[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5388 Introduced in House (IH)]
<DOC>
115th CONGRESS
2d Session
H. R. 5388
To require certain entities who collect and maintain personal
information of individuals to secure such information and to provide
notice to such individuals in the case of a breach of security
involving such information, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
March 22, 2018
Mr. Rush introduced the following bill; which was referred to the
Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To require certain entities who collect and maintain personal
information of individuals to secure such information and to provide
notice to such individuals in the case of a breach of security
involving such information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Accountability and Trust Act''.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
(a) General Security Policies and Procedures.--
(1) Regulations.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, United States Code,
to require each covered entity to establish and implement
policies and procedures regarding information security
practices for the treatment and protection of personal
information taking into consideration--
(A) the size of, and the nature, scope, and
complexity of the activities engaged in by such covered
entity;
(B) the sensitivity of any personal information at
issue;
(C) the current state of the art in administrative,
technical, and physical safeguards for protecting such
information; and
(D) the cost of implementing such safeguards.
(2) Requirements.--Such regulations shall require the
policies and procedures to include the following:
(A) A written security policy with respect to the
collection, use, sale, other dissemination, and
maintenance of such personal information.
(B) The identification of an officer or other
individual as the point of contact with responsibility
for the management of information security.
(C) A process for identifying and assessing any
reasonably foreseeable vulnerabilities in the system or
systems maintained by such covered entity that contains
such data, which shall include regular monitoring for a
breach of security of such system or systems.
(D) A process for taking preventive and corrective
action to mitigate against any vulnerabilities
identified in the process required by subparagraph (C),
which may include implementing any changes to security
practices and the architecture, installation, or
implementation of network or operating software, and
for regularly testing or otherwise monitoring the
effectiveness of the safeguards' key controls, systems,
and procedures.
(E) A process for disposing of data containing
personal information by shredding, permanently erasing,
or otherwise modifying the personal information
contained in such data to make such personal
information permanently unreadable or undecipherable.
(F) A process for overseeing persons to whom
personal information is disclosed, or who have access
to internet-connected devices, by--
(i) taking reasonable steps to select and
retain persons that are capable of maintaining
appropriate safeguards for the personal
information or internet-connected devices at
issue; and
(ii) requiring all such persons to
implement and maintain such security measures.
(3) Treatment of entities governed by other federal law.--
Any covered entity who is in compliance with any other Federal
law that requires such covered entity to maintain standards and
safeguards for information security and protection of personal
information that, taken as a whole and as the Commission shall
determine in the rulemaking required under this subsection,
provide protections substantially similar to, or greater than,
those required under this subsection, shall be deemed to be in
compliance with this subsection.
(b) Special Requirements for Information Brokers.--
(1) Submission of policies to the ftc.--The regulations
promulgated under subsection (a) shall require each information
broker to submit its security policies to the Commission in
conjunction with a notification of a breach of security under
section 3 or upon request of the Commission.
(2) Post-breach audit.--For any information broker required
to provide notification under section 3, the Commission may
conduct audits of the information security practices of such
information broker, or require the information broker to
conduct independent audits of such practices (by an independent
auditor who has not audited such information broker's security
practices during the preceding 5 years).
(3) Accuracy of and individual access to personal
information.--
(A) Accuracy.--
(i) In general.--Each information broker
shall establish reasonable procedures to assure
the maximum possible accuracy of the personal
information the information broker collects,
assembles, or maintains, and any other
information the information broker collects,
assembles, or maintains that specifically
identifies an individual, other than
information which merely identifies an
individual's name or address.
(ii) Limited exception for fraud
databases.--The requirement in clause (i) shall
not prevent the collection or maintenance of
information that may be inaccurate with respect
to a particular individual when that
information is being collected or maintained
solely--
(I) for the purpose of indicating
whether there may be a discrepancy or
irregularity in the personal
information that is associated with an
individual; and
(II) to help identify, or
authenticate the identity of, an
individual, or to protect against or
investigate fraud or other unlawful
conduct.
(B) Consumer access to information.--Each
information broker shall--
(i) provide to each individual whose
personal information the information broker
maintains, at the individual's request at least
once per year and at no cost to the individual,
and after verifying the identity of such
individual, a means for the individual to
review any personal information regarding such
individual maintained by the information broker
and any other information maintained by the
information broker that specifically identifies
such individual, other than information which
merely identifies an individual's name or
address; and
(ii) place a conspicuous notice on the
Internet website of the information broker (if
the information broker maintains such a
website) instructing individuals how to request
access to the information required to be
provided under clause (i), and, as applicable,
how to express a preference with respect to the
use of personal information for marketing
purposes under subparagraph (D).
(C) Disputed information.--Whenever an individual
whose information the information broker maintains
makes a written request disputing the accuracy of any
such information, the information broker, after
verifying the identity of the individual making such
request and unless there are reasonable grounds to
believe such request is frivolous or irrelevant,
shall--
(i) correct any inaccuracy; or
(ii) in the case of information that is--
(I) public record information,
inform the individual of the source of
the information, and, if reasonably
available, where a request for
correction may be directed and, if the
individual provides proof that the
public record has been corrected or
that the information broker was
reporting the information incorrectly,
correct the inaccuracy in the
information broker's records; or
(II) nonpublic information, note
the information that is disputed,
including the individual's statement
disputing such information, and take
reasonable steps to independently
verify such information under the
procedures outlined in subparagraph (A)
if such information can be
independently verified.
(D) Alternative procedure for certain marketing
information.--In accordance with regulations issued
under subparagraph (F), an information broker that
maintains any information described in subparagraph (A)
which is used, shared, or sold by such information
broker for marketing purposes, may, in lieu of
complying with the access and dispute requirements set
forth in subparagraphs (B) and (C), provide each
individual whose information the information broker
maintains with a reasonable means of expressing a
preference not to have his or her information used for
such purposes. If the individual expresses such a
preference, the information broker may not use, share,
or sell the individual's information for marketing
purposes.
(E) Limitations.--An information broker may limit
the access to information required under subparagraph
(B)(i) and is not required to provide notice to
individuals as required under subparagraph (B)(ii) in
the following circumstances:
(i) If access of the individual to the
information is limited by law or legally
recognized privilege.
(ii) If the information is used for a
legitimate governmental or fraud prevention
purpose that would be compromised by such
access.
(iii) If the information consists of a
published media record, unless that record has
been included in a report about an individual
shared with a third party.
(F) Rulemaking.--Not later than 1 year after the
date of enactment of this Act, the Commission shall
promulgate regulations under section 553 of title 5,
United States Code, to carry out this paragraph and to
facilitate the purposes of this Act. In addition, the
Commission shall issue regulations, as necessary, under
section 553 of title 5, United States Code, on the
scope of the application of the limitations in
subparagraph (E), including any additional
circumstances in which an information broker may limit
access to information under such clause that the
Commission determines to be appropriate.
(G) FCRA regulated persons.--Any information broker
who is engaged in activities subject to the Fair Credit
Reporting Act and who is in compliance with sections
609, 610, and 611 of such Act (15 U.S.C. 1681g; 1681h;
1681i) with respect to information subject to such Act,
shall be deemed to be in compliance with this paragraph
with respect to such information.
(4) Requirement of audit log of accessed and transmitted
information.--Not later than 1 year after the date of enactment
of this Act, the Commission shall promulgate regulations under
section 553 of title 5, United States Code, to require
information brokers to establish measures which facilitate the
auditing or retracing of any internal or external access to, or
transmissions of, any data containing personal information
collected, assembled, or maintained by such information broker.
(5) Prohibition on pretexting by information brokers.--
(A) Prohibition on obtaining personal information
by false pretenses.--It shall be unlawful for an
information broker to obtain or attempt to obtain, or
cause to be disclosed or attempt to cause to be
disclosed to any person, personal information or any
other information relating to any person by--
(i) making a false, fictitious, or
fraudulent statement or representation to any
person; or
(ii) providing any document or other
information to any person that the information
broker knows or should know to be forged,
counterfeit, lost, stolen, or fraudulently
obtained, or to contain a false, fictitious, or
fraudulent statement or representation.
(B) Prohibition on solicitation to obtain personal
information under false pretenses.--It shall be
unlawful for an information broker to request a person
to obtain personal information or any other information
relating to any other person, if the information broker
knew or should have known that the person to whom such
a request is made will obtain or attempt to obtain such
information in the manner described in subparagraph
(A).
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) Individual Notification.--
(1) In general.--Each covered entity shall, following the
discovery of a breach of security, notify each individual who
is a citizen or resident of the United States whose personal
information was, or is reasonably believed to have been,
acquired or accessed by an unauthorized person, or used for an
unauthorized purpose.
(2) Timeliness of notification.--
(A) In general.--Unless subject to a delay
authorized under subparagraph (B), a notification
required under paragraph (1) shall be made as
expeditiously as practicable and without unreasonable
delay, but not later than 30 days following the
discovery of a breach of security.
(B) Delay of notification authorized for law
enforcement or national security purposes.--
(i) Law enforcement.--If a Federal or State
law enforcement agency, including an attorney
general of a State, determines that the
notification required under this section would
impede a civil or criminal investigation, such
notification shall be delayed upon the written
request of the law enforcement agency for 30
days or such lesser period of time which the
law enforcement agency determines is reasonably
necessary and requests in writing. Such law
enforcement agency may, by a subsequent written
request, revoke such delay or extend the period
of time set forth in the original request made
under this paragraph if further delay is
necessary.
(ii) National security.--If a Federal
national security agency or homeland security
agency determines that the notification
required under this section would threaten
national or homeland security, such
notification may be delayed for a period of
time which the national security agency or
homeland security agency determines is
reasonably necessary and requests in writing. A
Federal national security agency or homeland
security agency may revoke such delay or extend
the period of time set forth in the original
request made under this paragraph by a
subsequent written request if further delay is
necessary.
(b) Coordination of Notification With Credit Reporting Agencies.--
If a covered entity is required to provide notification to more than
5,000 individuals under subsection (a)(1), the covered entity shall
also notify the major consumer reporting agencies that compile and
maintain files on consumers on a nationwide basis, of the timing and
distribution of the notifications. Such notification shall be given to
the credit reporting agencies without unreasonable delay and, if such
notification will not delay notification to the affected individuals,
prior to the distribution of notifications to the affected individuals.
(c) Method and Content of Notification.--
(1) General notification.--A covered entity required to
provide notification to individuals under subsection (a)(1)
shall be in compliance with such requirement if the covered
entity provides conspicuous and clearly identified notification
by one of the following methods (provided the selected method
can reasonably be expected to reach the intended individual):
(A) Written notification to the last known home
mailing address of the individual in the records of the
covered entity.
(B) Notification by email or other electronic
means, if--
(i) the covered entity's primary method of
communication with the individual is by email
or such other electronic means; or
(ii) the individual has consented to
receive such notification and the notification
is provided in a manner that is consistent with
the provisions permitting electronic
transmission of notifications under section 101
of the Electronic Signatures in Global Commerce
Act (15 U.S.C. 7001).
(2) Website notification.--The covered entity shall also
provide conspicuous notification on the Internet website of the
covered entity (if such covered entity maintains such a
website) for a period of not less than 90 days.
(3) Media notification.--If the number of residents of a
State whose personal information was, or is reasonably believed
to have been acquired or accessed by an unauthorized person, or
used for an unauthorized purpose exceeds 5,000, the covered
entity shall also provide notification in print and to
broadcast media, including major media in metropolitan and
rural areas where the individuals whose personal information
was, or is reasonably believed to have been, acquired or
accessed by an unauthorized person, or used for an unauthorized
purpose, reside.
(4) Content of notification.--
(A) In general.--Regardless of the method by which
notification is provided to an individual under
paragraphs (1), (2), and (3), such notification shall
include--
(i) a description of the personal
information that was, or is reasonably believed
to have been, acquired or accessed by an
unauthorized person, or used for an
unauthorized purpose;
(ii) a telephone number that the individual
may use, at no cost to such individual, to
contact the covered entity, or agent of the
covered entity, to inquire about the breach of
security or the information the covered entity
maintained about that individual;
(iii) notification that the individual is
entitled to receive, at no cost to such
individual, consumer credit reports on a
quarterly basis for a period of 5 years, or
credit monitoring or other service that enables
consumers to detect the misuse of their
personal information for a period of 5 years,
and instructions to the individual on
requesting such reports or service from the
covered entity;
(iv) the toll-free contact telephone
numbers and addresses for the major credit
reporting agencies; and
(v) a toll-free telephone number and
Internet website address for the Commission
whereby the individual may obtain information
regarding identity theft.
(B) Direct business relationship.--Regardless of
whether the covered entity or a designated third party
provides notification under this subsection, such
notification shall identify the covered entity that has
a direct business relationship with the individual.
(5) Regulations for substitute notification.--Not later
than 1 year after the date of enactment of this Act, the
Commission shall, by regulation under section 553 of title 5,
United States Code--
(A) establish criteria for determining
circumstances under which substitute notification may
be provided in lieu of direct notification required by
paragraph (1), including criteria for determining if
notification under paragraph (1) is not feasible due to
excessive costs to the covered entity required to
provided such notification relative to the resources of
such covered entity; and
(B) establish the form and content of substitute
notification.
(d) Notification for Law Enforcement and Other Purposes.--A covered
entity shall, as expeditiously as practicable and without unreasonable
delay, but not later than 14 days following the discovery of a breach
of security, provide notification of the breach to--
(1) the Commission;
(2) the Federal Bureau of Investigation;
(3) the Secret Service;
(4) for common carriers, the Federal Communications
Commission;
(5) the Consumer Financial Protection Bureau; and
(6) the attorney general of each State in which the
personal information of a resident or residents of the State
was, or is reasonably believed to have been, acquired or
accessed by an unauthorized person, or used for an unauthorized
purpose.
(e) Other Obligations Following Breach.--
(1) In general.--A covered entity required to provide
notification under subsection (a) shall, upon request of an
individual whose personal information was included in the
breach of security, provide or arrange for the provision of, to
each such individual and at no cost to such individual--
(A) consumer credit reports from the major credit
reporting agencies beginning not later than 60 days
following the individual's request and continuing on a
quarterly basis for a period of 5 years thereafter; or
(B) a credit monitoring or other service that
enables consumers to detect the misuse of their
personal information, beginning not later than 60 days
following the individual's request and continuing for a
period of 5 years.
(2) Rulemaking.--As part of the Commission's rulemaking
described in subsection (c)(5), the Commission shall determine
the circumstances under which a covered entity required to
provide notification under subsection (a) shall provide or
arrange for the provision of free consumer credit reports or
credit monitoring or other service to affected individuals.
(f) Website Notification of Federal Trade Commission.--If the
Commission, upon receiving notification of any breach of security that
is reported to the Commission under subsection (d)(1), finds that
notification of such a breach of security via the Commission's Internet
website would be in the public interest or for the protection of
consumers, the Commission shall place such a notification in a clear
and conspicuous location on its Internet website.
(g) Website Notification of State Attorneys General.--If a State
attorney general, upon receiving notification of any breach of security
that is reported to the Commission under subsection (d)(5), finds that
notification of such a breach of security through the State attorney
general's Internet website would be in the public interest or for the
protection of consumers, the State attorney general shall place such a
notification in a clear and conspicuous location on its Internet
website.
(h) FTC Study on Notification in Languages in Addition to
English.--Not later than 1 year after the date of enactment of this
Act, the Commission shall conduct a study on the practicality and cost
effectiveness of requiring the notification required by subsection
(c)(1) to be provided in a language in addition to English to
individuals known to speak only such other language.
(i) Education and Outreach for Small Businesses.--The Commission
shall conduct education and outreach for small business concerns on
data security practices and how to prevent hacking and other
unauthorized access to, acquisition of, or use of data maintained by
such small business concerns.
(j) Website on Data Security Best Practices.--The Commission shall
establish and maintain an Internet website containing non-binding best
practices for businesses regarding data security and how to prevent
hacking and other unauthorized access to, acquisition of, or use of
data maintained by such businesses.
(k) General Rulemaking Authority.--
(1) In general.--The Commission may promulgate regulations
necessary under section 553 of title 5, United States Code, to
effectively enforce the requirements of this section.
(2) Limitation.--In promulgating rules under this Act, the
Commission shall not require the deployment or use of any
specific products or technologies, including any specific
computer software or hardware.
(l) Treatment of Persons Governed by Other Law.--A covered entity
who is in compliance with any other Federal law that requires such
covered entity to provide notification to individuals following a
breach of security, shall be deemed to be in compliance with this
section with respect to activities and information covered under such
Federal law.
SEC. 4. APPLICATION AND ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2 or 3 shall be treated as an unfair and deceptive act
or practice in violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices
and shall be subject to enforcement by the Commission under
that Act with respect to any covered entity. All of the
functions and powers of the Commission under the Federal Trade
Commission Act are available to the Commission to enforce
compliance by any person with the requirements imposed under
this title, irrespective of whether that person is engaged in
commerce or meets any other jurisdictional tests under the
Federal Trade Commission Act.
(2) Coordination with federal communications commission.--
Where enforcement relates to entities subject to the authority
of the Federal Communications Commission, enforcement actions
by the Commission will be coordinated with the Federal
Communications Commission.
(3) Coordination with consumer financial protection
bureau.--Where enforcement relates to financial information or
information associated with the provision of financial products
or services, enforcement actions by the Commission will be
coordinated with the Consumer Financial Protection Bureau.
(b) Enforcement by State Attorneys General.--
(1) In general.--If the chief law enforcement officer of a
State, or an official or agency designated by a State, has
reason to believe that any covered entity has violated or is
violating section 2 or 3 of this Act, the attorney general,
official, or agency of the State, in addition to any authority
it may have to bring an action in State court under its
consumer protection law, may bring a civil action in any
appropriate United States district court or in any other court
of competent jurisdiction, including a State court, to--
(A) enjoin further such violation by the defendant;
(B) enforce compliance with this such section;
(C) obtain civil penalties in the amount determined
under paragraph (2); and
(D) obtain damages, restitution, or other
compensation on behalf of residents of the State.
(2) Civil penalties.--
(A) Calculation.--
(i) Treatment of violations of section 2.--
For purposes of paragraph (1)(C) with regard to
a violation of section 2, the amount determined
under this paragraph is the amount calculated
by multiplying the number of days that a
covered entity is not in compliance with such
section by an amount to be determined by the
Commission. Such amount determined by the
Commission shall be adjusted as described in
the Federal Civil Penalties Inflation
Adjustment Act of 1990 (Public Law 101-410; 28
U.S.C. 2461 note).
(ii) Treatment of violations of section
3.--For purposes of paragraph (1)(C) with
regard to a violation of section 3, the amount
determined under this paragraph is the amount
calculated by multiplying the number of
violations of such section by an amount to be
determined by the Commission. Each failure to
send notification as required under section 3
to a citizen or resident of the United States
shall be treated as a separate violation.
(B) Adjustment for inflation.--Beginning on the
date that the Consumer Price Index is first published
by the Bureau of Labor Statistics that is after 1 year
after the date of enactment of this Act, and each year
thereafter, the amounts specified in clauses (i) and
(ii) of subparagraph (A) shall be increased by the
percentage increase in the Consumer Price Index
published on that date from the Consumer Price Index
published the previous year.
(3) Notice and intervention by the ftc.--
(A) The attorney general of a State shall provide
prior written notice of any action under paragraph (1)
to the Commission and provide the Commission with a
copy of the complaint in the action, except in any case
in which such prior notice is not feasible, in which
case the attorney general shall serve such notice
immediately upon instituting such action. The
Commission shall have the right--
(i) to intervene in the action;
(ii) upon so intervening, to be heard on
all matters arising therein; and
(iii) to file petitions for appeal.
(B) Limitation on state action while federal action
is pending.--If the Commission has instituted a civil
action for violation of this Act, no State attorney
general, or official or agency of a State, may bring an
action under this subsection during the pendency of
that action against any defendant named in the
complaint of the Commission for any violation of this
Act alleged in the complaint.
(4) Relationship with state-law claims.--If the attorney
general of a State has authority to bring an action under State
law directed at acts or practices that also violate this Act,
the attorney general may assert the State-law claim and a claim
under this Act in the same civil action.
SEC. 5. DEFINITIONS.
In this Act:
(1) Breach of security.--The term ``breach of security''
means unauthorized access to, acquisition of, sale of, or use
of data containing personal information.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Covered entity.--The term ``covered entity'' means--
(A) any organization, corporation, trust,
partnership, sole proprietorship, unincorporated
association, or venture over which the Commission has
authority pursuant to section 5(a)(2) of the Federal
Trade Commission Act (15 U.S.C. 45(a)(2));
(B) notwithstanding section 5(a)(2) of the Federal
Trade Commission Act (15 U.S.C. 45(a)(2)), common
carriers subject to the Communications Act of 1934 (47
U.S.C. 151 et seq.); and
(C) notwithstanding sections 4 and 5(a)(2) of the
Federal Trade Commission Act (15 U.S.C. 44 and
45(a)(2)), any non-profit organization, including any
organization described in section 501(c) of the
Internal Revenue Code of 1986 that is exempt from
taxation under section 501(a) of the Internal Revenue
Code of 1986.
(4) Personal information.--
(A) Definition.--The term ``personal information''
means any information or compilation of information
that includes any of the following:
(i) An individual's first name or initial
and last name in combination with any of the
following data elements for that individual:
(I) Home address or telephone
number.
(II) Mother's maiden name.
(III) Month, day, and year of
birth.
(IV) User name or electronic mail
address.
(ii) Driver's license number, passport
number, military identification number, alien
registration number, or other similar number
issued on a government document used to verify
identity.
(iii) Unique account identifier, including
a financial account number, or credit or debit
card number, electronic identification number,
user name, or routing code.
(iv) Partial or complete Social Security
number.
(v) Unique biometric or genetic data such
as a fingerprint, voice print, a retina or iris
image, or any other unique physical
representations.
(vi) Information that could be used to
access an individual's account, such as user
name and password or e-mail address and
password.
(vii) Any two or more of the following data
elements:
(I) An individual's first and last
name or first initial and last name.
(II) A unique account identifier,
including a financial account number or
credit or debit card number, electronic
identification number, user name, or
routing code.
(III) Any security code, access
code, or password, or source code that
could be used to generate such codes or
passwords.
(viii) Information generated or derived
from the operation or use of an electronic
communications device that is sufficient to
identify the street name and name of the city
or town in which the device is located.
(ix) Any information regarding an
individual's medical history, mental or
physical condition, medical treatment or
diagnosis by a health care professional, or the
provision of health care to the individual,
including health information provided to a
website or mobile application.
(x) A health insurance policy number or
subscriber identification number and any unique
identifier used by a health insurer to identify
the individual, or any information in an
individual's health insurance application and
claims history, including any appeals records.
(xi) Digitized or other electronic
signature.
(xii) Nonpublic communications or other
user-created content such as emails,
photographs, or videos.
(xiii) Any record or information concerning
payroll, income, financial accounts, mortgages,
loans, lines of credit, utility bills,
accumulated purchases, or any other information
regarding financial assets, obligations, or
spending habits.
(xiv) Any additional element the Commission
defines as personal information.
(B) Modified definition by rulemaking.--The
Commission may, by rule promulgated under section 553
of title 5, United States Code, modify the definition
of ``personal information'' under subparagraph (A).
(5) State.--The term ``State'' means each of the several
States, the District of Columbia, the Commonwealth of Puerto
Rico, Guam, American Samoa, the United States Virgin Islands,
the Commonwealth of the Northern Mariana Islands, any other
territory or possession of the United States, and each
federally recognized Indian tribe.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Effect on State Data Security and Breach Notification Laws.--
This Act supersedes any provision of a statute or regulation of a State
or political subdivision of a State, with respect to a covered entity,
that expressly--
(1) requires information security practices for the
treatment and protection of personal information similar to any
of those required under section 2; or
(2) requires notification to individuals of a breach of
security of personal information.
(b) Effect on Other State Laws.--Nothing in this Act shall be
construed to--
(1) preempt or limit any provision of any law, rule,
regulation, requirement, standard, or other provision having
the force and effect of law of any State, including any State
consumer protection law, any State law relating to acts of
fraud or deception, and any State trespass, contract, or tort
law;
(2) prevent or limit the attorney general of a State from
exercising the powers conferred upon the attorney general by
the laws of the State, including conducting investigations,
administering oaths or affirmations, or compelling the
attendance of witnesses or the production of documentary and
other evidence; or
(3) preempt or limit any provision of any law, rule,
regulation, requirement, standard, or other provision having
the force and effect of law of any State with respect to any
person that is not a covered entity.
(c) Preservation of Authority.--
(1) Federal trade commission.--Nothing in this Act may be
construed in any way to limit the Commission's authority under
any other provision of law.
(2) Federal communications commission.--Nothing in this Act
may be construed in any way to limit or affect the Federal
Communication Commission's authority under any other provision
of law.
(3) Consumer financial protection bureau.--Nothing in this
Act may be construed in any way to limit or affect the Consumer
Financial Protection Bureau's authority under any other
provision of law.
SEC. 7. EFFECTIVE DATE.
This Act shall take effect 90 days after the date of enactment of
this Act.
<all>