US HR1770
Data Security and Breach Notification Act of 2015


Status

Introduced: 04/14/2015
In Committee: 04/17/2015
Crossed Over: (not reached)
Passed: (not reached)
Dead: 01/03/2017

Introduced Session

114th Congress

Bill Summary

Data Security and Breach Notification Act of 2015

Requires certain commercial entities and non-profit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to restore the integrity, security, and confidentiality of their data systems following the discovery of a security breach.

Requires notification to: (1) affected U.S. residents when there is a reasonable risk that such a breach has resulted in, or will result in, identity theft, economic harm, or financial fraud; (2) the Federal Trade Commission (FTC) and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses or acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.

Establishes special procedures to coordinate the notices that must be provided when: (1) a breached entity processes personal data on behalf of a non-breached entity; or (2) a provider of electronic data transmission, storage, or network connection services becomes aware of a breach.

Provides authority to the FTC and states to enforce against violations of this Act. Directs the FTC to educate small businesses about data security and establish an Internet website containing non-binding best practices.

Preempts state information security and notification laws, but does not exempt an entity from liability under common law. Provides for the requirements of this Act to apply to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission (FCC), except for FCC regulations that pertain solely to 9-1-1 calls.

AI Summary

This bill, the Data Security and Breach Notification Act of 2015, requires commercial entities and non-profit organizations that handle unencrypted personal information to maintain secure data systems and notify individuals in the event of a data breach that poses a risk of identity theft, economic harm, or financial fraud. Specifically, it mandates notification to affected U.S. residents, the Federal Trade Commission (FTC) and law enforcement if over 10,000 individuals are impacted, and consumer reporting agencies in such large-scale breaches. The bill also establishes procedures for coordinating notifications when data is processed by one entity on behalf of another or when a service provider experiences a breach, and it grants enforcement authority to the FTC and states, while preempting conflicting state laws on data security and breach notification, though it does not eliminate liability under common law. Additionally, the FTC is directed to provide educational resources to small businesses on data security and maintain a website with best practices.

Committee Categories

Business and Industry

Sponsors (4)

Last Action

Placed on the Union Calendar, Calendar No. 719. (on 01/03/2017)
