<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-Senate" public-private="public"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>114 S1027 IS: Data Breach Notification and Punishing Cyber Criminals Act of 2015</dc:title>
<dc:publisher>U.S. Senate</dc:publisher>
<dc:date>2015-04-21</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">II</distribution-code><congress>114th CONGRESS</congress><session>1st Session</session><legis-num>S. 1027</legis-num><current-chamber>IN THE SENATE OF THE UNITED STATES</current-chamber><action><action-date date="20150421">April 21, 2015</action-date><action-desc><sponsor name-id="S339">Mr. Kirk</sponsor> (for himself and <cosponsor name-id="S331">Mrs. Gillibrand</cosponsor>) introduced the following bill; which was read twice and referred to the <committee-name committee-id="SSCM00">Committee on Commerce, Science, and Transportation</committee-name></action-desc></action><legis-type>A BILL</legis-type><official-title>To require notification of information security breaches and to enhance penalties for cyber
criminals, and for other purposes. </official-title></form>
<legis-body>
<section id="S1" section-type="section-one"><enum>1.</enum><header>Short
title</header><text display-inline="no-display-inline">This Act may be cited as the <quote><short-title>Data Breach Notification and Punishing Cyber Criminals Act of 2015</short-title></quote>.</text>
</section><section id="id980792aa546941ed9f08b557c026ed0f"><enum>2.</enum><header>Requirements for
information security</header><text display-inline="no-display-inline">Each covered entity shall take reasonable measures to protect and secure data in electronic form containing personal information.</text>
</section><section id="idf761a890744b4e25bebec5eb38c3ab39"><enum>3.</enum><header>Notification of
information security breach</header>
<subsection id="id020ce2183df94dfeb7a45707cdb4cb3d"><enum>(a)</enum><header>Notification</header>
<paragraph commented="no" id="id06a6deaca3c241a4985e645d7b4563b2"><enum>(1)</enum><header>In general</header><text>A covered entity that owns or licenses data in electronic form containing personal information shall give notice of any breach of the security of the system following discovery by the covered entity of the breach of the security of the system to each individual who is a citizen or resident of the United States—</text>
<subparagraph commented="no" id="id7C2842E9DCE1429E82EC858546F6C440"><enum>(A)</enum><text>whose personal information was, or that the covered entity reasonably believes to have been, accessed and acquired by an unauthorized person; or</text>
</subparagraph><subparagraph commented="no" id="idA620266825454FAE83934FCD7B93A35A"><enum>(B)</enum><text>who the covered entity reasonably believes may be at risk of identity theft, fraud, actual financial harm, or other unlawful conduct.</text>
</subparagraph></paragraph><paragraph id="id94509db776ab4f70a4a2383d06bff95a"><enum>(2)</enum><header>Law
enforcement</header>
<subparagraph id="IDd3152be81443482e9746258d6135d40d"><enum>(A)</enum><header>Designation of a
government entity To receive notice</header>
<clause id="ID195026c47def4a68981831f7153715fa"><enum>(i)</enum><header>In
general</header><text>Not later than 60 days after the date of enactment of this Act, the Secretary of Homeland Security, in consultation with the Attorney General, shall designate a Federal Government entity to receive the information required to be submitted under this section, and any other reports and information about information security incidents, threats, and vulnerabilities.</text>
</clause><clause id="IDfa51c6bfbdbd49e39a0d53e9436068a2"><enum>(ii)</enum><header>Responsibilities of the
designated entity</header><text>The designated entity shall—</text> <subclause id="IDdc215a0d355348049be0cdee940d64ea"><enum>(I)</enum><text>be responsible for promptly providing the information it receives to the United States Secret Service and the Federal Bureau of Investigation, and to the Federal Trade Commission for civil law enforcement purposes; and</text>
</subclause><subclause commented="no" display-inline="no-display-inline" id="ID9d421ea9468c42a69401807467a8ec47"><enum>(II)</enum><text>provide the information described in subclause (I) as appropriate to other Federal agencies for law enforcement, national security, or data security purposes.</text>
</subclause></clause></subparagraph><subparagraph id="id77FEB3516F2E475D960880CC57344FE7"><enum>(B)</enum><header>Notice</header><text>Not later than 30 days after the date on which a security breach is discovered, a covered entity shall notify the designated entity of the fact that the breach of security has occurred if—</text>
<clause id="idD15166E305934F429EF83ECF2ED023D2"><enum>(i)</enum><text>the number of individuals whose personal information was, or is reasonably believed to be to have been accessed and acquired by an unauthorized person is more than 1,000;</text>
</clause><clause id="id26C067CB429D43A092DC5F11891FBDF8"><enum>(ii)</enum><text>the security breach involves a database, networked or integrated databases, or other data system containing the personal information of more than 250,000 individuals;</text>
</clause><clause commented="no" display-inline="no-display-inline" id="idbcd5f313-1798-431b-841c-07ba39505f5f"><enum>(iii)</enum><text display-inline="yes-display-inline">the security breach involves databases owned by the Federal Government; or</text>
</clause><clause commented="no" display-inline="no-display-inline" id="id53db33df-f06f-4ade-baa4-1cc118c89adb"><enum>(iv)</enum><text display-inline="yes-display-inline">the security breach involves personal information of primarily individuals known to the covered entity to be employees and contractors of the Federal Government involved in national security or law enforcement.</text>
</clause></subparagraph><subparagraph id="id4fd35f19-89d4-44db-aa35-946a710bb896"><enum>(C)</enum><header>FTC review of
thresholds</header>
<clause id="id47F7B3DCA8C34683AC64228AAA89AEEE"><enum>(i)</enum><header>Review</header><text>Not later than 1 year after the date of enactment of this Act, the Federal Trade Commission, in consultation with the Attorney General and the Secretary of Homeland Security, shall promulgate regulations regarding the reports required under subparagraph (A).</text>
</clause><clause commented="no" display-inline="no-display-inline" id="idE7E3E33D13C748DBA4FE22EE81F99EA7"><enum>(ii)</enum><header>Rulemaking</header><text>The Federal Trade Commission, in consultation with the Attorney General and the Secretary of Homeland Security, after notice and the opportunity for public comment, and in a manner consistent with this section, shall promulgate regulations, as necessary, under section 553 of title 5, United States Code, to adjust the thresholds for notice to law enforcement and national security authorities under subparagraph (A) and to facilitate the purposes of this section.</text>
</clause></subparagraph></paragraph></subsection><subsection id="id279a8bd4beec41c98ff9d191dc317cc8"><enum>(b)</enum><header>Special
notification requirements</header>
<paragraph id="id36a560151a4345d1b2473b41e5e35a45"><enum>(1)</enum><header>Third-party
agents</header>
<subparagraph id="id1DF245020C71488397A127E2853235E5"><enum>(A)</enum><header>In
general</header><text>In the event of a breach of security of a system maintained by a third-party entity that has been contracted to maintain, store, or process data in electronic form containing personal information on behalf of a covered entity who owns or possesses such data, the third-party entity shall notify the covered entity of the breach of security.</text>
</subparagraph><subparagraph id="idCB87451CD2024C959348C36B68EAE0F1"><enum>(B)</enum><header>Covered
entities who receive notice from third parties</header><text>Upon receiving notification from a third party under subparagraph (A), a covered entity shall provide notification as required under subsection (a).</text>
</subparagraph><subparagraph id="id04868FEA5B0E4ABDA743686EDCEBEBA5"><enum>(C)</enum><header>Exception for
service providers</header><text>For purposes of this paragraph, a service provider shall not be considered a third-party agent.</text>
</subparagraph></paragraph><paragraph id="idec75bdd5d1494eb6ba95f028ebe15a7f"><enum>(2)</enum><header>Service
providers</header>
<subparagraph id="idC84F95C91DCA46B7A209E207D119F365"><enum>(A)</enum><header>In
general</header><text>If a service provider becomes aware of a breach of security involving data in electronic form containing personal information that is owned or possessed by a covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider shall notify the covered entity who initiated such connection, transmission, routing, or storage if the covered entity can be reasonably identified.</text>
</subparagraph><subparagraph id="id417D0E2337954A7AB5B2171EA2AE4539"><enum>(B)</enum><header>Covered
entities who receive notice from service providers</header><text>Upon receiving notification from a service provider under subparagraph (A), a covered entity shall provide notification as required under subsection (a).</text>
</subparagraph></paragraph></subsection><subsection id="ideb505cdcda8d44d2a61e24aba6afc47d"><enum>(c)</enum><header>Timeliness of
notification</header>
<paragraph id="id1379e188517544f09758e32d175b6936"><enum>(1)</enum><header>Notification to affected individuals</header>
<subparagraph id="id360FC417182D48D0901C1AFD6E795D58"><enum>(A)</enum><header>In general</header><text>Unless subject to a delay authorized under subparagraph (B) or paragraph (2), a notification required under subsection (a)(1) with respect to a security breach shall be made not later than 30 days after the date on which the security breach was discovered, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the data system that was breached.</text>
</subparagraph><subparagraph commented="no" id="id245D9B69F1A44197A9F057481473302C"><enum>(B)</enum><header>Follow-up notification</header><text>Not later than 60 days after the date on which notice is provided under subsection (a)(1), if a covered entity has discovered additional information relating to how a breach of security occurred (as required under subsection (d)(1)(B)(iii) to be included in a notification) the covered entity may provide a follow-up notification to affected individuals that contains the additional information.</text>
</subparagraph></paragraph><paragraph id="idf5e4e7fe9eaa4cf88eed5b409502f02a"><enum>(2)</enum><header>Delay of
notification authorized for law enforcement or national security
purposes</header>
<subparagraph id="id3bac7849ed394f4288ec380ef689a6d6"><enum>(A)</enum><header>Law
enforcement</header><text>If a Federal law enforcement agency determines that the notification required under subsection (a) would impede a civil or criminal investigation, such notification shall be delayed upon the written request of the law enforcement agency for any period which the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period set forth in the original request made under this subparagraph by a subsequent request if further delay is necessary.</text>
</subparagraph><subparagraph id="id7467998b661b4ea09b1087b4db1d59ba"><enum>(B)</enum><header>National
security</header><text>If a Federal national security agency or homeland security agency determines that the notification required under this section would threaten national or homeland security, such notification may be delayed upon the written request of the national security agency or homeland security agency for any period which the national security agency or homeland security agency determines is reasonably necessary. A Federal national security agency or homeland security agency may revoke such delay or extend the period set forth in the original request made under this subparagraph by a subsequent written request if further delay is necessary.</text>
</subparagraph></paragraph></subsection><subsection id="idf10a22b11e3046c782b10541436b5275"><enum>(d)</enum><header>Method and
content of notification</header>
<paragraph id="id87ef701c0c63476da7402bedc8fd9e48"><enum>(1)</enum><header>Direct
notification</header>
<subparagraph id="id982f9d89cf8d44cf99dfbda99918b0d8"><enum>(A)</enum><header>Method of
notification</header><text>A covered entity required to provide notification to an individual under subsection (a) shall be in compliance with such requirement if the covered entity provides such notice by any one of the following methods:</text>
<clause id="id62484cedb831466f9d48e9c9ed66c33c"><enum>(i)</enum><text>Written notification, sent to the postal address of the individual in the records of the covered entity.</text>
</clause><clause id="id469666edbf1b44de86f44a8de870838d"><enum>(ii)</enum><text>Telephone.</text> </clause><clause id="ida68259f6ecd749da92f00cae116763ce"><enum>(iii)</enum><text>Email or other electronic means.</text>
</clause></subparagraph><subparagraph id="id52725c4188714234833eb3d863882287"><enum>(B)</enum><header>Content of
notification</header><text>Regardless of the method by which notification is provided to an individual under subparagraph (A) with respect to a security breach, such notification, to the extent practicable, shall include—</text>
<clause id="idc6db4384ee6546fbafec041922bbafae"><enum>(i)</enum><text>the date, estimated date, or estimated date range of the breach of security;</text>
</clause><clause id="id8f1cbf13c0754666a119c182f5ac7536"><enum>(ii)</enum><text>a description of the personal information that was accessed and acquired, or reasonably believed to have been accessed and acquired, by an unauthorized person as a part of the security breach;</text>
</clause><clause id="id2527502E6D774D6C8F5895CF2791CB41"><enum>(iii)</enum><text>a general description of how the breach of security occurred; and</text> </clause><clause id="idee6ff5765c954aca917dc8f48efb5025"><enum>(iv)</enum><text>information that the individual can use to contact the covered entity to inquire about—</text>
<subclause id="idD99D271DB2234AE6AA27A8C08584C637"><enum>(I)</enum><text>the breach of security; or</text>
</subclause><subclause id="idC57E109F32D84D63BFC89222723D0B49"><enum>(II)</enum><text>the information the covered entity maintained about that individual.</text>
</subclause></clause></subparagraph></paragraph><paragraph id="id5463c666922740f6b125be2dc3627e22"><enum>(2)</enum><header>Substitute
notification</header>
<subparagraph id="id5d50e61c7ff54cc1a8da695fb2b9d771"><enum>(A)</enum><header>Circumstances
giving rise to substitute notification</header><text>A covered entity required to provide notification to an individual under subsection (a) may provide substitute notification in lieu of the direct notification required by paragraph (1) if such direct notification is not feasible due to—</text>
<clause id="id3cb6719c4d1743df8ac96c93d2f6397e"><enum>(i)</enum><text>excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity; or</text>
</clause><clause id="idb0777a233e1f4d14b8ceda8553dd5534"><enum>(ii)</enum><text>lack of sufficient contact information for the individual required to be notified.</text>
</clause></subparagraph><subparagraph id="id8fca0bd168484d9e8042a646868cae55"><enum>(B)</enum><header>Form of
substitute notification</header><text>Substitute notification described in subparagraph (A) shall include—</text>
<clause id="id1ff8036c5b124e2291876e1cd8534195"><enum>(i)</enum><text>a conspicuous notice on the Internet Web site of the covered entity (if such covered entity maintains such a Web site); and</text>
</clause><clause id="id00f85bd6709641d3b377cfbcd48301e9"><enum>(ii)</enum><text>notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.</text>
</clause></subparagraph></paragraph><paragraph id="idE2745F7F471F499F9FE9546A8DAD75D2"><enum>(3)</enum><header>Cost of notification</header><text>A covered entity required to provide notification to an individual under subsection (a) shall provide such notification at no cost to the individual.</text>
</paragraph></subsection><subsection id="id1ef7d76c717f419c8eff4ddb26b542a2"><enum>(e)</enum><header>Treatment of
persons governed by other Federal law</header><text>Except as provided in section 4(b), a covered entity who is in compliance with any other Federal law that requires such covered entity to provide notification to individuals following a breach of security shall be deemed to be in compliance with this section.</text>
</subsection></section><section id="id6389e1e542a34509bafe6d0998ab88a7"><enum>4.</enum><header>Application and
enforcement</header>
<subsection id="idf2235ea53e76401cb9b417aaa2d1d77c"><enum>(a)</enum><header>General
application</header><text>The requirements of sections 2 and 3 apply to—</text> <paragraph id="id4f6416778b124e8f881673acbf7f9d71"><enum>(1)</enum><text>any covered entity over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>); and</text>
</paragraph><paragraph id="iddb9094ed890b40c8982194ef9ddb35ba"><enum>(2)</enum><text>notwithstanding section 5(a)(2) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/45">15 U.S.C. 45(a)(2)</external-xref>), common carriers subject to the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/151">47 U.S.C. 151 et seq.</external-xref>).</text>
</paragraph></subsection><subsection id="id348fc39cb5b5405cbd2391bf68371f5e"><enum>(b)</enum><header>Application to
cable operators, satellite operators, and telecommunications
carriers</header><text>Sections 222, 338, and 631 of the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/222">47 U.S.C. 222</external-xref>, 338, and 551), and any regulations promulgated thereunder, shall not apply with respect to the information security practices, including practices relating to the notification of unauthorized access to data in electronic form, of any covered entity otherwise subject to those sections.</text>
</subsection><subsection id="id1ab212c93f0d4499918516d50375c165"><enum>(c)</enum><header>Enforcement by
Federal Trade Commission</header>
<paragraph id="id6e363d25d1f44816929ad41437aa9028"><enum>(1)</enum><header>Unfair or
deceptive acts or practices</header><text>A violation of section 2 or 3 shall be treated as an unfair or deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>) regarding unfair or deceptive acts or practices.</text>
</paragraph><paragraph id="id61b2c733e0f54b66b2f4ea9f19ad6b55"><enum>(2)</enum><header>Powers of
commission</header>
<subparagraph id="id1FEFF68B6E8D4EB9AE7A2E6222517AB6"><enum>(A)</enum><header>In
general</header><text>Except as provided in subsection (a), the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) were incorporated into and made a part of this Act.</text>
</subparagraph><subparagraph id="idC5114D5766B24B1292E4877CF41A0B35"><enum>(B)</enum><header>Privileges and
immunities</header><text>Any person who violates section 3 or 4 shall be subject to the penalties and entitled to the privileges and immunities provided in such Act.</text>
</subparagraph></paragraph><paragraph id="id56dd4b4acc37405592e1b20baf2a36fe"><enum>(3)</enum><header>Maximum total
liability</header><text>Notwithstanding the number of actions which may be brought against a covered entity under this subsection, the maximum civil penalty for which any covered entity may be liable under this subsection for all actions shall not exceed—</text>
<subparagraph id="idaa85fb5e4e2d46ca9787ee80bb6de661"><enum>(A)</enum><text>$1,000,000 for all violations of section 2 resulting from the same related act or omission; and</text>
</subparagraph><subparagraph id="idab8ae24052df427180b5542b22bbb2ba"><enum>(B)</enum><text>$1,000,000 for all violations of section 3 resulting from a single breach of security.</text>
</subparagraph></paragraph></subsection><subsection id="iddab6f3ad0b284071a7fed1dba66c1c8f"><enum>(d)</enum><header>No private
cause of action</header><text>Nothing in this Act shall be construed to establish a private cause of action against a person for a violation of this Act.</text>
</subsection></section><section id="id820DC844FBC94B93B12DBF52B9931A00"><enum>5.</enum><header>Criminal penalties for cyber crimes</header><text display-inline="no-display-inline">Part I of title 18, United States Code, is amended—</text> <paragraph id="id39C4B39A7E494FD284ED6F924B1E7EF0"><enum>(1)</enum><text>in chapter 47—</text>
<subparagraph id="id401CE66B36A944B6A971D9039E62CA91"><enum>(A)</enum><text>in section 1028(b)—</text> <clause id="idBE5026DD82804F41AC2C0987507834FA"><enum>(i)</enum><text>in paragraph (1)—</text>
<subclause id="id4EE9FE4DE2F24C5B964678D6CC9E1B5D"><enum>(I)</enum><text>in subparagraph (B), by inserting <quote>or</quote> after the semicolon;</text> </subclause><subclause id="id395AFF0B17CF47EAA104E377C490D19E"><enum>(II)</enum><text>in subparagraph (C), by striking <quote>or</quote> after the semicolon; and</text>
</subclause><subclause id="idA47BC0BFF55A4BAFA83FE88C67B1AC34"><enum>(III)</enum><text>by striking subparagraph (D);</text> </subclause></clause><clause id="id1CE23881FC9D4A6E96A1885E6A4A8086"><enum>(ii)</enum><text>by redesignating paragraphs (5) and (6), as paragraphs (6) and (7), respectively; and</text>
</clause><clause id="idB715AD488D7C4353B50F8F090834AB71"><enum>(iii)</enum><text>by inserting after paragraph (4), the following:</text> <quoted-block display-inline="no-display-inline" id="id0C20764236644EA49A396E8DCB7DD97E" style="OLC"> <paragraph id="id89A6530604FF4734B3481D3350636003"><enum>(5)</enum><text>for an offense under paragraph (7) of such subsection, a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 30 years, or both;</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block>
</clause></subparagraph><subparagraph id="idCF95D429022F4869B1F67EF19EA4F02D"><enum>(B)</enum><text>in section 1028A(a)(1), by striking <quote>2 years</quote> and inserting <quote>4 years</quote>;</text> </subparagraph><subparagraph id="idD3EFB7B94E194276966FC30734AA36AE"><enum>(C)</enum><text>in section 1029(c)(1)—</text>
<clause id="id56D962AA22A04278B19A0830942DB2EF"><enum>(i)</enum><text>in subparagraph (A)—</text> <subclause id="id857C98B6C3F04F9B96EF065DBFA6AF86"><enum>(I)</enum><text>in clause (i), by striking <quote>a fine under this title or imprisonment for not more than 10 years</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 20 years</quote>; and</text>
</subclause><subclause id="id5973F8E61AD1433797D506E1EFF7577F"><enum>(II)</enum><text>in clause (ii), by striking <quote>a fine under this title or imprisonment for not more than 15 years</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 30 years</quote>; and</text>
</subclause></clause><clause id="idE66FF68552344BA9BEBF9C7B7D88915D"><enum>(ii)</enum><text>in subparagraph (B), by striking <quote>a fine under this title or imprisonment for not more than 20 years</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 40 years</quote>; and</text>
</clause></subparagraph><subparagraph id="id9B94201B27C8488893100016C3B1A948"><enum>(D)</enum><text>in section 1030(c)—</text> <clause id="id2CBBDACC108647378D7A79CEF1C5E040"><enum>(i)</enum><text>in paragraph (2)—</text>
<subclause id="id4DA71AA4061C424ABCCC4DC14BCAE68B"><enum>(I)</enum><text>in subparagraph (A), by striking <quote>subsection (a)(2), (a)(3),</quote> and inserting <quote>subsection (a)(3)</quote>;</text> </subclause><subclause id="idDBB9B16DD5DC4E9AA08F99DA9C6495A2"><enum>(II)</enum><text>in subparagraph (B)—</text>
<item id="id7767DE5ED95347DE99099BFB3AD8D23A"><enum>(aa)</enum><text>in the matter preceding clause (i), by striking <quote>a fine under this title or imprisonment for not more than 5 years</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 10 years</quote>; and</text>
</item><item id="id3D10F1720B7D4CB2B419FAD7DBC03C39"><enum>(bb)</enum><text>in clause (iii), by striking <quote>and</quote> at the end;</text> </item></subclause><subclause id="id83280311193044738C3647750471B099"><enum>(III)</enum><text>in subparagraph (C), by striking <quote>(a)(2),</quote>; and</text>
</subclause><subclause id="id2DA4E0ED567542898663176937B2CA1A"><enum>(IV)</enum><text>by adding at the end the following:</text> <quoted-block display-inline="no-display-inline" id="id40775C3315D443A88F287BA28D9BE7AB" style="OLC"> <subparagraph id="id5A8DD4901AAC4E22BBA408E80821EAB3" indent="up1"><enum>(D)</enum><text>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 2 years, or both, in the case of an offense under subsection (a)(2) which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and</text>
</subparagraph><subparagraph id="idB1473FA7158F40BD90ABD2DFE25EDDC9" indent="up1"><enum>(E)</enum><text>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(2) which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;</text></subparagraph><after-quoted-block>; </after-quoted-block></quoted-block>
</subclause></clause><clause id="id7B48C99970D54826982A6FE2B5BBCEF7"><enum>(ii)</enum><text>in paragraph (3)—</text> <subclause id="id0DE5D339BCB743619C2D3D8E296D6034"><enum>(I)</enum><text>in subparagraph (A), by striking <quote>(a)(4) or</quote>; and</text>
</subclause><subclause id="id7F05ABADB5B248B3BA97FBB87F693802"><enum>(II)</enum><text>in subparagraph (B), by striking <quote>(a)(4), or</quote>;</text> </subclause></clause><clause id="idF9B6420CA50340CDBE166E1B9060B998"><enum>(iii)</enum><text>in paragraph (4)—</text>
<subclause id="id173B546410174C0F8B4A26616EED9080"><enum>(I)</enum><text>in subparagraph (A), in the matter preceding clause (i), by striking <quote>a fine under this title, imprisonment for not more than 5 years</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 10 years</quote>;</text>
</subclause><subclause id="id75D031128A384667BFF5E33BD173279D"><enum>(II)</enum><text>in subparagraph (B), in the matter preceding clause (i), by striking <quote>a fine under this title, imprisonment for not more than 10 years</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 20 years</quote>;</text>
</subclause><subclause id="id43DD465F70CF4F528E53646F22757D6C"><enum>(III)</enum><text>in subparagraph (C), in the matter preceding clause (i), by striking <quote>a fine under this title, imprisonment for not more than 20 years</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 40 years</quote>;</text>
</subclause><subclause id="idFFE80F8766D04250AC1F0C897173C7C3"><enum>(IV)</enum><text>in subparagraph (D), in the matter preceding clause (i), by striking <quote>a fine under this title, imprisonment for not more than 10 years</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 20 years</quote>;</text>
</subclause><subclause id="idAEFB685FAC494E658A64A53D805DC182"><enum>(V)</enum><text>in subparagraph (E), by striking <quote>a fine under this title, imprisonment for not more than 20 years</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 40 years</quote>;</text>
</subclause><subclause id="id581A9BF5EE1D4882BFF909D0CCA4C95D"><enum>(VI)</enum><text>in subparagraph (F)—</text> <item id="idCF49CCC4AE334BB293E42B3CE9C72573"><enum>(aa)</enum><text>by striking <quote>a fine under this title</quote> and inserting <quote>a fine of not more than $500,000 ($1,000,000 if the person is an organization)</quote>; and</text>
</item><item id="idF46FE6AF5F7941088BB787C3DE7FE4F8"><enum>(bb)</enum><text>by striking <quote>or</quote> at the end; and</text> </item></subclause><subclause id="id18C87904F9B04C7DB4B38C31C8D70EC8"><enum>(VII)</enum><text>in subparagraph (G)—</text>
<item id="id90795266A9C14E15B0472EF3B6A7A7F7"><enum>(aa)</enum><text>in the matter preceding clause (i), by striking <quote>under this title, imprisonment for not more than 1 year</quote> and inserting <quote>of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 2 years</quote>; and</text>
</item><item id="idD0B59F6F823A41DE8D484366D8A4C090"><enum>(bb)</enum><text>in clause (ii), by striking the period at the end and inserting <quote>; and</quote>; and</text> </item></subclause></clause><clause id="idC407F4880B5E4603842AEBD2223688FF"><enum>(iv)</enum><text>by adding at the end the following:</text>
<quoted-block display-inline="no-display-inline" id="id7777E355D5084CC29BEB370AA780C064" style="OLC">
<paragraph id="idA2BBB7DD24FE45BB89513A14A1F110A8"><enum>(5)</enum><subparagraph commented="no" display-inline="yes-display-inline" id="id90B35261666C46E5B0D8B76CAC6020E1"><enum>(A)</enum><text>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(4) which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and</text>
</subparagraph><subparagraph id="id3002E70AA24741EBABDCF2C4877EA7B0" indent="up1"><enum>(B)</enum><text>a fine of not more than $500,000 ($1,000,000 if the person is an organization), imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(4) which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph.</text></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block>
</clause></subparagraph></paragraph><paragraph id="idE98506C19973443A944A97FA75D6E5E5"><enum>(2)</enum><text>in chapter 63—</text> <subparagraph id="idD8E153D018EA470C9A07682A67FF3B74"><enum>(A)</enum><text>in section 1343—</text>
<clause id="id2F0FFE491EEB4B45AD54721B4B610217"><enum>(i)</enum><text>in the first sentence, by striking <quote>fined under this title or imprisoned not more than 20 years</quote> and inserting <quote>fined not more than $500,000 ($1,000,000 if the person is an organization), imprisoned not more than 40 years</quote>; and</text>
</clause><clause id="id30F4E89F48364B50B8AE180F4F745EE5"><enum>(ii)</enum><text>in the second sentence, by striking <quote>$1,000,000 or imprisoned not more than 30 years</quote> and inserting <quote>$2,000,000, imprisoned for any term of years or for life</quote>; and</text> </clause></subparagraph><subparagraph id="id5C11D395598F4C6282480E395EB2367E"><enum>(B)</enum><text>in section 1344, by striking <quote>$1,000,000 or imprisoned not more than 30 years</quote> and inserting <quote>$2,000,000 or imprisoned for any term of years or for life</quote>; and</text>
</subparagraph></paragraph><paragraph id="idBD824A1B15094FB9BFAC7829FE37D8D2"><enum>(3)</enum><text>in section 1519, by striking <quote>fined under this title, imprisoned not more than 20 years</quote> and inserting <quote>fined not more than $500,000 ($1,000,000 if the person is an organization), imprisoned not more than 40 years</quote>.</text>
</paragraph></section><section id="idD02CE5AC5A354263BAC8441E41E234B7"><enum>6.</enum><header>Apprehension and prosecution of international cyber criminals</header>
<subsection id="idC0636D4FB4FC496E8DF5531209F6B0D5"><enum>(a)</enum><header>International cyber criminal defined</header><text>In this section, the term <term>international cyber criminal</term> means an individual—</text> <paragraph id="idB15B0103E2164114975B81458EC0C4DD"><enum>(1)</enum><text>who is physically present within a country with which the United States does not have a mutual legal assistance treaty or an extradition treaty;</text>
</paragraph><paragraph id="id2FF808042C7B4E37B97ABAD1F4A6C118"><enum>(2)</enum><text>who is believed to have committed a cybercrime or intellectual property crime against the interests of the United States or its citizens; and</text>
</paragraph><paragraph id="id9E848DE482FB467287E151D490DF1A41"><enum>(3)</enum><text>for whom—</text> <subparagraph id="idFDC10751F4B6474786D0ABF2A39C3C1E"><enum>(A)</enum><text>an arrest warrant has been issued by a judge in the United States; or</text>
</subparagraph><subparagraph id="id43D29EB1447C48D8BED2AA44B7A880BD"><enum>(B)</enum><text>an international wanted notice (commonly referred to as a <quote>Red Notice</quote>) has been circulated by Interpol.</text> </subparagraph></paragraph></subsection><subsection id="idACD2DE53DD304A60A6D595CAF8FBB4F6"><enum>(b)</enum><header>Bilateral consultations</header><text>The Secretary of State, or designee, shall consult with the appropriate government official of each country in which one or more international cyber criminals are physically present to determine what actions the government of such country has taken—</text>
<paragraph id="id45BEFD4265E04E0EAF2334726DF1DF96"><enum>(1)</enum><text>to apprehend and prosecute such criminals; and</text> </paragraph><paragraph commented="no" display-inline="no-display-inline" id="idAFD60C7D24CB4AA09E3F3FC72285420F"><enum>(2)</enum><text>to prevent such criminals from carrying out cybercrimes or intellectual property crimes against the interests of the United States or its citizens.</text>
</paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id8CC2C6BA7EEA44D7925468E6BB3BB9B8"><enum>(c)</enum><header>Annual report</header>
<paragraph commented="no" display-inline="no-display-inline" id="idEFD863BC02D145B1A49DB068CA559B87"><enum>(1)</enum><header>In general</header><text>The Secretary of State shall submit to the appropriate congressional committees an annual report that identifies—</text>
<subparagraph commented="no" display-inline="no-display-inline" id="idEE5DE3EB3A1A44E68010F14713250123"><enum>(A)</enum><text>the number of international cyber criminals who are located in countries that do not have an extradition treaty or mutual legal assistance treaty with the United States, broken down by country;</text>
</subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idC285512A817E4420891A88911F3DCAE1"><enum>(B)</enum><text>the dates on which an official of the Department of State, as a result of this Act, discussed ways to thwart or prosecute international cyber criminals in a bilateral conversation with an official of another country, including the name of each such country; and</text>
</subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id720F70969E474DB0920346DF7714B127"><enum>(C)</enum><text>for each international cyber criminal who was extradited into the United States during the most recently completed calendar year—</text>
<clause commented="no" display-inline="no-display-inline" id="id946F52709C084CE18FBFB6D6B0DDA495"><enum>(i)</enum><text>his or her name;</text> </clause><clause commented="no" display-inline="no-display-inline" id="idEEE3AFE1B0DD47F4A9D8F7193EE530A4"><enum>(ii)</enum><text>the crimes for which he or she was charged;</text>
</clause><clause commented="no" display-inline="no-display-inline" id="id0A93162D63444A12899ED70E3ADBD1AC"><enum>(iii)</enum><text>his or her previous country of residence; and</text> </clause><clause commented="no" display-inline="no-display-inline" id="id846BB81C60B04E2299AE488E6FD02900"><enum>(iv)</enum><text>the country from which he or she was extradited into the United States.</text>
</clause></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id2E1FFC212DED4E9BB015CD683103CFD2"><enum>(2)</enum><header>Appropriate congressional committees</header><text>For purposes of this subsection, the term <quote>appropriate congressional committees</quote> means—</text> <subparagraph commented="no" display-inline="no-display-inline" id="id5D11E788CEEC4FEBA6140499AEEAC38F"><enum>(A)</enum><text>the Committee on Foreign Relations of the Senate;</text>
</subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id654126C253BA4D67A83921E166CB3622"><enum>(B)</enum><text>the Committee on Appropriations of the Senate;</text> </subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id9AC5E6BC50464449B3B660CE8DAC4ECC"><enum>(C)</enum><text>the Committee on Homeland Security and Governmental Affairs of the Senate;</text>
</subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id0BAE6A3B6C6D4331B55C7751D250F110"><enum>(D)</enum><text>the Committee on Banking, Housing, and Urban Affairs of the Senate;</text> </subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id752B34E30B164AFEB2289EFA0E22A786"><enum>(E)</enum><text>the Committee on Foreign Affairs of the House of Representatives;</text>
</subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id12F025B2728B40A4ABEC90796E137453"><enum>(F)</enum><text>the Committee on Appropriations of the House of Representatives;</text> </subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id36BC6D69AD604645B4BA49A1F7AAF958"><enum>(G)</enum><text>the Committee on Homeland Security of the House of Representatives; and</text>
</subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id745C637B37E64EDF98D54DA66B2D6598"><enum>(H)</enum><text>the Committee on Financial Services of the House of Representatives.</text> </subparagraph></paragraph></subsection></section><section id="id98592eabe0b84899bed3e5ff4e1515bc"><enum>7.</enum><header>Definitions</header><text display-inline="no-display-inline">In this Act:</text>
<paragraph id="idd4cdeb9afe284ab6bb500afbf9b1ec96"><enum>(1)</enum><header>Breach of
security</header><text>The term <term>breach of security</term> means unauthorized access and acquisition of data in electronic form containing personal information.</text>
</paragraph><paragraph id="id73118e991ac54ed3802469eef6c3e11f"><enum>(2)</enum><header>Commission</header><text>The term <term>Commission</term> means the Federal Trade Commission.</text>
</paragraph><paragraph id="id07fd8f77fb234d33a8106f1025a0d1e7"><enum>(3)</enum><header>Covered
entity</header>
<subparagraph id="idBC1CD8D0D622498D92350F78D8D6EB46"><enum>(A)</enum><header>In
general</header><text>The term <term>covered entity</term> means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or utilizes personal information.</text>
</subparagraph><subparagraph id="id7e8595a5af124adaab9e9249a9e38d42"><enum>(B)</enum><header>Exemptions</header><text>The term <term>covered entity</term> does not include the following:</text>
<clause id="id490b290f529541b3aac819a1a4149445"><enum>(i)</enum><text>Financial institutions subject to title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>).</text>
</clause><clause id="id48aa687d5d63427b8bccf97e5c634516"><enum>(ii)</enum><text>An entity covered by the regulations issued under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (<external-xref legal-doc="public-law" parsable-cite="pl/104/191">Public Law 104–191</external-xref>) to the extent that such entity is subject to the requirements of such regulations with respect to protected health information.</text>
</clause></subparagraph></paragraph><paragraph id="id561d8ab2b5e349d28510633bcc27a4e9"><enum>(4)</enum><header>Data in
electronic form</header><text>The term <term>data in electronic form</term> means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.</text>
</paragraph><paragraph id="id367BE61D0F75491B9B1A4FBB436FF88C"><enum>(5)</enum><header>Designated entity</header><text>The term <term>designated entity</term> means the Federal Government entity designated under section 3(a)(2)(A).</text> </paragraph><paragraph id="idcacd6e8de597496bb353229816078881"><enum>(6)</enum><header>Personal information</header> <subparagraph id="id89383797b4c64f0395d13de517a5b11d"><enum>(A)</enum><header>In general</header><text>The term <term>personal information</term> means an individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:</text>
<clause id="id985C3BAF5FD9408BB29B14941C8578EB"><enum>(i)</enum><text>Social Security number.</text>
</clause><clause id="id084d8f71bac44076b6dced9d83bacb36"><enum>(ii)</enum><text>Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.</text>
</clause><clause id="id60917b887b354f9297faa07f8d90c9c4"><enum>(iii)</enum><text>Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.</text>
</clause><clause id="id41CDA770FDEB4E5EAFDC5F65EBA0782D"><enum>(iv)</enum><text>Federal or State government issued identification card.</text> </clause><clause id="id788011F923354F9D8006E46F41709347"><enum>(v)</enum><text>A username or email address, in combination with a password or security question and answer that would allow access to an online account.</text>
</clause><clause id="id8A8DBB4F93FE48329CC7E95E6934DEAD"><enum>(vi)</enum><text>Medical information, including the medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional of the individual.</text>
</clause><clause id="id6FCCCFB87943480393FE5FEB4885D85F"><enum>(vii)</enum><text>Health insurance information, including a health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify an individual, or any information in a health insurance application or claim history filed by the individual.</text>
</clause><clause id="id2918692516F84616AF00F71A266574D5"><enum>(viii)</enum><text>An individual taxpayer identification number.</text> </clause></subparagraph><subparagraph id="idd18683c840ac42719e2c71717b2e0096"><enum>(B)</enum><header>Exclusions</header> <clause id="id1663483BD9FC488CAE12CCB7DAA7E0D6"><enum>(i)</enum><header>Public record information</header><text>Personal information does not include information obtained about an individual which has been lawfully made publicly available by a Federal, State, or local government entity or widely distributed by media.</text>
</clause><clause id="id5CD371CA8A9D4EB2A755F225CEF27C0A"><enum>(ii)</enum><header>Encrypted,
redacted, or secured data</header><text>Personal information does not include information that is encrypted, redacted, or secured by any other method or technology that renders the data elements unusable.</text>
</clause></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id3934c4cd121047489c05552fe86eef6a"><enum>(7)</enum><header>Service
provider</header><text>The term <term>service provider</term> means an entity that provides electronic data transmission, routing, intermediate, and transient storage, or connections to its system or network, where such entity providing such services does not select or modify the content of the electronic data, is not the sender or the intended recipient of the data, and does not differentiate personal information from other information that such entity transmits, routes, stores, or for which such entity provides connections. Any such entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage, or connections.</text>
</paragraph></section><section id="id3b4cf26b3f314132a5a01eba538b8479"><enum>8.</enum><header>Effect on other
laws</header><text display-inline="no-display-inline">This Act preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State, or political subdivision of a State, relating to the protection or security of data in electronic form containing personal information or the notification of a breach of security.</text>
</section><section id="idd151fa99f89f4069ae9dd132b9fd6dcc"><enum>9.</enum><header>Effective
date</header><text display-inline="no-display-inline">This Act shall take effect on the date that is 1 year after the date of enactment of this Act.</text></section></legis-body></bill>