[House Report 114-908]
[From the U.S. Government Publishing Office]

114th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     114-908

======================================================================

            DATA SECURITY AND BREACH NOTIFICATION ACT OF 2015

                                _______

January 3, 2017.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

                                _______

Mr. Upton, from the Committee on Energy and Commerce, submitted the following

                              R E P O R T

                      together with DISSENTING VIEWS

                        [To accompany H.R. 1770]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Energy and Commerce, to whom was referred the bill (H.R. 1770) to require certain entities who collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security involving such information, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
Statement of General Performance Goals and Objectives
New Budget Authority, Entitlement Authority, and Tax Expenditures
Earmark, Limited Tax Benefits, and Limited Tariff Benefits
Committee Cost Estimate
Congressional Budget Office Estimate
Federal Mandates Statement
Duplication of Federal Programs
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported
Minority, Additional, or Dissenting Views

    The amendment is as follows:
    Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE; PURPOSES.

  (a) Short Title.--This Act may be cited as the ``Data Security and Breach Notification Act of 2015''.
  (b) Purposes.--The purposes of this Act are to--
    (1) protect consumers from identity theft, economic loss or economic harm, and financial fraud by establishing strong and uniform national data security and breach notification standards for electronic data in interstate commerce while minimizing State law burdens that may substantially affect interstate commerce; and
    (2) expressly preempt any related State laws to ensure uniformity of this Act's standards and the consistency of their application across jurisdictions.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

  A covered entity shall implement and maintain reasonable security measures and practices to protect and secure personal information in electronic form against unauthorized access and acquisition as appropriate for the size and complexity of such covered entity and the nature and scope of its activities.

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

  (a) In General.--
    (1) Restoring security.--Except as otherwise provided by this section, a covered entity that uses, accesses, transmits, stores, disposes of, or collects personal information shall, following the discovery of a breach of security, restore the reasonable integrity, security, and confidentiality of the data system and identify the impact of the breach pursuant to paragraph (2).
    (2) Investigation.--A covered entity shall conduct in good faith a reasonable and prompt investigation of the breach of security to determine whether there is a reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was subject to the breach of security.
    (3) Notification to individuals required.--
      (A) Trigger.--Unless there is no reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was affected by the breach of security, the covered entity shall notify any resident of the United States that has been affected by the breach of security pursuant to this section.
      (B) Notification duty.--Unless subject to a delay authorized under subsection (c)--
        (i) a breached covered entity shall notify any individual for whom an election was not made under paragraph (4)(C) not later than 25 days after the non-breached covered entity declines or fails to exercise the election under paragraph (4)(C);
        (ii) a non-breached covered entity shall notify any individual for whom the non-breached covered entity provided personal information to the breached covered entity, and such personal information was affected by the breach of security, not later than 25 days after exercising the election under paragraph (4)(C); and
        (iii) any other covered entity shall identify the individuals affected by a breach of security and make the notification required under this subsection as expeditiously as possible, without unreasonable delay, and not later than 30 days after completing the requirements of paragraph (1).
      (C) Notification required upon discovery of additional individuals affected.--If a covered entity, breached covered entity, or non-breached covered entity has provided the notification to individuals required under this subsection and after such notification discovers additional individuals to whom notification is required under this subsection with respect to the same breach of security, the covered entity, breached covered entity, or non-breached covered entity shall make such notification to such individuals as expeditiously as possible and without unreasonable delay.
    (4) Non-breached covered entity election notice.--
      (A) Notice to non-breached covered entity required.--Subject to the requirements of this paragraph, unless there is no reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud related to the personal information provided by the non-breached covered entity to the breached covered entity, the breached covered entity shall, as expeditiously as possible and without unreasonable delay within 10 days after fulfilling the requirements described in paragraph (1), notify in writing each non-breached covered entity of the breach of security.
      (B) Contents of notice.--The breached covered entity shall include in the notice described in subparagraph (A) the elements of personal information received from the non-breached covered entity pursuant to the contract described in subparagraph (C) reasonably believed to be affected by the breach of security.
      (C) Election by non-breached covered entity after receiving notice from a breached covered entity.--In the case of a breached covered entity that is a party to a written contract with a non-breached covered entity in which the breached covered entity maintains, stores, transmits, or processes data in electronic form containing personal information, not later than 10 days after receipt of the notice described in subparagraph (A), the non-breached covered entity may elect, in writing to the breached covered entity, to provide notification required by paragraph (3) to all individuals whose personal information was provided by the non-breached covered entity to the breached covered entity and was affected by the breach of security. Such election relieves the breached covered entity of the requirements under paragraph (3) with respect to such individuals.
      (D) Obligation after election.--
        (i) Breached covered entity cooperation.--If a non-breached covered entity elects under subparagraph (C) to provide notice under paragraph (3), the breached covered entity shall cooperate in all reasonable respects with the non-breached covered entity and provide any of the information the breached covered entity possesses that is described under subsection (d)(1)(B) and provide all personal information received from the non-breached covered entity that was affected by the breach of security so that the notification to such individuals is made as required under this section. Not later than 10 business days after the non-breached covered entity submits a written request for information requested under this subsection to the breached covered entity, the breached covered entity shall provide such information.
        (ii) Non-breached covered entity cooperation.--If a non-breached covered entity does not elect to provide notice to individuals under subparagraph (C), the non-breached covered entity shall provide any of the information the non-breached covered entity possesses that is described under subsection (d)(1)(B) for any individual whose personal information was received from the non-breached covered entity that was affected by the breach of security, and cooperate in all reasonable respects with, the breached covered entity so that the notification to such individuals is made as required under this section. Not later than 10 business days after the breached covered entity submits a written request for information requested under this subsection to the non-breached covered entity, the non-breached covered entity shall provide such information.
    (5) Law enforcement.--A covered entity shall as expeditiously as possible notify the Commission and the Secret Service or the Federal Bureau of Investigation of the fact that a breach of security has occurred if the number of individuals whose personal information was, or there is a reasonable basis to conclude was, accessed and acquired by an unauthorized person exceeds 10,000. Any notification provided to the Secret Service or the Federal Bureau of Investigation pursuant to this paragraph shall be provided not less than 10 days before notification is provided to individuals pursuant to paragraph (3).
  (b) Special Notification Requirements.--
    (1) Non-profit organizations.--In the event of a breach of security involving personal information that would trigger notification under subsection (a), a non-profit organization may complete such notification according to the procedures set forth in subsection (d)(2).
    (2) Coordination of notification with consumer reporting agencies.--If a covered entity is required to provide notification to more than 10,000 individuals under subsection (a), such covered entity shall also notify a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, of the timing and distribution of the notices. Such notice shall be given to such consumer reporting agencies without unreasonable delay and, if it will not delay notice to the affected individuals, prior to the distribution of notices to the affected individuals.
  (c) Delay of Notification Authorized for Law Enforcement or National Security Purposes.--Notwithstanding paragraph (1), if a Federal, State, or local law enforcement agency determines that the notification to individuals required under this section would impede a civil or criminal investigation or a Federal agency determines that such notification would threaten national security, such notification shall be delayed upon written request of the law enforcement agency or Federal agency which the law enforcement agency or Federal agency determines is reasonably necessary and requests in writing. A law enforcement agency or Federal agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary. If a law enforcement agency or Federal agency requests a delay of notification to individuals under this paragraph, the Commission shall, upon written request of the law enforcement agency or Federal agency, delay any public disclosure of a notification received by the Commission under this section relating to the same breach of security until the delay of notification to individuals is no longer in effect.
  (d) Method and Content of Notification.--
    (1) Direct notification.--
      (A) Method of notification.--A covered entity required to provide notification to an individual under subsection (a) shall be in compliance with such requirement if the covered entity provides such notice by one of the following methods (if the selected method can reasonably be expected to reach the intended individual):
        (i) Written notification by postal mail.
        (ii) Notification by email or other electronic means, if the covered entity's primary method of communication with the individual is by email or such other electronic means or the individual has consented to receive such notification.
      (B) Content of notification.--Regardless of the method by which notification is provided to an individual under subparagraph (A) with respect to a breach of security, such notification shall include each of the following:
        (i) The identity of the covered entity that suffered the breach and, if such covered entity is also a breached covered entity providing notice under section 3(b)(1), the identity of each non-breached covered entity that did not elect to notify affected individuals pursuant to section 3(b)(1)(B) sufficient to show the breached covered entity's commercial relationship to the individual receiving notice.
        (ii) A description of the personal information that was, or there is a reasonable basis to conclude was, acquired and accessed by an unauthorized person.
        (iii) The date range of the breach of security, or an approximate date range of the breach of security if a specific date range is unknown based on the information available at the time of the notification.
        (iv) A telephone number, or toll-free telephone number for any covered entity that does not meet the definition of a small business concern or non-profit organization, that the individual may use to contact the covered entity to inquire about the breach of security or the information the covered entity maintained about that individual.
        (v) The toll-free contact telephone numbers and addresses for a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.
        (vi) The toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.
    (2) Substitute notification.--
      (A) In general.--If, after making reasonable efforts to contact all individuals to whom notice is required under subsection (a), the covered entity finds that contact information for 500 or more individuals is insufficient or out-of-date, the covered entity shall also provide substitute notice to those individuals, which shall be reasonably calculated to reach the individuals affected by the breach of security.
      (B) Form of substitute notification.--A covered entity may provide substitute notification by--
        (i) email or other electronic notification to the extent that the covered entity has contact information for individuals to whom it is required to provide notification under subsection (a); and
        (ii) a conspicuous notice on the covered entity's Internet website (if such covered entity maintains such a website) for at least 90 days.
      (C) Content of substitute notice.--Each form of substitute notice under clauses (i) and (ii) of subparagraph (B) shall include the information required under paragraph (1)(B).
    (3) Direct notification by a third party.--Nothing in this Act shall be construed to prevent a covered entity from contracting with a third party to provide the notification required under this section, provided such third party issues such notification without unreasonable delay, in accordance with the requirements of this section, and indicates to all individuals in such notification that such third party is sending such notification on behalf of the covered entity.
  (e) Requirements of Service Providers.--
    (1) In general.--If a service provider becomes aware of a breach of security involving data in electronic form containing personal information that is owned or licensed by a covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, such service provider shall notify the covered entity who initiated such connection, transmission, routing, or storage of the data containing personal information breached, if such covered entity can be reasonably identified. If a service provider is acting solely as a service provider for purposes of this subsection, the service provider has no other notification obligations under this section.
    (2) Covered entities who receive notice from service providers.--Upon receiving notification from a service provider under paragraph (1), a covered entity shall provide notification as required under this section.

SEC. 4. ENFORCEMENT.

  (a) Enforcement by the Federal Trade Commission.--
    (1) Unfair or deceptive acts or practices.--A violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
    (2) Powers of commission.--The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, and any covered entity who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.), and as provided in clauses (ii) and (iii) of section 5(5)(A). Notwithstanding section 5(m) of the Federal Trade Commission Act, the Commission may impose civil penalties for violations of section 3 in an amount not greater than $1,000 per violation. Each failure to send notification as required under section 3 to a resident of the United States shall be treated as a separate violation.
    (3) Maximum total liability for first-time violation of section 2.--The maximum total civil penalty for which any covered entity is liable under this subsection for all violations of section 2 resulting from the same related act or omission may not exceed $8,760,000, if such act or omission constitutes the covered entity's first violation of section 2.
    (4) Maximum total liability for first-time violation of section 3.--The maximum total civil penalty for which any covered entity is liable under this subsection for all violations of section 3 resulting from the same related act or omission may not exceed $17,520,000, if such act or omission constitutes the covered entity's first violation of section 3.
  (b) Enforcement by State Attorneys General.--
    (1) Civil action.--In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any covered entity who violates section 2 or 3 of this Act, the attorney general of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to--
      (A) enjoin further violation of such section by the defendant;
      (B) compel compliance with such section; or
      (C) obtain civil penalties in the amount determined under paragraph (2).
    (2) Civil penalties.--
      (A) Calculation.--
        (i) Treatment of violations of section 2.--For purposes of paragraph (1)(C) with regard to all violations of section 2 resulting from the same related act or omission, the amount determined under this paragraph is the amount calculated by multiplying the number of days that a covered entity is not in compliance with such section by an amount not greater than $11,000.
        (ii) Treatment of violations of section 3.--For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $1,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation.
      (B) Maximum total liability.--Notwithstanding the number of actions which may be brought against a covered entity under this subsection, the maximum civil penalty for which any covered entity may be liable under this subsection shall not exceed--
        (i) $2,500,000 for each violation of section 2; and
        (ii) $2,500,000 for all violations of section 3 resulting from a single breach of security.
      (C) Adjustment for inflation.--Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after one year after the date of enactment of this Act, and each year thereafter, the amounts specified in clauses (i) and (ii) of subparagraph (A) and clauses (i) and (ii) of subparagraph (B) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.
      (D) Penalty factors.--In determining the amount of such a civil penalty, the degree of culpability, any history of prior such conduct, ability to pay, effect on ability to continue to do business, and such other matters as justice may require shall be taken into account.
    (3) Intervention by the Federal Trade Commission.--
      (A) Notice and intervention.--In all cases, the State shall provide prior written notice of any action under paragraph (1) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Commission shall have the right--
        (i) to intervene in the action;
        (ii) upon so intervening, to be heard on all matters arising therein; and
        (iii) to file petitions for appeal.
      (B) Pending proceedings.--If the Federal Trade Commission initiates a Federal civil action for a violation of this Act, no State attorney general may bring an action for a violation of this Act that resulted from the same or related acts or omissions against a defendant named in the civil action initiated by the Federal Trade Commission.
    (4) Construction.--For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
      (A) conduct investigations;
      (B) administer oaths or affirmations; or
      (C) compel the attendance of witnesses or the production of documentary and other evidence.
  (c) No Private Cause of Action.--Nothing in this Act shall be construed to establish a private cause of action against a person for a violation of this Act.

SEC. 5. DEFINITIONS.
  In this Act:
    (1) Breach of security.--The term ``breach of security''--
      (A) means a compromise of the security, confidentiality, or integrity of, or loss of, data in electronic form that results in, or there is a reasonable basis to conclude has resulted in, unauthorized access to and acquisition of personal information from a covered entity; and
      (B) does not include the good faith acquisition of personal information by an employee or agent of the covered entity for the purposes of the covered entity, if the personal information is not used or subject to further unauthorized disclosure.
    (2) Breached covered entity.--The term ``breached covered entity'' means a covered entity that has incurred a breach of security affecting data in electronic form containing personal information of a non-breached covered entity that has directly contracted the breached covered entity to maintain, store, or process data in electronic form containing personal information on behalf of such non-breached covered entity. For purposes of this definition, the term ``breached covered entity'' shall not include a service provider that is subject to section 3(e).
    (3) Commission.--The term ``Commission'' means the Federal Trade Commission.
    (4) Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.--The term ``consumer reporting agency that compiles and maintains files on consumers on a nationwide basis'' has the meaning given that term in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
    (5) Covered entity.--
      (A) In general.--The term ``covered entity'' means--
        (i) a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other entity in or affecting commerce that acquires, maintains, stores, sells, or otherwise uses data in electronic form that includes personal information, over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2));
        (ii) notwithstanding section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)), common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.); and
        (iii) notwithstanding any jurisdictional limitation of the Federal Trade Commission Act (15 U.S.C. 41 et seq.), any non-profit organization.
      (B) Exceptions.--The term ``covered entity'' does not include--
        (i) a covered entity, as defined in section 160.103 of title 45, Code of Federal Regulations;
        (ii) a business associate, as defined in section 160.103 of title 45, Code of Federal Regulations, acting in its capacity as a business associate;
        (iii) if a covered entity, as defined in section 160.103 of title 45, Code of Federal Regulations, is a hybrid entity, as defined in section 164.105 of title 45, Code of Federal Regulations, then the health care component of such hybrid entity;
        (iv) a broker, dealer, investment adviser, futures commission merchant, special purpose vehicle, finance company, or person engaged in providing insurance that is subject to title V of Public Law 106-102 (15 U.S.C. 6801 et seq.);
        (v) a State-chartered credit union, as defined in section 101(6) of the Federal Credit Union Act (12 U.S.C. 1752(6)), that is not an insured credit union as defined in section 101(7) of such Act (12 U.S.C. 1752(7)); or
        (vi) a credit union service organization as outlined in section 106(7)(I) of the Federal Credit Union Act (12 U.S.C. 1757(7)(I)).
    (6) Data in electronic form.--The term ``data in electronic form'' means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
    (7) Encrypted.--The term ``encrypted'', used with respect to data in electronic form, in storage or in transit--
      (A) means the data is protected using an encryption technology that has been generally accepted by experts in the field of information security at the time the breach of security occurred that renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
      (B) includes appropriate management and safeguards of such cryptographic keys in order to protect the integrity of the encryption.
    (8) Non-breached covered entity.--The term ``non-breached covered entity'' means a covered entity that has not incurred the breach of security involving data in electronic form containing personal information that it owns or licenses but whose data has been affected by the breach of security incurred by a breached covered entity it directly contracts to maintain, store, or process data in electronic form containing personal information on behalf of the non-breached covered entity.
    (9) Non-profit organization.--The term ``non-profit organization'' means an organization that is described in section 501(c)(3) of the Internal Revenue Code of 1986 and exempt from tax under section 501(a) of such Code.
    (10) Personal information.--
      (A) In general.--The term ``personal information'' means any information or compilation of information in electronic form that includes the following:
        (i) An individual's first and last name or first initial and last name in combination with all of the following:
          (I) Home address or telephone number.
          (II) Mother's maiden name, if identified as such.
          (III) Month, day, and year of birth.
        (ii) A financial account number or credit or debit card number or other identifier, in combination with any security code, access code, or password that is required for an individual to obtain credit, withdraw funds, or engage in a financial transaction.
        (iii) A unique account identifier (other than for an account described in clause (ii)), electronic identification number, biometric data unique to an individual, user name, or routing code in combination with any associated security code, access code, biometric data unique to an individual, or password that is required for an individual to obtain money, or purchase goods, services, or any other thing of value.
        (iv) A non-truncated social security number.
        (v) Any information that pertains to the transmission of specific calls, including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound calls, the number from which the call was placed, and the time, location, or duration of any call.
        (vi) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
        (vii) A driver's license number, passport number, or alien registration number or other government-issued unique identification number.
      (B) Exceptions.--The term ``personal information'' does not include--
        (i) information that is encrypted or rendered unusable, unreadable, or indecipherable through data security technology or methodology that is generally accepted by experts in the field of information security at the time the breach of security occurred, such as redaction or access controls; or
        (ii) information available in a publicly available source, including information obtained from a news report, periodical, or other widely distributed media, or from Federal, State, or local government records.
    (11) Service provider.--The term ``service provider'' means a covered entity subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) that provides electronic data transmission, routing, intermediate and transient storage, or connection to its system or network, where such entity providing such service does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and does not differentiate personal information from other information that such entity transmits, routes, stores, or for which such entity provides connections. Any such entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage, or connections.
    (12) Small business concern.--The term ``small business concern'' has the meaning given such term under section 3 of the Small Business Act (15 U.S.C. 632).
    (13) State.--The term ``State'' means each of the several States, the District of Columbia, the Commonwealth of Puerto Rico, Guam, American Samoa, the Virgin Islands of the United States, the Commonwealth of the Northern Mariana Islands, any other territory or possession of the United States, and each federally recognized Indian tribe.

SEC. 6. EFFECT ON OTHER LAWS.

  (a) Preemption of State Information Security Laws.--No State or political subdivision of a State shall, with respect to a covered entity subject to this Act, adopt, maintain, enforce, or impose or continue in effect any law, rule, regulation, duty, requirement, standard, or other provision having the force and effect of law relating to or with respect to the security of data in electronic form or notification following a security breach of such data.
  (b) Common Law.--This section shall not exempt a covered entity from liability under common law.
  (c) Certain FTC Enforcement Limited to Data Security and Breach Notification.--
    (1) Data security and breach notification.--Insofar as sections 201, 202, 222, 338, and 631 of the Communications Act of 1934 (47 U.S.C. 201, 202, 222, 338, and 551), and any regulations promulgated thereunder, apply to covered entities with respect to securing information in electronic form from unauthorized access and acquisition, including notification of unauthorized access and acquisition to data in electronic form containing personal information, such sections and regulations promulgated thereunder shall have no force or effect, unless such regulations pertain solely to 9-1-1 calls.
    (2) Rule of construction.--Nothing in this subsection otherwise limits the Federal Communications Commission's authority with respect to sections 201, 202, 222, 338, and 631 of the Communications Act of 1934 (47 U.S.C. 201, 202, 222, 338, and 551).
  (d) Preservation of Commission Authority.--Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law.

SEC. 7. EDUCATION AND OUTREACH FOR SMALL BUSINESSES.

  The Commission shall conduct education and outreach for small business concerns on data security practices and how to prevent hacking and other unauthorized access to, acquisition of, or use of data maintained by such small business concerns.

SEC. 8. WEBSITE ON DATA SECURITY BEST PRACTICES.

  The Commission shall establish and maintain an Internet website containing non-binding best practices for businesses regarding data security and how to prevent hacking and other unauthorized access to, acquisition of, or use of data maintained by such businesses.

SEC. 9. EFFECTIVE DATE.

  This Act shall take effect 1 year after the date of enactment of this Act.

                          PURPOSE AND SUMMARY

    To require certain entities who collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security involving such information and for other purposes.
BACKGROUND AND NEED FOR LEGISLATION
Consumers face an increasing risk of identity theft and financial fraud created by criminals with varying motivations, but a common goal: to steal personal information for financial gain. Currently, there are forty-seven different State laws dealing with data breach notification and twelve State laws governing commercial data security. This patchwork of State laws creates confusion for consumers looking for consistency and predictability in breach notices, as well as complex compliance issues for businesses as they secure their systems after a breach. Moreover, this patchwork has not always resulted in better consumer protections and may lead to additional opportunities for cyber criminals to exploit vulnerable individuals with phishing attacks or other schemes because there is no consistent standard for data security or breach notification.
Following a breach, consumers must take steps to protect their accounts and their credit by replacing their cards, updating accounts, and monitoring their credit with existing tools. In addition, consumers ultimately bear the costs of the breach through higher fees and prices.
H.R. 1770 addresses the growing problem of identity theft and payment fraud by requiring covered entities to implement reasonable security measures for the type of personal information that criminals use for identity theft and payment fraud and to notify individuals in the case of a breach of security for such personal information. H.R. 1770 would establish a single Federal regime enforced by the Federal Trade Commission (FTC) and subject to civil penalties. Additionally, State attorneys general would be authorized to enjoin violations, compel compliance, or seek civil penalties for violations of the Act.
H.R. 1770 is limited in scope to address those categories of information that result in identity theft and payment fraud. The bill neither addresses privacy issues nor preempts existing privacy laws.
HEARINGS
The Subcommittee on Commerce, Manufacturing, and Trade held a hearing on the discussion draft, H.R. __, the Data Security and Breach Notification Act of 2015 on March 18, 2015. The Subcommittee received testimony from: Jessica Rich, Director, Bureau of Consumer Protection, Federal Trade Commission; Clete Johnson, Chief Counsel for Cybersecurity, Public Safety and Homeland Security Bureau, Federal Communications Commission; Mallory Duncan, Senior Vice President and General Counsel, National Retail Federation; Jon Leibowitz, Partner, Davis Polk & Wardwell LLP, Co-Chairman of, and on behalf of, the 21st Century Privacy Coalition; Laura Moy, Senior Policy Counsel, Open Technology Institute, New America; Yael Weinman, Vice President, Global Privacy Policy and General Counsel, Information Technology Industry Council; and Sara Cable, Assistant Attorney General, Office of the Massachusetts Attorney General.
COMMITTEE CONSIDERATION
On March 25, 2015, the Subcommittee on Commerce, Manufacturing, and Trade met in open markup session and forwarded H.R. __, Data Security and Breach Notification Act of 2015 to the full Committee, as amended, by a voice vote. On April 14, 2015, Rep. Blackburn, Rep. Welch, Rep. Burgess, and Rep. Upton introduced H.R. 1770, which was substantially similar to the bill approved by the Subcommittee. On April 15, 2015, the full Committee on Energy and Commerce met in open markup session and ordered H.R. 1770, Data Security and Breach Notification Act of 2015, reported to the House, as amended, by a record vote of 29 yeas and 20 nays.
COMMITTEE VOTES
Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the record votes on the motion to report legislation and amendments thereto. A motion by Mr. Upton to order H.R. 1770 reported to the House, as amended, was agreed to by a record vote of 29 ayes and 20 nays.
The following reflects the record votes taken during the Committee consideration:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
COMMITTEE OVERSIGHT FINDINGS
Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee held a hearing and made findings that are reflected in this report.
STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
The goal of H.R. 1770 is to protect consumers from identity theft, economic loss or economic harm, and financial fraud by establishing strong and uniform national data security and breach notification standards for electronic data in interstate commerce while minimizing State law burdens that may substantially affect interstate commerce, and to expressly preempt any related State laws to ensure uniformity of this Act's standards and the consistency of their application across jurisdictions.
NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES
In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 1770 would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues.
EARMARK, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS
In compliance with clause 9(e), 9(f), and 9(g) of rule XXI of the Rules of the House of Representatives, the Committee finds that H.R. 1770 contains no earmarks, limited tax benefits, or limited tariff benefits.
COMMITTEE COST ESTIMATE
The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974.
CONGRESSIONAL BUDGET OFFICE ESTIMATE
Pursuant to clause 3(c)(3) of rule XIII of the Rules of the House of Representatives, the following is the cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974:
U.S. Congress, Congressional Budget Office, Washington, DC, April 20, 2015.
Hon. Fred Upton, Chairman, Committee on Energy and Commerce, House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 1770, the Data Security and Breach Notification Act of 2015. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Susan Willie.
Sincerely, Keith Hall, Director.
Enclosure.
H.R. 1770--Data Security and Breach Notification Act of 2015
Summary: H.R. 1770 would establish a new law to require businesses to take reasonable steps to protect personal information they maintain in electronic form. Further, H.R. 1770 would require those entities, in the event of a breach in their security systems, to notify individuals whose personal information has been accessed and acquired as a result of the breach. Forty-seven states have laws that govern data security; H.R. 1770 would pre-empt many of those statutes. The bill would direct the Federal Trade Commission (FTC) to enforce the rules and authorize the agency to collect civil penalties if those rules are violated.
CBO estimates that implementing H.R. 1770 would cost $1 million over the 2015-2020 period, assuming appropriation of the necessary amounts. In addition, CBO estimates that enacting the bill would increase revenues by $9 million over the 2015-2025 period from the collection of civil penalties; therefore pay-as-you-go procedures would apply. Enacting H.R. 1770 would not affect direct spending.
H.R. 1770 contains intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates that the cost of complying with the mandates would be small and would not exceed the threshold established in UMRA ($77 million in 2015, adjusted annually for inflation).
H.R. 1770 would impose private-sector mandates as defined in UMRA on businesses and non-profits that possess or manage sensitive personal information and on Internet service providers (ISPs). Because most of those businesses already comply with similar requirements in state laws, CBO estimates that the incremental cost to comply with the mandates in the bill would probably fall below the annual threshold established in UMRA for private-sector mandates ($154 million in 2015, adjusted annually for inflation).
Estimated cost to the Federal Government: The estimated budgetary effect of H.R. 1770 is shown in the following table. The costs of this legislation fall within budget function 370 (commerce and housing credit).

                                      By fiscal year, in millions of dollars--
                      2016  2017  2018  2019  2020  2021  2022  2023  2024  2025  2016-2020  2016-2025
                                           CHANGES IN REVENUES
Estimated Revenues       *     1     1     1     1     1     1     1     1     1          4          9

Notes: * = less than $500,000.
CBO estimates that implementing H.R. 1770 would cost $1 million over the 2015-2020 period, assuming appropriation of the necessary amounts.
Basis of estimate: For this estimate, CBO assumes that the bill will be enacted near the end of fiscal year 2015, that the necessary amounts will be appropriated each year, and that spending will follow historical patterns for similar activities.
Spending subject to appropriation
H.R. 1770 would direct the FTC to enforce new federal regulations that would require certain businesses and nonprofits to:
    Establish security measures to protect personal information maintained in electronic form, and
    Notify individuals if a breach of security measures creates a reasonable risk that they would be exposed to identity theft or economic harm because of the breach.
Based on information from the FTC, CBO estimates that implementing H.R. 1770 would cost about $1 million over the 2015-2020 period, assuming appropriation of the necessary amounts. CBO expects the agency would hire 2 additional staff, at a cost of $260,000 per year, on average, to carry out the new regulatory requirements.
Revenues
Under current law, the FTC has authority under the Federal Trade Commission Act to bring enforcement actions against companies for deceptive and unfair practices that can involve consumers' privacy and personal information. However, the FTC can currently assess civil monetary penalties as part of those actions only in certain privacy related cases, such as for violations of rules established by the Children's Online Privacy Protection Act and the Fair Credit Reporting Act. Under H.R. 1770, the FTC could assess civil penalties in a broader set of privacy related cases. Based on information provided by the FTC, CBO estimates that enacting H.R. 1770 would increase revenues from civil penalties by about $1 million per year and by $9 million over the 2016-2025 period. Those payments of civil penalties would come primarily from covered entities that violate requirements to implement and maintain reasonable security measures to protect personal information.
Pay-As-You-Go considerations: The Statutory Pay-As-You-Go Act of 2010 establishes budget-reporting and enforcement procedures for legislation affecting direct spending or revenues. The net changes in revenues that are subject to those pay-as-you-go procedures are shown in the following table.
CBO ESTIMATE OF PAY-AS-YOU-GO EFFECTS FOR H.R. 1770, AS ORDERED REPORTED BY THE HOUSE COMMITTEE ON ENERGY AND COMMERCE ON APRIL 15, 2015

                                            By fiscal year, in millions of dollars--
                                2015  2016  2017  2018  2019  2020  2021  2022  2023  2024  2025  2015-2020  2015-2025
                                               NET DECREASE (-) IN THE DEFICIT
Statutory Pay-As-You-Go Impact     0     0    -1    -1    -1    -1    -1    -1    -1    -1    -1         -4         -9

Estimated impact on State, local, and tribal governments: H.R. 1770 contains intergovernmental mandates as defined in UMRA. The bill would explicitly preempt laws in at least 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands that require businesses to notify individuals in the event of a security breach. The bill also would impose notification requirements and limitations on state Attorneys General. Because the limits on state authority would impose no duties with costs and because the notification requirements would result in minimal additional spending, CBO estimates the costs of the mandates would be small and would not exceed the threshold established in UMRA for intergovernmental mandates ($77 million in 2015, adjusted annually for inflation).
Estimated impact on the private sector: H.R. 1770 would impose private-sector mandates as defined in UMRA on businesses and non-profits that possess or manage sensitive personal information and on ISPs.
Because most of those businesses already comply with similar requirements in state laws, CBO estimates that the incremental cost to comply with the mandates in the bill would probably fall below the annual threshold established in UMRA for private-sector mandates ($154 million in 2015, adjusted annually for inflation).
Requirements for information security
The bill would require businesses to implement and maintain reasonable security measures to protect personal information maintained in electronic form from unauthorized access. The bill stipulates that such security measures must be appropriate for the size, complexity, and general nature and scope of the activities of the business entity. According to the FTC, it is already enforcing such requirements for businesses covered under the Federal Trade Commission Act. Other businesses covered by the bill that are not currently under FTC's jurisdiction, including telecommunications carriers and non-profits, are currently subject to similar enforcement by the FCC or applicable state agencies under certain state laws. As a result, CBO expects that the incremental cost to comply with this provision would be minimal.
Notification of security breaches
The bill would require businesses engaged in interstate commerce that use, access, transmit, store, dispose of, or collect sensitive personal information to notify any individuals whose information has been or may have been unlawfully accessed as a result of a breach. In the event of a breach, businesses would be required to conduct an investigation to determine if there is a reasonable risk the breach resulted in, or could result in, identity theft, economic loss or harm, or financial fraud to individuals whose personal information was compromised. Upon determining there was sufficient risk, businesses would be required to notify individuals in the United States affected by the breach using written letters, or email. Notifications would be required to include certain information about the breach, as well as toll-free numbers for the affected business, consumer reporting agencies, and the FTC. If a breach requires notification of over 10,000 individuals, businesses would have to notify consumer reporting agencies, the FTC and either the Secret Service or the Federal Bureau of Investigation.
After a business has made reasonable efforts to contact all individuals affected by a breach, and determines that the contact information of at least 500 such individuals is insufficient or out-of-date, the bill would require such businesses to attempt to contact the individuals through either email (if it was not the primary method of contact), or by posting a conspicuous notice detailing information about the breach on the business's website for at least 90 days.
The bill also would impose requirements on ISPs. Should an ISP become aware of a breach affecting personal information that is owned or licensed by a business that connects to the ISP's networks, it must notify the affected business, if the business can be reasonably identified. The ISP would have no further notification requirements upon notifying the affected business under the bill, provided their relationship with the affected business was strictly for the purpose of transmitting, routing, or providing intermediate transient storage of data.
Nearly all states already have laws requiring notification in the event of a security breach. In addition, it is the standard practice of most businesses to notify individuals if a security breach occurs. Therefore, CBO expects that the incremental costs incurred by businesses to comply with the notification requirements in the bill would not be substantial.
Estimate prepared by: Federal costs: Susan Willie; Federal revenues: Nathaniel Frentz; Impact on state, local, and tribal governments: Melissa Merrell; Impact on the private sector: Logan Smith.
Estimate approved by: Theresa Gullo, Assistant Director for Budget Analysis.
FEDERAL MANDATES STATEMENT
The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act.
DUPLICATION OF FEDERAL PROGRAMS
No provision of H.R. 1770 establishes or reauthorizes a program of the Federal Government known to be duplicative of another Federal program, a program that was included in any report from the Government Accountability Office to Congress pursuant to section 21 of Public Law 111-139, or a program related to a program identified in the most recent Catalog of Federal Domestic Assistance.
DISCLOSURE OF DIRECTED RULE MAKINGS
The Committee estimates that enacting H.R. 1770 specifically directs to be completed no rule making within the meaning of 5 U.S.C. 551.
ADVISORY COMMITTEE STATEMENT
No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.
APPLICABILITY TO LEGISLATIVE BRANCH
The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act.
SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short title; purposes
Section 1 provides that the Act may be cited as the ``Data Security and Breach Notification Act of 2015,'' and that its purpose is to protect consumers from identity theft, economic loss or economic harm, and financial fraud by establishing uniform national data security and breach notification standards for electronic data in interstate commerce.
Section 2. Requirements for information security
This section requires covered entities to implement and maintain reasonable security measures and practices that are appropriate to the size and complexity of the entity and the nature and scope of its activities, and to protect and secure electronic personal information against unauthorized access and acquisition.
Section 3. Notification of information security breach
Following a breach of security, this section requires a covered entity that uses, accesses, transmits, stores, disposes of, or collects personal information to restore the reasonable integrity, security, and confidentiality of the data system, and conduct a reasonable and prompt investigation of the breach to determine whether there is a reasonable risk that the breach has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud.
This section requires covered entities to notify individuals affected by, or reasonably believed to have been affected by, the breach of security unless there is no reasonable risk that the breach has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud. A breached covered entity shall notify any individual for whom an election was not made under this section not later than twenty-five days after the non-breached covered entity declines or fails to make an election. A non-breached covered entity shall notify any individual for whom it provided personal information to the breached covered entity that was affected by the breach of security within twenty-five days after exercising the election under this section. Any other covered entity shall identify the individuals affected by the breach of security and notify them within thirty days after restoring the reasonable integrity, security, and confidentiality of the data system and identifying the impact of the breach of security pursuant to this section.
If a covered entity, breached covered entity, or non- breached covered entity discovers additional individuals to whom notification is required after providing notice under this section, the covered entity shall notify such individuals as expeditiously as possible and without unreasonable delay. This section requires breached covered entities to notify in writing a non-breached covered entity of a breach of security within ten days after restoring the reasonable integrity, security, and confidentiality of the data system and identifying the impact of the breach pursuant to this section. The breached covered entity shall include in the notice information about the elements of personal information received from the non-breached covered entity pursuant to their contract reasonably believed to be affected by the breach of security. A non-breached covered entity may elect in writing to provide notice to all individuals included in the notice whose personal information was affected by the breach of security within ten days of receiving the notice. Such election relieves the breached covered entity of its notification obligation under this section for those individuals. After an election by a non- breached covered entity, the breached covered entity shall cooperate in all reasonable respects with the non-breached covered entity and provide any of the information the breached covered entity possesses that is described in the notice to individuals so that notification to individuals is made in compliance with this section. A breached covered entity shall reply within ten business days to a request for such information by a non-breached covered entity. If a non-breached covered entity declines or fails to elect, it shall cooperate in all respects with the breached covered entity and provide any information it possesses that is described in the notice to individuals so that notification to individuals is made in compliance with this section. 
A non-breached covered entity shall reply within 10 business days to a request for such information by a breached covered entity.
This section requires a covered entity to also notify the FTC and the Secret Service or Federal Bureau of Investigation of a breach of security if more than 10,000 individuals' personal information was, or there is reasonable basis to conclude was, accessed and acquired by an unauthorized person.
This section allows Federal, State, or local law enforcement to delay notification to affected individuals if it would impede a civil or criminal investigation.
This section provides certain accommodations for non-profits or where there is limited contact information for an individual.
This section requires covered entities to notify a consumer reporting agency of a breach of security affecting more than 10,000 individuals.
This section requires that any notice to affected individuals about a breach of security must include:
1) a description of the personal information that was, or reasonably believed to be, accessed and acquired by an unauthorized person;
2) the date range or approximate date range of the breach;
3) a telephone number or toll-free number (if the covered entity does not meet the definition of a small business concern or non-profit organization) that an affected individual may use to inquire about the breach;
4) the toll-free contact telephone number and addresses for a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis; and
5) the toll-free telephone number and Internet website for the FTC where individuals can get more information about identity theft.
A covered entity may contract out its notice obligation as long as it is clear that the notice is sent on behalf of the covered entity.
This section requires a service provider to notify a covered entity if it becomes aware of a breach of security involving electronic data containing personal information and can reasonably identify the sender.
Section 4. Enforcement
This section establishes that a violation of this Act will be treated as an unfair or deceptive act or practice under the Federal Trade Commission Act and violations will be enforced by the FTC. Any covered entity that violates this Act shall be subject to the penalties and immunities provided in the Federal Trade Commission Act and as extended by this Act to common carriers and non-profit organizations. Notwithstanding section 5(m) of the FTC Act, the Commission may impose civil penalties for violations of section 3 in an amount not greater than $1,000 per violation and each failure to send a notification shall be a separate violation. This section sets a maximum total liability for first-time violations of section 2 resulting from the same related act or omission at $8,760,000, and for first-time violations of section 3 resulting from the same related act or omission at $17,520,000.
This section allows for State attorneys general to bring enforcement actions for violations of either the security or notification requirements of this draft. They may bring civil penalties of up to $11,000 per violation of section 2 and $1,000 per violation of section 3. This section establishes a maximum civil penalty of $2.5 million in cases filed by a State attorney general. Civil penalties will be annually adjusted for inflation. This section requires that the covered entity's degree of culpability, history of prior conduct, ability to pay, effect on ability to continue to do business, and any other matters must be taken into account in determining the amount of a civil penalty. This section provides certain process requirements so that there is not redundant enforcement between State attorneys general and the FTC. This section also provides that nothing in this Act establishes a private cause of action against a person for a violation of this Act.
Section 5. Definitions
This section provides definitions for the following terms: breach of security, breached covered entity, Commission, consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, covered entity, data in electronic form, encrypted, non-breached covered entity, non-profit organization, personal information, service provider, small business concern, and State.
Section 6. Effect on other laws
This section prevents States from adopting, maintaining, enforcing, or imposing or continuing in effect any law, rule, regulation, duty, requirement, standard, or other provision related to the security of data in electronic form or notification following a breach of security with respect to a covered entity. This section would not exempt a covered entity from liability under common law. This section provides that any regulations in sections 201, 202, 222, 338, and 631 of the Communications Act of 1934 that pertain to information security or breach notification practices of covered entities are superseded by this Act. This section provides that nothing in this subsection otherwise limits the Federal Communications Commission's authority with respect to sections 201, 202, 222, 338, and 631 of the Communications Act of 1934. This section also provides that nothing in this Act should be construed in any way to limit or affect the FTC's authority under any other provision of law.
Section 7. Education and outreach for small businesses
This section requires the Commission to conduct education and outreach for small business concerns on data security practices and how to prevent hacking and other unauthorized access to, acquisition of, or use of data maintained by such small business concerns.
Section 8. Website on data security best practices
This section requires the Commission to establish and maintain a website with non-binding best practices for businesses regarding data security and how to prevent hacking and other unauthorized access to, acquisition of, or use of data maintained by such small businesses.
Section 9. Effective date
This section provides that the Act will take effect one year after the date of enactment of this Act.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
This legislation does not amend any existing Federal statute.
DISSENTING VIEWS
We agree that there is a need for legislation requiring entities that hold and collect consumer information be required to secure such information and provide notice to consumers in the case of a breach of security of that information. Unfortunately, we cannot support H.R. 1770, the Data Security and Breach Notification Act of 2015, as reported by the Committee on Energy and Commerce on April 15, 2015. This bill does not enhance consumer protections. And in many ways, it puts consumers in a worse place with regard to data security and breach notification than they are today. Our views on specific provisions in H.R. 1770 and the Committee's consideration of the bill are set forth below.
I. H.R. 1770, AS REPORTED
H.R. 1770 fails to meet the dual purposes of reducing breaches and mitigating their adverse effects. Federal data breach legislation should enhance protections against data breaches and provide consumers with relevant information following a breach. Instead, H.R. 1770 weakens existing consumer protections by preempting often stronger state and territorial data breach laws without an adequate replacement for those provisions.
H.R. 1770 fails to require sufficient protections of consumers' personal information. Robust data security is critical to any data breach bill.
Federal legislation cannot be foolproof, but it should be focused on stopping breaches from happening, before consumers' personal information is compromised and before consumers see the negative effects.

H.R. 1770 also fails to provide strong data breach notification to consumers whose data has been subject to a breach. Many of the 51 state and territorial breach notification laws provide greater protections for consumers. Thirty-eight of those state laws require notice of a breach to be provided in more circumstances than H.R. 1770, thereby allowing consumers to prevent harms instead of waiting for harms to occur before taking action. In contrast, H.R. 1770 requires a financial harm analysis before notification is required to be provided to consumers. Consumers should know when their personal information has been hacked, and have the ability to decide whether a breach of their personal information may cause them harm and react as they see fit. Consumers have not reported confusion because of the variation in notice requirements in the state laws.

In addition, H.R. 1770 is narrow in scope, providing a limited and inflexible definition of personal information. Although the bill purports to focus on personal information that leads to financial harms, the definition of personal information does not include some types of personal information that could lead directly to financial harm, such as payroll information. Moreover, it does not cover any other types of personal information that indirectly lead to financial harm through phishing scams or other fraud schemes. Nor does H.R. 1770 cover the types of personal information that lead to other harms, such as physical or emotional harms. Many state laws that would be preempted by this bill cover broader personal information, such as an individual's medical history or health insurance information. These types of information are not covered by H.R. 1770.

Moreover, H.R. 1770 limits the civil penalties that can be sought by the Federal Trade Commission (FTC) and the state attorneys general in enforcing the provisions of this bill, again limiting consumer protections available under current law. Both the FTC and the state attorneys general need the ability to match the scope of these breaches with adequate penalties. The FTC and state attorneys general should have the flexibility to seek fair penalties that are commensurate with the damage that has been done. This bill caps the total fine the FTC can impose for first offenses at $8,760,000 for violations of the security requirements and at $17,520,000 for violations of breach notification requirements. The bill also caps the total fine state attorneys general, collectively, can impose in all cases at $2.5 million for violations of the security requirements and at $2.5 million for violations of breach notification requirements. Under the maximum penalty provision for state attorneys general, therefore, if one state attorney general collects $2.5 million from an entity for a violation of the breach notification provision, no other state attorney general will be permitted to impose a fine at all, even if a breach affected millions of consumers in his or her state.

Further, while this bill provides state attorneys general with the ability to bring civil actions against companies that violate the act, it does not provide that they receive any notification of a breach. There is simply no good reason to delay, and perhaps prevent, the facts of a data breach from reaching state attorneys general, who often have relationships and connections in states that are critical to disseminating information to consumers and businesses quickly. And while the FTC, which also has authority to enforce the provisions of this bill, does receive notification of a breach so that it can respond effectively, it is not notified unless there is a very high threshold of affected consumers.

Finally, H.R. 1770 preempts provisions of the Communications Act regarding telecommunications, cable, and satellite services, as well as the regulations promulgated thereunder, to the extent they apply to information security practices and breach notification. And because data security is inextricably linked to privacy and competition, the ability of the Federal Communications Commission (FCC) to protect consumers in those areas also would be adversely affected. H.R. 1770 only requires the reasonable securing of personal information as the bill defines personal information, i.e., narrowly. The bill then preempts the Communications Act broadly, with regard to all information. Since H.R. 1770's breach notification is exclusively linked to financial harm, notifications currently required under the Communications Act also would become void and unenforceable.

The bill moves jurisdiction over these communications services for data security and breach notification from the FCC to the FTC. The FTC has expertise in general data breach issues. But, as primarily an enforcement agency, the FTC lacks the tools to effectively handle the unique data security, breach notification, and privacy issues of communications services. Under H.R. 1770, these services will no longer be subject to the before-the-fact security and privacy requirements under the Communications Act and its associated regulations. Instead, they will only be subject to after-the-fact enforcement. This system does not adequately protect consumers' valuable communications-related personal information, such as telecommunications subscribers' customer proprietary network information (CPNI), which includes virtually all information about a customer's use of the service, or cable or satellite subscribers' viewing histories.

II. COMMITTEE CONSIDERATION

A. Amendments Offered in Subcommittee

Four amendments were adopted at the Subcommittee markup.
A manager's amendment offered by Representatives Burgess and Welch made minor changes to the definition of encryption and made broader an exception to the definition of covered entities for entities subject to GLB. The change to the GLB exception was mostly reversed in the bill considered by the full committee.

An amendment offered by Representatives Pompeo and Welch established procedures for breached covered entities and non-breached covered entities to provide notice to individuals. The language added by this amendment was also significantly changed in the bill considered by the full committee.

Two amendments offered by Representatives Cardenas and Blackburn were adopted at the Subcommittee markup adding sections 7 and 8 to the bill regarding education and outreach for small businesses through the FTC.

In addition, five amendments were offered by other minority members, all of which were voted down along party lines. Representative Clarke offered an amendment to give the FTC rulemaking authority to change the definition of personal information as necessary. Representative Rush offered two amendments to address concerns with the preemption of the Communications Act. The first amendment struck the preemption language entirely. The second amendment was intended to transfer as much enforcement authority from the Federal Communications Commission (FCC) to the FTC as the FCC loses in the underlying bill text. Representative Kennedy offered two amendments intended to address state preemption and the conflict in the common law preemption language.

B. Amendments Offered in Full Committee

On April 14-15, 2015, the full Committee on Energy and Commerce voted in favor of H.R. 1770, the Data Security and Breach Notification Act of 2015, strictly along party lines. Four amendments were adopted at full Committee.
An amendment offered by Representative Kinzinger slightly expanded the definition of personal information to include a user name or email address in combination with a password or security question and answer.

Representative Barton offered an amendment making a minor technical correction to a reference to notification by breached or non-breached covered entities.

Representative Olson offered an amendment that lowered the per-violation fine from $11,000 to $1,000 for a violation of the notice requirements in section 3. The Olson amendment also placed limits on the total penalties for first-time violations of section 2 at $8,760,000 and for first-time violations of section 3 at $17,520,000. These limits on first-time penalties only apply to enforcement by the FTC.

An amendment offered by Representative Blackburn further weakened the consumer protections afforded by this bill. The amendment, among other things, limited the definition of breach of security to relate to information that was accessed and acquired instead of accessed or acquired; added a requirement that a covered entity suffering a breach identify the impact of the breach as part of its required investigation into the breach (which would occur before notice is given to consumers); and changed the requirement that to be considered personal information a name must be connected with all three (not two of three) of the following: (1) home address and telephone number, (2) mother's maiden name, (3) birthday. The Blackburn amendment also made changes to the notification duties that a breached covered entity has with respect to a non-breached covered entity and changed the definition of call information that is considered personal information.

In addition, five amendments were offered by minority members, four of which were voted down along party lines.
An amendment in the nature of a substitute offered by Representatives Rush and Schakowsky, which was intended to protect consumers without overburdening businesses, received bipartisan support but failed to get enough votes to be adopted. The amendment would have provided a strong security standard with needed specificity, while ensuring that it is technology-neutral and allows for flexibility for businesses to implement appropriate security procedures. It also would have given the FTC rulemaking authority to flesh out the needed details and allowed those details to change over time as criminals get more and more creative. This amendment would not have a financial harm trigger for notification to consumers but would have added to the definition of personal information because unauthorized access to all kinds of personal information can harm people whose information is stolen. Additionally, it would have given the FTC authority to change the definition of personal information. This amendment also acknowledges the important role of the states and would have eliminated the limitations on state enforcement that are in the underlying bill by requiring notice to state attorneys general and removing the caps on civil penalties that can be sought by state attorneys general. Moreover, the amendment would have preempted state laws, replacing them with strong security and breach notification standards, to avoid burdening businesses with 51 laws with which they must comply. Furthermore, the amendment would have preserved the FCC's authority to regulate the privacy, data security, and breach notification with regard to telecommunications, satellite, cable, and broadband services.

Representative Eshoo also offered an amendment in the nature of a substitute, which, among other things, would have directed the FTC to promulgate a rule creating security standards consistent with California state security standards, making the California standards the floor for the nation.
The bill would have preempted state breach notification laws that failed to meet the California standards, and would have allowed states to innovate by passing stronger state laws. The amendment provides an expanded definition of personal information compared to the underlying bill, including health and medical information. It also eliminates the cap on the ability of state attorneys general to seek civil penalties. It would have ensured notice to consumers of a breach whether or not there is financial harm and gives consumers a private right of action for violations of the security or breach notification requirements. The amendment would have also preserved the FCC's authority to regulate the privacy, data security, and breach notification with regard to telecommunications, satellite, cable, and broadband services.

Representative McNerney offered an amendment that would have provided that in the event of a breach that affects 500 consumers or more, a covered entity must provide notice to the state attorneys general of those states whose residents were affected.

Representative Kennedy offered two amendments intended to protect states' abilities to use their unfair and deceptive practices authority and address the conflict in the common law preemption language.

For the reasons stated above, we dissent from the views contained in the Committee's report.

Frank Pallone, Jr.,
Ranking Member, Committee on Energy and Commerce.

Jan Schakowsky,
Ranking Member, Subcommittee on Commerce, Manufacturing and Trade.