H.R. 1770 would establish a new law to require businesses to take reasonable steps to protect personal information they maintain in electronic form. Further, H.R. 1770 would require those entities, in the event of a breach in their security systems, to notify individuals whose personal information has been accessed and acquired as a result of the breach. Forty-seven states have laws that govern data security; H.R. 1770 would pre-empt many of those statutes. The bill would direct the Federal Trade Commission (FTC) to enforce the rules and authorize the agency to collect civil penalties if those rules are violated.
CBO estimates that implementing H.R. 1770 would cost $1 million over the 2015-2020 period, assuming appropriation of the necessary amounts. In addition, CBO estimates that enacting the bill would increase revenues by $9 million over the 2015-2025 period from the collection of civil penalties; therefore, pay-as-you-go procedures would apply. Enacting H.R. 1770 would not affect direct spending.
H.R. 1770 contains intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates that the cost of complying with the mandates would be small and would not exceed the threshold established in UMRA ($77 million in 2015, adjusted annually for inflation).
H.R. 1770 would impose private-sector mandates as defined in UMRA on businesses and non-profits that possess or manage sensitive personal information and on Internet service providers (ISPs). Because most of those businesses already comply with similar requirements in state laws, CBO estimates that the incremental cost to comply with the mandates in the bill would probably fall below the annual threshold established in UMRA for private-sector mandates ($154 million in 2015, adjusted annually for inflation).