Bill > S1976

This bill, known as the Data Security and Breach Notification Act of 2014, aims to protect consumers by establishing nationwide standards for data security and breach notification. It requires "covered entities" – which include businesses, non-profits, and other commercial organizations that handle personal information – to implement reasonable security policies and procedures to safeguard data containing "personal information," defined broadly to include Social Security numbers, financial account details, and certain combinations of identifying information. In the event of a "breach of security," meaning the compromise of data leading to unauthorized access or acquisition of personal information, covered entities must notify affected individuals and the Federal Trade Commission (FTC), with specific notification requirements for large-scale breaches or those involving government databases. The bill also outlines procedures for third-party service providers and includes exemptions for certain situations, such as when there's no reasonable risk of identity theft or for national security and law enforcement purposes. Enforcement is primarily handled by the FTC, with provisions for state attorneys general to bring civil actions, and penalties for violations, including concealment of breaches. Existing federal laws like the Gramm-Leach-Bliley Act and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) are recognized, and the bill preempts conflicting state laws regarding data security and breach notification, while preserving other state consumer protection laws.