II
113th CONGRESS
2d Session
S. 1927
IN THE SENATE OF THE UNITED STATES
January 15, 2014
Mr. Carper (for himself and Mr. Blunt) introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs
A BILL
To protect information relating to consumers, to require notice of security breaches, and for other purposes.
Sec. 1. Short title
This Act may be cited as the “Data Security Act of 2014”.
Sec. 2. Definitions
For purposes of this Act, the following definitions shall apply:
Affiliate
The term affiliate means any company that controls, is controlled by, or is under common control with another company.
Agency
The term agency has the same meaning as in section 551(1) of title 5, United States Code.
Breach of data security
In general
The term breach of data security means the unauthorized acquisition of sensitive account information or sensitive personal information.
Exception for data that is not in usable form
In general
The term breach of data security does not include the unauthorized acquisition of sensitive account information or sensitive personal information that is maintained or communicated in a manner that is not usable—
to commit identity theft; or
to make fraudulent transactions on financial accounts.
Rule of Construction
For purposes of this subparagraph, information that is maintained or communicated in a manner that is not usable includes any information that is maintained or communicated in an encrypted, redacted, altered, edited, or coded form.
Commission
The term Commission means the Federal Trade Commission.
Consumer
The term consumer means an individual.
Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis
The term consumer reporting agency that compiles and maintains files on consumers on a nationwide basis has the same meaning as in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
Covered entity
In general
The term covered entity means any—
entity, the business of which is engaging in financial activities, as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k));
financial institution, including any institution described in section 313.3(k) of title 16, Code of Federal Regulations, as in effect on the date of enactment of this Act;
entity that maintains or otherwise possesses information that is subject to section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w); or
other individual, partnership, corporation, trust, estate, cooperative, association, or entity that maintains or communicates sensitive account information or sensitive personal information.
Exception
The term covered entity does not include any agency or any other unit of Federal, State, or local government or any subdivision of the unit.
Financial institution
The term financial institution has the same meaning as in section 509(3) of the Gramm-Leach-Bliley Act (15 U.S.C. 6809(3)).
Sensitive account information
The term sensitive account information means a financial account number relating to a consumer, including a credit card number or debit card number, in combination with any security code, access code, password, or other personal identification information required to access the financial account.
Sensitive personal information
In general
The term sensitive personal information means the first and last name, address, or telephone number of a consumer, in combination with any of the following relating to the consumer:
Social security account number.
Driver’s license number or equivalent State identification number.
Taxpayer identification number.
Exception
The term sensitive personal information does not include publicly available information that is lawfully made available to the general public from—
Federal, State, or local government records; or
widely distributed media.
Substantial harm or inconvenience
In general
The term substantial harm or inconvenience means—
material financial loss to, or civil or criminal penalties imposed on, a consumer, due to the unauthorized use of sensitive account information or sensitive personal information relating to the consumer; or
the need for a consumer to expend significant time and effort to correct erroneous information relating to the consumer, including information maintained by a consumer reporting agency, financial institution, or government entity, in order to avoid material financial loss, increased costs, or civil or criminal penalties, due to the unauthorized use of sensitive account information or sensitive personal information relating to the consumer.
Exception
The term substantial harm or inconvenience does not include—
changing a financial account number or closing a financial account; or
harm or inconvenience that does not result from identity theft or account fraud.
Sec. 3. Protection of information and security breach notification
(a) Security procedures required
In general
Each covered entity shall implement, maintain, and enforce reasonable policies and procedures to protect the confidentiality and security of sensitive account information and sensitive personal information that is maintained or is being communicated by or on behalf of a covered entity from the unauthorized use of the information that is reasonably likely to result in substantial harm or inconvenience to the consumer to whom the information relates.
Limitation
Any policy or procedure implemented or maintained under paragraph (1) shall be appropriate to—
the size and complexity of the covered entity;
the nature and scope of the activities of the covered entity; and
the sensitivity of the consumer information to be protected.
(b) Investigation required
In general
If a covered entity determines that a breach of data security has or may have occurred in relation to sensitive account information or sensitive personal information that is maintained or is being communicated by, or on behalf of, the covered entity, the covered entity shall conduct an investigation to—
assess the nature and scope of the breach;
identify any sensitive account information or sensitive personal information that may have been involved in the breach; and
determine if the sensitive account information or sensitive personal information is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers to whom the information relates.
Neural networks and information security programs
In determining the likelihood of misuse of sensitive account information under paragraph (1)(C), a covered entity shall consider whether any neural network or security program has detected, or is likely to detect or prevent, fraudulent transactions resulting from the breach of security.
(c) Notice required
If a covered entity determines under subsection (b)(1)(C) that sensitive account information or sensitive personal information involved in a breach of data security is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers to whom the information relates, the covered entity, or a third party acting on behalf of the covered entity, shall—
notify, in the following order—
the appropriate agency or authority identified in section 5;
an appropriate law enforcement agency;
any entity that owns, or is obligated on, a financial account to which the sensitive account information relates, if the breach involves a breach of sensitive account information;
each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, if the breach involves sensitive personal information relating to 5,000 or more consumers; and
all consumers to whom the sensitive account information or sensitive personal information relates; and
take reasonable measures to restore the security and confidentiality of the sensitive account information or sensitive personal information involved in the breach.
(d) Compliance
In general
An entity shall be deemed to be in compliance with—
in the case of a financial institution—
subsection (a), and any regulations prescribed under subsection (a), if the financial institution maintains policies and procedures to protect the confidentiality and security of sensitive account information and sensitive personal information that are consistent with the policies and procedures of the financial institution that are designed to comply with the requirements of section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) and any regulations or guidance prescribed under that section that are applicable to the financial institution; and
subsections (b) and (c), and any regulations prescribed under subsections (b) and (c), if the financial institution—
maintains policies and procedures to investigate and provide notice to consumers of breaches of data security that are consistent with the policies and procedures of the financial institution that are designed to comply with the investigation and notice requirements established by regulations or guidance under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) that are applicable to the financial institution; or
is an affiliate of a bank holding company that maintains policies and procedures to investigate and provide notice to consumers of breaches of data security that are consistent with the policies and procedures of a bank that is an affiliate of the financial institution, and the policies and procedures of the bank are designed to comply with the investigation and notice requirements established by any regulations or guidance under section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) that are applicable to the bank; and
provides for notice to the entities described under subparagraphs (B), (C), and (D) of subsection (c)(1), if notice is provided to consumers pursuant to the policies and procedures of the financial institution described in subclause (I); and
subsections (a), (b), and (c), if the entity is a covered entity for purposes of the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), to the extent that the entity is in compliance with such regulations.
Definitions
For purposes of this subsection, the terms bank holding company and bank shall have the same meaning given the terms under section 2 of the Bank Holding Company Act of 1956 (12 U.S.C. 1841).
Sec. 4. Implementing regulations
(a) In general
Notwithstanding any other provision of law, and except as provided in section 6, the agencies and authorities identified in section 5, with respect to the covered entities that are subject to the respective enforcement authority of the agencies and authorities, shall prescribe regulations to implement this Act.
(b) Coordination
Each agency and authority required to prescribe regulations under subsection (a) shall consult and coordinate with each other agency and authority identified in section 5 so that, to the extent possible, the regulations prescribed by each agency and authority are consistent and comparable.
(c) Method of providing notice to consumers
The regulations required under subsection (a) shall—
prescribe the methods by which a covered entity shall notify a consumer of a breach of data security under section 3; and
allow a covered entity to provide the notice by—
written, telephonic, or e-mail notification; or
substitute notification, if providing written, telephonic, or e-mail notification is not feasible due to—
lack of sufficient contact information for the consumers that must be notified; or
excessive cost to the covered entity.
(d) Content of consumer notice
The regulations required under subsection (a) shall—
prescribe the content that shall be included in a notice of a breach of data security that is required to be provided to consumers under section 3; and
require the notice to include—
a description of the type of sensitive account information or sensitive personal information involved in the breach of data security;
a general description of the actions taken by the covered entity to restore the security and confidentiality of the sensitive account information or sensitive personal information involved in the breach of data security; and
the summary of rights of victims of identity theft prepared by the Commission under section 609(d) of the Fair Credit Reporting Act (15 U.S.C. 1681g(d)), if the breach of data security involves sensitive personal information.
(e) Timing of notice
The regulations required under subsection (a) shall establish standards for when a covered entity shall provide any notice required under section 3.
(f) Law enforcement delay
The regulations required under subsection (a) shall allow a covered entity to delay providing notice of a breach of data security to consumers under section 3 if a law enforcement agency requests such a delay in writing.
(g) Service providers
The regulations required under subsection (a) shall—
require any party that maintains or communicates sensitive account information or sensitive personal information on behalf of a covered entity to provide notice to that covered entity if the party determines that a breach of data security has, or may have, occurred with respect to the sensitive account information or sensitive personal information; and
ensure that there is only 1 notification responsibility with respect to a breach of data security.
(h) Timing of regulations
The regulations required under subsection (a) shall—
be issued in final form not later than 6 months after the date of enactment of this Act; and
take effect not later than 6 months after the date on which they are issued in final form.
Sec. 5. Administrative enforcement
(a) In general
Notwithstanding any other provision of law, section 3, and the regulations required under section 4, shall be enforced exclusively under—
section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of—
a national bank, a Federal branch or Federal agency of a foreign bank, or any subsidiary thereof (other than a broker, dealer, person providing insurance, investment company, or investment adviser), or a savings association, the deposits of which are insured by the Federal Deposit Insurance Corporation, or any subsidiary thereof (other than a broker, dealer, person providing insurance, investment company, or investment adviser), by the Office of the Comptroller of the Currency;
a member bank of the Federal Reserve System (other than a national bank), a branch or agency of a foreign bank (other than a Federal branch, Federal agency, or insured State branch of a foreign bank), a commercial lending company owned or controlled by a foreign bank, an organization operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601, 611), or a bank holding company and its nonbank subsidiary or affiliate (other than a broker, dealer, person providing insurance, investment company, or investment adviser), by the Board of Governors of the Federal Reserve System; and
a bank, the deposits of which are insured by the Federal Deposit Insurance Corporation (other than a member of the Federal Reserve System), an insured State branch of a foreign bank, or any subsidiary thereof (other than a broker, dealer, person providing insurance, investment company, or investment adviser), by the Board of Directors of the Federal Deposit Insurance Corporation;
the Federal Credit Union Act (12 U.S.C. 1751 et seq.), by the National Credit Union Administration Board with respect to any federally insured credit union;
the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.), by the Securities and Exchange Commission with respect to any broker or dealer;
the Investment Company Act of 1940 (15 U.S.C. 80a–1 et seq.), by the Securities and Exchange Commission with respect to any investment company;
the Investment Advisers Act of 1940 (15 U.S.C. 80b–1 et seq.), by the Securities and Exchange Commission with respect to any investment adviser registered with the Securities and Exchange Commission under that Act;
the Commodity Exchange Act (7 U.S.C. 1 et seq.), by the Commodity Futures Trading Commission with respect to any futures commission merchant, commodity trading advisor, commodity pool operator, or introducing broker;
the provisions of title XIII of the Housing and Community Development Act of 1992 (12 U.S.C. 4501 et seq.), by the Director of Federal Housing Enterprise Oversight (and any successor to the functional regulatory agency) with respect to the Federal National Mortgage Association, the Federal Home Loan Mortgage Corporation, and any other entity or enterprise (as defined in that title) subject to the jurisdiction of the functional regulatory agency under that title, including any affiliate of any such enterprise;
State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled; and
the Federal Trade Commission Act (15 U.S.C. 41 et seq.), by the Commission for any other covered entity that is not subject to the jurisdiction of any agency or authority described under paragraphs (1) through (8).
(b) Extension of Federal Trade Commission enforcement authority
The authority of the Commission to enforce compliance with section 3, and the regulations required under section 4, under subsection (a)(8) shall—
notwithstanding the Federal Aviation Act of 1958 (49 U.S.C. App. 1301 et seq.), include the authority to enforce compliance by air carriers and foreign air carriers; and
notwithstanding the Packers and Stockyards Act (7 U.S.C. 181 et seq.), include the authority to enforce compliance by persons, partnerships, and corporations subject to the provisions of that Act.
(c) No private right of action
In general
This Act, and the regulations prescribed under this Act, may not be construed to provide a private right of action, including a class action with respect to any act or practice regulated under this Act.
Civil and criminal actions
No civil or criminal action relating to any act or practice governed under this Act, or the regulations prescribed under this Act, shall be commenced or maintained in any State court or under State law, including a pendent State claim to an action under Federal law.
Sec. 6. Protection of information at Federal agencies
(a) Data security standards
Each agency shall implement appropriate standards relating to administrative, technical, and physical safeguards—
to insure the security and confidentiality of the sensitive account information and sensitive personal information that is maintained or is being communicated by, or on behalf of, that agency;
to protect against any anticipated threats or hazards to the security of the sensitive account information and sensitive personal information; and
to protect against misuse of the sensitive account information and sensitive personal information that could result in substantial harm or inconvenience to a consumer.
(b) Security breach notification standards
Each agency shall implement appropriate standards providing for notification of consumers when the agency determines that sensitive account information or sensitive personal information that is maintained or is being communicated by, or on behalf of, the agency—
has been acquired without authorization; and
is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers to whom the information relates.
Sec. 7. Relation to State law
No requirement or prohibition may be imposed under the laws of any State with respect to the responsibilities of any person to—
protect the security of information relating to consumers that is maintained or communicated by, or on behalf of, the person;
safeguard information relating to consumers from potential misuse;
investigate or provide notice of the unauthorized access to information relating to consumers, or the potential misuse of the information, for fraudulent, illegal, or other purposes; or
mitigate any loss or harm resulting from the unauthorized access or misuse of information relating to consumers.
Sec. 8. Delayed effective date for certain provisions
(a) Covered entities
Sections 3 and 7 shall take effect on the later of—
1 year after the date of enactment of this Act; or
the effective date of the final regulations required under section 4.
(b) Agencies
Section 6 shall take effect 1 year after the date of enactment of this Act.