National Identity Exposure and Data Breach Reporting Act

Draft Federal Bill: National Identity Exposure and Data Breach Reporting Act

Draft Federal Bill Text

Publication Date: March 3, 2026


SECTION 1. SHORT TITLE.

This Act may be cited as the “National Identity Exposure and Data Breach Reporting Act.”

SECTION 2. FINDINGS AND PURPOSE.

Congress finds the following:

  1. Identity theft, credential compromise, and data breaches represent one of the most pervasive forms of criminal activity affecting individuals and institutions within the United States.
  2. Sensitive personal data belonging to hundreds of millions of Americans has been exposed through cyber intrusions, data breaches, and unlawful dissemination.
  3. Current breach notification systems are fragmented across state statutes, private reporting platforms, and voluntary industry disclosure practices.
  4. Identity monitoring and protection services have emerged as a private industry that alerts consumers to potential compromise of their personal information, yet these alerts are not consistently shared with law enforcement agencies responsible for investigating identity theft and cybercrime.
  5. Effective prevention and prosecution of identity theft and cyber-enabled fraud requires a centralized reporting and analysis system capable of aggregating breach data from private entities and identity protection services.
  6. The Federal Government maintains systems capable of secure digital identity verification, including Login.gov, that may enable individuals to securely access and review exposure of their personal data.
  7. Congress has a responsibility to ensure coordination between private entities and law enforcement agencies to combat identity theft, cybercrime, and organized criminal activity targeting the personal data of Americans.

Purpose.

The purpose of this Act is to establish a centralized federal system for reporting, tracking, and analyzing compromised personal data in order to:

  • improve law enforcement response to identity theft and cybercrime;
  • provide secure tools for individuals to monitor exposure of their personal data; and
  • enhance transparency and oversight of data breach incidents affecting the American public.

SECTION 3. DEFINITIONS.

(1) Personal Identifying Information.

The term “personal identifying information” means any data element that may be used to identify an individual, including but not limited to:

  • Social Security numbers
  • Driver’s license or government identification numbers
  • Passport numbers
  • Financial account numbers
  • Authentication credentials including passwords or tokens
  • Biometric identifiers
  • Email addresses or usernames associated with authentication systems

(2) Covered Entity.

The term “covered entity” means any corporation, partnership, nonprofit organization, or government contractor that stores or processes personal identifying information of more than 10,000 individuals within the United States.

(3) Identity Protection Service.

The term “identity protection service” means any company or organization offering monitoring, alerting, or remediation services related to identity theft, credential exposure, or data breaches.

(4) Data Breach.

The term “data breach” means any unauthorized acquisition, access, or disclosure of personal identifying information.

SECTION 4. ESTABLISHMENT OF NATIONAL IDENTITY EXPOSURE DATABASE.

(a) Establishment.

The Federal Bureau of Investigation, in coordination with the Department of Homeland Security, shall establish and maintain a secure federal system known as the National Identity Exposure Database (NIED).

(b) Administration.

The database shall be operated by the Federal Bureau of Investigation Cyber Division, with technical coordination by the Cybersecurity and Infrastructure Security Agency (CISA).

(c) Purpose.

The database shall collect, store, and analyze information related to:

  • data breaches
  • compromised credentials
  • identity theft incidents
  • dark-web datasets containing personal identifying information
  • related cybercrime indicators

(d) Data Protection.

The system shall employ appropriate safeguards to ensure:

  • encryption of stored data
  • restricted law enforcement access
  • protection against unauthorized disclosure
  • compliance with applicable federal privacy statutes

SECTION 5. MANDATORY REPORTING REQUIREMENTS.

(a) Reporting by Covered Entities.

Any covered entity experiencing a data breach involving personal identifying information of United States residents shall report the breach to the National Identity Exposure Database not later than 72 hours after discovery.

(b) Required Reporting Information.

Reports shall include:

  • Description of the breach
  • Categories of compromised data
  • Estimated number of affected individuals
  • Known or suspected threat actors
  • Datasets or credential lists obtained during incident response

(c) Reporting by Identity Protection Services.

Identity protection services shall report to the database:

  • Datasets identified through dark-web monitoring that contain personal identifying information of U.S. persons
  • Breach information discovered through credential monitoring services
  • Patterns indicating large-scale credential compromise

(d) Law Enforcement Coordination.

Reports submitted under this section shall be made available to authorized federal law enforcement agencies for the purpose of investigating identity theft, cybercrime, and related offenses.

SECTION 6. INDIVIDUAL ACCESS TO PERSONAL DATA EXPOSURE INFORMATION.

(a) Secure Access Portal.

The Department of Homeland Security shall develop a secure consumer access portal allowing individuals to review exposure of their personal identifying information.

(b) Authentication.

Access shall be provided through identity verification using Login.gov or another federally approved authentication system.

(c) Consumer Features.

The portal shall provide:

  • Breach exposure notifications
  • Credential compromise alerts
  • Identity theft reporting tools
  • Links to relevant law enforcement reporting mechanisms

(d) Privacy Protection.

Information presented to individuals shall be limited to data associated with the authenticated identity of the requesting user.

SECTION 7. LAW ENFORCEMENT USE.

Federal law enforcement agencies, including the Federal Bureau of Investigation and the United States Secret Service, shall utilize the National Identity Exposure Database for the purposes of:

  • Identifying organized cybercrime groups
  • Tracking patterns of identity theft and fraud
  • Supporting criminal investigations

The Attorney General may authorize access by additional federal agencies where necessary for cybercrime investigations.

SECTION 8. CONGRESSIONAL OVERSIGHT.

(a) Annual Report.

The Director of the Federal Bureau of Investigation and the Secretary of Homeland Security shall jointly submit an annual report to Congress containing:

  • The number of reported breaches
  • Estimated number of affected individuals
  • Identity theft investigations initiated
  • Trends in cybercrime affecting personal data

(b) Briefings.

The relevant congressional committees shall receive periodic classified briefings regarding:

  • Foreign cyber operations targeting U.S. personal data
  • Organized criminal networks involved in identity theft

SECTION 9. ENFORCEMENT.

(a) Civil Penalties.

Covered entities that fail to comply with reporting requirements may be subject to civil penalties not exceeding:

  • $100,000 per violation; or
  • $10 per affected individual, whichever is greater

(b) Regulatory Authority.

The Federal Trade Commission shall have authority to enforce compliance with this Act.

SECTION 10. RULEMAKING.

The Attorney General, in coordination with the Secretary of Homeland Security and the Director of the Federal Bureau of Investigation, shall issue regulations necessary to implement this Act within 180 days of enactment.

SECTION 11. EFFECTIVE DATE.

The provisions of this Act shall take effect one year after enactment.
