S196-119

2. Strengthening the BOTS Act Section 2 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c) is amended— in subsection (a)(1)— in subparagraph (A), by striking ; or and inserting a semicolon; in subparagraph (B), by striking the period at the end and inserting ; or; and by adding at the end the following new subparagraph: to use or cause to be used an application that performs automated tasks to purchase event tickets from an Internet website or online service in circumvention of posted online ticket purchasing order rules of the Internet website or online service, including a software application that circumvents an access control system, security measure, or other technological control or measure. by redesignating subsections (b) and (c) as subsections (c) and (d), respectively; by inserting after subsection (a) the following new subsection: Each ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall ensure that such website or service has in place an access control system, security measure, or other technological control or measure to enforce posted event ticket purchasing limits. Each ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall establish, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, integrity, or availability of the website or service. In establishing the safeguards described in subparagraph (A), each ticket issuer described in such paragraph shall consider— the administrative, technical, and physical safeguards that are appropriate to the size and complexity of the ticket issuer; the nature and scope of the activities of the ticket issuer; the sensitivity of any customer information at issue; and the range of security risks and vulnerabilities that are reasonably foreseeable or known to the ticket issuer. Where applicable, a ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall implement and maintain procedures to require that any third party or service provider that performs services with respect to the sale of event tickets or has access to data regarding event ticket purchasing on the website or service maintains reasonable administrative, technical, and physical safeguards to protect the security and integrity of the website or service and that data. The procedures implemented and maintained by a ticket issuer in accordance with clause (i) shall include the following: Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue. Requiring service providers by contract to implement and maintain adequate safeguards. Periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. A ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall regularly evaluate and make adjustments to the safeguards described in subparagraph (A) in light of any material changes in technology, internal or external threats to system security, confidentiality, integrity, and availability, and the changing business arrangements or operations of the ticket issuer. A ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall report to the Commission any incidents of circumvention of which the ticket issuer has actual knowledge. Not later than 180 days after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall create a publicly available website (or modify an existing publicly available website of the Commission) to allow individuals to report violations of this subsection to the Commission. A ticket issuer shall report known incidents of circumvention within a reasonable period of time after the incident of circumvention is discovered by the ticket issuer, and in no case later than 30 days after an incident of circumvention is discovered by the ticket issuer. The Commission may establish a reporting mechanism to provide for the automatic submission of reports required under this subsection. The Commission shall— share reports received from ticket issuers under subparagraph (A) with State attorneys general as appropriate; and share consumer complaints submitted through the website established under subparagraph (B) with State attorneys general as appropriate. A ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets must take reasonable steps to improve its access control systems, security measures, and other technological controls or measures to address any incidents of circumvention of which the ticket issuer has actual knowledge. Not later than 1 year after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall publish guidance for ticket issuers on compliance with the requirements of this subsection. in subsection (c), as redesignated by paragraph (1) of this subsection— by striking subsection (a) each place it appears and inserting subsection (a) or (b); in paragraph (2)— in subparagraph (A), by striking The Commission and inserting Except as provided in paragraph (3), the Commission; and in subparagraph (B), by striking Any person and inserting Subject to paragraph (3), any person; and by adding at the end the following new paragraphs: If the Commission has reason to believe that any person has committed a violation of subsection (a) or (b), the Commission may bring a civil action in an appropriate district court of the United States to— recover a civil penalty under paragraph (4); and seek other appropriate relief, including injunctive relief and other equitable relief. Except as otherwise provided in section 16(a)(3) of the Federal Trade Commission Act (15 U.S.C. 56(a)(3)), the Commission shall have exclusive authority to commence or defend, and supervise the litigation of, any civil action authorized under this paragraph and any appeal of such action in its own name by any of its attorneys designated by it for such purpose, unless the Commission authorizes the Attorney General to do so. The Commission shall inform the Attorney General of the exercise of such authority and such exercise shall not preclude the Attorney General from intervening on behalf of the United States in such action and any appeal of such action as may be otherwise provided by law. Any civil penalty or relief sought through a civil action under this paragraph shall be in addition to other penalties and relief as may be prescribed by law. Any person who violates subsection (a) or (b) shall be liable for— a civil penalty of not less than $10,000 for each day during which the violation occurs or continues to occur; and an additional civil penalty of not less than $1,000 per violation. In addition to the civil penalties under subparagraph (A), a person that intentionally violates subsection (a) or (b) shall be liable for a civil penalty of not less than $10,000 per violation. in subsection (d), as redesignated by paragraph (1) of this subsection, by striking subsection (a) each place it appears and inserting subsection (a) or (b); and by adding at the end the following new subsections: The Federal Bureau of Investigation, the Department of Justice, and other relevant State or local law enforcement officials shall coordinate as appropriate with the Commission to share information about known instances of cyberattacks on security measures, access control systems, or other technological controls or measures on an Internet website or online service that are used by ticket issuers to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules. Such coordination may include providing information about ongoing investigations but may exclude classified information or information that could compromise a law enforcement or national security effort, as appropriate. In this paragraph, the term cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of— disrupting, disabling, destroying, or maliciously controlling a computing environment or computing infrastructure; or destroying the integrity of data or stealing controlled information. Not later than 1 year after the date of enactment of this paragraph, the Commission shall report to Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives on the status of enforcement actions taken pursuant to this Act, as well as any identified limitations to the Commission’s ability to pursue incidents of circumvention described in subsection (a)(1)(A). Section 3 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at the end the following new paragraph: The term circumvention means the act of avoiding, bypassing, removing, deactivating, or otherwise impairing an access control system, security measure, safeguard, or other technological control or measure described in section 2(b)(1). (C)to use or cause to be used an application that performs automated tasks to purchase event tickets from an Internet website or online service in circumvention of posted online ticket purchasing order rules of the Internet website or online service, including a software application that circumvents an access control system, security measure, or other technological control or measure.; (b)Requiring online ticket issuers To put in place site policies and establish safeguards To protect site security(1)Requirement to enforce site policiesEach ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall ensure that such website or service has in place an access control system, security measure, or other technological control or measure to enforce posted event ticket purchasing limits.(2)Requirement to establish site security safeguards(A)In generalEach ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall establish, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, integrity, or availability of the website or service. (B)ConsiderationsIn establishing the safeguards described in subparagraph (A), each ticket issuer described in such paragraph shall consider—(i)the administrative, technical, and physical safeguards that are appropriate to the size and complexity of the ticket issuer; (ii)the nature and scope of the activities of the ticket issuer;(iii)the sensitivity of any customer information at issue; and(iv)the range of security risks and vulnerabilities that are reasonably foreseeable or known to the ticket issuer.(C)Third parties and service providers(i)In generalWhere applicable, a ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall implement and maintain procedures to require that any third party or service provider that performs services with respect to the sale of event tickets or has access to data regarding event ticket purchasing on the website or service maintains reasonable administrative, technical, and physical safeguards to protect the security and integrity of the website or service and that data. (ii)Oversight procedure requirementsThe procedures implemented and maintained by a ticket issuer in accordance with clause (i) shall include the following:(I)Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue.(II)Requiring service providers by contract to implement and maintain adequate safeguards.(III)Periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. (D)UpdatesA ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall regularly evaluate and make adjustments to the safeguards described in subparagraph (A) in light of any material changes in technology, internal or external threats to system security, confidentiality, integrity, and availability, and the changing business arrangements or operations of the ticket issuer. (3)Requirement to report incidents of circumvention; consumer complaints(A)In generalA ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall report to the Commission any incidents of circumvention of which the ticket issuer has actual knowledge.(B)Consumer complaint websiteNot later than 180 days after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall create a publicly available website (or modify an existing publicly available website of the Commission) to allow individuals to report violations of this subsection to the Commission. (C)Reporting timeline and process(i)TimelineA ticket issuer shall report known incidents of circumvention within a reasonable period of time after the incident of circumvention is discovered by the ticket issuer, and in no case later than 30 days after an incident of circumvention is discovered by the ticket issuer.(ii)Automated submissionThe Commission may establish a reporting mechanism to provide for the automatic submission of reports required under this subsection.(iii)Coordination with state attorneys generalThe Commission shall—(I)share reports received from ticket issuers under subparagraph (A) with State attorneys general as appropriate; and(II)share consumer complaints submitted through the website established under subparagraph (B) with State attorneys general as appropriate.(4)Duty to address causes of circumventionA ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets must take reasonable steps to improve its access control systems, security measures, and other technological controls or measures to address any incidents of circumvention of which the ticket issuer has actual knowledge.(5)FTC guidanceNot later than 1 year after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall publish guidance for ticket issuers on compliance with the requirements of this subsection.; (3)Civil action(A)In generalIf the Commission has reason to believe that any person has committed a violation of subsection (a) or (b), the Commission may bring a civil action in an appropriate district court of the United States to—(i)recover a civil penalty under paragraph (4); and(ii)seek other appropriate relief, including injunctive relief and other equitable relief.(B)Litigation authorityExcept as otherwise provided in section 16(a)(3) of the Federal Trade Commission Act (15 U.S.C. 56(a)(3)), the Commission shall have exclusive authority to commence or defend, and supervise the litigation of, any civil action authorized under this paragraph and any appeal of such action in its own name by any of its attorneys designated by it for such purpose, unless the Commission authorizes the Attorney General to do so. The Commission shall inform the Attorney General of the exercise of such authority and such exercise shall not preclude the Attorney General from intervening on behalf of the United States in such action and any appeal of such action as may be otherwise provided by law.(C)Rule of constructionAny civil penalty or relief sought through a civil action under this paragraph shall be in addition to other penalties and relief as may be prescribed by law. (4)Civil penalties(A)In generalAny person who violates subsection (a) or (b) shall be liable for—(i)a civil penalty of not less than $10,000 for each day during which the violation occurs or continues to occur; and(ii)an additional civil penalty of not less than $1,000 per violation.(B)Enhanced civil penalty for intentional violationsIn addition to the civil penalties under subparagraph (A), a person that intentionally violates subsection (a) or (b) shall be liable for a civil penalty of not less than $10,000 per violation.; (e)Law enforcement coordination(1)In generalThe Federal Bureau of Investigation, the Department of Justice, and other relevant State or local law enforcement officials shall coordinate as appropriate with the Commission to share information about known instances of cyberattacks on security measures, access control systems, or other technological controls or measures on an Internet website or online service that are used by ticket issuers to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules. Such coordination may include providing information about ongoing investigations but may exclude classified information or information that could compromise a law enforcement or national security effort, as appropriate.(2)Cyberattack definedIn this paragraph, the term cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of— (A)disrupting, disabling, destroying, or maliciously controlling a computing environment or computing infrastructure; or(B)destroying the integrity of data or stealing controlled information.(f)Congressional reportNot later than 1 year after the date of enactment of this paragraph, the Commission shall report to Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives on the status of enforcement actions taken pursuant to this Act, as well as any identified limitations to the Commission’s ability to pursue incidents of circumvention described in subsection (a)(1)(A).. (4)CircumventionThe term circumvention means the act of avoiding, bypassing, removing, deactivating, or otherwise impairing an access control system, security measure, safeguard, or other technological control or measure described in section 2(b)(1). .

1. Short title This Act may be cited as the Mitigating Automated Internet Networks for Event Ticketing Act or the MAIN Event Ticketing Act.

2. Strengthening the BOTS Act Section 2 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c) is amended— in subsection (a)(1)— in subparagraph (A)— by inserting online before ticket issuer; and by striking ; or and inserting a semicolon; in subparagraph (B), by striking the period at the end and inserting ; or; and by adding at the end the following new subparagraph: to use or cause to be used an application, including a software application, that performs automated tasks to purchase event tickets from an Internet website or online service used by an online ticket issuer through the circumvention of an access control system, security measure, or other technological control or measure used by such Internet website or online service to enforce posted online ticket purchasing order rules of the Internet website or online service. by redesignating subsections (b) and (c) as subsections (c) and (d), respectively; by inserting after subsection (a) the following new subsection: Each online ticket issuer shall— establish, implement, and maintain an access control system, security measure, or other technological control or measure to enforce posted event ticket purchasing limits and to maintain the integrity of posted online ticket purchasing order rules; and regularly evaluate and make adjustments, as necessary, to such an access control system, security measure, or other technological control or measure in light of any material changes in technology, internal or external threats to system security, and the changing business arrangements or operations of the ticket issuer. Each online ticket issuer shall report to the Commission any incidents of circumvention of which the ticket issuer has actual knowledge not later than 30 days after the incident of circumvention is discovered by the online ticket issuer. The Commission may establish a reporting mechanism to provide for the electronic submission of reports required by subparagraph (A). The Commission shall share with State attorneys general, as appropriate— any report received from online ticket issuers under subparagraph (A); and consumer complaints related to any violation of this subsection that are submitted through the Commission’s website. Each online ticket issuer shall take reasonable steps to improve its access control systems, security measures, and other technological controls or measures to address any known or reasonably foreseeable risks connected to incidents of circumvention. Not later than 1 year after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall publish guidance for online ticket issuers regarding compliance with the requirements of this subsection. in subsection (c), as redesignated by paragraph (2) of this subsection— by striking subsection (a) each place it appears and inserting subsection (a) or (b); and by adding at the end the following new paragraph: No guidance issued by the Commission with respect to this Act shall confer any rights on any person, State, or locality, nor shall operate to bind the Commission or any person to the approach recommended in such guidance. In any enforcement action brought pursuant to this Act, the Commission— shall allege a specific violation of a provision of this Act; and may not base an enforcement action on, or execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this Act. in subsection (d), as redesignated by paragraph (2) of this subsection, by striking subsection (a) each place it appears and inserting subsection (a) or (b); and by adding at the end the following new subsections: The Federal Bureau of Investigation, the Attorney General, and other relevant State or local law enforcement officials shall coordinate as appropriate with the Commission to share information about any known instance of a cyberattack on a security measure, access control system, or other technological control or measure on an Internet website or online service that is used by an online ticket issuer to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules. Such coordination may include providing information about ongoing investigations, but may exclude classified information or information that could compromise a law enforcement or national security effort, as appropriate. In this paragraph, the term cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of— disrupting, disabling, destroying, or maliciously controlling a computing environment or computing infrastructure; or destroying the integrity of data or stealing controlled information. Not later than 1 year after the date of enactment of this paragraph, the Commission shall report to Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives on the status of any enforcement action taken pursuant to this Act, as well as any identified limitations to the Commission’s ability to pursue incidents of circumvention described in subsection (a)(1)(A). Section 3 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at the end the following new paragraphs: The term circumvention means the act of avoiding, bypassing, removing, deactivating, or otherwise impairing an access control system, security measure, safeguard, or other technological control or measure described in section 2. The term online ticket issuer means a ticket issuer that owns or operates an Internet website or online service that, in the regular course of trade or business of the issuer, facilitates or executes the sale of event tickets to the general public. (C)to use or cause to be used an application, including a software application, that performs automated tasks to purchase event tickets from an Internet website or online service used by an online ticket issuer through the circumvention of an access control system, security measure, or other technological control or measure used by such Internet website or online service to enforce posted online ticket purchasing order rules of the Internet website or online service.; (b)Requiring online ticket issuers to enforce site policies(1)Requirement to enforce and update site policiesEach online ticket issuer shall—(A)establish, implement, and maintain an access control system, security measure, or other technological control or measure to enforce posted event ticket purchasing limits and to maintain the integrity of posted online ticket purchasing order rules; and(B)regularly evaluate and make adjustments, as necessary, to such an access control system, security measure, or other technological control or measure in light of any material changes in technology, internal or external threats to system security, and the changing business arrangements or operations of the ticket issuer.(2)Requirement to report incidents of circumvention; consumer complaints(A)In generalEach online ticket issuer shall report to the Commission any incidents of circumvention of which the ticket issuer has actual knowledge not later than 30 days after the incident of circumvention is discovered by the online ticket issuer. (B)Electronic submissionThe Commission may establish a reporting mechanism to provide for the electronic submission of reports required by subparagraph (A).(C)Coordination with State attorneys generalThe Commission shall share with State attorneys general, as appropriate—(i)any report received from online ticket issuers under subparagraph (A); and(ii)consumer complaints related to any violation of this subsection that are submitted through the Commission’s website.(3)Requirement to address known causes of circumventionEach online ticket issuer shall take reasonable steps to improve its access control systems, security measures, and other technological controls or measures to address any known or reasonably foreseeable risks connected to incidents of circumvention.(4)Commission guidanceNot later than 1 year after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall publish guidance for online ticket issuers regarding compliance with the requirements of this subsection.; (3)Limitation on Commission guidance(A)In generalNo guidance issued by the Commission with respect to this Act shall confer any rights on any person, State, or locality, nor shall operate to bind the Commission or any person to the approach recommended in such guidance. (B)Specific allegationsIn any enforcement action brought pursuant to this Act, the Commission—(i)shall allege a specific violation of a provision of this Act; and(ii)may not base an enforcement action on, or execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this Act.; (e)Law enforcement coordination(1)In generalThe Federal Bureau of Investigation, the Attorney General, and other relevant State or local law enforcement officials shall coordinate as appropriate with the Commission to share information about any known instance of a cyberattack on a security measure, access control system, or other technological control or measure on an Internet website or online service that is used by an online ticket issuer to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules. Such coordination may include providing information about ongoing investigations, but may exclude classified information or information that could compromise a law enforcement or national security effort, as appropriate.(2)Cyberattack definedIn this paragraph, the term cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of—(A)disrupting, disabling, destroying, or maliciously controlling a computing environment or computing infrastructure; or(B)destroying the integrity of data or stealing controlled information.(f)Congressional reportNot later than 1 year after the date of enactment of this paragraph, the Commission shall report to Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives on the status of any enforcement action taken pursuant to this Act, as well as any identified limitations to the Commission’s ability to pursue incidents of circumvention described in subsection (a)(1)(A).. (4)CircumventionThe term circumvention means the act of avoiding, bypassing, removing, deactivating, or otherwise impairing an access control system, security measure, safeguard, or other technological control or measure described in section 2.(5)Online ticket issuerThe term online ticket issuer means a ticket issuer that owns or operates an Internet website or online service that, in the regular course of trade or business of the issuer, facilitates or executes the sale of event tickets to the general public..