[House Report 111-362]
[From the U.S. Government Publishing Office]

111th Congress, 1st Session
HOUSE OF REPRESENTATIVES
Report 111-362

======================================================================

DATA ACCOUNTABILITY AND TRUST ACT

_______

December 8, 2009.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

_______

Mr. Waxman, from the Committee on Energy and Commerce, submitted the following

R E P O R T

[To accompany H.R. 2221]

[Including cost estimate of the Congressional Budget Office]

The Committee on Energy and Commerce, to whom was referred the bill (H.R. 2221) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with amendments and recommend that the bill as amended do pass.

CONTENTS

Amendment
Purpose and Summary
Background and Need for Legislation
Legislative History
Committee Consideration
Committee Votes
Statement of Committee Oversight Findings and Recommendations
New Budget Authority, Entitlement Authority, and Tax Expenditures
Statement of General Performance Goals and Objectives
Constitutional Authority Statement
Earmarks and Tax and Tariff Benefits
Federal Advisory Committee Statement
Applicability of Law to Legislative Branch
Federal Mandates Statement
Committee Cost Estimate
Congressional Budget Office Cost Estimate
Section-by-Section Analysis of the Legislation
Explanation of Amendments
Changes in Existing Law Made by the Bill, as Reported

AMENDMENT

The amendments are as follows:

Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Data Accountability and Trust Act''.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

  (a) General Security Policies and Procedures.--
    (1) Regulations.--Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require each person engaged in interstate commerce that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data for such person, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration--
      (A) the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
      (B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
      (C) the cost of implementing such safeguards.
    (2) Requirements.--Such regulations shall require the policies and procedures to include the following:
      (A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.
      (B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
      (C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by such person that contains such data, which shall include regular monitoring for a breach of security of such system or systems.
      (D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.
      (E) A process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or undecipherable.
      (F) A standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.
    (3) Treatment of entities governed by other law.--Any person who is in compliance with any other Federal law that requires such person to maintain standards and safeguards for information security and protection of personal information that, taken as a whole and as the Commission shall determine in the rulemaking required under paragraph (1), provide protections substantially similar to, or greater than, those required under this subsection, shall be deemed to be in compliance with this subsection.
  (b) Special Requirements for Information Brokers.--
    (1) Submission of policies to the FTC.--The regulations promulgated under subsection (a) shall require each information broker to submit its security policies to the Commission in conjunction with a notification of a breach of security under section 3 or upon request of the Commission.
    (2) Post-breach audit.--For any information broker required to provide notification under section 3, the Commission may conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker's security practices during the preceding 5 years).
    (3) Accuracy of and individual access to personal information.--
      (A) Accuracy.--
        (i) In general.--Each information broker shall establish reasonable procedures to assure the maximum possible accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles, or maintains that specifically identifies an individual, other than information which merely identifies an individual's name or address.
        (ii) Limited exception for fraud databases.--The requirement in clause (i) shall not prevent the collection or maintenance of information that may be inaccurate with respect to a particular individual when that information is being collected or maintained solely--
          (I) for the purpose of indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual; and
          (II) to help identify, or authenticate the identity of, an individual, or to protect against or investigate fraud or other unlawful conduct.
      (B) Consumer access to information.--
        (i) Access.--Each information broker shall--
          (I) provide to each individual whose personal information it maintains, at the individual's request at least 1 time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review any personal information regarding such individual maintained by the information broker and any other information maintained by the information broker that specifically identifies such individual, other than information which merely identifies an individual's name or address; and
          (II) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under subclause (I), and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes under clause (iii).
        (ii) Disputed information.--Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, shall--
          (I) correct any inaccuracy; or
          (II)(aa) in the case of information that is public record information, inform the individual of the source of the information, and, if reasonably available, where a request for correction may be directed and, if the individual provides proof that the public record has been corrected or that the information broker was reporting the information incorrectly, correct the inaccuracy in the information broker's records; or
            (bb) in the case of information that is non-public information, note the information that is disputed, including the individual's statement disputing such information, and take reasonable steps to independently verify such information under the procedures outlined in subparagraph (A) if such information can be independently verified.
        (iii) Alternative procedure for certain marketing information.--In accordance with regulations issued under clause (v), an information broker that maintains any information described in clause (i) which is used, shared, or sold by such information broker for marketing purposes, may, in lieu of complying with the access and dispute requirements set forth in clauses (i) and (ii), provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual's information for marketing purposes.
        (iv) Limitations.--An information broker may limit the access to information required under subparagraph (B)(i)(I) and is not required to provide notice to individuals as required under subparagraph (B)(i)(II) in the following circumstances:
          (I) If access of the individual to the information is limited by law or legally recognized privilege.
          (II) If the information is used for a legitimate governmental or fraud prevention purpose that would be compromised by such access.
          (III) If the information consists of a published media record, unless that record has been included in a report about an individual shared with a third party.
        (v) Rulemaking.--Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to carry out this paragraph and to facilitate the purposes of this Act.
        In addition, the Commission shall issue regulations, as necessary, under section 553 of title 5, United States Code, on the scope of the application of the limitations in clause (iv), including any additional circumstances in which an information broker may limit access to information under such clause that the Commission determines to be appropriate.
      (C) FCRA regulated persons.--Any information broker who is engaged in activities subject to the Fair Credit Reporting Act and who is in compliance with sections 609, 610, and 611 of such Act with respect to information subject to such Act, shall be deemed to be in compliance with this paragraph with respect to such information.
    (4) Requirement of audit log of accessed and transmitted information.--Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require information brokers to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data containing personal information collected, assembled, or maintained by such information broker.
    (5) Prohibition on pretexting by information brokers.--
      (A) Prohibition on obtaining personal information by false pretenses.--It shall be unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by--
        (i) making a false, fictitious, or fraudulent statement or representation to any person; or
        (ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.
      (B) Prohibition on solicitation to obtain personal information under false pretenses.--It shall be unlawful for an information broker to request a person to obtain personal information or any other information relating to any other person, if the information broker knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subparagraph (A).
  (c) Exemption for Certain Service Providers.--Nothing in this section shall apply to a service provider for any electronic communication by a third party that is transmitted, routed, or stored in intermediate or transient storage by such service provider.

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

  (a) Nationwide Notification.--Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data--
    (1) notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security; and
    (2) notify the Commission.
  (b) Special Notification Requirements.--
    (1) Third party agents.--In the event of a breach of security by any third party entity that has been contracted to maintain or process data in electronic form containing personal information on behalf of any other person who owns or possesses such data, such third party entity shall be required to notify such person of the breach of security. Upon receiving such notification from such third party, such person shall provide the notification required under subsection (a).
    (2) Service providers.--If a service provider becomes aware of a breach of security of data in electronic form containing personal information that is owned or possessed by another person that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, such service provider shall be required to notify of such a breach of security only the person who initiated such connection, transmission, routing, or storage if such person can be reasonably identified. Upon receiving such notification from a service provider, such person shall provide the notification required under subsection (a).
    (3) Coordination of notification with credit reporting agencies.--If a person is required to provide notification to more than 5,000 individuals under subsection (a)(1), the person shall also notify the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing and distribution of the notices. Such notice shall be given to the credit reporting agencies without unreasonable delay and, if it will not delay notice to the affected individuals, prior to the distribution of notices to the affected individuals.
  (c) Timeliness of Notification.--
    (1) In general.--Unless subject to a delay authorized under paragraph (2), a notification required under subsection (a) shall be made not later than 60 days following the discovery of a breach of security, unless the person providing notice can show that providing notice within such a time frame is not feasible due to extraordinary circumstances necessary to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system, in which case such notification shall be made as promptly as possible.
    (2) Delay of notification authorized for law enforcement or national security purposes.--
      (A) Law enforcement.--If a Federal, State, or local law enforcement agency determines that the notification required under this section would impede a civil or criminal investigation, such notification shall be delayed upon the written request of the law enforcement agency for 30 days or such lesser period of time which the law enforcement agency determines is reasonably necessary and requests in writing. A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.
      (B) National security.--If a Federal national security agency or homeland security agency determines that the notification required under this section would threaten national or homeland security, such notification may be delayed for a period of time which the national security agency or homeland security agency determines is reasonably necessary and requests in writing. A Federal national security agency or homeland security agency may revoke such delay or extend the period of time set forth in the original request made under this paragraph by a subsequent written request if further delay is necessary.
  (d) Method and Content of Notification.--
    (1) Direct notification.--
      (A) Method of notification.--A person required to provide notification to individuals under subsection (a)(1) shall be in compliance with such requirement if the person provides conspicuous and clearly identified notification by one of the following methods (provided the selected method can reasonably be expected to reach the intended individual):
        (i) Written notification.
        (ii) Notification by email or other electronic means, if--
          (I) the person's primary method of communication with the individual is by email or such other electronic means; or
          (II) the individual has consented to receive such notification and the notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global Commerce Act (15 U.S.C. 7001).
      (B) Content of notification.--Regardless of the method by which notification is provided to an individual under subparagraph (A), such notification shall include--
        (i) a description of the personal information that was acquired or accessed by an unauthorized person;
        (ii) a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the breach of security or the information the person maintained about that individual;
        (iii) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions to the individual on requesting such reports or service from the person, except when the only information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code;
        (iv) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and
        (v) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.
    (2) Substitute notification.--
      (A) Circumstances giving rise to substitute notification.--A person required to provide notification to individuals under subsection (a)(1) may provide substitute notification in lieu of the direct notification required by paragraph (1) if the person owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals and such direct notification is not feasible due to--
        (i) excessive cost to the person required to provide such notification relative to the resources of such person, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A); or
        (ii) lack of sufficient contact information for the individual required to be notified.
      (B) Form of substitute notification.--Such substitute notification shall include--
        (i) email notification to the extent that the person has email addresses of individuals to whom it is required to provide notification under subsection (a)(1);
        (ii) a conspicuous notice on the Internet website of the person (if such person maintains such a website); and
        (iii) notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.
      (C) Content of substitute notice.--Each form of substitute notice under this paragraph shall include--
        (i) notice that individuals whose personal information is included in the breach of security are entitled to receive, at no cost to the individuals, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions on requesting such reports or service from the person, except when the only information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code; and
        (ii) a telephone number by which an individual can, at no cost to such individual, learn whether that individual's personal information is included in the breach of security.
    (3) Regulations and guidance.--
      (A) Regulations.--Not later than 1 year after the date of enactment of this Act, the Commission shall, by regulation under section 553 of title 5, United States Code, establish criteria for determining circumstances under which substitute notification may be provided under paragraph (2), including criteria for determining if notification under paragraph (1) is not feasible due to excessive costs to the person required to provide such notification relative to the resources of such person. Such regulations may also identify other circumstances where substitute notification would be appropriate for any person, including circumstances under which the cost of providing notification exceeds the benefits to consumers.
      (B) Guidance.--In addition, the Commission shall provide and publish general guidance with respect to compliance with this subsection. Such guidance shall include--
        (i) a description of written or email notification that complies with the requirements of paragraph (1); and
        (ii) guidance on the content of substitute notification under paragraph (2), including the extent of notification to print and broadcast media that complies with the requirements of such paragraph.
  (e) Other Obligations Following Breach.--
    (1) In general.--A person required to provide notification under subsection (a) shall, upon request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual--
      (A) consumer credit reports from at least one of the major credit reporting agencies beginning not later than 60 days following the individual's request and continuing on a quarterly basis for a period of 2 years thereafter; or
      (B) a credit monitoring or other service that enables consumers to detect the misuse of their personal information, beginning not later than 60 days following the individual's request and continuing for a period of 2 years.
    (2) Limitation.--This subsection shall not apply if the only personal information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code.
    (3) Rulemaking.--As part of the Commission's rulemaking described in subsection (d)(3), the Commission shall determine the circumstances under which a person required to provide notification under subsection (a)(1) shall provide or arrange for the provision of free consumer credit reports or credit monitoring or other service to affected individuals.
  (f) Exemption.--
    (1) General exemption.--A person shall be exempt from the requirements under this section if, following a breach of security, such person determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.
    (2) Presumption.--
      (A) In general.--If the data in electronic form containing personal information is rendered unusable, unreadable, or indecipherable through encryption or other security technology or methodology (if the method of encryption or such other technology or methodology is generally accepted by experts in the information security field), there shall be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption or other security technologies or methodologies in a specific case, have been or are reasonably likely to be compromised.
      (B) Methodologies or technologies.--Not later than 1 year after the date of the enactment of this Act and biannually thereafter, the Commission shall issue rules (pursuant to section 553 of title 5, United States Code) or guidance to identify security methodologies or technologies which render data in electronic form unusable, unreadable, or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology in a specific case has been or is reasonably likely to be compromised. In issuing such rules or guidance, the Commission shall consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.
    (3) FTC guidance.--Not later than 1 year after the date of the enactment of this Act the Commission shall issue guidance regarding the application of the exemption in paragraph (1).
  (g) Website Notice of Federal Trade Commission.--If the Commission, upon receiving notification of any breach of security that is reported to the Commission under subsection (a)(2), finds that notification of such a breach of security via the Commission's Internet website would be in the public interest or for the protection of consumers, the Commission shall place such a notice in a clear and conspicuous location on its Internet website.
  (h) FTC Study on Notification in Languages in Addition to English.--Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the practicality and cost effectiveness of requiring the notification required by subsection (d)(1) to be provided in a language in addition to English to individuals known to speak only such other language.
  (i) General Rulemaking Authority.--The Commission may promulgate regulations necessary under section 553 of title 5, United States Code, to effectively enforce the requirements of this section.
  (j) Treatment of Persons Governed by Other Law.--A person who is in compliance with any other Federal law that requires such person to provide notification to individuals following a breach of security, and that, taken as a whole, provides protections substantially similar to, or greater than, those required under this section, as the Commission shall determine by rule (under section 553 of title 5, United States Code), shall be deemed to be in compliance with this section.

SEC. 4. APPLICATION AND ENFORCEMENT.

  (a) General Application.--The requirements of sections 2 and 3 shall only apply to those persons, partnerships, or corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act.
  (b) Enforcement by the Federal Trade Commission.--
    (1) Unfair or deceptive acts or practices.--A violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
    (2) Powers of commission.--The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act.
    (3) Limitation.--In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.
  (c) Enforcement by State Attorneys General.--
    (1) Civil action.--In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any person who violates section 2 or 3 of this Act, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction--
      (A) to enjoin further violation of such section by the defendant;
      (B) to compel compliance with such section; or
      (C) to obtain civil penalties in the amount determined under paragraph (2).
    (2) Civil penalties.--
      (A) Calculation.--
        (i) Treatment of violations of section 2.--For purposes of paragraph (1)(C) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of days that a person is not in compliance with such section by an amount not greater than $11,000.
        (ii) Treatment of violations of section 3.--For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation.
      (B) Adjustment for inflation.--Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amounts specified in clauses (i) and (ii) of subparagraph (A) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.
      (C) Maximum total liability.--Notwithstanding the number of actions which may be brought against a person under this subsection the maximum civil penalty for which any person may be liable under this subsection shall not exceed--
        (i) $5,000,000 for each violation of section 2; and
        (ii) $5,000,000 for all violations of section 3 resulting from a single breach of security.
    (3) Intervention by the FTC.--
      (A) Notice and intervention.--The State shall provide prior written notice of any action under paragraph (1) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Commission shall have the right--
        (i) to intervene in the action;
        (ii) upon so intervening, to be heard on all matters arising therein; and
        (iii) to file petitions for appeal.
      (B) Limitation on state action while federal action is pending.--If the Commission has instituted a civil action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.
    (4) Construction.--For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
      (A) conduct investigations;
      (B) administer oaths or affirmations; or
      (C) compel the attendance of witnesses or the production of documentary and other evidence.
  (d) Affirmative Defense for a Violation of Section 3.--
    (1) In general.--It shall be an affirmative defense to an enforcement action brought under subsection (b), or a civil action brought under subsection (c), based on a violation of section 3, that all of the personal information contained in the data in electronic form that was acquired or accessed as a result of a breach of security of the defendant is public record information that is lawfully made available to the general public from Federal, State, or local government records and was acquired by the defendant from such records.
    (2) No effect on other requirements.--Nothing in this subsection shall be construed to exempt any person from the requirement to notify the Commission of a breach of security as required under section 3(a).

SEC. 5. DEFINITIONS.
In this Act the following definitions apply: (1) Breach of security.--The term ``breach of security'' means unauthorized access to or acquisition of data in electronic form containing personal information. (2) Commission.--The term ``Commission'' means the Federal Trade Commission. (3) Data in electronic form.--The term ``data in electronic form'' means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices. (4) Encryption.--The term ``encryption'' means the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption. (5) Identity theft.--The term ``identity theft'' means the unauthorized use of another person's personal information for the purpose of engaging in commercial transactions under the name of such other person. 
(6) Information broker.--The term ``information broker''-- (A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and (B) does not include a commercial entity to the extent that such entity processes information collected by and received from a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to (1) provide benefits for its employees or (2) directly transact business with its customers. (7) Personal information.-- (A) Definition.--The term ``personal information'' means an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number. (ii) Driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity. (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account. 
(B) Modified definition by rulemaking.--The Commission may, by rule promulgated under section 553 of title 5, United States Code, modify the definition of ``personal information'' under subparagraph (A)--
(i) for the purpose of section 2 to the extent that such modification will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act; or
(ii) for the purpose of section 3, to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.
(8) Public record information.--The term ``public record information'' means information about an individual which has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.
(9) Non-public information.--The term ``non-public information'' means information about an individual that is of a private nature and neither available to the general public nor obtained from a public record.
(10) Service provider.--The term ``service provider'' means an entity that provides to a user transmission, routing, intermediate and transient storage, or connections to its system or network, for electronic communications, between or among points specified by such user of material of the user's choosing, without modification to the content of the material as sent or received. Any such entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage or connections.

SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws.--This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly--
(1) requires information security practices and treatment of data containing personal information similar to any of those required under section 2; and
(2) requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information.
(b) Additional Preemption.--
(1) In general.--No person other than a person specified in section 4(c) may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.
(2) Protection of consumer protection laws.--This subsection shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.
(c) Protection of Certain State Laws.--This Act shall not be construed to preempt the applicability of--
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate to acts of fraud.
(d) Preservation of FTC Authority.--Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law.

SEC. 7. EFFECTIVE DATE.

This Act shall take effect 1 year after the date of enactment of this Act.

SEC. 8. AUTHORIZATION OF APPROPRIATIONS.

There is authorized to be appropriated to the Commission $1,000,000 for each of fiscal years 2010 through 2015 to carry out this Act.

Amend the title so as to read:

A bill to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.

PURPOSE AND SUMMARY

H.R. 2221, the ``Data Accountability and Trust Act'', was introduced on April 30, 2009, by Reps. Bobby L. Rush (D-IL), Cliff Stearns (R-FL), Joe Barton (R-TX), George Radanovich (R-CA), and Janice Schakowsky (D-IL). The goal of H.R. 2221 is to both reduce the number of data breaches and provide new rights to individuals whose personal information is compromised when a breach occurs. The bill has two major requirements: (1) an entity holding data containing personal information must adopt reasonable and appropriate security measures to protect such data; and (2) that same entity must notify affected consumers in the event of a breach unless the entity determines there is ``no reasonable risk of identity theft, fraud, or other unlawful conduct.'' In addition, the bill requires information brokers to implement reasonable procedures that will ensure data accuracy and provide consumers with access to information and the ability to dispute inaccurate information in certain circumstances.

BACKGROUND AND NEED FOR LEGISLATION

Data breaches can severely compromise the financial well-being of individuals whose personal information is exploited to commit identity theft or fraud. Despite increased publicity surrounding high-profile data breaches, enforcement by the Federal Trade Commission (FTC), and ongoing calls for better data security from Congress and other governmental bodies, data breaches continue at an alarming pace. According to the Privacy Rights Clearinghouse, almost 340 million records containing ``sensitive personal information'' have been ``involved in security breaches since January 2005.''\1\

---------------------------------------------------------------------------
\1\Privacy Rights Clearinghouse, A Chronology of Data Breaches (online at www.privacyrights.org/ar/ChronDataBreaches.htm) (accessed Oct. 6, 2009).
---------------------------------------------------------------------------

Data breaches have an impact on every sector of the economy.
High-profile data breaches have plagued financial institutions, nationwide retailers, online merchants, information brokers, credit card processors, healthcare institutions, high-tech companies, research facilities, and government agencies. The causes of these breaches range from high-tech hacking and skimming to dumpster diving and simple laptop theft.

Data breaches can result in substantial harm to consumers. Personal information that is lost or compromised may be exploited by criminals to commit identity theft, fraud, or other unlawful conduct. According to the FTC's most recent identity theft survey, approximately 8.3 million American adults--3.7% of all American adults--discovered that they were victims of identity theft in 2005.\2\ By some estimates, identity theft is the fastest growing type of fraud in the United States.\3\ Moreover, although identity theft often is associated with financial transactions, it also can take place in other contexts. For example, thieves can steal identities to gain employment, immigrate into this country, obtain medical care, apply for benefits, and evade law enforcement.

---------------------------------------------------------------------------
\2\See Federal Trade Commission, Identity Theft Survey Report, prepared by Synovate, at 3 (2007) www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.
\3\Congressional Research Service, Identity Theft: Trends and Issues, at 1 (Aug. 2009) (CRS-R40599).
---------------------------------------------------------------------------

The best way to prevent identity theft and other harm is for individuals and businesses to properly secure personal information so that it does not fall into the wrong hands in the first place. Currently, several laws address data security requirements for narrow categories of information or specific sectors of the marketplace.
These laws include the Gramm-Leach-Bliley Act (``GLB Act'') Safeguards Rule,\4\ which contains data security requirements for financial institutions, and the Fair Credit Reporting Act (``FCRA'') Disposal Rule,\5\ which imposes safe disposal obligations on entities that maintain consumer report information. In addition, FTC has used its enforcement authority under the FTC Act\6\ to bring actions against companies that have made misleading claims about data security procedures or failed to employ reasonable security measures in circumstances that caused substantial injury. There is no comprehensive federal law, however, that requires all companies that hold consumer personal information to implement reasonable measures to protect that data.

---------------------------------------------------------------------------
\4\16 CFR Part 314, implementing 15 U.S.C. section 6801(b).
\5\16 CFR Part 682, implementing 15 U.S.C. section 1681w.
\6\15 U.S.C. section 45(a).
---------------------------------------------------------------------------

Also, there is no federal law that requires companies that experience a data breach to provide notice to those consumers whose personal information was compromised. Consumers need to know when their sensitive information has been compromised in order to detect and prevent identity theft, fraud, or other unlawful conduct. Timely notice allows consumers to take concrete steps to prevent identity theft such as cancelling accounts or requesting new account numbers, monitoring accounts for unusual activity, and placing alerts on credit reports. Victims of identity theft can spend countless hours attempting to fix the myriad problems that can result from the misuse of personal information. Notice, as well as the provision of services to help consumers monitor their accounts for suspicious activity, would aid consumers with the arduous task of preventing and/or recovering from identity theft.

H.R. 2221 is a comprehensive information security regime that will require all companies subject to FTC jurisdiction to implement an information security program to safeguard personal information. This program is applicable to personal information stored electronically and in paper records and would require companies to engage in an ongoing process of evaluating risks and taking reasonable measures to address those risks. H.R. 2221 also requires companies that experience a data breach to provide consumers with timely notice of the breach so that consumers can take steps to prevent harm. The bill creates uniform, nationwide standards for breach notification for all entities subject to FTC jurisdiction. The bill further requires companies to provide individuals with free monitoring services to detect the misuse of their personal information following a breach. In addition to the information security and breach notification requirements that apply to all entities subject to FTC jurisdiction, H.R. 2221 includes additional requirements for information brokers, those companies that are in the business of collecting personal information for the purpose of selling it to third parties.

LEGISLATIVE HISTORY

The Data Accountability and Trust Act originally was introduced as H.R. 4127 in the 109th Congress on October 25, 2005, by Rep. Stearns, who was then Chairman of the Subcommittee on Commerce, Trade, and Consumer Protection. In the 109th Congress, the Subcommittee on Commerce, Trade, and Consumer Protection held two oversight hearings on data breaches, data security, and information brokers, as well as a legislative hearing on a discussion draft of H.R. 4127. The Subcommittee considered H.R. 4127 in markup session and forwarded the bill, amended, to the full Committee on November 3, 2005. On March 29, 2006, the Committee on Energy and Commerce met in open markup session and ordered H.R. 4127 reported to the House, as amended, by a recorded vote of 41 yeas and 0 nays.
In the 110th Congress, H.R. 958 was introduced by Rep. Bobby L. Rush, Chairman of the Subcommittee on Commerce, Trade, and Consumer Protection, with the same language as the bill that passed out of the Committee in the previous Congress.

COMMITTEE CONSIDERATION

In the 111th Congress, Subcommittee Chairman Rush, on behalf of himself, Reps. Stearns, Barton, Radanovich, and Schakowsky, reintroduced the bill as H.R. 2221 on April 30, 2009. The bill was referred to the Subcommittee on Commerce, Trade, and Consumer Protection on May 1, 2009. The Subcommittee held a legislative hearing on H.R. 2221 on May 5, 2009. Testimony was heard from witnesses representing the Bureau of Consumer Protection of the Federal Trade Commission; the Center for Democracy and Technology; the Business Software Alliance; the Distributed Computing Data Industry Association; the Electronic Privacy Information Center; Tiversa, Inc.; and the Center for the Study of Digital Property of the Progress & Freedom Foundation. On June 3, 2009, the Subcommittee met in open markup session to consider H.R. 2221. The Subcommittee subsequently forwarded H.R. 2221, amended, to the full Committee by a voice vote. The Committee on Energy and Commerce met in open markup session on September 30, 2009, and considered H.R. 2221 as forwarded by the Subcommittee on June 3, 2009. The Committee adopted a manager's amendment to the bill by a voice vote. The full Committee then ordered H.R. 2221 favorably reported to the House, amended, by a voice vote.

COMMITTEE VOTES

Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. A motion by Mr. Waxman to order H.R. 2221 favorably reported to the House, amended, was agreed to by a voice vote. There were no recorded votes taken during consideration and passage of H.R. 2221.
STATEMENT OF COMMITTEE OVERSIGHT FINDINGS AND RECOMMENDATIONS

In compliance with clause 3(c)(1) of rule XIII and clause (2)(b)(1) of rule X of the Rules of the House of Representatives, the oversight findings and recommendations of the Committee are reflected in the descriptive portions of this report.

NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

Pursuant to clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee adopts as its own the estimate of budget authority and revenues regarding H.R. 2221 prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974. The Committee finds that H.R. 2221 would result in no new or increased entitlement authority, or tax expenditures or revenues.

STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

In accordance with clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, the performance goals and objectives of the Committee are reflected in the descriptive portions of this report.

CONSTITUTIONAL AUTHORITY STATEMENT

Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee must include a statement citing the specific powers granted to Congress to enact the law proposed by H.R. 2221. Article I, section 8, clauses 3 and 18 of the Constitution of the United States grant the Congress the power to enact this law.

EARMARKS AND TAX AND TARIFF BENEFITS

H.R. 2221 does not contain any congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9 of rule XXI of the Rules of the House of Representatives.

FEDERAL ADVISORY COMMITTEE STATEMENT

The Committee finds that the legislation does not establish or authorize the establishment of an advisory committee within the definition of 5 U.S.C. App., section 5(b) of the Federal Advisory Committee Act.
APPLICABILITY OF LAW TO THE LEGISLATIVE BRANCH

Section 102(b)(3) of Public Law 104-1 requires a description of the application of this bill to the legislative branch where the bill relates to terms and conditions of employment or access to public services and accommodations. H.R. 2221 requires commercial entities subject to Federal Trade Commission jurisdiction that own or possess personal information to adopt reasonable and appropriate security measures to protect such data and, in the event such information is breached, that same entity must notify affected consumers of the breach of security. This bill does not relate to employment or access to public services and accommodations in the legislative branch.

FEDERAL MANDATES STATEMENT

Section 423 of the Congressional Budget and Impoundment Control Act of 1974 (as amended by section 101(a)(2) of the Unfunded Mandates Reform Act, P.L. 104-4) requires a statement on whether the provisions of the report include unfunded mandates. In compliance with this requirement, the Committee adopts as its own the estimates of federal mandates prepared by the Director of the Congressional Budget Office.

COMMITTEE COST ESTIMATE

Pursuant to clause 3(d)(2) of rule XIII of the Rules of the House of Representatives, the Committee adopts as its own the cost estimate of H.R. 2221 prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974.

CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

With respect to the requirements of clause 3(c)(2) of rule XIII of the Rules of the House of Representatives and section 308(a) of the Congressional Budget Act of 1974 and with respect to requirements of clause (3)(c)(3) of rule XIII of the Rules of the House of Representatives and section 402 of the Congressional Budget Act of 1974, the Committee has received the following cost estimate for H.R. 2221 from the Director of Congressional Budget Office:

December 7, 2009.

Hon. Henry A. Waxman,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 2221, the Data Accountability and Trust Act. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Susan Willie.

Sincerely,
Douglas W. Elmendorf.

Enclosure.

H.R. 2221--Data Accountability and Trust Act

Summary: H.R. 2221 would establish new requirements to protect the personal information of individuals that is collected and maintained by commercial entities. The bill would require companies to adopt procedures to protect personal information from improper access, anticipate and mitigate potential vulnerabilities in security systems intended to prevent improper access, and specify methods for disposing of data that is held in electronic and nonelectronic form. H.R. 2221 would require data brokers (entities that collect and maintain personal information for sale to others) to submit their data security policies to the Federal Trade Commission (FTC) and to establish procedures that consumers may follow to review and, if necessary, dispute the accuracy of their personal data. Finally, the bill would require entities covered by the bill to notify individuals when their personal information has been improperly accessed as the result of a breach of security. H.R. 2221 would require the FTC to develop regulations to implement and enforce the new requirements. Assuming appropriation of the authorized amounts, CBO estimates that implementing H.R. 2221 would cost $5 million over the 2010-2014 period to develop and enforce the new regulations. Enacting H.R. 2221 could increase federal revenues from additional civil penalties assessed for violations of laws related to information security. CBO estimates that any additional revenues would not be significant because of the relatively small number of cases expected to be involved.
Enacting H.R. 2221 would not affect direct spending.

H.R. 2221 contains intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates that those mandates would impose no costs on state, local, or tribal governments.

H.R. 2221 would impose several private-sector mandates as defined in UMRA by requiring certain entities engaged in interstate commerce to establish policies and procedures to keep personal information secure and to notify affected individuals in the event of a security breach. The bill also would impose new requirements on information brokers related to data collection and accuracy. Much of the industry already complies in large part with many of the bill's requirements. However, some of the requirements in the bill would impose new security standards and notification procedures on millions of entities in the private sector. Based on this information, CBO estimates that the aggregate direct cost of the mandates in the bill would exceed the annual threshold established in UMRA for private-sector mandates ($139 million in 2009, adjusted annually for inflation) in at least one of the first five years the mandates are in effect.

Estimated cost to the Federal Government: The estimated budgetary impact of H.R. 2221 is shown in the following table. The costs of this legislation fall within budget function 370 (commerce and housing credit).

                                                   By fiscal year, in millions of dollars--
                                              2010    2011    2012    2013    2014    2010-2014
----------------------------------------------------------------------------------------------
                        CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Authorization Level.......................       1       1       1       1       1        5
Estimated Outlays.........................       1       1       1       1       1        5
----------------------------------------------------------------------------------------------

Basis of estimate: For this estimate, CBO assumes that the bill will be enacted early in calendar year 2010 and that the $1 million authorized to be appropriated for each of fiscal years 2010 through 2015 will be provided for each year. CBO estimates that implementing H.R. 2221 would cost $5 million over the 2010-2014 period for the FTC to issue regulations and enforce the bill's provisions. Enacting the legislation would not have a significant effect on revenues and would not affect direct spending.

Estimated impact on state, local, and tribal governments: H.R. 2221 contains intergovernmental mandates as defined in UMRA. It would preempt state and local laws that require entities that experience security breaches to notify persons whose information is compromised. The bill also would preempt state and local laws that require entities to implement security practices for handling personal information. CBO estimates that because the preemptions would only limit the application of state law, the mandate would impose no costs on state, local, or tribal governments.

Estimated impact on the private sector: H.R. 2221 would impose several private-sector mandates as defined in UMRA. It would require entities engaged in interstate commerce that own or possess personal information to implement policies and procedures to keep personal information secure, and to notify individuals when their personal information has been compromised as a result of a security breach. The bill also would require information brokers to establish procedures to verify the accuracy of the data they maintain on individuals and allow those individuals to review and correct their files. Much of the industry already complies in large part with many of the bill's requirements.
However, this legislation would impose new information security requirements and notification procedures and practices on millions of private-sector entities. It also would broaden the definition of ``personal information'' and expand the circumstances under which businesses must notify individuals of a breach of their information as compared to current law. Based on information from the FTC and industry sources, CBO estimates that the aggregate cost of the mandates in the bill would exceed the annual threshold established in UMRA for private-sector mandates ($139 million in 2009, adjusted annually for inflation) in at least one of the first five years that the mandates are in effect.

Requirements for information security

Section 2 of the bill would require certain entities that own or possess personal information, that are engaged in interstate commerce, or that contract a third party to maintain such data, to establish and implement information security policies and procedures in compliance with regulations to be set by the FTC. Personal information, as defined in the bill, is an individual's first name or initial and last name, or address, or phone number, in combination with any one or more of the following: the individual's social security number, driver's license number, passport number or similar identification number issued on a government document, or a financial account number or credit card number and any security or access code needed to access the account. Covered entities would have to implement a security policy with respect to the use, sale, dissemination, and maintenance of data and conduct periodic vulnerability testing on their security programs. Additionally, those entities would have to identify an officer responsible for the oversight of the information security. Entities also would have to implement a process for disposing of obsolete electronic and non-electronic data containing personal information.
Some businesses could be determined by the FTC to be in compliance with the requirements of section 2 if they are currently in compliance with similar federal regulations to maintain standards and safeguards for information security. The cost of compliance for the data privacy and security requirements would depend on the rules to be established by the FTC, the size of the entity, and the amount of personal information maintained by the entity. Most businesses are already subject to state or other federal laws regulating security policies, and it is the current practice of many businesses to use security measures to protect sensitive data. However, state laws generally use a more narrow definition of personal information than would apply under the bill. The bill's requirements would apply to varying degrees to millions of businesses who own, use, or maintain personal information. Even though the incremental cost per entity of implementing the information security requirements in the bill could be small, the aggregate cost of compliance could be substantial.

Notification of information security breach

Section 3 would require a covered entity that owns or possesses data in electronic form containing personal information to notify individuals and the FTC following a security breach in which such individuals' personal information was accessed or acquired by an unauthorized person. The bill also includes special notification requirements for third party agents and internet service providers. Notification would have to be written or, in some circumstances, could be sent via email. The bill allows for substitute notification, through postings on the entity's Web site and in print and broadcast media, when the person experiencing the breach owns or possesses the data of fewer than 1,000 individuals, or when direct notification is not feasible due to excessive cost or if the contact information for the individuals is unavailable.
Both forms of notification would have to include a description of the information accessed or acquired, certain relevant telephone contact numbers, and notice of the right to receive free credit monitoring services or quarterly credit reports for two years following the breach. Entities would have to provide credit reports or credit monitoring services to individuals affected by a breach at no cost to the individual, if requested. If the breached personal information consists of an individual's name, address, or phone number in combination with a credit or debit card number and the required security code, under the legislation, breach notification would not be required. The bill also would allow an entity to be exempt from notification requirements, if it determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct. An allowable presumption that no risk of identity theft or fraud exists includes encryption or similar modification of data so that it is rendered unreadable. Should entities choose to reduce the likelihood of a data breach by encrypting personal information, the total cost could be substantial. Data encryption software can cost between $150 and $600 or more depending on the type of system used and the amount of data. If even a small portion of the millions of entities affected by this bill were to purchase this software, those costs could exceed the annual threshold. In 2006, more than 17 million people's social security numbers were stolen or accessed in security breaches, none of which was encrypted. Since 2006, the number of individuals who have had their information accessed illegally has risen. This legislation would elevate other personally identifying information (such as driver's license numbers and passport IDs) to the level of a social security number for the purposes of data breach notification. Therefore, the number of individuals who would have to be notified about a breach could increase under the bill. 
The majority of states already have data breach security laws in place; however, those laws do not include provisions for mandatory credit monitoring services. The cost of bulk purchases of the credit monitoring services is approximately $60 per person, per year, according to credit industry professionals. Historically, there has been an acceptance rate of such services of about 6 percent to 8 percent. If the large number of security breaches continues, in spite of the requirements for information security programs and encryption, the cost of the notification requirements could be significant.
Special requirements for information brokers
Security Systems Audit. Information Brokers (companies whose business is to collect, assemble, maintain and sell information about individuals who are not their customers) would be required to submit their information-security policies to the FTC for review upon request or accompanying notification of breach of security. As a part of their information security requirements, following a breach in security, information brokers would be required to allow the FTC to conduct a post-breach audit of their security systems, or to have an independent auditor brought in to review the system. According to industry experts, the cost of a security audit can range from $10,000 to more than $100,000 depending on the thoroughness of the audit and the type of systems being tested. Only 26 audits were required by the FTC between 2001 and 2009. However, the scope of what constitutes a breach could be broadened under the bill, so the number of audits may increase upon enactment of this legislation.
Maintaining the Accuracy of Information. Information brokers would also be required to establish accuracy standards for the personal information they broker. The bill would require information brokers annually to provide individuals with their personal information at no cost.
The individual would then have to be given the right to dispute any information held by the broker. If that information is found to be incorrect, information brokers who do not use their data for marketing purposes would be obliged to correct the inaccuracy and, in certain cases, to provide the individual with the source of the data. Information brokers who do use data for marketing purposes would be required to allow individuals to decide how their information should be used. The cost of providing records upon request depends on the costs of gathering and distributing the information to individuals and the number of individuals requesting their information. According to information from industry sources, some information brokers already correct information based on requests from individuals. Industry experts also indicate that the average cost to large information brokers that currently provide this service is about $8.50 each time a record is disclosed and information is disputed by an individual. However, the cost per record may be higher for information brokers who do not currently have systems in place to handle such disputes. Some evidence exists that many individuals' personal information housed at data brokerage firms is in part incorrect. There were 12 million disputes that led to investigations in 2006, and providing the means to access and dispute personal information annually could reasonably lead to an increase in the number of requests. The cost would be the incremental cost incurred by brokers as a consequence of an increase in dispute requests. According to industry leaders, there were around 30 data aggregators and 600 to 700 information brokers nationwide in 2006. Those information brokers that do not currently have the capability to resolve disputes would incur a significant cost for establishing the means to comply with this provision.
The bill would also require information brokers to maintain an audit log of internal and external access to, or transmission of, any data in electronic form containing personal information. The current industry standard on data security has not reached that level. According to industry experts, information on a particular individual can be collected from several places and, for large companies, can be accessed by thousands of people from several different locations. The ability to trace each transaction of data containing personal information would be a significant enhancement of data management hardware and software for the majority of business entities. The aggregate cost of implementing such changes could be substantial.
Previous CBO estimate: On December 2, 2009, CBO transmitted a cost estimate for S. 1490, the Personal Data Privacy and Security Act of 2009, as ordered reported by the Senate Committee on the Judiciary on November 5, 2009. H.R. 2221 and S. 1490 are concerned with the security of sensitive personal information and notification requirements in the event such information is disclosed to unauthorized entities. CBO estimates that implementing the provisions of S. 1490 that would require agencies to assess the security of sensitive personal information held by the government and to report to the Congress on those assessments would cost $25 million over the 2010-2014 period. CBO determined that both H.R. 2221 and S. 1490 contain intergovernmental mandates that would not exceed the threshold established in UMRA ($69 million in 2009, adjusted for inflation). In addition, CBO determined that both bills contain private-sector mandates that would exceed the annual threshold established in UMRA for private-sector mandates ($139 million in 2009, adjusted annually for inflation).
Estimate prepared by: Federal Costs: Susan Willie; Impact on State, Local, and Tribal Governments: Elizabeth Cove Delisle; Impact on the Private Sector: Marin Randall.
Estimate approved by: Theresa Gullo, Deputy Assistant Director for Budget Analysis.
SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short title
Section 1 provides that the short title of H.R. 2221 is the ``Data Accountability and Trust Act''.
Section 2. Requirements for information security
Section 2(a)(1) directs the Federal Trade Commission to promulgate rules requiring persons that own or possess ``personal information'' to implement security policies and procedures to safeguard that information. This requirement applies to both electronic data and paper records containing personal information. In implementing the regulations under this section, H.R. 2221 directs the FTC to take into consideration: (1) the size of, and the nature, scope, and complexity of the activities engaged in by such persons; (2) the current state of the art in administrative, technical, and physical safeguards for protecting personal information; and (3) the cost of implementing such safeguards. The Committee intends that the consideration of these factors by the FTC result in reasonable procedures that are flexible, that may be implemented by different business models, and that can accommodate changes in technology and evolving best practices. Section 2(a)(2) sets forth specific requirements for the information security policies that are to be determined by the FTC. For example, the regulations shall require each person to develop a security policy that addresses, at a minimum, the collection, use, sale, other dissemination, and maintenance of paper and electronic personal information. FTC regulations shall require each person to evaluate risks associated with different methods and points of collection for personal information, including the use of terminals or devices to swipe credit and debit cards to purchase goods at unattended locations such as vending machines and fuel pumps.
Section 2(a)(3) requires the FTC to conduct a rulemaking to determine which other federal information security statutes or rules provide protections substantially similar to, or greater than, those required under section 2(a). Any person who is in compliance with such a similar law shall be deemed to be in compliance with section 2(a) and the FTC's implementing regulations. The FTC should consider, for example, whether the information security standards promulgated pursuant to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act meet this threshold. Although all persons subject to H.R. 2221 must adequately protect personal information, the Committee also seeks to avoid imposing duplicative, inconsistent, or overlapping data security regulations on a person subject to section 2(a) of H.R. 2221. Section 2(b) imposes special requirements on information brokers. Information brokers, who may collect vast amounts of personal information, provide a wide array of beneficial services to businesses and government entities. Many of the data collection activities of information brokers, however, are largely unregulated.\7\ The high-profile data breaches at information brokers in 2005, which sparked the initial call for this legislation, revealed the problems with the significant gaps in regulation.\8\ --------------------------------------------------------------------------- \7\See Congressional Research Service, Data Brokers: Background and Industry Overview, at 1 (May 2007) (CRS-RS22137). \8\House Committee on Energy and Commerce, Data Accountability and Trust Act (DATA), 109th Cong., at 10 (2006) (H. Rept. 109-453, Part 1). --------------------------------------------------------------------------- The distinction between information brokers and most other commercial entities is the amount of information collected, analyzed, mined, and sold, as well as the lack of transparency to consumers. 
Data brokers collect information from various public and private sources and use it for a wide variety of purposes. This includes the creation of marketing databases that, for the largest brokers, can be used to analyze hundreds of data elements about nearly every American. In addition, unlike retailers or banks that have direct relationships with the consumers about whom they collect information, consumers have no relationship with information brokers and may not be aware that their profiles are compiled and sold. For those consumers who are concerned about their privacy and personal information, it is difficult, if not impossible, to discover who has what information about them. Section 2(b)(1) directs the FTC to promulgate regulations that require information brokers to submit their information security policies to the FTC any time they are required to notify FTC of a breach of security under section 3. The FTC also may request that an information broker submit such policies to the FTC at any time. Section 2(b)(2) provides the FTC with the ability to conduct audits of the information security practices of an information broker that provides notice pursuant to section 3, or requires such information broker to conduct independent audits of its security practices. Section 2(b)(3) imposes specific requirements concerning accuracy, access, and dispute resolution procedures for information brokers. Section 2(b)(3)(A) requires that an information broker establish reasonable procedures to assure the maximum possible accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles or maintains that specifically identifies an individual. 
This provision is not limited to personal information as defined in section 5, but expressly covers ``any other information it collects, assembles or maintains that specifically identifies an individual.'' Information, however, which merely identifies an individual's name or address is excluded. This exclusion could include a marketing or mailing list. In addition, section 2(b)(3)(A), which requires ``reasonable procedures'' to assure information accuracy, does not require that accuracy be absolutely proven or, for example, that an information broker verify the accuracy of information obtained from public records. Moreover, clause (ii) provides a limited exception from the accuracy requirements for fraud databases. Section 2(b)(3)(B)(i) requires information brokers to provide consumers with the ability to access information and dispute the accuracy of that information. As with the accuracy requirements in section 2(b)(3)(A), this provision is not limited to personal information, but includes any other information maintained by the information broker that specifically identifies an individual, other than information that merely identifies an individual's name or address. The information broker is required to offer access to the information once a year at no cost to the individual. Section 2(b)(3)(B)(ii) sets forth the procedures that permit an individual to dispute the accuracy of information maintained by an information broker and the actions an information broker must take in response to such a dispute. Upon receiving a consumer request under clause (ii), an information broker must verify the identity of the requesting individual to prevent both fraudulent access to information and the fraudulent alteration of information, which could compromise the integrity of the data and result in harm. Section 2(b)(3)(B)(iii) sets forth alternate procedures the information brokers may use regarding certain marketing information.
Specifically, clause (iii) provides that in accordance with regulations issued by the FTC, if information is used, shared, or sold for marketing purposes, the information broker may, in lieu of complying with the access and dispute requirements of clause (ii), provide all individuals whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for marketing. If the individual expresses that preference, the information broker may not use, share, or sell the individual's information for marketing purposes. Section 2(b)(3)(B)(iv) provides limitations to the access rights under clause (ii) and website notice requirements under clause (i). Although an information broker must provide conspicuous notice on its website, website notice does not apply to those specific circumstances in which an information broker may limit access to information. Databases that are used to verify an individual's identity for antifraud purposes provide significant benefits to law enforcement, business, and consumers, and access to such databases could undermine the usefulness of the data as a tool against fraud. Pursuant to clause (v), the FTC may implement rules on the scope of the limitations in clause (iv) and add additional circumstances in which an information broker may limit access to information. Section 2(b)(3)(C) provides that if an information broker is in compliance with the relevant provisions of the Fair Credit Reporting Act (FCRA) for FCRA-covered information, the information broker shall be deemed to be in compliance with paragraph (3) with respect to that information. Thus, the information broker will not need to comply with the accuracy, access, and dispute resolution provisions of this Act. This subparagraph reflects the Committee's intent to avoid the imposition of duplicative, inconsistent, or overlapping regulations on an information broker subject to section 2(b) of H.R. 2221. 
Section 2(b)(4) requires the FTC to promulgate regulations requiring information brokers to establish measures that will allow information brokers to keep track of who obtains access to personal information, such as the maintenance of chronological records or logs. Section 2(b)(5) prohibits information brokers from obtaining personal information or any other information relating to a person by pretexting--making false statements to any person for the purpose of obtaining information. It also prohibits an information broker from soliciting another to pretext for information. Section 2(c) provides a limited exception for certain activities by service providers as that term is defined in section 5(10). Specifically, section 2(c) provides that nothing in section 2 applies to a service provider that is merely serving as the conduit for the transmission (routing or transient storage) of information. In this situation, the entity transmitting the information, the service provider, is neither the sender nor the intended recipient, did not modify the data in any way, and does not treat personal information being transmitted any differently from any other data sent over its pipes. It is the intent of the Committee that this limited exemption only applies to these specific activities where the service provider is merely serving as the conduit for the transmission of information. To the extent a service provider stores electronic personal information outside the provision of transmission or routing services, initiates or is party to a transmission of personal information, maintains paper records, or otherwise owns or possesses personal information, a service provider must comply with the requirements of section 2, unless otherwise exempt from the requirements of this bill.
Section 3. Notification of information security breach
Section 3(a) requires any person engaged in interstate commerce that owns or possesses data in electronic form to notify, following the discovery of a breach of security, the FTC and each individual whose personal information was acquired or accessed as a result of the breach. Unlike section 2, section 3 only applies to data in electronic form. Section 3(b)(1) limits the breach notification obligations of a third party agent who, pursuant to a contractual relationship, is storing or processing personal information on behalf of another person who owns or possesses such data. In the event of a breach of security, the third party agent must provide notice of the breach to the person who owns or possesses the data. The third party agent must provide notice as soon as reasonably possible and without delay. Upon receiving such notice, the person who contracted with the third party agent and owns or possesses the data must then provide notice to consumers and the FTC pursuant to section 3(a). Section 3(b)(1) should not inhibit or supersede the parties' ability to contract for responsibility in the event of a data breach; therefore, a third party agent's duty is to notify only the owner of the data in the event of a breach, and not the owner's customers or consumers. Notice of a breach from both a third party agent and the owner of the data would be duplicative and may cause confusion for a consumer who neither recognizes nor has a direct relationship with the third party agent. Section 3(b)(2) is a limited exception for service providers when acting solely as a conduit of personal information that is owned or possessed by another person.
Section 3(b)(2) provides that if a service provider becomes aware of a breach of security of personal information that is owned or possessed by another person who uses the service provider's system or network for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider only is required to notify the person who initiated the connection or transmission. Notice is required only in those cases where such person reasonably can be identified. Upon receiving notification from a service provider, such person must provide the notice required under subsection (a). Thus, section 3(b)(2) recognizes that in many cases a breach of security, during the course of transmission of information, may not always be discovered and that even when a breach is discovered, a service provider may not always be able to identify the nature of the data being transmitted or the identity of the sender of the information. To the extent a service provider otherwise experiences a breach of security, such service provider must comply with all the requirements of section 3. Section 3(c) provides that, subject to paragraph (2), notice must be provided not later than 60 days following the discovery of the breach unless it can be shown that providing notice within 60 days is not feasible due to extraordinary circumstances necessary to prevent further breach or unauthorized disclosures and reasonably restore the integrity of the data system. In those circumstances, notice shall be provided as promptly as possible and the person providing notice shall have the burden of proving that the extraordinary circumstances warranted the delay. Paragraph (2) provides for a delay of notification for law enforcement or national security purposes upon receipt of a written request from a law enforcement or national security agency. Section 3(d)(1) provides for the method and content of notification. 
Section 3(d)(2) sets forth the circumstances under which a person may provide substitute notification in lieu of direct notification required under section 3(d)(1). This provision recognizes that small businesses may not have the resources or the ability to comply with the direct notification requirements. Section 3(d)(3) requires the FTC to issue regulations concerning substitute notification. As part of the regulations, the FTC may identify other circumstances where substitute notification would be appropriate for any person, regardless of size or the amount of personal information held by that person, including circumstances under which the cost of providing notification exceeds the benefits to consumers. Section 3(e) requires a person that provides notice to individuals under subsection (a) to provide or arrange for the provision of consumer credit reports, a credit monitoring service, or other service that enables consumers to detect the misuse of their personal information. An individual shall receive these services upon request, at no cost to the individual, and the services must begin not later than 60 days following the request and continue for a period of 2 years thereafter. This provision recognizes that there are a variety of products and services available that may help consumers following a breach of security and provide effective protection for consumers from the risks of identity theft, fraud, or other unlawful conduct. The requirement is limited to providing affected individuals one service, not multiple services. The Committee recognizes, however, that some services available in the marketplace may provide only minimal, if any, benefit to consumers, or may provide benefits in limited circumstances. 
To address the concern that a person providing notice would provide the least expensive service regardless of its efficacy or benefit to consumers, section 3(e)(3) directs the FTC to determine, through rulemaking, the circumstances under which a person must provide consumer credit reports, credit monitoring, or other service. Section 3(f) provides an exemption from the requirements of section 3 under limited circumstances. Pursuant to paragraph (1), a person will not be required to provide notice if following a breach of security a person determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct. The Committee expects that these determinations will require a fact-specific analysis of a particular incident that will take into account the types of information that have been compromised, the cause of the breach, the identity of the party who may have accessed or acquired the information (if known), the usability of the compromised information, and other factors. Section 3(f)(2)(A) establishes a presumption that there is no reasonable risk of identity theft, fraud, or other unlawful conduct in a particular breach of security if the personal information that was the subject of the breach is unusable, unreadable, or indecipherable to an unauthorized third party. The method of rendering information unusable, unreadable, or indecipherable must be generally accepted by experts in the information security field. As of the date of this report, December 2009, encryption is one such method. However, while the statute recognizes encryption as a generally accepted method, it should not be interpreted as to require the use of ``end to end'' encryption. The presumption of no reasonable risk of identity theft, fraud, or other unlawful conduct may be rebutted by facts demonstrating that in a particular case the security technologies or methodologies have been, or are reasonably likely to be, compromised.
Section 3(f)(2)(B) requires the FTC to issue rules or guidance identifying security methodologies or technologies which render data unusable, unreadable, or indecipherable for the purpose of establishing the rebuttable presumption. FTC rules or guidance must be issued one year after the enactment of H.R. 2221 and biannually thereafter. This biannual requirement will ensure that FTC guidance remains relevant, up-to-date, and reflects changes in technology and methodologies over time. Because certain technologies and methodologies will likely become outdated or no longer considered to be an effective information security tool by experts in the information security field, the FTC will update its guidance or regulations to reflect that fact. The FTC could, at any time through this rulemaking process, determine that encryption or any other technology or methodology previously identified in FTC guidance no longer receives a presumption. Importantly, in issuing these rules or guidance, the FTC is required to consult with relevant industries, consumer organizations, data security experts, identity theft prevention experts, and established standard setting bodies. By establishing this rebuttable presumption, the Committee does not intend to deem any technology as the only, preferred or most effective method or technology for securing personal information. To the contrary, the provision expressly recognizes that there may be many technologies and methodologies that render data unusable, unreadable, or indecipherable for the purpose of establishing the rebuttable presumption.
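The report stays at the policy level, so the following is an added illustration, not code from H.R. 2221, the Committee, or the FTC, of the two mechanisms the report relies on: the chronological access log that section 2(b)(4) requires of information brokers (whose cost the CBO estimate above discusses), and encryption whose key is held apart from the data, so that a stolen copy of the records is indecipherable. That is the situation in which the section 3(f)(2) presumption applies, and it is what the bill's definition of encryption in section 5 (which requires appropriate management and protection of the keys) contemplates. All names here (KeyCustodian, AccessLog, ReadRecord, the record identifier "r1", the actor names) and the sample record are this example's assumptions; the key custodian stands in for an HSM or key-management service, and the hash chaining of the log is this example's design choice, not something the bill specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// AccessEntry is one chronological log record of the kind section 2(b)(4) asks
// for: who, from where ("internal"/"external"), which record, what action, when.
// PrevHash ties each entry to the one before it, making the log tamper-evident.
type AccessEntry struct {
	When                            time.Time
	Actor, Origin, RecordID, Action string
	PrevHash, Hash                  string
}

func hashEntry(e AccessEntry) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%s|%s",
		e.When.UTC().Format(time.RFC3339Nano), e.Actor, e.Origin, e.RecordID, e.Action, e.PrevHash))))
}

// AccessLog is append-only; Verify detects a deleted, edited or reordered entry.
type AccessLog struct{ Entries []AccessEntry }

func (l *AccessLog) Append(actor, origin, recordID, action string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AccessEntry{When: time.Now(), Actor: actor, Origin: origin, RecordID: recordID, Action: action, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
}

func (l *AccessLog) Verify() bool {
	prev := ""
	for _, e := range l.Entries {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

// KeyCustodian stands in for an HSM or key service (hypothetical): it alone holds
// the AES-256 key, the key "management and protection" in the bill's definition.
type KeyCustodian struct{ aead cipher.AEAD }

func NewKeyCustodian(key []byte) (*KeyCustodian, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &KeyCustodian{aead: aead}, err
}

// Seal returns nonce||ciphertext; recordID is bound as associated data so a
// ciphertext cannot be swapped onto another record undetected.
func (k *KeyCustodian) Seal(recordID string, pt []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, pt, []byte(recordID)), nil
}

// Open fails, rather than returning garbage, when the key is wrong or the blob
// was altered: without the key the data stays indecipherable (section 3(f)(2)).
func (k *KeyCustodian) Open(recordID string, blob []byte) ([]byte, error) {
	ns := k.aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("record %s: missing or truncated", recordID)
	}
	return k.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// ReadRecord is the only path from ciphertext to plaintext. It logs before it
// decrypts, so the entry exists even if the caller then fails or forwards the data.
func ReadRecord(c *KeyCustodian, audit *AccessLog, records map[string][]byte, actor, origin, recordID string) ([]byte, error) {
	audit.Append(actor, origin, recordID, "read")
	return c.Open(recordID, records[recordID]) // a missing record yields a nil blob, which Open rejects
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // in production the key is generated inside, and never leaves, the custodian
	c, _ := NewKeyCustodian(key)
	records := map[string][]byte{} // recordID -> nonce||ciphertext; nothing readable rests here
	records["r1"], _ = c.Seal("r1", []byte("constructed: Jane Q. Public, SSN 000-00-0000"))
	var audit AccessLog
	pt, err := ReadRecord(c, &audit, records, "analyst-7", "internal", "r1")
	fmt.Println(string(pt), err, len(audit.Entries), audit.Verify())
}
```

Opening a blob with a second custodian (a different key) fails, which is the concrete form of "indecipherable in the absence of the cryptographic keys"; if an incident also exposes the custodian's key, or plaintext that an application had already decrypted, the presumption is rebutted no matter how the store looks. Verify recomputes the chain, so a deleted, altered or reordered entry is detected; in practice the entries would also be shipped to a separate append-only sink so the log cannot be rewritten by whoever compromised the store.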
The Committee expects that during the rulemaking or guidance process mandated by this paragraph, those stakeholders that the FTC is required to consult with will identify, and the FTC will consider, a broad range of technologies and methodologies including, but not limited to, access controls, data association, data masking, encryption, non-persistent storage on devices, physical anti-tamper devices, redaction, and remotely triggered kill-pill technologies. This ongoing process is intended to encourage innovation and foster the development and adoption of new, information security technologies and methodologies. Section 3(g) provides the FTC with the discretion to place a notice of a breach of security it has received pursuant to section 3(a)(2) on its website if the FTC finds that such notice would be in the public interest or for the protection of consumers. In making a determination, the FTC should consider not only the benefits to consumers and the public interest, but also any possible harm that could result from such publication, including the possible facilitation of phishing attacks or the causing of undue consumer concern and confusion. Section 3(h) requires the FTC to conduct a study on the practicality and cost effectiveness of requiring notice to be provided in a language in addition to English to individuals known to speak only a language other than English. Section 3(i) provides the FTC with discretionary rulemaking authority to issue rules necessary for the FTC to effectively enforce section 3. Section 3(j) provides that the FTC shall determine through rulemaking which other federal laws that require persons subject to H.R. 2221 to provide notice to individuals following a breach of security provide protections substantially similar to, or greater than, those required under section 3. Any person, who is in compliance with the identified federal law, shall be deemed to be in compliance with section 3 and the implementing regulations of the FTC. 
It is the intent of the Committee to avoid the imposition of duplicative, inconsistent, or overlapping regulations while ensuring that consumers receive notification of information security breaches.
Section 4. Application and enforcement
Section 4(a) provides that sections 2 and 3 only apply to those persons, partnerships, or corporations over which the FTC has authority pursuant to section 5(a)(2) of the FTC Act. Section 4(b) provides for enforcement by the FTC and establishes that a violation of section 2 or 3 shall be treated as an unfair or deceptive act or practice in violation of a regulation under section 18 of the FTC Act. Section 4(b)(3) explicitly prohibits the FTC, when promulgating rules under this Act, from requiring the deployment or use of any specific products or technologies, including any specific hardware or software. Section 4(c)(1) provides for enforcement by the attorney general of a state, or an official or agency of a state, for violations of section 2 and 3. Section 4(c)(2) sets out the specific methods for calculating civil penalties in actions brought by the attorney general of a state, or an official or agency of a state. Section 4(c)(2)(C) limits the maximum total liability for civil penalties. Section 4(c)(3) imposes specific obligations and limitations on state actions. Section 4(d)(1) establishes an affirmative defense to an enforcement action brought under subsection 4(b), or a civil action brought under subsection 4(c), based on a violation of section 3, that all of the personal information compromised in a particular breach of security is public record information acquired from such public records. Section 4(d)(2) provides that the affirmative defense does not exempt any person from the requirement to notify the FTC of a breach of security as required under section 3(a).
Section 5. Definitions
Section 5 contains the definitions that apply to the Act.
Paragraph (1) defines ``breach of security'' to mean the unauthorized access to or acquisition of data in electronic form containing personal information.

Paragraph (2) defines the term ``Commission'' to mean the Federal Trade Commission.

Paragraph (3) defines the term ``data in electronic form'' to mean any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices. The definition includes data stored on removable media and portable storage devices.

Paragraph (4) defines the term ``encryption'' to mean the protection of data in electronic form, in storage or in transit, using an encryption technology that has been adopted by an established standards setting body and that renders the data indecipherable in the absence of the cryptographic keys needed to decrypt it. Such encryption must include the appropriate management and protection of the keys.

Paragraph (5) defines the term ``identity theft'' to mean the unauthorized use of another person's personal information for the purpose of engaging in commercial transactions under the name of that other person. While identity theft has predominantly involved account fraud, including the misuse of existing accounts and new account fraud, the term captures other equally harmful actions that occur in commerce that do not constitute account fraud.

Paragraph (6)(A) defines the term ``information broker'' to mean a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell that information or provide access to that information to any non-affiliated third party. This term includes entities that meet this definition as to any part of their overall business. Some entities may have other business lines under which they conduct transactions directly with individual customers. Any entity will be considered an information broker if any part of its business meets the definition.

Paragraph (6)(B) excludes from the definition of information broker a commercial entity to the extent that it processes information collected by and received from a nonaffiliated third party concerning individuals who are current or former customers or employees of that third party to enable that third party to (1) provide benefits for its employees or (2) directly transact business with its customers. This subparagraph clarifies that ``information broker'' does not include an entity where the collection or processing of information is incidental to its provision of other services, such as the provision of employee benefits. The phrase ``collected by and received from a nonaffiliated third party'' includes information collected on behalf of such nonaffiliated third party and received directly from the individual to whom the information relates. During the course of administration of an employee benefit plan, for example, an entity may, on behalf of the plan, directly collect and receive data (e.g., phone numbers, address updates, bank deposit/EFT instructions) from individual employees.

Paragraph (7) provides that the term ``personal information'' means an individual's first name or initial and last name, or address, or phone number, in combination with any one or more of the following data elements for that individual: Social Security number; driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity; financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.

An individual's first name or initial and last name, or address, or phone number, in combination with a financial account number, or credit or debit card number alone, constitutes ``personal information'' for the purposes of this Act where such information, without a security code, access code, or password, could be used to commit identity theft, fraud, or other unlawful conduct. For example, the magnetic stripe on the back of a credit card contains only the card holder's name and the card number, along with associated security data. For most credit cards, theft of this information, without a PIN or password, is adequate to duplicate the card and steal goods. Therefore, the definition of personal information includes the name and card number information encoded on the magnetic stripe of a credit card.

Pursuant to paragraph (7)(B), the FTC may modify the definition of ``personal information'' through rulemaking, but only to the extent that the modification will not unreasonably impede interstate commerce and will accomplish the purposes of this Act. In addition, for the purpose of section 3, the FTC must further find that the modification is necessary to accommodate changes in technology or practices.

Paragraph (8) defines the term ``public record information'' to mean information about an individual that has been obtained originally from records of a federal, state, or local government entity that are available for public inspection.

Paragraph (9) defines the term ``non-public information'' to mean information about an individual that is of a private nature and neither available to the general public nor obtained from a public record.
Paragraph (10) defines the term ``service provider'' to mean an entity that provides to a user transmission, routing, intermediate and transient storage, or connections to its system or network, for electronic communications, between or among points specified by such user of material of the user's choosing, without modification to the content of the material as sent or received. Any such entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage, or connections. In this context, intermediate or transient storage is to be interpreted narrowly to cover only temporary storage in the course of transmission or routing. Furthermore, the term service provider applies only to those entities that serve as a conduit of information and only to the specific activities of providing transmission, routing, intermediate and transient storage, or connections. The service provider does not treat personal information it is transmitting or routing any differently from any other data sent over its pipes. An entity that processes information, or serves as an intermediary for the transmission or processing of specific categories of information, such as a credit card processor receiving and forwarding credit card information, does not meet this definition.

Section 6. Effect on other laws

Section 6 provides that this Act preempts any provision of a state law to the extent the state law expressly requires information security practices and treatment of data containing personal information similar to any of those required under section 2, or requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information.

Section 6 further provides that no person other than a person specified in section 4(c) may bring a civil action under the laws of any state if such action is premised in whole or in part upon the defendant violating any provision of this Act, but makes clear that this provision shall not be construed to limit the enforcement of any state consumer protection law by an attorney general of a state.

Section 7. Effective date

Section 7 establishes the effective date as 1 year after enactment of this Act.

Section 8. Authorization of appropriations

Section 8 authorizes appropriations of $1 million for each fiscal year from 2010 to 2015 to carry out the provisions of this Act.

EXPLANATION OF AMENDMENTS

During the full Committee markup of H.R. 2221, Chairman Waxman offered an amendment in the nature of a substitute as a manager's amendment. The bipartisan amendment not only incorporated the changes made in Subcommittee, but also included several additional changes to the bill.

In section 2, the manager's amendment streamlined the ability of the FTC to conduct rulemaking concerning the destruction of paper documents. The manager's amendment also clarified that persons subject to security requirements under other relevant federal statutes will be deemed to be in compliance with the bill's security requirements provided that those safeguards are ``substantially similar to or greater than'' the requirements of this bill. In addition, the amendment clarified the telecommunications exemption in section 2 to ensure that certain service providers are exempt from the security requirements only to the extent they are serving as the conduit for the transmission of information.

With respect to the information broker provisions in section 2(b), the amendment: (1) clarified the exemption for fraud databases from the accuracy requirements under certain circumstances; (2) established a new procedure that permits information brokers to offer consumers the ability to prohibit the use of their information for marketing purposes in lieu of complying with the bill's access and correction provisions for marketing databases; and (3) further clarified that compliance with the Fair Credit Reporting Act constitutes compliance with the accuracy, access, and correction requirements of this Act.

The amendment deleted the provision in section 3 of the bill concerning breaches of health information; added a requirement that consumers be provided with notice not later than 60 days after the discovery of the breach; provided that, in lieu of free credit reports for individuals who have experienced a breach, a breached entity may provide affected individuals with credit monitoring or other services that assist in the detection or prevention of the misuse of their personal information; and revised provisions concerning the presumption that there is no reasonable risk of identity theft so that the presumption is more technology neutral and remains current and relevant as technology evolves. In addition, as with section 2, the amendment clarified the scope and application of the limited telecommunications exemption in section 3 to ensure that such exception applies only to service providers when serving as the conduit for the transmission of information. Further, the amendment clarified that the Act applies only to commercial entities subject to FTC jurisdiction and that the civil penalty cap that applies to enforcement by the states may not exceed $5 million for each violation. Finally, the amendment added language to clarify the definition of information broker.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED There are no changes in existing federal law made by the bill, as reported.