DBFDD ZDNet

ALB15691
S.L.C.
114TH CONGRESS
1ST SESSION
S. ll
To require notification of information security breaches and to enhance

penalties for cyber criminals, and for other purposes.
IN THE SENATE OF THE UNITED STATES

llllllllll
Mr. KIRK (for himself and Mrs. GILLIBRAND) introduced the following bill;
which was read twice and referred to the Committee on
llllllllll
A BILL
To require notification of information security breaches and
to enhance penalties for cyber criminals, and for other
purposes.
1
Be it enacted by the Senate and House of Representa-
2 tives of the United States of America in Congress assembled,

3
4
SECTION 1. SHORT TITLE.
This Act may be cited as the Data Breach Notifica-
5 tion and Punishing Cyber Criminals Act of 2015.

6
7
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
Each covered entity shall take reasonable measures
8 to protect and secure data in electronic form containing

9 personal information.
ALB15691
S.L.C.
2
1
2
3
4
SEC.
3.
NOTIFICATION
OF
INFORMATION
SECURITY
BREACH.
(a) NOTIFICATION.
(1) IN
GENERAL.A
covered entity that owns
or licenses data in electronic form containing per-
sonal information shall give notice of any breach of
the security of the system following discovery by the
covered entity of the breach of the security of the
system to each individual who is a citizen or resident
10
of the United States
11
(A) whose personal information was, or
12
that the covered entity reasonably believes to
13
have been, accessed and acquired by an unau-
14
thorized person; or
15
(B) who the covered entity reasonably be-
16
lieves may be at risk of identity theft, fraud, ac-
17
tual financial harm, or other unlawful conduct.
18
(2) LAW
ENFORCEMENT.
19
(A) DESIGNATION
20
TITY TO RECEIVE NOTICE.
21
(i) IN
OF A GOVERNMENT EN-
GENERAL.Not
later than 60
22
days after the date of enactment of this
23
Act, the Secretary of Homeland Security,
24
in consultation with the Attorney General,
25
shall designate a Federal Government enti-
26
ty to receive the information required to be
ALB15691
S.L.C.
3
1
submitted under this section, and any
other reports and information about infor-
mation security incidents, threats, and
vulnerabilities.
(ii) RESPONSIBILITIES
IGNATED ENTITY.The
shall
OF THE DES-
designated entity
(I) be responsible for promptly
providing the information it receives
10
to the United States Secret Service
11
and the Federal Bureau of Investiga-
12
tion, and to the Federal Trade Com-
13
mission for civil law enforcement pur-
14
poses; and
15
(II) provide the information de-
16
scribed in subclause (I) as appropriate
17
to other Federal agencies for law en-
18
forcement, national security, or data
19
security purposes.
20
(B) NOTICE.Not later than 30 days
21
after the date on which a security breach is dis-
22
covered, a covered entity shall notify the des-
23
ignated entity of the fact that the breach of se-
24
curity has occurred if
ALB15691
S.L.C.
4
1
(i) the number of individuals whose
personal information was, or is reasonably
believed to be to have been accessed and
acquired by an unauthorized person is
more than 1,000;
(ii) the security breach involves a
database, networked or integrated data-
bases, or other data system containing the
personal information of more than 250,000
10
individuals;
11
(iii) the security breach involves data-
12
bases owned by the Federal Government;
13
or
14
(iv) the security breach involves per-
15
sonal information of primarily individuals
16
known to the covered entity to be employ-
17
ees and contractors of the Federal Govern-
18
ment involved in national security or law
19
enforcement.
20
(C) FTC
REVIEW OF THRESHOLDS.
21
(i) REVIEW.Not later than 1 year
22
after the date of enactment of this Act, the
23
Federal Trade Commission, in consultation
24
with the Attorney General and the Sec-
25
retary of Homeland Security, shall promul-
ALB15691
S.L.C.
5
1
gate regulations regarding the reports re-
quired under subparagraph (A).
(ii)
RULEMAKING.The
Federal
Trade Commission, in consultation with
the Attorney General and the Secretary of
Homeland Security, after notice and the
opportunity for public comment, and in a
manner consistent with this section, shall
promulgate
regulations,
as
necessary,
10
under section 553 of title 5, United States
11
Code, to adjust the thresholds for notice to
12
law enforcement and national security au-
13
thorities under subparagraph (A) and to
14
facilitate the purposes of this section.
15
(b) SPECIAL NOTIFICATION REQUIREMENTS.
16
(1) THIRD-PARTY
17
(A) IN
AGENTS.
GENERAL.In
the event of a
18
breach of security of a system maintained by a
19
third-party entity that has been contracted to
20
maintain, store, or process data in electronic
21
form containing personal information on behalf
22
of a covered entity who owns or possesses such
23
data, the third-party entity shall notify the cov-
24
ered entity of the breach of security.
ALB15691
S.L.C.
6
1
(B) COVERED
ENTITIES WHO RECEIVE NO-
TICE FROM THIRD PARTIES.Upon
notification from a third party under subpara-
graph (A), a covered entity shall provide notifi-
cation as required under subsection (a).
(C)
VIDERS.For
service provider shall not be considered a third-
party agent.
10
(2) SERVICE
11
EXCEPTION
receiving
(A) IN
FOR
SERVICE
PRO-
purposes of this paragraph, a
PROVIDERS.
GENERAL.If
a service provider be-
12
comes aware of a breach of security involving
13
data in electronic form containing personal in-
14
formation that is owned or possessed by a cov-
15
ered entity that connects to or uses a system or
16
network provided by the service provider for the
17
purpose of transmitting, routing, or providing
18
intermediate or transient storage of such data,
19
the service provider shall notify the covered en-
20
tity who initiated such connection, transmission,
21
routing, or storage if the covered entity can be
22
reasonably identified.
23
(B) COVERED
ENTITIES WHO RECEIVE NO-
24
TICE FROM SERVICE PROVIDERS.Upon
receiv-
25
ing notification from a service provider under
ALB15691
S.L.C.
7
1
subparagraph (A), a covered entity shall provide
notification as required under subsection (a).
3
4
5
6
(c) TIMELINESS OF NOTIFICATION.

(1) NOTIFICATION
TO
AFFECTED
INDIVID-
UALS.
(A) IN
GENERAL.Unless
subject to a
delay authorized under subparagraph (B) or
paragraph (2), a notification required under
subsection (a)(1) with respect to a security
10
breach shall be made not later than 30 days
11
after date on which the security breach was dis-
12
covered, consistent with any measures necessary
13
to determine the scope of the security breach
14
and restore the reasonable integrity of the data
15
system that was breached.
16
(B) FOLLOW-UP
NOTIFICATION.Not
later
17
than 60 days after the date on which notice is
18
provided under subsection (a)(1), if a covered
19
entity has discovered additional information re-
20
lating to how a breach of security occurred (as
21
required under subsection (d)(1)(B)(iii) to be
22
included in a notification) the covered entity
23
may provide a follow-up notification to affected
24
individuals that contains the additional infor-
25
mation.
ALB15691
S.L.C.
8
1
(2) DELAY
OF NOTIFICATION AUTHORIZED FOR
LAW ENFORCEMENT OR NATIONAL SECURITY PUR-
POSES.
(A) LAW
ENFORCEMENT.If
a Federal
law enforcement agency determines that the no-
tification required under subsection (a) would
impede a civil or criminal investigation, such
notification shall be delayed upon the written
request of the law enforcement agency for any
10
period which the law enforcement agency deter-
11
mines is reasonably necessary. A law enforce-
12
ment agency may, by a subsequent written re-
13
quest, revoke such delay or extend the period
14
set forth in the original request made under
15
this subparagraph by a subsequent request if
16
further delay is necessary.
17
(B) NATIONAL
SECURITY.If
a Federal
18
national security agency or homeland security
19
agency determines that the notification required
20
under this section would threaten national or
21
homeland security, such notification may be de-
22
layed upon the written request of the national
23
security agency or homeland security agency for
24
any period which the national security agency
25
or homeland security agency determines is rea-
ALB15691
S.L.C.
9
1
sonably necessary. A Federal national security
agency or homeland security agency may revoke
such delay or extend the period set forth in the
original request made under this subparagraph
by a subsequent written request if further delay
is necessary.
7
8
9
(d) METHOD AND CONTENT OF NOTIFICATION.

(1) DIRECT
NOTIFICATION.
(A) METHOD
OF NOTIFICATION.A
cov-
10
ered entity required to provide notification to
11
an individual under subsection (a) shall be in
12
compliance with such requirement if the covered
13
entity provides such notice by any one of the
14
following methods:
15
(i) Written notification, sent to the
16
postal address of the individual in the
17
records of the covered entity.
18
(ii) Telephone.
19
(iii) Email or other electronic means.
20
(B) CONTENT
OF NOTIFICATION.Regard-
21
less of the method by which notification is pro-
22
vided to an individual under subparagraph (A)
23
with respect to a security breach, such notifica-
24
tion, to the extent practicable, shall include
ALB15691
S.L.C.
10
1
(i) the date, estimated date, or esti-
mated date range of the breach of security;
(ii) a description of the personal infor-
mation that was accessed and acquired, or
reasonably believed to have been accessed
and acquired, by an unauthorized person
as a part of the security breach;
8
9
(iii) a general description of how the

breach of security occurred; and
10
(iv) information that the individual
11
can use to contact the covered entity to in-
12
quire about
13
(I) the breach of security; or
14
(II) the information the covered
15
entity maintained about that indi-
16
vidual.
17
(2) SUBSTITUTE
18
NOTIFICATION.
(A) CIRCUMSTANCES
GIVING RISE TO SUB-
19
STITUTE NOTIFICATION.A
covered entity re-
20
quired to provide notification to an individual
21
under subsection (a) may provide substitute no-
22
tification in lieu of the direct notification re-
23
quired by paragraph (1) if such direct notifica-
24
tion is not feasible due to
ALB15691
S.L.C.
11
1
(i) excessive cost to the covered entity
required to provide such notification rel-
ative to the resources of such covered enti-
ty; or
(ii) lack of sufficient contact informa-
tion for the individual required to be noti-
fied.
(B) FORM
9
10
TION.Substitute
OF
SUBSTITUTE
NOTIFICA-
notification described in sub-
paragraph (A) shall include
11
(i) a conspicuous notice on the Inter-
12
net Web site of the covered entity (if such
13
covered entity maintains such a Web site);
14
and
15
(ii) notification in print and to broad-
16
cast media, including major media in met-
17
ropolitan and rural areas where the indi-
18
viduals whose personal information was ac-
19
quired reside.
20
(3) COST
OF NOTIFICATION.A
covered entity
21
required to provide notification to an individual
22
under subsection (a) shall provide such notification
23
at no cost to the individual.
24
(e) TREATMENT
OF
PERSONS GOVERNED
BY
OTHER
25 FEDERAL LAW.Except as provided in section 4(b), a
ALB15691
S.L.C.
12
1 covered entity who is in compliance with any other Federal
2 law that requires such covered entity to provide notifica3 tion to individuals following a breach of security shall be
4 deemed to be in compliance with this section.
5
6
SEC. 4. APPLICATION AND ENFORCEMENT.
(a) GENERAL APPLICATION.The requirements of
7 sections 2 and 3 apply to

8
(1) any covered entity over which the Commis-
sion has authority pursuant to section 5(a)(2) of the
10
Federal
Trade
11
45(a)(2)); and
Commission
Act
(15
U.S.C.
12
(2) notwithstanding section 5(a)(2) of the Fed-
13
eral Trade Commission Act (15 U.S.C. 45(a)(2)),
14
common carriers subject to the Communications Act
15
of 1934 (47 U.S.C. 151 et seq.).
16
(b) APPLICATION
17 OPERATORS,
AND
TO
CABLE OPERATORS, SATELLITE
TELECOMMUNICATIONS CARRIERS.
18 Sections 222, 338, and 631 of the Communications Act

19 of 1934 (47 U.S.C. 222, 338, and 551), and any regula20 tions promulgated thereunder, shall not apply with respect
21 to the information security practices, including practices
22 relating to the notification of unauthorized access to data
23 in electronic form, of any covered entity otherwise subject
24 to those sections.
ALB15691
S.L.C.
13
1
2
3
(c) ENFORCEMENT
BY
FEDERAL TRADE COMMIS-
SION.
(1) UNFAIR
OR DECEPTIVE ACTS OR PRAC-
TICES.A
violation of section 2 or 3 shall be treated
as an unfair or deceptive act or practice in violation
of a regulation under section 18(a)(1)(B) of the
Federal
57a(a)(1)(B)) regarding unfair or deceptive acts or
practices.
Trade
Commission
Act
10
(2) POWERS
OF COMMISSION.
11
(A) IN
GENERAL.Except
(15
U.S.C.
as provided in
12
subsection (a), the Commission shall enforce
13
this Act in the same manner, by the same
14
means, and with the same jurisdiction, powers,
15
and duties as though all applicable terms and
16
provisions of the Federal Trade Commission
17
Act (15 U.S.C. 41 et seq.) were incorporated
18
into and made a part of this Act.
19
(B) PRIVILEGES
AND IMMUNITIES.Any
20
person who violates section 3 or 4 shall be sub-
21
ject to the penalties and entitled to the privi-
22
leges and immunities provided in such Act.
23
(3) MAXIMUM
TOTAL
LIABILITY.Notwith-
24
standing the number of actions which may be
25
brought against a covered entity under this sub-
ALB15691
S.L.C.
14
1
section, the maximum civil penalty for which any
covered entity may be liable under this subsection
for all actions shall not exceed
(A) $1,000,000 for all violations of section
2 resulting from the same related act or omis-
sion; and
7
8
9
(B) $1,000,000 for all violations of section

3 resulting from a single breach of security.
(d) NO PRIVATE CAUSE
OF
ACTION.Nothing in
10 this Act shall be construed to establish a private cause

11 of action against a person for a violation of this Act.
12
13
14
15
16
17
18
SEC. 5. CRIMINAL PENALTIES FOR CYBER CRIMES.
Part I of title 18, United States Code, is amended

(1) in chapter 47
(A) in section 1028(b)
(i) in paragraph (1)
(I) in subparagraph (B), by inserting or after the semicolon;
19
(II) in subparagraph (C), by
20
striking or after the semicolon; and
21
(III) by striking subparagraph
22
(D); and
23
(ii) by redesignating paragraphs (5)
24
and (6), as paragraphs (6) and (7), respec-
25
tively; and
ALB15691
S.L.C.
15
1
2
(iii) by inserting after paragraph (4),

the following:
(5) for an offense under paragraph (7) of such
subsection, a fine of not more than $500,000
($1,000,000 if the person is an organization), im-
prisonment for not more than 30 years, or both;;
(B) in section 1028A(a)(1), by striking 2
8
9
10
years and inserting 4 years;

(C) in section 1029(c)(1)
(i) in subparagraph (A)
11
(I) in clause (i), by striking a
12
fine under this title or imprisonment
13
for not more than 10 years and in-
14
serting a fine of not more than
15
$500,000 ($1,000,000 if the person is
16
an organization), imprisonment for
17
not more than 20 years; and
18
(II) in clause (ii), by striking a
19
fine under this title or imprisonment
20
for not more than 15 years and in-
21
serting a fine of not more than
22
$500,000 ($1,000,000 if the person is
23
24
ALB15691
S.L.C.
16
1
(ii) in subparagraph (B), by striking
a fine under this title or imprisonment for
not more than 20 years and inserting a
fine
($1,000,000 if the person is an organiza-
tion), imprisonment for not more than 40
years; and
(D) in section 1030(c)
of
not
more
than
$500,000
(i) in paragraph (2)
10
(I) in subparagraph (A), by strik-
11
ing subsection (a)(2), (a)(3), and
12
inserting subsection (a)(3);
13
(II) in subparagraph (B)
14
(aa) in the matter preceding
15
clause (i), by striking a fine
16
under this title or imprisonment
17
for not more than 5 years and
18
inserting a fine of not more
19
than $500,000 ($1,000,000 if the
20
person is an organization), im-
21
prisonment for not more than 10
22
years; and
23
24
(bb) in clause (iii), by striking and at the end;
ALB15691
S.L.C.
17
1
2
3
4
(III) in subparagraph (C), by

striking (a)(2),; and
(IV) by adding at the end the following:
(D) a fine of not more than $500,000
prisonment for not more than 2 years, or both, in
the case of an offense under subsection (a)(2) which
does not occur after a conviction for another offense
10
under this section, or an attempt to commit an of-
11
fense punishable under this subparagraph; and
12
(E) a fine of not more than $500,000
13
14
15
16
occurs after a conviction for another offense under
17
this section, or an attempt to commit an offense
18
punishable under this subparagraph;;
19
20
21
22
(ii) in paragraph (3)

(I) in subparagraph (A), by striking (a)(4) or; and
(II) in subparagraph (B), by
23
striking (a)(4), or;
24
(iii) in paragraph (4)
ALB15691
S.L.C.
18
1
(I) in subparagraph (A), in the
matter preceding clause (i), by strik-
ing a fine under this title, imprison-
ment for not more than 5 years and
inserting a fine of not more than
$500,000 ($1,000,000 if the person is
not more than 10 years;
(II) in subparagraph (B), in the
10
11
12
13
14
$500,000 ($1,000,000 if the person is
15
16
17
(III) in subparagraph (C), in the
18
19
20
21
22
$500,000 ($1,000,000 if the person is
23
24
ALB15691
S.L.C.
19
1
(IV) in subparagraph (D), in the
$500,000 ($1,000,000 if the person is
(V) in subparagraph (E), by
10
striking a fine under this title, im-
11
prisonment for not more than 20
12
years and inserting a fine of not
13
more than $500,000 ($1,000,000 if
14
the person is an organization), impris-
15
onment for not more than 40 years;
16
(VI) in subparagraph (F)
17
(aa) by striking a fine
18
under this title and inserting a
19
fine of not more than $500,000
20
($1,000,000 if the person is an
21
organization); and
22
(bb) by striking or at the
23
end; and
24
(VII) in subparagraph (G)
ALB15691
S.L.C.
20
1
(aa) in the matter preceding
clause (i), by striking under this
title, imprisonment for not more
than 1 year and inserting of
not
($1,000,000 if the person is an
organization), imprisonment for
more
than
$500,000
(bb) in clause (ii), by strik-
10
ing the period at the end and in-
11
serting ; and; and
12
13
(iv) by adding at the end the following:
14
(5)(A) a fine of not more than $500,000
15
16
17
18
does not occur after a conviction for another offense
19
under this section, or an attempt to commit an of-
20
fense punishable under this subparagraph; and
21
(B) a fine of not more than $500,000
22
23
24
25
occurs after a conviction for another offense under
ALB15691
S.L.C.
21
1
this section, or an attempt to commit an offense
punishable under this subparagraph.;
(2) in chapter 63
(A) in section 1343
4
5
(i) in the first sentence, by striking
fined under this title or imprisoned not
more than 20 years and inserting fined
not more than $500,000 ($1,000,000 if the
person is an organization), imprisoned not

more than 40 years; and
10
11
(ii) in the second sentence, by striking
12
$1,000,000 or imprisoned not more than
13
30 years and inserting $2,000,000, im-
14
prisoned for any term of years or for life;
15
and
16
(B)
in
section
1344,
by
striking
17
$1,000,000 or imprisoned not more than 30
18
years and inserting $2,000,000 or imprisoned
19
for any term of years or for life; and
20
(3) in section 1519, by striking fined under
21
this title, imprisoned not more than 20 years and
22
inserting
23
24
prisoned not more than 40 years.
fined
not
more
than
$500,000
ALB15691
S.L.C.
22
1
SEC. 6. APPREHENSION AND PROSECUTION OF INTER-
2
3
NATIONAL CYBER CRIMINALS.
(a) INTERNATIONAL CYBER CRIMINAL DEFINED.
4 In this section, the term international cyber criminal

5 means an individual
6
(1) who is physically present with in a country
with which the United States does not have a mu-
tual legal assistance treaty or an extradition treaty;
(2) who is believed to have committed a
10
cybercrime or intellectual property crime against the
11
interests of the United States or its citizens; and

(3) for whom
12
(A) an arrest warrant has been issued by
13
a judge in the United States; or
14
15
(B) an international wanted notice (com-
16
monly referred to as a Red Notice) has been
17
circulated by Interpol.
18
(b) BILATERAL CONSULTATIONS.The Secretary of
19 State, or designee, shall consult with the appropriate gov20 ernment official of each country in which 1 or more inter21 national cyber criminals are physically present to deter22 mine what actions the government of such country has
23 taken
(1) to apprehend and prosecute such criminals;
24
25
and
ALB15691
S.L.C.
23
1
(2) to prevent such criminals from carrying out
cybercrimes or intellectual property crimes against
the interests of the United States or its citizens.
(c) ANNUAL REPORT.
(1) IN
GENERAL.The
Secretary of State shall
submit to the appropriate congressional committees
an annual report that identifies
(A) the number of international cyber
criminals who are located in countries that do
10
not have an extradition treaty or mutual legal
11
assistance treaty with the United States, broken
12
down by country;
13
(B) the dates on which an official of the
14
Department of State, as a result of this Act,
15
discussed ways to thwart or prosecute inter-
16
national cyber criminals in a bilateral conversa-
17
tion with an official of another country, includ-
18
ing the name of each such country; and
19
(C) for each international cyber criminal
20
who was extradited into the United States dur-
21
ing the most recently completed calendar
22
year
23
(i) his or her name;
24
(ii) the crimes for which he or she was
25
charged;
ALB15691
S.L.C.
24
(iii) his or her previous country of res-
1
2
idence; and
(iv) the country from which he or she
3
4
5
was extradited into the United States.

(2) APPROPRIATE
CONGRESSIONAL
COMMIT-
TEES.For
appropriate congressional committees means
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
purposes of this subsection, the term
(A) the Committee on Foreign Relations of

the Senate;
(B) the Committee on Appropriations of
the Senate;
(C) the Committee on Homeland Security
and Governmental Affairs of the Senate;
(D) the Committee on Banking, Housing,
and Urban Affairs of the Senate;
(E) the Committee on Foreign Affairs of
the House of Representatives;
(F) the Committee on Appropriations of
the House of Representatives;
(G) the Committee on Homeland Security
of the House of Representatives; and
(H) the Committee on Financial Services
of the House of Representatives.
24
SEC. 7. DEFINITIONS.
25
In this Act:
ALB15691
S.L.C.
25
1
(1) BREACH
OF SECURITY.The
term breach
of security means unauthorized access and acquisi-
tion of data in electronic form containing personal
information.
5
6
7
(2) COMMISSION.The term Commission

means the Federal Trade Commission.
(3) COVERED
(A) IN
ENTITY.
GENERAL.The
term covered en-
tity means a sole proprietorship, partnership,
10
corporation, trust, estate, cooperative, associa-
11
tion, or other commercial entity that acquires,
12
maintains, stores, or utilizes personal informa-
13
tion.
14
15
(B) EXEMPTIONS.The term covered entity does not include the following:
16
(i) Financial institutions subject to
17
title V of the Gramm-Leach-Bliley Act (15
18
U.S.C. 6801 et seq.).
19
(ii) An entity covered by the regula-
20
tions issued under section 264(c) of the
21
Health Insurance Portability and Account-
22
ability Act of 1996 (Public Law 104191)
23
to the extent that such entity is subject to
24
the requirements of such regulations with
25
respect to protected health information.
ALB15691
S.L.C.
26
1
(4) DATA
IN ELECTRONIC FORM.The
term
data in electronic form means any data stored
electronically or digitally on any computer system or
other database and includes recordable tapes and
other mass storage devices.
(5) DESIGNATED
ENTITY.The
term des-
ignated entity means the Federal Government enti-
ty designated under section 3(a)(2)(A).
9
10
(6) PERSONAL
(A) IN
INFORMATION.
GENERAL.The
term personal in-
11
formation means an individuals first name or
12
first initial and last name in combination with
13
any 1 or more of the following data elements
14
for that individual:
15
(i) Social Security number.
16
(ii) Drivers license number, passport
17
number, military identification number, or
18
other similar number issued on a govern-
19
ment document used to verify identity.
20
(iii) Financial account number, or
21
credit or debit card number, and any re-
22
quired security code, access code, or pass-
23
word that is necessary to permit access to
24
an individuals financial account.
ALB15691
S.L.C.
27
1
2
(iv) Federal or State government

issued identification card.
(v) A username or email address, in
combination with a password or security
question and answer that would allow ac-
cess to an online account.
(vi) Medical information, including the
medical history, mental or physical condi-
tion, or medical treatment or diagnosis by
10
a health care professional of the individual.
11
(vii) Health insurance information, in-
12
cluding a health insurance policy number
13
or subscriber identification number, any
14
unique identifier used by a health insurer
15
to identify an individual, or any informa-
16
tion in a health insurance application or
17
claim history filed by the individual.
18
(viii) An individual taxpayer identi-
19
fication number.
20
(B) EXCLUSIONS.
21
(i) PUBLIC
RECORD INFORMATION.
22
Personal information does not include in-
23
formation obtained about an individual
24
which has been lawfully made publicly
25
available by a Federal, State, or local gov-
ALB15691
S.L.C.
28
1
ernment entity or widely distributed by
media.
(ii) ENCRYPTED,
REDACTED, OR SE-
CURED DATA.Personal
not include information that is encrypted,
redacted, or secured by any other method
or technology that renders the data ele-
ments unusable.
(7) SERVICE
information does
PROVIDER.The
term service
10
provider means an entity that provides electronic
11
data transmission, routing, intermediate, and tran-
12
sient storage, or connections to its system or net-
13
work, where such entity providing such services does
14
not select or modify the content of the electronic
15
data, is not the sender or the intended recipient of
16
the data, and does not differentiate personal infor-
17
mation from other information that such entity
18
transmits, routes, stores, or for which such entity
19
provides connections. Any such entity shall be treat-
20
ed as a service provider under this Act only to the
21
extent that it is engaged in the provision of such
22
transmission, routing, intermediate and transient
23
storage, or connections.
ALB15691
S.L.C.
29
1
2
SEC. 8. EFFECT ON OTHER LAWS.
This Act preempts any law, rule, regulation, require-
3 ment, standard, or other provision having the force and

4 effect of law of any State, or political subdivision of a
5 State, relating to the protection or security of data in elec6 tronic form containing personal information or the notifi7 cation of a breach of security.
8
9
SEC. 9. EFFECTIVE DATE.
This Act shall take effect on the date that is 1 year
10 after the date of enactment of this Act.

DBFDD ZDNet

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DBFDD ZDNet

Uploaded by

Copyright:

Available Formats

ALB15691

To require notification of information security breaches and to enhance

IN THE SENATE OF THE UNITED STATES

Be it enacted by the Senate and House of Representa-

2 tives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the Data Breach Notifica-

5 tion and Punishing Cyber Criminals Act of 2015.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

Each covered entity shall take reasonable measures

8 to protect and secure data in electronic form containing

covered entity that owns

or licenses data in electronic form containing per-

sonal information shall give notice of any breach of

the security of the system following discovery by the

covered entity of the breach of the security of the

system to each individual who is a citizen or resident

of the United States

(A) whose personal information was, or

that the covered entity reasonably believes to

have been, accessed and acquired by an unau-

(B) who the covered entity reasonably be-

lieves may be at risk of identity theft, fraud, ac-

tual financial harm, or other unlawful conduct.

TITY TO RECEIVE NOTICE.

days after the date of enactment of this

Act, the Secretary of Homeland Security,

in consultation with the Attorney General,

shall designate a Federal Government enti-

ty to receive the information required to be

submitted under this section, and any

other reports and information about infor-

mation security incidents, threats, and

(I) be responsible for promptly

providing the information it receives

to the United States Secret Service

and the Federal Bureau of Investiga-

tion, and to the Federal Trade Com-

mission for civil law enforcement pur-

(II) provide the information de-

scribed in subclause (I) as appropriate

to other Federal agencies for law en-

forcement, national security, or data

(B) NOTICE.Not later than 30 days

after the date on which a security breach is dis-

covered, a covered entity shall notify the des-

ignated entity of the fact that the breach of se-

curity has occurred if

(i) the number of individuals whose

personal information was, or is reasonably

believed to be to have been accessed and

acquired by an unauthorized person is

more than 1,000;

(ii) the security breach involves a

database, networked or integrated data-

bases, or other data system containing the

personal information of more than 250,000

(iii) the security breach involves data-

bases owned by the Federal Government;

(iv) the security breach involves per-

sonal information of primarily individuals

known to the covered entity to be employ-

ees and contractors of the Federal Govern-