S. 1332 (109th): Personal Data Privacy and Security Act of 2005

109th Congress, 2005–2006. Text as of Jun 29, 2005 (Placed on Calendar in the Senate).


II

Calendar No. 151

109th CONGRESS

1st Session

S. 1332

IN THE SENATE OF THE UNITED STATES

June 29, 2005

(for himself, Mr. Leahy, and Mr. Feingold) introduced the following bill; which was read the first time

July 1 (legislative day, June 30), 2005

Read the second time and placed on the calendar

A BILL

To prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

1.

Short title; table of contents

(a)

Short title

This Act may be cited as the Personal Data Privacy and Security Act of 2005.

(b)

Table of contents

The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Findings.

Sec. 3. Definitions.

TITLE I—Enhancing punishment for identity theft and other violations of data privacy and security

Sec. 101. Fraud and related criminal activity in connection with unauthorized access to personally identifiable information.

Sec. 102. Organized criminal activity in connection with unauthorized access to personally identifiable information.

Sec. 103. Concealment of security breaches involving personally identifiable information.

Sec. 104. Aggravated fraud in connection with computers.

Sec. 105. Review and amendment of Federal sentencing guidelines related to fraudulent access to or misuse of digitized or electronic personally identifiable information.

TITLE II—Assistance for state and local law enforcement combating crimes related to fraudulent, unauthorized, or other criminal use of personally identifiable information

Sec. 201. Grants for State and local enforcement.

Sec. 202. Authorization of appropriations.

TITLE III—Data brokers

Sec. 301. Transparency and accuracy of data collection.

Sec. 302. Enforcement.

Sec. 303. Relation to State laws.

Sec. 304. Effective date.

TITLE IV—Privacy and security of personally identifiable information

Subtitle A—Data privacy and security program

Sec. 401. Purpose and applicability of data privacy and security program.

Sec. 402. Requirements for a personal data privacy and security program.

Sec. 403. Enforcement.

Sec. 404. Relation to State laws.

Subtitle B—Security breach notification

Sec. 421. Right to notice of security breach.

Sec. 422. Notice procedures.

Sec. 423. Content of notice.

Sec. 424. Risk assessment and fraud prevention notice exemptions.

Sec. 425. Victim protection assistance.

Sec. 426. Enforcement.

Sec. 427. Relation to State laws.

Sec. 428. Study on securing personally identifiable information in the digital era.

Sec. 429. Authorization of appropriations.

Sec. 430. Effective date.

TITLE V—Protection of Social Security numbers

Sec. 501. Social Security number protection.

Sec. 502. Limits on personal disclosure of social security numbers for commercial transactions and accounts.

Sec. 503. Public records.

Sec. 504. Treatment of social security numbers on government checks and prohibition of inmate access.

Sec. 505. Study and report.

Sec. 506. Enforcement.

Sec. 507. Relation to State laws.

TITLE VI—Government access to and use of commercial data

Sec. 601. General Services Administration review of contracts.

Sec. 602. Requirement to audit information security practices of contractors and third party business entities.

Sec. 603. Privacy impact assessment of government use of commercial information services containing personally identifiable information.

Sec. 604. Implementation of Chief Privacy Officer requirements.

2.

Findings

Congress finds that—

(1)

databases of personally identifiable information are increasingly prime targets of hackers, identity thieves, rogue employees, and other criminals, including organized and sophisticated criminal operations;

(2)

identity theft is a serious threat to the nation’s economic stability, homeland security, the development of e-commerce, and the privacy rights of Americans;

(3)

over 9,300,000 individuals were victims of identity theft in America last year;

(4)

security breaches are a serious threat to consumer confidence, homeland security, e-commerce, and economic stability;

(5)

it is important for business entities that own, use, or license personally identifiable information to adopt reasonable procedures to ensure the security, privacy, and confidentiality of that personally identifiable information;

(6)

individuals whose personal information has been compromised or who have been victims of identity theft should receive the necessary information and assistance to mitigate their damages and to restore the integrity of their personal information and identities;

(7)

data brokers have assumed a significant role in providing identification, authentication, and screening services, and related data collection and analyses for commercial, nonprofit, and government operations;

(8)

data misuse and use of inaccurate data have the potential to cause serious or irreparable harm to an individual’s livelihood, privacy, and liberty and undermine efficient and effective business and government operations;

(9)

there is a need to ensure that data brokers conduct their operations in a manner that prioritizes fairness, transparency, accuracy, and respect for the privacy of consumers;

(10)

government access to commercial data can potentially improve safety, law enforcement, and national security; and

(11)

because government misuse of commercial data endangers privacy, security, and liberty, there is a need for Congress to exercise oversight over government use of commercial data.

3.

Definitions

In this Act:

(1)

Agency

The term agency has the same meaning given such term in section 551 of title 5, United States Code.

(2)

Affiliate

The term affiliate means persons related by common ownership or affiliated by corporate control.

(3)

Business entity

The term business entity means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, venture established to make a profit, or nonprofit, and any contractor, subcontractor, affiliate, or licensee thereof engaged in interstate commerce.

(4)

Identity theft

The term identity theft means a violation of section 1028 of title 18, United States Code, or any other similar provision of applicable State law.

(5)

Data broker

The term data broker means a business entity which for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages, in whole or in part, in the practice of collecting, transmitting, or otherwise providing personally identifiable information on a nationwide basis on more than 5,000 individuals who are not the customers or employees of the business entity or affiliate.

(6)

Data furnisher

The term data furnisher means any agency, governmental entity, organization, corporation, trust, partnership, sole proprietorship, unincorporated association, venture established to make a profit, or nonprofit, and any contractor, subcontractor, affiliate, or licensee thereof, that serves as a source of information for a data broker.

(7)

Personal electronic record

The term personal electronic record means the compilation of personally identifiable information of an individual (including information associated with that personally identifiable information) in a database, networked or integrated databases, or other data system.

(8)

Personally identifiable information

The term personally identifiable information means any information, or compilation of information, in electronic or digital form serving as a means of identification, as defined by section 1028(d)(7) of title 18, United States Code.

(9)

Public record

The term public record means any item, collection, or grouping of information about an individual that is maintained by an agency, including—

(A)

education, financial transactions, medical history, and criminal or employment history containing the name of an individual; and

(B)

the identifying number, symbol, or other identifying particular assigned to an individual, such as—

(i)

a fingerprint;

(ii)

a voice print; or

(iii)

a photograph.

(10)

Security breach

(A)

In General

The term security breach means compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to sensitive personally identifiable information.

(B)

Exclusion

The term security breach does not include a good faith acquisition of sensitive personally identifiable information if the sensitive personally identifiable information is not subject to further unauthorized disclosure.

(11)

Sensitive personally identifiable information

The term sensitive personally identifiable information means any name or number used in conjunction with any other information to identify a specific individual, including any—

(A)

name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;

(B)

unique biometric data, such as—

(i)

a fingerprint;

(ii)

a voice print;

(iii)

a retina or iris image; or

(iv)

any other unique physical representation;

(C)

unique electronic identification number, address, or routing code; or

(D)

telecommunication identifying information or access device (as defined in section 1029(e) of title 18, United States Code).

I

Enhancing punishment for identity theft and other violations of data privacy and security

101.

Fraud and related criminal activity in connection with unauthorized access to personally identifiable information

Section 1030(a)(2) of title 18, United States Code, is amended—

(1)

in subparagraph (B), by striking "or" after the semicolon;

(2)

in subparagraph (C), by inserting "or" after the semicolon; and

(3)

by adding at the end the following:

(D)

information contained in the databases or systems of a data broker, or in other personal electronic records, as such terms are defined in section 3 of the Personal Data Privacy and Security Act of 2005;


102.

Organized criminal activity in connection with unauthorized access to personally identifiable information

Section 1961(1) of title 18, United States Code, is amended by inserting "section 1030(a)(2)(D) (relating to fraud and related activity in connection with unauthorized access to personally identifiable information)," before "section 1084".

103.

Concealment of security breaches involving personally identifiable information

(a)

In general

Chapter 47 of title 18, United States Code, is amended by adding at the end the following:

1039.

Concealment of security breaches involving personally identifiable information

Whoever, having knowledge of a security breach requiring notice to individuals under title IV of the Personal Data Privacy and Security Act of 2005, intentionally and willfully conceals the fact of, or information related to, such security breach, shall be fined under this title or imprisoned not more than 5 years, or both.


(b)

Conforming and technical amendments

The table of sections for chapter 47 of title 18, United States Code, is amended by adding at the end the following:

1039. Concealment of security breaches involving personally identifiable information.

104.

Aggravated fraud in connection with computers

(a)

In general

Chapter 47 of title 18, United States Code, is amended by adding after section 1030 the following:

1030A.

Aggravated fraud in connection with computers

(a)

In general

Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly obtains, accesses, or transmits, without lawful authority, a means of identification of another person may, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of up to 2 years.

(b)

Consecutive sentences

Notwithstanding any other provision of law, should a court in its discretion impose an additional sentence under subsection (a)—

(1)

no term of imprisonment imposed on a person under this section shall run concurrently, except as provided in paragraph (3), with any other term of imprisonment imposed on such person under any other provision of law, including any term of imprisonment imposed for the felony during which the means of identification was obtained, accessed, or transmitted;

(2)

in determining any term of imprisonment to be imposed for the felony during which the means of identification was obtained, accessed, or transmitted, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and

(3)

a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section.

(c)

Definition

For purposes of this section, the term felony violation enumerated in subsection (c) means any offense that is a felony violation of paragraphs (2) through (7) of section 1030(a).


(b)

Conforming and technical amendments

The table of sections for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following new item:

1030A. Aggravated fraud in connection with computers.

105.

Review and amendment of Federal sentencing guidelines related to fraudulent access to or misuse of digitized or electronic personally identifiable information

(a)

Review and amendment

Not later than 180 days after the date of enactment of this Act, the United States Sentencing Commission, pursuant to its authority under section 994 of title 28, United States Code, and in accordance with this section, shall review and, if appropriate, amend the Federal sentencing guidelines (including its policy statements) applicable to persons convicted of using fraud to access, or misuse of, digitized or electronic personally identifiable information, including identity theft or any offense under—

(1)

sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of title 18, United States Code; or

(2)

any other relevant provision.

(b)

Requirements

In carrying out the requirements of this section, the United States Sentencing Commission shall—

(1)

ensure that the Federal sentencing guidelines (including its policy statements) reflect—

(A)

the serious nature of the offenses and penalties referred to in this Act;

(B)

the growing incidences of theft and misuse of digitized or electronic personally identifiable information, including identity theft; and

(C)

the need to deter, prevent, and punish such offenses;

(2)

consider the extent to which the Federal sentencing guidelines (including its policy statements) adequately address violations of the sections amended by this Act to—

(A)

sufficiently deter and punish such offenses; and

(B)

adequately reflect the enhanced penalties established under this Act;

(3)

maintain reasonable consistency with other relevant directives and sentencing guidelines;

(4)

account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;

(5)

consider whether to provide a sentencing enhancement for those convicted of the offenses described in subsection (a), if the conduct involves—

(A)

the online sale of fraudulently obtained or stolen personally identifiable information;

(B)

the sale of fraudulently obtained or stolen personally identifiable information to an individual who is engaged in terrorist activity or aiding other individuals engaged in terrorist activity; or

(C)

the sale of fraudulently obtained or stolen personally identifiable information to finance terrorist activity or other criminal activities;

(6)

make any necessary conforming changes to the Federal sentencing guidelines to ensure that such guidelines (including its policy statements) as described in subsection (a) are sufficiently stringent to deter, and adequately reflect crimes related to fraudulent access to, or misuse of, personally identifiable information; and

(7)

ensure that the Federal sentencing guidelines adequately meet the purposes of sentencing under section 3553(a)(2) of title 18, United States Code.

(c)

Emergency authority to sentencing commission

The United States Sentencing Commission may, as soon as practicable, promulgate amendments under this section in accordance with procedures established in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 994 note) as though the authority under that Act had not expired.

II

Assistance for state and local law enforcement combating crimes related to fraudulent, unauthorized, or other criminal use of personally identifiable information

201.

Grants for State and local enforcement

(a)

In general

Subject to the availability of amounts provided in advance in appropriations Acts, the Assistant Attorney General for the Office of Justice Programs of the Department of Justice may award a grant to a State to establish and develop programs to increase and enhance enforcement against crimes related to fraudulent, unauthorized, or other criminal use of personally identifiable information.

(b)

Application

A State seeking a grant under subsection (a) shall submit an application to the Assistant Attorney General for the Office of Justice Programs of the Department of Justice at such time, in such manner, and containing such information as the Assistant Attorney General may require.

(c)

Use of grant amounts

A grant awarded to a State under subsection (a) shall be used by a State, in conjunction with units of local government within that State, State and local courts, other States, or combinations thereof, to establish and develop programs to—

(1)

assist State and local law enforcement agencies in enforcing State and local criminal laws relating to crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information;

(2)

assist State and local law enforcement agencies in educating the public to prevent and identify crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information;

(3)

educate and train State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information;

(4)

assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information; and

(5)

facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information with State and local law enforcement officers and prosecutors, including the use of multi-jurisdictional task forces.

(d)

Assurances and eligibility

To be eligible to receive a grant under subsection (a), a State shall provide assurances to the Attorney General that the State—

(1)

has in effect laws that penalize crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information, such as penal laws prohibiting—

(A)

fraudulent schemes executed to obtain personally identifiable information;

(B)

schemes executed to sell or use fraudulently obtained personally identifiable information; and

(C)

online sales of personally identifiable information obtained fraudulently or by other illegal means;

(2)

will provide an assessment of the resource needs of the State and units of local government within that State, including criminal justice resources being devoted to the investigation and enforcement of laws related to crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information; and

(3)

will develop a plan for coordinating the programs funded under this section with other federally funded technical assistance and training programs, including directly funded local programs such as the Local Law Enforcement Block Grant program (described under the heading Violent Crime Reduction Programs, State and Local Law Enforcement Assistance of the Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 1998 (Public Law 105–119)).

(e)

Matching funds

The Federal share of a grant received under this section may not exceed 90 percent of the total cost of a program or proposal funded under this section unless the Attorney General waives, wholly or in part, the requirements of this subsection.

202.

Authorization of appropriations

(a)

In general

There is authorized to be appropriated to carry out this title $25,000,000 for each of fiscal years 2006 through 2009.

(b)

Limitations

Of the amount made available to carry out this title in any fiscal year not more than 3 percent may be used by the Attorney General for salaries and administrative expenses.

(c)

Minimum amount

Unless all eligible applications submitted by a State or units of local government within a State for a grant under this title have been funded, the State, together with grantees within the State (other than Indian tribes), shall be allocated in each fiscal year under this title not less than 0.75 percent of the total amount appropriated in the fiscal year for grants pursuant to this title, except that the United States Virgin Islands, American Samoa, Guam, and the Northern Mariana Islands each shall be allocated 0.25 percent.

(d)

Grants to Indian tribes

Notwithstanding any other provision of this title, the Attorney General may use amounts made available under this title to make grants to Indian tribes for use in accordance with this title.

III

Data brokers

301.

Transparency and accuracy of data collection

(a)

In general

Data brokers engaging in interstate commerce are subject to the requirements of this title for any product or service offered to third parties that allows access, use, compilation, distribution, processing, analyzing, or evaluating personally identifiable information, unless that product or service is currently subject to similar protections under subsections (b) and (g) of this section, the Fair Credit Reporting Act (Public Law 91–508), or the Gramm-Leach-Bliley Act (Public Law 106–102), and implementing regulations.

(b)

Disclosures to individuals

(1)

In general

A data broker shall, upon the request of an individual, clearly and accurately disclose to such individual for a reasonable fee all personal electronic records pertaining to that individual maintained for disclosure to third parties in the databases or systems of the data broker at the time of the request.

(2)

Information on how to correct inaccuracies

The disclosures required under paragraph (1) shall also include guidance to individuals on the processes and procedures for demonstrating and correcting any inaccuracies.

(c)

Creation of an accuracy resolution process

A data broker shall develop and publish on its website timely and fair processes and procedures for responding to claims of inaccuracies, including procedures for correcting inaccurate information in the personal electronic records it maintains on individuals.

(d)

Accuracy resolution process

(1)

Public record information

(A)

In general

If an individual notifies a data broker of a dispute as to the completeness or accuracy of information, and the data broker determines that such information is derived from a public record source, the data broker shall determine within 30 days whether the information in its system accurately and completely records the information offered by the public record source.

(B)

Data broker actions

If a data broker determines under subparagraph (A) that the information in its systems—

(i)

does not accurately and completely record the information offered by a public record source, the data broker shall correct any inaccuracies or incompleteness, and provide to such individual written notice of such changes; and

(ii)

does accurately and completely record the information offered by a public record source, the data broker shall—

(I)

provide such individual with the name, address, and telephone contact information of the public record source; and

(II)

notify such individual of the right to add to the personal electronic record of the individual maintained by the data broker a statement disputing the accuracy or completeness of the information for a period of 90 days under subsection (e).

(2)

Investigation of disputed non-public record information

If the completeness or accuracy of any non-public record information disclosed to an individual under subsection (b) is disputed by the individual and such individual notifies the data broker directly of such dispute, the data broker shall, before the end of the 30-day period beginning on the date on which the data broker receives the notice of the dispute—

(A)

investigate free of charge and record the current status of the disputed information; or

(B)

delete the item from the individual's data file in accordance with paragraph (8).

(3)

Extension of period to investigate

Except as provided in paragraph (4), the 30-day period described in paragraph (1) may be extended for not more than 15 additional days if a data broker receives information from the individual during that 30-day period that is relevant to the investigation.

(4)

Limitations on extension of period to investigate

Paragraph (3) shall not apply to any investigation in which, during the 30-day period described in paragraph (1), the information that is the subject of the investigation is found to be inaccurate or incomplete or a data broker determines that the information cannot be verified.

(5)

Notice identifying the data furnisher

If the completeness or accuracy of any information disclosed to an individual under subsection (b) is disputed by the individual, a data broker shall provide upon the request of the individual, the name, business address, and telephone contact information of any data furnisher who provided an item of information in dispute.

(6)

Determination that dispute is frivolous or irrelevant

(A)

In general

Notwithstanding paragraphs (1) through (4), a data broker may decline to investigate or terminate an investigation of information disputed by an individual under those paragraphs if the data broker reasonably determines that the dispute by the individual is frivolous or irrelevant, including by reason of a failure by the individual to provide sufficient information to investigate the disputed information.

(B)

Notice

Not later than 5 business days after making any determination in accordance with subparagraph (A) that a dispute is frivolous or irrelevant, a data broker shall notify the individual of such determination by mail, or if authorized by the individual, by any other means available to the data broker.

(C)

Contents of notice

A notice under subparagraph (B) shall include—

(i)

the reasons for the determination under subparagraph (A); and

(ii)

identification of any information required to investigate the disputed information, which may consist of a standardized form describing the general nature of such information.

(7)

Consideration of individual information

In conducting any investigation with respect to disputed information in the personal electronic record of any individual, a data broker shall review and consider all relevant information submitted by the individual in the period described in paragraph (2) with respect to such disputed information.

(8)

Treatment of inaccurate or unverifiable information

(A)

In general

If, after any review of public record information under paragraph (1) or any investigation of any information disputed by an individual under paragraphs (2) through (4), an item of information is found to be inaccurate or incomplete or cannot be verified, a data broker shall promptly delete that item of information from the individual’s personal electronic record or modify that item of information, as appropriate, based on the results of the investigation.

(B)

Notice to individuals of reinsertion of previously deleted information

If any information that has been deleted from an individual’s personal electronic record pursuant to subparagraph (A) is reinserted in the personal electronic record of the individual, a data broker shall, not later than 5 days after reinsertion, notify the individual of the reinsertion and identify any data furnisher not previously disclosed in writing, or if authorized by the individual for that purpose, by any other means available to the data broker, unless such notification has been previously given under this subsection.

(C)

Notice of results of investigation of disputed non-public record

(i)

In general

Not later than 5 business days after the completion of an investigation under paragraph (2), a data broker shall provide written notice to an individual of the results of the investigation, by mail or, if authorized by the individual for that purpose, by other means available to the data broker.

(ii)

Additional requirement

Before the expiration of the 5-day period, as part of, or in addition to such notice, a data broker shall, in writing, provide to an individual—

(I)

a statement that the investigation is completed;

(II)

a report that is based upon the personal electronic record of such individual as that personal electronic record is revised as a result of the investigation;

(III)

a notice that, if requested by the individual, a description of the procedures used to determine the accuracy and completeness of the information shall be provided to the individual by the data broker, including the business name, address, and telephone number of any data furnisher of information contacted in connection with such information; and

(IV)

a notice that the individual has the right to request notifications under subsection (g).

(D)

Description of investigation procedures

Not later than 15 days after receiving a request from an individual for a description referred to in subparagraph (C)(ii)(III), a data broker shall provide to the individual such a description.

(E)

Expedited dispute resolution

If by no later than 3 business days after the date on which a data broker receives notice of a dispute from an individual of information in the personal electronic record of such individual in accordance with paragraph (2), a data broker resolves such dispute in accordance with subparagraph (A) by the deletion of the disputed information, then the data broker shall not be required to comply with subsections (e) and (f) with respect to that dispute if the data broker provides—

(i)

to the individual, by telephone, prompt notice of the deletion; and

(ii)

to the individual a right to request that the data broker furnish notifications under subsection (g).

(e)

Statement of dispute

(1)

In general

If the completeness or accuracy of any information disclosed to an individual under subsection (b) is disputed, an individual may file a brief statement setting forth the nature of the dispute.

(2)

Contents of statement

A data broker may limit the statements made pursuant to paragraph (1) to not more than 100 words if it provides an individual with assistance in writing a clear summary of the dispute or until the dispute is resolved, whichever is earlier.

(f)

Notification of dispute in subsequent reports

Whenever a statement of a dispute is filed under subsection (e), unless there are reasonable grounds to believe that it is frivolous or irrelevant, a data broker shall, in any subsequent report, product, or service containing the information in question, clearly note that it is disputed by an individual and provide either the statement of such individual or a clear and accurate codification or summary thereof for a period of 90 days after the data broker first posts the statement of dispute.

(g)

Notification of deletion of disputed information

Following any deletion of information which is found to be inaccurate or whose accuracy can no longer be verified, a data broker shall, at the request of an individual, furnish notification that the item has been deleted or the statement, codification, or summary pursuant to subsection (e) or (f) to any user or customer of the products or services of the data broker who has within 90 days received a report with the deleted or disputed information or has electronically accessed the deleted or disputed information.

302.

Enforcement

(a)

Civil penalties

(1)

Penalties

Any data broker that violates the provisions of section 301 shall be subject to civil penalties of not more than $1,000 per violation per day, with a maximum of $15,000 per day, while such violations persist.

(2)

Intentional or willful violation

A data broker that intentionally or willfully violates the provisions of section 301 shall be subject to additional penalties in the amount of $1,000 per violation per day, with a maximum of an additional $15,000 per day, while such violations persist.

(3)

Equitable relief

A data broker engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.

(4)

Other rights and remedies

The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.

(b)

Injunctive actions by the Attorney General

(1)

In general

Whenever it appears that a data broker to which this title applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this title, the Attorney General may bring a civil action in an appropriate district court of the United States to—

(A)

enjoin such act or practice;

(B)

enforce compliance with this title;

(C)

obtain damages—

(i)

in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and

(ii)

punitive damages, if the violation is willful or intentional; and

(D)

obtain such other relief as the court determines to be appropriate.

(2)

Other injunctive relief

Upon a proper showing in the action under paragraph (1), the court shall grant a permanent injunction or a temporary restraining order without bond.

(c)

State enforcement

(1)

Civil actions

In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates this title, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to—

(A)

enjoin that act or practice;

(B)

enforce compliance with this title;

(C)

obtain—

(i)

damages in the sum of actual damages, restitution, or other compensation on behalf of affected residents of the State; and

(ii)

punitive damages, if the violation is willful or intentional; or

(D)

obtain such other legal and equitable relief as the court may consider to be appropriate.

(2)

Notice

(A)

In general

Before filing an action under this subsection, the attorney general of the State involved shall provide to the Attorney General—

(i)

a written notice of that action; and

(ii)

a copy of the complaint for that action.

(B)

Exception

Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action.

(C)

Notification when practicable

In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Attorney General as soon after the filing of the complaint as practicable.

(3)

Attorney General authority

Upon receiving notice under paragraph (2), the Attorney General shall have the right to—

(A)

move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);

(B)

intervene in an action brought under paragraph (1); and

(C)

file petitions for appeal.

(4)

Pending proceedings

If the Attorney General has instituted a proceeding or action for a violation of this Act or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.

(5)

Rule of construction

For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—

(A)

conduct investigations;

(B)

administer oaths and affirmations; or

(C)

compel the attendance of witnesses or the production of documentary and other evidence.

(6)

Venue; service of process

(A)

Venue

Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1931 of title 28, United States Code.

(B)

Service of process

In an action brought under this subsection, process may be served in any district in which the defendant—

(i)

is an inhabitant; or

(ii)

may be found.

303.

Relation to State laws

(a)

In general

Except as provided in subsection (b), this title does not annul, alter, affect, or exempt any person subject to the provisions of this title from complying with the laws of any State with respect to the access, use, compilation, distribution, processing, analysis, and evaluation of any personally identifiable information by data brokers, except to the extent that those laws are inconsistent with any provisions of this title, and then only to the extent of such inconsistency.

(b)

Exceptions

No requirement or prohibition may be imposed under the laws of any State with respect to any subject matter regulated under section 301, relating to individual access to, and correction of, personal electronic records.

304.

Effective date

This title shall take effect 180 days after the date of enactment of this Act.

TITLE IV

Privacy and security of personally identifiable information

Subtitle A

Data privacy and security program

401.

Purpose and applicability of data privacy and security program

(a)

Purpose

The purpose of this subtitle is to ensure standards for developing and implementing administrative, technical, and physical safeguards to protect the privacy, security, confidentiality, integrity, storage, and disposal of personally identifiable information.

(b)

In general

A business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of personally identifiable information in electronic or digital form on 10,000 or more United States persons is subject to the requirements for a data privacy and security program under section 402 for protecting personally identifiable information.

(c)

Limitations

Notwithstanding any other obligation under this subtitle, this subtitle does not apply to—

(1)

financial institutions subject to—

(A)

the data security requirements and implementing regulations under the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); and

(B)

examinations for compliance with the requirements of this Act by 1 or more Federal functional regulators (as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)); or

(2)

covered entities subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), including the data security requirements and implementing regulations of that Act.

402.

Requirements for a personal data privacy and security program

(a)

Personal data privacy and security program

Unless otherwise limited under section 401(c), a business entity subject to this subtitle shall comply with the following safeguards to protect the privacy and security of personally identifiable information:

(1)

Scope

A business entity shall implement a comprehensive personal data privacy and security program, written in 1 or more readily accessible parts, that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities.

(2)

Design

The personal data privacy and security program shall be designed to—

(A)

ensure the privacy, security, and confidentiality of personal electronic records;

(B)

protect against any anticipated vulnerabilities to the privacy, security, or integrity of personal electronic records; and

(C)

protect against unauthorized access to or use of personal electronic records that could result in substantial harm or inconvenience to any individual.

(3)

Risk assessment

A business entity shall—

(A)

identify reasonably foreseeable internal and external vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of personally identifiable information or systems containing personally identifiable information;

(B)

assess the likelihood of and potential damage from unauthorized access, disclosure, use, or alteration of personally identifiable information; and

(C)

assess the sufficiency of its policies, technologies, and safeguards in place to control and minimize risks from unauthorized access, disclosure, use, or alteration of personally identifiable information.

(4)

Risk management and control

Each business entity shall—

(A)

design its personal data privacy and security program to control the risks identified under paragraph (3); and

(B)

adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of the activities of the business entity that—

(i)

control access to systems and facilities containing personally identifiable information, including controls to authenticate and permit access only to authorized individuals;

(ii)

detect actual and attempted fraudulent, unlawful, or unauthorized access, disclosure, use, or alteration of personally identifiable information, including by employees and other individuals otherwise authorized to have access; and

(iii)

protect personally identifiable information during use, transmission, storage, and disposal by encryption or other reasonable means (including as directed for disposal of records under section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w) and the implementing regulations of such Act as set forth in section 682 of title 16, Code of Federal Regulations).

(5)

Accountability

Each business entity required to establish a data security program under section 401 shall publish on its website or make otherwise available the terms of such program to the extent that such terms do not reveal information that compromises data security or privacy.

(b)

Training

Each business entity subject to this subtitle shall take steps to ensure employee training and supervision for implementation of the data security program of the business entity.

(c)

Vulnerability testing

(1)

In general

Each business entity subject to this subtitle shall take steps to ensure regular testing of key controls, systems, and procedures of the personal data privacy and security program to detect, prevent, and respond to attacks or intrusions, or other system failures.

(2)

Frequency

The frequency and nature of the tests required under paragraph (1) shall be determined by the risk assessment of the business entity under subsection (a)(3).

(d)

Relationship to service providers

In the event a business entity subject to this subtitle engages service providers not subject to this subtitle, such business entity shall—

(1)

exercise appropriate due diligence in selecting those service providers for responsibilities related to personally identifiable information, and take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the personally identifiable information at issue; and

(2)

require those service providers by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing entities subject to this section, section 401, and subtitle B.

(e)

Periodic assessment and personal data privacy and security modernization

Each business entity subject to this subtitle shall on a regular basis monitor, evaluate, and adjust, as appropriate, its data privacy and security program in light of any relevant changes in—

(1)

technology;

(2)

the sensitivity of personally identifiable information;

(3)

internal or external threats to personally identifiable information; and

(4)

the changing business arrangements of the business entity, such as—

(A)

mergers and acquisitions;

(B)

alliances and joint ventures;

(C)

outsourcing arrangements;

(D)

bankruptcy; and

(E)

changes to personally identifiable information systems.

(f)

Implementation time line

Not later than 1 year after the date of enactment of this Act, a business entity subject to the provisions of this subtitle shall implement a data privacy and security program pursuant to this subtitle.

403.

Enforcement

(a)

Civil penalties

(1)

In general

Any business entity that violates the provisions of sections 401 or 402 shall be subject to civil penalties of not more than $5,000 per violation per day, with a maximum of $35,000 per day, while such violations persist.

(2)

Intentional or willful violation

A business entity that intentionally or willfully violates the provisions of sections 401 or 402 shall be subject to additional penalties in the amount of $5,000 per violation per day, with a maximum of an additional $35,000 per day, while such violations persist.

(3)

Equitable relief

A business entity engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.

(4)

Other rights and remedies

The rights and remedies available under this section are cumulative and shall not affect any other rights and remedies available under law.

(b)

Injunctive actions by the Attorney General

(1)

In general

Whenever it appears that a business entity or agency to which this subtitle applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this subtitle, the Attorney General may bring a civil action in an appropriate district court of the United States to—

(A)

enjoin such act or practice;

(B)

enforce compliance with this subtitle; and

(C)

obtain damages—

(i)

in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and

(ii)

punitive damages, if the violation is willful or intentional; and

(D)

obtain such other relief as the court determines to be appropriate.

(2)

Other injunctive relief

Upon a proper showing in the action under paragraph (1), the court shall grant a permanent injunction or a temporary restraining order without bond.

(c)

State enforcement

(1)

Civil actions

In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates this subtitle, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to—

(A)

enjoin that act or practice;

(B)

enforce compliance with this subtitle;

(C)

obtain—

(i)

damages in the sum of actual damages, restitution, or other compensation on behalf of affected residents of the State; and

(ii)

punitive damages, if the violation is willful or intentional; or

(D)

obtain such other legal and equitable relief as the court may consider to be appropriate.

(2)

Notice

(A)

In general

Before filing an action under this subsection, the attorney general of the State involved shall provide to the Attorney General—

(i)

a written notice of that action; and

(ii)

a copy of the complaint for that action.

(B)

Exception

Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action.

(C)

Notification when practicable

In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Attorney General as soon after the filing of the complaint as practicable.

(3)

Attorney General authority

Upon receiving notice under paragraph (2), the Attorney General shall have the right to—

(A)

move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);

(B)

intervene in an action brought under paragraph (1); and

(C)

file petitions for appeal.

(4)

Pending proceedings

If the Attorney General has instituted a proceeding or action for a violation of this Act or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.

(5)

Rule of construction

For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—

(A)

conduct investigations;

(B)

administer oaths and affirmations; or

(C)

compel the attendance of witnesses or the production of documentary and other evidence.

(6)

Venue; service of process

(A)

Venue

Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1931 of title 28, United States Code.

(B)

Service of process

In an action brought under this subsection, process may be served in any district in which the defendant—

(i)

is an inhabitant; or

(ii)

may be found.

404.

Relation to State laws

(a)

In general

Except as provided in subsection (b), this title does not annul, alter, affect, or exempt any person subject to the provisions of this title from complying with the laws of any State with respect to security programs for personally identifiable information, except to the extent that those laws are inconsistent with any provisions of this title, and then only to the extent of such inconsistency.

(b)

Exceptions

No requirement or prohibition may be imposed under the laws of any State with respect to any subject matter regulated under section 401(c), relating to entities exempted from compliance with subtitle A.

Subtitle B

Security breach notification

421.

Right to notice of security breach

(a)

In general

Unless delayed under section 422(d) or exempted under section 424, any business entity or agency engaged in interstate commerce that involves collecting, accessing, using, transmitting, storing, or disposing of personally identifiable information shall notify, following the discovery of a security breach of its systems or databases in its possession or direct control when such security breach impacts sensitive personally identifiable information—

(1)

if the security breach impacts more than 10,000 individuals nationwide, impacts a database, networked or integrated databases, or other data system associated with more than 1,000,000 individuals nationwide, impacts databases owned or used by the Federal Government, or involves sensitive personally identifiable information of employees and contractors of the Federal Government—

(A)

the United States Secret Service, which shall be responsible for notifying—

(i)

the Federal Bureau of Investigation, if the security breach involves espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y))), except for offenses affecting the duties of the United States Secret Service under section 3056(a) of title 18, United States Code; and

(ii)

the United States Postal Inspection Service, if the security breach involves mail fraud; and

(B)

the attorney general of each State affected by the security breach;

(2)

each consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a), pursuant to subsection (b); and

(3)

any resident of the United States whose sensitive personally identifiable information was subject to the security breach, pursuant to sections 422 and 423, but in the event a business entity or agency is unable to identify the specific residents of the United States whose sensitive personally identifiable information was impacted by a security breach, the business entity or agency shall consult with the United States Secret Service to determine the scope of individuals who there is a reasonable basis to conclude have been impacted by such breach and should receive notice.

(b)

Consumer reporting agencies

Any business entity or agency obligated to provide notice of a security breach to more than 1,000 residents of the United States under subsection (a)(3) shall inform consumer reporting agencies of the fact and scope of such notices for the purpose of facilitating and managing potential increases in consumer inquiries and mitigating identity theft or other negative consequences of the breach.

422.

Notice procedures

(a)

Timeliness of notice

(1)

In general

Except as provided in subsection (c), all notices required under section 421 shall be issued expeditiously and without unreasonable delay after discovery of the events requiring notice.

(2)

14-day rule

The notices to Federal law enforcement and the attorney general of each State affected by a security breach required under section 421(a) shall be delivered not later than 14 days after discovery of the events requiring notice.

(3)

Required disclosure

In complying with the notices required under section 421, a business entity or agency shall expeditiously and without unreasonable delay take reasonable measures which are necessary to—

(A)

determine the scope and assess the impact of a breach under section 421; and

(B)

restore the reasonable integrity of the data system.

(b)

Method

Any business entity or agency obligated to provide notice under section 421 shall be in compliance with that section if it provides notice as follows:

(1)

Written notification

By written notification to the last known home address of the individual whose sensitive personally identifiable information was breached, or if unknown, notification via telephone call to the last known home telephone number.

(2)

Internet posting

If more than 1,000 residents of the United States require notice under section 421 and if the business entity or agency maintains an Internet site, conspicuous posting of the notice on the Internet site of the business entity or agency.

(3)

Media notice

If more than 5,000 residents of a State or jurisdiction are impacted, notice to major media outlets serving that State or jurisdiction.

(c)

Delay of notification for law enforcement purposes

(1)

In general

If Federal law enforcement or the attorney general of a State determines that the notices required under section 421(a) would impede a criminal investigation, such notices may be delayed until such law enforcement agency determines that the notices will no longer compromise such investigation.

(2)

Extended delay of notification for law enforcement purposes

If a business entity or agency has delayed the notices required under paragraphs (2) and (3) of section 421(a) as described in paragraph (1), the business entity or agency shall give notice 30 days after the day such law enforcement delay was invoked unless Federal law enforcement provides written notification that further delay is necessary.

423.

Content of notice

(a)

In general

A business entity or agency obligated to provide notice to residents of the United States under section 421(a)(3) shall clearly and concisely detail the nature of the sensitive personally identifiable information impacted by the security breach.

(b)

Content of notice

A notice under subsection (a) shall include—

(1)

the availability of victim protection assistance pursuant to section 425;

(2)

guidance on how to request that a fraud alert be placed in the file of the individual maintained by consumer reporting agencies, pursuant to section 605A of the Fair Credit Reporting Act (15 U.S.C. 1681c–1) and the implications of such actions;

(3)

the availability of a summary of rights for identity theft victims from consumer reporting agencies, pursuant to section 609 of the Fair Credit Reporting Act (15 U.S.C. 1681g);

(4)

if applicable, notice that the State where an individual resides has a statute that provides the individual the right to place a security freeze on their credit report; and

(5)

if applicable, notice that consumer reporting agencies have been notified of the security breach.

(c)

Marketing not allowed in notice

A notice under subsection (a) may not include—

(1)

marketing information;

(2)

sales offers; or

(3)

any solicitation regarding the collection of additional personally identifiable information from an individual.

424.

Risk assessment and fraud prevention notice exemptions

(a)

Risk assessment exemption

A business entity will be exempt from the notice requirements under paragraphs (2) and (3) of section 421(a), if a risk assessment conducted in consultation with Federal law enforcement and the attorney general of each State affected by a security breach concludes that there is a de minimis risk of harm to the individuals whose sensitive personally identifiable information was at issue in the security breach.

(b)

Fraud prevention exemption

A business entity will be exempt from the notice requirement under section 421(a) if—

(1)

the nature of the sensitive personally identifiable information subject to the security breach cannot be used to facilitate transactions or facilitate identity theft to further transactions with another business entity that is not the business entity subject to the security breach notification requirements of section 421;

(2)

the business entity utilizes a security program reasonably designed to block the use of the sensitive personally identifiable information to initiate unauthorized transactions before they are charged to the account of the individual; and

(3)

the business entity has a policy in place to provide notice and provides such notice after a breach of the security of the system has resulted in fraud or unauthorized transactions, but does not necessarily require notice in other circumstances.

425.

Victim protection assistance

Any business entity or agency obligated to provide notice to residents of the United States under section 421(a)(3) shall offer to those same residents to cover the cost of—

(1)

monthly access to a credit report for a period of 1 year from the date of notice provided under section 421(a)(3); and

(2)

credit-monitoring services for up to 1 year from the date of notice provided under section 421(a)(3).

426.

Enforcement

(a)

Civil penalties

(1)

In general

Any business entity that violates the provisions of sections 421 through 425 shall be subject to civil penalties of not more than $5,000 per violation per day, with a maximum of $55,000 per day, while such violations persist.

(2)

Intentional or willful violation

A business entity that intentionally or willfully violates the provisions of sections 421 through 425 shall be subject to additional penalties in the amount of $5,000 per violation per day, with a maximum of an additional $55,000 per day, while such violations persist.

(3)

Equitable relief

A business entity engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.

(4)

Other rights and remedies

The rights and remedies available under this section are cumulative and shall not affect any other rights and remedies available under law.

(b)

Injunctive actions by the attorney general

(1)

In general

Whenever it appears that a business entity or agency to which this subtitle applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this subtitle, the Attorney General may bring a civil action in an appropriate district court of the United States to—

(A)

enjoin such act or practice;

(B)

enforce compliance with this subtitle; and

(C)

obtain damages—

(i)

in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and

(ii)

punitive damages, if the violation is willful or intentional; and

(D)

obtain such other relief as the court determines to be appropriate.

(2)

Other injunctive relief

Upon a proper showing in the action under paragraph (1), the court shall grant a permanent injunction or a temporary restraining order without bond.

(c)

State enforcement

(1)

Civil actions

In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been, or is threatened to be, adversely affected by a violation of this subtitle, the State, as parens patriae, may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to—

(A)

enjoin that practice;

(B)

enforce compliance with this subtitle;

(C)

obtain damages—

(i)

in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of that State; and

(ii)

punitive damages, if the violation is willful or intentional; and

(D)

obtain such other equitable relief as the court may consider to be appropriate.

(2)

Notice

(A)

In general

Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General—

(i)

written notice of the action; and

(ii)

a copy of the complaint for the action.

(B)

Exception

(i)

In general

Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.

(ii)

Notification when practicable

In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the attorney general of a State files the action.

(3)

Attorney General authority

Upon receiving notice under paragraph (2), the Attorney General shall have the right to—

(A)

move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);

(B)

intervene in an action brought under paragraph (1); and

(C)

file petitions for appeal.

(4)

Pending proceedings

If the Attorney General has instituted a proceeding or action for a violation of this Act or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.

(5)

Rule of construction

For purposes of bringing any civil action under paragraph (1), nothing in this subsection shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to—

(A)

conduct investigations;

(B)

administer oaths or affirmations; or

(C)

compel the attendance of witnesses or the production of documentary and other evidence.

(6)

Venue; service of process

(A)

Venue

Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

(B)

Service of process

In an action brought under this subsection process may be served in any district in which the defendant—

(i)

is an inhabitant; or

(ii)

may be found.

427.

Relation to State laws

(a)

In general

Except as provided in subsection (b), this title does not annul, alter, affect, or exempt any person subject to the provisions of this title from complying with the laws of any State with respect to protecting consumers from the risk of theft or misuse of personally identifiable information, except to the extent that those laws are inconsistent with any provisions of this title, and then only to the extent of such inconsistency.

(b)

Exceptions

No requirement or prohibition may be imposed under the laws of any State with respect to any subject matter regulated under—

(1)

section 3(9), relating to the definition of security breach;

(2)

paragraphs (1)(A), (2), and (3) of subsection (a), and subsection (b) of section 421, relating to the right to notice of security breach;

(3)

section 422, relating to notice procedures;

(4)

section 423, relating to notice content, except that nothing in this section shall prevent a State from requiring notice of additional victim protection assistance by that State; and

(5)

section 424, relating to risk assessment and fraud prevention notice exemptions.

428.

Study on securing personally identifiable information in the digital era

(a)

Requirement for study

Not later than 120 days after the date of enactment of this Act, the Department of Justice shall enter into a contract with the National Research Council of the National Academies to conduct a study on securing personally identifiable information in the digital era.

(b)

Matters to be assessed in review

The study required under subsection (a) shall include—

(1)

threats to the public posed by the unauthorized or improper disclosure of personally identifiable information, including threats to—

(A)

law enforcement;

(B)

homeland security;

(C)

individual citizens; and

(D)

commerce;

(2)

an assessment of the benefits and costs of currently available strategies for securing personally identifiable information based on—

(A)

technology;

(B)

legislation;

(C)

regulation; or

(D)

public education;

(3)

research needed to develop additional strategies;

(4)

recommendations for congressional or other policy actions to further minimize vulnerabilities to the threats described in paragraph (1); and

(5)

other relevant issues that in the discretion of the National Research Council warrant examination.

(c)

Time line for study and requirement for report

Not later than the end of the 18-month period beginning upon completion of the performance of the contract described in subsection (a), the National Research Council shall conduct the study and report its findings, conclusions, and recommendations to Congress.

(d)

Federal department and agency compliance

Federal departments and agencies shall comply with requests made by the National Science Foundation, National Research Council, and National Academies for information that is necessary to assist in preparing the report required by subsection (c).

(e)

Authorization of appropriations

Of the amounts authorized to be appropriated to the Department of Justice for Department-wide activities, $850,000 shall be made available to carry out the provisions of this section for fiscal year 2006.

429.

Authorization of appropriations

There is authorized to be appropriated such sums as may be necessary to cover the costs incurred by the United States Secret Service to carry out investigations and risk assessments of security breaches as required under this subtitle.

430.

Effective date

This subtitle shall take effect 90 days after the date of enactment of this Act.

V

Protection of Social Security numbers

501.

Social Security number protection

(a)

In general

No person may—

(1)

display any individual’s social security number to a third party without the voluntary and affirmatively expressed consent of such individual; or

(2)

sell or purchase any social security number of an individual without the voluntary and affirmatively expressed consent of such individual.

(b)

Prerequisites for consent

To obtain the consent of an individual under paragraphs (1) or (2) of subsection (a), the person displaying, selling, or attempting to sell, purchasing, or attempting to purchase the social security number of such individual shall—

(1)

inform such individual of the general purpose for which the social security number will be used, the types of persons to whom the social security number may be available, and the scope of transactions permitted by the consent; and

(2)

obtain the affirmatively expressed consent (electronically or in writing) of such individual.

(c)

Harvested social security numbers

Subsection (a) shall apply to any public record of a Federal agency that contains social security numbers extracted from other public records for the purpose of displaying or selling such numbers to the general public.

(d)

Exceptions

Nothing in this section shall be construed to prohibit or limit the display, sale, or purchase of a social security number—

(1)

as required, authorized, or excepted under Federal law;

(2)

to the extent necessary for a public health purpose, including the protection of the health or safety of an individual in an emergency situation;

(3)

to the extent necessary for a national security purpose;

(4)

to the extent necessary for a law enforcement purpose, including the investigation of fraud and the enforcement of a child support obligation;

(5)

to the extent necessary for research conducted for the purpose of advancing public knowledge, on the condition that the researcher provides adequate assurances that—

(A)

the social security numbers will not be used to harass, target, or publicly reveal information concerning any individual;

(B)

information about individuals obtained from the research will not be used to make decisions that directly affect the rights, benefits, or privileges of specific individuals; and

(C)

the researcher has in place appropriate safeguards to protect the privacy and confidentiality of any information about individuals;

(6)

if such a number is required to be submitted as part of the process for applying for any type of Federal, State, or local government benefit or program;

(7)

when the transmission of the number is incidental to, and in the course of, the sale, lease, franchising, or merger of all or a portion of a business; or

(8)

to the extent only the last 4 digits of a social security number are displayed.

502.

Limits on personal disclosure of social security numbers for commercial transactions and accounts

(a)

In general

Part A of title XI of the Social Security Act (42 U.S.C. 1301 et seq.) is amended by adding the following:

1150A.

Limits on personal disclosure of social security numbers for commercial transactions and accounts

(a)

Account numbers

(1)

In general

A business entity may not—

(A)

require an individual to use the social security number of such individual as an account number or account identifier when purchasing a commercial good or service; or

(B)

deny an individual goods or services for refusing to accept the use of the social security number of such individual as an account number or account identifier.

(2)

Existing account exception

Paragraph (1) shall not apply to any account number or account identifier established prior to the date of enactment of this Act.

(b)

Social security number prerequisites for goods and services

A business entity may not require an individual to provide the social security number of such individual when purchasing a commercial good or service or deny an individual goods or services for refusing to provide that number except for any purpose relating to—

(1)

obtaining a consumer report for any purpose permitted under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(2)

a background check of the individual conducted by a landlord, lessor, employer, or voluntary service agency;

(3)

law enforcement; or

(4)

a Federal, State, or local law requirement.

(c)

Application of civil money penalties

A violation of this section shall be deemed to be a violation of section 1129(a).

(d)

Application of criminal penalties

A violation of this section shall be deemed to be a violation of section 208(a)(8).

.

503.

Public records

(a)

In general

Except as provided in paragraph (2), paragraphs (a) and (b) of section 501 shall apply to all public records posted on the Internet or provided in an electronic medium by, or on behalf of, a Federal agency.

(b)

Exceptions

(1)

Truncation and prior displays

Section 501(a) shall not apply to—

(A)

a public record which displays only the last 4 digits of the social security number of an individual; and

(B)

any record or a category of public records first posted on the Internet or provided in an electronic medium by, or on behalf of, a Federal agency prior to the date of enactment of this Act.

(2)

Law enforcement

Nothing in this subsection shall be construed to prevent an entity acting pursuant to a police investigation or regulatory power of a domestic governmental unit from accessing the full social security number of an individual.

504.

Treatment of social security numbers on government checks and prohibition of inmate access

(a)

Prohibition of use of social security numbers on checks issued for payment by governmental entities

(1)

In general

Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at the end the following:

(x)

No Federal, State, or local agency may display the social security account number of any individual, or any derivative of such number, on any check issued for any payment by the Federal, State, or local agency.

.

(2)

Effective date

The amendment made under paragraph (1) shall apply with respect to checks issued after the date that is 3 years after the date of enactment of this Act.

(b)

Prohibition on inmate access to social security numbers

(1)

In general

Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)), as amended by subsection (b), is further amended by adding at the end the following:

(xi)
(I)

No Federal, State, or local agency may employ, or enter into a contract for the use or employment of, prisoners in any capacity that would allow such prisoners access to the social security account numbers of other individuals.

(II)

For purposes of this clause, the term prisoner means an individual confined in a jail, prison, or other penal institution or correctional facility pursuant to conviction of such individual of a criminal offense.

.

(2)

Effective date

The amendment made under paragraph (1) shall apply with respect to employment of prisoners, or entry into contract with prisoners, after the date that is 1 year after the date of enactment of this Act.

505.

Study and report

(a)

By the Comptroller General

The Comptroller General of the United States (in this section referred to as the Comptroller General) shall conduct a study and prepare a report on—

(1)

all of the uses of social security numbers permitted, required, authorized, or excepted under any Federal law; and

(2)

the uses of social security numbers in Federal, State, and local public records.

(b)

Content of report

The report required under subsection (a) shall—

(1)

identify users of social security numbers under Federal law;

(2)

include a detailed description of the uses allowed as of the date of enactment of this Act;

(3)

describe the impact of such uses on privacy and data security;

(4)

evaluate whether such uses should be continued or discontinued by appropriate legislative action;

(5)

examine whether States are complying with prohibitions on the display and use of social security numbers—

(A)

under the Privacy Act of 1974 (5 U.S.C. 552a et seq.); and

(B)

the Driver's Privacy Protection Act of 1994 (18 U.S.C. 2721 et seq.);

(6)

include a review of the uses of social security numbers in Federal, State, or local public records;

(7)

include a review of the manner in which public records are stored (with separate reviews for both paper records and electronic records);

(8)

include a review of the advantages, utility, and disadvantages of public records that contain social security numbers, including—

(A)

impact on law enforcement;

(B)

threats to homeland security; and

(C)

impact on personal privacy and security;

(9)

include an assessment of the costs and benefits to State and local governments of truncating, redacting, or removing social security numbers from public records, including a review of current technologies and procedures for truncating, redacting, or removing social security numbers from public records (with separate assessments for both paper and electronic records);

(10)

include an assessment of the benefits and costs to businesses, non-profit organizations, and the general public of requiring truncation, redaction, or removal of social security numbers on public records (with separate assessments for both paper and electronic records);

(11)

include an assessment of Federal and State requirements to truncate social security numbers, and issue recommendations on—

(A)

how to harmonize those requirements; and

(B)

whether to further extend truncation requirements, taking into consideration the impact on accuracy and use;

(12)

include recommendations regarding whether subsection (a) should apply to any record or category of public records first posted on the Internet or provided in an electronic medium by, or on behalf of, a Federal agency prior to the date of enactment of this Act; and

(13)

include such recommendations for legislation based on criteria the Comptroller General determines to be appropriate.

(c)

Required consultation

In developing the report required under this subsection, the Comptroller General shall consult with—

(1)

the Administrative Office of the United States Courts;

(2)

the Conference of State Court Administrators;

(3)

the Department of Justice;

(4)

the Department of Homeland Security;

(5)

the Social Security Administration;

(6)

State and local governments that store, maintain, or disseminate public records; and

(7)

other stakeholders, including members of the private sector who routinely use public records that contain social security numbers.

(d)

Timing of report

Not later than 1 year after the date of enactment of this Act, the Comptroller General shall report to Congress its findings under this section.

506.

Enforcement

(a)

Civil penalties

(1)

In general

Any person that violates the provisions of sections 501 or 502 shall be subject to civil penalties of not more than $5,000 per violation per day, with a maximum of $35,000 per day, while such violations persist.

(2)

Intentional or willful violation

Any person who intentionally or willfully violates the provisions of sections 501 or 502 shall be subject to additional penalties in the amount of $5,000 per violation per day, with a maximum of an additional $35,000 per day, while such violations persist.

(3)

Equitable relief

Any person who engages in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.

(4)

Other rights and remedies

The rights and remedies available under this section are cumulative and shall not affect any other rights and remedies available under law.

(b)

Injunctive actions by the Attorney General

(1)

In general

Whenever it appears that a person to which this title applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this title, the Attorney General may bring a civil action in an appropriate district court of the United States to—

(A)

enjoin such act or practice;

(B)

enforce compliance with this title; and

(C)

obtain damages—

(i)

in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and

(ii)

punitive damages, if the violation is willful or intentional; and

(D)

obtain such other relief as the court determines to be appropriate.

(2)

Other injunctive relief

Upon a proper showing in the action under paragraph (1), the court shall grant a permanent injunction or a temporary restraining order without bond.

(c)

State enforcement

(1)

Civil actions

In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates this section, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to—

(A)

enjoin that act or practice;

(B)

enforce compliance with this Act;

(C)

obtain damages, restitution, or other compensation on behalf of residents of that State; or

(D)

obtain such other legal and equitable relief as the court may consider to be appropriate.

(2)

Notice

(A)

In general

Before filing an action under this subsection, the attorney general of the State involved shall provide to the Attorney General—

(i)

a written notice of that action; and

(ii)

a copy of the complaint for that action.

(B)

Exception

Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action.

(C)

Notification when practicable

In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Attorney General as soon after the filing of the complaint as practicable.

(3)

Attorney General authority

Upon receiving notice under paragraph (2), the Attorney General shall have the right to—

(A)

move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);

(B)

intervene in an action brought under paragraph (1); and

(C)

file petitions for appeal.

(4)

Pending proceedings

If the Attorney General has instituted a proceeding or action for a violation of this Act or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.

(5)

Rule of construction

For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—

(A)

conduct investigations;

(B)

administer oaths and affirmations; or

(C)

compel the attendance of witnesses or the production of documentary and other evidence.

(6)

Venue; service of process

(A)

Venue

Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

(B)

Service of process

In an action brought under this subsection process may be served in any district in which the defendant—

(i)

is an inhabitant; or

(ii)

may be found.

507.

Relation to State laws

(a)

In general

Except as provided in subsection (b), this title does not annul, alter, affect, or exempt any person subject to the provisions of this title from complying with the laws of any State with respect to protecting and securing social security numbers, except to the extent that those laws are inconsistent with any provisions of this title, and then only to the extent of such inconsistency.

(b)

Exceptions

No requirement or prohibition may be imposed under the laws of any State with respect to any subject matter regulated under—

(1)

section 501(b), relating to prerequisites for consent for the display, sale, or purchase of social security numbers;

(2)

section 501(c), relating to harvesting of social security numbers; and

(3)

section 504, relating to treatment of social security numbers on government checks and prohibition of inmate access.

VI

Government access to and use of commercial data

601.

General Services Administration review of contracts

(a)

In general

In considering contract awards entered into after the date of enactment of this Act, the Administrator of the General Services Administration shall evaluate—

(1)

the program of a contractor to ensure the privacy and security of data containing personally identifiable information;

(2)

the compliance of a contractor with such program;

(3)

the extent to which the databases and systems containing personally identifiable information of a contractor have been compromised by security breaches; and

(4)

the response by a contractor to such breaches, including the efforts of a contractor to mitigate the impact of such breaches.

(b)

Penalties

In awarding contracts for products or services related to access, use, compilation, distribution, processing, analyzing, or evaluating personally identifiable information, the Administrator of the General Services Administration shall include the following:

(1)

Monetary or other penalties—

(A)

for failure to comply with subtitles A and B of title IV of this Act;

(B)

if a contractor knows or has reason to know that the personally identifiable information being provided is inaccurate, and provides such inaccurate information; or

(C)

if a contractor is notified by an individual that the personally identifiable information being provided is inaccurate and it is in fact inaccurate.

(2)

Accuracy update requirements that obligate a contractor to provide notice to the Federal department or agency of any changes or corrections to the personally identifiable information provided under the contract.

602.

Requirement to audit information security practices of contractors and third party business entities

Section 3544(b) of title 44, United States Code, is amended—

(1)

in paragraph (7)(C)(iii), by striking and after the semicolon;

(2)

in paragraph (8), by striking the period and inserting ; and; and

(3)

by adding at the end the following:

(9)

procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the information systems or operations of the agency involving personally identifiable information, and ensuring remedial action to address any significant deficiencies.

.

603.

Privacy impact assessment of government use of commercial information services containing personally identifiable information

(a)

In general

Section 208(b)(1) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended—

(1)

in subparagraph (A)(i), by striking or; and

(2)

in subparagraph (A)(ii), by striking the period and inserting ; or; and

(3)

by inserting after clause (ii) the following:

(iii)

purchasing or subscribing for a fee to personally identifiable information from a commercial entity (other than news reporting or telephone directories).

.

(b)

Limitation

Notwithstanding any other provision of law, commencing 60 days after the date of enactment of this Act, no Federal department or agency may procure or access any commercially available database consisting primarily of personally identifiable information concerning United States persons (other than news reporting or telephone directories) unless the head of such department or agency—

(1)

completes a privacy impact assessment under section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note), which shall include a description of—

(A)

such database;

(B)

the name of the commercial entity from whom it is obtained; and

(C)

the amount of the contract for use;

(2)

adopts regulations that specify—

(A)

the personnel permitted to access, analyze, or otherwise use such databases;

(B)

standards governing the access, analysis, or use of such databases;

(C)

any standards used to ensure that the personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal department or agency;

(D)

standards limiting the retention and redisclosure of personally identifiable information obtained from such databases;

(E)

procedures ensuring that such data meet standards of accuracy, relevance, completeness, and timeliness;

(F)

the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases;

(G)

applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases;

(H)

mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and

(I)

an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases; and

(3)

incorporates into the contract or other agreement with the commercial entity, provisions—

(A)

providing for penalties—

(i)

if the entity knows or has reason to know that the personally identifiable information being provided to the Federal department or agency is inaccurate, and provides such inaccurate information; or

(ii)

if the entity is notified by an individual that the personally identifiable information being provided to the Federal department or agency is inaccurate and it is in fact inaccurate; and

(B)

requiring commercial entities to inform Federal departments or agencies to which they sell, disclose, or provide access to personally identifiable information of any changes or corrections to the personally identifiable information.

(c)

Individual screening programs

Notwithstanding any other provision of law, commencing 60 days after the date of enactment of this Act, no Federal department or agency may use commercial databases to implement an individual screening program unless such program is—

(1)

congressionally authorized; and

(2)

subject to regulations developed by notice and comment that—

(A)

establish a procedure to enable individuals, who suffer an adverse consequence because the screening system determined that they might pose a security threat, to appeal such determination and correct information contained in the system;

(B)

ensure that Federal and commercial databases that will be used to establish the identity of individuals or otherwise make assessments of individuals under the system will not produce a large number of false positives or unjustified adverse consequences;

(C)

ensure the efficacy and accuracy of all of the search tools that will be used and ensure that the department or agency can make an accurate predictive assessment of those who may constitute a threat;

(D)

establish an internal oversight board to oversee and monitor the manner in which the system is being implemented;

(E)

establish sufficient operational safeguards to reduce the opportunities for abuse;

(F)

implement substantial security measures to protect the system from unauthorized access;

(G)

adopt policies establishing the effective oversight of the use and operation of the system; and

(H)

ensure that there are no specific privacy concerns with the technological architecture of the system.

(d)

Study of government use

(1)

Scope of study

Not later than 180 days after the date of enactment of this Act, the Comptroller General of the United States shall conduct a study and audit and prepare a report on Federal agency use of commercial databases, including the impact on privacy and security, and the extent to which Federal contracts include sufficient provisions to ensure privacy and security protections, and penalties for failures in privacy and security practices.

(2)

Report

A copy of the report required under paragraph (1) shall be submitted to Congress.

604.

Implementation of Chief Privacy Officer requirements

(a)

Designation of the Chief Privacy Officer

Pursuant to the requirements under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (division H of Public Law 108–447; 118 Stat. 3199) that each agency designate a Chief Privacy Officer, the Department of Justice shall implement such requirements by designating a department-wide Chief Privacy Officer, whose primary role shall be to fulfill the duties and responsibilities of Chief Privacy Officer and who shall report directly to the Deputy Attorney General.

(b)

Duties and responsibilities of Chief Privacy Officer

In addition to the duties and responsibilities outlined under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (division H of Public Law 108–447; 118 Stat. 3199), the Department of Justice Chief Privacy Officer shall—

(1)

oversee the Department of Justice’s implementation of the requirements under section 603 to conduct privacy impact assessments of the use of commercial data containing personally identifiable information by the Department;

(2)

promote the use of law enforcement technologies that sustain, rather than erode, privacy protections, and assure that the implementation of such technologies relating to the use, collection, and disclosure of personally identifiable information preserve the privacy and security of such information; and

(3)

coordinate with the Privacy and Civil Liberties Oversight Board, established in the Intelligence Reform and Terrorism Prevention Act of 2004 (Public Law 108–458), in implementing paragraphs (1) and (2) of this subsection.

July 1 (legislative day, June 30), 2005

Read the second time and placed on the calendar