HR 135

Cyber Privacy Fortification Act of 2017


2 out of 5

01/12/2017: Referred to the Subcommittee on Regulatory Reform, Commercial And Antitrust Law

A bad bill that has some good elements mixed in. The bill has three parts. The first part imposes criminal penalties for failing to report security breaches that involve sensitive personally-identifiable information. The second part expands the authority of state or federal attorneys general to sue companies that violate federal cybersecurity laws, and recover civil penalties. The third part requires federal agencies to assess the privacy implications of their rules. The first or second parts are what make this bill generally bad, but we would consider a higher score if those parts were ever removed.

Link to Bill Text →

Visit the Action Center


The third provision stating agencies should be encouraged to do a privacy assessment when considering rules is positive and agreeable.


Criminal penalties and large civil penalties for data breaches not reported to the government and civil penalties for failure to comply with cybersecurity requirements promulgated after this bill becomes law are terrible policy intended to incite fear.

  • Privacy,
  • United States