[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5166 Introduced in House (IH)]
<DOC>
115th CONGRESS
2d Session
H. R. 5166
To direct the Federal Trade Commission to review and potentially revise
its standards for safeguarding customer information to ensure that such
standards require certain consumer reporting agencies and service
providers of such agencies to maintain sufficient safeguards against
cyber attacks and related threats, to provide for additional authority
to enforce such standards with respect to such agencies and providers,
and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
March 5, 2018
Mr. Ted Lieu of California introduced the following bill; which was
referred to the Committee on Financial Services, and in addition to the
Committee on Energy and Commerce, for a period to be subsequently
determined by the Speaker, in each case for consideration of such
provisions as fall within the jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To direct the Federal Trade Commission to review and potentially revise
its standards for safeguarding customer information to ensure that such
standards require certain consumer reporting agencies and service
providers of such agencies to maintain sufficient safeguards against
cyber attacks and related threats, to provide for additional authority
to enforce such standards with respect to such agencies and providers,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Protecting Consumer Information Act
of 2018''.
SEC. 2. STANDARDS FOR CYBERSECURITY SAFEGUARDS FOR CERTAIN CONSUMER
REPORTING AGENCIES AND SERVICE PROVIDERS.
(a) Review of Standards; Potential Revision.--
(1) Review.--Not later than 90 days after the date of the
enactment of this Act, the Commission shall complete a review
of the standards contained in the regulations issued by the
Commission under section 501 of the Gramm-Leach-Bliley Act (15
U.S.C. 6801) to determine whether such standards require
covered consumer reporting agencies and covered service
providers to maintain sufficient safeguards to protect customer
records and information against cyber attacks and related
threats.
(2) Revision.--If the Commission determines in the review
completed under paragraph (1) that the standards contained in
the regulations issued by the Commission under section 501 of
the Gramm-Leach-Bliley Act (15 U.S.C. 6801) do not require
covered consumer reporting agencies and covered service
providers to maintain sufficient safeguards to protect customer
records and information against cyber attacks and related
threats, not later than 180 days after the date of the
completion of the review, the Commission shall, pursuant to
section 553 of title 5, United States Code, revise such
regulations so as to provide for standards applicable to
covered consumer reporting agencies and covered service
providers that require such agencies and providers to maintain
sufficient safeguards to protect customer records and
information against cyber attacks and related threats.
(b) Investigations.--
(1) Initial investigation.--
(A) In general.--Not later than 18 months after the
date described in subparagraph (B), the Commission
shall complete an investigation of each person or
entity that, as of the date described in such
subparagraph, is a covered consumer reporting agency or
covered service provider, to determine whether such
agency or provider is in compliance with the
regulations issued by the Commission under section 501
of the Gramm-Leach-Bliley Act (15 U.S.C. 6801).
(B) Date described.--The date described in this
subparagraph is--
(i) if no revision of such regulations is
required by paragraph (2) of subsection (a),
the date of the completion of the review
required by paragraph (1) of such subsection;
or
(ii) if revision of such regulations is
required by paragraph (2) of such subsection,
the date on which the Commission issues the
revised regulations.
(2) Subsequent investigations.--From time to time after the
date that is 18 months after the date described in paragraph
(1)(B), the Commission shall complete an investigation of each
covered consumer reporting agency and each covered service
provider to determine whether such agency or provider is in
compliance with the regulations issued by the Commission under
section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801).
SEC. 3. ENFORCEMENT BY FEDERAL TRADE COMMISSION.
(a) Unfair or Deceptive Acts or Practices.--A violation of a
regulation issued by the Commission under section 501 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801) by a covered consumer reporting
agency or a covered service provider shall be treated as a violation of
a rule under section 18(a)(1)(B) of the Federal Trade Commission Act
(15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or
practices.
(b) Powers of Commission.--The Commission shall enforce, with
respect to covered consumer reporting agencies and covered service
providers, the regulations issued by the Commission under section 501
of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) in the same manner, by
the same means, and with the same jurisdiction, powers, and duties as
though all applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a
part of such section. Any covered consumer reporting agency or covered
service provider that violates such a regulation shall be subject to
the penalties and entitled to the privileges and immunities provided in
the Federal Trade Commission Act.
SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General.--In any case in which the attorney general of a
State, or an official or agency of a State, has reason to believe that
an interest of the residents of such State has been or is threatened or
adversely affected by an act or practice by a covered consumer
reporting agency or covered service provider in violation of a
regulation issued by the Commission under section 501 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801), the State, as parens patriae, may
bring a civil action on behalf of the residents of the State in an
appropriate district court of the United States to--
(1) enjoin such act or practice;
(2) enforce compliance with such regulation;
(3) obtain damages, restitution, or other compensation on
behalf of residents of the State; or
(4) obtain such other legal and equitable relief as the
court may consider to be appropriate.
(b) Notice.--Before filing an action under this section, the
attorney general, official, or agency of the State involved shall
provide to the Commission a written notice of such action and a copy of
the complaint for such action. If the attorney general, official, or
agency determines that it is not feasible to provide the notice
described in this subsection before the filing of the action, the
attorney general, official, or agency shall provide written notice of
the action and a copy of the complaint to the Commission immediately
upon the filing of the action.
(c) Authority of Commission.--
(1) In general.--On receiving notice under subsection (b)
of an action under this section, the Commission shall have the
right--
(A) to intervene in the action;
(B) upon so intervening, to be heard on all matters
arising therein; and
(C) to file petitions for appeal.
(2) Limitation on state action while federal action is
pending.--If the Commission or the Attorney General of the
United States has instituted a civil action for violation of a
regulation issued by the Commission under section 501 of the
Gramm-Leach-Bliley Act (15 U.S.C. 6801) by a covered consumer
reporting agency or covered service provider (referred to in
this paragraph as the ``Federal action''), no State attorney
general, official, or agency may bring an action under this
section during the pendency of the Federal action against any
defendant named in the complaint in the Federal action for any
violation of such regulation alleged in such complaint.
(d) Rule of Construction.--For purposes of bringing a civil action
under this section, nothing in this Act shall be construed to prevent
an attorney general, official, or agency of a State from exercising the
powers conferred on the attorney general, official, or agency by the
laws of such State to conduct investigations, administer oaths and
affirmations, or compel the attendance of witnesses or the production
of documentary and other evidence.
SEC. 5. DEFINITIONS.
In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Covered consumer reporting agency.--The term ``covered
consumer reporting agency'' means a consumer reporting agency
that compiles and maintains files on consumers on a nationwide
basis (as defined in section 603(p) of the Fair Credit
Reporting Act (15 U.S.C. 1681a(p))).
(3) Covered service provider.--The term ``covered service
provider'' means any person or entity that is a service
provider (as defined in section 314.2 of title 16, Code of
Federal Regulations) through provision of services to a covered
consumer reporting agency.
<all>