Data Breach Notification and Punishing Cyber Criminals Act of 2015

2015-04-21, Introduced in Senate

Requires certain commercial entities that acquire, maintain, store, or utilize individuals' nonpublic personal information to protect and secure any such data that is held unencrypted in electronic form.

Directs entities that own or license such data, following discovery of a security breach, to notify each individual U.S. citizen or resident: (1) whose personal information is reasonably believed to have been accessed and acquired by an unauthorized person; or (2) who may be at risk of identity theft, fraud, actual financial harm, or other unlawful conduct.

Requires the Department of Homeland Security (DHS) to designate a federal entity to receive information from commercial entities regarding breaches, incidents, threats, and vulnerabilities. Requires the DHS-designated entity to provide such information to: (1) the U.S. Secret Service and the Federal Bureau of Investigation; (2) the Federal Trade Commission (FTC) for civil law enforcement purposes; and (3) other federal agencies for law enforcement, national security, or data security purposes.

Directs entities to notify the DHS-designated entity if a breach involves: (1) the personal information of more than 1,000 individuals, (2) a data system containing the personal information of more than 250,000 individuals, (3) federal databases, or (4) the personal information of primarily federal employees and contractors involved in national security or law enforcement.

Provides alternative compliance procedures for: (1) third parties that maintain personal data in electronic form on behalf of another entity, and (2) certain electronic data service providers.

Sets forth FTC enforcement authority.

Exempts from the requirements of this Act: (1) financial institutions subject to the Gramm-Leach-Bliley Act, and (2) entities subject to health information privacy regulations. Provides for the requirements of this Act to apply to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission.

Increases maximum fines or terms of imprisonment for certain cyber-related criminal offenses involving identity theft or fraud.

Directs the Department of State to consult with governments of countries in which international cyber criminals are physically present (if the countries do not have a mutual legal assistance or an extradition treaty with the United States) to determine what actions those governments have taken to prosecute and prevent cyber or intellectual property crimes against U.S. interests or citizens.

Preempts certain state data security laws.

Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

Congressional Research Service, Library of Congress

This file contains bill summaries for federal legislation. A bill summary describes the most significant provisions of a piece of legislation and details the effects the legislative text may have on current law and federal programs. Bill summaries are authored by the Congressional Research Service (CRS) of the Library of Congress. As stated in Public Law 91-510 (2 USC 166 (d)(6)), one of the duties of CRS is "to prepare summaries and digests of bills and resolutions of a public general nature introduced in the Senate or House of Representatives". For more information, refer to the User Guide that accompanies this file.