[House Report 114-908]
[From the U.S. Government Publishing Office]


114th Congress   }                                           {    Report
                         HOUSE OF REPRESENTATIVES
 2d Session      }                                           {   114-908

======================================================================



 
           DATA SECURITY AND BREACH NOTIFICATION ACT OF 2015

                                _______
                                

January 3, 2017.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

  Mr. Upton, from the Committee on Energy and Commerce, submitted the 
                               following

                              R E P O R T

                             together with

                            DISSENTING VIEWS

                        [To accompany H.R. 1770]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Energy and Commerce, to whom was referred 
the bill (H.R. 1770) to require certain entities who collect 
and maintain personal information of individuals to secure such 
information and to provide notice to such individuals in the 
case of a breach of security involving such information, and 
for other purposes, having considered the same, report 
favorably thereon with an amendment and recommend that the bill 
as amended do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     9
Background and Need for Legislation..............................     9
Hearings.........................................................    10
Committee Consideration..........................................    10
Committee Votes..................................................    10
Committee Oversight Findings.....................................    17
Statement of General Performance Goals and Objectives............    17
New Budget Authority, Entitlement Authority, and Tax Expenditures    17
Earmark, Limited Tax Benefits, and Limited Tariff Benefits.......    17
Committee Cost Estimate..........................................    17
Congressional Budget Office Estimate.............................    17
Federal Mandates Statement.......................................    21
Duplication of Federal Programs..................................    21
Disclosure of Directed Rule Makings..............................    21
Advisory Committee Statement.....................................    21
Applicability to Legislative Branch..............................    21
Section-by-Section Analysis of the Legislation...................    21
Changes in Existing Law Made by the Bill, as Reported............    25
Minority, Additional, or Dissenting Views........................    26

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE; PURPOSES.

  (a) Short Title.--This Act may be cited as the ``Data Security and 
Breach Notification Act of 2015''.
  (b) Purposes.--The purposes of this Act are to--
          (1) protect consumers from identity theft, economic loss or 
        economic harm, and financial fraud by establishing strong and 
        uniform national data security and breach notification 
        standards for electronic data in interstate commerce while 
        minimizing State law burdens that may substantially affect 
        interstate commerce; and
          (2) expressly preempt any related State laws to ensure 
        uniformity of this Act's standards and the consistency of their 
        application across jurisdictions.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

  A covered entity shall implement and maintain reasonable security 
measures and practices to protect and secure personal information in 
electronic form against unauthorized access and acquisition as 
appropriate for the size and complexity of such covered entity and the 
nature and scope of its activities.

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

  (a) In General.--
          (1) Restoring security.--Except as otherwise provided by this 
        section, a covered entity that uses, accesses, transmits, 
        stores, disposes of, or collects personal information shall, 
        following the discovery of a breach of security restore the 
        reasonable integrity, security, and confidentiality of the data 
        system and identify the impact of the breach pursuant to 
        paragraph (2).
          (2) Investigation.--A covered entity shall conduct in good 
        faith a reasonable and prompt investigation of the breach of 
        security to determine whether there is a reasonable risk that 
        the breach of security has resulted in, or will result in, 
        identity theft, economic loss or economic harm, or financial 
        fraud to the individuals whose personal information was subject 
        to the breach of security.
          (3) Notification to individuals required.--
                  (A) Trigger.--Unless there is no reasonable risk that 
                the breach of security has resulted in, or will result 
                in, identity theft, economic loss or economic harm, or 
                financial fraud to the individuals whose personal 
                information was affected by the breach of security, the 
                covered entity shall notify any resident of the United 
                States that has been affected by the breach of security 
                pursuant to this section.
                  (B) Notification duty.--Unless subject to a delay 
                authorized under subsection (c)--
                          (i) a breached covered entity shall notify 
                        any individual for whom an election was not 
                        made under paragraph (4)(C) not later than 25 
                        days after the non-breached covered entity 
                        declines or fails to exercise the election 
                        under paragraph (4)(C);
                          (ii) a non-breached covered entity shall 
                        notify any individual for whom the non-breached 
                        covered entity provided personal information to 
                        the breached covered entity, and such personal 
                        information was affected by the breach of 
                        security, not later than 25 days after 
                        exercising the election under paragraph (4)(C); 
                        and
                          (iii) any other covered entity shall identify 
                        the individuals affected by a breach of 
                        security and make the notification required 
                        under this subsection as expeditiously as 
                        possible, without unreasonable delay, and not 
                        later than 30 days after completing the 
                        requirements of paragraph (1).
                  (C) Notification required upon discovery of 
                additional individuals affected.--If a covered entity, 
                breached covered entity, or non-breached covered entity 
                has provided the notification to individuals required 
                under this subsection and after such notification 
                discovers additional individuals to whom notification 
                is required under this subsection with respect to the 
                same breach of security, the covered entity, breached 
                covered entity, or non-breached covered entity shall 
                make such notification to such individuals as 
                expeditiously as possible and without unreasonable 
                delay.
          (4) Non-breached covered entity election notice.--
                  (A) Notice to non-breached covered entity required.--
                Subject to the requirements of this paragraph, unless 
                there is no reasonable risk that the breach of security 
                has resulted in, or will result in, identity theft, 
                economic loss or economic harm, or financial fraud 
                related to the personal information provided by the 
                non-breached covered entity to the breached covered 
                entity, the breached covered entity shall, as 
                expeditiously as possible and without unreasonable 
                delay within 10 days after fulfilling the requirements 
                described in paragraph (1), notify in writing each non-
                breached covered entity of the breach of security.
                  (B) Contents of notice.--The breached covered entity 
                shall include in the notice described in subparagraph 
                (A) the elements of personal information received from 
                the non-breached covered entity pursuant to the 
                contract described in subparagraph (C) reasonably 
                believed to be affected by the breach of security.
                  (C) Election by non-breached covered entity after 
                receiving notice from a breached covered entity.--In 
                the case of a breached covered entity that is a party 
                to a written contract with a non-breached covered 
                entity in which the breached covered entity maintains, 
                stores, transmits, or processes data in electronic form 
                containing personal information, not later than 10 days 
                after receipt of the notice described in subparagraph 
                (A), the non-breached covered entity may elect, in 
                writing to the breached covered entity, to provide 
                notification required by paragraph (3) all individuals 
                whose personal information was provided by the non-
                breached covered entity to the breached covered entity 
                and was affected by the breach of security. Such 
                election relieves the breached covered entity of the 
                requirements under paragraph (3) with respect to such 
                individuals.
                  (D) Obligation after election.--
                          (i) Breached covered entity cooperation.--If 
                        a non-breached covered entity elects under 
                        subparagraph (C) to provide notice under 
                        paragraph (3), the breached covered entity 
                        shall cooperate in all reasonable respects with 
                        the non-breached covered entity and provide any 
                        of the information the breached covered entity 
                        possesses that is described under subsection 
                        (d)(1)(B) and provide all personal information 
                        received from the non-breached covered entity 
                        that was affected by the breach of security so 
                        that the notification to such individuals is 
                        made as required under this section. Not later 
                        than 10 business days after the non-breached 
                        covered entity submits a written request for 
                        information requested under this subsection to 
                        the breached covered entity, the breached 
                        covered entity shall provide such information.
                          (ii) Non-breached covered entity 
                        cooperation.--If a non-breached covered entity 
                        does not elect to provide notice to individuals 
                        under subparagraph (C), the non-breached 
                        covered entity shall provide any of the 
                        information the non-breached covered entity 
                        possesses that is described under subsection 
                        (d)(1)(B) for any individual whose personal 
                        information was received from the non-breached 
                        covered entity that was affected by the breach 
                        of security, and cooperate in all reasonable 
                        respects with, the breached covered entity so 
                        that the notification to such individuals is 
                        made as required under this section. Not later 
                        than 10 business days after the breached 
                        covered entity submits a written request for 
                        information requested under this subsection to 
                        the non-breached covered entity, the non-
                        breached covered entity shall provide such 
                        information.
          (5) Law enforcement.--A covered entity shall as expeditiously 
        as possible notify the Commission and the Secret Service or the 
        Federal Bureau of Investigation of the fact that a breach of 
        security has occurred if the number of individuals whose 
        personal information was, or there is a reasonable basis to 
        conclude was, accessed and acquired by an unauthorized person 
        exceeds 10,000. Any notification provided to the Secret Service 
        or the Federal Bureau of Investigation pursuant to this 
        paragraph shall be provided not less than 10 days before 
        notification is provided to individuals pursuant to paragraph 
        (3).
  (b) Special Notification Requirements.--
          (1) Non-profit organizations.--In the event of a breach of 
        security involving personal information that would trigger 
        notification under subsection (a), a non-profit organization 
        may complete such notification according to the procedures set 
        forth in subsection (d)(2).
          (2) Coordination of notification with consumer reporting 
        agencies.--If a covered entity is required to provide 
        notification to more than 10,000 individuals under subsection 
        (a), such covered entity shall also notify a consumer reporting 
        agency that compiles and maintains files on consumers on a 
        nationwide basis, of the timing and distribution of the 
        notices. Such notice shall be given to such consumer reporting 
        agencies without unreasonable delay and, if it will not delay 
        notice to the affected individuals, prior to the distribution 
        of notices to the affected individuals.
  (c) Delay of Notification Authorized for Law Enforcement or National 
Security Purposes.--Notwithstanding paragraph (1), if a Federal, State, 
or local law enforcement agency determines that the notification to 
individuals required under this section would impede a civil or 
criminal investigation or a Federal agency determines that such 
notification would threaten national security, such notification shall 
be delayed upon written request of the law enforcement agency or 
Federal agency which the law enforcement agency or Federal agency 
determines is reasonably necessary and requests in writing. A law 
enforcement agency or Federal agency may, by a subsequent written 
request, revoke such delay or extend the period of time set forth in 
the original request made under this paragraph if further delay is 
necessary. If a law enforcement agency or Federal agency requests a 
delay of notification to individuals under this paragraph, the 
Commission shall, upon written request of the law enforcement agency or 
Federal agency, delay any public disclosure of a notification received 
by the Commission under this section relating to the same breach of 
security until the delay of notification to individuals is no longer in 
effect.
  (d) Method and Content of Notification.--
          (1) Direct notification.--
                  (A) Method of notification.--A covered entity 
                required to provide notification to an individual under 
                subsection (a) shall be in compliance with such 
                requirement if the covered entity provides such notice 
                by one of the following methods (if the selected method 
                can reasonably be expected to reach the intended 
                individual):
                          (i) Written notification by postal mail.
                          (ii) Notification by email or other 
                        electronic means, if the covered entity's 
                        primary method of communication with the 
                        individual is by email or such other electronic 
                        means or the individual has consented to 
                        receive such notification.
                  (B) Content of notification.--Regardless of the 
                method by which notification is provided to an 
                individual under subparagraph (A) with respect to a 
                breach of security, such notification shall include 
                each of the following:
                          (i) The identity of the covered entity that 
                        suffered the breach and, if such covered entity 
                        is also a breached covered entity providing 
                        notice under section 3(b)(1), the identity of 
                        each non-breached covered entity that did not 
                        elect to notify affected individuals pursuant 
                        to section 3(b)(1)(B) sufficient to show the 
                        breached covered entity's commercial 
                        relationship to the individual receiving 
                        notice.
                          (ii) A description of the personal 
                        information that was, or there is a reasonable 
                        basis to conclude was, acquired and accessed by 
                        an unauthorized person.
                          (iii) The date range of the breach of 
                        security, or an approximate date range of the 
                        breach of security if a specific date range is 
                        unknown based on the information available at 
                        the time of the notification.
                          (iv) A telephone number, or toll-free 
                        telephone number for any covered entity that 
                        does not meet the definition of a small 
                        business concern or non-profit organization, 
                        that the individual may use to contact the 
                        covered entity to inquire about the breach of 
                        security or the information the covered entity 
                        maintained about that individual.
                          (v) The toll-free contact telephone numbers 
                        and addresses for a consumer reporting agency 
                        that compiles and maintains files on consumers 
                        on a nationwide basis.
                          (vi) The toll-free telephone number and 
                        Internet website address for the Commission 
                        whereby the individual may obtain information 
                        regarding identity theft.
          (2) Substitute notification.--
                  (A) In general.--If, after making reasonable efforts 
                to contact all individuals to whom notice is required 
                under subsection (a), the covered entity finds that 
                contact information for 500 or more individuals is 
                insufficient or out-of-date, the covered entity shall 
                also provide substitute notice to those individuals, 
                which shall be reasonably calculated to reach the 
                individuals affected by the breach of security.
                  (B) Form of substitute notification.--A covered 
                entity may provide substitute notification by--
                          (i) email or other electronic notification to 
                        the extent that the covered entity has contact 
                        information for individuals to whom it is 
                        required to provide notification under 
                        subsection (a); and
                          (ii) a conspicuous notice on the covered 
                        entity's Internet website (if such covered 
                        entity maintains such a website) for at least 
                        90 days.
                  (C) Content of substitute notice.--Each form of 
                substitute notice under clauses (i) and (ii) of 
                subparagraph (B) shall include the information required 
                under paragraph (1)(B).
          (3) Direct notification by a third party.--Nothing in this 
        Act shall be construed to prevent a covered entity from 
        contracting with a third party to provide the notification 
        required under this section, provided such third party issues 
        such notification without unreasonable delay, in accordance 
        with the requirements of this section, and indicates to all 
        individuals in such notification that such third party is 
        sending such notification on behalf of the covered entity.
  (e) Requirements of Service Providers.--
          (1) In general.--If a service provider becomes aware of a 
        breach of security involving data in electronic form containing 
        personal information that is owned or licensed by a covered 
        entity that connects to or uses a system or network provided by 
        the service provider for the purpose of transmitting, routing, 
        or providing intermediate or transient storage of such data, 
        such service provider shall notify the covered entity who 
        initiated such connection, transmission, routing, or storage of 
        the data containing personal information breached, if such 
        covered entity can be reasonably identified. If a service 
        provider is acting solely as a service provider for purposes of 
        this subsection, the service provider has no other notification 
        obligations under this section.
          (2) Covered entities who receive notice from service 
        providers.--Upon receiving notification from a service provider 
        under paragraph (1), a covered entity shall provide 
        notification as required under this section.

SEC. 4. ENFORCEMENT.

  (a) Enforcement by the Federal Trade Commission.--
          (1) Unfair or deceptive acts or practices.--A violation of 
        section 2 or 3 shall be treated as an unfair and deceptive act 
        or practice in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
          (2) Powers of commission.--The Commission shall enforce this 
        Act in the same manner, by the same means, and with the same 
        jurisdiction, powers, and duties as though all applicable terms 
        and provisions of the Federal Trade Commission Act (15 U.S.C. 
        41 et seq.) were incorporated into and made a part of this Act, 
        and any covered entity who violates this Act shall be subject 
        to the penalties and entitled to the privileges and immunities 
        provided in the Federal Trade Commission Act (15 U.S.C. 41 et 
        seq.), and as provided in clauses (ii) and (iii) of section 
        5(5)(A). Notwithstanding section 5(m) of the Federal Trade 
        Commission Act, the Commission may impose civil penalties for 
        violations of section 3 in an amount not greater than $1,000 
        per violation. Each failure to send notification as required 
        under section 3 to a resident of the United States shall be 
        treated as a separate violation.
          (3) Maximum total liability for first-time violation of 
        section 2.--The maximum total civil penalty for which any 
        covered entity is liable under this subsection for all 
        violations of section 2 resulting from the same related act or 
        omission may not exceed $8,760,000, if such act or omission 
        constitutes the covered entity's first violation of section 2.
          (4) Maximum total liability for first-time violation of 
        section 3.--The maximum total civil penalty for which any 
        covered entity is liable under this subsection for all 
        violations of section 3 resulting from the same related act or 
        omission may not exceed $17,520,000, if such act or omission 
        constitutes the covered entity's first violation of section 3.
  (b) Enforcement by State Attorneys General.--
          (1) Civil action.--In any case in which the attorney general 
        of a State has reason to believe that an interest of the 
        residents of that State has been or is threatened or adversely 
        affected by any covered entity who violates section 2 or 3 of 
        this Act, the attorney general of the State, as parens patriae, 
        may bring a civil action on behalf of the residents of the 
        State in a district court of the United States of appropriate 
        jurisdiction to--
                  (A) enjoin further violation of such section by the 
                defendant;
                  (B) compel compliance with such section; or
                  (C) obtain civil penalties in the amount determined 
                under paragraph (2).
          (2) Civil penalties.--
                  (A) Calculation.--
                          (i) Treatment of violations of section 2.--
                        For purposes of paragraph (1)(C) with regard to 
                        all violations of section 2 resulting from the 
                        same related act or omission, the amount 
                        determined under this paragraph is the amount 
                        calculated by multiplying the number of days 
                        that a covered entity is not in compliance with 
                        such section by an amount not greater than 
                        $11,000.
                          (ii) Treatment of violations of section 3.--
                        For purposes of paragraph (1)(C) with regard to 
                        a violation of section 3, the amount determined 
                        under this paragraph is the amount calculated 
                        by multiplying the number of violations of such 
                        section by an amount not greater than $1,000. 
                        Each failure to send notification as required 
                        under section 3 to a resident of the State 
                        shall be treated as a separate violation.
                  (B) Maximum total liability.--Notwithstanding the 
                number of actions which may be brought against a 
                covered entity under this subsection, the maximum civil 
                penalty for which any covered entity may be liable 
                under this subsection shall not exceed--
                          (i) $2,500,000 for each violation of section 
                        2; and
                          (ii) $2,500,000 for all violations of section 
                        3 resulting from a single breach of security.
                  (C) Adjustment for inflation.--Beginning on the date 
                that the Consumer Price Index is first published by the 
                Bureau of Labor Statistics that is after one year after 
                the date of enactment of this Act, and each year 
                thereafter, the amounts specified in clauses (i) and 
                (ii) of subparagraph (A) and clauses (i) and (ii) of 
                subparagraph (B) shall be increased by the percentage 
                increase in the Consumer Price Index published on that 
                date from the Consumer Price Index published the 
                previous year.
                  (D) Penalty factors.--In determining the amount of 
                such a civil penalty, the degree of culpability, any 
                history of prior such conduct, ability to pay, effect 
                on ability to continue to do business, and such other 
                matters as justice may require shall be taken into 
                account.
          (3) Intervention by the federal trade commission.--
                  (A) Notice and intervention.--In all cases, the State 
                shall provide prior written notice of any action under 
                paragraph (1) to the Commission and provide the 
                Commission with a copy of its complaint, except in any 
                case in which such prior notice is not feasible, in 
                which case the State shall serve such notice 
                immediately upon instituting such action. The 
                Commission shall have the right--
                          (i) to intervene in the action;
                          (ii) upon so intervening, to be heard on all 
                        matters arising therein; and
                          (iii) to file petitions for appeal.
                  (B) Pending proceedings.--If the Federal Trade 
                Commission initiates a Federal civil action for a 
                violation of this Act, no State attorney general may 
                bring an action for a violation of this Act that 
                resulted from the same or related acts or omissions 
                against a defendant named in the civil action initiated 
                by the Federal Trade Commission.
          (4) Construction.--For purposes of bringing any civil action 
        under paragraph (1), nothing in this Act shall be construed to 
        prevent an attorney general of a State from exercising the 
        powers conferred on the attorney general by the laws of that 
        State to--
                  (A) conduct investigations;
                  (B) administer oaths or affirmations; or
                  (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
  (c) No Private Cause of Action.--Nothing in this Act shall be 
construed to establish a private cause of action against a person for a 
violation of this Act.

SEC. 5. DEFINITIONS.

  In this Act:
          (1) Breach of security.--The term ``breach of security''--
                  (A) means a compromise of the security, 
                confidentiality, or integrity of, or loss of, data in 
                electronic form that results in, or there is a 
                reasonable basis to conclude has resulted in, 
                unauthorized access to and acquisition of personal 
                information from a covered entity; and
                  (B) does not include the good faith acquisition of 
                personal information by an employee or agent of the 
                covered entity for the purposes of the covered entity, 
                if the personal information is not used or subject to 
                further unauthorized disclosure.
          (2) Breached covered entity.--The term ``breached covered 
        entity'' means a covered entity that has incurred a breach of 
        security affecting data in electronic form containing personal 
        information of a non-breached covered entity that has directly 
        contracted the breached covered entity to maintain, store, or 
        process data in electronic form containing personal information 
        on behalf of such non-breached covered entity. For purposes of 
        this definition, the term ``breached covered entity'' shall not 
        include a service provider that is subject to section 3(e).
          (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
          (4) Consumer reporting agency that compiles and maintains 
        files on consumers on a nationwide basis.--The term ``consumer 
        reporting agency that compiles and maintains files on consumers 
        on a nationwide basis'' has the meaning given that term in 
        section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 
        1681a(p)).
          (5) Covered entity.--
                  (A) In general.--The term ``covered entity'' means--
                          (i) a sole proprietorship, partnership, 
                        corporation, trust, estate, cooperative, 
                        association, or other entity in or affecting 
                        commerce that acquires, maintains, stores, 
                        sells, or otherwise uses data in electronic 
                        form that includes personal information, over 
                        which the Commission has authority pursuant to 
                        section 5(a)(2) of the Federal Trade Commission 
                        Act (15 U.S.C. 45(a)(2));
                          (ii) notwithstanding section 5(a)(2) of the 
                        Federal Trade Commission Act (15 U.S.C. 
                        45(a)(2)), common carriers subject to the 
                        Communications Act of 1934 (47 U.S.C. 151 et 
                        seq.); and
                          (iii) notwithstanding any jurisdictional 
                        limitation of the Federal Trade Commission Act 
                        (15 U.S.C. 41 et seq.), any non-profit 
                        organization.
                  (B) Exceptions.--The term ``covered entity'' does not 
                include--
                          (i) a covered entity, as defined in section 
                        160.103 of title 45, Code of Federal 
                        Regulations;
                          (ii) a business associate, as defined in 
                        section 160.103 of title 45, Code of Federal 
                        Regulations, acting in its capacity as a 
                        business associate;
                          (iii) if a covered entity, as defined in 
                        section 160.103 of title 45, Code of Federal 
                        Regulations, is a hybrid entity, as defined in 
                        section 164.105 of title 45, Code of Federal 
                        Regulations, then the health care component of 
                        such hybrid entity;
                          (iv) a broker, dealer, investment adviser, 
                        futures commission merchant, special purpose 
                        vehicle, finance company, or person engaged in 
                        providing insurance that is subject to title V 
                        of Public Law 106-102 (15 U.S.C. 6801 et seq.);
                          (v) a State-chartered credit union, as 
                        defined in section 101(6) of the Federal Credit 
                        Union Act (12 U.S.C. 1752(6)), that is not an 
                        insured credit union as defined in section 
                        101(7) of such Act (12 U.S.C. 1752(7)); or
                          (vi) a credit union service organization as 
                        outlined in section 106(7)(I) of the Federal 
                        Credit Union Act (12 U.S.C. 1757(7)(I)).
          (6) Data in electronic form.--The term ``data in electronic 
        form'' means any data stored electronically or digitally on any 
        computer system or other database and includes recordable tapes 
        and other mass storage devices.
          (7) Encrypted.--The term ``encrypted'', used with respect to 
        data in electronic form, in storage or in transit--
                  (A) means the data is protected using an encryption 
                technology that has been generally accepted by experts 
                in the field of information security at the time the 
                breach of security occurred that renders such data 
                indecipherable in the absence of associated 
                cryptographic keys necessary to enable decryption of 
                such data; and
                  (B) includes appropriate management and safeguards of 
                such cryptographic keys in order to protect the 
                integrity of the encryption.
          (8) Non-breached covered entity.--The term ``non-breached 
        covered entity'' means a covered entity that has not incurred 
        the breach of security involving data in electronic form 
        containing personal information that it owns or licenses but 
        whose data has been affected by the breach of security incurred 
        by a breached covered entity it directly contracts to maintain, 
        store, or process data in electronic form containing personal 
        information on behalf of the non-breached covered entity.
          (9) Non-profit organization.--The term ``non-profit 
        organization'' means an organization that is described in 
        section 501(c)(3) of the Internal Revenue Code of 1986 and 
        exempt from tax under section 501(a) of such Code.
          (10) Personal information.--
                  (A) In general.--The term ``personal information'' 
                means any information or compilation of information in 
                electronic form that includes the following:
                          (i) An individual's first and last name or 
                        first initial and last name in combination with 
                        all of the following:
                                  (I) Home address or telephone number.
                                  (II) Mother's maiden name, if 
                                identified as such.
                                  (III) Month, day, and year of birth.
                          (ii) A financial account number or credit or 
                        debit card number or other identifier, in 
                        combination with any security code, access 
                        code, or password that is required for an 
                        individual to obtain credit, withdraw funds, or 
                        engage in a financial transaction.
                          (iii) A unique account identifier (other than 
                        for an account described in clause (ii)), 
                        electronic identification number, biometric 
                        data unique to an individual, user name, or 
                        routing code in combination with any associated 
                        security code, access code, biometric data 
                        unique to an individual, or password that is 
                        required for an individual to obtain money, or 
                        purchase goods, services, or any other thing of 
                        value.
                          (iv) A non-truncated social security number.
                          (v) Any information that pertains to the 
                        transmission of specific calls, including, for 
                        outbound calls, the number called, and the 
                        time, location, or duration of any call and, 
                        for inbound calls, the number from which the 
                        call was placed, and the time, location, or 
                        duration of any call.
                          (vi) A user name or email address, in 
                        combination with a password or security 
                        question and answer that would permit access to 
                        an online account.
                          (vii) A driver's license number, passport 
                        number, or alien registration number or other 
                        government-issued unique identification number.
                  (B) Exceptions.--The term ``personal information'' 
                does not include--
                          (i) information that is encrypted or rendered 
                        unusable, unreadable, or indecipherable through 
                        data security technology or methodology that is 
                        generally accepted by experts in the field of 
                        information security at the time the breach of 
                        security occurred, such as redaction or access 
                        controls; or
                          (ii) information available in a publicly 
                        available source, including information 
                        obtained from a news report, periodical, or 
                        other widely distributed media, or from 
                        Federal, State, or local government records.
          (11) Service provider.--The term ``service provider'' means a 
        covered entity subject to the Communications Act of 1934 (47 
        U.S.C. 151 et seq.) that provides electronic data transmission, 
        routing, intermediate and transient storage, or connection to 
        its system or network, where such entity providing such service 
        does not select or modify the content of the electronic data, 
        is not the sender or the intended recipient of the data, and 
        does not differentiate personal information from other 
        information that such entity transmits, routes, stores, or for 
        which such entity provides connections. Any such entity shall 
        be treated as a service provider under this Act only to the 
        extent that it is engaged in the provision of such 
        transmission, routing, intermediate and transient storage, or 
        connections.
          (12) Small business concern.--The term ``small business 
        concern'' has the meaning given such term under section 3 of 
        the Small Business Act (15 U.S.C. 632).
          (13) State.--The term ``State'' means each of the several 
        States, the District of Columbia, the Commonwealth of Puerto 
        Rico, Guam, American Samoa, the Virgin Islands of the United 
        States, the Commonwealth of the Northern Mariana Islands, any 
        other territory or possession of the United States, and each 
        federally recognized Indian tribe.

SEC. 6. EFFECT ON OTHER LAWS.

  (a) Preemption of State Information Security Laws.--No State or 
political subdivision of a State shall, with respect to a covered 
entity subject to this Act, adopt, maintain, enforce, or impose or 
continue in effect any law, rule, regulation, duty, requirement, 
standard, or other provision having the force and effect of law 
relating to or with respect to the security of data in electronic form 
or notification following a security breach of such data.
  (b) Common Law.--This section shall not exempt a covered entity from 
liability under common law.
  (c) Certain FTC Enforcement Limited to Data Security and Breach 
Notification.--
          (1) Data security and breach notification.--Insofar as 
        sections 201, 202, 222, 338, and 631 of the Communications Act 
        of 1934 (47 U.S.C. 201, 202, 222, 338, and 551), and any 
        regulations promulgated thereunder, apply to covered entities 
        with respect to securing information in electronic form from 
        unauthorized access and acquisition, including notification of 
        unauthorized access and acquisition to data in electronic form 
        containing personal information, such sections and regulations 
        promulgated thereunder shall have no force or effect, unless 
        such regulations pertain solely to 9-1-1 calls.
          (2) Rule of construction.--Nothing in this subsection 
        otherwise limits the Federal Communications Commission's 
        authority with respect to sections 201, 202, 222, 338, and 631 
        of the Communications Act of 1934 (47 U.S.C. 201, 202, 222, 
        338, and 551).
  (d) Preservation of Commission Authority.--Nothing in this Act may be 
construed in any way to limit or affect the Commission's authority 
under any other provision of law.

SEC. 7. EDUCATION AND OUTREACH FOR SMALL BUSINESSES.

  The Commission shall conduct education and outreach for small 
business concerns on data security practices and how to prevent hacking 
and other unauthorized access to, acquisition of, or use of data 
maintained by such small business concerns.

SEC. 8. WEBSITE ON DATA SECURITY BEST PRACTICES.

  The Commission shall establish and maintain an Internet website 
containing non-binding best practices for businesses regarding data 
security and how to prevent hacking and other unauthorized access to, 
acquisition of, or use of data maintained by such businesses.

SEC. 9. EFFECTIVE DATE.

  This Act shall take effect 1 year after the date of enactment of this 
Act.

                          PURPOSE AND SUMMARY

    To require certain entities who collect and maintain 
personal information of individuals to secure such information 
and to provide notice to such individuals in the case of a 
breach of security involving such information and for other 
purposes.

                  BACKGROUND AND NEED FOR LEGISLATION

    Consumers face an increasing risk of identity theft and 
financial fraud created by criminals with varying motivations, 
but a common goal: to steal personal information for financial 
gain.
    Currently, there are forty-seven different State laws 
dealing with data breach notification and twelve State laws 
governing commercial data security. This patchwork of State 
laws creates confusion for consumers looking for consistency 
and predictability in breach notices, as well as complex 
compliance issues for businesses as they secure their systems 
after a breach. Moreover, this patchwork has not always 
resulted in better consumer protections and may lead to 
additional opportunities for cyber criminals to exploit 
vulnerable individuals with phishing attacks or other schemes 
because there is no consistent standard for data security or 
breach notification. Following a breach, consumers must take 
steps to protect their accounts and their credit by replacing 
their cards, updating accounts, and monitoring their credit 
with existing tools. In addition, consumers ultimately bear the 
costs of the breach through higher fees and prices.
    H.R. 1770 addresses the growing problem of identity theft 
and payment fraud by requiring covered entities to implement 
reasonable security measures for the type of personal 
information that criminals use for identity theft and payment 
fraud and to notify individuals in the case of a breach of 
security for such personal information. H.R. 1770 would 
establish a single Federal regime enforced by the Federal Trade 
Commission (FTC) and subject to civil penalties. Additionally, 
State attorneys general would be authorized to enjoin 
violations, compel compliance, or seek civil penalties for 
violations of the Act. H.R. 1770 is limited in scope to address 
those categories of information that result in identity theft 
and payment fraud. The bill neither addresses privacy issues 
nor preempts existing privacy laws.

                                HEARINGS

    The Subcommittee on Commerce, Manufacturing, and Trade held 
a hearing on the discussion draft, H.R. __, the Data Security 
and Breach Notification Act of 2015 on March 18, 2015. The 
Subcommittee received testimony from:
           Jessica Rich, Director, Bureau of Consumer 
        Protection, Federal Trade Commission;
           Clete Johnson, Chief Counsel for 
        Cybersecurity, Public Safety and Homeland Security 
        Bureau, Federal Communications Commission;
           Mallory Duncan, Senior Vice President and 
        General Counsel, National Retail Federation;
           Jon Leibowitz, Partner, David Polk & 
        Wardwell LLP, Co-Chairman of, and on behalf of, the 
        21st Century Privacy Coalition;
           Laura Moy, Senior Policy Council, Open 
        Technology Institute, New America;
           Yael Weinman, Vice President, Global Privacy 
        Policy and General Counsel, Information Technology 
        Industry Council; and,
           Sara Cable, Assistant Attorney General, 
        Office of the Massachusetts Attorney General.

                        COMMITTEE CONSIDERATION

    On March 25, 2015, the Subcommittee on Commerce, 
Manufacturing, and Trade met in open markup session and 
forwarded H.R. __, Data Security and Breach Notification Act of 
2015 to the full Committee, as amended, by a voice vote. On 
April 14, 2015, Rep. Blackburn, Rep. Welch, Rep. Burgess, and 
Rep. Upton introduced H.R. 1770, which was substantially 
similar to the bill approved by the Subcommittee. On April 15, 
2015, the full Committee on Energy and Commerce met in open 
markup session and ordered H.R. 1770, Data Security and Breach 
Notification Act of 2015, reported to the House, as amended, by 
a record vote of 29 yeas and 20 nays.

                            COMMITTEE VOTES

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the record votes 
on the motion to report legislation and amendments thereto. A 
motion by Mr. Upton to order H.R. 1770 reported to the House, 
as amended, was agreed to by a record vote of 29 ayes and 20 
nays. The following reflects the record votes taken during the 
Committee consideration:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                      COMMITTEE OVERSIGHT FINDINGS

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee held a hearing and made 
findings that are reflected in this report.

         STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    The goal of H.R. 1770 is to protect consumers from identity 
theft, economic loss or economic harm, of financial fraud by 
establishing strong and uniform national data security and 
breach notification standards for electronic data in interstate 
commerce while minimizing State law burdens that may 
substantially affect interstate commerce, and expressly preempt 
any related State laws to ensure uniformity of this Act's 
standards and the consistency of their application across 
jurisdictions.

   NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee finds that H.R. 
1770, would result in no new or increased budget authority, 
entitlement authority, or tax expenditures or revenues.

       EARMARK, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS

    In compliance with clause 9(e), 9(f), and 9(g) of rule XXI 
of the Rules of the House of Representatives, the Committee 
finds that H.R. 1770 contains no earmarks, limited tax 
benefits, or limited tariff benefits.

                        COMMITTEE COST ESTIMATE

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.

                  CONGRESSIONAL BUDGET OFFICE ESTIMATE

    Pursuant to clause 3(c)(3) of rule XIII of the Rules of the 
House of Representatives, the following is the cost estimate 
provided by the Congressional Budget Office pursuant to section 
402 of the Congressional Budget Act of 1974:

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, April 20, 2015.
Hon. Fred Upton,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 1770, the Data 
Security and Breach Notification Act of 2015.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Susan Willie.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

H.R. 1770--Data Security and Breach Notification Act of 2015

    Summary: H.R. 1770 would establish a new law to require 
businesses to take reasonable steps to protect personal 
information they maintain in electronic form. Further, H.R. 
1770 would require those entities, in the event of a breach in 
their security systems, to notify individuals whose personal 
information has been accessed and acquired as a result of the 
breach. Forty-seven states have laws that govern data security; 
H.R. 1770 would pre-empt many of those statutes. The bill would 
direct the Federal Trade Commission (FTC) to enforce the rules 
and authorize the agency to collect civil penalties if those 
rules are violated.
    CBO estimates that implementing H.R. 1770 would cost $1 
million over the 2015-2020 period, assuming appropriation of 
the necessary amounts. In addition, CBO estimates that enacting 
the bill would increase revenues by $9 million over the 2015-
2025 period from the collection of civil penalties; therefore 
pay-as-you-go procedures would apply. Enacting H.R. 1770 would 
not affect direct spending.
    H.R. 1770 contains intergovernmental mandates as defined in 
the Unfunded Mandates Reform Act (UMRA), but CBO estimates that 
the cost of complying with the mandates would be small and 
would not exceed the threshold established in UMRA ($77 million 
in 2015, adjusted annually for inflation).
    H.R. 1770 would impose private-sector mandates as defined 
in UMRA on businesses and non-profits that possess or manage 
sensitive personal information and on Internet service 
providers (ISPs). Because most of those businesses already 
comply with similar requirements in state laws, CBO estimates 
that the incremental cost to comply with the mandates in the 
bill would probably fall below the annual threshold established 
in UMRA for private-sector mandates ($154 million in 2015, 
adjusted annually for inflation).
    Estimated cost to the Federal Government: The estimated 
budgetary effect of H.R. 1770 is shown in the following table. 
The costs of this legislation fall within budget function 370 
(commerce and housing credit).

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                  By fiscal year, in millions of dollars--
                                                   -----------------------------------------------------------------------------------------------------
                                                     2016    2017    2018    2019    2020    2021    2022    2023    2024    2025   2016-2020  2016-2025
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   CHANGES IN REVENUES
 
Estimated Revenues................................       *       1       1       1       1       1       1       1       1       1         4          9
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes: * = less than $500,000.
CBO estimates that implementing H.R. 1770 would cost $1 million over the 2015-2020 period, assuming appropriation of the necessary amounts.

    Basis of estimate: For this estimate, CBO assumes that the 
bill will be enacted near the end of fiscal year 2015, that the 
necessary amounts will be appropriated each year, and that 
spending will follow historical patterns for similar 
activities.

Spending subject to appropriation

    H.R. 1770 would direct the FTC to enforce new federal 
regulations that would require certain businesses and 
nonprofits to:
           Establish security measures to protect 
        personal information maintained in electronic form, and
           Notify individuals if a breach of security 
        measures creates a reasonable risk that they would be 
        exposed to identity theft or economic harm because of 
        the breach.
    Based on information from the FTC, CBO estimates that 
implementing H.R. 1770 would cost about $1 million over the 
2015-2020 period, assuming appropriation of the necessary 
amounts. CBO expects the agency would hire 2 additional staff, 
at a cost of $260,000 per year, on average, to carry out the 
new regulatory requirements.

Revenues

    Under current law, the FTC has authority under the Federal 
Trade Commission Act to bring enforcement actions against 
companies for deceptive and unfair practices that can involve 
consumers' privacy and personal information. However, the FTC 
can currently assess civil monetary penalties as part of those 
actions only in certain privacy related cases, such as for 
violations of rules established by the Children's Online 
Privacy Protection Act and the Fair Credit Reporting Act.
    Under H.R. 1770. the FTC could assess civil penalties in a 
broader set of privacy related cases. Based on information 
provided by the FTC, CBO estimates that enacting H.R. 1770 
would increase revenues from civil penalties by about $1 
million per year and by $9 million over the 2016-2025 period. 
Those payments of civil penalties would come primarily from 
covered entities that violate requirements to implement and 
maintain reasonable security measures to protect personal 
information.
    Pay-As-You-Go considerations: The Statutory Pay-As-You-Go 
Act of 2010 establishes budget-reporting and enforcement 
procedures for legislation affecting direct spending or 
revenues. The net changes revenues that are subject to those 
pay-as-you-go procedures are shown in the following table.

        CBO ESTIMATE OF PAY-AS-YOU-GO EFFECTS FOR H.R. 1770, AS ORDERED REPORTED BY THE HOUSE COMMITTEE ON ENERGY AND COMMERCE ON APRIL 15, 2015
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                              By fiscal year, in millions of dollars--
                                           -------------------------------------------------------------------------------------------------------------
                                             2015    2016    2017    2018    2019    2020    2021    2022    2023    2024    2025   2015-2020  2015-2025
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                             NET DECREASE (-) IN THE DEFICIT
 
Statutory Pay-As-You-Go Impact............       0       0      -1      -1      -1      -1      -1      -1      -1      -1      -1        -4         -9
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Estimated impact on State, local, and tribal governments: 
H.R. 1770 contains intergovernmental mandates as defined in 
UMRA. The bill would explicitly preempt laws in at least 47 
states, the District of Columbia, Guam, Puerto Rico, and the 
Virgin Islands that require businesses to notify individuals in 
the event of a security breach. The bill also would impose 
notification requirements and limitations on state Attorneys 
General. Because the limits on state authority would impose no 
duties with costs and because the notification requirements 
would result in minimal additional spending, CBO estimates the 
costs of the mandates would be small and would not exceed the 
threshold established in UMRA for intergovernmental mandates 
($77 million in 2015, adjusted annually for inflation).
    Estimated impact on the private sector: H.R. 1770 would 
impose private-sector mandates as defined in UMRA on businesses 
and non-profits that possess or manage sensitive personal 
information and on ISPs. Because most of those businesses 
already comply with similar requirements in state laws, CBO 
estimates that the incremental cost to comply with the mandates 
in the bill would probably fall below the annual threshold 
established in UMRA for private-sector mandates ($154 million 
in 2015, adjusted annually for inflation).

Requirements for information security

    The bill would require businesses to implement and maintain 
reasonable security measures to protect personal information 
maintained in electronic form from unauthorized access. The 
bill stipulates that such security measures must be appropriate 
for the size, complexity, and general nature and scope of the 
activities of the business entity. According to the FTC, it is 
already enforcing such requirements for businesses covered 
under the Federal Trade Commission Act. Other businesses 
covered by the bill that are not currently under FTC's 
jurisdiction, including telecommunications carriers and non-
profits, are currently subject to similar enforcement by the 
FCC or applicable state agencies under certain state laws. As a 
result, CBO expects that the incremental cost to comply with 
this provision would be minimal.

Notification of security breaches

    The bill would require businesses engaged in Interstate 
commerce that use, access, transmit, store, dispose of, or 
collect sensitive personal information to notify any 
individuals whose information has been or may have been 
unlawfully accessed as a result of a breach. In the event of a 
breach, businesses would be required to conduct an 
investigation to determine if there is a reasonable risk the 
breach resulted in, or could result in, identity theft, 
economic loss or harm, or financial fraud to individuals whose 
personal information was compromised. Upon determining there 
was sufficient risk, businesses would be required to notify 
individuals in the United States affected by the breach using 
written letters, or email. Notifications would be required to 
include certain information about the breach, as well as toll-
tree numbers for the affected business, consumer reporting 
agencies, and the FTC. If a breach requires notification of 
over 10,000 individuals, businesses would have to notify 
consumer reporting agencies, the FTC and either the Secret 
Service or the Federal Bureau of Investigation.
    After a business has made reasonable efforts to contact all 
individuals affected by a breach, and determines that the 
contact information of at least 500 such individuals is 
insufficient or out-of-date, the bill would require such 
businesses to attempt to contact the individuals through either 
email (if it was not the primary method of contact), or by 
posting a conspicuous notice detailing information about the 
breach on the business's website for at least 90 days.
    The bill also would impose requirements on ISPs. Should an 
ISP become aware of a breach affecting personal information 
that is owned or licensed by a business that connects to the 
ISP's networks, it must notify the affected business, if the 
business can be reasonably identified. The ISP would have no 
further notification requirements upon notifying the affected 
business under the bill, provided their relationship with the 
affected business was strictly for the purpose of transmitting, 
routing, or providing intermediate transient storage of data.
    Nearly all states already have laws requiring notification 
in the event of a security breach. In addition, it is the 
standard practice of most businesses to notify individuals if a 
security breach occurs. Therefore, CBO expects that the 
incremental costs incurred by businesses to comply with the 
notification requirements in the bill would not be substantial.
    Estimate prepared by: Federal costs: Susan Willie; Federal 
revenues: Nathaniel Frentz; Impact on state, local, and tribal 
governments: Melissa Merrell; Impact on the private sector: 
Logan Smith.
    Estimate approved by: Theresa Gullo, Assistant Director for 
Budget Analysis.

                       FEDERAL MANDATES STATEMENT

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                    DUPLICATION OF FEDERAL PROGRAMS

    No provision of H.R. 1770 establishes or reauthorizes a 
program of the Federal Government known to be duplicative of 
another Federal program, a program that was included in any 
report from the Government Accountability Office to Congress 
pursuant to section 21 of Public Law 111-139, or a program 
related to a program identified in the most recent Catalog of 
Federal Domestic Assistance.

                  DISCLOSURE OF DIRECTED RULE MAKINGS

    The Committee estimates that enacting H.R. 1770 
specifically directs to be completed no rule making within the 
meaning of 5 U.S.C. 551.

                      ADVISORY COMMITTEE STATEMENT

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  APPLICABILITY TO LEGISLATIVE BRANCH

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title; purposes

    Section 1 provides that the Act may be cited as the ``Data 
Security and Breach Notification Act of 2015,'' and that its 
purpose is to protect consumers from identity theft, economic 
loss or economic harm, and financial fraud by establishing 
uniform national data security and breach notification 
standards for electronic data in interstate commerce.

Section 2. Requirements for information security

    This section requires covered entities to implement and 
maintain reasonable security measures and practices that are 
appropriate to the size and complexity of the entity and the 
nature and scope of its activities, and to protect and secure 
electronic personal information against unauthorized access and 
acquisition.

Section 3. Notification of information security breach

    Following a breach of security, this section requires a 
covered entity that uses, accesses, transmits, stores, disposes 
of, or collects personal information to restore the reasonable 
integrity, security, and confidentiality of the data system, 
and conduct a reasonable and prompt investigation of the breach 
to determine whether there is a reasonable risk that the breach 
has resulted in, or will result in, identity theft, economic 
loss or economic harm, or financial fraud.
    This section requires covered entities to notify 
individuals affected by, or reasonably believed to have been 
affected by, the breach of security unless there is no 
reasonable risk that the breach has resulted in, or will result 
in identity theft, economic loss or economic harm, or financial 
fraud. A breached covered entity shall notify any individual 
for whom an election was not made under this section not later 
than twenty-five days after the non-breached covered entity 
declines or fails to make an election. A non-breached covered 
entity shall notify any individual for whom it provided 
personal information to the breached covered entity that was 
affected by the breach of security within twenty-five days 
after exercising the election under this section. Any other 
covered entity shall identify the individuals affected by the 
breach of security and notify them within thirty days after 
restoring the reasonable integrity, security, and 
confidentiality of the data system and identifying the impact 
of the breach of security pursuant to this section.
    If a covered entity, breached covered entity, or non-
breached covered entity discovers additional individuals to 
whom notification is required after providing notice under this 
section, the covered entity shall notify such individuals as 
expeditiously as possible and without unreasonable delay.
    This section requires breached covered entities to notify 
in writing a non-breached covered entity of a breach of 
security within ten days after restoring the reasonable 
integrity, security, and confidentiality of the data system and 
identifying the impact of the breach pursuant to this section. 
The breached covered entity shall include in the notice 
information about the elements of personal information received 
from the non-breached covered entity pursuant to their contract 
reasonably believed to be affected by the breach of security. A 
non-breached covered entity may elect in writing to provide 
notice to all individuals included in the notice whose personal 
information was affected by the breach of security within ten 
days of receiving the notice. Such election relieves the 
breached covered entity of its notification obligation under 
this section for those individuals. After an election by a non-
breached covered entity, the breached covered entity shall 
cooperate in all reasonable respects with the non-breached 
covered entity and provide any of the information the breached 
covered entity possesses that is described in the notice to 
individuals so that notification to individuals is made in 
compliance with this section. A breached covered entity shall 
reply within ten business days to a request for such 
information by a non-breached covered entity. If a non-breached 
covered entity declines or fails to elect, it shall cooperate 
in all respects with the breached covered entity and provide 
any information it possesses that is described in the notice to 
individuals so that notification to individuals is made in 
compliance with this section. A non-breached covered entity 
shall reply within 10 business days to a request for such 
information by a breached covered entity.
    This section requires a covered entity to also notify the 
FTC and the Secret Service or Federal Bureau of Investigation 
of a breach of security if more than 10,000 individuals' 
personal information was, or there is reasonable basis to 
conclude was, accessed and acquired by an unauthorized person. 
This section allows Federal, State, or local law enforcement to 
delay notification to affected individuals if it would impede a 
civil or criminal investigation.
    This section provides certain accommodations for non-
profits or where there is limited contact information for an 
individual. This section requires covered entities to notify a 
consumer reporting agency of a breach of security affecting 
more than 10,000 individuals.
    This section requires that any notice to affected 
individuals about a breach of security must include: 1) a 
description of the personal information that was, or reasonably 
believed to be, accessed and acquired by an unauthorized 
person; 2) the date range or approximate date range of the 
breach; 3) a telephone number or toll-free number (if the 
covered entity does not meet the definition of a small business 
concern or non-profit organization) that an affected individual 
may use to inquire about the breach; 4) the toll-free contact 
telephone number and addresses for a consumer reporting agency 
that compiles and maintains files on consumers on a nationwide 
basis; and 5) the toll-free telephone number and Internet 
website for the FTC where individuals can get more information 
about identity theft.
    A covered entity may contract out its notice obligation as 
long it is clear that the notice is sent on behalf of the 
covered entity.
    This section requires a service provider to notify a 
covered entity if it becomes aware of a breach of security 
involving electronic data containing personal information and 
can reasonably identify the sender.

Section 4. Enforcement

    This section establishes that a violation of this Act will 
be treated as an unfair or deceptive act or practice under the 
Federal Trade Commission Act and violations will be enforced by 
the FTC. Any covered entity that violates this Act shall be 
subject to the penalties and immunities provided in the Federal 
Trade Commission Act and as extended by this Act to common 
carriers and non-profit organizations. Notwithstanding section 
5(m) of the FTC Act, the Commission may impose civil penalties 
for violations of section 3 in an amount not greater than 
$1,000 per violation and each failure to send a notification 
shall be a separate violation.
    This section sets a maximum total liability for first-time 
violations of section 2 resulting from the same related act or 
omission at $8,760,000, and for first-time violations of 
section 3 resulting from the same related act or omission at 
$17,520,000.
    This section allows for State attorneys general to bring 
enforcement actions for violations of either the security or 
notification requirements of this draft. They may bring civil 
penalties of up to $11,000 per violation of section 2 and 
$1,000 per violation of section 3.
    This section establishes a maximum civil penalty of $2.5 
million in cases filed by a State attorney general. Civil 
penalties will be annually adjusted for inflation.
    This section requires that the covered entity's degree of 
culpability, history of prior conduct, ability to pay, effect 
on ability to continue to do business, and any other matters 
must be taken into account in determining the amount of a civil 
penalty.
    This section provides certain process requirements so that 
there is not redundant enforcement between State attorneys 
general and the FTC.
    This section also provides that nothing in this Act 
establishes a private cause of action against a person for a 
violation of this Act.

Section 5. Definitions

    This section provides definitions for the following terms: 
breach of security, breached covered entity, Commission, 
consumer reporting agency that compiles and maintains files on 
consumers on a nationwide basis, covered entity, data in 
electronic form, encrypted, non-breached covered entity, non-
profit organization, personal information, service provider, 
small business concern, and State.

Section 6. Effect on other laws

    This section prevents States from adopting, maintaining, 
enforcing, or imposing or continuing in effect any law, rule, 
regulation, duty, requirement, standard, or other provision 
related to the security of data in electronic form or 
notification following a breach of security with respect to a 
covered entity.
    This section would not exempt a covered entity from 
liability under common law.
    This section provides that any regulations in sections 201, 
202, 222, 338, and 631 of the Communications Act of 1934 that 
pertain to information security or breach notification 
practices of covered entities are superseded by this Act.
    This section provides that nothing in this subsection 
otherwise limits the Federal Communications Commission's 
authority with respect to sections 201, 202, 222, 338, and 631 
of the Communications Act of 1934.
    This section also provides that nothing in this Act should 
be construed in any way to limit or affect the FTC's authority 
under any other provision of law.

Section 7. Education and outreach for small businesses

    This section requires the Commission to conduct education 
and outreach for small business concerns on data security 
practices and how to prevent hacking and other unauthorized 
access to, acquisition of, or use of data maintained by such 
small business concerns.

Section 8. Website on data security best practices

    This section requires the Commission to establish and 
maintain a website with non-binding best practices for 
businesses regarding data security and how to prevent hacking 
and other unauthorized access to, acquisition of, or use of 
data maintained by such small businesses.

Section 9. Effective date

    This section provides that the Act will take effect one 
year after the date of enactment of this Act.

         CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    This legislation does not amend any existing Federal 
statute.

                            DISSENTING VIEWS

    We agree that there is a need for legislation requiring 
entities that hold and collect consumer information be required 
to secure such information and provide notice to consumers in 
the case of a breach of security of that information. 
Unfortunately, we cannot support H.R. 1770, the Data Security 
and Breach Notification Act of 2015, as reported by the 
Committee on Energy and Commerce on April 15, 2015. This bill 
does not enhance consumer protections. And it many ways, it 
puts consumers in a worse place with regard to data security 
and breach notification than they are today.
    Our views on specific provisions in H.R. 1770 and the 
Committee's consideration of the bill are set forth below.

                       I. H.R. 1770, AS REPORTED

    H.R. 1770 fails to meet the dual purposes of reducing 
breaches and mitigating their adverse effects. Federal data 
breach legislation should enhance protections against data 
breaches and provide consumers with relevant information 
following a breach. Instead, H.R. 1770 weakens existing 
consumer protections by preempting often stronger state and 
territorial data breach laws without an adequate replacement 
for those provisions.
    H.R. 1770 fails to require sufficient protections of 
consumers' personal information. Robust data security is 
critical to any data breach bill. Federal legislation cannot be 
foolproof, but it should be focused on stopping breaches from 
happening, before consumers' personal information is 
compromised and before consumers see the negative effects.
    H.R. 1770 also fails to provide strong data breach 
notification to consumers whose data has been subject to a 
breach. Many of the 51 state and territorial breach 
notification laws provide greater protections for consumers. 
Thirty-eight of those state laws require notice of a breach to 
be provided in more circumstances than H.R. 1770, thereby 
allowing consumers to prevent harms instead of waiting for 
harms to occur before taking action. In contrast, H.R. 1770 
requires a financial harm analysis before notification is 
required to be provided to consumers. Consumers should know 
when their personal information has been hacked, and have the 
ability to decide whether a breach of their personal 
information may cause them harm and react as they see fit. 
Consumers have not reported confusion because of the variation 
in notice requirements in the state laws.
    In addition, H.R. 1770 is narrow in scope, providing a 
limited and inflexible definition of personal information. 
Although the bill purports to focus on personal information 
that leads to financial harms, the definition of personal 
information does not include some types of personal information 
that could lead directly to financial harm, such as payroll 
information. Moreover, it does not cover any other types of 
personal information that indirectly lead to financial harm 
through phishing scams or other fraud schemes. Nor does H.R. 
1770 cover the types of personal information that lead to other 
harms, such as physical or emotional harms. Many state laws 
that would be preempted by this bill cover broader personal 
information, such as an individual's medical history or health 
insurance information. These types of information are not 
covered by H.R. 1770.
    Moreover, H.R. 1770 limits the civil penalties that can be 
sought by the Federal Trade Commission (FTC) and the state 
attorneys general in enforcing the provisions of this bill, 
again limiting consumer protections available under current 
law. Both the FTC and the state attorneys general need the 
ability to match the scope of these breaches with adequate 
penalties. The FTC and state attorneys general should have the 
flexibility to seek fair penalties that are commensurate with 
the damage that has been done. This bill caps total fine the 
FTC can impose for first offenses at $8,760,000 for violations 
of the security requirements and at $17,520,000 for violations 
of breach notification requirements. The bill also caps the 
total fine state attorneys general, collectively, can impose in 
all cases at $2.5 million of the security requirements and at 
$2.5 million for violations of breach notification 
requirements. Under the maximum penalty provision for state 
attorneys general, therefore, if one state attorney general 
collects $2.5 million from an entity for a violation of the 
breach notification provision, no other state attorney general 
will be permitted to impose a fine at all, even if a breach 
affected millions of consumers in his or her state.
    Further, while this bill provides state attorneys general 
with the ability to bring civil actions against companies that 
violate the act, it does not provide that they receive any 
notification of a breach. There is simply no good reason to 
delay, and perhaps prevent, the facts of a data breach from 
reaching state attorneys general, who often have relationships 
and connections in states that are critical to disseminating 
information to consumers and businesses quickly. And while the 
FTC, which also has authority to enforce the provisions of this 
bill, does receive notification of a breach so that it can 
respond effectively, it is not notified unless there is a very 
high threshold of affected consumers.
    Finally, H.R. 1770 preempts provisions of the 
Communications Act regarding telecommunications, cable, and 
satellite services, as well as the regulations promulgated 
thereunder, to the extent they apply to information security 
practices and breach notification. And because data security is 
inextricably linked to privacy and competition, the ability of 
the Federal Communications Commission (FCC) to protect 
consumers in those areas also would be adversely affected. H.R. 
1770 only requires the reasonable securing of personal 
information as the bill defines personal information, i.e., 
narrowly. The bill then preempts the Communications Act 
broadly, with regard to all information. Since H.R. 1770's 
breach notification is exclusively linked to financial harm, 
notifications currently required under the Communication Act 
also would become void and unenforceable. The bill moves 
jurisdiction over these communications services for data 
security and breach notification from the FCC to the FTC. The 
FTC has expertise in general data breach issues. But, as 
primarily an enforcement agency, the FTC lacks the tools to 
effectively handle the unique data security, breach 
notification, and privacy issues of communications services. 
Under H.R. 1770, these services will no longer be subject to 
the before-the-fact security and privacy requirements under the 
Communications Act and its associated regulations. Instead, 
they will only be subject to after-the-fact enforcement. This 
system does not adequately protect consumers' valuable 
communications-related personal information, such as 
telecommunications subscribers' customer proprietary network 
information (CPNI), which includes virtually all information 
about a customer's use of the service, or cable or satellite 
subscribers' viewing histories.

                      II. COMMITTEE CONSIDERATION

                 A. Amendments Offered in Subcommittee

    Four amendments were adopted at the Subcommittee markup. A 
manager's amendment offered by Representatives Burgess and 
Welch made minor changes to the definition of encryption and 
made broader an exception to the definition of covered entities 
for entities subject to GLB. The change to the GLB exception 
was mostly reversed in the bill considered by the full 
committee. An amendment offered by Representative Pompeo and 
Welch established procedures for breached covered entities and 
non-breached covered entities to provide notice to individuals. 
The language added by this amendment was also significantly 
changed in the bill considered by the full committee. Two 
amendments offered by Representatives Cardenas and Blackburn 
were adopted at the Subcommittee markup adding sections 7 and 8 
to the bill regarding education and outreach for small 
businesses through the FTC.
    In addition, five amendments were offered by other minority 
members, all of which were voted down along party lines. 
Representative Clarke offered an amendment to give the FTC 
rulemaking authority to change the definition of personal 
information as necessary. Representative Rush offered two 
amendments to address concerns with the preemption of the 
Communications Act. The first amendment struck the preemption 
language entirely. The second amendment was intended to 
transfer as much enforcement authority from the Federal 
Communications Commission (FCC) to the FTC as the FCC loses in 
the underlying bill text. Representative Kennedy offered two 
amendments intended to address state preemption and the 
conflict in the common law preemption language.

                B. Amendments Offered in Full Committee

    On April 14-15, 2015, the full Committee on Energy and 
Commerce voted in favor of H.R. 1770, the Data Security and 
Breach Notification Act of 2015, strictly along party lines. 
Four amendments were adopted at full Committee. An amendment 
offered by Representative Kinzinger slightly expanded the 
definition of personal information to include a user name or 
email address in combination with password or security question 
and answer. Representative Barton offered an amendment making a 
minor technical correction to a reference to notification by 
breached or non-breached covered entities. Representative Olson 
offered an amendment that lowered the per-violation fine from 
$11,000 to $1,000 for a violation of the notice requirements in 
section 3. The Olson amendment also placed limits on the total 
penalties for first-time violations of section 2 at $8,760,000 
and for first-time violations of section 3 at $17,520,000. 
These limits on first-time penalties only apply to enforcement 
by the FTC.
    An amendment offered by Representative Blackburn further 
weakened the consumer protections afforded by this bill. The 
amendment, among other things, limited the definition of breach 
of security to relate to information that was accessed and 
acquired instead of accessed or acquired; added a requirement 
that a covered entity suffering a breach identify the impact of 
the breach as part of its required investigation into the 
breach (which would occur before notice is given to consumers); 
and changed the requirement that to be considered personal 
information a name must be connected with all three (not two of 
three) of the following: (1) home address and telephone number, 
(2) mother's maiden name, (3) birthday. The Blackburn amendment 
also made changes to the notification duties that a breached 
covered entity has with respect to a non-breached covered 
entity and changed the definition of call information that is 
considered personal information.
    In addition, five amendments were offered by minority 
members, four of which were voted down along party lines. An 
amendment in the nature of a substitute offered by 
Representatives Rush and Schakowsky, which was intended to 
protect consumers without overburdening businesses, received 
bipartisan support but failed to get enough votes to be 
adopted. The amendment would have provided a strong security 
standard with needed specificity, while ensuring that it is 
technology-neutral and allows for flexibility for businesses to 
implement appropriate security procedures. It also would have 
given the FTC rulemaking authority to flesh out the needed 
details and allowed those details to change overtime as 
criminals get more and more creative. This amendment would not 
have a financial harm trigger for notification to consumers but 
would have added to the definition of personal information 
because unauthorized access to all kinds of personal 
information can harm people whose information is stolen. 
Additionally, it would have given the FTC authority to change 
the definition of personal information. This amendment also 
acknowledges the important role of the states and would have 
eliminated the limitations on state enforcement that are in the 
underlying bill by requiring notice to state attorneys general 
and removing the caps on civil penalties that can be sought by 
state attorneys general. Moreover, the amendment would have 
preempted state laws, replacing them with strong security and 
breach notification standards, to avoid burdening businesses 
with a 51 law with which they must comply. Furthermore, the 
amendment would have preserved the FCC's authority to regulate 
the privacy, data security, and breach notification with regard 
to telecommunications, satellite, cable, and broadband 
services.
    Representative Eshoo also offered an amendment in the 
nature of a substitute, which, among other things, would have 
directed the FTC to promulgate a rule creating security 
standards consistent with California state security standards, 
making the California standards the floor for the nation. The 
bill would have preempted state breach notification laws that 
failed to meet the California standards, would have allowed 
states to innovate by passing stronger state laws. The 
amendment provides an expanded definition of personal 
information compared to the underlying bill, including health 
and medical information. It also eliminates the cap on the 
ability of state attorneys general to seek civil penalties. It 
would have ensured notice to consumers of a breach whether or 
not there is financial harm and gives consumers a private right 
of action for violations of the security or breach notification 
requirements. The amendment would have also preserved the FCC's 
authority to regulate the privacy, data security, and breach 
notification with regard to telecommunications, satellite, 
cable, and broadband services.
    Representative McNerney offered an amendment that would 
have provided that in the event of a breach that affects 500 
consumers or more, a covered entity must provide notice to the 
state attorneys general of those states whose resident were 
affected. Representative Kennedy offered two amendments 
intended to protect states' abilities to use their unfair and 
deceptive practices authority and address the conflict in the 
common law preemption language.
    For the reasons stated above, we dissent from the views 
contained in the Committee's report.

                                   Frank Pallone, Jr.,
                                           Ranking Member, Committee on 
                                               Energy and Commerce.
                                   Jan Schakowsky,
                                           Ranking Member, Subcommittee 
                                               on Commerce, 
                                               Manufacturing and Trade.