You are on page 1of 29

ALB15691

S.L.C.

114TH CONGRESS
1ST SESSION

S. ll

To require notification of information security breaches and to enhance


penalties for cyber criminals, and for other purposes.

IN THE SENATE OF THE UNITED STATES


llllllllll
Mr. KIRK (for himself and Mrs. GILLIBRAND) introduced the following bill;
which was read twice and referred to the Committee on
llllllllll

A BILL
To require notification of information security breaches and
to enhance penalties for cyber criminals, and for other
purposes.
1

Be it enacted by the Senate and House of Representa-

2 tives of the United States of America in Congress assembled,


3
4

SECTION 1. SHORT TITLE.

This Act may be cited as the Data Breach Notifica-

5 tion and Punishing Cyber Criminals Act of 2015.


6
7

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

Each covered entity shall take reasonable measures

8 to protect and secure data in electronic form containing


9 personal information.

ALB15691

S.L.C.

2
1
2
3
4

SEC.

3.

NOTIFICATION

OF

INFORMATION

SECURITY

BREACH.

(a) NOTIFICATION.
(1) IN

GENERAL.A

covered entity that owns

or licenses data in electronic form containing per-

sonal information shall give notice of any breach of

the security of the system following discovery by the

covered entity of the breach of the security of the

system to each individual who is a citizen or resident

10

of the United States

11

(A) whose personal information was, or

12

that the covered entity reasonably believes to

13

have been, accessed and acquired by an unau-

14

thorized person; or

15

(B) who the covered entity reasonably be-

16

lieves may be at risk of identity theft, fraud, ac-

17

tual financial harm, or other unlawful conduct.

18

(2) LAW

ENFORCEMENT.

19

(A) DESIGNATION

20

TITY TO RECEIVE NOTICE.

21

(i) IN

OF A GOVERNMENT EN-

GENERAL.Not

later than 60

22

days after the date of enactment of this

23

Act, the Secretary of Homeland Security,

24

in consultation with the Attorney General,

25

shall designate a Federal Government enti-

26

ty to receive the information required to be

ALB15691

S.L.C.

3
1

submitted under this section, and any

other reports and information about infor-

mation security incidents, threats, and

vulnerabilities.

(ii) RESPONSIBILITIES

IGNATED ENTITY.The

shall

OF THE DES-

designated entity

(I) be responsible for promptly

providing the information it receives

10

to the United States Secret Service

11

and the Federal Bureau of Investiga-

12

tion, and to the Federal Trade Com-

13

mission for civil law enforcement pur-

14

poses; and

15

(II) provide the information de-

16

scribed in subclause (I) as appropriate

17

to other Federal agencies for law en-

18

forcement, national security, or data

19

security purposes.

20

(B) NOTICE.Not later than 30 days

21

after the date on which a security breach is dis-

22

covered, a covered entity shall notify the des-

23

ignated entity of the fact that the breach of se-

24

curity has occurred if

ALB15691

S.L.C.

4
1

(i) the number of individuals whose

personal information was, or is reasonably

believed to be to have been accessed and

acquired by an unauthorized person is

more than 1,000;

(ii) the security breach involves a

database, networked or integrated data-

bases, or other data system containing the

personal information of more than 250,000

10

individuals;

11

(iii) the security breach involves data-

12

bases owned by the Federal Government;

13

or

14

(iv) the security breach involves per-

15

sonal information of primarily individuals

16

known to the covered entity to be employ-

17

ees and contractors of the Federal Govern-

18

ment involved in national security or law

19

enforcement.

20

(C) FTC

REVIEW OF THRESHOLDS.

21

(i) REVIEW.Not later than 1 year

22

after the date of enactment of this Act, the

23

Federal Trade Commission, in consultation

24

with the Attorney General and the Sec-

25

retary of Homeland Security, shall promul-

ALB15691

S.L.C.

5
1

gate regulations regarding the reports re-

quired under subparagraph (A).

(ii)

RULEMAKING.The

Federal

Trade Commission, in consultation with

the Attorney General and the Secretary of

Homeland Security, after notice and the

opportunity for public comment, and in a

manner consistent with this section, shall

promulgate

regulations,

as

necessary,

10

under section 553 of title 5, United States

11

Code, to adjust the thresholds for notice to

12

law enforcement and national security au-

13

thorities under subparagraph (A) and to

14

facilitate the purposes of this section.

15

(b) SPECIAL NOTIFICATION REQUIREMENTS.

16

(1) THIRD-PARTY

17

(A) IN

AGENTS.

GENERAL.In

the event of a

18

breach of security of a system maintained by a

19

third-party entity that has been contracted to

20

maintain, store, or process data in electronic

21

form containing personal information on behalf

22

of a covered entity who owns or possesses such

23

data, the third-party entity shall notify the cov-

24

ered entity of the breach of security.

ALB15691

S.L.C.

6
1

(B) COVERED

ENTITIES WHO RECEIVE NO-

TICE FROM THIRD PARTIES.Upon

notification from a third party under subpara-

graph (A), a covered entity shall provide notifi-

cation as required under subsection (a).

(C)

VIDERS.For

service provider shall not be considered a third-

party agent.

10

(2) SERVICE

11

EXCEPTION

receiving

(A) IN

FOR

SERVICE

PRO-

purposes of this paragraph, a

PROVIDERS.

GENERAL.If

a service provider be-

12

comes aware of a breach of security involving

13

data in electronic form containing personal in-

14

formation that is owned or possessed by a cov-

15

ered entity that connects to or uses a system or

16

network provided by the service provider for the

17

purpose of transmitting, routing, or providing

18

intermediate or transient storage of such data,

19

the service provider shall notify the covered en-

20

tity who initiated such connection, transmission,

21

routing, or storage if the covered entity can be

22

reasonably identified.

23

(B) COVERED

ENTITIES WHO RECEIVE NO-

24

TICE FROM SERVICE PROVIDERS.Upon

receiv-

25

ing notification from a service provider under

ALB15691

S.L.C.

7
1

subparagraph (A), a covered entity shall provide

notification as required under subsection (a).

3
4
5
6

(c) TIMELINESS OF NOTIFICATION.


(1) NOTIFICATION

TO

AFFECTED

INDIVID-

UALS.

(A) IN

GENERAL.Unless

subject to a

delay authorized under subparagraph (B) or

paragraph (2), a notification required under

subsection (a)(1) with respect to a security

10

breach shall be made not later than 30 days

11

after date on which the security breach was dis-

12

covered, consistent with any measures necessary

13

to determine the scope of the security breach

14

and restore the reasonable integrity of the data

15

system that was breached.

16

(B) FOLLOW-UP

NOTIFICATION.Not

later

17

than 60 days after the date on which notice is

18

provided under subsection (a)(1), if a covered

19

entity has discovered additional information re-

20

lating to how a breach of security occurred (as

21

required under subsection (d)(1)(B)(iii) to be

22

included in a notification) the covered entity

23

may provide a follow-up notification to affected

24

individuals that contains the additional infor-

25

mation.

ALB15691

S.L.C.

8
1

(2) DELAY

OF NOTIFICATION AUTHORIZED FOR

LAW ENFORCEMENT OR NATIONAL SECURITY PUR-

POSES.

(A) LAW

ENFORCEMENT.If

a Federal

law enforcement agency determines that the no-

tification required under subsection (a) would

impede a civil or criminal investigation, such

notification shall be delayed upon the written

request of the law enforcement agency for any

10

period which the law enforcement agency deter-

11

mines is reasonably necessary. A law enforce-

12

ment agency may, by a subsequent written re-

13

quest, revoke such delay or extend the period

14

set forth in the original request made under

15

this subparagraph by a subsequent request if

16

further delay is necessary.

17

(B) NATIONAL

SECURITY.If

a Federal

18

national security agency or homeland security

19

agency determines that the notification required

20

under this section would threaten national or

21

homeland security, such notification may be de-

22

layed upon the written request of the national

23

security agency or homeland security agency for

24

any period which the national security agency

25

or homeland security agency determines is rea-

ALB15691

S.L.C.

9
1

sonably necessary. A Federal national security

agency or homeland security agency may revoke

such delay or extend the period set forth in the

original request made under this subparagraph

by a subsequent written request if further delay

is necessary.

7
8
9

(d) METHOD AND CONTENT OF NOTIFICATION.


(1) DIRECT

NOTIFICATION.

(A) METHOD

OF NOTIFICATION.A

cov-

10

ered entity required to provide notification to

11

an individual under subsection (a) shall be in

12

compliance with such requirement if the covered

13

entity provides such notice by any one of the

14

following methods:

15

(i) Written notification, sent to the

16

postal address of the individual in the

17

records of the covered entity.

18

(ii) Telephone.

19

(iii) Email or other electronic means.

20

(B) CONTENT

OF NOTIFICATION.Regard-

21

less of the method by which notification is pro-

22

vided to an individual under subparagraph (A)

23

with respect to a security breach, such notifica-

24

tion, to the extent practicable, shall include

ALB15691

S.L.C.

10
1

(i) the date, estimated date, or esti-

mated date range of the breach of security;

(ii) a description of the personal infor-

mation that was accessed and acquired, or

reasonably believed to have been accessed

and acquired, by an unauthorized person

as a part of the security breach;

8
9

(iii) a general description of how the


breach of security occurred; and

10

(iv) information that the individual

11

can use to contact the covered entity to in-

12

quire about

13

(I) the breach of security; or

14

(II) the information the covered

15

entity maintained about that indi-

16

vidual.

17

(2) SUBSTITUTE

18

NOTIFICATION.

(A) CIRCUMSTANCES

GIVING RISE TO SUB-

19

STITUTE NOTIFICATION.A

covered entity re-

20

quired to provide notification to an individual

21

under subsection (a) may provide substitute no-

22

tification in lieu of the direct notification re-

23

quired by paragraph (1) if such direct notifica-

24

tion is not feasible due to

ALB15691

S.L.C.

11
1

(i) excessive cost to the covered entity

required to provide such notification rel-

ative to the resources of such covered enti-

ty; or

(ii) lack of sufficient contact informa-

tion for the individual required to be noti-

fied.

(B) FORM

9
10

TION.Substitute

OF

SUBSTITUTE

NOTIFICA-

notification described in sub-

paragraph (A) shall include

11

(i) a conspicuous notice on the Inter-

12

net Web site of the covered entity (if such

13

covered entity maintains such a Web site);

14

and

15

(ii) notification in print and to broad-

16

cast media, including major media in met-

17

ropolitan and rural areas where the indi-

18

viduals whose personal information was ac-

19

quired reside.

20

(3) COST

OF NOTIFICATION.A

covered entity

21

required to provide notification to an individual

22

under subsection (a) shall provide such notification

23

at no cost to the individual.

24

(e) TREATMENT

OF

PERSONS GOVERNED

BY

OTHER

25 FEDERAL LAW.Except as provided in section 4(b), a

ALB15691

S.L.C.

12
1 covered entity who is in compliance with any other Federal
2 law that requires such covered entity to provide notifica3 tion to individuals following a breach of security shall be
4 deemed to be in compliance with this section.
5
6

SEC. 4. APPLICATION AND ENFORCEMENT.

(a) GENERAL APPLICATION.The requirements of

7 sections 2 and 3 apply to


8

(1) any covered entity over which the Commis-

sion has authority pursuant to section 5(a)(2) of the

10

Federal

Trade

11

45(a)(2)); and

Commission

Act

(15

U.S.C.

12

(2) notwithstanding section 5(a)(2) of the Fed-

13

eral Trade Commission Act (15 U.S.C. 45(a)(2)),

14

common carriers subject to the Communications Act

15

of 1934 (47 U.S.C. 151 et seq.).

16

(b) APPLICATION

17 OPERATORS,

AND

TO

CABLE OPERATORS, SATELLITE

TELECOMMUNICATIONS CARRIERS.

18 Sections 222, 338, and 631 of the Communications Act


19 of 1934 (47 U.S.C. 222, 338, and 551), and any regula20 tions promulgated thereunder, shall not apply with respect
21 to the information security practices, including practices
22 relating to the notification of unauthorized access to data
23 in electronic form, of any covered entity otherwise subject
24 to those sections.

ALB15691

S.L.C.

13
1
2
3

(c) ENFORCEMENT

BY

FEDERAL TRADE COMMIS-

SION.

(1) UNFAIR

OR DECEPTIVE ACTS OR PRAC-

TICES.A

violation of section 2 or 3 shall be treated

as an unfair or deceptive act or practice in violation

of a regulation under section 18(a)(1)(B) of the

Federal

57a(a)(1)(B)) regarding unfair or deceptive acts or

practices.

Trade

Commission

Act

10

(2) POWERS

OF COMMISSION.

11

(A) IN

GENERAL.Except

(15

U.S.C.

as provided in

12

subsection (a), the Commission shall enforce

13

this Act in the same manner, by the same

14

means, and with the same jurisdiction, powers,

15

and duties as though all applicable terms and

16

provisions of the Federal Trade Commission

17

Act (15 U.S.C. 41 et seq.) were incorporated

18

into and made a part of this Act.

19

(B) PRIVILEGES

AND IMMUNITIES.Any

20

person who violates section 3 or 4 shall be sub-

21

ject to the penalties and entitled to the privi-

22

leges and immunities provided in such Act.

23

(3) MAXIMUM

TOTAL

LIABILITY.Notwith-

24

standing the number of actions which may be

25

brought against a covered entity under this sub-

ALB15691

S.L.C.

14
1

section, the maximum civil penalty for which any

covered entity may be liable under this subsection

for all actions shall not exceed

(A) $1,000,000 for all violations of section

2 resulting from the same related act or omis-

sion; and

7
8
9

(B) $1,000,000 for all violations of section


3 resulting from a single breach of security.
(d) NO PRIVATE CAUSE

OF

ACTION.Nothing in

10 this Act shall be construed to establish a private cause


11 of action against a person for a violation of this Act.
12
13
14
15
16
17
18

SEC. 5. CRIMINAL PENALTIES FOR CYBER CRIMES.

Part I of title 18, United States Code, is amended


(1) in chapter 47
(A) in section 1028(b)
(i) in paragraph (1)
(I) in subparagraph (B), by inserting or after the semicolon;

19

(II) in subparagraph (C), by

20

striking or after the semicolon; and

21

(III) by striking subparagraph

22

(D); and

23

(ii) by redesignating paragraphs (5)

24

and (6), as paragraphs (6) and (7), respec-

25

tively; and

ALB15691

S.L.C.

15
1
2

(iii) by inserting after paragraph (4),


the following:

(5) for an offense under paragraph (7) of such

subsection, a fine of not more than $500,000

($1,000,000 if the person is an organization), im-

prisonment for not more than 30 years, or both;;

(B) in section 1028A(a)(1), by striking 2

8
9
10

years and inserting 4 years;


(C) in section 1029(c)(1)
(i) in subparagraph (A)

11

(I) in clause (i), by striking a

12

fine under this title or imprisonment

13

for not more than 10 years and in-

14

serting a fine of not more than

15

$500,000 ($1,000,000 if the person is

16

an organization), imprisonment for

17

not more than 20 years; and

18

(II) in clause (ii), by striking a

19

fine under this title or imprisonment

20

for not more than 15 years and in-

21

serting a fine of not more than

22

$500,000 ($1,000,000 if the person is

23

an organization), imprisonment for

24

not more than 30 years; and

ALB15691

S.L.C.

16
1

(ii) in subparagraph (B), by striking

a fine under this title or imprisonment for

not more than 20 years and inserting a

fine

($1,000,000 if the person is an organiza-

tion), imprisonment for not more than 40

years; and

(D) in section 1030(c)

of

not

more

than

$500,000

(i) in paragraph (2)

10

(I) in subparagraph (A), by strik-

11

ing subsection (a)(2), (a)(3), and

12

inserting subsection (a)(3);

13

(II) in subparagraph (B)

14

(aa) in the matter preceding

15

clause (i), by striking a fine

16

under this title or imprisonment

17

for not more than 5 years and

18

inserting a fine of not more

19

than $500,000 ($1,000,000 if the

20

person is an organization), im-

21

prisonment for not more than 10

22

years; and

23
24

(bb) in clause (iii), by striking and at the end;

ALB15691

S.L.C.

17
1
2
3
4

(III) in subparagraph (C), by


striking (a)(2),; and
(IV) by adding at the end the following:

(D) a fine of not more than $500,000

($1,000,000 if the person is an organization), im-

prisonment for not more than 2 years, or both, in

the case of an offense under subsection (a)(2) which

does not occur after a conviction for another offense

10

under this section, or an attempt to commit an of-

11

fense punishable under this subparagraph; and

12

(E) a fine of not more than $500,000

13

($1,000,000 if the person is an organization), im-

14

prisonment for not more than 20 years, or both, in

15

the case of an offense under subsection (a)(2) which

16

occurs after a conviction for another offense under

17

this section, or an attempt to commit an offense

18

punishable under this subparagraph;;

19
20
21
22

(ii) in paragraph (3)


(I) in subparagraph (A), by striking (a)(4) or; and
(II) in subparagraph (B), by

23

striking (a)(4), or;

24

(iii) in paragraph (4)

ALB15691

S.L.C.

18
1

(I) in subparagraph (A), in the

matter preceding clause (i), by strik-

ing a fine under this title, imprison-

ment for not more than 5 years and

inserting a fine of not more than

$500,000 ($1,000,000 if the person is

an organization), imprisonment for

not more than 10 years;

(II) in subparagraph (B), in the

10

matter preceding clause (i), by strik-

11

ing a fine under this title, imprison-

12

ment for not more than 10 years and

13

inserting a fine of not more than

14

$500,000 ($1,000,000 if the person is

15

an organization), imprisonment for

16

not more than 20 years;

17

(III) in subparagraph (C), in the

18

matter preceding clause (i), by strik-

19

ing a fine under this title, imprison-

20

ment for not more than 20 years and

21

inserting a fine of not more than

22

$500,000 ($1,000,000 if the person is

23

an organization), imprisonment for

24

not more than 40 years;

ALB15691

S.L.C.

19
1

(IV) in subparagraph (D), in the

matter preceding clause (i), by strik-

ing a fine under this title, imprison-

ment for not more than 10 years and

inserting a fine of not more than

$500,000 ($1,000,000 if the person is

an organization), imprisonment for

not more than 20 years;

(V) in subparagraph (E), by

10

striking a fine under this title, im-

11

prisonment for not more than 20

12

years and inserting a fine of not

13

more than $500,000 ($1,000,000 if

14

the person is an organization), impris-

15

onment for not more than 40 years;

16

(VI) in subparagraph (F)

17

(aa) by striking a fine

18

under this title and inserting a

19

fine of not more than $500,000

20

($1,000,000 if the person is an

21

organization); and

22

(bb) by striking or at the

23

end; and

24

(VII) in subparagraph (G)

ALB15691

S.L.C.

20
1

(aa) in the matter preceding

clause (i), by striking under this

title, imprisonment for not more

than 1 year and inserting of

not

($1,000,000 if the person is an

organization), imprisonment for

not more than 2 years; and

more

than

$500,000

(bb) in clause (ii), by strik-

10

ing the period at the end and in-

11

serting ; and; and

12
13

(iv) by adding at the end the following:

14

(5)(A) a fine of not more than $500,000

15

($1,000,000 if the person is an organization), im-

16

prisonment for not more than 10 years, or both, in

17

the case of an offense under subsection (a)(4) which

18

does not occur after a conviction for another offense

19

under this section, or an attempt to commit an of-

20

fense punishable under this subparagraph; and

21

(B) a fine of not more than $500,000

22

($1,000,000 if the person is an organization), im-

23

prisonment for not more than 20 years, or both, in

24

the case of an offense under subsection (a)(4) which

25

occurs after a conviction for another offense under

ALB15691

S.L.C.

21
1

this section, or an attempt to commit an offense

punishable under this subparagraph.;

(2) in chapter 63
(A) in section 1343

4
5

(i) in the first sentence, by striking

fined under this title or imprisoned not

more than 20 years and inserting fined

not more than $500,000 ($1,000,000 if the

person is an organization), imprisoned not


more than 40 years; and

10
11

(ii) in the second sentence, by striking

12

$1,000,000 or imprisoned not more than

13

30 years and inserting $2,000,000, im-

14

prisoned for any term of years or for life;

15

and

16

(B)

in

section

1344,

by

striking

17

$1,000,000 or imprisoned not more than 30

18

years and inserting $2,000,000 or imprisoned

19

for any term of years or for life; and

20

(3) in section 1519, by striking fined under

21

this title, imprisoned not more than 20 years and

22

inserting

23

($1,000,000 if the person is an organization), im-

24

prisoned not more than 40 years.

fined

not

more

than

$500,000

ALB15691

S.L.C.

22
1

SEC. 6. APPREHENSION AND PROSECUTION OF INTER-

2
3

NATIONAL CYBER CRIMINALS.

(a) INTERNATIONAL CYBER CRIMINAL DEFINED.

4 In this section, the term international cyber criminal


5 means an individual
6

(1) who is physically present with in a country

with which the United States does not have a mu-

tual legal assistance treaty or an extradition treaty;

(2) who is believed to have committed a

10

cybercrime or intellectual property crime against the

11

interests of the United States or its citizens; and


(3) for whom

12

(A) an arrest warrant has been issued by

13

a judge in the United States; or

14
15

(B) an international wanted notice (com-

16

monly referred to as a Red Notice) has been

17

circulated by Interpol.

18

(b) BILATERAL CONSULTATIONS.The Secretary of

19 State, or designee, shall consult with the appropriate gov20 ernment official of each country in which 1 or more inter21 national cyber criminals are physically present to deter22 mine what actions the government of such country has
23 taken
(1) to apprehend and prosecute such criminals;

24
25

and

ALB15691

S.L.C.

23
1

(2) to prevent such criminals from carrying out

cybercrimes or intellectual property crimes against

the interests of the United States or its citizens.

(c) ANNUAL REPORT.

(1) IN

GENERAL.The

Secretary of State shall

submit to the appropriate congressional committees

an annual report that identifies

(A) the number of international cyber

criminals who are located in countries that do

10

not have an extradition treaty or mutual legal

11

assistance treaty with the United States, broken

12

down by country;

13

(B) the dates on which an official of the

14

Department of State, as a result of this Act,

15

discussed ways to thwart or prosecute inter-

16

national cyber criminals in a bilateral conversa-

17

tion with an official of another country, includ-

18

ing the name of each such country; and

19

(C) for each international cyber criminal

20

who was extradited into the United States dur-

21

ing the most recently completed calendar

22

year

23

(i) his or her name;

24

(ii) the crimes for which he or she was

25

charged;

ALB15691

S.L.C.

24
(iii) his or her previous country of res-

1
2

idence; and
(iv) the country from which he or she

3
4
5

was extradited into the United States.


(2) APPROPRIATE

CONGRESSIONAL

COMMIT-

TEES.For

appropriate congressional committees means

8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

purposes of this subsection, the term

(A) the Committee on Foreign Relations of


the Senate;
(B) the Committee on Appropriations of
the Senate;
(C) the Committee on Homeland Security
and Governmental Affairs of the Senate;
(D) the Committee on Banking, Housing,
and Urban Affairs of the Senate;
(E) the Committee on Foreign Affairs of
the House of Representatives;
(F) the Committee on Appropriations of
the House of Representatives;
(G) the Committee on Homeland Security
of the House of Representatives; and
(H) the Committee on Financial Services
of the House of Representatives.

24

SEC. 7. DEFINITIONS.

25

In this Act:

ALB15691

S.L.C.

25
1

(1) BREACH

OF SECURITY.The

term breach

of security means unauthorized access and acquisi-

tion of data in electronic form containing personal

information.

5
6
7

(2) COMMISSION.The term Commission


means the Federal Trade Commission.
(3) COVERED
(A) IN

ENTITY.

GENERAL.The

term covered en-

tity means a sole proprietorship, partnership,

10

corporation, trust, estate, cooperative, associa-

11

tion, or other commercial entity that acquires,

12

maintains, stores, or utilizes personal informa-

13

tion.

14
15

(B) EXEMPTIONS.The term covered entity does not include the following:

16

(i) Financial institutions subject to

17

title V of the Gramm-Leach-Bliley Act (15

18

U.S.C. 6801 et seq.).

19

(ii) An entity covered by the regula-

20

tions issued under section 264(c) of the

21

Health Insurance Portability and Account-

22

ability Act of 1996 (Public Law 104191)

23

to the extent that such entity is subject to

24

the requirements of such regulations with

25

respect to protected health information.

ALB15691

S.L.C.

26
1

(4) DATA

IN ELECTRONIC FORM.The

term

data in electronic form means any data stored

electronically or digitally on any computer system or

other database and includes recordable tapes and

other mass storage devices.

(5) DESIGNATED

ENTITY.The

term des-

ignated entity means the Federal Government enti-

ty designated under section 3(a)(2)(A).

9
10

(6) PERSONAL
(A) IN

INFORMATION.

GENERAL.The

term personal in-

11

formation means an individuals first name or

12

first initial and last name in combination with

13

any 1 or more of the following data elements

14

for that individual:

15

(i) Social Security number.

16

(ii) Drivers license number, passport

17

number, military identification number, or

18

other similar number issued on a govern-

19

ment document used to verify identity.

20

(iii) Financial account number, or

21

credit or debit card number, and any re-

22

quired security code, access code, or pass-

23

word that is necessary to permit access to

24

an individuals financial account.

ALB15691

S.L.C.

27
1
2

(iv) Federal or State government


issued identification card.

(v) A username or email address, in

combination with a password or security

question and answer that would allow ac-

cess to an online account.

(vi) Medical information, including the

medical history, mental or physical condi-

tion, or medical treatment or diagnosis by

10

a health care professional of the individual.

11

(vii) Health insurance information, in-

12

cluding a health insurance policy number

13

or subscriber identification number, any

14

unique identifier used by a health insurer

15

to identify an individual, or any informa-

16

tion in a health insurance application or

17

claim history filed by the individual.

18

(viii) An individual taxpayer identi-

19

fication number.

20

(B) EXCLUSIONS.

21

(i) PUBLIC

RECORD INFORMATION.

22

Personal information does not include in-

23

formation obtained about an individual

24

which has been lawfully made publicly

25

available by a Federal, State, or local gov-

ALB15691

S.L.C.

28
1

ernment entity or widely distributed by

media.

(ii) ENCRYPTED,

REDACTED, OR SE-

CURED DATA.Personal

not include information that is encrypted,

redacted, or secured by any other method

or technology that renders the data ele-

ments unusable.

(7) SERVICE

information does

PROVIDER.The

term service

10

provider means an entity that provides electronic

11

data transmission, routing, intermediate, and tran-

12

sient storage, or connections to its system or net-

13

work, where such entity providing such services does

14

not select or modify the content of the electronic

15

data, is not the sender or the intended recipient of

16

the data, and does not differentiate personal infor-

17

mation from other information that such entity

18

transmits, routes, stores, or for which such entity

19

provides connections. Any such entity shall be treat-

20

ed as a service provider under this Act only to the

21

extent that it is engaged in the provision of such

22

transmission, routing, intermediate and transient

23

storage, or connections.

ALB15691

S.L.C.

29
1
2

SEC. 8. EFFECT ON OTHER LAWS.

This Act preempts any law, rule, regulation, require-

3 ment, standard, or other provision having the force and


4 effect of law of any State, or political subdivision of a
5 State, relating to the protection or security of data in elec6 tronic form containing personal information or the notifi7 cation of a breach of security.
8
9

SEC. 9. EFFECTIVE DATE.

This Act shall take effect on the date that is 1 year

10 after the date of enactment of this Act.