Secure and Protect Americans' Data Act
Bill journey · stage 2 of 5
Under committee review
What it does
Summary as introduced in House (Dec 8, 2015)
Secure and Protect Americans' Data Act
This bill requires the Federal Trade Commission (FTC) to promulgate regulations requiring entities regulated by the FTC, common carriers, and nonprofit organizations to establish information security practices for the treatment and protection of personal information.
At least annually, such entities must evaluate their consumer privacy programs to make any appropriate adjustments for changing technologies, threats or vulnerabilities, or business arrangements.
The bill sets forth special procedures for information brokers to: (1) submit security policies to the FTC, (2) provide for post-breach audits, and (3) establish procedures for individuals to review and correct inaccuracies in their personal information. In lieu of procedures that allow individuals to dispute information, an information broker may provide individuals a means of expressing a preference not to have their information used for marketing purposes.
The bill prohibits information brokers from obtaining or disclosing personal information by false pretenses.
Within 10 days following discovery of a security breach, entities must notify:
- the FTC;
- the Federal Bureau of Investigation;
- the U.S. Secret Service;
- for common carriers, the Federal Communications Commission (FCC); and
- attorneys general of affected states.
Within 30 days following a breach, entities must notify individuals who are U.S. citizens or residents whose personal information was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, or used for an unauthorized purpose.
If an entity is required to notify more than 5,000 individuals, the entity must also notify major consumer reporting agencies. An entity must provide notices in print and broadcast media if the affected residents of a state exceed 5,000.
Notices must include information on affected individuals' entitlement to consumer credit reports or credit monitoring services.
The bill exempts entities from notification requirements if the data is unusable, unreadable, or indecipherable.
Entities complying with other federal laws that require substantially similar information security procedures or breach notifications are deemed to be in compliance with the FTC's procedures or the notification requirements of this Act.
Enforcement authority is provided to the FTC and states. States may obtain civil penalties for certain violations.
What just happened (Dec 11, 2015)
Referred to the Subcommittee on Commerce, Manufacturing, and Trade.
- Dec 8, 2015: Introduced in House.
- Dec 8, 2015: Referred to the House Committee on Energy and Commerce (Energy and Commerce Committee).
- Dec 11, 2015: Referred to the Subcommittee on Commerce, Manufacturing, and Trade (Innovation, Data, and Commerce Subcommittee).