Data Security and Breach Notification Act
8/6/2019 Data Security and Breach Notification Act
1/41
II
[STAFF WORKING DRAFT]
JUNE 15, 2011
112TH CONGRESS, 1ST SESSION
S.
To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.
IN THE SENATE OF THE UNITED STATES
JUNE , 2011
Mr. PRYOR (for himself and Mr. ROCKEFELLER) introduced the following bill; which was read twice and referred to the Committee on
A BILL
To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE
June 15, 2011 (2:01 p.m.)
S IS
SECTION 1. SHORT TITLE.
This Act may be cited as the "Data Security and Breach Notification Act of 2011".
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
  (a) GENERAL SECURITY POLICIES AND PROCEDURES.
    (1) REGULATIONS. Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require every covered entity that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration
      (A) the size of, and the nature, scope, and complexity of the activities engaged in by, such covered entity;
      (B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
      (C) the cost of implementing such safeguards.
    (2) REQUIREMENTS. Such regulations shall require the policies and procedures to include the following:
      (A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.
      (B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
      (C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by such covered entity that contains such data, which shall include regular monitoring for a breach of security of such system or systems.
      (D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.
      (E) A process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable.
      (F) A standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.
    (3) TREATMENT OF ENTITIES GOVERNED BY OTHER LAW. Any covered entity that is in compliance with any other Federal law that requires such covered entity to maintain standards and safeguards for information security and protection of personal information that, taken as a whole and as the Commission shall determine in the rulemaking required under paragraph (1), provide protections substantially similar to, or greater than, those required under this subsection, shall be deemed to be in compliance with this subsection.
  (b) SPECIAL REQUIREMENTS FOR INFORMATION BROKERS.
    (1) SUBMISSION OF POLICIES TO THE FTC. The regulations promulgated under subsection (a) shall require each information broker to submit its security policies to the Commission in conjunction with a notification of a breach of security under section 3 or upon request of the Commission.
    (2) POST-BREACH AUDIT. For any information broker required to provide notification of a security breach under section 3, the Commission may conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker's security practices during the preceding 5 years).
    (3) ACCURACY OF AND INDIVIDUAL ACCESS TO PERSONAL INFORMATION.
      (A) ACCURACY.
        (i) IN GENERAL. Each information broker shall establish reasonable procedures to assure the maximum possible accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles, or maintains that specifically identifies an individual, other than information which merely identifies an individual's name or address.
        (ii) LIMITED EXCEPTION FOR FRAUD DATABASES. The requirement in clause (i) shall not prevent the collection or maintenance of information that may be inaccurate with respect to a particular individual when that information is being collected or maintained solely
          (I) for the purpose of indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual; and
          (II) to help identify, or authenticate the identity of, an individual, or to protect against or investigate fraud or other unlawful conduct.
      (B) CONSUMER ACCESS TO INFORMATION.
        (i) ACCESS. Each information broker shall
          (I) provide to each individual whose personal information it maintains, at the individual's request at least 1 time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review any personal information regarding such individual maintained by the information broker and any other information maintained by the information broker that specifically identifies such individual, other than information which merely identifies an individual's name or address; and
          (II) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under subclause (I), and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes under clause (iii).
        (ii) DISPUTED INFORMATION. Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, shall
          (I) correct any inaccuracy; or
          (II)(aa) in the case of information that is public record information, inform the individual of the source of the information, and, if reasonably available, where a request for correction may be directed and, if the individual provides proof that the public record has been corrected or that the information broker was reporting the information incorrectly, correct the inaccuracy in the information broker's records; or
          (bb) in the case of information that is non-public information, note the information that is disputed, including the individual's statement disputing such information, and take reasonable steps to independently verify such information under the procedures outlined in subparagraph (A) if such information can be independently verified.
        (iii) ALTERNATIVE PROCEDURE FOR CERTAIN MARKETING INFORMATION. In accordance with regulations issued under clause (v), an information broker that maintains any information described in clause (i) which is used, shared, or sold by such information broker for marketing purposes, may, in lieu of complying with the access and dispute requirements set forth in clauses (i) and (ii), provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual's information for marketing purposes.
        (iv) LIMITATIONS. An information broker may limit the access to information required under subparagraph (B)(i)(I) and is not required to provide notice to individuals as required under subparagraph (B)(i)(II) in the following circumstances:
          (I) If access of the individual to the information is limited by law or legally recognized privilege.
          (II) If the information is used for a legitimate governmental, child protection, or fraud prevention purpose that would be compromised by such access.
          (III) If the information consists of a published media record, unless that record has been included in a report about an individual shared with a third party.
        (v) RULEMAKING. Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to carry out this paragraph and to facilitate the purposes of this Act. In addition, the Commission shall issue regulations, as necessary, under section 553 of title 5, United States Code, on the scope of the application of the limitations in clause (iv), including any additional circumstances in which an information broker may limit access to information under such clause that the Commission determines to be appropriate.
      (C) FCRA REGULATED PERSONS. Any information broker who is engaged in activities subject to the Fair Credit Reporting Act and who is in compliance with sections 609, 610, and 611 of such Act with respect to information subject to such Act, shall be deemed to be in compliance with this paragraph with respect to such information.
    (4) REQUIREMENT OF AUDIT LOG OF ACCESSED AND TRANSMITTED INFORMATION. Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require information brokers to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information collected, assembled, or maintained by such information broker. The Commission may provide exceptions to such requirements for the purposes of furthering or protecting law enforcement or national security activities.
    (5) PROHIBITION ON PRETEXTING BY INFORMATION BROKERS.
      (A) PROHIBITION ON OBTAINING PERSONAL INFORMATION BY FALSE PRETENSES. It shall be unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by
        (i) making a false, fictitious, or fraudulent statement or representation to any person; or
        (ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.
      (B) PROHIBITION ON SOLICITATION TO OBTAIN PERSONAL INFORMATION UNDER FALSE PRETENSES. It shall be unlawful for an information broker to request a person to obtain personal information or any other information relating to any other person, if the information broker knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subparagraph (A).
  (c) EXEMPTION FOR CERTAIN SERVICE PROVIDERS. Nothing in this section shall apply to a service provider for any electronic communication by a third party to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication.
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
  (a) NATIONWIDE NOTIFICATION. Any covered entity that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such covered entity that contains such data
    (1) notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security; and
    (2) notify the Commission.
  (b) SPECIAL NOTIFICATION REQUIREMENTS.
    (1) THIRD PARTY AGENTS. In the event of a breach of security of the system maintained by any third party entity that has been contracted to maintain or process data in electronic form containing personal information on behalf of any other covered entity who owns or possesses such data, such third party entity shall be required to notify such covered entity of the breach of security. Upon receiving such notification from such third party, such covered entity shall provide the notification required under subsection (a).
    (2) SERVICE PROVIDERS. If a service provider becomes aware of a breach of security of data in electronic form containing personal information that is owned or possessed by another covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, such service provider shall be required to notify of such a breach of security only the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified. Upon receiving such notification from a service provider, such covered entity shall provide the notification required under subsection (a).
    (3) COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES. If a covered entity is required to provide notification to more than 5,000 individuals under subsection (a)(1), the covered entity also shall notify the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing and distribution of the notices. Such notice shall be given to the credit reporting agencies without unreasonable delay and, if it will not delay notice to the affected individuals, prior to the distribution of notices to the affected individuals.
  (c) TIMELINESS OF NOTIFICATION.
    (1) IN GENERAL. Unless subject to a delay authorized under paragraph (2), a notification required under subsection (a) shall be made not later than 60 days following the discovery of a breach of security, unless the covered entity providing notice can show that providing notice within such a time frame is not feasible due to circumstances necessary to accurately identify affected consumers, or to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system, in which case such notification shall be made as promptly as possible.
    (2) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT OR NATIONAL SECURITY PURPOSES.
      (A) LAW ENFORCEMENT. If a Federal, State, or local law enforcement agency determines that the notification required under this section would impede a civil or criminal investigation, such notification shall be delayed upon the written request of the law enforcement agency for 30 days or such lesser period of time which the law enforcement agency determines is reasonably necessary and requests in writing. A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.
      (B) NATIONAL SECURITY. If a Federal national security agency or homeland security agency determines that the notification required under this section would threaten national or homeland security, such notification may be delayed for a period of time which the national security agency or homeland security agency determines is reasonably necessary and requests in writing. A Federal national security agency or homeland security agency may revoke such delay or extend the period of time set forth in the original request made under this paragraph by a subsequent written request if further delay is necessary.
  (d) METHOD AND CONTENT OF NOTIFICATION.
    (1) DIRECT NOTIFICATION.
      (A) METHOD OF NOTIFICATION. A covered entity required to provide notification to individuals under subsection (a)(1) shall be in compliance with such requirement if the covered entity provides conspicuous and clearly identified notification by one of the following methods (provided the selected method can reasonably be expected to reach the intended individual):
        (i) Written notification.
        (ii) Notification by e-mail or other electronic means, if
          (I) the covered entity's primary method of communication with the individual is by e-mail or such other electronic means; or
          (II) the individual has consented to receive such notification and the notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global Commerce Act (15 U.S.C. 7001).
      (B) CONTENT OF NOTIFICATION. Regardless of the method by which notification is provided to an individual under subparagraph (A), such notification shall include
        (i) the date, estimated date, or estimated date range of the breach of security;
        (ii) a description of the personal information that was acquired or accessed by an unauthorized person;
        (iii) a telephone number that the individual may use, at no cost to such individual, to contact the covered entity to inquire about the breach of security or the information the covered entity maintained about that individual;
        (iv) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions to the individual on requesting such reports or service from the covered entity, except when the only information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code;
        (v) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and
        (vi) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.
    (2) SUBSTITUTE NOTIFICATION.
      (A) CIRCUMSTANCES GIVING RISE TO SUBSTITUTE NOTIFICATION. A covered entity required to provide notification to individuals under subsection (a)(1) may provide substitute notification in lieu of the direct notification required by paragraph (1) if the covered entity owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals and such direct notification is not feasible due to
        (i) excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A); or
        (ii) lack of sufficient contact information for the individual required to be notified.
      (B) FORM OF SUBSTITUTE NOTIFICATION. Such substitute notification shall include
        (i) e-mail notification to the extent that the covered entity has e-mail addresses of individuals to whom it is required to provide notification under subsection (a)(1);
(ii) a conspicuous notice on the Inter-1
net website of the covered entity (if such2
covered entity maintains such a website);3
and4
(iii) notification in print and to broad-5
cast media, including major media in met-6
ropolitan and rural areas where the indi-7
viduals whose personal information was ac-8
quired reside.9
(C) CONTENT OF SUBSTITUTE NOTICE.10
Each form of substitute notice under this para-11
graph shall include12
(i) notice that individuals whose per-13
sonal information is included in the breach14
of security are entitled to receive, at no15
cost to the individuals, consumer credit re-16
ports on a quarterly basis for a period of17
2 years, or credit monitoring or other serv-18
ice that enables consumers to detect the19
misuse of their personal information for a20
period of 2 years, and instructions on re-21
questing such reports or service from the22
covered entity, except when the only infor-23
mation which has been the subject of the24
security breach is the individuals first25
S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE
June 15, 2011 (2:01 p.m.)
-
8/6/2019 Data Security and Breach Notification Act
22/41
22
S IS
name or initial and last name, or address,1
or phone number, in combination with a2
credit or debit card number, and any re-3
quired security code; and4
(ii) a telephone number by which an5
individual can, at no cost to such indi-6
vidual, learn whether that individuals per-7
sonal information is included in the breach8
of security.9
(3) REGULATIONS AND GUIDANCE.10
(A) REGULATIONS.Not later than 1 year11
after the date of enactment of this Act, the12
Commission shall, by regulation under section13
553 of title 5, United States Code, establish cri-14
teria for determining circumstances under15
which substitute notification may be provided16
under paragraph (2), including criteria for de-17
termining if notification under paragraph (1) is18
not feasible due to excessive costs to the cov-19
ered entity required to provided such notifica-20
tion relative to the resources of such covered21
entity. Such regulations may also identify other22
circumstances where substitute notification23
would be appropriate for any covered entity, in-24
cluding circumstances under which the cost of25
S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE
June 15, 2011 (2:01 p.m.)
-
8/6/2019 Data Security and Breach Notification Act
23/41
23
S IS
providing notification exceeds the benefits to1
consumers.2
(B) GUIDANCE.In addition, the Commis-3
sion shall provide and publish general guidance4
with respect to compliance with this subsection.5
Such guidance shall include6
(i) a description of written or e-mail7
notification that complies with the require-8
ments of paragraph (1); and9
(ii) guidance on the content of sub-10
stitute notification under paragraph (2),11
including the extent of notification to print12
and broadcast media that complies with13
the requirements of such paragraph.14
(e) OTHER OBLIGATIONS FOLLOWING BREACH.15
(1) IN GENERAL.A covered entity required to16
provide notification under subsection (a) shall, upon17
request of an individual whose personal information18
was included in the breach of security, provide or ar-19
range for the provision of, to each such individual20
and at no cost to such individual21
(A) consumer credit reports from at least22
one of the major credit reporting agencies be-23
ginning not later than 60 days following the in-24
S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE
June 15, 2011 (2:01 p.m.)
-
8/6/2019 Data Security and Breach Notification Act
24/41
24
S IS
dividuals request and continuing on a quarterly1
basis for a period of 2 years thereafter; or2
(B) a credit monitoring or other service3
that enables consumers to detect the misuse of4
their personal information, beginning not later5
than 60 days following the individuals request6
and continuing for a period of 2 years.7
(2) LIMITATION.This subsection shall not8
apply if the only personal information which has9
been the subject of the security breach is the individ-10
uals first name or initial and last name, or address,11
or phone number, in combination with a credit or12
debit card number, and any required security code.13
(3) RULEMAKING.As part of the Commis-14
sions rulemaking described in subsection (d)(3), the15
Commission shall16
(A) determine the circumstances under17
which a covered entity required to provide noti-18
fication under subsection (a)(1) shall provide or19
arrange for the provision of free consumer cred-20
it reports or credit monitoring or other service21
to affected individuals; and22
(B) establish a simple process under which23
a covered entity that is a small business or24
small non-profit organization may request a25
S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE
June 15, 2011 (2:01 p.m.)
-
8/6/2019 Data Security and Breach Notification Act
25/41
25
S IS
partial waiver or a modified or alternative1
means of responding if providing or arranging2
for such reports, monitoring, or service is not3
feasible due to excessive costs relative to the re-4
sources of the small business or small non-prof-5
it entity and the level of harm to consumers6
caused by the data breach.7
(f) EXEMPTION.8
(1) GENERAL EXEMPTION.A covered entity9
shall be exempt from the requirements under this10
section if, following a breach of security, such cov-11
ered entity determines that there is no reasonable12
risk of identity theft, fraud, or other unlawful con-13
duct.14
(2) PRESUMPTION.15
(A) IN GENERAL.If the data in electronic16
form containing personal information is ren-17
dered unusable, unreadable, or indecipherable18
through a security technology or methodology19
(if the technology or methodology is generally20
accepted by experts in the information security21
field), there shall be a presumption that no rea-22
sonable risk of identity theft, fraud, or other23
unlawful conduct exists following a breach of24
security of such data. Any such presumption25
S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE
June 15, 2011 (2:01 p.m.)
-
8/6/2019 Data Security and Breach Notification Act
26/41
26
S IS
may be rebutted by facts demonstrating that1
the security technologies or methodologies in a2
specific case, have been or are reasonably likely3
to be compromised.4
(B) METHODOLOGIES OR TECH-5
NOLOGIES.Not later than 1 year after the6
date of the enactment of this Act and bian-7
nually thereafter, the Commission, after con-8
sultation with the National Institute of Stand-9
ards and Technology, shall issue rules (pursu-10
ant to section 553 of title 5, United States11
Code) or guidance to identify security meth-12
odologies or technologies, such as encryption,13
which render data in electronic form unusable,14
unreadable, or indecipherable, that shall, if ap-15
plied to such data, establish a presumption that16
no reasonable risk of identity theft, fraud, or17
other unlawful conduct exists following a breach18
of security of such data. Any such presumption19
may be rebutted by facts demonstrating that20
any such methodology or technology in a spe-21
cific case has been or is reasonably likely to be22
compromised. In issuing such rules or guidance,23
the Commission also shall consult with relevant24
industries, consumer organizations, and data25
S:\LEGCNSL\XYWRITE\DOR11\CN\BILL\DATASAFE
June 15, 2011 (2:01 p.m.)
-
8/6/2019 Data Security and Breach Notification Act
27/41
27
S IS
security and identity theft prevention experts1
and established standards setting bodies.2
(3) FTC GUIDANCE.Not later than 1 year3
after the date of the enactment of this Act the Com-4
mission, after consultation with the National Insti-5
tute of Standards and Technology, shall issue guid-6
ance regarding the application of the exemption in7
paragraph (1).8
(g) WEBSITE NOTICE OF FEDERAL TRADE COMMIS-9
SION.If the Commission, upon receiving notification of10
any breach of security that is reported to the Commission11
under subsection (a)(2), finds that notification of such a12
breach of security via the Commissions Internet website13
would be in the public interest or for the protection of14
consumers, the Commission shall place such a notice in15
a clear and conspicuous location on its Internet website.16
(h) FTC STUDY ON NOTIFICATION IN LANGUAGES17
IN ADDITION TO ENGLISH.Not later than 1 year after18
the date of enactment of this Act, the Commission shall19
conduct a study on the practicality and cost effectiveness20
of requiring the notification required by subsection (d)(1)21
to be provided in a language in addition to English to indi-22
viduals known to speak only such other language.23
(i) GENERAL RULEMAKING AUTHORITY. The Commission may promulgate regulations necessary under section 553 of title 5, United States Code, to effectively enforce the requirements of this section.
(j) TREATMENT OF PERSONS GOVERNED BY OTHER LAW. A covered entity who is in compliance with any other Federal law that requires such covered entity to provide notification to individuals following a breach of security, and that, taken as a whole, provides protections substantially similar to, or greater than, those required under this section, as the Commission shall determine by rule (under section 553 of title 5, United States Code), shall be deemed to be in compliance with this section.
SEC. 4. APPLICATION AND ENFORCEMENT.
(a) GENERAL APPLICATION. The requirements of sections 2 and 3 apply to
(1) those persons, partnerships, or corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); and
(2) notwithstanding section 4 and section 5(a)(2) of that Act (15 U.S.C. 44 and 45(a)(2)), any non-profit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of such Code.
(b) ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES. A violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) POWERS OF COMMISSION. The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any covered entity who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act.
(3) LIMITATION. In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.
(c) ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(1) CIVIL ACTION. In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any covered entity who violates section 2 or 3 of this Act, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction
(A) to enjoin further violation of such section by the defendant;
(B) to compel compliance with such section;
(C) to obtain damages, restitution, or other compensation on behalf of such residents, or to obtain such further and other relief as the court may deem appropriate; or
(D) to obtain civil penalties in the amount determined under paragraph (2).
(2) CIVIL PENALTIES.
(A) CALCULATION.
(i) TREATMENT OF VIOLATIONS OF SECTION 2. For purposes of paragraph (1)(D) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of days that a covered entity is not in compliance with such section by an amount not greater than $11,000.
(ii) TREATMENT OF VIOLATIONS OF SECTION 3. For purposes of paragraph (1)(D) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation.
(B) ADJUSTMENT FOR INFLATION. Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter,
[Page 32 of 41 is not present in the transcript; the text resumes mid-sentence on page 33.]
instituting such action. The Commission shall have the right
(i) to intervene in the action;
(ii) upon so intervening, to be heard on all matters arising therein; and
(iii) to file petitions for appeal.
(B) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING. If the Commission has instituted a civil action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.
(4) CONSTRUCTION. For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the production of documentary and other evidence.
(d) AFFIRMATIVE DEFENSE FOR A VIOLATION OF SECTION 3.
(1) IN GENERAL. It shall be an affirmative defense to an enforcement action brought under subsection (b), or a civil action brought under subsection (c), based on a violation of section 3, that all of the personal information contained in the data in electronic form that was acquired or accessed as a result of a breach of security of the defendant is public record information that is lawfully made available to the general public from Federal, State, or local government records and was acquired by the defendant from such records.
(2) NO EFFECT ON OTHER REQUIREMENTS. Nothing in this subsection shall be construed to exempt any covered entity from the requirement to notify the Commission of a breach of security as required under section 3(a).
SEC. 5. DEFINITIONS.
In this Act the following definitions apply:
(1) BREACH OF SECURITY. The term "breach of security" means unauthorized access to or acquisition of data in electronic form containing personal information.
(2) COMMISSION. The term "Commission" means the Federal Trade Commission.
(3) COVERED ENTITY. The term "covered entity" means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity, and any charitable, educational, or nonprofit organization, that acquires, maintains, or utilizes personal information.
(4) DATA IN ELECTRONIC FORM. The term "data in electronic form" means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
(5) ENCRYPTION. The term "encryption" means the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.
(6) IDENTITY THEFT. The term "identity theft" means the unauthorized use of another person's personal information for the purpose of engaging in commercial transactions under the name of such other person.
(7) INFORMATION BROKER. The term "information broker"
(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and
(B) does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party directly or through parties acting on its behalf to: (1) provide benefits for its employees; or (2) directly transact business with its customers.
(8) MAJOR CREDIT REPORTING AGENCY. The term "major credit reporting agency" means a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis within the meaning of section 603(p) of the Fair Credit Reporting Act (5 U.S.C. 1681a(p)).
(9) PERSONAL INFORMATION.
(A) DEFINITION. The term "personal information" means an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.
(B) MODIFIED DEFINITION BY RULEMAKING. The Commission may, by rule promulgated under section 553 of title 5, United States Code, modify the definition of personal information under subparagraph (A)
(i) for the purpose of section 2 to the extent that such modification will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act; or
(ii) for the purpose of section 3, to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.
(10) PUBLIC RECORD INFORMATION. The term "public record information" means information about an individual which has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.
(11) NON-PUBLIC INFORMATION. The term "non-public information" means information about an individual that is of a private nature and neither available to the general public nor obtained from a public record.
(12) SERVICE PROVIDER. The term "service provider" means a covered entity that provides electronic data transmission, routing, intermediate and transient storage, or connections to its system or network, where the covered entity providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and such covered entity transmits, routes, stores, or provides connections for personal information in a manner that personal information is undifferentiated from other types of data that such covered entity transmits, routes, stores, or provides connections. Any such covered entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage or connections.
SEC. 6. EFFECT ON OTHER LAWS.
(a) PREEMPTION OF STATE INFORMATION SECURITY LAWS. This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly
(1) requires information security practices and treatment of data containing personal information similar to any of those required under section 2; and
(2) requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information.
(b) ADDITIONAL PREEMPTION.
(1) IN GENERAL. No person other than a person specified in section 4(c) may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.
(2) PROTECTION OF CONSUMER PROTECTION LAWS. Except as provided in subsection (a) of this section, this subsection shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.
(c) PROTECTION OF CERTAIN STATE LAWS. This Act shall not be construed to preempt the applicability of
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate to acts of fraud.
(d) PRESERVATION OF FTC AUTHORITY. Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law.
SEC. 7. EFFECTIVE DATE.
This Act shall take effect 1 year after the date of enactment of this Act.
SEC. 8. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Commission $1,000,000 for each of fiscal years 2012 through 2016 to carry out this Act.