This bill would require individuals, corporations, and other non-government entities that access or handle sensitive financial account information and nonpublic personal information to implement an information security program. Those covered entities would also be required to notify consumers, federal law enforcement, relevant administrative agencies, payment card networks and consumer reporting agencies about data breaches that could lead to identity theft or fraud.
Covered entities would be directed to require their third-party service providers, by contract, to put appropriate safeguards for sensitive information in place. Entities would be allowed to delay sending out notifications about a data breach if a law enforcement agency requests such a delay.
Financial institutions would be allowed to communicate with account holders regarding breaches at third-party entities that hold their clients' account information. The bill would establish special notification procedures for breaches at third-party entities and electronic data carriers. Alternative compliance procedures would be put in place for financial institutions covered by the Gramm-Leach-Bliley Act and for entities complying with health record privacy laws.
Among the entities tasked with enforcing this legislation would be the following:
Federal Trade Commission (FTC);
Comptroller of the Currency;
Federal Reserve System;
Federal Deposit Insurance Corporation (FDIC);
National Credit Union Administration Board;
Securities and Exchange Commission (SEC);
Commodity Futures Trading Commission (CFTC);
Office of Federal Housing Enterprise Oversight;
State insurance authorities in certain circumstances.
This legislation would also preempt state laws on information security and breach notification.