H.R. 4187, 114th Congress (House). Policy area: Commerce.

Subjects: Administrative law and regulatory procedures; Business records; Civil actions and liability; Computer security and identity theft; Computers and information technology; Consumer affairs; Consumer credit; Federal Trade Commission (FTC); Federal preemption; Fraud offenses and financial crimes; Internet and video services; Internet, web applications, social media; Marketing and advertising; Right of privacy; State and local government operations

Secure and Protect Americans' Data Act

Introduced: December 8, 2015. Sponsor: Rep. Janice D. Schakowsky (Democratic, Illinois). Also listed on congress.gov.
Bill history

  • Dec 8, 2015: Introduced in House.
  • Dec 8, 2015: Referred to the House Committee on Energy and Commerce.
  • Dec 11, 2015: Referred to the Subcommittee on Commerce, Manufacturing, and Trade.
Plain-English summary (Congressional Research Service)

Secure and Protect Americans' Data Act

This bill requires the Federal Trade Commission (FTC) to promulgate regulations requiring entities regulated by the FTC, common carriers, and nonprofit organizations to establish information security practices for the treatment and protection of personal information.

At least annually, such entities must evaluate their consumer privacy programs to make any appropriate adjustments for changing technologies, threats or vulnerabilities, or business arrangements.

The bill sets forth special procedures for information brokers to: (1) submit security policies to the FTC, (2) provide for post-breach audits, and (3) establish procedures for individuals to review and correct inaccuracies in their personal information. In lieu of procedures that allow individuals to dispute information, an information broker may provide individuals a means of expressing a preference not to have their information used for marketing purposes.

The bill prohibits information brokers from obtaining or disclosing personal information by false pretenses.

Within 10 days following discovery of a security breach, entities must notify:

  • the FTC;
  • the Federal Bureau of Investigation;
  • the U.S. Secret Service;
  • for common carriers, the Federal Communications Commission (FCC); and
  • attorneys general of affected states.

Within 30 days following a breach, entities must notify individuals who are U.S. citizens or residents whose personal information was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, or used for an unauthorized purpose.

If an entity is required to notify more than 5,000 individuals, the entity must also notify major consumer reporting agencies. An entity must provide notices in print and broadcast media if the affected residents of a state exceed 5,000.

Notices must include information on affected individuals' entitlement to consumer credit reports or credit monitoring services.

The bill exempts entities from notification requirements if the data is unusable, unreadable, or indecipherable.

Entities complying with other federal laws that require substantially similar information security procedures or breach notifications are deemed to be in compliance with the FTC's procedures or the notification requirements of this Act.

Enforcement authority is provided to the FTC and states. States may obtain civil penalties for certain violations.
