

US HR1704

Personal Data Notification and Protection Act of 2015



Status

Introduced: 03/26/2015
In Committee: 04/29/2015
Dead: 01/03/2017

Introduced Session

114th Congress

Bill Summary

Personal Data Notification and Protection Act of 2015

Requires certain businesses that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information about more than 10,000 individuals during any 12-month period to notify individuals whose information is believed to have been accessed or acquired through a discovered security breach. Directs businesses, within 30 days after discovery of a breach, to notify: (1) affected individuals by mail, telephone, or email; and (2) major media outlets if the number of affected residents of a state exceeds 5,000. Allows the Federal Trade Commission (FTC) to extend the notification period if a business seeks additional time. Requires the Department of Homeland Security (DHS) to designate a federal government entity to receive notices about security incidents, threats, and vulnerabilities. Directs businesses to notify the DHS-designated entity, and requires the DHS-designated entity to then notify the U.S. Secret Service, the Federal Bureau of Investigation (FBI), and the FTC, if a security breach affects: (1) more than 5,000 individuals, (2) a database that contains the sensitive information of more than 500,000 individuals, (3) federal government databases, or (4) federal employees or contractors involved in national security or law enforcement. Requires the DHS-designated entity to also make the information available to other appropriate federal agencies for law enforcement, national security, or computer security purposes. Authorizes the Secret Service or the FBI to require businesses to delay or exempt individuals from notifications for national security or law enforcement purposes. Requires businesses to notify consumer reporting agencies if more than 5,000 individuals must be notified of a breach.
Exempts a business from individual notification requirements if the business: (1) conducts and notifies the FTC of a risk assessment finding no reasonable risk that a breach resulted in, or will result in, harm to the affected individuals, provided that the FTC is given 10 days to determine whether individual notification should be provided before the exemption automatically becomes effective; or (2) uses or participates in a security program that blocks the use of certain sensitive personal information to initiate financial transactions if the program also notifies affected individuals after a breach that results in fraud or unauthorized transactions. Sets forth authority for the FTC and states to enforce against violations of this Act. Amends the federal criminal code to extend extraterritorially the application of penalties for fraud offenses involving an access device issued, owned, managed, or controlled by a financial institution, credit card system member, or other entity organized under the laws of the United States or any U.S. state or territory. (An access device is any card, code, electronic serial number, telecommunications service, or other means of account access that can be used to initiate a transfer of funds or to obtain money, goods, or services.) Removes a condition under current law that subjects a person to such penalties only if the underlying articles, property, or proceeds are held within or have transferred through U.S. jurisdiction.

AI Summary

This bill, the Personal Data Notification and Protection Act of 2015, establishes a national standard for businesses to notify individuals about security breaches involving their sensitive personally identifiable information, which includes things like names, social security numbers, and financial account details. Businesses that handle this type of information for more than 10,000 individuals in a year must report breaches within 30 days, either by mail, phone, or email, and if over 5,000 residents of a state are affected, major media outlets must also be notified. The bill also requires businesses to report significant breaches to a designated federal entity within the Department of Homeland Security (DHS), which will then inform agencies like the U.S. Secret Service and the FBI, especially if the breach affects over 5,000 individuals, a database of over 500,000 individuals, federal databases, or national security personnel. The Secret Service or FBI can delay these notifications for national security or law enforcement reasons, and businesses must also notify credit reporting agencies if more than 5,000 individuals are affected. Exemptions from individual notification are allowed if a business conducts a risk assessment showing no reasonable risk of harm, or if they participate in a security program that prevents unauthorized financial transactions and notifies individuals of fraud. The Federal Trade Commission (FTC) and state attorneys general are empowered to enforce these provisions, and the bill also extends the reach of U.S. law to cover cybercrimes involving access devices issued by U.S. entities, even if the crime occurs outside the United States.

Committee Categories

Business and Industry, Military Affairs and Security

Sponsors (1)

Last Action

Referred to the Subcommittee on the Constitution and Civil Justice. (on 04/29/2015)
