Consumer Data Security and Notification Act of 2005 - Amends the Fair Credit Reporting Act (FCRA) to cover communication of personally identifiable information by certain unregulated information brokers who, for compensation, regularly assemble or evaluate personally identifiable information for the purpose of furnishing reports to third parties (thereby bringing them within the scope of FCRA coverage).
Imposes an affirmative, continuing obligation upon each consumer reporting agency to respect the privacy of consumers and to protect the security and confidentiality of their nonpublic personal information.
Instructs the Federal Trade Commission to promulgate safeguards for the protection of nonpublic consumer information.
Amends the Gramm-Leach-Bliley Act to direct federal oversight agencies to include certain data security notification requirements within the regulations governing financial institutions.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3140 Introduced in House (IH)]
109th CONGRESS
1st Session
H. R. 3140
To expand the protections for sensitive personal information in Federal
law to cover the information collection and sharing practices of
unregulated information brokers, to enhance information security
requirements for consumer reporting agencies and information brokers,
and to require consumer reporting agencies, financial institutions, and
other entities to notify consumers of data security breaches involving
sensitive consumer information, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 30, 2005
Ms. Bean (for herself, Mr. Davis of Alabama, Mr. Frank of
Massachusetts, Mrs. Maloney, Mr. Gutierrez, Mr. Watt, Mr. Ackerman, Mr.
Ford, Mr. Crowley, Mr. Clay, Mrs. McCarthy, Mr. Lynch, Ms. Wasserman
Schultz, and Ms. Moore of Wisconsin) introduced the following bill;
which was referred to the Committee on Financial Services
_______________________________________________________________________
A BILL
To expand the protections for sensitive personal information in Federal
law to cover the information collection and sharing practices of
unregulated information brokers, to enhance information security
requirements for consumer reporting agencies and information brokers,
and to require consumer reporting agencies, financial institutions, and
other entities to notify consumers of data security breaches involving
sensitive consumer information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Consumer Data Security and
Notification Act of 2005''.
SEC. 2. AMENDMENTS TO THE FAIR CREDIT REPORTING ACT.
(a) FCRA Coverage of Data Brokers.--Section 603(d) of the Fair
Credit Reporting Act (15 U.S.C. 1681a(d)) is amended by adding at the
end the following new paragraph:
``(4) Communication of personally identifiable information
by certain persons included.--The term `consumer report' shall
also include any written, oral, electronic, or other
communication of any information by any person which, for
monetary fees, dues or other compensation, regularly engages in
whole or in part in the practice of assembling or evaluating
personally identifiable information for the purpose of
furnishing reports to third parties that includes the name of
any consumer and any of the following information relating to
such consumer:
``(A) Any Social Security account number.
``(B) Any driver's license number.
``(C) Any other identification number issued by a
State or the Federal Government.
``(D) Any bank, savings association, credit union,
or investment account number.
``(E) Any credit card, or debit card account
number.
``(F) Any password, access code, or security code
relating to a bank, savings association, credit union,
or investment account number or credit or debit card
account number.''.
(b) Verification Standards for Users of Consumer Reports.--Section
604(f) of the Fair Credit Reporting Act (15 U.S.C. 1681b(f)) is
amended--
(1) by striking ``and'' at the end of paragraph (1);
(2) by redesignating paragraph (2) as paragraph (3); and
(3) by inserting after paragraph (1) the following new
paragraph:
``(2) the identity of the person requesting the consumer
report has been verified, pursuant to section 607(a), in
accordance with procedures which the Commission shall prescribe
in regulation; and''.
(c) Data Security Standards and Notification of Security
Breaches.--
(1) In general.--The Fair Credit Reporting Act (15 U.S.C.
1681 et seq.) is amended by adding at the end the following new
section:
``SEC. 630. PROTECTION OF NONPUBLIC CONSUMER INFORMATION.
``(a) In General.--Notwithstanding any other provision of this
title, each consumer reporting agency shall have an affirmative and
continuing obligation to respect the privacy of consumers and to
protect the security and confidentiality of consumers' nonpublic
personal information.
``(b) Safeguards Required.--In furtherance of subsection (a), the
Commission shall establish appropriate standards, by regulation, for
consumer reporting agencies relating to administrative, technical, and
physical safeguards--
``(1) to insure the security and confidentiality of
consumer records and information;
``(2) to protect against any anticipated threats or hazards
to the security of such records; and
``(3) to protect against unauthorized access to or use of
such records or information which could result in substantial
harm or inconvenience to any customer.
``(c) Notification of Data Security Breaches.--
``(1) In general.--The regulations prescribed under
subsection (b) shall include requirements for the notification
of consumers following the discovery of a breach of security of
any data system maintained by the consumer reporting agency in
which sensitive consumer information was, or is reasonably
believed to have been, acquired by an unauthorized person.
``(2) Content of regulations.--The regulations prescribed
under paragraph (1) shall include the following requirements or
provisions:
``(A) A requirement that a consumer reporting
agency provide written notice to a consumer whenever
such agency becomes aware that sensitive personal
information relating to the consumer has been, or is
reasonably believed to have been, acquired by an
unauthorized person, unless the consumer reporting
agency, after appropriate investigation--
``(i) reasonably concludes that misuse of
the information is unlikely to occur;
``(ii) notifies the appropriate law
enforcement agency of the data security breach;
and
``(iii) takes appropriate steps to remedy
the security breach and safeguard the interests
of affected consumers.
``(B) A requirement that the notices required under
paragraph (1) be provided by a consumer reporting
agency without unreasonable delay following--
``(i) the discovery by such agency of a
breach of security in the data system; and
``(ii) reasonable actions which the
consumer reporting agency shall take to
investigate the nature and intent of the
breach, prevent further unauthorized access or
disclosure, and restore the reasonable
integrity of the data system.
``(C) A provision that allows for reasonable delay
of such notification to the consumer under paragraph
(1) upon the written request of a law enforcement
agency which has determined that the notification
required under paragraph (1) would seriously impede a
criminal investigation.
``(D) A provision that the written notice required
under paragraph (1) may be made by an electronic
transmission only if--
``(i) the consumer has provided prior
consent to receive any such notice by
electronic transmission; and
``(ii) the notice is consistent with the
provisions permitting electronic transmission
of notices under section 101 of the Electronic
Signatures in Global and National Commerce Act.
``(E) A requirement that the notification provided
to consumers include--
``(i) the date on which the consumers'
nonpublic personal information was, or is
reasonably believed to have been, acquired by
an unauthorized person;
``(ii) the specific information that was,
or is reasonably believed to have been,
acquired by an unauthorized person, including
Social Security account numbers, bank or
investment account numbers, credit or debit
card account numbers, or any password or code
relating to such accounts;
``(iii) the actions taken by the consumer
reporting agency to address or remedy the
security breach and prevent unauthorized use of
nonpublic personal information;
``(iv) the summary of rights of consumer
victims of fraud or identity theft prepared by
the Federal Trade Commission under section
609(d) and information on how to contact the
Commission for more detailed information; and
``(v) the toll-free telephone number where
consumers may obtain additional information
about the security breach and an explanation of
available options to protect their consumer
file from unauthorized access.
``(3) Treatment of encrypted information.--For purposes of
the regulations prescribed under paragraph (1), the Commission
shall--
``(A) permit a consumer reporting agency, in
connection with any determination pursuant to paragraph
(2)(A)(i), to reasonably conclude that misuse of
information is unlikely to occur where the sensitive
consumer information acquired, or believed to have been
acquired, by an unauthorized person consists of
information that has been encrypted in a manner
consistent with standards set forth under subparagraph
(B);
``(B) identify appropriate standards for encryption
of personal and financial information for purposes of
subparagraph (A), taking into consideration the
Advanced Encryption Standard adopted by the National
Institute of Standards and Technology for use by the
Federal Government; and
``(C) establish appropriate criteria for
determining whether information that has been encrypted
has been accessed by an unauthorized person, and
whether misuse of such information is likely to occur
and notification is required pursuant to this
section.''.
(2) Clerical amendment.--The table of contents for the Fair
Credit Reporting Act is amended by inserting after the item
relating to section 129 the following new item:
``630. Protection of nonpublic consumer information.''.
(d) Use of Consumer Reports for Private Investigations.--
(1) In general.--Section 604(a)(3) of the Fair Credit
Reporting Act (15 U.S.C. 1681b(a)(3)) is amended--
(A) by striking ``or'' at the end of subparagraph
(E);
(B) by redesignating subparagraph (F) as
subparagraph (G); and
(C) by inserting after subparagraph (E) the
following new subparagraph:
``(F) is a duly licensed private investigator who
intends to use the consumer report only in connection
with a lawful investigation within the scope of the
investigator's license and for no other purpose; or''.
(2) Technical and conforming amendment.--Section
603(k)(1)(B)(iv)(I) of the Fair Credit Reporting Act (15 U.S.C.
1681a(k)(1)(B)(iv)(I)) is amended by striking
``604(a)(3)(F)(ii)'' and inserting ``604(a)(3)(G)(ii)''.
(e) Regulations.--The Federal Trade Commission shall prescribe such
regulations as the Commission determines to be necessary to implement
the amendments made by this section and such regulations shall be
published in final form before the end of the 6-month period beginning
on the date of the enactment of this Act.
SEC. 3. AMENDMENTS TO TITLE V OF THE GRAMM-LEACH-BLILEY ACT.
(a) Notification of Security Breaches.--Section 501 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801) is amended by adding at the end the
following new subsection:
``(c) Notification of Data Security Breaches.--
``(1) In general.--In establishing standards pursuant to
subsection (b), each agency or authority described in section
505(a) shall require, in regulation, that a financial
institution notify customers following the discovery of a
breach of security of any data system maintained by the
financial institution in which nonpublic personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person.
``(2) Content of regulations.--The regulations prescribed
under paragraph (1) shall include the following requirements or
provisions:
``(A) A requirement that a financial institution
provide written notice to a customer whenever the
institution becomes aware that sensitive personal
information relating to the customer has been, or is
reasonably believed to have been, acquired by an
unauthorized person, unless the financial institution,
after appropriate investigation, reasonably concludes
that misuse of the information is unlikely to occur,
and--
``(i) promptly notifies its primary Federal
financial regulatory agency of the data
security breach;
``(ii) notifies the appropriate law
enforcement agency of the data security breach;
and
``(iii) takes appropriate steps to remedy
the security breach and safeguard the interests
of affected customers, including monitoring the
affected customers' accounts for unusual or
suspicious activity.
``(B) A requirement that the notice required under
paragraph (1) be provided by a financial institution
without unreasonable delay following--
``(i) the discovery by the financial
institution of a breach of security in the data
system;
``(ii) reasonable investigation of the
nature and scope of the security breach,
including identification of the customer
information systems and specific customer
information or accounts that may have been
accessed;
``(iii) notification of the primary Federal
financial regulatory agency for the financial
institution;
``(iv) notification of appropriate law
enforcement agencies; and
``(v) reasonable measures to prevent
further unauthorized access or disclosure and
to restore the reasonable integrity of the data
system.
``(C) A provision establishing minimum standards
for investigations of the nature and scope of security
breaches, including any limitation on the duration of
such investigations that the agency or authority may
consider appropriate to prevent substantial harm or
inconvenience to any customer;
``(D) A provision that allows for reasonable delay
of such notification upon the written request of a law
enforcement agency which has determined that the
notification required under paragraph (1) would
seriously impede a criminal investigation;
``(E) A provision that the written notice required
under paragraph (1) may be made by an electronic
transmission only if--
``(i) the customer has provided prior
consent to receive any such notice by
electronic transmission; and
``(ii) the notice is consistent with the
provisions permitting electronic transmission
of notices under section 101 of the Electronic
Signatures in Global and National Commerce Act.
``(F) A requirement that the notification provided
to consumers include--
``(i) the date on which the customers'
nonpublic personal information was, or is
reasonably believed to have been, acquired by
an unauthorized person;
``(ii) the specific information that was,
or is reasonably believed to have been,
acquired by an unauthorized person, including
Social Security account numbers, bank or
investment account numbers, credit or debit
card account numbers, or any password or code
relating to such accounts;
``(iii) the actions taken by the financial
institution to address or remedy the security
breach and prevent unauthorized use of
nonpublic customer information;
``(iv) the summary of rights of consumer
victims of fraud or identity theft prepared by
the Federal Trade Commission under section
609(d) of the Fair Credit Reporting Act and
information on how to contact the Commission
for more detailed information; and
``(v) the toll-free telephone number where
customers may obtain additional information
about the security breach and explanations of
available options to protect their consumer
file from unauthorized access.
``(G) A requirement concerning any other action or
disclosure that the agency or authority determines
necessary or appropriate to carry out the intent of
this subsection.
``(3) Certain persons treated as financial institutions for
this subsection.--
``(A) In general.--For purposes of this subsection
(and sections 504, 505, and 507 to the extent
applicable with respect to this subsection), the term
`financial institution' includes any person or
organization that, in the regular course of business,
collects and maintains written or electronic files
containing individually identifiable information on
customer transactions, including any bank, savings
association, or credit union account number, credit
card or debit card number, and any other payment account
number, or any password, access code, or security code
pertaining to any such account or any credit card or
debit card.
``(B) Notification.--A person or organization
described in subparagraph (A) that is required to
provide written notice pursuant to regulations
prescribed under paragraph (1), shall, promptly notify
the appropriate law enforcement agency of the data
security breach, and provide notification, as
appropriate--
``(i) to the customer whose payment account
information has been, or is reasonably believed
to have been, acquired by an unauthorized
person, and such notification includes all
applicable disclosures required by paragraph
(2)(F);
``(ii) to the financial institution which
is the holder of the customer's bank, savings
association, or credit union account, credit
card or debit card account, or other payment
account which has been, or is reasonably
believed to have been, acquired by an
unauthorized person, which shall be in such
form and include such information as required
by regulation; or
``(iii) to the financial intermediary or
network used to effect the credit transaction,
electronic fund transfer, or other form of
payment on behalf of the customer whose payment
account information has been, or is reasonably
believed to have been, acquired by an
unauthorized person, which shall include the
information required by subparagraph (C) and
such other information as required by
regulation.
``(C) Response of financial intermediary or network
upon receiving notice.--A financial intermediary or
network that receives notice of a data security breach
pursuant to subparagraph (B)(iii) shall promptly
communicate to the financial institution which is the
holder of the bank, savings association, or credit
union account, credit card or debit card account, or
other payment account with respect to which such breach
occurred, all necessary information pertaining to the
data security breach, which shall include the date on
which the breach is reasonably believed to have
occurred and the name and location of the person or
organization responsible for maintaining the data
system where the security breach occurred.
``(D) Response of financial institution that holds
customer's account upon receiving notice.--A financial
institution that receives notice of a data security
breach pursuant to subparagraphs (B)(ii) or (C) may
communicate to any customer whose bank, savings
association, or credit union account, credit card or
debit card account, or other payment account is
identified as having been, or is reasonably believed to
have been, acquired by an unauthorized person, any
information it receives relating to the security
breach, including the date on which the breach is
reasonably believed to have occurred and the name and
location of the person or organization responsible for
maintaining the data system where the security breach
occurred.
``(E) Financial intermediary or network defined.--
For purposes of this paragraph, the term `financial
intermediary or network' means a credit card
association, electronic fund transfer network, or other
system, clearinghouse, or network utilized by any
creditor, credit card issuer, financial institution, or
money transmitting business, to effect a credit
transaction, electronic fund transfer, or other money
transmitting, check clearing, or payment service.
``(4) Treatment of encrypted information.--The regulations
prescribed under paragraph (1) shall--
``(A) permit a financial institution, in connection
with any determination pursuant to paragraph (2)(A), to
reasonably conclude that misuse of information is
unlikely to occur where the sensitive consumer
information acquired, or believed to have been
acquired, by an unauthorized person consists of
information that has been encrypted in a manner
consistent with standards set forth under subparagraph
(B);
``(B) identify appropriate standards for encryption
of personal and financial information for purposes of
subparagraph (A), taking into consideration the
Advanced Encryption Standard adopted by the National
Institute of Standards and Technology for use by the
Federal Government; and
``(C) establish appropriate criteria for
determining whether information that has been encrypted
has been accessed by an unauthorized person, and
whether misuse of such information is likely to occur
and notification is required pursuant to this
section.''.
(b) Regulations.--The agencies and authorities described in section
505(a) of the Gramm-Leach-Bliley Act shall, in the manner prescribed in
section 504 of such Act, prescribe such regulations as the agencies and
authorities determine to be necessary to implement the amendments made
by this section and such regulations shall be published in final form
before the end of the 6-month period beginning on the date of the
enactment of this Act.
Introduced in House
Referred to the House Committee on Financial Services.