HR 1770 · 114th Congress · House · Commerce
Bank accounts, deposits, capital; Business education; Civil actions and liability; Computer security and identity theft; Consumer credit; Criminal investigation, prosecution, interrogation; Federal preemption; Fraud offenses and financial crimes; Small business; State and local government operations

Data Security and Breach Notification Act of 2015

Introduced: April 14, 2015
Introduced by: Blackburn, Marsha (Republican · Tennessee)
 Everywhere this bill has been 8 steps
Jan 3, 2017
Placed on the Union Calendar, Calendar No. 719.
Jan 3, 2017
Reported (Amended) by the Committee on Energy and Commerce. H. Rept. 114-908.
Apr 17, 2015
Referred to the Subcommittee on Commerce, Manufacturing, and Trade.
Apr 15, 2015
Ordered to be Reported (Amended) by the Yeas and Nays: 29 - 20.
Apr 15, 2015
Committee Consideration and Mark-up Session Held.
Apr 14, 2015
Referred to the House Committee on Energy and Commerce.
Apr 14, 2015
Committee Consideration and Mark-up Session Held.
Apr 14, 2015
Introduced in House
 Plain-English summary Congressional Research Service

Data Security and Breach Notification Act of 2015

This bill requires certain commercial entities regulated by the Federal Trade Commission (FTC), common carriers subject to the Communications Act of 1934, and nonprofit organizations that use, access, transmit, store, dispose of, or collect unencrypted nonpublic personal information to: (1) implement security measures to protect electronic information against unauthorized access and acquisition; (2) restore the integrity, security, and confidentiality of their data systems following the discovery of a security breach; and (3) determine whether there is a risk that a breach will result in identity theft, economic loss or harm, or financial fraud to individuals' personal information.

Notification of a breach must be sent to: (1) affected U.S. residents; (2) the FTC and the U.S. Secret Service or the Federal Bureau of Investigation if an unauthorized person accesses and acquires the personal information of more than 10,000 individuals; and (3) consumer reporting agencies if notice must be provided to more than 10,000 individuals.

The bill establishes special procedures to coordinate notices that must be provided when: (1) a breached entity processes personal data on behalf of a non-breached entity; or (2) a provider of electronic data transmission, storage, or network connection services becomes aware of a breach.

The bill provides different sets of civil penalties that the FTC and states may impose to enforce against violations of this bill.

The FTC must educate small businesses about data security and establish an Internet website containing non-binding best practices.

The bill preempts state information security and notification laws, but does not exempt an entity from liability under common law. The bill applies to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission (FCC), except for FCC regulations that pertain solely to 9-1-1 calls.

What's happening now January 3, 2017

Placed on the Union Calendar, Calendar No. 719.

 Committees of jurisdiction 2