Data Security and Breach Notification Act of 2015

[AI summary unavailable — showing source text] Data Security and Breach Notification Act of 2015 Requires the Federal Trade Commission (FTC) to promulgate regulations requiring commercial entities, nonprofit and for-profit corporations, estates, trusts, cooperatives, and other specified entities that own or possess data containing personal information (covered entities), or that contract to have a third-party maintain or process such data for the entity, to implement information security policies and procedures for the treatment and protection of personal information. Establishes procedures to be followed in the event of an information security breach. Requires a covered entity that discovers a breach to notify the FTC (unless the covered entity has already notified a federal entity designated by the Department of Homeland Security [DHS] to receive such information) and affected individuals. Sets forth requirements concerning such notification, including methods of notification and timeliness requirements. Allows an exemption from notification requirements if such entity reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct. Establishes a presumption that there is no such risk…