Notification of Risk to Personal Data Act - Prescribes notification procedures governing any agency, or person engaged in interstate commerce, that owns or licenses electronic data containing personal information, following the discovery of a breach of security of the system containing such data.
Amends the Gramm-Leach-Bliley Act to require a financial institution, at which a breach of personal information is reasonably believed to have occurred, to promptly notify: (1) each affected customer; (2) each pertinent consumer reporting agency; (3) the information clearinghouse established by the Federal Trade Commission (FTC) under this Act; and (4) appropriate law enforcement agencies in any case in which the financial institution has reason to believe that the breach or suspected breach affects a large number of customers.
Requires any person that maintains personal information for or on behalf of a financial institution to notify promptly the financial institution of any case in which such customer information has been, or is reasonably believed to have been, breached.
Amends the Fair Credit Reporting Act to require a consumer reporting agency to maintain a fraud alert file with respect to any consumer upon receiving notice of a breach of personal information from: (1) an agency or person engaged in interstate commerce pursuant to this Act; or (2) a financial institution subject to the Gramm-Leach-Bliley Act.
Authorizes State Attorneys General to bring civil actions in Federal district court to enforce this Act on behalf of the residents of the State.
Directs the FTC to establish and maintain a clearinghouse to collect and analyze information required under this Act.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1069 Introduced in House (IH)]
109th CONGRESS
1st Session
H. R. 1069
To require Federal agencies, and persons engaged in interstate
commerce, in possession of electronic data containing personal
information, to disclose any unauthorized acquisition of such
information, to amend the Gramm-Leach-Bliley Act to require financial
institutions to disclose to customers and consumer reporting agencies
any unauthorized access to personal information, to amend the Fair
Credit Reporting Act to require consumer reporting agencies to
implement a fraud alert with respect to any consumer when the agency is
notified of any such unauthorized access, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
March 3, 2005
Ms. Bean (for herself, Mr. Emanuel, Mr. Gutierrez, Ms. Slaughter, Mr.
Van Hollen, Mr. Towns, Mrs. Maloney, Mr. Lipinski, Mr. McDermott, Ms.
Schakowsky, Mr. Brady of Pennsylvania, and Mr. DeFazio) introduced the
following bill; which was referred to the Committee on Energy and
Commerce, and in addition to the Committees on Government Reform and
Financial Services, for a period to be subsequently determined by the
Speaker, in each case for consideration of such provisions as fall
within the jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To require Federal agencies, and persons engaged in interstate
commerce, in possession of electronic data containing personal
information, to disclose any unauthorized acquisition of such
information, to amend the Gramm-Leach-Bliley Act to require financial
institutions to disclose to customers and consumer reporting agencies
any unauthorized access to personal information, to amend the Fair
Credit Reporting Act to require consumer reporting agencies to
implement a fraud alert with respect to any consumer when the agency is
notified of any such unauthorized access, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Notification of Risk to Personal
Data Act''.
SEC. 2. DEFINITIONS.
In this Act, the following definitions shall apply:
(1) Agency.--The term ``agency'' has the same meaning given
such term in section 551(1) of title 5, United States Code.
(2) Breach of security of the system.--The term ``breach of
security of the system''--
(A) means the compromise of the security,
confidentiality, or integrity of computerized data that
results in, or there is a reasonable basis to conclude
has resulted in, the unauthorized acquisition or loss
of, and access to, personal information maintained by
the person or business; and
(B) does not include good faith acquisition of
personal information by an employee or agent of the
person or business for the purposes of the person or
business, if the personal information is not used or
subject to further unauthorized disclosure.
(3) Person.--The term ``person'' has the same meaning given
such term in section 551(2) of title 5, United States Code.
(4) Personal information.--The term ``personal
information'' means an individual's last name in combination
with any 1 or more of the following data elements, when either
the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver's license number or State identification
number.
(C) Account number, credit or debit card number, in
combination with any required security code, access
code, or password that would permit access to an
individual's financial account.
(5) Substitute notice.--The term ``substitute notice''
means--
(A) e-mail notice, if the agency or person has an
e-mail address for the subject persons;
(B) conspicuous posting of the notice on the
Internet site of the agency or person, if the agency or
person maintains an Internet site; or
(C) notification to major media.
SEC. 3. DATABASE SECURITY FOR AGENCIES AND NONFINANCIAL INSTITUTIONS.
(a) Disclosure of Security Breach.--
(1) In general.--Any agency, or person engaged in
interstate commerce, that owns or licenses electronic data
containing personal information shall, following the discovery
of a breach of security of the system containing such data,
notify--
(A) any resident of the United States whose
unencrypted personal information was, or is reasonably
believed to have been, lost or acquired by an
unauthorized person; and
(B) each consumer reporting agency described in
section 603(p) of the Fair Credit Reporting Act of such
loss or unauthorized acquisition with respect to such
consumer.
(2) Notification of owner or licensee.--Any agency, or
person engaged in interstate commerce, in possession of
electronic data containing personal information that the agency
does not own or license shall notify the owner or licensee of
the information if the personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person through a breach of security of the system containing
such data.
(3) Timeliness of notification.--Except as provided in
paragraph (4), all notifications required under paragraph (1)
or (2) shall be made as expediently as possible and without
unreasonable delay following--
(A) the discovery by the agency or person of a
breach of security of the system; and
(B) any measures necessary to determine the scope
of the breach, prevent further disclosures, and restore
the reasonable integrity of the data system.
(4) Delay of notification authorized for law enforcement
purposes.--If a law enforcement agency determines that the
notification required under this subsection would impede a
criminal investigation, such notification may be delayed until
such law enforcement agency determines that the notification
will no longer compromise such investigation.
(5) Methods of notice.--An agency, or person engaged in
interstate commerce, shall be in compliance with this
subsection if it provides the resident, owner, or licensee, as
appropriate, with--
(A) written notification;
(B) e-mail notice, if the person or business has an
e-mail address for the subject person; or
(C) substitute notice, if--
(i) the agency or person demonstrates that
the cost of providing direct notice would
exceed $250,000;
(ii) the affected class of subject persons
to be notified exceeds 500,000; or
(iii) the agency or person does not have
sufficient contact information for those to be
notified.
(6) Alternative notification procedures.--Notwithstanding
any other obligation under this subsection, an agency, or
person engaged in interstate commerce, shall be deemed to be in
compliance with this subsection if the agency or person--
(A) maintains its own reasonable notification
procedures as part of an information security policy
for the treatment of personal information; and
(B) notifies subject persons in accordance with its
information security policy in the event of a breach of
security of the system.
(7) Reasonable notification procedures.--As used in
paragraph (6), with respect to a breach of security of the
system involving personal information described in section
2(4)(C), the term ``reasonable notification procedures'' means
procedures that--
(A) use a security program reasonably designed to
block unauthorized transactions before they are charged
to the customer's account; and
(B) provide for notice to be given by the owner or
licensee of the database, or another party acting on
behalf of such owner or licensee, after the security
program indicates that the breach of security of the
system has resulted in fraud or unauthorized
transactions, but does not necessarily require notice
in other circumstances.
(8) Notice to information clearinghouse.--In addition to
any other notice requirement under this subsection, an agency
or person engaged in interstate commerce shall--
(A) notify the information clearinghouse
established by the Federal Trade Commission under
section 7 upon the occurrence of any breach for which
notice is required under paragraph (1); and
(B) provide such information as the Commission may
require with respect to the circumstances and manner of
the breach and the system on which the breach occurred.
(b) Civil Remedies.--
(1) Penalties.--Any agency, or person engaged in interstate
commerce, that violates this section shall be subject to a fine
of not more than $5,000 per violation, to a maximum of $25,000
per day while such violations persist.
(2) Equitable relief.--Any person engaged in interstate
commerce that violates, proposes to violate, or has violated
this section may be enjoined from further violations by a court
of competent jurisdiction.
(3) Other rights and remedies.--The rights and remedies
available under this subsection are cumulative and shall not
affect any other rights and remedies available under law.
(c) Enforcement.--The Federal Trade Commission is authorized to
enforce compliance with this section, including the assessment of fines
under subsection (b)(1).
(d) Coordination With Other Provisions of Law.--This section shall
not apply with respect to a financial institution (as defined in
section 509(3) of the Gramm-Leach-Bliley Act) that is subject to
section 526 of such Act.
SEC. 4. TIMELY NOTIFICATION BY FINANCIAL INSTITUTIONS OF UNAUTHORIZED
ACCESS TO PERSONAL INFORMATION.
Subtitle B of title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6821
et seq.) is amended--
(1) by redesignating sections 526 and 527 as sections 528
and 529, respectively; and
(2) by inserting after section 525 the following:
``SEC. 526. NOTIFICATION TO CUSTOMERS OF UNAUTHORIZED ACCESS TO
PERSONAL INFORMATION.
``(a) Definitions.--For purposes of this section, the following
definitions shall apply:
``(1) Breach.--The term `breach'--
``(A) means unauthorized acquisition or loss of
computerized data or paper records which compromises
the security, confidentiality, or integrity of personal
information maintained by or on behalf of a financial
institution; and
``(B) does not include a good faith acquisition of
personal information by an employee or agent of a
financial institution for a business purpose of the
institution, if the personal information is not subject
to further unauthorized disclosure; and
``(2) Personal information.--With respect to a customer of
a financial institution, the term `personal information' means
the first name or first initial and last name of the customer,
in combination with any 1 or more of the following data
elements, when either the name or the data element is not
encrypted:
``(A) A social security number.
``(B) A driver's license number or other officially
recognized form of identification.
``(C) A credit card number, debit card number, or
any required security code, access code, or password
that would permit access to financial account
information relating to that customer.
``(b) Notification Relating to Breach of Personal Information.--
``(1) Financial institution requirement.--In any case in
which there has been a breach of personal information at a
financial institution, or such a breach is reasonably believed
to have occurred, the financial institution shall promptly
notify--
``(A) each customer affected by the violation or
suspected violation;
``(B) each consumer reporting agency described in
section 603(p) of the Fair Credit Reporting Act;
``(C) the information clearinghouse established by
the Federal Trade Commission under section 7 of the
Notification of Risk to Personal Data Act (together
with such information as the Commission may require
with respect to the circumstances and manner of the
breach and the system on which the breach occurred);
and
``(D) appropriate law enforcement agencies, in any
case in which the financial institution has reason to
believe that the breach or suspected breach affects a
large number of customers, including as described in
subsection (e)(1)(C), subject to regulations of the
Federal Trade Commission.
``(2) Other entities.--For purposes of paragraph (1), any
person that maintains personal information for or on behalf of
a financial institution shall promptly notify the financial
institution of any case in which such customer information has
been, or is reasonably believed to have been, breached.
``(c) Timing.--Any notification required by this section shall be
made--
``(1) promptly and without unreasonable delay, upon
discovery of the breach or suspected breach; and
``(2) consistent with--
``(A) the legitimate needs of law enforcement, as
provided in subsection (d); and
``(B) any measures necessary to determine the scope
of the breach or restore the reasonable integrity of
the information security system of the financial
institution.
``(d) Delays for Law Enforcement Purposes.--Any notification
required by this section may be delayed if a law enforcement agency
determines that the notification would impede a criminal investigation,
and in any such case, notification shall be made promptly after the law
enforcement agency determines that it would not compromise the
investigation.
``(e) Form of Notice.--Any notification required by this section
may be provided--
``(1) to a customer--
``(A) in writing;
``(B) in electronic form, if the notice provided is
consistent with the provisions regarding electronic
records and signatures set forth in section 101 of the
Electronic Signatures in Global and National Commerce
Act;
``(C) if the Federal Trade Commission determines
that the number of all customers affected by, or the
cost of providing notifications relating to, a single
breach or suspected breach would make other forms of
notification prohibitive, or in any case in which the
financial institution certifies in writing to the
Federal Trade Commission that it does not have
sufficient customer contact information to comply with
other forms of notification, in the form of--
``(i) an e-mail notice, if the financial
institution has access to an e-mail address for
the affected customer that it has reason to
believe is accurate;
``(ii) a conspicuous posting on the
Internet website of the financial institution,
if the financial institution maintains such a
website; or
``(iii) notification through the media that
a breach of personal information has occurred
or is suspected that compromises the security,
confidentiality, or integrity of customer
information of the financial institution; or
``(D) in such other form as the Federal Trade
Commission may by rule prescribe; and
``(2) to consumer reporting agencies and law enforcement
agencies (where appropriate), in such form as the Federal Trade
Commission may prescribe, by rule.
``(f) Content of Notification.--Each notification to a customer
under subsection (b) shall include--
``(1) a statement that--
``(A) credit reporting agencies have been notified
of the relevant breach or suspected breach; and
``(B) the credit report and file of the customer
will contain a fraud alert to make creditors aware of
the breach or suspected breach, and to inform creditors
that the express authorization of the customer is
required for any new issuance or extension of credit
(in accordance with section 605(g) of the Fair Credit
Reporting Act); and
``(2) such other information as the Federal Trade
Commission determines is appropriate.
``(g) Compliance.--Notwithstanding subsection (e), a financial
institution shall be deemed to be in compliance with this section if--
``(1) the financial institution has established a
comprehensive information security program that is consistent
with the standards prescribed by the appropriate regulatory
body under section 501(b);
``(2) the financial institution notifies affected customers
and consumer reporting agencies in accordance with its own
internal information security policies in the event of a breach
or suspected breach of personal information; and
``(3) such internal security policies incorporate
notification procedures that are consistent with the
requirements of this section and the rules of the Federal Trade
Commission under this section.
``(h) Civil Penalties.--
``(1) Damages.--Any customer injured by a violation of this
section may institute a civil action to recover damages arising
from that violation.
``(2) Injunctions.--Actions of a financial institution in
violation or potential violation of this section may be
enjoined.
``(3) Cumulative effect.--The rights and remedies available
under this section are in addition to any other rights and
remedies available under applicable law.
``(i) Rules of Construction.--
``(1) In general.--Compliance with this section by a
financial institution shall not be construed to be a violation
of any provision of subtitle A, or any other provision of
Federal or State law prohibiting the disclosure of financial
information to third parties.
``(2) Limitation.--Except as specifically provided in this
section, nothing in this section requires or authorizes a
financial institution to disclose information that it is
otherwise prohibited from disclosing under subtitle A or any
other provision of Federal or State law.
``(3) No new recordkeeping obligation.--No provision of
this section shall be construed as creating an obligation on
the part of a financial institution to obtain, retain, or
maintain information or records that are not otherwise required
to be obtained, retained, or maintained in the ordinary course
of business of the financial institution or under other
applicable law.''.
SEC. 5. INCLUSION OF FRAUD ALERTS IN CONSUMER CREDIT REPORTS.
Section 605A(a) of the Fair Credit Reporting Act (15 U.S.C. 1681c-
1(a)) is amended by adding at the end the following new paragraph:
``(3) Treatment of notice of a breach as a request from the
consumer for an initial alert.--A consumer reporting agency
described in section 603(p) shall take the action required
under paragraph (1) with respect to any consumer and the file
of any consumer upon receiving notice of a breach of personal
information with respect to such consumer from--
``(A) an agency or person engaged in interstate
commerce pursuant to section 3(a) of the Notification
of Risk to Personal Data Act; or
``(B) a financial institution pursuant to section
526(b)(1)(B) of the Gramm-Leach-Bliley Act.''.
SEC. 6. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by the engagement of any person in a
practice that is prohibited under this Act or the amendments
made by this Act, the State, as parens patriae, may bring a
civil action on behalf of the residents of the State in a
district court of the United States of appropriate jurisdiction
to--
(A) enjoin that practice;
(B) enforce compliance with this Act;
(C) obtain damage, restitution, or other
compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may
consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State
involved shall provide to the Attorney General (or the
Federal functional regulator, in the case of a
financial institution (as such terms are defined in
section 509 of the Gramm-Leach-Bliley Act))--
(i) written notice of the action; and
(ii) a copy of the complaint for the
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subsection, if the State attorney general
determines that it is not feasible to provide
the notice described in such subparagraph
before the filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the Attorney General or the
Federal functional regulator at the time the
State attorney general files the action.
(b) Construction.--For purposes of bringing any civil action under
subsection (a), nothing in this Act shall be construed to prevent an
attorney general of a State from exercising the powers conferred on
such attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(c) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in the district court of the United States that meets
applicable requirements relating to venue under section 1391 of
title 28, United States Code.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 7. FEDERAL INFORMATION CLEARINGHOUSE.
(a) In General.--The Federal Trade Commission shall establish and
maintain a clearinghouse to collect and analyze information submitted
under section 3(a)(7) of this Act and section 526(b)(1)(C) of the
Gramm-Leach-Bliley Act.
(b) Annual Report.--The Federal Trade Commission, in consultation
with the Federal functional regulators, shall submit an annual report
to the Congress containing--
(1) containing a summary of the types of breaches that have
occurred during the period covered by the report and an
identification of trends in the manner in which unauthorized
access to and acquisition of personal information is being
accomplished; and
(2) such recommendations for administrative or legislative
action as the Commission or any Federal functional regulator
may determine to be appropriate.
SEC. 8. EFFECT ON STATE LAW.
The provisions of this Act shall supersede any inconsistent
provisions of law of any State or unit of local government relating to
the notification of any resident of the United States of any breach of
security of an electronic database containing such resident's personal
information (as defined in this Act), except as provided under sections
1798.82 and 1798.29 of the California Civil Code.
SEC. 9. EFFECTIVE DATE.
This Act, and the amendments made by this Act, shall take effect at
the end of the 6-month period beginning on the date of the enactment of
this Act.
Introduced in House
Referred to the Committee on Energy and Commerce, and in addition to the Committees on Government Reform, and Financial Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Subcommittee on Commerce, Trade and Consumer Protection.
Referred to the Subcommittee on Financial Institutions and Consumer Credit.