
H.R. 6743 (115th): Consumer Information Notification Requirement Act

The text of the bill below is as of Dec 21, 2018 (Reported by House Committee).



Union Calendar No. 849

115th CONGRESS

2d Session

H. R. 6743

[Report No. 115–1097]

IN THE HOUSE OF REPRESENTATIVES

September 7, 2018

introduced the following bill; which was referred to the Committee on Financial Services

December 21, 2018

Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed

Strike out all after the enacting clause and insert the part printed in italic

For text of introduced bill, see copy of bill as introduced on September 7, 2018


A BILL

To amend the Gramm-Leach-Bliley Act to provide a national standard for financial institution data security and breach notification on behalf of all consumers, and for other purposes.


1.

Short title

This Act may be cited as the "Consumer Information Notification Requirement Act".

2.

Breach notification standards

Section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) is amended—

(1)

in subsection (b)(3) by striking the period at the end and inserting ", including through the provision of a breach notice in the event of unauthorized access that is reasonably likely to result in identity theft, fraud, or economic loss."; and

(2)

by adding at the end the following:

(c)

Standards with respect to breach notification

Subject to section 504(a)(2) and sections 505(b) and 505(c), within 6 months after the date of enactment of this subsection, each agency or authority required to establish standards described under subsection (b)(3) with respect to the provision of a breach notice shall ensure that such standards are in compliance with subsection (b).

(d)

Insurance

(1)

Enforcement

Notwithstanding section 505(a)(6), with respect to an entity engaged in providing insurance, the standards under subsection (b) shall be enforced—

(A)

with respect to any such standards related to data security safeguards, by—

(i)

the State insurance authority of the State in which the entity is domiciled; or

(ii)

in the case of an insurance agency or brokerage, the State insurance authority of the State in which such agency or brokerage has its principal place of business; and

(B)

with respect to any such standards related to notification of the breach of data security, by the State insurance authority of any State in which customers of the entity are affected by such a breach of data security.

(2)

Notification by assuming insurer

(A)

In general

Notwithstanding subsection (b), an assuming insurer that experiences a breach of data security shall only be required to notify the State insurance authority of the State in which the assuming insurer is domiciled.

(B)

Assuming insurer defined

For purposes of this paragraph, the term "assuming insurer" means an entity engaged in providing insurance that acquires an insurance obligation or risk from another entity engaged in providing insurance pursuant to a reinsurance agreement.

(3)

Safeguards for insurance customers

In carrying out subsection (b) with respect to an entity engaged in providing insurance, a State insurance authority shall establish the standards for safeguarding customer information maintained by entities engaged in activities described in section 4(k)(4)(B) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(4)(k)(4)(B)) that are the same as the standards contained in the interagency guidelines issued by the Comptroller of the Currency, the Board of Governors of the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision titled "Interagency Guidelines Establishing Standards for Safeguarding Customer Information", published February 1, 2001 (66 Fed. Reg. 8633), and such standards shall be applied as if the entity engaged in providing insurance was a bank to the extent appropriate and practicable.

.

3.

Preemption with respect to financial institution safeguards

Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is amended to read as follows:

507.

Relation to State laws

(a)

In general

This subtitle preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State, or political subdivision of a State, with respect to a financial institution or affiliate thereof securing personal information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data.

(b)

Insurance

Subsection (a) shall not prevent a State or political subdivision of a State from establishing the standards for entities engaged in providing insurance required by sections 501(c) and 501(d), provided the standards established by such State or political subdivision do not impose any requirement that is in addition to or different from those standards, except where necessary to effectuate the purposes of this subtitle.

.
