constitutes a violation of this subtitle.
       (d) Civil Actions by the Federal Trade Commission.--
       (1) In general.--Compliance with the requirements imposed 
     under this subtitle may be enforced under the Federal Trade 
     Commission Act (15 U.S.C. 41 et seq.) by the Federal Trade 
     Commission with respect to business entities subject to this 
     Act. All of the functions and powers of the Federal Trade 
     Commission under the Federal Trade Commission Act are 
     available to the Commission to enforce compliance by any 
     person with the requirements imposed under this title.
       (2) Penalty limitation.--
       (A) In general.--Notwithstanding any other provision of 
     law, the total sum of civil penalties assessed against a 
     business entity for all violations of the provisions of this 
     subtitle resulting from the same or related acts or omissions 
     may not exceed $1,000,000, unless such conduct is found to be 
     willful or intentional.
       (B) Determinations.--The determination of whether a 
     violation of a provision of this subtitle has occurred, and 
     if so, the amount of the penalty to be imposed, if any, shall 
     be made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     subtitle was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (C) Additional penalty limit.--If a court determines under 
     subparagraph (B) that a violation of a provision of this 
     subtitle was willful or intentional and imposes an additional 
     penalty, the court may not impose an additional penalty in an 
     amount that exceeds $1,000,000.
       (3) Unfair or deceptive acts or practices.--For the purpose 
     of the exercise by the Federal Trade Commission of its 
     functions and powers under the Federal Trade Commission Act, 
     a violation of any requirement or prohibition imposed under 
     this title shall constitute an unfair or deceptive act or 
     practice in commerce in violation of a regulation under 
     section 18(a)(1)(B) of the Federal Trade Commission Act (15 
     U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or 
     practices and shall be subject to enforcement by the Federal 
     Trade Commission under that Act with respect to any business 
     entity, irrespective of whether that business entity is 
     engaged in commerce or meets any other jurisdictional tests 
     in the Federal Trade Commission Act.
       (e) Coordination of Enforcement.--
       (1) In general.--Before opening an investigation, the 
     Federal Trade Commission shall consult with the Attorney 
     General.
       (2) Limitation.--The Federal Trade Commission may initiate 
     investigations under this subsection unless the Attorney 
     General determines that such an investigation would impede an 
     ongoing criminal investigation or national security activity.
       (3) Coordination agreement.--
       (A) In general.--In order to avoid conflicts and promote 
     consistency regarding the enforcement and litigation of 
     matters under this Act, not later than 180 days after the 
     enactment of this Act, the Attorney General and the Federal 
     Trade Commission shall enter into an agreement for 
     coordination regarding the enforcement of this Act.
       (B) Requirement.--The coordination agreement entered into 
     under subparagraph (A) shall include provisions to ensure 
     that parallel investigations and proceedings under this 
     section are conducted in a manner that avoids conflicts and 
     does not impede the ability of the Attorney General to 
     prosecute violations of Federal criminal laws.
       (4) Coordination with the fcc.--If an enforcement action 
     under this Act relates to customer proprietary network 
     information, the Federal Trade Commission shall coordinate 
     the enforcement action with the Federal Communications 
     Commission.
       (f) Rulemaking.--The Federal Trade Commission may, in 
     consultation with the Attorney General, issue such other 
     regulations as it determines to be necessary to carry out 
     this subtitle. All regulations promulgated under this Act 
     shall be issued in accordance with section 553 of title 5, 
     United States Code. Where regulations relate to customer 
     proprietary network information, the promulgation of such 
     regulations will be coordinated with the Federal 
     Communications Commission.
       (g) Other Rights and Remedies.--The rights and remedies 
     available under this subtitle are cumulative and shall not 
     affect any other rights and remedies available under law.
       (h) Fraud Alert.--Section 605A(b)(1) of the Fair Credit 
     Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended by 
     inserting ``, or evidence that the consumer has received 
     notice that the consumer's financial information has or may 
     have been compromised,'' after ``identity theft report''.

     SEC. 218. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State or any State or local law enforcement 
     agency authorized by the State attorney general or by State 
     statute to prosecute violations of consumer protection law, 
     has reason to believe that an interest of the residents of 
     that State has been or is threatened or adversely affected by 
     the engagement of a business entity in a practice that is 
     prohibited under this subtitle, the State or the State or 
     local law enforcement agency on behalf of the residents of 
     the agency's jurisdiction, may bring a civil action on behalf 
     of the residents of the State or jurisdiction in a district 
     court of the United States of appropriate jurisdiction to--
       (A) enjoin that practice;
       (B) enforce compliance with this subtitle; or
       (C) civil penalties of not more than $11,000 per day per 
     security breach up to a maximum of $1,000,000 per violation, 
     unless such conduct is found to be willful or intentional.
       (2) Penalty limitation.--
       (A) In general.--Notwithstanding any other provision of 
     law, the total sum of civil penalties assessed against a 
     business entity for all violations of the provisions of this 
     subtitle resulting from the same or related acts or omissions 
     may not exceed $1,000,000, unless such conduct is found to be 
     willful or intentional.
       (B) Determinations.--The determination of whether a 
     violation of a provision of this subtitle has occurred, and 
     if so, the amount of the penalty to be imposed, if any, shall 
     be made by the court sitting as the finder of fact. The 
     determination of whether a violation of a provision of this 
     subtitle was willful or intentional, and if so, the amount of 
     the additional penalty to be imposed, if any, shall be made 
     by the court sitting as the finder of fact.
       (C) Additional penalty limit.--If a court determines under 
     subparagraph (B) that a violation of a provision of this 
     subtitle was willful or intentional and imposes an additional 
     penalty, the court may not impose an additional penalty in an 
     amount that exceeds $1,000,000.
       (3) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Attorney General of the United States--
       (i) written notice of the action; and
       (ii) a copy of the complaint for the action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subtitle, if the State attorney general 
     determines that it is not feasible to provide the notice 
     described in such subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Attorney General at the time the 
     State attorney general files the action.
       (b) Federal Proceedings.--Upon receiving notice under 
     subsection (a)(2), the Attorney General shall have the right 
     to--
       (1) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action;
       (2) initiate an action in the appropriate United States 
     district court under section 217 and move to consolidate all 
     pending actions, including State actions, in such court;
       (3) intervene in an action brought under subsection (a)(2); 
     and
       (4) file petitions for appeal.
       (c) Pending Proceedings.--If the Attorney General or the 
     Federal Trade Commission initiate a criminal proceeding or 
     civil action for a violation of a provision of this subtitle, 
     or any regulations thereunder, no attorney general of a State 
     may bring an action for a violation of a provision of this 
     subtitle against a defendant named in the Federal criminal 
     proceeding or civil action.
       (d) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this subtitle 
     regarding notification shall be construed to prevent an 
     attorney general of a State from exercising the powers 
     conferred on such attorney general by the laws of that State 
     to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in--
       (A) the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code; or
       (B) another court of competent jurisdiction.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.
       (f) No Private Cause of Action.--Nothing in this subtitle 
     establishes a private cause of action against a business 
     entity for violation of any provision of this subtitle.

     SEC. 219. EFFECT ON FEDERAL AND STATE LAW.

       For any entity, or agency that is subject to this subtitle, 
     the provisions of this subtitle shall supersede any other 
     provision of Federal law, or any provisions of the law of any 
     State, relating to notification of a security breach, except 
     as provided in section 214(b). Nothing in this subtitle shall 
     be construed to modify, limit, or supersede the operation of 
     the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) or its 
     implementing regulations, including those regulations adopted 
     or enforced by States, the Health Insurance Portability and 
     Accountability Act of 1996 (42 U.S.C. 1301 et seq.) or its 
     implementing regulations, or the Health Information 
     Technology for Economic and Clinical Health Act (42 U.S.C. 
     17937) or its implementing regulations.

     SEC. 220. REPORTING ON EXEMPTIONS.

       (a) FTC Report.--Not later than 18 months after the date of 
     enactment of this Act, and upon request by Congress 
     thereafter, the Federal Trade Commission shall submit a 
     report to Congress on the number and nature of the security 
     breaches described in the notices filed by those business 
     entities invoking the risk assessment exemption under section 
     212(b) and their response to such notices.
       (b) Law Enforcement Report.--
       (1) In general.--Not later than 18 months after the date of 
     enactment of this Act, and upon the request by Congress 
     thereafter, the United States Secret Service and Federal 
     Bureau of Investigation shall submit a report to Congress on 
     the number and nature of security breaches subject to the 
     national security and law enforcement exemptions under 
     section 212(a).
       (2) Requirement.--The report required under paragraph (1) 
     shall not include the contents of any risk assessment 
     provided to the United States Secret Service and the Federal 
     Bureau of Investigation under this subtitle.

     SEC. 221. EFFECTIVE DATE.

       This subtitle shall take effect on the expiration of the 
     date which is 90 days after the date of enactment of this 
     Act.

         TITLE III--COMPLIANCE WITH STATUTORY PAY-AS-YOU-GO ACT

     SEC. 301. BUDGET COMPLIANCE.

       The budgetary effects of this Act, for the purpose of 
     complying with the Statutory Pay-As-You-Go Act of 2010, shall 
     be determined by reference to the latest statement titled 
     ``Budgetary Effects of PAYGO Legislation'' for this Act, 
     submitted for printing in the Congressional Record by the 
     Chairman of the Senate Budget Committee, provided that such 
     statement has been submitted prior to the vote on passage.
