Ask AI
Bill114th CongressFiled Apr 14, 2015Commerce
H.R. 1770

Data Security and Breach Notification Act of 2015

Bill journey · stage 2 of 5

Under committee review

Filed
Comm.
Floor
Both
Law

What it doesSummary reported to house with amendment(s) (Jan 3, 2017)

Data Security and Breach Notification Act of 2015

This bill requires certain commercial entities regulated by the Federal Trade Commission (FTC), common carriers subject to the Communications Act of 1934, and nonprofit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to: (1) implement security measures to protect electronic information against unauthorized access and acquisition; (2) restore the integrity, security, and confidentiality of their data systems following the discovery of a security breach; and (3) determine whether there is a risk that a breach will result in identity theft, economic loss or harm, or financial fraud to individuals' personal information.

Notification of a breach must be sent to: (1) affected U.S. residents; (2) the FTC and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses and acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.

The bill establishes special procedures to coordinate notices that must be provided when: (1) a breached entity processes personal data on behalf of a non-breached entity; or (2) a provider of electronic data transmission, storage, or network connection services becomes aware of a breach.

The bill provides different sets of civil penalties that the FTC and states may impose to enforce against violations of this bill.

The FTC must educate small businesses about data security and establish an Internet website containing non-binding best practices.

The bill preempts state information security and notification laws, but does not exempt an entity from liability under common law. The bill applies to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission (FCC), except for FCC regulations that pertain solely to 9-1-1 calls.

What just happenedJan 3, 2017

Placed on the Union Calendar, Calendar No. 719.

Who’s behind it

Rep. Blackburn, Marsha [R-TN-7](R-TN)Sponsor
3 cosponsors1 D2 R
Read on Congress.gov
3cosponsors1committees10actions10subjects
  1. Jan 3, 2017CalendarsH12410

    Placed on the Union Calendar, Calendar No. 719.

  2. Jan 3, 2017CommitteeH12200

    Reported (Amended) by the Committee on Energy and Commerce. H. Rept. 114-908.

    Energy and Commerce Committee
  3. Jan 3, 2017Committee5000

    Reported (Amended) by the Committee on Energy and Commerce. H. Rept. 114-908.

    Energy and Commerce Committee
  4. Apr 17, 2015Committee

    Referred to the Subcommittee on Commerce, Manufacturing, and Trade.

    Innovation, Data, and Commerce Subcommittee
  5. Apr 15, 2015Committee

    Ordered to be Reported (Amended) by the Yeas and Nays: 29 - 20.

    Energy and Commerce Committee
  6. Apr 15, 2015Committee

    Committee Consideration and Mark-up Session Held.

    Energy and Commerce Committee
  7. Apr 14, 2015IntroReferralH11100

    Referred to the House Committee on Energy and Commerce.

    Energy and Commerce Committee
  8. Apr 14, 2015Committee

    Committee Consideration and Mark-up Session Held.

    Energy and Commerce Committee
  9. Apr 14, 2015IntroReferralIntro-H

    Introduced in House

  10. Apr 14, 2015IntroReferral1000

    Introduced in House

Reported to House with amendment(s)Jan 3, 201717

Data Security and Breach Notification Act of 2015

This bill requires certain commercial entities regulated by the Federal Trade Commission (FTC), common carriers subject to the Communications Act of 1934, and nonprofit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to: (1) implement security measures to protect electronic information against unauthorized access and acquisition; (2) restore the integrity, security, and confidentiality of their data systems following the discovery of a security breach; and (3) determine whether there is a risk that a breach will result in identity theft, economic loss or harm, or financial fraud to individuals' personal information.

Notification of a breach must be sent to: (1) affected U.S. residents; (2) the FTC and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses and acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.

The bill establishes special procedures to coordinate notices that must be provided when: (1) a breached entity processes personal data on behalf of a non-breached entity; or (2) a provider of electronic data transmission, storage, or network connection services becomes aware of a breach.

The bill provides different sets of civil penalties that the FTC and states may impose to enforce against violations of this bill.

The FTC must educate small businesses about data security and establish an Internet website containing non-binding best practices.

The bill preempts state information security and notification laws, but does not exempt an entity from liability under common law. The bill applies to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission (FCC), except for FCC regulations that pertain solely to 9-1-1 calls.

Introduced in HouseApr 14, 2015

Data Security and Breach Notification Act of 2015

Requires certain commercial entities and non-profit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to restore the integrity, security, and confidentiality of their data systems following the discovery of a security breach.

Requires notification to: (1) affected U.S. residents when there is a reasonable risk that such a breach has resulted in, or will result in, identity theft, economic harm, or financial fraud; (2) the Federal Trade Commission (FTC) and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses or acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.

Establishes special procedures to coordinate the notices that must be provided when: (1) a breached entity processes personal data on behalf of a non-breached entity; or (2) a provider of electronic data transmission, storage, or network connection services becomes aware of a breach.

Provides authority to the FTC and states to enforce against violations of this Act.

Directs the FTC to educate small businesses about data security and establish an Internet website containing non-binding best practices.

Preempts state information security and notification laws, but does not exempt an entity from liability under common law. Provides for the requirements of this Act to apply to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission (FCC), except for FCC regulations that pertain solely to 9-1-1 calls.

Data Security and Breach Notification Act of 2015 — Informed