Covered entities are defined as “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other entity in or affecting commerce that acquires, maintains, stores, sells, or otherwise uses data in electronic form that includes personal information, over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act.” The definition exempts entities covered by the Health Insurance Portability and Accountability Act (HIPAA), as well as those governed by the Gramm-Leach-Bliley Act.
Under the bill, covered entities would be required to give notice of a breach to consumers no later than 30 days after discovery of a breach, unless there is no risk of identity theft or economic harm due to protective measures, such as encryption of data. If the breach affects more than 10,000 people, the affected entity must also notify the Federal Trade Commission (FTC), FBI and Secret Service, as well as the consumer credit reporting agencies. Affected entities may provide notice either through written mail or email.
As with other proposals, enforcement power would be given to the FTC, while state attorneys general would also have the power to bring civil actions in U.S. district court. The bill would preempt all state laws governing data security and breach notification.