CONGRESSWOMAN ELISE STEFANIK
H.R. 2221 is expected to be considered on the floor of the House under a motion to suspend the rules, requiring a two-thirds vote for passage. The legislation was introduced by Rep. Bobby Rush (D-IL) on April 30, 2009. The Committee on Energy and Commerce approved the bill by voice vote on September 30, 2009.
H.R. 2221 would require that parties electronically collecting consumers' personal information take steps to keep the data secure. The bill would require notification of affected consumers if there is a data breach. H.R. 2221 does allow law enforcement or national security agencies to delay notification under certain circumstances.
The bill directs the Federal Trade Commission (FTC) to create rules to require any person involved in interstate commerce who owns or possesses data containing personal information, or has a third party maintaining the data, to create procedures regarding information security practices to protect personal information. The bill clarifies that rules created by the FTC would require each data broker to submit security policies to the FTC if there is a security breach.
H.R. 2221 requires that following a security breach, any person involved in interstate commerce who owns or possesses data or a third party entity contracted to maintain data in electronic form containing personal information would have to notify each individual whose personal information was acquired by an unauthorized person and notify the FTC.
All security breach notifications would be made within 60 days, with limited exceptions. The notification requirement would not apply if the compromised information is considered unusable, unreadable or indecipherable by encryption or other security technology.
The measure specifies that the civil penalty cap that would apply to State enforcement of the bill would be $5 million for each violation. If a federal, State or local law enforcement agency determines that the notification required would impede a civil or criminal investigation, the notification would be delayed for 30 days. An agency would be able to revoke the delay or extend the period of time if needed. Additionally, if a federal national security agency or homeland security agency determines that a notification would threaten national or homeland security, the notification could be delayed for a period of time which the agency determines is reasonably necessary and requests in writing.
H.R. 2221 also creates a new procedure that would allow data information brokers to offer consumers the ability to prohibit their information from being used for marketing purposes.
The bill authorizes $1 million each year for the FTC between Fiscal Years 2010 and 2015.
There is no Congressional Budget Office (CBO) cost estimate available for this bill.