IN THE SENATE OF THE UNITED STATES
January 10, 2018
Ms. Warren (for herself and Mr. Warner) introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs
To create an Office of Cybersecurity at the Federal Trade Commission for supervision of data security at consumer reporting agencies, to require the promulgation of regulations establishing standards for effective cybersecurity at consumer reporting agencies, to impose penalties on credit reporting agencies for cybersecurity breaches that put sensitive consumer data at risk, and for other purposes.
This Act may be cited as the Data Breach Prevention and Compensation Act of 2018.
In this Act:
The term “career appointee” has the meaning given the term in section 3132(a) of title 5, United States Code.
The term “Commission” means the Federal Trade Commission.
The term “covered breach” means any instance in which at least 1 piece of personally identifying information is exposed or is reasonably likely to have been exposed to an unauthorized party.
Covered consumer reporting agency
The term “covered consumer reporting agency” means—
a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)); or
a consumer reporting agency that earns not less than $7,000,000 in annual revenue from the sales of consumer reports.
The term “Director” means the Director of the Office of Cybersecurity.
The term “detail” means a temporary assignment of an employee to a different position for a specified period, with the employee returning to his or her regular duties at the end of the detail.
Personally identifying information
The term “personally identifying information” means—
a Social Security number;
a driver’s license number;
a passport number;
an alien registration number or other government-issued unique identification number;
unique biometric data, such as faceprint, fingerprint, voice print, iris image, or other unique physical representations;
an individual’s first and last name or first initial and last name in combination with any information that relates to the individual’s past, present, or future physical or mental health or condition, or to the provision of health care to or diagnosis of the individual;
a financial account number, debit card number, or credit card number of the consumer; or
any passcode required to access an account described in clause (i); and
such additional information, as determined by the Director.
Cybersecurity standards and FTC authority
There is established in the Commission an Office of Cybersecurity, which shall be headed by a Director, who shall be a career appointee.
The Office of Cybersecurity shall—
supervise covered consumer reporting agencies with respect to data security;
promulgate regulations for effective data security for covered consumer reporting agencies, including regulations that require covered consumer reporting agencies to—
provide the Commission with descriptions of technical and organizational security measures, including—
system and network security measures, including—
asset management, including—
an inventory of authorized and unauthorized devices;
an inventory of authorized and unauthorized software, including application whitelisting; and
secure configurations for hardware and software;
network management and monitoring, including—
mapped data flows, including functional mission mapping;
maintenance, monitoring, and analysis of audit logs;
network segmentation; and
local and remote access privileges, defined and managed; and
application management, including—
continuous vulnerability assessment and remediation;
server application hardening;
vulnerability handling such as coordinated vulnerability disclosure policy; and
patch management, including at, or near, real-time dashboards of patch implementation across network hosts; and
data security, including—
data-centric security mechanisms such as format-preserving encryption, cryptographic data-splitting, and data-tagging and lineage;
encryption for data at rest;
encryption for data in transit;
systemwide data minimization evaluations and policies; and
data recovery capability; and
create and maintain documentation demonstrating that the covered consumer reporting agency is employing reasonable technical measures and corporate governance processes for continuous monitoring of data, intrusion detection, and continuous evaluation and timely patching of vulnerabilities;
annually examine the data security measures of covered consumer reporting agencies for compliance with the standards promulgated under subparagraph (B);
investigate any covered consumer reporting agency if the Office has reason to suspect a potential covered breach or noncompliance with the standards promulgated under subparagraph (B);
after consultation with members of the technical and academic communities, develop a rigorous, repeatable methodology for evaluating, testing, and measuring effective data security practices of covered consumer reporting agencies, that employs forms of static and dynamic software analysis and penetration testing;
submit to Congress an annual report on the findings on any investigation under subparagraph (C);
determine whether covered consumer reporting agencies are complying with the regulations promulgated under subparagraph (B); and
coordinate with the National Institute of Standards and Technology and the National Cybersecurity and Communications Integration Center of the Department of Homeland Security; and
The Commission shall—
investigate any breach to determine if the covered consumer reporting agency was in compliance with the regulations promulgated under paragraph (1)(B); and
if the Commission has reason to believe that any covered consumer reporting agency is violating, or is about to violate, a regulation promulgated under paragraph (1)(B), bring a suit in a district court of the United States to enjoin any such act or practice.
The Director shall, without regard to the civil service laws and regulations, appoint such personnel, including computer security researchers and practitioners with technical expertise in computer science, engineering, and cybersecurity, as the Director determines are necessary to carry out the duties of the Office.
An employee of the National Institute of Standards and Technology, the Bureau of Consumer Financial Protection, or the National Cybersecurity and Communications Integration Center of the Department of Homeland Security may be detailed to the Office, without reimbursement, and such detail shall be without interruption or loss of civil service status or privilege.
Notification and enforcement
Not later than 10 days after a covered breach, the covered consumer reporting agency that was subject to the covered breach shall notify the Commission of the covered breach.
In the event of a covered breach, the Commission shall, not later than 30 days after the date on which the Commission receives notification of the covered breach, commence a civil action to recover a civil penalty in a district court of the United States against the covered consumer reporting agency that was subject to the covered breach.
Determining penalty amount
Except as provided in subparagraph (B), in determining the amount of a civil penalty under paragraph (1), the court shall impose a civil penalty on a covered consumer reporting agency of—
$100 for each consumer whose first and last name, or first initial and last name, and at least 1 item of personally identifying information was compromised; and
an additional $50 for each additional item of personally identifying information compromised for each consumer.
Except as provided in clause (ii), a court may not impose a civil penalty under this subsection in an amount greater than 50 percent of the gross revenue of the covered consumer reporting agency for the previous fiscal year before the date on which the covered consumer reporting agency became aware of the covered breach.
A court shall impose a civil penalty on a covered consumer reporting agency double the penalty described in subparagraph (A), but not greater than 75 percent of the gross revenue of the covered consumer reporting agency for the previous fiscal year before the date on which the covered consumer reporting agency became aware of the covered breach if—
the covered consumer reporting agency fails to notify the Commission of a covered breach before the deadline established under subsection (a); or
the covered consumer reporting agency violates any regulation promulgated under section 3(b)(1)(C).
Proceeds of the penalties
Of the penalties assessed under this subsection—
50 percent shall be used for cybersecurity research and inspections by the Office of Cybersecurity; and
50 percent shall be used by the Commission to be divided fairly among consumers affected by the covered breach.
Nothing in this subsection shall preclude an action by a consumer under State or other Federal law.
The Commission may bring suit in a district court of the United States or in the United States court of any Territory to enjoin a covered consumer reporting agency to implement or correct a particular security measure in order to promote effective security.
Authorization of appropriations
There are authorized to be appropriated $100,000,000 to carry out this Act, to remain available until expended.