IN THE SENATE OF THE UNITED STATES
June 20, 2013
Mr. Toomey (for himself, Mr. King, Mr. Thune, Mr. Heller, Mr. Blunt, Mr. Rubio, Mr. Coats, and Mr. Roberts) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
To require certain entities that collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security involving such information, and for other purposes.
This Act may be cited as
Data Security and Breach
Notification Act of 2013
Requirements for information security
Each covered entity shall take reasonable measures to protect and secure data in electronic form containing personal information.
Notification of information security breach
A covered entity that owns or licenses data in electronic form containing personal information shall give notice of any breach of security following discovery by the covered entity of the breach of security to each individual who is a citizen or resident of the United States whose personal information was or that the covered entity reasonably believes to have been accessed and acquired by an unauthorized person and that the covered entity reasonably believes has caused or will cause identity theft or other actual financial harm.
A covered entity shall notify the Secret Service or the Federal Bureau of Investigation of the fact that a breach of security has occurred if the number of individuals whose personal information the covered entity reasonably believes to have been accessed and acquired by an unauthorized person exceeds 10,000.
Special notification requirements
In the event of a breach of security of a system maintained by a third-party entity that has been contracted to maintain, store, or process data in electronic form containing personal information on behalf of a covered entity who owns or possesses such data, such third-party entity shall notify such covered entity of the breach of security.
Covered entities who receive notice from third parties
Upon receiving notification from a third party under subparagraph (A), a covered entity shall provide notification as required under subsection (a).
Exception for service providers
A service provider shall not be considered a third-party agent for purposes of this paragraph.
If a service provider becomes aware of a breach of security involving data in electronic form containing personal information that is owned or possessed by a covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, such service provider shall notify the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified.
Covered entities who receive notice from service providers
Upon receiving notification from a service provider under subparagraph (A), a covered entity shall provide notification as required under subsection (a).
Timeliness of notification
Unless subject to a delay authorized under paragraph (3), a notification required under subsection (a) with respect to a breach of security shall be made as expeditiously as practicable and without unreasonable delay.
For purposes of paragraph (1), a delay for the purpose of allowing the covered entity time to determine the scope of the breach of security, to identify individuals affected by the breach of security, and to restore the reasonable integrity of the data system that was breached, shall be considered reasonable.
Delay of notification authorized for law enforcement or national security purposes
If a Federal law enforcement agency determines that the notification required under subsection (a) would interfere with a civil or criminal investigation, such notification shall be delayed upon the written request of the law enforcement agency for any period which the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period set forth in the original request made under this subparagraph by a subsequent request if further delay is necessary.
If a Federal national security agency or homeland security agency determines that the notification required under this section would threaten national or homeland security, such notification may be delayed upon the written request of the national security agency or homeland security agency for any period which the national security agency or homeland security agency determines is reasonably necessary. A Federal national security agency or homeland security agency may revoke such delay or extend the period set forth in the original request made under this subparagraph by a subsequent written request if further delay is necessary.
Method and content of notification
Method of notification
A covered entity required to provide notification to an individual under subsection (a) shall be in compliance with such requirement if the covered entity provides such notice by one of the following methods:
Written notification, sent to the postal address of the individual in the records of the covered entity.
Email or other electronic means.
Content of notification
Regardless of the method by which notification is provided to an individual under subparagraph (A) with respect to a breach of security, such notification, to the extent practicable, shall include—
the date, estimated date, or estimated date range of the breach of security;
a description of the personal information that was accessed and acquired, or reasonably believed to have been accessed and acquired, by an unauthorized person as a part of the breach of security; and
information that the individual can use to contact the covered entity to inquire about—
the breach of security; or
the personal information the covered entity maintained about that individual.
Circumstances giving rise to substitute notification
A covered entity required to provide notification to an individual under subsection (a) may provide substitute notification in lieu of the direct notification required by paragraph (1) if such direct notification is not feasible due to—
excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity; or
lack of sufficient contact information for the individual required to be notified.
Form of substitute notification
Such substitute notification shall include at least one of the following:
A conspicuous notice on the Internet website of the covered entity (if such covered entity maintains such a website).
Notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.
Treatment of persons governed by other Federal law
Except as provided in section 4(b), a covered entity who is in compliance with any other Federal law that requires such covered entity to provide notification to individuals following a breach of security shall be deemed to be in compliance with this section.
Application and enforcement
The requirements of sections 2 and 3 apply to—
those persons, partnerships, or corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act ( 15 U.S.C. 45(a)(2) ); and
notwithstanding section 5(a)(2) of the Federal Trade Commission Act ( 15 U.S.C. 45(a)(2) ), common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.).
Application to cable operators, satellite operators, and telecommunications carriers
Sections 222, 338, and 631 of the Communications Act of 1934 ( 47 U.S.C. 222 , 338 , and 551 ), and any regulations promulgated thereunder, shall not apply with respect to the information security practices, including practices relating to the notification of unauthorized access to data in electronic form, of any covered entity otherwise subject to those sections.
Enforcement by Federal Trade Commission
Unfair or deceptive acts or practices
A violation of section 2 or 3 shall be treated as an unfair or deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
Powers of commission
Except as provided in subsection (a), the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act ( 15 U.S.C. 41 et seq. ) were incorporated into and made a part of this Act.
Privileges and immunities
Any person who violates section 2 or 3 shall be subject to the penalties and entitled to the privileges and immunities provided in such Act.
Maximum total liability
Notwithstanding the number of actions which may be brought against a covered entity under this subsection, the maximum civil penalty for which any covered entity may be liable under this subsection for all actions shall not exceed—
$500,000 for all violations of section 2 resulting from the same related act or omission; and
$500,000 for all violations of section 3 resulting from a single breach of security.
No private cause of action
Nothing in this Act shall be construed to establish a private cause of action against a person for a violation of this Act.
In this Act:
Breach of security
The term breach of security means unauthorized access and acquisition of data in electronic form containing personal information.
The term Commission means the Federal Trade Commission.
The term covered entity means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or utilizes personal information.
The term covered entity does not include the following:
Financial institutions subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
An entity covered by the regulations issued under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 ( Public Law 104–191 ) to the extent that such entity is subject to the requirements of such regulations with respect to protected health information.
Data in electronic form
The term data in electronic form means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
The term personal information means an individual's first name or first initial and last name in combination with any 1 or more of the following data elements for that individual:
Social Security number.
Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
Financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
public record information
Personal information does not include information obtained about an individual which has been lawfully made publicly available by a Federal, State, or local government entity or widely distributed by media.
Encrypted, redacted, or secured data
Personal information does not include information that is encrypted, redacted, or secured by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
The term service provider means an entity that provides electronic data transmission, routing, intermediate, and transient storage, or connections to its system or network, where such entity providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and does not differentiate personal information from other information that such entity transmits, routes, stores, or for which such entity provides connections. Any such entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage, or connections.
Effect on other laws
This Act preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State, or political subdivision of a State, relating to the protection or security of data in electronic form containing personal information or the notification of a breach of security.
This Act shall take effect on the date that is 1 year after the date of enactment of this Act.