
Text of the Financial Data Protection Act of 2006 (H.R. 3997)

This bill was introduced on October 6, 2005, in a previous session of Congress, but was not enacted. The text of the bill below is as of June 2, 2006 (Reported by House Committee).


Source: GPO

HR 3997 RH

Union Calendar No. 269

109th CONGRESS

2d Session

H. R. 3997

[Report No. 109-454, Parts I and II]

To amend the Fair Credit Reporting Act to provide for secure financial data, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

October 6, 2005

Mr. LATOURETTE (for himself, Ms. HOOLEY, Mr. CASTLE, Ms. PRYCE of Ohio, and Mr. MOORE of Kansas) introduced the following bill; which was referred to the Committee on Financial Services

May 4, 2006

Reported with an amendment and referred to the Committee on Energy and Commerce for a period ending not later than June 2, 2006, for consideration of such provisions of the bill and amendment as fall within the jurisdiction of that committee pursuant to clause 1(f), rule X

[Strike out all after the enacting clause and insert the part printed in italic]

June 2, 2006

Additional sponsors: Mr. KENNEDY of Minnesota, Ms. HARRIS, Mr. JONES of North Carolina, Mr. GILLMOR, Mr. TIBERI, Mr. RENZI, Mrs. BIGGERT, Mr. PEARCE, Mr. NEY, Mr. SHAYS, Mr. PRICE of Georgia, Mr. SCOTT of Georgia, Ms. BEAN, Mr. MCHUGH, Mr. CLEAVER, Mr. WOLF, Mr. MCCOTTER, Mr. FOLEY, Mr. HINOJOSA, and Mr. HOLDEN

June 2, 2006

Reported from the Committee on Energy and Commerce with amendments; committed to the Committee of the Whole House on the State of the Union and ordered to be printed

[Strike out all after the enacting clause and insert the part printed in boldface roman]

[For text of introduced bill, see copy of bill as introduced on October 6, 2005]


A BILL

To amend the Fair Credit Reporting Act to provide for secure financial data, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; FINDINGS.

    (a) Short Title- This Act may be cited as the `Financial Data Protection Act of 2006'.

    (b) Findings- The Congress finds as follows:

      (1) Protecting the security of sensitive information relating to consumers is important to limiting account fraud and identity theft.

      (2) While the Gramm-Leach-Bliley Act requires financial institutions to protect the security and confidentiality of the nonpublic personal information of the customers of financial institutions, the scope of covered entities and type of information needs to be broadened to fully protect consumers.

      (3) Some Federal agencies have issued model guidance under the Gramm-Leach-Bliley Act requiring banks to investigate and provide notice to customers of breaches of data security involving customer information that could lead to account fraud or identity theft, but these standards need to be broadened to apply to other entities acting as consumer reporters, in order to create a single, uniform data security standard that applies to all parties to transactions involving such financial information.

      (4) Requiring all consumer reporters handling sensitive financial personal information to provide notice to consumers of data security breaches that are likely to result in harm or inconvenience will help consumers protect themselves and mitigate against the risk of identity theft or account fraud.

      (5) Therefore, all consumer reporters should--

        (A) protect sensitive financial personal information;

        (B) investigate potential data security breaches;

        (C) provide breach notices as appropriate to the United States Secret Service, functional regulators, involved third parties, and consumers;

        (D) restore the security of the information and improve safeguards after a breach; and

        (E) provide consumers free file monitoring where appropriate to reduce the risk of identity theft.

SEC. 2. DATA SECURITY SAFEGUARDS.

    (a) In General- As set forth in section 630 of the Fair Credit Reporting Act, as amended by this Act, in the event a consumer reporter becomes aware of information suggesting a breach of data security, such consumer reporter shall immediately conduct an investigation, and notify authorities and consumers as appropriate.

    (b) FCRA Data Security Amendment- The Fair Credit Reporting Act (15 U.S.C. 1681) is amended by adding at the end the following new section:

`SEC. 630. DATA SECURITY SAFEGUARDS.

    `(a) Protection of Sensitive Financial Personal Information-

      `(1) DATA SECURITY OBLIGATION POLICY- It is the policy of the Congress that each consumer reporter has an affirmative and continuing obligation to protect the security and confidentiality of sensitive financial personal information.

      `(2) SECURITY POLICIES AND PROCEDURES- Each consumer reporter shall have an affirmative obligation to implement, and a continuing obligation to maintain, reasonable policies and procedures to protect the security and confidentiality of sensitive financial personal information relating to any consumer that is handled by such consumer reporter against any loss, unauthorized access, or misuse that is reasonably likely to result in harm or inconvenience to such consumer.

      `(3) DATA DESTRUCTION AND DATA DISPOSAL POLICIES AND PROCEDURES- The policies and procedures described in paragraph (2) shall include providing for the proper disposal of sensitive financial personal information in accordance with the standards, guidelines, or regulations issued pursuant to this title.

    `(b) Investigation Requirements-

      `(1) INVESTIGATION TRIGGER- A consumer reporter shall immediately conduct a data security breach investigation if it--

        `(A) becomes aware of any information indicating a reasonable likelihood that a data security breach has occurred or is unavoidable;

        `(B) becomes aware of information indicating an unusual pattern of misuse of sensitive financial personal information handled by a consumer reporter indicative of financial fraud; or

        `(C) receives a notice under subsection (e).

      `(2) SCOPE OF INVESTIGATION- Such investigation shall be conducted in a manner commensurate with the nature and the amount of the sensitive financial personal information that is subject to the breach of data security, including appropriate actions to--

        `(A) assess the nature and scope of the potential breach;

        `(B) identify the sensitive financial personal information potentially involved;

        `(C) determine whether such information is usable by the parties causing the breach; and

        `(D) determine the likelihood that such information has been, or will be, misused in a manner that may cause harm or inconvenience to the related consumer.

      `(3) ENCRYPTION AND OTHER SAFEGUARDS-

        `(A) SUGGESTED SAFEGUARDS- The regulators described in subsection (k)(1) shall jointly develop standards and guidelines to identify and regularly update appropriate technology safeguards for making a consumer reporter's sensitive financial personal information unusable in a manner commensurate with the nature and the amount of such information, including--

          `(i) consideration of the encryption standards adopted by the National Institute of Standards and Technology for use by the Federal Government; and

          `(ii) appropriate management and protection of keys or codes necessary to protect the integrity of encrypted information.

        `(B) SAFEGUARD FACTORS- In determining the likelihood of a data security breach, a consumer reporter may consider whether the information subject to the potential breach is unusable because it is encrypted, redacted, requires technology to use that is not generally commercially available, or has otherwise similarly been rendered unreadable.

        `(C) SAFE HARBOR FOR PROTECTED DATA- As set forth in the standards and guidelines issued pursuant to subparagraph (A), a consumer reporter may reasonably conclude that a data security breach is not likely to have occurred where the sensitive financial personal information involved has been encrypted, redacted, requires technology to use that is not generally commercially available, or is otherwise unlikely to be usable.

        `(D) EXCEPTION- Subparagraphs (B) and (C) shall not apply if the consumer reporter becomes aware of information that would reasonably indicate that the information that was the subject of the potential breach is usable by the entities causing the breach or potentially misusing the information, for example because--

          `(i) an encryption code is potentially compromised;

          `(ii) the entities are believed to have the technology to access the information; or

          `(iii) there is an unusual pattern of misuse of such information indicative of financial fraud.

    `(c) Breach Notices- If a consumer reporter determines that a breach of data security has occurred, is likely to have occurred, or is unavoidable, the consumer reporter shall in the order listed--

      `(1) promptly notify the United States Secret Service;

      `(2) promptly notify the appropriate functional regulatory agency for the consumer reporter;

      `(3) notify as appropriate and without unreasonable delay--

        `(A) any third party entity that owns or is obligated on an affected financial account as set forth in the standards or guidelines pursuant to subsection (k)(1)(G), including in such notification information reasonably identifying the nature and scope of the breach and the sensitive financial personal information involved; and

        `(B) any other appropriate critical third parties whose involvement is necessary to investigate the breach; and

      `(4) without unreasonable delay notify any affected consumers to the extent required in subsection (f), as well as--

        `(A) each nationwide consumer reporting agency, in the case of a breach involving sensitive financial identity information relating to 1,000 or more consumers; and

        `(B) any other appropriate critical third parties who will be required to undertake further action with respect to such information to protect such consumers from resulting fraud or identity theft.

    `(d) System Restoration Requirements- If a consumer reporter determines that a breach of data security has occurred, is likely to have occurred, or is unavoidable, the consumer reporter shall take prompt and reasonable measures to--

      `(1) repair the breach and restore the security and confidentiality of the sensitive financial personal information involved to limit further unauthorized misuse of such information; and

      `(2) restore the integrity of the consumer reporter's data security safeguards and make appropriate improvements to its data security policies and procedures.

    `(e) Third Party Duties-

      `(1) COORDINATED INVESTIGATION- Whenever any consumer reporter that handles sensitive financial personal information for or on behalf of another party becomes aware that an investigation is required under subsection (b) with respect to such information, the consumer reporter shall--

        `(A) promptly notify the other party of the breach;

        `(B) conduct a coordinated investigation with the other party as described in subsection (b); and

        `(C) ensure that the appropriate notices are provided as required under subsection (f).

      `(2) CONTRACTUAL OBLIGATION REQUIRED- No consumer reporter may provide sensitive financial personal information to a third party, unless such third party agrees to fulfill the obligations imposed by subsections (a), (d), and (h), as well as that whenever the third party becomes aware that a breach of data security has occurred, is reasonably likely to have occurred, or is unavoidable, with respect to such information, the third party shall be obligated--

        `(A) to provide notice of the potential breach to the consumer reporter;

        `(B) to conduct a coordinated investigation with the consumer reporter to identify the sensitive financial personal information involved and determine if the potential breach is reasonably likely to result in harm or inconvenience to any consumer to whom the information relates; and

        `(C) provide any notices required under this section, except to the extent that such notices are provided by the consumer reporter in a manner meeting the requirements of this section.

    `(f) Consumer Notice-

      `(1) POTENTIAL IDENTITY THEFT RISK AND FRAUDULENT TRANSACTION RISK- A consumer reporter shall provide a consumer notice if, at any point the consumer reporter becomes aware--

        `(A) that a breach of data security is reasonably likely to have occurred or be unavoidable, with respect to sensitive financial personal information handled by the consumer reporter;

        `(B) of information reasonably identifying the nature and scope of the breach; and

        `(C) that such information is reasonably likely to have been or to be misused in a manner causing harm or inconvenience against the consumers to whom such information relates to--

          `(i) commit identity theft if the information is sensitive financial identity information, or

          `(ii) make fraudulent transactions on such consumers' financial accounts if the information is sensitive financial account information.

      `(2) SECURITY PROGRAM SAFEGUARDS AND REGULATIONS-

        `(A) STANDARDS FOR SAFEGUARDS- The regulators described in subsection (k)(1) shall issue guidelines relating to the types of sophisticated neural networks and security programs that are likely to detect fraudulent account activity and at what point detection of such activity is sufficient to avoid consumer notice under this subsection.

        `(B) ALTERNATIVE SAFEGUARDS- In determining the likelihood of misuse of sensitive financial account information and whether a notice is required under paragraph (1), the consumer reporter may additionally consider--

          `(i) consistent with any standards promulgated under subparagraph (A), whether any neural networks or security programs used by, or on behalf of, the consumer reporter have detected, or are likely to detect on an ongoing basis over a reasonable period of time, fraudulent transactions resulting from the breach of data security; or

          `(ii) whether no harm or inconvenience is reasonably likely to have occurred, because for example the related consumer account has been closed or its number has been changed.

      `(3) COORDINATION WITH THE FAIR DEBT COLLECTION PRACTICES ACT- The provision of a notice to the extent such notice and its contents are required under this section shall not be considered a communication under the Fair Debt Collection Practices Act.

      `(4) COORDINATION OF CONSUMER NOTICE DATABASE-

        `(A) IN GENERAL- The Commission shall coordinate with the other government entities identified in this section to create a publicly available list of data security breaches that have triggered a notice to consumers under this subsection within the last 12 months.

        `(B) LISTED INFORMATION- The publicly available list described in subparagraph (A) shall include the following:

          `(i) The identity of the party responsible that suffered the breach.

          `(ii) A general description of the nature and scope of the breach.

          `(iii) Any financial fraud mitigation or other services provided by such party to the affected consumers, including the telephone number and other appropriate contact information for accessing such services.

    `(g) Timing, Content, and Manner of Notices-

      `(1) DELAY OF NOTICE FOR LAW ENFORCEMENT PURPOSES- If a consumer reporter receives a written request from an appropriate law enforcement agency indicating that the provision of a notice under subsection (c)(3) or (f) would impede a criminal or civil investigation by that law enforcement agency, or an oral request from an appropriate law enforcement agency indicating that such a written request will be provided within 2 business days--

        `(A) the consumer reporter shall delay, or in the case of a foreign law enforcement agency may delay, providing such notice until--

          `(i) the law enforcement agency informs the consumer reporter that such notice will no longer impede the investigation; or

          `(ii) the law enforcement agency fails to--

            `(I) provide within 10 days a written request to continue such delay for a specific time that is approved by a court of competent jurisdiction; or

            `(II) in the case of an oral request for a delay, provide a written request within 2 business days, and if such delay is requested for more than 10 additional days, such request must be approved by a court of competent jurisdiction; and

        `(B) the consumer reporter may--

          `(i) conduct appropriate security measures that are not inconsistent with such request; and

          `(ii) contact such law enforcement agency to determine whether any such inconsistency would be created by such measures.

      `(2) HOLD HARMLESS PROVISION- A consumer reporter shall not be liable for any fraud mitigation costs or for any losses that would not have occurred but for notice to or the provision of sensitive financial personal information to law enforcement, or the delay provided for under this subsection, except that--

        `(A) nothing in this subparagraph shall be construed as creating any inference with respect to the establishment or existence of any such liability; and

        `(B) this subparagraph shall not apply if the costs or losses would not have occurred had the consumer reporter undertaken reasonable system restoration requirements to the extent required under subsection (d), or other similar provision of law, except to the extent that such system restoration was delayed at the request of law enforcement.

      `(3) CONTENT OF CONSUMER NOTICE- Any notice required to be provided by a consumer reporter to a consumer under subsection (f)(1), and any notice required in accordance with subsection (e)(2)(A), shall be provided in a standardized transmission or exclusively colored envelope, and shall include the following in a clear and conspicuous manner:

        `(A) An appropriate heading or notice title.

        `(B) A description of the nature and types of information and accounts as appropriate that were, or are reasonably believed to have been, subject to the breach of data security.

        `(C) A statement identifying the party responsible, if known, that suffered the breach, including an explanation of the relationship of such party to the consumer.

        `(D) If known, the date, or the best reasonable approximation of the period of time, on or within which sensitive financial personal information related to the consumer was, or is reasonably believed to have been, subject to a breach.

        `(E) A general description of the actions taken by the consumer reporter to restore the security and confidentiality of the breached information.

        `(F) A telephone number by which a consumer to whom the breached information relates may call free of charge to obtain additional information about how to respond to the breach.

        `(G) With respect to notices involving sensitive financial identity information, a copy of the summary of rights of consumer victims of fraud or identity theft prepared by the Commission under section 609(d), as well as any additional appropriate information on how the consumer may--

          `(i) obtain a copy of a consumer report free of charge in accordance with section 612;

          `(ii) place a fraud alert in any file relating to the consumer at a consumer reporting agency under section 605A to discourage unauthorized use; and

          `(iii) contact the Commission for more detailed information.

        `(H) With respect to notices involving sensitive financial identity information, a prominent statement in accordance with subsection (h) that file monitoring will be made available to the consumer free of charge for a period of not less than six months, together with a telephone number for requesting such services, and may also include such additional contact information as a mailing address, e-mail, or Internet website address.

        `(I) The approximate date the notice is being issued.

      `(4) OTHER TRANSMISSION OF NOTICE- The notice described in paragraph (3) may be made by other means of transmission (such as electronic or oral) to a consumer only if--

        `(A) the consumer has affirmatively consented to such use, has not withdrawn such consent, and with respect to electronic transmissions is provided with the appropriate statements related to such consent as described in section 101(c)(1) of the Electronic Signatures in Global and National Commerce Act; and

        `(B) all of the relevant information in paragraph (3) is communicated to such consumer in such transmission.

      `(5) DUPLICATIVE NOTICES-

        `(A) IN GENERAL- A consumer reporter, whether acting directly or in coordination with another entity--

          `(i) shall not be required to provide more than 1 notice with respect to any breach of data security to any affected consumer, so long as such notice meets all the applicable requirements of this section, and

          `(ii) shall not be required to provide a notice with respect to any consumer if a notice meeting the applicable requirements of this section has already been provided to such consumer by another entity.

        `(B) UPDATING NOTICES- If a consumer notice is provided to consumers pursuant only to subsection (f)(1)(C)(ii) (relating to sensitive financial account information), and the consumer reporter subsequently becomes aware of a reasonable likelihood that sensitive financial personal information involved in the breach is being misused in a manner causing harm or inconvenience against such consumer to commit identity theft, an additional notice shall be provided to such consumers as well as any other appropriate parties under this section, including a copy of the Commission's summary of rights and file monitoring mitigation instructions under subparagraphs (G) and (H) of paragraph (3).

      `(6) RESPONSIBILITY AND COSTS-

        `(A) IN GENERAL- Except as otherwise established by written agreement between the consumer reporter and its agents or third party servicers, the entity that suffered a breach of data security shall be--

          `(i) primarily responsible for providing any consumer notices and file monitoring required under this section with respect to such breach; and

          `(ii) responsible for the reasonable actual costs of any notices provided under this section.

        `(B) IDENTIFICATION TO CONSUMERS- No such agreement shall restrict the ability of a consumer reporter to identify the entity responsible for the breach to consumers.

        `(C) NO CHARGE TO CONSUMERS- The cost for the notices and file monitoring described in subparagraph (A) may not be charged to the related consumers.

    `(h) Financial Fraud Mitigation-

      `(1) FREE FILE MONITORING- Any consumer reporter that is required to provide notice to a consumer under subsection (f)(1)(C)(i), or that is deemed to be in compliance with such requirement by operation of subsection (j), if requested by the consumer before the end of the 90-day period beginning on the date of such notice, shall make available to the consumer, free of charge and for at least a 6-month period--

        `(A) a service that monitors nationwide credit activity regarding a consumer from a consumer reporting agency described in section 603(p); or

        `(B) a service that provides identity-monitoring to consumers on a nationwide basis that meets the guidelines described in paragraph (2).

      `(2) IDENTITY MONITORING NETWORKS- The regulators described in subsection (k)(1) shall issue guidelines on the type of identity monitoring networks that are likely to detect fraudulent identity activity regarding a consumer on a nationwide basis and would satisfy the requirements of paragraph (1).

      `(3) JOINT RULEMAKING FOR SAFE HARBOR- In accordance with subsection (j), the Secretary of the Treasury, the Board of Governors of the Federal Reserve System, and the Commission shall jointly develop standards and guidelines, which shall be issued by all functional regulatory agencies, that, in any case in which--

        `(A) free file monitoring is offered under paragraph (1) to a consumer;

        `(B) subsequent to the offer, another party misuses sensitive financial identity information on the consumer obtained through the breach of data security (that gave rise to such offer) to commit identity theft against the consumer; and

        `(C) at the time of such breach the consumer reporter met the requirements of subsections (a) and (d),

      exempts the consumer reporter from any liability for any harm to the consumer resulting from such misuse, other than any direct pecuniary loss or loss pursuant to agreement by the consumer reporter, except that nothing in this paragraph shall be construed as creating any inference with respect to the establishment or existence of any such liability.

    `(i) Credit Security Freeze-

      `(1) DEFINITIONS- For purposes of this subsection, the following definitions shall apply:

        `(A) SECURITY FREEZE- The term `security freeze' means a notice placed in a credit report on a consumer, at the request of the consumer who is a victim of identity theft, that prohibits the consumer reporting agency from releasing all or any part of the credit report, without the express authorization of the consumer, except as otherwise provided in this section.

        `(B) REVIEWING THE ACCOUNT; ACCOUNT REVIEW- The terms `reviewing the account' and `account review' include activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

      `(2) REQUEST FOR A SECURITY FREEZE-

        `(A) IN GENERAL- A consumer who has been the victim of identity theft may place a security freeze on the file of such consumer at any consumer reporting agency by--

          `(i) making a request in writing by certified mail to the consumer reporting agency;

          `(ii) submitting an identity theft report to the consumer reporting agency; and

          `(iii) providing such evidence of the identity of the consumer as such consumer reporting agency may require under paragraph (5).

        `(B) PROMPT IMPOSITION OF FREEZE- A consumer reporting agency shall place a security freeze on a credit report on a consumer no later than 5 business days after receiving a written request from the consumer in accordance with subparagraph (A).

        `(C) EFFECT OF FREEZE-

          `(i) IN GENERAL- Except as otherwise provided in this subsection, if a security freeze is in place with respect to any consumer, information from the consumer's credit report may not be released by the consumer reporting agency or reseller to any third party, including another consumer reporting agency or reseller, without the prior express authorization from the consumer or as otherwise permitted in this section.

          `(ii) ADVISING OF EXISTENCE OF SECURITY FREEZE- Clause (i) shall not be construed as preventing a consumer reporting agency or reseller from advising a third party that a security freeze is in effect with respect to the credit report on the consumer.

        `(D) CONFIRMATION OF FREEZE; ACCESS CODE- Any consumer reporting agency that receives a consumer request for a security freeze in accordance with subparagraph (A) shall--

          `(i) send a written confirmation of the security freeze to the consumer within 10 business days of placing the freeze; and

          `(ii) at the same time, provide the consumer with a unique personal identification number or password (other than the Social Security account number of any consumer) to be used by the consumer when providing authorization for the release of the credit report of the consumer to a specific party or for a specific period of time.

      `(3) ACCESS PURSUANT TO CONSUMER AUTHORIZATION DURING SECURITY FREEZE-

        `(A) NOTICE BY CONSUMER- If the consumer wishes to allow the credit report on the consumer to be accessed by a specific party or for a specific period of time while a freeze is in place, the consumer shall--

          `(i) contact the consumer reporting agency in any manner the agency may provide;

          `(ii) request that the security freeze be temporarily lifted; and

          `(iii) provide--

            `(I) proper identification;

            `(II) the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (2)(D)(ii); and

            `(III) the proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

        `(B) TIMELY RESPONSE REQUIRED- A consumer reporting agency that receives a request from a consumer to temporarily lift a security freeze on a credit report in accordance with subparagraph (A) shall comply with the request no later than 3 business days after receiving the request.

        `(C) PROCEDURES FOR REQUESTS- A consumer reporting agency may develop procedures involving the use of telephone, fax, or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act for notices legally required to be in writing, by the Internet, e-mail, or other electronic medium to receive and process a request from a consumer to temporarily lift a security freeze on a credit report pursuant to subparagraph (A) in an expedited manner.

      `(4) LIFTING OR REMOVING SECURITY FREEZE-

        `(A) IN GENERAL- A consumer reporting agency may remove or temporarily lift a security freeze placed on a credit report on a consumer only in the following cases:

          `(i) Upon receiving a consumer request for a temporary lift of the security freeze in accordance with paragraph (3)(A).

          `(ii) Upon receiving a consumer request for the removal of the security freeze in accordance with subparagraph (C).

          `(iii) Upon a determination by the consumer reporting agency that the security freeze was imposed on the credit report due to a material misrepresentation of fact by the consumer.

        `(B) NOTICE TO CONSUMER OF DETERMINATION- If a consumer reporting agency makes a determination described in subparagraph (A)(iii) with respect to a security freeze imposed on the credit report on any consumer, the consumer reporting agency shall notify the consumer of such determination in writing prior to removing the security freeze on such credit report.

        `(C) REMOVING SECURITY FREEZE-

          `(i) IN GENERAL- Except as provided in this subsection, a security freeze shall remain in place until the consumer requests that the security freeze be removed.

          `(ii) PROCEDURE FOR REMOVING SECURITY FREEZE- A consumer reporting agency shall remove a security freeze within 3 business days of receiving a request for removal from the consumer who provides--

            `(I) proper identification; and

            `(II) the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (2)(D)(ii).

      `(5) PROPER IDENTIFICATION REQUIRED- A consumer reporting agency shall require proper identification of any person who makes a request to impose, temporarily lift, or permanently remove a security freeze on the credit report of any consumer under this section.

      `(6) THIRD PARTY REQUESTS- If--

        `(A) a third party requests access to a consumer's credit report on which a security freeze is in effect under this section in connection with an application by the consumer for credit or any other use; and

        `(B) the consumer does not allow the consumer's credit report to be accessed by that specific party or during the specific period such application is pending,

      the third party may treat the application as incomplete.

      `(7) CERTAIN ENTITY EXEMPTIONS-

        `(A) AGGREGATORS AND OTHER AGENCIES- This subsection shall not apply to a consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a permanent database of credit information from which new credit reports are produced.

        `(B) OTHER EXEMPTED ENTITIES- The following entities shall not be required to place a security freeze in a credit report:

          `(i) An entity which provides check verification or fraud prevention services, including but not limited to, reports on incidents of fraud, verification or authentication of a consumer's identification, or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments.

          `(ii) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or other financial institution.

      `(8) EXCEPTIONS- This subsection shall not apply with respect to the use of a consumer credit report by any of the following for the purpose described:

        `(A) A person, or any affiliate, agent, or assignee of any person, with whom the consumer has or, prior to an assignment, had an account, contract, or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or debt.

        `(B) An affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under paragraph (3) for purposes of facilitating the extension of credit or other permissible use of the report in accordance with the consumer's request under such paragraph.

        `(C) Any State or local agency, law enforcement agency, trial court, or person acting pursuant to a court order, warrant, or subpoena.

        `(D) A Federal, State, or local agency that administers a program for establishing and enforcing child support obligations for the purpose of administering such program.

        `(E) A Federal, State, or local health agency, or any agent or assignee of such agency, acting to investigate fraud within the jurisdiction of such agency.

        `(F) A Federal, State, or local tax agency, or any agent or assignee of such agency, acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any other statutory responsibility of such agency.

        `(G) Any person that intends to use the information in accordance with section 604(c).

        `(H) Any person administering a credit file monitoring subscription or similar service to which the consumer has subscribed.

        `(I) Any person for the purpose of providing a consumer with a copy of the credit report or credit score of the consumer upon the consumer's request.

      `(9) PROHIBITION ON FEE- A consumer reporting agency may not impose a fee for placing, removing, or removing for a specific party or parties a security freeze on a credit report.

      `(10) NOTICE OF RIGHTS- At any time that a consumer is required to receive a summary of rights required under section 609(c)(1) or 609(d)(1) the following notice shall be included:

        `Consumers Who Are Victims of Identity Theft Have the Right to Obtain a Security Freeze on Your Consumer Report

        `You may obtain a security freeze on your consumer credit report at no charge if you are a victim of identity theft and you submit a copy of an identity theft report you have filed with a law enforcement agency about unlawful use of your personal information by another person.

        `The security freeze will prohibit a credit reporting agency from releasing any information in your consumer credit report without your express authorization. A security freeze must be requested in writing by certified mail.

        `The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gains access to the personal and financial information in your consumer credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding new loans, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular phone, utilities, digital signature, internet credit card transaction, or other services, including an extension of credit at point of sale.

        `When you place a security freeze on your consumer credit report, within 10 business days you will be provided a personal identification number or password to use if you choose to remove the freeze on your consumer credit report or authorize the release of your consumer credit report for a specific party, parties or period of time after the freeze is in place.

        `To provide that authorization, you must contact the consumer reporting agency and provide all of the following: (1) the unique personal identification number or password provided by the consumer reporting agency; (2) proper identification to verify your identity; and (3) the proper information regarding the third party or parties who are trying to receive the consumer credit report or the period of time for which the report shall be available to users of the consumer report.

        `A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a consumer credit report shall comply with the request no later than 3 days after receiving the request.

        `A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity with which you have an existing account that requests information in your consumer credit report for the purposes of reviewing or collecting the account, if you have previously given your consent to this use of your consumer credit report. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account up-grades and enhancements.

        `If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely or temporarily if you are shopping around, or specifically for a certain creditor, a few days before actually applying for new credit.'.

    `(j) Effect on GLBA-

      `(1) DEPOSITORY INSTITUTIONS- The current and any future breach notice regulations and guidelines under section 501(b) of the Gramm-Leach-Bliley Act with respect to depository institutions shall be superseded, as of the effective date of the regulations required under subsection (k)(3)(A), relating to the specific requirements of this section.

      `(2) NONDEPOSITORY INSTITUTIONS- The current and any future data security regulations and guidelines under section 501(b) of the Gramm-Leach-Bliley Act with respect to nondepository institutions shall be superseded as of the effective date of the regulations required under subsection (k)(3)(A), relating to the responsibilities under this section.

    `(k) Uniform Data Security Safeguard Regulations-

      `(1) UNIFORM STANDARDS- The Secretary of the Treasury, the Board of Governors of the Federal Reserve System, and the Commission shall jointly, and the Federal functional regulatory agencies that have issued guidance on consumer breach notification shall jointly with respect to the entities under their jurisdiction, develop standards and guidelines to implement this section, including--

        `(A) prescribing specific standards with respect to subsection (g)(3) setting forth a reasonably unique and, pursuant to paragraph (2)(B), exclusive color and titling of the notice, and standardized formatting of the notice contents described under such subsection to standardize such communications and make them more likely to be reviewed, and understood by, and helpful to consumers, including to the extent possible placing the critical information for consumers in an easily understood and prominent text box at the top of each notice;

        `(B) providing in such standards and guidelines that the responsibility of a consumer reporter to provide notice under this section--

          `(i) has been satisfied with respect to any particular consumer, even if the consumer reporter is unable to contact the consumer, so long as the consumer reporter has made reasonable efforts to obtain a current address or other current contact information with respect to such consumer;

          `(ii) may be made by public notice in appropriate cases in which--

            `(I) such reasonable efforts described in clause (i) have failed; or

            `(II) a breach of data security involves a loss or unauthorized acquisition of sensitive financial personal information in paper documents or records that has been determined to be usable, but the identities of specific consumers are not determinable; and

          `(iii) with respect to paragraph (3) of subsection (c), may be communicated to entities in addition to those specifically required under such paragraph through any reasonable means, such as through an electronic transmission normally received by all of the consumer reporter's business customers; and

        `(C) providing in such standards and guidelines elaboration on how to determine whether a technology is generally commercially available for the purposes of subsection (b), focusing on the availability of such technology to persons who potentially could seek to breach the data security of the consumer reporter, and how to determine whether the information is likely to be usable under subsection (b)(3);

        `(D) providing for a reasonable and fair manner of providing required consumer notices where the entity that directly suffered the breach is unavailable to pay for such notices, because for example the entity is bankrupt, outside of the jurisdiction of the United States, or otherwise cannot be compelled to provide such notice;

        `(E) providing for periodic instead of individual notices to regulators and law enforcement under subsection (c)(1) and (2) where the consumer reporter determines that only a de minimis number of consumers are reasonably likely to be affected;

        `(F) providing, to the extent appropriate, notice to the United States Secret Service, a consumer reporter's functional regulator, and the entities described in paragraphs (1) through (3) of subsection (c), whenever the consumer reporter's sensitive financial personal information has been lost or illegally obtained but such loss or acquisition does not result in a breach, for example because the information was sufficiently encrypted or otherwise unusable; and

        `(G) establishing what types of accounts might be subject to unauthorized transactions after a breach involving sensitive financial account information, for example because such accounts are open-end credit plans or are described in section 903(2) of the Electronic Fund Transfer Act.

      `(2) MODEL NOTICE FORMS-

        `(A) IN GENERAL- The Secretary of the Treasury, Board of Governors of the Federal Reserve System, and the Commission shall jointly establish and publish model forms and disclosure statements to facilitate compliance with the notice requirements of subsection (g) and to aid the consumer in understanding the information required to be disclosed relating to a breach of data security and the options and services available to the consumer for obtaining additional information, consumer reports, and credit monitoring services.

        `(B) USE OPTIONAL- A consumer reporter may utilize a model notice or any model statement established under this paragraph for purposes of compliance with this section, at the discretion of the consumer reporter.

        `(C) EFFECT OF USE- A consumer reporter that uses a model notice form or disclosure statement established under this paragraph shall be deemed to be in compliance with the requirement to provide the required disclosure to consumers to which the form or statement relates.

      `(3) ENFORCEMENT-

        `(A) REGULATIONS- Each of the functional regulatory agencies shall prescribe such regulations as may be necessary, consistent with the standards in paragraph (1), to ensure compliance with this section with respect to the persons subject to the jurisdiction of such agency under subsection (l).

        `(B) MISUSE OF UNIQUE COLOR AND TITLES OF NOTICES- Any person who uses the unique color and titling adopted under paragraph (1)(A) for notices under subsection (f)(1) in a way that is likely to create a false belief in a consumer that a communication is such a notice shall be liable in the same manner and to the same extent as a debt collector is liable under section 813 for any failure to comply with any provision of the Fair Debt Collection Practices Act.

      `(4) PROCEDURES AND DEADLINE-

        `(A) PROCEDURES- Standards and guidelines issued under this subsection shall be issued in accordance with applicable requirements of title 5, United States Code.

        `(B) DEADLINE FOR INITIAL STANDARDS AND GUIDELINES- The standards and guidelines required to be issued under paragraph (1) shall be published in final form before the end of the 9-month period beginning on the date of the enactment of the Financial Data Protection Act of 2006.

        `(C) DEADLINE FOR ENFORCEMENT REGULATIONS- The standards and guidelines required to be issued under paragraph (2) shall be published in final form before the end of the 6-month period beginning on the date standards and guidelines described in subparagraph (B) are published in final form.

        `(D) AUTHORITY TO GRANT EXCEPTIONS- The regulations prescribed under paragraph (2) may include such additional exceptions to this section as are deemed jointly by the functional regulatory agencies to be consistent with the purposes of this section if such exceptions are necessary because of some unique aspect of the entities regulated or laws governing such entities; and such exemptions are narrowly tailored to protect the purposes of this Act.

        `(E) CONSULTATION AND COORDINATION- The Secretary of the Treasury, the Board of Governors of the Federal Reserve System, and the Commission shall consult and coordinate with the other functional regulatory agencies to the extent appropriate in prescribing regulations under this subsection.

        `(F) FAILURE TO MEET DEADLINE- Any agency or authority required to publish standards and guidelines or regulations under this subsection that fails to meet the deadline for such publishing shall submit a report to the Congress within 30 days of such deadline describing--

          `(i) the reasons for the failure to meet such deadline;

          `(ii) when the agency or authority expects to complete the publication required; and

          `(iii) the detriment such failure to publish by the required deadline will have on consumers and other affected parties.

        `(G) UNIFORM IMPLEMENTATION AND INTERPRETATION- It is the intention of the Congress that the agencies and authorities described in subsection (l)(1)(G) will implement and interpret their enforcement regulations, including any exceptions provided under subparagraph (D), in a uniform manner.

      `(5) APPROPRIATE EXEMPTIONS OR MODIFICATIONS- The Secretary of the Treasury, the Board of Governors of the Federal Reserve System, and the Commission, in consultation with the Administrator of the Small Business Administration and the functional regulatory agencies, shall provide appropriate exemptions or modifications from requirements of this section relating to sensitive financial personal information for consumer reporters that do not maintain, service, or communicate a large quantity of such information, taking into account the degree of sensitivity of such information, the likelihood of misuse, and the degree of potential harm or inconvenience to the related consumer.

      `(6) COORDINATION-

        `(A) IN GENERAL- Each functional regulatory agency shall consult and coordinate with each other functional regulatory agency so that, to the extent possible, the regulations prescribed by each agency are consistent and comparable.

        `(B) MODEL REGULATIONS- In prescribing implementing regulations under paragraph (1), the functional regulatory agencies referred to in such paragraph shall use the Gramm-Leach-Bliley Act (including the guidance and regulations issued thereunder) as a base, adding such other consumer protections as appropriate under this section.

    `(l) Administrative Enforcement-

      `(1) IN GENERAL- Notwithstanding section 616, 617, or 621, compliance with this section and the regulations prescribed under this section shall be enforced by the functional regulatory agencies with respect to financial institutions and other persons subject to the jurisdiction of each such agency under applicable law, as follows:

        `(A) Under section 8 of the Federal Deposit Insurance Act, in the case of--

          `(i) national banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Comptroller of the Currency;

          `(ii) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act, and bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Governors of the Federal Reserve System;

          `(iii) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Directors of the Federal Deposit Insurance Corporation; and

          `(iv) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Director of the Office of Thrift Supervision.

        `(B) Under the Federal Credit Union Act, by the Board of the National Credit Union Administration with respect to any federally insured credit union, and any subsidiaries of such an entity.

        `(C) Under the Securities Exchange Act of 1934, by the Securities and Exchange Commission with respect to any broker, dealer, or nonbank transfer agent.

        `(D) Under the Investment Company Act of 1940, by the Securities and Exchange Commission with respect to investment companies.

        `(E) Under the Investment Advisers Act of 1940, by the Securities and Exchange Commission with respect to investment advisers registered with the Commission under such Act.

        `(F) Under the provisions of title XIII of the Housing and Community Development Act of 1992, by the Director of the Office of Federal Housing Enterprise Oversight (and any successor to such functional regulatory agency) with respect to the Federal National Mortgage Association, the Federal Home Loan Mortgage Corporation, and any other entity or enterprise or bank (as defined in such title XIII) subject to the jurisdiction of such functional regulatory agency under such title, including any affiliate of any such enterprise.

        `(G) Under State insurance law, in the case of any person engaged in the business of insurance, by the applicable State insurance authority of the State in which the person is domiciled.

        `(H) Under the Federal Home Loan Bank Act, by the Federal Housing Finance Board (and any successor to such functional regulatory agency) with respect to the Federal home loan banks and any other entity subject to the jurisdiction of such functional regulatory agency, including any affiliate of any such bank.

        `(I) Under the Federal Trade Commission Act, by the Commission for any other person that is not subject to the jurisdiction of any agency or authority under subparagraphs (A) through (G) of this subsection, except that for the purposes of this subparagraph a violation of this section shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act regarding unfair or deceptive acts or practices.

      `(2) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in paragraph (1) of its powers under any Act referred to in such paragraph, a violation of any requirement imposed under this section shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in paragraph (1), each of the agencies referred to in that paragraph may exercise, for the purpose of enforcing compliance with any requirement imposed under this section, any other authority conferred on it by law.

      `(3) USE OF UNDISTRIBUTED FUNDS FOR FINANCIAL EDUCATION- If--

        `(A) in connection with any administrative action under this section, a fund is created or a functional regulatory agency has obtained disgorgement; and

        `(B) the functional regulatory agency determines that--

          `(i) due to the size of the fund to be distributed, the number of individuals affected, the nature of the underlying violation, or for other reasons, it would be infeasible to distribute such fund or disgorgement to the victims of the violation; or

          `(ii) there are excess monies remaining after the distribution of the fund or disgorgement to victims,

      the functional regulatory agency may issue an order in an administrative proceeding requiring that the undistributed amount of the fund or disgorgement be used in whole or in part by the functional regulatory agency for education programs and outreach activities of consumer groups, community based groups, and the Financial Literacy and Education Commission established under the Fair and Accurate Credit Transactions Act of 2003 that are consistent with and further the purposes of this title.

    `(m) Definitions- For purposes of this section, the following definitions shall apply:

      `(1) BREACH OF DATA SECURITY- The term `breach of data security' or `data security breach' means any loss, unauthorized acquisition, or misuse of sensitive financial personal information handled by a consumer reporter that could be misused to commit financial fraud (such as identity theft or fraudulent transactions made on financial accounts) in a manner causing harm or inconvenience to a consumer.

      `(2) CONSUMER- The term `consumer' means an individual.

      `(3) CONSUMER REPORTER AND RELATED TERMS-

        `(A) CONSUMER FINANCIAL FILE AND CONSUMER REPORTS- The term `consumer financial file and consumer reports' includes any written, oral, or other communication of any information by a consumer reporter bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, personal identifiers, financial account information, or mode of living.

        `(B) CONSUMER REPORTER- The term `consumer reporter' means any consumer reporting agency or financial institution, or any person which, for monetary fees, dues, on a cooperative nonprofit basis, or otherwise regularly engages in whole or in part in the practice of assembling or evaluating consumer financial file and consumer reports, consumer credit information, or other information on consumers, for the purpose of furnishing consumer reports to third parties or to provide or collect payment for or market products and services, or for employment purposes, and which uses any means or facility of interstate commerce for such purposes.

      `(4) FINANCIAL INSTITUTION- The term `financial institution' means--

        `(A) any person the business of which is engaging in activities that are financial in nature as described in or determined under section 4(k) of the Bank Holding Company Act;

        `(B) any person that is primarily engaged in activities that are subject to the Fair Credit Reporting Act; and

        `(C) any person that is maintaining, receiving, or communicating sensitive financial personal information on an ongoing basis for the purposes of engaging in interstate commerce.

      `(5) FUNCTIONAL REGULATORY AGENCY- The term `functional regulatory agency' means any agency described in subsection (l) with respect to the financial institutions and other persons subject to the jurisdiction of such agency.

      `(6) HANDLED BY- The term `handled by' includes with respect to sensitive financial personal information, any access to or generation, maintenance, servicing, or ownership of such information, as well as any transfer to or allowed access to or similar sharing or servicing of such information by or with a third party on a consumer reporter's behalf.

      `(7) NATIONWIDE CONSUMER REPORTING AGENCY- The term `nationwide consumer reporting agency' means--

        `(A) a consumer reporting agency described in section 603(p);

        `(B) any person who notifies the Commission that the person reasonably expects to become a consumer reporting agency described in section 603(p) within a reasonable time; and

        `(C) a consumer reporting agency described in section 603(w) that notifies the Commission that the person wishes to receive breach of data security notices under this section that involve information of the type maintained by such agency.

      `(8) NEURAL NETWORK- The term `neural network' means an information security program that monitors financial account transactions for potential fraud, using historical patterns to analyze and identify suspicious financial account transactions.

      `(9) SENSITIVE FINANCIAL ACCOUNT INFORMATION- The term `sensitive financial account information' means a financial account number of a consumer, such as a credit card number or debit card number, in combination with any required security code, access code, biometric code, password, or other personal identification information that would allow access to the financial account.

      `(10) SENSITIVE FINANCIAL IDENTITY INFORMATION- The term `sensitive financial identity information' means the first and last name, the address, or the telephone number of a consumer, in combination with any of the following of the consumer:

        `(A) Social Security number.

        `(B) Driver's license number or equivalent State identification number.

        `(C) IRS Individual Taxpayer Identification Number.

        `(D) IRS Adoption Taxpayer Identification Number.

        `(E) The consumer's deoxyribonucleic acid profile or other unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.

      `(11) SENSITIVE FINANCIAL PERSONAL INFORMATION- The term `sensitive financial personal information' means any information that is sensitive financial account information, sensitive financial identity information, or both.

      `(12) HARM OR INCONVENIENCE- The term `harm or inconvenience', with respect to a consumer, means financial loss to or civil or criminal penalties imposed on the consumer or the need for the consumer to expend significant time and effort to correct erroneous information relating to the consumer, including information maintained by consumer reporting agencies, financial institutions, or government entities, in order to avoid the risk of financial loss or increased costs or civil or criminal penalties.

    `(n) Relation to State Laws-

      `(1) IN GENERAL- No requirement or prohibition may be imposed under the laws of any State with respect to the responsibilities of any consumer reporter or the functional equivalent of such responsibilities--

        `(A) to protect the security or confidentiality of information on consumers maintained by or on behalf of the person;

        `(B) to safeguard such information from potential misuse;

        `(C) to investigate or provide notices of any unauthorized access to information concerning the consumer, or the potential misuse of such information, for fraudulent purposes;

        `(D) to mitigate any loss or harm resulting from such unauthorized access or misuse; or

        `(E) involving restricting credit reports from being provided, or imposing any requirement on such provision, for a permissible purpose pursuant to section 604, such as--

          `(i) the responsibilities of a consumer reporting agency to honor a request, or withdrawal of such a request, to prohibit the consumer reporting agency from releasing any type of information from the file of a consumer;

          `(ii) the process by which such a request or withdrawal of such a request is made, honored, or denied;

          `(iii) any notice that is required to be provided to the consumer in connection with such a request or withdrawal of such a request; or

          `(iv) the ability of a consumer reporting agency to update or change information in a consumer's file as a result of such a request or withdrawal of such a request; or

          `(v) the responsibilities of third parties if information from a consumer's file is unavailable as a result of such a request.

      `(2) EXCEPTION FOR CERTAIN STATE LAWS- Paragraph (1) shall not apply with respect to--

        `(A) State laws governing professional confidentiality; or

        `(B) State privacy laws limiting the purposes for which information may be disclosed.

      `(3) EXCEPTION FOR CERTAIN COVERED ENTITIES- Paragraph (1) shall not apply with respect to the entities described in subsection (l)(1)(G) to the extent that such entities are acting in accordance with subsection (k)(4)(G) in a manner that is consistent with this section and the implementation of this section by the regulators described in subsection (k)(1).'.

    (b) Clerical Amendment- The table of sections for the Fair Credit Reporting Act is amended by inserting after the item relating to section 629 the following new item:

      `630. Data security safeguards.'.

    (c) Effective Date- The provisions of section 630 of the Fair Credit Reporting Act (as added by this section), other than subsection (k) of such section, shall take effect on the date of publication of the regulations required under paragraph (3) of such subsection, with respect to any person under the jurisdiction of each regulatory agency publishing such regulations.

SEC. 3. NATIONAL SUMMIT ON DATA SECURITY.

    Not later than April 30, 2008, the President or the designee of the President shall convene a National Summit on Data Security Safeguards for Sensitive Personal Financial Information in the District of Columbia.

SEC. 4. GAO STUDY.

    (a) Study Required- The Comptroller General shall conduct a study to determine a system that would provide notices of data breaches to consumers in languages other than English and identify what barriers currently exist to the implementation of such a system.

    (b) Report- The Comptroller General shall submit a report to the Congress before the end of the 1-year period beginning on the date of the enactment of this Act containing the findings and conclusion of the study under subsection (a) and such recommendations for legislative and administrative action as the Comptroller General may determine to be appropriate.

SEC. 5. ENHANCED DATA COLLECTION ON DATA SECURITY BREACHES AND ACCOUNT FRAUD.

    In order to improve law enforcement efforts relating to data security breaches and fighting identity theft and account fraud, the Federal Trade Commission shall compile information on the race and ethnicity of consumers, as defined and volunteered by the consumers, who are victims of identity theft, account fraud, and other types of financial fraud. The Commission shall consult with the various international, national, State, and local law enforcement officers and agencies who work with such victims for the purpose of enlisting the cooperation of such officers and agencies in the compilation of such information. Notwithstanding any other provision of law, such compilation of information shall be made available exclusively to the Commission and law enforcement entities.

SEC. 6. CLARIFICATION RELATING TO CREDIT MONITORING SERVICES.

    (a) In General- Section 403 of the Credit Repair Organizations Act (15 U.S.C. 1679a) is amended--

      (1) by striking `For purposes of this title' and inserting `(a) In General- For purposes of this title'; and

      (2) by adding at the end the following new subsection:

    `(b) Clarification With Respect to Certain Credit Monitoring Services Under Certain Circumstances-

      `(1) IN GENERAL- Subject to paragraph (2)--

        `(A) the provision of, or provision of access to, credit reports, credit monitoring notifications, credit scores and scoring algorithms, and other credit score-related tools to a consumer (including generation of projections and forecasts of such consumer's potential credit scores under various prospective trends or hypothetical or alternative scenarios);

        `(B) any analysis, evaluation, and explanation of such actual or hypothetical credit scores, or any similar projections, forecasts, analyses, evaluations or explanations; or

        `(C) in conjunction with offering any of the services described in subparagraph (A) or (B), the provision of materials or services to assist a consumer who is a victim of identity theft,

      shall not be treated as activities described in clause (i) of subsection (a)(3)(A).

      `(2) CONDITIONS FOR APPLICATION OF PARAGRAPH (1)- Paragraph (1) shall apply with respect to any person engaging in any activity described in such paragraph only if--

        `(A) the person does not represent, expressly or by implication, that such person--

          `(i) will or can modify or remove, or assist the consumer in modifying or removing, adverse information that is accurate and not obsolete in the consumer's credit report; or

          `(ii) will or can alter, or assist the consumer in altering, the consumer's identification to prevent the display of the consumer's credit record, history, or rating for the purpose of concealing adverse information that is accurate and not obsolete;

        `(B) in any case in which the person represents, expressly or by implication, that it will or can modify or remove, or assist the consumer in modifying or removing, any information in the consumer's credit report, except for a representation with respect to any requirement imposed on the person under section 611 or 623(b) of the Fair Credit Reporting Act, the person discloses, clearly and conspicuously, before the consumer pays or agrees to pay any money or other valuable consideration to such person, whichever occurs first, the following statement:

            `NOTICE: Neither you nor anyone else has the right to have accurate and current information removed from your credit report. If information in your report is inaccurate, you have the right to dispute it by contacting the credit bureau directly.';

        `(C) the person provides the consumer in writing with the following statement before any contract or agreement between the consumer and the person is executed:

          `Your Rights Concerning Your Consumer Credit File

          `You have a right to obtain a free copy of your credit report once every 12 months from each of the nationwide consumer reporting agencies. To request your free annual credit report, you may go to www.annualcreditreport.com, or call 877-322-8228, or complete the Annual Credit Report Request Form and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You can obtain additional copies of your credit report from a credit bureau, for which you may be charged a reasonable fee. There is no fee, however, if you have been turned down for credit, employment, insurance, or a rental dwelling because of information in your credit report within the preceding 60 days. The credit bureau must provide someone to help you interpret the information in your credit file. You are entitled to receive a free copy of your credit report if you are unemployed and intend to apply for employment in the next 60 days, if you are a recipient of public welfare assistance, or if you have reason to believe that there is inaccurate information in your credit report due to fraud.

          `You have the right to cancel your contract with a credit monitoring service without fee or penalty at any time, and in the case in which you have prepaid for a credit monitoring service, you are entitled to a pro rata refund for the remaining term of the credit monitoring service.

          `The Federal Trade Commission regulates credit bureaus and credit monitoring services. For more information contact:

          `Federal Trade Commission

          `Washington, D.C. 20580

          `1-877-FTC-HELP

          `www.ftc.gov.'; and

        `(D) in any case in which the person offers a subscription to a credit file monitoring program to a consumer, the consumer may cancel the subscription at any time upon written notice to the person without penalty or fee for such cancellation and, in any case in which the consumer is billed for the subscription on other than a monthly basis, within 60 days of receipt of the consumer's notice of cancellation, the person shall make a pro rata refund to the consumer of a subscription fee prepaid by the consumer, calculated from the date that the person receives the consumer's notice of cancellation until the end of the subscription period.'.

    (b) Clarification of Nonexempt Status- Section 403(a) of the Credit Repair Organizations Act (15 U.S.C. 1679a) (as so redesignated by subsection (a) of this section) is amended, in paragraph (3)(B)(i), by inserting `and is not for its own profit or for that of its members' before the semicolon at the end.

    (c) Revision of Disclosure Requirement- Section 405(a) of the Credit Repair Organizations Act (15 U.S.C. 1679c) is amended by striking everything after the heading of the disclosure statement contained in such section and inserting the following new text of the disclosure statement:

      `You have a right to dispute inaccurate information in your credit report by contacting the credit bureau directly. However, neither you nor any `credit repair' company or credit repair organization has the right to have accurate, current, and verifiable information removed from your credit report. The credit bureau must remove accurate, negative information from your report only if it is over 7 years old. Bankruptcy information can be reported for 10 years.

      `You have a right to obtain a free copy of your credit report once every 12 months from each of the nationwide consumer reporting agencies. To request your free annual credit report, you may go to www.annualcreditreport.com, or call 877-322-8228, or complete the Annual Credit Report Request Form and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You can obtain additional copies of your credit report from a credit bureau, for which you may be charged a reasonable fee. There is no fee, however, if you have been turned down for credit, employment, insurance, or a rental dwelling because of information in your credit report within the preceding 60 days. The credit bureau must provide someone to help you interpret the information in your credit file. You are entitled to receive a free copy of your credit report if you are unemployed and intend to apply for employment in the next 60 days, if you are a recipient of public welfare assistance, or if you have reason to believe that there is inaccurate information in your credit report due to fraud.

      `You have a right to sue a credit repair organization that violates the Credit Repair Organization Act. This law prohibits deceptive practices by credit repair organizations.

      `You have the right to cancel your contract with any credit repair organization for any reason within 3 business days from the date you signed it.

      `Credit bureaus are required to follow reasonable procedures to ensure that the information they report is accurate. However, mistakes may occur.

      `You may, on your own, notify a credit bureau in writing that you dispute the accuracy of information in your credit file. The credit bureau must then reinvestigate and modify or remove inaccurate or incomplete information. The credit bureau may not charge any fee for this service. Any pertinent information and copies of all documents you have concerning an error should be given to the credit bureau.

      `If the credit bureau's reinvestigation does not resolve the dispute to your satisfaction, you may send a brief statement to the credit bureau, to be kept in your file, explaining why you think the record is inaccurate. The credit bureau must include a summary of your statement about disputed information with any report it issues about you.

      `The Federal Trade Commission regulates credit bureaus and credit repair organizations. For more information contact:

      `Federal Trade Commission

      `Washington, D.C. 20580

      `1-877-FTC-HELP

      `(877) 382-4357

      `www.ftc.gov.'.

SECTION 1. SHORT TITLE.

    This Act may be cited as the `Data Accountability and Trust Act (DATA)'.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

    (a) General Security Policies and Procedures-

      (1) REGULATIONS- Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information, or contracts to have any third party entity maintain such data for such person, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information taking into consideration--

        (A) the size of, and the nature, scope, and complexity of the activities engaged in by, such person;

        (B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and

        (C) the cost of implementing such safeguards.

      (2) REQUIREMENTS- Such regulations shall require the policies and procedures to include the following:

        (A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.

        (B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.

        (C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system maintained by such person that contains such electronic data, which shall include regular monitoring for a breach of security of such system.

        (D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.

        (E) A process for disposing of obsolete data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or undecipherable.

      (3) TREATMENT OF ENTITIES GOVERNED BY OTHER LAW- In promulgating the regulations under this subsection, the Commission may determine to be in compliance with this subsection any person who is required under any other Federal law to maintain standards and safeguards for information security and protection of personal information that provide equal or greater protection than those required under this subsection.

    (b) Destruction of Obsolete Paper Records Containing Personal Information-

      (1) STUDY- Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the practicality of requiring a standard method or methods for the destruction of obsolete paper documents and other non-electronic data containing personal information by persons engaged in interstate commerce who own or possess such paper documents and non-electronic data. The study shall consider the cost, benefit, feasibility, and effect of a requirement of shredding or other permanent destruction of such paper documents and non-electronic data.

      (2) REGULATIONS- The Commission may promulgate regulations under section 553 of title 5, United States Code, requiring a standard method or methods for the destruction of obsolete paper documents and other non-electronic data containing personal information by persons engaged in interstate commerce who own or possess such paper documents and non-electronic data if the Commission finds that--

        (A) the improper disposal of obsolete paper documents and other non-electronic data creates a reasonable risk of identity theft, fraud, or other unlawful conduct;

        (B) such a requirement would be effective in preventing identity theft, fraud, or other unlawful conduct;

        (C) the benefit in preventing identity theft, fraud, or other unlawful conduct would outweigh the cost to persons subject to such a requirement; and

        (D) compliance with such a requirement would be practicable.

      In enforcing any such regulations, the Commission may determine to be in compliance with such regulations any person who is required under any other Federal law to dispose of obsolete paper documents and other non-electronic data containing personal information if such other Federal law provides equal or greater protection of personal information than the regulations promulgated under this subsection.

    (c) Special Requirements for Information Brokers-

      (1) SUBMISSION OF POLICIES TO THE FTC- The regulations promulgated under subsection (a) shall require information brokers to submit their security policies to the Commission in conjunction with a notification of a breach of security under section 3 or upon request of the Commission.

      (2) POST-BREACH AUDIT- For any information broker required to provide notification under section 3, the Commission shall conduct an audit of the information security practices of such information broker, or require the information broker to conduct an independent audit of such practices (by an independent auditor who has not audited such information broker's security practices during the preceding 5 years). The Commission may conduct or require additional audits for a period of 5 years following the breach of security or until the Commission determines that the security practices of the information broker are in compliance with the requirements of this section and are adequate to prevent further breaches of security.

      (3) VERIFICATION OF AND INDIVIDUAL ACCESS TO PERSONAL INFORMATION-

        (A) VERIFICATION- Each information broker shall establish reasonable procedures to verify the accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles, or maintains that specifically identifies an individual, other than information which merely identifies an individual's name or address.

        (B) CONSUMER ACCESS TO INFORMATION-

          (i) ACCESS- Each information broker shall--

            (I) provide to each individual whose personal information it maintains, at the individual's request at least 1 time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review any personal information regarding such individual maintained by the information broker and any other information maintained by the information broker that specifically identifies such individual, other than information which merely identifies an individual's name or address; and

            (II) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under subclause (I).

          (ii) DISPUTED INFORMATION- Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, shall--

            (I) correct any inaccuracy; or

            (II)(aa) in the case of information that is public record information, inform the individual of the source of the information, and, if reasonably available, where a request for correction may be directed; or

            (bb) in the case of information that is non-public information, note the information that is disputed, including the individual's statement disputing such information, and take reasonable steps to independently verify such information under the procedures outlined in subparagraph (A) if such information can be independently verified.

          (iii) LIMITATIONS- An information broker may limit the access to information required under subparagraph (B) in the following circumstances:

            (I) If access of the individual to the information is limited by law or legally recognized privilege.

            (II) If the information is used for a legitimate governmental or fraud prevention purpose that would be compromised by such access.

          (iv) RULEMAKING- The Commission shall issue regulations, as necessary, under section 553 of title 5, United States Code, on the application of the limitations in clause (iii).

        (C) TREATMENT OF ENTITIES GOVERNED BY OTHER LAW- The Commission may promulgate rules (under section 553 of title 5, United States Code) to determine to be in compliance with this paragraph any person who is a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act, with respect to those products and services that are subject to and in compliance with the requirements of that Act.

      (4) REQUIREMENT OF AUDIT LOG OF ACCESSED AND TRANSMITTED INFORMATION- Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require information brokers to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data in electronic form containing personal information collected, assembled, or maintained by such information broker.

      (5) PROHIBITION ON PRETEXTING BY INFORMATION BROKERS-

        (A) PROHIBITION ON OBTAINING PERSONAL INFORMATION BY FALSE PRETENSES- It shall be unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by--

          (i) making a false, fictitious, or fraudulent statement or representation to any person; or

          (ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.

        (B) PROHIBITION ON SOLICITATION TO OBTAIN PERSONAL INFORMATION UNDER FALSE PRETENSES- It shall be unlawful for an information broker to request a person to obtain personal information or any other information relating to any other person, if the information broker knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subsection (a).
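Paragraph (4) above requires information brokers to put in place measures that let any internal or external access to, or transmission of, personal data be audited or retraced, but it says nothing about keeping that trail trustworthy against the very insiders it is meant to catch. The following is an added example in Go, not text or code from the bill or from any regulator, of a hash-chained, HMAC-tagged access log: every entry's tag covers its own fields plus the previous entry's tag, so a later edit, reordering or deletion is detectable, and a Retrace query answers who touched a given record and where it was sent. The actor names, record identifiers and signing key are constructed for illustration; holding the HMAC key in a system separate from the one that writes the log is this design's assumption, not a requirement the bill states.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AccessEvent is one internal or external access to, or transmission of, a record
// holding personal information. It carries identifiers only, never the data itself.
type AccessEvent struct {
	Seq       uint64 `json:"seq"`
	Time      string `json:"time"`                // RFC 3339, UTC
	Actor     string `json:"actor"`               // authenticated principal
	Action    string `json:"action"`              // read, export, transmit, ...
	RecordID  string `json:"record_id"`           // opaque record identifier
	Recipient string `json:"recipient,omitempty"` // external party, for transmissions
	Prev      string `json:"prev"`                // tag of the preceding entry
	Tag       string `json:"tag"`                 // HMAC over this entry, Prev included
}

// AuditLog is append-only and hash-chained. The HMAC key is assumed to be held
// by a separate signing service, so a writer that can alter entries cannot
// re-tag them.
type AuditLog struct {
	key     []byte
	entries []AccessEvent
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

func (l *AuditLog) tag(e AccessEvent) string {
	e.Tag = ""              // the tag covers every field but itself
	b, _ := json.Marshal(e) // struct field order is fixed, so the encoding is canonical
	m := hmac.New(sha256.New, l.key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an event, links it to the previous entry and returns its tag.
func (l *AuditLog) Append(t time.Time, actor, action, recordID, recipient string) string {
	prev := "genesis"
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Tag
	}
	e := AccessEvent{
		Seq: uint64(len(l.entries)), Time: t.UTC().Format(time.RFC3339),
		Actor: actor, Action: action, RecordID: recordID, Recipient: recipient, Prev: prev,
	}
	e.Tag = l.tag(e)
	l.entries = append(l.entries, e)
	return e.Tag
}

// Verify walks the chain from genesis and names the first entry that fails.
func (l *AuditLog) Verify() error {
	prev := "genesis"
	for i, e := range l.entries {
		if e.Seq != uint64(i) || e.Prev != prev {
			return fmt.Errorf("entry %d: chain link broken (entry removed or reordered)", i)
		}
		if !hmac.Equal([]byte(l.tag(e)), []byte(e.Tag)) {
			return fmt.Errorf("entry %d: tag mismatch (entry altered)", i)
		}
		prev = e.Tag
	}
	return nil
}

// Retrace lists every access to and transmission of one record, in order.
func (l *AuditLog) Retrace(recordID string) []AccessEvent {
	var hits []AccessEvent
	for _, e := range l.entries {
		if e.RecordID == recordID {
			hits = append(hits, e)
		}
	}
	return hits
}

func main() {
	al := NewAuditLog([]byte("demo-key-held-by-a-separate-signing-service")) // assumption
	t0 := time.Date(2006, 6, 2, 9, 0, 0, 0, time.UTC)                        // constructed sample events
	al.Append(t0, "svc-export", "read", "rec-1", "")
	al.Append(t0.Add(time.Minute), "svc-export", "transmit", "rec-1", "partner-x")
	al.Append(t0.Add(2*time.Minute), "analyst-7", "read", "rec-2", "")
	fmt.Println("intact:", al.Verify(), "| rec-1 events:", len(al.Retrace("rec-1")))
	al.entries[1].Recipient = "partner-y" // after-the-fact edit of a transmission record
	fmt.Println("after edit:", al.Verify())
}
```

A log of this shape records who touched which record and where it went without becoming a second copy of the personal information, and the tag chain gives the post-breach auditor of paragraph (2) a way to establish whether the trail itself was altered. Run as written, main reports an intact chain with two events for rec-1, then the verification error once the recipient of the transmission entry is changed.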

    (d) Exemption for Telecommunications Carrier, Cable Operator, Information Service, or Interactive Computer Service- Nothing in this section shall apply to any electronic communication by a third party stored by a telecommunications carrier, cable operator, or information service, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153), or an interactive computer service, as such term is defined in section 230(f)(2) of such Act (47 U.S.C. 230(f)(2)).

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

    (a) Nationwide Notification- Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data--

      (1) notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security; and

      (2) notify the Commission.

    (b) Special Notification Requirement for Certain Entities-

      (1) THIRD PARTY AGENTS- In the event of a breach of security by any third party entity that has been contracted to maintain or process data in electronic form containing personal information on behalf of any other person who owns or possesses such data, such third party entity shall be required only to notify such person of the breach of security. Upon receiving such notification from such third party, such person shall provide the notification required under subsection (a).

      (2) TELECOMMUNICATIONS CARRIERS, CABLE OPERATORS, INFORMATION SERVICES, AND INTERACTIVE COMPUTER SERVICES- If a telecommunications carrier, cable operator, or information service (as such terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153)), or an interactive computer service (as such term is defined in section 230(f)(2) of such Act (47 U.S.C. 230(f)(2))), becomes aware of a breach of security during the transmission of data in electronic form containing personal information that is owned or possessed by another person utilizing the means of transmission of such telecommunications carrier, cable operator, information service, or interactive computer service, such telecommunications carrier, cable operator, information service, or interactive computer service shall be required only to notify the person who initiated such transmission of such a breach of security if such person can be reasonably identified. Upon receiving such notification from a telecommunications carrier, cable operator, information service, or interactive computer service, such person shall provide the notification required under subsection (a).

      (3) BREACH OF HEALTH INFORMATION- If the Commission receives a notification of a breach of security and determines that information included in such breach is individually identifiable health information (as such term is defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6))), the Commission shall send a copy of such notification to the Secretary of Health and Human Services.

    (c) Timeliness of Notification- All notifications required under subsection (a) shall be made as promptly as possible and without unreasonable delay following the discovery of a breach of security of the system and consistent with any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

    (d) Method and Content of Notification-

      (1) DIRECT NOTIFICATION-

        (A) METHOD OF NOTIFICATION- A person required to provide notification to individuals under subsection (a)(1) shall be in compliance with such requirement if the person provides conspicuous and clearly identified notification by one of the following methods (provided the selected method can reasonably be expected to reach the intended individual):

          (i) Written notification.

          (ii) Email notification, if--

            (I) the person's primary method of communication with the individual is by email; or

            (II) the individual has consented to receive such notification and the notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global Commerce Act (15 U.S.C. 7001).

        (B) CONTENT OF NOTIFICATION- Regardless of the method by which notification is provided to an individual under subparagraph (A), such notification shall include--

          (i) a description of the personal information that was acquired by an unauthorized person;

          (ii) a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the breach of security or the information the person maintained about that individual;

          (iii) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, and instructions to the individual on requesting such reports from the person;

          (iv) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and

          (v) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.

      (2) SUBSTITUTE NOTIFICATION-

        (A) CIRCUMSTANCES GIVING RISE TO SUBSTITUTE NOTIFICATION- A person required to provide notification to individuals under subsection (a)(1) may provide substitute notification in lieu of the direct notification required by paragraph (1) if--

          (i) the person owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals; and

          (ii) such direct notification is not feasible due to--

            (I) excessive cost to the person required to provide such notification relative to the resources of such person, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A); or

            (II) lack of sufficient contact information for the individual required to be notified.

        (B) FORM OF SUBSTITUTE NOTICE- Such substitute notification shall include--

          (i) email notification to the extent that the person has email addresses of individuals to whom it is required to provide notification under subsection (a)(1);

          (ii) a conspicuous notice on the Internet website of the person (if such person maintains such a website); and

          (iii) notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.

        (C) CONTENT OF SUBSTITUTE NOTICE- Each form of substitute notice under this paragraph shall include--

          (i) notice that individuals whose personal information is included in the breach of security are entitled to receive, at no cost to the individuals, consumer credit reports on a quarterly basis for a period of 2 years, and instructions on requesting such reports from the person; and

          (ii) a telephone number by which an individual can, at no cost to such individual, learn whether that individual's personal information is included in the breach of security.

      (3) FEDERAL TRADE COMMISSION REGULATIONS AND GUIDANCE-

        (A) REGULATIONS- Not later than 1 year after the date of enactment of this Act, the Commission shall, by regulations under section 553 of title 5, United States Code, establish criteria for determining the circumstances under which substitute notification may be provided under paragraph (2), including criteria for determining if notification under paragraph (1) is not feasible due to excessive cost to the person required to provide such notification relative to the resources of such person.

        (B) GUIDANCE- In addition, the Commission shall provide and publish general guidance with respect to compliance with this section. Such guidance shall include--

          (i) a description of written or email notification that complies with the requirements of paragraph (1); and

          (ii) guidance on the content of substitute notification under paragraph (2)(B), including the extent of notification to print and broadcast media that complies with the requirements of such paragraph.

    (e) Other Obligations Following Breach- A person required to provide notification under subsection (a) shall, upon request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual, consumer credit reports from at least one of the major credit reporting agencies beginning not later than 2 months following the discovery of a breach of security and continuing on a quarterly basis for a period of 2 years thereafter.

    (f) Exemption-

      (1) GENERAL EXEMPTION- A person shall be exempt from the requirements under this section if, following a breach of security, such person determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct.

      (2) PRESUMPTIONS-

        (A) ENCRYPTION- The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.

        (B) ADDITIONAL METHODOLOGIES OR TECHNOLOGIES- Not later than 270 days after the date of the enactment of this Act, the Commission shall, by rule pursuant to section 553 of title 5, United States Code, identify any additional security methodology or technology, other than encryption, which renders data in electronic form unreadable or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology has been or is reasonably likely to be compromised. In promulgating such a rule, the Commission shall consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.

      (3) FTC GUIDANCE- Not later than 1 year after the date of the enactment of this Act, the Commission shall issue guidance regarding the application of the exemption in paragraph (1).

    (g) Website Notice of Federal Trade Commission- If the Commission, upon receiving notification of any breach of security that is reported to the Commission under subsection (a)(2), finds that notification of such a breach of security via the Commission's Internet website would be in the public interest or for the protection of consumers, the Commission shall place such a notice in a clear and conspicuous location on its Internet website.

    (h) FTC Study on Notification in Languages in Addition to English- Not later than 1 year after the date of enactment of this Act, the Commission shall conduct a study on the practicality and cost effectiveness of requiring the notification required by subsection (d)(1) to be provided in a language in addition to English to individuals known to speak only such other language.

SEC. 4. ENFORCEMENT.

    (a) Enforcement by the Federal Trade Commission-

      (1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES- A violation of section 2 or 3 shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

      (2) POWERS OF COMMISSION- The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act.

      (3) LIMITATION- In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.

    (b) Enforcement by State Attorneys General-

      (1) CIVIL ACTION- In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any person who violates section 2 or 3 of this Act, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction--

        (A) to enjoin further violation of such section by the defendant;

        (B) to compel compliance with such section; or

        (C) to obtain civil penalties in the amount determined under paragraph (2).

      (2) CIVIL PENALTIES-

        (A) CALCULATION-

          (i) TREATMENT OF VIOLATIONS OF SECTION 2- For purposes of paragraph (1)(C) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each day that a person is not in compliance with the requirements of such section shall be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000.

          (ii) TREATMENT OF VIOLATIONS OF SECTION 3- For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000.

        (B) ADJUSTMENT FOR INFLATION- Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amounts specified in clauses (i) and (ii) of subparagraph (A) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.

      (3) INTERVENTION BY THE FTC-

        (A) NOTICE AND INTERVENTION- The State shall provide prior written notice of any action under paragraph (1) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Commission shall have the right--

          (i) to intervene in the action;

          (ii) upon so intervening, to be heard on all matters arising therein; and

          (iii) to file petitions for appeal.

        (B) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING- If the Commission has instituted a civil action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.

      (4) CONSTRUCTION- For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--

        (A) conduct investigations;

        (B) administer oaths or affirmations; or

        (C) compel the attendance of witnesses or the production of documentary and other evidence.

    (c) Affirmative Defense for a Violation of Section 3- It shall be an affirmative defense to an enforcement action brought under subsection (a), or a civil action brought under subsection (b), based on a violation of section 3, that all of the personal information contained in the data in electronic form that was acquired as a result of a breach of security of the defendant is public record information that is lawfully made available to the general public from Federal, State, or local government records and was acquired by the defendant from such records.

SEC. 5. DEFINITIONS.

    In this Act the following definitions apply:

      (1) BREACH OF SECURITY- The term `breach of security' means the unauthorized acquisition of data in electronic form containing personal information.

      (2) COMMISSION- The term `Commission' means the Federal Trade Commission.

      (3) DATA IN ELECTRONIC FORM- The term `data in electronic form' means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

      (4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

      (5) IDENTITY THEFT- The term `identity theft' means the unauthorized use of another person's personal information for the purpose of engaging in commercial transactions under the name of such other person.

      (6) INFORMATION BROKER- The term `information broker' means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.

      (7) PERSONAL INFORMATION-

        (A) DEFINITION- The term `personal information' means an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

          (i) Social Security number.

          (ii) Driver's license number or other State identification number.

          (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.

        (B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule, modify the definition of `personal information' under subparagraph (A) to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.

      (8) PUBLIC RECORD INFORMATION- The term `public record information' means information about an individual which has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.

      (9) NON-PUBLIC INFORMATION- The term `non-public information' means information about an individual that is of a private nature and neither available to the general public nor obtained from a public record.

SEC. 6. EFFECT ON OTHER LAWS.

    (a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly--

      (1) requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2; and

      (2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of data in electronic form containing personal information.

    (b) Additional Preemption-

      (1) IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.

      (2) PROTECTION OF CONSUMER PROTECTION LAWS- This subsection shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.

    (c) Protection of Certain State Laws- This Act shall not be construed to preempt the applicability of--

      (1) State trespass, contract, or tort law; or

      (2) other State laws to the extent that those laws relate to acts of fraud.

    (d) Preservation of FTC Authority- Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law, including the authority to issue advisory opinions (under part 1 of volume 16 of the Code of Federal Regulations), policy statements, or guidance regarding this Act.

SEC. 7. EFFECTIVE DATE AND SUNSET.

    (a) Effective Date- This Act shall take effect 1 year after the date of enactment of this Act.

    (b) Sunset- This Act shall cease to be in effect on the date that is 10 years from the date of enactment of this Act.

SEC. 8. AUTHORIZATION OF APPROPRIATIONS.

    There is authorized to be appropriated to the Commission $1,000,000 for each of fiscal years 2006 through 2010 to carry out this Act.

Amend the title so as to read: `A bill to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach.'.
