Consumer Privacy Protection Act of 2015

Consumer Privacy Protection Act of 2015

This bill makes it a crime to intentionally and willfully conceal knowledge of a security breach involving sensitive personally identifiable information (PII). If the breach results in economic harm of at least $1,000 to any individual, then a violator is subject to a fine and/or five years in prison.

The legislation authorizes the Department of Justice (DOJ) to seek a civil injunction to prevent ongoing conduct that damages 100 or more protected computers during any one-year period. A protected computer is a government computer, a bank computer, or a computer used in or affecting interstate or foreign commerce or communication.

It also authorizes DOJ to seek an injunction or restraining order to prevent disposition of property obtained as a result of such a violation.

The legislation expands the list of money laundering predicate offenses to include financial transactions that involve proceeds of unlawful manufacturing, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices.

This bill requires certain commercial entities to implement a comprehensive consumer privacy and data security program.

Commercial entities must notify any U.S. resident whose PII has been, or is reasonably believed to have been, accessed or acquired. PII includes electronic or digital forms of personal, financial, health, and biometric data, geographic location, and password-protected photographs and videos.

It sets forth provisions regarding: (1) methods and content of notification of a security breach; (2) entities exempt from notification requirements; and (3) notification to consumer credit reporting agencies, law enforcement entities, and the Federal Trade Commission (FTC).

It authorizes DOJ, the FTC, and states to enforce civil violations. DOJ and states may seek monetary or injunctive relief, and the FTC may seek monetary relief. The bill does not establish a private right of action.