US Congress Senate Bill 1995 (Prior Session Legislation)

---

Spectrum: Partisan Bill (Democrat 2-0)
Status: Introduced on February 4 2014 - 25% progression, died in committee
Action: 2014-02-04 - Read twice and referred to the Committee on the Judiciary.
Pending: Senate Judiciary Committee
Text: Latest bill text (Introduced) [PDF]

Personal Data Protection and Breach Accountability Act of 2014 - Title I: Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security - Amends the federal criminal code to impose a fine and/or prison term of up to five years for intentionally or willfully concealing a security breach involving sensitive personally identifiable information when such breach results in economic harm or substantial emotional distress to one or more persons. Makes it unlawful for a service provider to knowingly or intentionally redirect web searches or otherwise monitor, manipulate, aggregate, and market data from websites without the consent of the Internet user. Imposes a civil fine of up to $500,000 for a violation of this provision and an increased fine of up to $1 million for engaging in a pattern or practice of activity that violates this provision. Title II: Privacy and Security of Sensitive Personally Identifiable Information - Makes any interstate business entity that collects, accesses, transmits, uses, stores, or disposes of sensitive personally identifiable information on 10,000 or more U.S. persons subject to the requirements for a data privacy and security program under this Act. Exempts public records not otherwise subject to a confidentiality or nondisclosure requirement, certain financial institutions subject to the Gramm-Leach-Bliley Act, business entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and service providers exclusively engaged in the transmission, routing, or storage of data. Requires business entities that are subject to personal data privacy and security requirements of this Act to implement a comprehensive program that: (1) ensures the privacy, security, and confidentiality of sensitive personally identifiable information; (2) protects against any anticipated vulnerabilities to the privacy, security, or integrity of such information; and (3) protects against unauthorized access to such information that could create a significant risk of harm. Requires such entities to: (1) assess risks of future security breaches and design a personal data privacy and security program to control such risks; (2) ensure employee training for implementing a security program; (3) ensure regular testing of key controls, systems, and procedures of such program; and (4) monitor, evaluate, and adjust the security program to reflect relevant changes in technology and other considerations. Authorizes the Attorney General to bring a civil action or request injunctive relief against any business entity that violates the requirements of this title and obtain fines against such entity for violations, including enhanced penalties for intentional or willful violations. Authorizes a state attorney general to bring a civil action or request injunctive relief against a business entity that adversely threatens or affects the residents of the state by violating the requirements of this title. Allows individuals aggrieved by a violation of the data privacy and security requirements of this title to bring a civil action to recover for personal injuries sustained as a result of such violation. Allows punitive damages against a business entity that intentionally or willfully violates the provisions of this title. Requires any agency or interstate business entity that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information to notify without unreasonable delay any U.S. resident whose information has been, or is reasonably believed to have been, accessed or acquired. Allows a federal law enforcement agency or member of the intelligence community to delay notification if it determines that such notification would impede a lawful criminal investigation or authorized intelligence activity. Exempts an agency or business entity from the notification requirement if: (1) the U.S. Secret Service or the Federal Bureau of Investigation (FBI) determines that notification of a security breach would reveal sensitive sources, impede law enforcement investigations, or cause damage to national security; or (2) the agency or entity conducts a risk assessment in consultation with the Federal Trade Commission (FTC) and concludes that there is no significant risk of a security breach and the FTC does not act to deny an exemption. Exempts certain financial institutions subject to the Gramm-Leach-Bliley Act and business entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Sets forth the method of notice required for informing individuals of a security breach, including written notice to the last known home mailing address or e-mail address of such individuals and public notice by electronic means or by general media if the sensitive personally identifiable information of more than 5,000 individuals is involved. Establishes requirements for the content of a notice to an individual whose sensitive personally identifiable information has been breached, including a description of the categories of such information, contact information, and a notice that such individual is entitled to a free consumer credit report on a quarterly basis for two years. Requires an agency or business entity that is required to provide notice of a security breach to provide at no cost to an individual whose sensitive personally identifiable information was breached a consumer credit report on a quarterly basis for a two-year period, a credit monitoring service, a security freeze on the individual's credit report, and compensation for damages incurred by an individual resulting from the security breach. Requires any agency or business entity that is required to notify more than 5,000 individuals of a security breach to also notify consumer credit reporting agencies without unreasonable delay. Requires the Secretary of Homeland Security (DHS), in consultation with the Attorney General, to designate a federal entity (designated entity) to receive information and reports about information security incidents, threats, and vulnerabilities. Requires the designated entity to provide such information to the Secret Service, to the FBI, to the FTC for civil law enforcement purposes, and to other federal agencies for law enforcement, national security, or data security purposes. Requires business entities and agencies to notify the designated entity of a security breach within 10 days of discovery. Authorizes the Attorney General to bring a civil action or request injunctive relief against any business entity that violates such notification requirements. Grants the FTC authority for enforcing compliance with such requirements. Authorizes a state attorney general to bring a civil action or request injunctive relief against a business entity that adversely threatens or affects the residents of the state by violating such requirements. Allows individuals aggrieved by a violation of the notification requirements to bring a civil action to recover for personal injuries sustained as a result of such violation or obtain injunctive relief. Allows punitive damages against a business entity that intentionally or willfully violates such requirements. Provides that the provisions of this title supersede other provisions of federal or state law relating to notification, but do not exempt any entity from liability under common law for damages caused by failure to notify an individual following a security breach. Authorizes appropriations to the Secret Service to carry out investigations and risk assessments of security breaches. Requires the Secret Service and the FBI to report on the number and nature of the security breaches described in notices filed by entities seeking a risk assessment exemption and the response of the Secret Service and FBI to such notices. Requires the entity designated by DHS under this Act to maintain a clearinghouse of technical information concerning system vulnerabilities identified in the wake of security breaches. Allows agencies and business entities that are certified to review information in the clearinghouse to access such information to improve the security and reduce the vulnerability of networks that contain sensitive personally identifiable information. Requires the DHS designated entity to ensure that: (1) technical information disclosed to it is stored in a format designed to protect proprietary business information from inadvertent disclosure; and (2) all information stored in the technical information clearinghouse is presented in a form that minimizes the potential for such information to be traced to a particular network, company, or security breach incident. Exempts information in the technical information clearinghouse from disclosure under the Freedom of Information Act. Title III: Access to and Use of Commercial Data - Requires the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000, to evaluate: (1) the data privacy and security program of a data broker and the broker's compliance with such program, (2) the extent to which databases and systems have been compromised by security breaches, and (3) data broker responses to such breaches. Defines a "data broker" as a business entity that regularly collects, transmits, or provides access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity for purposes of providing such information to non-affiliated third parties on an interstate basis. Requires federal agencies to: (1) evaluate and audit the information security practices of contractors or third party business entities that support the information systems or operations of such agencies involving sensitive personally identifiable information, and (2) ensure remedial action to address any significant deficiencies. Requires federal agencies to conduct a privacy impact assessment before purchasing or subscribing to personally identifiable information from a data broker. Requires the Comptroller General to report on federal agency adherence to key privacy principles in using data brokers of commercial databases containing sensitive personally identifiable information. Requires the FBI, in coordination with the Secret Service, to report to the Judiciary Committees of Congress on any reported security breaches at agencies or business entities during the year preceding enactment of this Act. Requires the Attorney General to submit annual reports on federal, state, and private enforcement of this Act, with recommendations for increasing the effectiveness of such enforcement actions. Requires the FBI, in coordination with the Attorney General and the FTC to report to the Judiciary Committees on the effectiveness of post-breach notification practices by agencies and business entities. Title IV: Compliance with Statutory Pay-As-You-Go Act - Provides for compliance of the budgetary effects of this Act with the Statutory Pay-As-You-Go Act of 2010.

Personal Data Protection and Breach Accountability Act of 2014

Sen. Richard Blumenthal [D-CT]

Sen. Edward Markey [D-MA]

Date	Chamber	Action
2014-02-04	Senate	Read twice and referred to the Committee on the Judiciary.

Type	Source
Summary	https://www.congress.gov/bill/113th-congress/senate-bill/1995/all-info
Text	https://www.congress.gov/113/bills/s1995/BILLS-113s1995is.pdf