Sec. 5. Application and enforcement
1,505 words·~7 min read·
/bill/113/s/1976/is/section-5A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
The requirements of sections 2 and 3 shall apply to— those persons, partnerships, or corporations over which the Commission has authority under section 5(a)(2) of the Federal Trade Commission Act ( 15 U.S.C. 45(a)(2) ); and notwithstanding sections 4 and 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44 and 45(a)(2)), any non-profit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of the Internal Revenue Code of 1986.
Notwithstanding sections 4 and 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44 and 45(a)(2)), the requirements of section 3 shall apply to any other covered entity not included under subsection
(a)that enters into an agreement with the Commission under which that covered entity would be subject to section 3 with respect to any acts or omissions that occur while the agreement is in effect and that may constitute a violation of section 3, if— not less than 30 days prior to entering into the agreement with the person or entity, the Commission publishes notice in the Federal Register of the Commission's intent to enter into the agreement; and not later than 14 business days after entering into the agreement with the person or entity, the Commission publishes in the Federal Register— notice of the agreement; the identity of each person or entity covered by the agreement; and the effective date of the agreement. An agreement under paragraph
(1)shall not effect a covered entity's obligation to provide notice of a breach of security or similar event under any other Federal law. Subsections (a)(2) and
(b)of section 7 shall not apply to a breach of security that occurs before a valid agreement under paragraph
(1)is in effect. A violation of section 2 or 3 of this Act shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. The Commission shall enforce this Act in the same manner, by the same means, with the same jurisdiction, except as provided in subsections (a)(2) and
(b)of this section, and with the same powers and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any covered entity who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act. In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware. In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any covered entity who violates section 2 or section 3 of this Act, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction— to enjoin further violation of such section by the defendant; to compel compliance with such section; or to obtain civil penalties in the amount determined under paragraph (2). For purposes of paragraph (1)(C) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of days that a covered entity is not in compliance with such section by an amount not greater than $11,000. For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation. Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amounts specified in clauses
(i)and
(ii)of subparagraph
(A)and in clauses
(i)and
(ii)of subparagraph
(C)shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year. Notwithstanding the number of actions which may be brought against a covered entity under this subsection, the maximum civil penalty for which any covered entity may be liable under this subsection shall not exceed— $5,000,000 for each violation of section 2; and $5,000,000 for all violations of section 3 resulting from a single breach of security. The State shall provide prior written notice of any action under paragraph
(1)to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon commencing such action. The Commission shall have the right— to intervene in the action; upon so intervening, to be heard on all matters arising therein; and to file petitions for appeal. If the Commission has instituted a civil action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint. For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State— to conduct investigations; to administer oaths or affirmations; or to compel the attendance of witnesses or the production of documentary and other evidence. The Attorney General may bring a civil action in the appropriate United States district court against any covered entity that engages in conduct constituting a violation of section 4. Upon proof of such conduct by a preponderance of the evidence, a covered entity shall be subject to a civil penalty of not more than $1,000 per individual whose personal information was or is reasonably believed to have been accessed or acquired as a result of the breach of security that is the basis of the violation, up to a maximum of $100,000 per day while such violation persists. The total amount of the civil penalty assessed under this subsection against a covered entity for acts or omissions relating to a single breach of security shall not exceed $1,000,000, unless the conduct constituting a violation of section 4 was willful or intentional, in which case an additional civil penalty of up to $1,000,000 may be imposed. Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amounts specified in subparagraphs
(A)and
(B)shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year. If it appears that a covered entity has engaged, or is engaged, in any act or practice that constitutes a violation of section 4, the Attorney General may petition an appropriate United States district court for an order enjoining such practice or enforcing compliance with section 4. A court may issue such an order under paragraph
(3)if it finds that the conduct in question constitutes a violation of section 4. Chapter 47 of title 18, United States Code, is amended by adding at the end the following: Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act of 2014 , intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both. For purposes of subsection (a), the term person has the same meaning as in section 1030(e)(12) of this title. The United States Secret Service and the Federal Bureau of Investigation shall have the authority to investigate offenses under this section. The authority granted in paragraph
(1)shall not be exclusive of any existing authority held by any other Federal agency. . The table of sections for chapter 47 of title 18, United States Code, is amended by adding at the end the following: 1041. Concealment of breaches of security involving personal information. .
Connectionstraces to 4
Citation graph
cites case law
Cites 4Cited by 0 across 0 sources