Data Security and Breach Notification Act


8/6/2019 Data Security and Breach Notification Act

II

[STAFF WORKING DRAFT]

JUNE 15, 2011

112TH CONGRESS, 1ST SESSION
S.

To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.

IN THE SENATE OF THE UNITED STATES

JUNE , 2011

Mr. PRYOR (for himself and Mr. ROCKEFELLER) introduced the following bill; which was read twice and referred to the Committee on

A BILL

To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE
June 15, 2011 (2:01 p.m.)

SECTION 1. SHORT TITLE.

This Act may be cited as the "Data Security and Breach Notification Act of 2011".

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

(a) GENERAL SECURITY POLICIES AND PROCEDURES.

(1) REGULATIONS. Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require every covered entity that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration:

(A) the size of, and the nature, scope, and complexity of the activities engaged in by, such covered entity;

(B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and

(C) the cost of implementing such safeguards.

(2) REQUIREMENTS. Such regulations shall require the policies and procedures to include the following:

(A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.

(B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.

(C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by such covered entity that contains such data, which shall include regular monitoring for a breach of security of such system or systems.

(D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.

(E) A process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable.

(F) A standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.

(3) TREATMENT OF ENTITIES GOVERNED BY OTHER LAW. Any covered entity that is in compliance with any other Federal law that requires such covered entity to maintain standards and safeguards for information security and protection of personal information that, taken as a whole and as the Commission shall determine in the rulemaking required under paragraph (1), provide protections substantially similar to, or greater than, those required under this subsection, shall be deemed to be in compliance with this subsection.

(b) SPECIAL REQUIREMENTS FOR INFORMATION BROKERS.

(1) SUBMISSION OF POLICIES TO THE FTC. The regulations promulgated under subsection (a) shall require each information broker to submit its security policies to the Commission in conjunction with a notification of a breach of security under section 3 or upon request of the Commission.

(2) POST-BREACH AUDIT. For any information broker required to provide notification of a security breach under section 3, the Commission may conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker's security practices during the preceding 5 years).

(3) ACCURACY OF AND INDIVIDUAL ACCESS TO PERSONAL INFORMATION.

(A) ACCURACY.

(i) IN GENERAL. Each information broker shall establish reasonable procedures to assure the maximum possible accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles, or maintains that specifically identifies an individual, other than information which merely identifies an individual's name or address.

(ii) LIMITED EXCEPTION FOR FRAUD DATABASES. The requirement in clause (i) shall not prevent the collection or maintenance of information that may be inaccurate with respect to a particular individual when that information is being collected or maintained solely:

(I) for the purpose of indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual; and

(II) to help identify, or authenticate the identity of, an individual, or to protect against or investigate fraud or other unlawful conduct.

(B) CONSUMER ACCESS TO INFORMATION.

(i) ACCESS. Each information broker shall:

(I) provide to each individual whose personal information it maintains, at the individual's request at least 1 time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review any personal information regarding such individual maintained by the information broker and any other information maintained by the information broker that specifically identifies such individual, other than information which merely identifies an individual's name or address; and

(II) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under subclause (I), and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes under clause (iii).

(ii) DISPUTED INFORMATION. Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, shall:

(I) correct any inaccuracy; or

(II)(aa) in the case of information that is public record information, inform the individual of the source of the information, and, if reasonably available, where a request for correction may be directed and, if the individual provides proof that the public record has been corrected or that the information broker was reporting the information incorrectly, correct the inaccuracy in the information broker's records; or

(bb) in the case of information that is non-public information, note the information that is disputed, including the individual's statement disputing such information, and take reasonable steps to independently verify such information under the procedures outlined in subparagraph (A) if such information can be independently verified.

(iii) ALTERNATIVE PROCEDURE FOR CERTAIN MARKETING INFORMATION. In accordance with regulations issued under clause (v), an information broker that maintains any information described in clause (i) which is used, shared, or sold by such information broker for marketing purposes, may, in lieu of complying with the access and dispute requirements set forth in clauses (i) and (ii), provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual's information for marketing purposes.

(iv) LIMITATIONS. An information broker may limit the access to information required under subparagraph (B)(i)(I) and is not required to provide notice to individuals as required under subparagraph (B)(i)(II) in the following circumstances:

(I) If access of the individual to the information is limited by law or legally recognized privilege.

(II) If the information is used for a legitimate governmental, child protection, or fraud prevention purpose that would be compromised by such access.

(III) If the information consists of a published media record, unless that record has been included in a report about an individual shared with a third party.

(v) RULEMAKING. Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to carry out this paragraph and to facilitate the purposes of this Act. In addition, the Commission shall issue regulations, as necessary, under section 553 of title 5, United States Code, on the scope of the application of the limitations in clause (iv), including any additional circumstances in which an information broker may limit access to information under such clause that the Commission determines to be appropriate.

(C) FCRA REGULATED PERSONS. Any information broker who is engaged in activities subject to the Fair Credit Reporting Act and who is in compliance with sections 609, 610, and 611 of such Act with respect to information subject to such Act, shall be deemed to be in compliance with this paragraph with respect to such information.

(4) REQUIREMENT OF AUDIT LOG OF ACCESSED AND TRANSMITTED INFORMATION. Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require information brokers to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information collected, assembled, or maintained by such information broker. The Commission may provide exceptions to such requirements for the purposes of furthering or protecting law enforcement or national security activities.

(5) PROHIBITION ON PRETEXTING BY INFORMATION BROKERS.

(A) PROHIBITION ON OBTAINING PERSONAL INFORMATION BY FALSE PRETENSES. It shall be unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by:

(i) making a false, fictitious, or fraudulent statement or representation to any person; or

(ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.

(B) PROHIBITION ON SOLICITATION TO OBTAIN PERSONAL INFORMATION UNDER FALSE PRETENSES. It shall be unlawful for an information broker to request a person to obtain personal information or any other information relating to any other person, if the information broker knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subparagraph (A).

(c) EXEMPTION FOR CERTAIN SERVICE PROVIDERS. Nothing in this section shall apply to a service provider for any electronic communication by a third party to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication.

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

(a) NATIONWIDE NOTIFICATION. Any covered entity that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such covered entity that contains such data:

(1) notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security; and

(2) notify the Commission.

(b) SPECIAL NOTIFICATION REQUIREMENTS.

(1) THIRD PARTY AGENTS. In the event of a breach of security of the system maintained by any third party entity that has been contracted to maintain or process data in electronic form containing personal information on behalf of any other covered entity who owns or possesses such data, such third party entity shall be required to notify such covered entity of the breach of security. Upon receiving such notification from such third party, such covered entity shall provide the notification required under subsection (a).

(2) SERVICE PROVIDERS. If a service provider becomes aware of a breach of security of data in electronic form containing personal information that is owned or possessed by another covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, such service provider shall be required to notify of such a breach of security only the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified. Upon receiving such notification from a service provider, such covered entity shall provide the notification required under subsection (a).

(3) COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES. If a covered entity is required to provide notification to more than 5,000 individuals under subsection (a)(1), the covered entity also shall notify the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing and distribution of the notices. Such notice shall be given to the credit reporting agencies without unreasonable delay and, if it will not delay notice to the affected individuals, prior to the distribution of notices to the affected individuals.

(c) TIMELINESS OF NOTIFICATION.

(1) IN GENERAL. Unless subject to a delay authorized under paragraph (2), a notification required under subsection (a) shall be made not later than 60 days following the discovery of a breach of security, unless the covered entity providing notice can show that providing notice within such a time frame is not feasible due to circumstances necessary to accurately identify affected consumers, or to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system, in which case such notification shall be made as promptly as possible.

(2) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT OR NATIONAL SECURITY PURPOSES.

(A) LAW ENFORCEMENT. If a Federal, State, or local law enforcement agency determines that the notification required under this section would impede a civil or criminal investigation, such notification shall be delayed upon the written request of the law enforcement agency for 30 days or such lesser period of time which the law enforcement agency determines is reasonably necessary and requests in writing. A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.

(B) NATIONAL SECURITY. If a Federal national security agency or homeland security agency determines that the notification required under this section would threaten national or homeland security, such notification may be delayed for a period of time which the national security agency or homeland security agency determines is reasonably necessary and requests in writing. A Federal national security agency or homeland security agency may revoke such delay or extend the period of time set forth in the original request made under this paragraph by a subsequent written request if further delay is necessary.

(d) METHOD AND CONTENT OF NOTIFICATION.

(1) DIRECT NOTIFICATION.

(A) METHOD OF NOTIFICATION. A covered entity required to provide notification to individuals under subsection (a)(1) shall be in compliance with such requirement if the covered entity provides conspicuous and clearly identified notification by one of the following methods (provided the selected method can reasonably be expected to reach the intended individual):

(i) Written notification.

(ii) Notification by e-mail or other electronic means, if:

(I) the covered entity's primary method of communication with the individual is by e-mail or such other electronic means; or

(II) the individual has consented to receive such notification and the notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global Commerce Act (15 U.S.C. 7001).

(B) CONTENT OF NOTIFICATION. Regardless of the method by which notification is provided to an individual under subparagraph (A), such notification shall include:

(i) the date, estimated date, or estimated date range of the breach of security;

(ii) a description of the personal information that was acquired or accessed by an unauthorized person;

(iii) a telephone number that the individual may use, at no cost to such individual, to contact the covered entity to inquire about the breach of security or the information the covered entity maintained about that individual;

(iv) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions to the individual on requesting such reports or service from the covered entity, except when the only information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code;

(v) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and

(vi) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.

(2) SUBSTITUTE NOTIFICATION.

(A) CIRCUMSTANCES GIVING RISE TO SUBSTITUTE NOTIFICATION. A covered entity required to provide notification to individuals under subsection (a)(1) may provide substitute notification in lieu of the direct notification required by paragraph (1) if the covered entity owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals and such direct notification is not feasible due to:

(i) excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A); or

(ii) lack of sufficient contact information for the individual required to be notified.

(B) FORM OF SUBSTITUTE NOTIFICATION. Such substitute notification shall include:

(i) e-mail notification to the extent that the covered entity has e-mail addresses of individuals to whom it is required to provide notification under subsection (a)(1);

  • 8/6/2019 Data Security and Breach Notification Act

    21/41

    21

    S IS

    (ii) a conspicuous notice on the Inter-1

    net website of the covered entity (if such2

    covered entity maintains such a website);3

    and4

    (iii) notification in print and to broad-5

    cast media, including major media in met-6

    ropolitan and rural areas where the indi-7

    viduals whose personal information was ac-8

    quired reside.9

    (C) CONTENT OF SUBSTITUTE NOTICE.10

    Each form of substitute notice under this para-11

    graph shall include12

    (i) notice that individuals whose per-13

    sonal information is included in the breach14

    of security are entitled to receive, at no15

    cost to the individuals, consumer credit re-16

    ports on a quarterly basis for a period of17

    2 years, or credit monitoring or other serv-18

    ice that enables consumers to detect the19

    misuse of their personal information for a20

    period of 2 years, and instructions on re-21

    questing such reports or service from the22

    covered entity, except when the only infor-23

    mation which has been the subject of the24

    security breach is the individuals first25

    S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE

    June 15, 2011 (2:01 p.m.)

  • 8/6/2019 Data Security and Breach Notification Act

    22/41

    22

    S IS

    name or initial and last name, or address,1

    or phone number, in combination with a2

    credit or debit card number, and any re-3

    quired security code; and4

    (ii) a telephone number by which an5

    individual can, at no cost to such indi-6

    vidual, learn whether that individuals per-7

    sonal information is included in the breach8

    of security.9

    (3) REGULATIONS AND GUIDANCE.10

    (A) REGULATIONS.Not later than 1 year11

    after the date of enactment of this Act, the12

    Commission shall, by regulation under section13

    553 of title 5, United States Code, establish cri-14

    teria for determining circumstances under15

    which substitute notification may be provided16

    under paragraph (2), including criteria for de-17

    termining if notification under paragraph (1) is18

    not feasible due to excessive costs to the cov-19

    ered entity required to provided such notifica-20

    tion relative to the resources of such covered21

    entity. Such regulations may also identify other22

    circumstances where substitute notification23

    would be appropriate for any covered entity, in-24

    cluding circumstances under which the cost of25

    S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE

    June 15, 2011 (2:01 p.m.)

  • 8/6/2019 Data Security and Breach Notification Act

    23/41

    23

    S IS

    providing notification exceeds the benefits to1

    consumers.2

    (B) GUIDANCE.In addition, the Commis-3

    sion shall provide and publish general guidance4

    with respect to compliance with this subsection.5

    Such guidance shall include6

    (i) a description of written or e-mail7

    notification that complies with the require-8

    ments of paragraph (1); and9

    (ii) guidance on the content of sub-10

    stitute notification under paragraph (2),11

    including the extent of notification to print12

    and broadcast media that complies with13

    the requirements of such paragraph.14

    (e) OTHER OBLIGATIONS FOLLOWING BREACH.15

    (1) IN GENERAL.A covered entity required to16

    provide notification under subsection (a) shall, upon17

request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual:

(A) consumer credit reports from at least one of the major credit reporting agencies beginning not later than 60 days following the individual's request and continuing on a quarterly basis for a period of 2 years thereafter; or

(B) a credit monitoring or other service that enables consumers to detect the misuse of their personal information, beginning not later than 60 days following the individual's request and continuing for a period of 2 years.

(2) LIMITATION. This subsection shall not apply if the only personal information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code.

(3) RULEMAKING. As part of the Commission's rulemaking described in subsection (d)(3), the Commission shall:

(A) determine the circumstances under which a covered entity required to provide notification under subsection (a)(1) shall provide or arrange for the provision of free consumer credit reports or credit monitoring or other service to affected individuals; and

(B) establish a simple process under which a covered entity that is a small business or small non-profit organization may request a partial waiver or a modified or alternative means of responding if providing or arranging for such reports, monitoring, or service is not feasible due to excessive costs relative to the resources of the small business or small non-profit entity and the level of harm to consumers caused by the data breach.

(f) EXEMPTION.

(1) GENERAL EXEMPTION. A covered entity shall be exempt from the requirements under this section if, following a breach of security, such covered entity determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.

(2) PRESUMPTION.

(A) IN GENERAL. If the data in electronic form containing personal information is rendered unusable, unreadable, or indecipherable through a security technology or methodology (if the technology or methodology is generally accepted by experts in the information security field), there shall be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the security technologies or methodologies in a specific case have been or are reasonably likely to be compromised.

(B) METHODOLOGIES OR TECHNOLOGIES. Not later than 1 year after the date of the enactment of this Act and biannually thereafter, the Commission, after consultation with the National Institute of Standards and Technology, shall issue rules (pursuant to section 553 of title 5, United States Code) or guidance to identify security methodologies or technologies, such as encryption, which render data in electronic form unusable, unreadable, or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology in a specific case has been or is reasonably likely to be compromised. In issuing such rules or guidance, the Commission also shall consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.

(3) FTC GUIDANCE. Not later than 1 year after the date of the enactment of this Act the Commission, after consultation with the National Institute of Standards and Technology, shall issue guidance regarding the application of the exemption in paragraph (1).

(g) WEBSITE NOTICE OF FEDERAL TRADE COMMISSION. If the Commission, upon receiving notification of any breach of security that is reported to the Commission under subsection (a)(2), finds that notification of such a breach of security via the Commission's Internet website would be in the public interest or for the protection of consumers, the Commission shall place such a notice in a clear and conspicuous location on its Internet website.

(h) FTC STUDY ON NOTIFICATION IN LANGUAGES IN ADDITION TO ENGLISH. Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the practicality and cost effectiveness of requiring the notification required by subsection (d)(1) to be provided in a language in addition to English to individuals known to speak only such other language.

(i) GENERAL RULEMAKING AUTHORITY. The Commission may promulgate regulations necessary under section 553 of title 5, United States Code, to effectively enforce the requirements of this section.

(j) TREATMENT OF PERSONS GOVERNED BY OTHER LAW. A covered entity who is in compliance with any other Federal law that requires such covered entity to provide notification to individuals following a breach of security, and that, taken as a whole, provides protections substantially similar to, or greater than, those required under this section, as the Commission shall determine by rule (under section 553 of title 5, United States Code), shall be deemed to be in compliance with this section.

SEC. 4. APPLICATION AND ENFORCEMENT.

(a) GENERAL APPLICATION. The requirements of sections 2 and 3 apply to:

(1) those persons, partnerships, or corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and

(2) notwithstanding section 4 and section 5(a)(2) of that Act (15 U.S.C. 44 and 45(a)(2)), any non-profit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of such Code.

(b) ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES. A violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

(2) POWERS OF COMMISSION. The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any covered entity who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act.

(3) LIMITATION. In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.

(c) ENFORCEMENT BY STATE ATTORNEYS GENERAL.

(1) CIVIL ACTION. In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any covered entity who violates section 2 or 3 of this Act, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction:

(A) to enjoin further violation of such section by the defendant;

(B) to compel compliance with such section;

(C) to obtain damages, restitution, or other compensation on behalf of such residents, or to obtain such further and other relief as the court may deem appropriate; or

(D) to obtain civil penalties in the amount determined under paragraph (2).

(2) CIVIL PENALTIES.

(A) CALCULATION.

(i) TREATMENT OF VIOLATIONS OF SECTION 2. For purposes of paragraph (1)(D) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of days that a covered entity is not in compliance with such section by an amount not greater than $11,000.

(ii) TREATMENT OF VIOLATIONS OF SECTION 3. For purposes of paragraph (1)(D) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation.

(B) ADJUSTMENT FOR INFLATION. Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter,

[Page 32 of the 41-page transcript is missing; the text resumes mid-sentence.]

instituting such action. The Commission shall have the right:

(i) to intervene in the action;

(ii) upon so intervening, to be heard on all matters arising therein; and

(iii) to file petitions for appeal.

(B) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING. If the Commission has instituted a civil action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.

(4) CONSTRUCTION. For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to:

(A) conduct investigations;

(B) administer oaths or affirmations; or

(C) compel the attendance of witnesses or the production of documentary and other evidence.

(d) AFFIRMATIVE DEFENSE FOR A VIOLATION OF SECTION 3.

(1) IN GENERAL. It shall be an affirmative defense to an enforcement action brought under subsection (b), or a civil action brought under subsection (c), based on a violation of section 3, that all of the personal information contained in the data in electronic form that was acquired or accessed as a result of a breach of security of the defendant is public record information that is lawfully made available to the general public from Federal, State, or local government records and was acquired by the defendant from such records.

(2) NO EFFECT ON OTHER REQUIREMENTS. Nothing in this subsection shall be construed to exempt any covered entity from the requirement to notify the Commission of a breach of security as required under section 3(a).

SEC. 5. DEFINITIONS.

In this Act the following definitions apply:

(1) BREACH OF SECURITY. The term "breach of security" means unauthorized access to or acquisition of data in electronic form containing personal information.

(2) COMMISSION. The term "Commission" means the Federal Trade Commission.

(3) COVERED ENTITY. The term "covered entity" means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity, and any charitable, educational, or nonprofit organization, that acquires, maintains, or utilizes personal information.

(4) DATA IN ELECTRONIC FORM. The term "data in electronic form" means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

(5) ENCRYPTION. The term "encryption" means the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.
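Section 3(f)(2) and the definition of "encryption" just above reduce, for an incident responder, to two questions of fact: was the stolen data protected by a method adopted by an established standards setting body so that it is indecipherable without the key, and was the key kept apart from the data and not exposed in the same incident (which is what a rebuttal by "facts demonstrating that ... [the] methodology or technology ... has been ... compromised" looks like in practice). The following Go program is an added example, not part of the bill or of any Commission rule or guidance. It seals a constructed record of personal information with AES-256-GCM (NIST SP 800-38D) from Go's standard library, keeps the key outside the stored envelope, and provides a Recoverable check that asks exactly the presumption's question: does the material the intruder actually obtained decrypt the record? The record values, the Envelope type and the function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Record is a constructed example of "personal information" as the bill
// defines it: a name in combination with an SSN and a financial account number.
type Record struct {
	Name    string `json:"name"`
	SSN     string `json:"ssn"`
	Account string `json:"account"`
}

// Envelope is all that the breached datastore holds. The key lives elsewhere
// (a KMS or HSM); that separation is the key management the definition requires.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the 16-byte authentication tag appended
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM (NIST SP 800-38D), a methodology
// adopted by an established standards setting body.
func Seal(key []byte, r Record) (Envelope, error) {
	plain, err := json.Marshal(r)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh for every record
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open decrypts and authenticates; a wrong key or a modified ciphertext is an error, not garbage.
func Open(key []byte, e Envelope) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return Record{}, err
	}
	var r Record
	err = json.Unmarshal(plain, &r)
	return r, err
}

// Recoverable is the rebuttal test of sec. 3(f)(2)(A) made concrete: given exactly
// what the intruder obtained (the envelope plus whatever key material also leaked),
// can the record be deciphered? True means the presumption fails and notice is owed.
func Recoverable(stolen Envelope, leakedKeys [][]byte) bool {
	for _, k := range leakedKeys {
		if _, err := Open(k, stolen); err == nil {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	rec := Record{Name: "Jane Q. Public", SSN: "123-45-6789", Account: "4111111111111111"} // constructed
	env, err := Seal(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("recoverable from envelope alone:", Recoverable(env, nil))           // false
	fmt.Println("recoverable when key also leaked:", Recoverable(env, [][]byte{key})) // true
}
```

The design point for a responder: the presumption is a claim about the adversary's key material, not about whether an asset inventory says "encrypted". If the key sat in the same database, the same backup, or the same compromised service account as the ciphertext, Recoverable returns true, the presumption is rebutted, and notification under this section is owed as if the data had been in the clear.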

(6) IDENTITY THEFT. The term "identity theft" means the unauthorized use of another person's personal information for the purpose of engaging in commercial transactions under the name of such other person.

(7) INFORMATION BROKER. The term "information broker":

(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and

(B) does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party directly or through parties acting on its behalf to: (1) provide benefits for its employees; or (2) directly transact business with its customers.

(8) MAJOR CREDIT REPORTING AGENCY. The term "major credit reporting agency" means a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis within the meaning of section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

(9) PERSONAL INFORMATION.

(A) DEFINITION. The term "personal information" means an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

(i) Social Security number.

(ii) Driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.

(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.

(B) MODIFIED DEFINITION BY RULEMAKING. The Commission may, by rule promulgated under section 553 of title 5, United States Code, modify the definition of personal information under subparagraph (A):

(i) for the purpose of section 2 to the extent that such modification will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act; or

(ii) for the purpose of section 3, to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.

(10) PUBLIC RECORD INFORMATION. The term "public record information" means information about an individual which has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.

(11) NON-PUBLIC INFORMATION. The term "non-public information" means information about an individual that is of a private nature and neither available to the general public nor obtained from a public record.

(12) SERVICE PROVIDER. The term "service provider" means a covered entity that provides electronic data transmission, routing, intermediate and transient storage, or connections to its system or network, where the covered entity providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and such covered entity transmits, routes, stores, or provides connections for personal information in a manner that personal information is undifferentiated from other types of data that such covered entity transmits, routes, stores, or provides connections. Any such covered entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage or connections.

SEC. 6. EFFECT ON OTHER LAWS.

(a) PREEMPTION OF STATE INFORMATION SECURITY LAWS. This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly:

(1) requires information security practices and treatment of data containing personal information similar to any of those required under section 2; and

(2) requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information.

(b) ADDITIONAL PREEMPTION.

(1) IN GENERAL. No person other than a person specified in section 4(c) may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.

(2) PROTECTION OF CONSUMER PROTECTION LAWS. Except as provided in subsection (a) of this section, this subsection shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.

(c) PROTECTION OF CERTAIN STATE LAWS. This Act shall not be construed to preempt the applicability of:

(1) State trespass, contract, or tort law; or

(2) other State laws to the extent that those laws relate to acts of fraud.

(d) PRESERVATION OF FTC AUTHORITY. Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law.

SEC. 7. EFFECTIVE DATE.

This Act shall take effect 1 year after the date of enactment of this Act.

SEC. 8. AUTHORIZATION OF APPROPRIATIONS.

There are authorized to be appropriated to the Commission $1,000,000 for each of fiscal years 2012 through 2016 to carry out this Act.