H.R. 1704 (114th): Personal Data Notification and Protection Act of 2015

The text of the bill below is as of Mar 26, 2015 (Introduced).


I

114th CONGRESS

1st Session

H. R. 1704

IN THE HOUSE OF REPRESENTATIVES

March 26, 2015

introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committee on the Judiciary, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To establish a national data breach notification standard, and for other purposes.

1.

Short title; table of contents

(a)

Short title

This Act may be cited as the Personal Data Notification and Protection Act of 2015.

(b)

Table of contents

The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Title I—National Data Breach Notification Standard

Sec. 101. Notification to individuals.

Sec. 102. Exemptions from notification to individuals.

Sec. 103. Methods of notification.

Sec. 104. Content of notification.

Sec. 105. Coordination of notification with credit reporting agencies.

Sec. 106. Notification for law enforcement and other purposes.

Sec. 107. Enforcement by the Federal Trade Commission.

Sec. 108. Enforcement by State attorneys general.

Sec. 109. Effect on State law.

Sec. 110. Reporting on security breaches.

Sec. 111. Excluded business entities.

Sec. 112. Definitions.

Sec. 113. Effective date.

Title II—Extraterritorial Application of Cyber Crime Law

Sec. 201. Extraterritorial jurisdiction.

I

National Data Breach Notification Standard

101.

Notification to individuals

(a)

In general

Except as provided for in section 102, any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify, in accordance with sections 103 and 104, any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.

(b)

Obligations of and to owner or licensee

(1)

Notification to owner or licensee

Any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information, unless there is no reasonable risk of harm or fraud to such owner or licensee.

(2)

Notification by owner, licensee, or other designated third party

Nothing in this title shall prevent or abrogate an agreement between a business entity required to provide notification under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a).

(3)

Business entity relieved from giving notification

A business entity required to provide notification under subsection (a) shall not be required to provide such notification if an owner or licensee of the sensitive personally identifiable information subject to the security breach, or other designated third party, provides such notification.

(c)

Timeliness of notification

(1)

In general

All notifications required under this section shall be made without unreasonable delay following the discovery by the business entity of a security breach. A business entity shall, upon the request of the Commission, provide records or other evidence of the notifications required under this section.

(2)

Reasonable delay

(A)

In general

Except as provided in subsection (d), reasonable delay under this subsection shall not exceed 30 days, unless the business entity seeking additional time requests an extension of time and the Commission determines that additional time is reasonably necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment, restore the reasonable integrity of the data system, or provide notice to the breach notification entity.

(B)

Extension

If the Commission determines that additional time is reasonably necessary as described in subparagraph (A), the Commission may extend the time period for notification for additional periods of up to 30 days each. Any such extension shall be provided in writing by the Commission.

(3)

Burden of production

If a business entity requires additional time under paragraph (2), the business entity shall provide the Commission with records or other evidence of the reasons necessitating delay of notification.

(d)

Delay of notification for law enforcement or national security

(1)

In general

If the Director of the United States Secret Service or the Director of the Federal Bureau of Investigation determines that the notification required under this section would impede a criminal investigation or national security activity, the time period for notification shall be extended 30 days upon written notice from such Director to the business entity that experienced the breach.

(2)

Extended delay of notification

If the time period for notification required under subsection (a) is extended pursuant to paragraph (1), a business entity shall provide the notification within such time period unless the Director of the United States Secret Service or the Director of the Federal Bureau of Investigation provides written notification that further extension of the time period is necessary. The Director of the United States Secret Service or the Director of the Federal Bureau of Investigation may extend the time period for additional periods of up to 30 days each.

(3)

Immunity

No cause of action for which jurisdiction is based under section 1346(b) of title 28, United States Code, shall lie against any Federal law enforcement agency for acts relating to the extension of the deadline for notification for law enforcement or national security purposes under this section.

(e)

Designation of breach notification entity

Not later than 60 days after the date of the enactment of this Act, the Secretary of Homeland Security shall designate a Federal Government entity to receive notices, reports, and information about information security incidents, threats, and vulnerabilities under this title.

102.

Exemptions from notification to individuals

(a)

Exemption for national security and law enforcement

(1)

In general

Notwithstanding section 101, if the Director of the United States Secret Service or the Director of the Federal Bureau of Investigation determines that notification of the security breach required by such section could be expected to reveal sensitive sources and methods or similarly impede the ability of a Federal, State, or local law enforcement agency to conduct law enforcement investigations, or if the Director of the Federal Bureau of Investigation determines that notification of the security breach could be expected to cause damage to national security, such notification is not required.

(2)

Immunity

No cause of action for which jurisdiction is based under section 1346(b) of title 28, United States Code, shall lie against any Federal law enforcement agency for acts relating to the extension of the deadline for notification for law enforcement or national security purposes under this section.

(b)

Safe harbor

(1)

In general

A business entity is exempt from the notification requirement under section 101, if the following requirements are met:

(A)

Risk assessment

A risk assessment, in accordance with paragraph (3), is conducted by or on behalf of the business entity that concludes that there is no reasonable risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.

(B)

Notice to Commission

Without unreasonable delay and not later than 30 days after the discovery of a security breach, unless extended by the Commission, the Director of the United States Secret Service, or the Director of the Federal Bureau of Investigation under section 101 (in which case, before the extended deadline), the business entity notifies the Commission, in writing, of—

(i)

the results of the risk assessment; and

(ii)

the decision by the business entity to invoke the risk assessment exemption described under subparagraph (A).

(C)

Determination by Commission

During the period beginning on the date on which the notification described in subparagraph (B) is submitted and ending 10 days after such date, the Commission has not issued a determination in writing that a notification should be provided under section 101.

(2)

Rebuttable presumption

For purposes of paragraph (1)—

(A)

the rendering of sensitive personally identifiable information at issue unusable, unreadable, or indecipherable through a security technology generally accepted by experts in the field of information security shall establish a rebuttable presumption that such reasonable risk does not exist; and

(B)

any such presumption shall be rebuttable by facts demonstrating that the security technologies or methodologies in a specific case have been, or are reasonably likely to have been, compromised.

(3)

Risk assessment requirements

A risk assessment is in accordance with this paragraph if the following requirements are met:

(A)

Properly conducted

The risk assessment is conducted in a reasonable manner or according to standards generally accepted by experts in the field of information security.

(B)

Logging data required

The risk assessment includes logging data, as applicable and to the extent available, for a period of at least six months before the discovery of a security breach described in section 101(a)—

(i)

for each communication or attempted communication with a database or data system containing sensitive personally identifiable information, the data system communication information for the communication or attempted communication, including any Internet addresses, and the date and time associated with the communication or attempted communication; and

(ii)

all log-in information associated with databases or data systems containing sensitive personally identifiable information, including both administrator and user log-in information.

(C)

Fraudulent or misleading information

The risk assessment does not contain fraudulent or deliberately misleading information.

(c)

Financial fraud prevention exemption

(1)

In general

A business entity is exempt from the notification requirement under section 101 if the business entity uses or participates in a security program that—

(A)

effectively blocks the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and

(B)

provides notification to affected individuals after a security breach that has resulted in fraud or unauthorized transactions.

(2)

Limitation

The exemption in paragraph (1) does not apply if the information subject to the security breach includes the individual’s first and last name or any other type of sensitive personally identifiable information other than a credit card number or credit card security code.

103.

Methods of notification

A business entity shall be in compliance with the requirements of this section if, with respect to the method of notification as required under section 101, the following requirements are met:

(1)

Individual notification

Notification to an individual is by one of the following means:

(A)

Written notification to the last known home mailing address of the individual in the records of the business entity.

(B)

Telephone notification to the individual personally.

(C)

E-mail notification, if the individual has consented to receive such notification and the notification is consistent with the provisions permitting electronic transmission of notifications under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001).

(2)

Media notification

If the number of residents of a State whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000, notification is provided to media reasonably calculated to reach such individuals, such as major media outlets serving a State or jurisdiction.

104.

Content of notification

The notification provided to individuals required by section 101 shall include, to the extent possible, the following:

(1)

A description of the categories of sensitive personally identifiable information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person.

(2)

A toll-free number—

(A)

that the individual may use to contact the business entity, or the agent of the business entity; and

(B)

from which the individual may learn what types of sensitive personally identifiable information the business entity maintained about that individual.

(3)

The toll-free contact telephone numbers and addresses for the major credit reporting agencies and the Commission.

(4)

The name of the business entity that has a direct business relationship with the individual.

(5)

Notwithstanding section 109, any information regarding victim protection assistance required by the State in which the individual resides.

105.

Coordination of notification with credit reporting agencies

(a)

Requirement To notify credit reporting agencies

If a business entity is required to notify more than 5,000 individuals under section 101, the business entity shall also notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p))) of the timing and distribution of the notifications. Such notification shall be given to the consumer credit reporting agencies without unreasonable delay and, if it will not delay notification to the affected individuals, prior to the distribution of notifications to the affected individuals.

(b)

Reasonable delay

Reasonable delay under subsection (a) shall not exceed 30 days following the discovery of a security breach, except as provided in subsection (c) or (d) of section 101 (in which case, before the extended deadline), or unless the business entity providing notification can demonstrate to the Commission that additional time is reasonably necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment, restore the reasonable integrity of the data system, and provide notice to the breach notification entity. If the Commission determines that additional time is necessary, the Commission may extend the time period for notification for additional periods of up to 30 days each. Any such extension shall be provided in writing.

106.

Notification for law enforcement and other purposes

(a)

Notification to law enforcement and national security authorities

Any business entity shall notify the breach notification entity, and the breach notification entity shall promptly notify and provide that information to the United States Secret Service, the Federal Bureau of Investigation, and the Commission for civil law enforcement purposes, and shall make it available as appropriate to other Federal agencies for law enforcement, national security, or computer security purposes, if—

(1)

the number of individuals whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000;

(2)

the security breach involves a database, networked or integrated databases, or other data system containing the sensitive personally identifiable information of more than 500,000 individuals nationwide;

(3)

the security breach involves databases owned by the Federal Government; or

(4)

the security breach involves primarily sensitive personally identifiable information of individuals known to the business entity to be employees and contractors of the Federal Government involved in national security or law enforcement.

(b)

Regulations

Not later than one year after the date of enactment of this Act, the Commission shall promulgate regulations (in accordance with section 553 of title 5, United States Code) in consultation with the Attorney General and the Secretary of Homeland Security, that describe what information is required to be included in the notification under subsection (a). In addition the Commission shall promulgate regulations, as necessary, (in accordance with section 553 of title 5, United States Code) in consultation with the Attorney General, to adjust the thresholds for notification to law enforcement and national security authorities under subsection (a) and to facilitate the purposes of this section.

(c)

Timing of notification

The notification required under this section shall be provided as promptly as possible and at least 72 hours before notification of an individual pursuant to section 101 or 10 days after discovery of the breach requiring notification, whichever comes first.

107.

Enforcement by the Federal Trade Commission

(a)

Unfair or deceptive acts or practices

A violation of this title or a regulation promulgated under this title shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

(b)

Powers of Commission

The Federal Trade Commission shall enforce this title and the regulations promulgated under this title in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, except that the exceptions described in section 5(a)(2) of such Act (15 U.S.C. 45(a)(2)) shall not apply. Any business entity who violates this title or a regulation promulgated under this title shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

(c)

Federal Communications Commission

In a case in which enforcement under this title involves a business entity that is subject to the authority of the Federal Communications Commission, before taking enforcement actions the Commission shall consult with the Federal Communications Commission.

(d)

Consumer Financial Protection Bureau

In a case in which enforcement under this title relates to financial information or information associated with the provision of a consumer financial product or service, before taking enforcement actions the Commission shall consult with the Consumer Financial Protection Bureau.

(e)

Consultation with the Attorney General required

The Commission shall consult with the Attorney General before opening an investigation. If the Attorney General determines that such an investigation would impede an ongoing criminal investigation or national security activity, the Commission may not open such investigation.

(f)

Regulations

(1)

In general

The Commission may promulgate regulations, in addition to the regulations promulgated pursuant to section 106(b), relating to the duties of the Commission under this title, in accordance with section 553 of title 5, United States Code, as the Commission determines to be necessary to carry out this title.

(2)

Federal Communications Commission

With regard to a regulation promulgated under this section that relates to an entity subject to the authority of the Federal Communications Commission, the Commission may only promulgate such regulation after consultation with the Federal Communications Commission.

(3)

Consumer Financial Protection Bureau

With regard to a regulation promulgated under this section that relates to financial information or information associated with the provision of a consumer financial product or service, the Commission may only promulgate such regulation after consultation with the Consumer Financial Protection Bureau.

108.

Enforcement by State attorneys general

(a)

In general

(1)

Civil actions

In any case in which the attorney general of a State or an official or agency of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice in violation of this title or a regulation promulgated under this title, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate State court or an appropriate district court of the United States to—

(A)

enjoin that practice;

(B)

enforce compliance with this title; or

(C)

impose civil penalties of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.

(2)

Notice

Before filing an action under paragraph (1), the attorney general, official, or agency of the State involved shall provide to the Attorney General and the Commission—

(A)

a written notice of the action; and

(B)

a copy of the complaint for the action.

(3)

Attorney General certification

An action may not be filed under paragraph (1) if the Attorney General determines that the filing would impede a criminal investigation or national security activity.

(b)

Authority of Federal Trade Commission

Upon receiving notice under subsection (a)(2), the Commission may—

(1)

move to stay the action, pending the final disposition of a pending Federal proceeding or action;

(2)

initiate an action in the appropriate United States district court under section 107 and move to consolidate all pending actions, including State actions, in such court;

(3)

intervene in the action brought under subsection (a); or

(4)

file petitions for appeal.

(c)

Pending proceedings

If the Commission has instituted a proceeding or action for a violation of this title or any regulations promulgated under this title, a State attorney general, official, or agency may not bring an action under this title during the pendency of the Federal action against any defendant named in such proceeding or action for any violation that is alleged in that proceeding or action.

(d)

Construction

For purposes of bringing any civil action under subsection (a), nothing in this title shall be construed to prevent an attorney general, official, or agency of a State from exercising the powers conferred on such attorney general, official, or agency by the laws of that State to—

(1)

conduct investigations;

(2)

administer oaths or affirmations; or

(3)

compel the attendance of witnesses or the production of documentary and other evidence.

(e)

Venue; service of process

(1)

Venue

Any action brought under subsection (a) may be brought in—

(A)

the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or

(B)

another court of competent jurisdiction.

(2)

Service of process

In an action brought under subsection (a), process may be served in any district in which the defendant—

(A)

is an inhabitant; or

(B)

may be found.

109.

Effect on State law

The provisions of this title shall supersede any provision of the law of any State, or a political subdivision thereof, relating to notification by a business entity engaged in interstate commerce of a security breach, except as provided in section 104(5).

110.

Reporting on security breaches

(a)

Report required on national security and law enforcement exemptions

Not later than 18 months after the date of enactment of this title, and annually thereafter, the Director of the United States Secret Service and the Director of the Federal Bureau of Investigation shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report on the number and nature of security breaches subject to the national security and law enforcement exemptions under section 102(a).

(b)

Report required on safe harbor exemptions

Not later than 18 months after the date of enactment of this title, and annually thereafter, the Commission shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report on the number and nature of the security breaches described in the notices filed by business entities invoking the risk assessment exemption under section 102(b) and the response of the Commission to such notices.

111.

Excluded business entities

Nothing in this title, or the regulations promulgated under this title, shall apply to—

(1)

business entities to the extent that such entities act as covered entities or business associates (as such terms are defined in section 13400 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17921)) subject to section 13402 of such Act (42 U.S.C. 17932); and

(2)

business entities to the extent that they act as vendors of personal health records (as such term is defined in section 13400 of such Act (42 U.S.C. 17921)) and third-party service providers subject to section 13407 of such Act (42 U.S.C. 17937).

112.

Definitions

In this title:

(1)

Affiliate

The term affiliate means persons related by common ownership or by corporate control.

(2)

Breach notification entity

The term breach notification entity means the Federal Government entity designated pursuant to section 101(e).

(3)

Business entity

The term business entity means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture, whether or not established to make a profit.

(4)

Commission

The term Commission means the Federal Trade Commission.

(5)

Consumer financial product or service

The term consumer financial product or service has the meaning given that term in section 1002 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (12 U.S.C. 5481).

(6)

Data system communication information

The term data system communication information means dialing, routing, addressing, or signaling information that identifies the origin, direction, destination, processing, transmission, or termination of each communication initiated, attempted, or received.

(7)

Date and time

The term date and time includes the date, time, and specification of the time zone offset from Coordinated Universal Time.

(8)

Federal agency

The term Federal agency has the meaning given the term agency in section 3502 of title 44, United States Code.

(9)

Intelligence community

The term intelligence community has the meaning given that term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)).

(10)

Internet address

The term Internet address means an Internet Protocol address as specified by the Internet Protocol version 4 or 6 protocol, or any successor protocol or any unique number for a specific host on the Internet.

(11)

Security breach

(A)

In general

The term security breach means a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in—

(i)

the unauthorized acquisition of sensitive personally identifiable information; or

(ii)

access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.

(B)

Exclusion

The term security breach does not include any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an element of the intelligence community.

(12)

Sensitive personally identifiable information

The term sensitive personally identifiable information means any information or compilation of information, in electronic or digital form that includes one or more of the following:

(A)

An individual’s first and last name or first initial and last name in combination with any two of the following data elements:

(i)

Home address or telephone number.

(ii)

Mother’s maiden name.

(iii)

Month, day, and year of birth.

(B)

A social security number (but not including only the last four digits of a social security number), driver’s license number, passport number, or alien registration number or other government-issued unique identification number.

(C)

Unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation.

(D)

A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code.

(E)

A user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.

(F)

Any combination of the following data elements:

(i)

An individual’s first and last name or first initial and last name.

(ii)

A unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code.

(iii)

Any security code, access code, or password, or source code that could be used to generate such codes or passwords.

(13)

Modified definition by rulemaking

The Commission may, by rule promulgated under section 553 of title 5, United States Code, amend the definition of sensitive personally identifiable information to the extent that such amendment will accomplish the purposes of this title. In amending the definition, the Commission may determine—

(A)

that any particular combinations of information are sensitive personally identifiable information; or

(B)

that any particular piece of information, on its own, is sensitive personally identifiable information.

113.

Effective date

This title shall take effect 90 days after the date of enactment of this Act.

II

Extraterritorial Application of Cyber Crime Law

201.

Extraterritorial jurisdiction

Subsection (h) of section 1029 of title 18, United States Code, is amended to read as follows:

(h)

Any person who, outside the jurisdiction of the United States, engages in any act that, if committed within the jurisdiction of the United States, would constitute an offense under subsection (a) or (b), shall be subject to the fines, penalties, imprisonment, and forfeiture provided in this title if the offense involves an access device issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity organized under the laws of the United States, or any State, the District of Columbia, or other territory of the United States.