Library of Congress Summary
The summary below was written by the Congressional Research Service, which is a nonpartisan division of the Library of Congress.
9/22/2011.
Title I - Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security
Section 101 - Amends the federal criminal code to impose a fine and/or prison term of up to five years for intentionally or willfully concealing a security breach involving sensitive personally identifiable information when such breach results in economic harm or substantial emotional distress to one or more persons.
Section 102 - Makes it unlawful for a service provider, as defined by this Act, to knowingly or intentionally redirect web searches or otherwise monitor, manipulate, aggregate, and market data from websites without the consent of the Internet user. Imposes a civil fine of up to $500,000 for a violation of this provision and an increased fine of up to $1 million for engaging in a pattern or practice of activity that violates this provision.
Title II - Privacy and Security of Sensitive Personally Identifiable Information
Subtitle A - Data Privacy and Security Program
Section 201 - Makes any interstate business entity that collects, accesses, transmits, uses, stores, or disposes of sensitive personally identifiable information on 10,000 or more U.S. persons subject to the requirements for a data privacy and security program under this Act. Exempts public records not otherwise subject to a confidentiality or nondisclosure requirement, certain financial institutions subject to the Gramm-Leach-Bliley Act, business entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and service providers exclusively engaged in the transmission, routing, or storage of data.
Section 202 - Requires business entities that are subject to the personal data privacy and security requirements of this Act to implement a comprehensive program that:
(1) ensures the privacy, security, and confidentiality of sensitive personally identifiable information;
(2) protects against any anticipated vulnerabilities to the privacy, security, or integrity of such information; and
(3) protects against unauthorized access to such information that could create a significant risk of harm.
Requires such entities to:
(1) assess risks of future security breaches and design a personal data privacy and security program to control such risks;
(2) ensure employee training for implementing a security program;
(3) ensure regular testing of key controls, systems, and procedures of such program; and
(4) monitor, evaluate, and adjust the security program to reflect relevant changes in technology and other considerations.
Section 203 - Authorizes the Attorney General to bring a civil action or request injunctive relief against any business entity that violates the requirements of this subtitle and to obtain fines against such entity for violations, including enhanced penalties for intentional or willful violations.
Section 204 - Authorizes a state attorney general to bring a civil action or request injunctive relief against a business entity that adversely threatens or affects the residents of the state by violating the requirements of this subtitle.
Section 205 - Allows individuals aggrieved by a violation of the data privacy and security requirements of this subtitle to bring a civil action to recover for personal injuries sustained as a result of such violation. Allows punitive damages against a business entity that intentionally or willfully violates the provisions of this subtitle.
Subtitle B - Security Breach Notification
Section 211 - Requires any agency or interstate business entity that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information to notify, without unreasonable delay, any U.S. resident whose information has been, or is reasonably believed to have been, accessed or acquired in a security breach.
Allows a federal law enforcement agency or member of the intelligence community to delay notification if it determines that such notification would impede a lawful criminal investigation or authorized intelligence activity.
Section 212 - Exempts an agency or business entity from the notification requirement if:
(1) the U.S. Secret Service or the Federal Bureau of Investigation (FBI) determines that notification of a security breach would reveal sensitive sources, impede law enforcement investigations, or cause damage to national security; or
(2) the agency or entity conducts a risk assessment in consultation with the Federal Trade Commission (FTC), concludes that the breach poses no significant risk of harm to the affected individuals, and the FTC does not act to deny the exemption.
Exempts from the requirements of this subtitle certain financial institutions subject to the Gramm-Leach-Bliley Act and business entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Section 213 - Sets forth the method of notice required for informing individuals of a security breach, including written notice to the last known home mailing address or email address of such individuals and public notice by electronic means or by general media if the sensitive personally identifiable information of more than 5,000 individuals is involved.
Section 214 - Establishes requirements for the content of a notice to an individual whose sensitive personally identifiable information has been breached, including a description of the categories of such information, contact information, and a notice that such individual is entitled to a free consumer credit report on a quarterly basis for two years.
Section 215 - Requires an agency or business entity that is required to provide notice of a security breach to provide, at no cost to an individual whose sensitive personally identifiable information was breached, a consumer credit report on a quarterly basis for a two-year period, a credit monitoring service, a security freeze on the individual's credit report, and compensation for damages incurred by the individual as a result of the security breach.
Section 216 - Requires any agency or business entity that is required to notify more than 5,000 individuals of a security breach to also notify consumer credit reporting agencies without unreasonable delay.
Section 217 - Requires the Secretary of Homeland Security (DHS), in consultation with the Attorney General, to designate a federal entity (designated entity) to receive information and reports about information security incidents, threats, and vulnerabilities.
Requires the designated entity to provide such information to the Secret Service, to the FBI, to the FTC for civil law enforcement purposes, and to other federal agencies for law enforcement, national security, or data security purposes.
Requires business entities and agencies to notify the designated entity of a security breach within 10 days of discovery.
Section 218 - Authorizes the Attorney General to bring a civil action or request injunctive relief against any business entity that violates the requirements of this subtitle. Grants the FTC authority to enforce compliance with the requirements of this subtitle.
Section 219 - Authorizes a state attorney general to bring a civil action or request injunctive relief against a business entity that adversely threatens or affects the residents of the state by violating the requirements of this subtitle.
Section 220 - Allows individuals aggrieved by a violation of the notice requirements of this subtitle to bring a civil action to recover for personal injuries sustained as a result of such violation or to obtain injunctive relief. Allows punitive damages against a business entity that intentionally or willfully violates the provisions of this subtitle.
Section 221 - Provides that the provisions of this subtitle supersede other provisions of federal or state law relating to notification, but do not exempt any entity from liability under common law for damages caused by failure to notify an individual following a security breach.
Section 222 - Authorizes appropriations to the Secret Service to carry out investigations and risk assessments of security breaches.
Section 223 - Requires the Secret Service and the FBI to report to Congress, not later than 18 months after the enactment of this Act, on the number and nature of the security breaches described in notices filed by entities seeking a risk assessment exemption and on the response of the Secret Service and FBI to such notices.
Subtitle C - Post-Breach Technical Information Clearinghouse
Section 230 - Requires the entity designated by DHS under this Act to maintain a clearinghouse of technical information concerning system vulnerabilities identified in the wake of security breaches. Allows agencies and business entities that are certified to review information in the clearinghouse to access such information in order to improve the security and reduce the vulnerability of networks that contain sensitive personally identifiable information.
Section 231 - Requires the DHS designated entity to ensure that:
(1) technical information disclosed to it is stored in a format designed to protect proprietary business information from inadvertent disclosure; and
(2) all information stored in the technical information clearinghouse is presented in a form that minimizes the potential for such information to be traced to a particular network, company, or security breach incident.
Exempts information in the technical information clearinghouse from disclosure under the Freedom of Information Act.
Title III - Access to and Use of Commercial Data
Section 301 - Requires the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000, to evaluate:
(1) the data privacy and security program of a data broker and the broker's compliance with such program,
(2) the extent to which databases and systems have been compromised by security breaches, and
(3) data broker responses to such breaches.
Defines a "data broker" as a business entity that regularly collects, transmits, or provides access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity for purposes of providing such information to non-affiliated third parties on an interstate basis.
Section 302 - Requires federal agencies to: (1) evaluate and audit the information security practices of contractors or third-party business entities that support the information systems or operations of such agencies involving sensitive personally identifiable information, and (2) ensure remedial action to address any significant deficiencies.
Section 303 - Requires federal agencies to conduct a privacy impact assessment before purchasing or subscribing to personally identifiable information from a data broker. Requires the Comptroller General to study and report on federal agency adherence to key privacy principles when using data brokers or commercial databases containing sensitive personally identifiable information.
Section 304 - Requires the FBI, in coordination with the Secret Service, to submit to the Judiciary Committees of Congress, within one year after the enactment of this Act, a report on any reported security breaches at agencies or business entities during the preceding year.
Section 305 - Requires the Attorney General to submit annual reports to Congress on federal, state, and private enforcement of this Act, with recommendations for increasing the effectiveness of such enforcement actions.
Section 306 - Requires the FBI, in coordination with the Attorney General and the FTC, to report to the Judiciary Committees of Congress, within one year after the enactment of this Act, on the effectiveness of post-breach notification practices by agencies and business entities.
Title IV - Compliance with Statutory Pay-As-You-Go Act
Section 401 - Provides for compliance of the budgetary effects of this Act with the Statutory Pay-As-You-Go Act of 2010.