Data Breach Notification and Punishing Cyber Criminals Act of 2015

Data Breach Notification and Punishing Cyber Criminals Act of 2015

Requires certain commercial entities that acquire, maintain, store, or utilize individuals' nonpublic personal information to protect and secure any such data that is held unencrypted in electronic form.

Directs entities that own or license such data, following discovery of a security breach, to notify each individual U.S. citizen or resident: (1) whose personal information is reasonably believed to have been accessed and acquired by an unauthorized person; or (2) who may be at risk of identity theft, fraud, actual financial harm, or other unlawful conduct.

Requires the Department of Homeland Security (DHS) to designate a federal entity to receive information from commercial entities regarding breaches, incidents, threats, and vulnerabilities. Requires the DHS-designated entity to provide such information to: (1) the U.S. Secret Service and the Federal Bureau of Investigation; (2) the Federal Trade Commission (FTC) for civil law enforcement purposes; and (3) other federal agencies for law enforcement, national security, or data security purposes.

Directs entities to notify the DHS-designated entity if a breach involves: (1) the personal information of more than 1,000 individuals, (2) a data system containing the personal information of more than 250,000 individuals, (3) federal databases, or (4) the personal information of primarily federal employees and contractors involved in national security or law enforcement.

Provides alternative compliance procedures for: (1) third parties that maintain personal data in electronic form on behalf of another entity, and (2) certain electronic data service providers.

Sets forth FTC enforcement authority.

Exempts from the requirements of this Act: (1) financial institutions subject to the Gramm-Leach-Bliley Act, and (2) entities subject to health information privacy regulations. Provides for the requirements of this Act to apply to certain entities in place of security practices and notification standards currently enforced by the Federal Communications Commission.

Increases maximum fines or terms of imprisonment for certain cyber-related criminal offenses involving identity theft or fraud.

Directs the Department of State to consult with governments of countries in which international cyber criminals are physically present (if the countries do not have a mutual legal assistance or an extradition treaty with the United States) to determine what actions those governments have taken to prosecute and prevent cyber or intellectual property crimes against U.S. interests or citizens.

Preempts certain state data security laws.