Financial Data Security Act of 2005 - Amends the Fair Credit Reporting Act to declare that each consumer reporting agency, reporting broker, or reporting collector (consumer reporter) has an obligation to maintain reasonable policies and procedures to protect the security and confidentiality of a consumer's sensitive financial account and identity information against any unauthorized use that is reasonably likely to result in substantial inconvenience or substantial harm to such consumer.
Prescribes data security safeguards that include: (1) investigations to protect against identity theft and fraudulent transactions; (2) notification alerts to law enforcement agencies, functional regulatory agencies, and affected consumers; (3) investigation and notice requirements for third party agreements; and (4) financial fraud mitigation procedures that offer free file monitoring service for affected consumers.
Requires the Secretary of the Treasury (Secretary), the Board of Governors of the Federal Reserve System (Board), and the Federal Trade Commission (FTC) jointly to prescribe regulations that shield a consumer reporter from liability under state common law for loss or harm to the consumer subsequent to such reporter's offer of the free file monitoring service.
Cites conditions under which persons in compliance with the Gramm-Leach-Bliley Act governing disclosure of nonpublic personal financial information shall be deemed to be in compliance with this Act.
Prescribes guidelines for joint promulgation of uniform security regulations by the Secretary, the Board, and the FTC.
Preempts state law with respect to the data security safeguards and financial fraud mitigation prescribed by this Act.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3375 Introduced in House (IH)]
109th CONGRESS
1st Session
H. R. 3375
To amend the Fair Credit Reporting Act to provide for secure financial
data, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
July 21, 2005
Ms. Pryce of Ohio (for herself, Mr. Castle, and Mr. Moore of Kansas)
introduced the following bill; which was referred to the Committee on
Financial Services
_______________________________________________________________________
A BILL
To amend the Fair Credit Reporting Act to provide for secure financial
data, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Financial Data Security Act of
2005''.
SEC. 2. DATA SECURITY SAFEGUARDS.
(a) In General.--The Fair Credit Reporting Act (15 U.S.C. 1681) is
amended by adding at the end the following new section:
``Sec. 630. Data security safeguards
``(a) Security Policies and Procedures.--Each consumer reporter
shall have an affirmative and continuing obligation to maintain
reasonable policies and procedures to protect the security and
confidentiality of sensitive financial account information and
sensitive financial identity information of any consumer that is
maintained or received by or on behalf of such consumer reporter
against any unauthorized use that is reasonably likely to result in
substantial inconvenience or substantial harm to such consumer.
``(b) Investigation Requirements.--
``(1) Protecting against identity theft.--
``(A) Investigation required.--If a consumer
reporter is aware that a breach of data security has
occurred, or is reasonably likely to have occurred,
with respect to sensitive financial identity
information maintained by or on behalf of the consumer
reporter, the consumer reporter shall conduct an
investigation to determine the likelihood that such
information will be misused against any consumer to
whom any of such information relates in a manner that
would cause substantial inconvenience or substantial
harm to any such consumer.
``(B) Scope of investigation.--An investigation
conducted under subparagraph (A) shall be commensurate
with the nature and the amount of the sensitive
financial identity information that is subject to the
breach of data security.
``(C) Factors to be considered.--In determining the
likelihood that sensitive financial identity
information that was the subject of a breach of data
security has been or will be misused, the consumer
reporter shall consider all available relevant facts,
including whether the information that was subject to
the breach was unencrypted or unredacted, or required
technology to use that is not generally commercially
available.
``(2) Protecting against fraudulent transactions.--
``(A) Investigation required.--If a consumer
reporter is aware that a breach of data security has
occurred or is reasonably likely to have occurred with
respect to sensitive financial account information,
maintained by or on behalf of the consumer reporter,
the consumer reporter shall conduct an investigation to
determine the likelihood that such information will be
misused against any consumer to whom any of such
information relates to make 1 or more fraudulent
transactions on a financial account to which the
sensitive financial account information relates in a
manner that would cause substantial inconvenience or
substantial harm to such consumer.
``(B) Scope of investigation.--An investigation
conducted under subparagraph (A) shall be commensurate
with the nature and the amount of the sensitive
financial account information that is subject to the
breach of data security.
``(C) Factors to be considered.--In determining the
likelihood that the sensitive financial account
information that was the subject of a breach of data
security has been or will be misused, the consumer
reporter shall consider all available relevant facts,
including whether--
``(i) the information that was subject to
the breach was unencrypted, unredacted, or
required technology to use that is not
generally commercially available; and
``(ii) on an ongoing basis, any security
programs used by, or on behalf of, the consumer
reporter have detected, or are likely to
detect, fraudulent transactions resulting from
the breach of data security.
``(c) Notice Requirement.--
``(1) Notice of potential identity theft risk.--In the case
of any actual or reasonably likely breach of data security with
respect to sensitive financial identity information for which
an investigation is required under subsection (b)(1)(A), unless
the consumer reporter determines (after conducting a reasonable
investigation that meets the requirements of such subsection)
that it is not reasonably likely that such information will be
misused to commit financial fraud against any consumer to whom
such sensitive financial identity information relates in a
manner that would cause substantial inconvenience or
substantial harm to such consumer, the consumer reporter shall
provide notice, in the manner provided in subsection (e), to--
``(A) any appropriate law enforcement agency;
``(B) the appropriate functional regulatory agency
for the consumer reporter;
``(C) if the information relates to a financial
account provided to, maintained for, or serviced for
any consumer by a person other than the consumer
reporter, the person that provides, maintains, or
services the financial account for the consumer;
``(D) if the consumer reporter determines that it
is likely to be providing notice under this paragraph
to 1,000 or more consumers for any breach of data
security--
``(i) each nationwide consumer reporting
agency; and
``(ii) any other consumer reporting agency
that the consumer reporter identifies, or
expects to identify, in the notice provided to
the consumer under subparagraph (E);
``(E) any consumer to whom the sensitive financial
identity information relates; and
``(F) if the sensitive financial identity
information concerning any consumer is provided to,
maintained by, or serviced by a person other than the
consumer reporter, that person.
``(2) Notice of potential fraudulent transaction risk.--In
the case of any actual or reasonably likely breach of data
security with respect to sensitive financial account
information for which an investigation is required under
subsection (b)(2)(A), unless the consumer reporter determines
(after conducting a reasonable investigation that meets the
requirements of such subparagraph) that it is not reasonably
likely that such information will be misused against the
consumers to whom such sensitive financial account information
relates to make 1 or more fraudulent transactions on a
financial account to which such information relates in a manner
that would cause substantial inconvenience or substantial harm
to any such consumer, the consumer reporter shall provide
notice, in the manner provided in subsection (e), to--
``(A) an appropriate law enforcement agency;
``(B) the appropriate functional regulatory agency
for the consumer reporter;
``(C) if the information relates to a financial
account provided to, maintained for, or serviced for
any consumer by a person other than the consumer
reporter, the person that provides, maintains, or
services the financial account for the consumer; and
``(D) subject to subsections (d)(2) and (e), any
consumer to whom the sensitive financial account
information relates.
``(d) Investigation and Notice Requirements for Third Party
Agreements.--
``(1) Contractual obligation required.--No consumer
reporter may provide sensitive financial identity information
or sensitive financial account information to a third party to
receive, maintain, or service on behalf of the consumer
reporter, unless such third party agrees that whenever the
third party becomes aware that a breach of data security has
occurred or is reasonably likely to have occurred with respect
to such information received, maintained, or serviced by such
third party, the third party shall be obligated--
``(A) to provide notice of the breach to the
consumer reporter;
``(B) to conduct a joint investigation with the
consumer reporter to determine the likelihood that such
information will be misused against the consumers to
whom the information relates in a manner that would
cause substantial inconvenience or substantial harm to
any such consumers; and
``(C) unless the consumer reporter and third party
determine, after conducting a reasonable investigation,
that it is not reasonably likely that such information
will be misused to commit financial fraud against any
consumer to whom any of such sensitive personal
information relates in a manner that would cause
substantial inconvenience or substantial harm to such
consumer, to provide joint notice with the consumer
reporter under paragraph (2).
``(2) Joint notice requirement under certain
circumstances.--In the case of any breach of data security
involving a third party referred to in paragraph (1) for which
a notice is required to be provided by a consumer reporter to a
consumer under subsection (c)--
``(A) both the consumer reporter and any person
that provides or maintains the financial account for
the consumer shall be responsible for providing the
notice under such subsection to the consumer jointly;
``(B) the notice shall--
``(i) clearly indicate on its face (such as
the envelope for mailed notices) the identity
of a person or consumer reporter that has the
direct relationship with the consumer; and
``(ii) clearly identify the consumer
reporter that directly suffered the breach of
data security and indicate the notice is being
provided to the consumer on account of such
breach; and
``(C) the consumer reporter shall be responsible
for the reasonable actual costs of such notice, except
as otherwise established by agreement.
``(e) Time and Manner of Notices.--
``(1) Prompt notice required.--Except as provided in
paragraph (2), any notice required under subsection (c),
including any joint notice in accordance with subsection
(d)(2)(A), shall be made promptly following completion of
reasonable measures undertaken to determine the scope of the
breach of data security.
``(2) Delay of notice for law enforcement purposes.--If a
consumer reporter receives a written request from an
appropriate law enforcement agency that is approved by a court
of competent jurisdiction indicating that providing a
particular notice to any consumer under this section would
impede a criminal or civil investigation by that law
enforcement agency, or an oral request from an appropriate law
enforcement agency indicating that such a written request will
be provided, the consumer reporter shall delay, or in the case
of a foreign law enforcement agency may delay, providing such
notice until--
``(A) the law enforcement agency informs the
consumer reporter that such notice will no longer
impede the investigation; or
``(B) the law enforcement agency fails to--
``(i) confirm that a continued delay is
necessary to avoid impeding such investigation;
or
``(ii) provide a written request within a
reasonable time following an oral request for
such delay.
``(3) Order of notice.--The notices required under
subsection (c), including any joint notice in accordance with
subsection (d)(2)(A), shall be made in the order of the
subparagraphs in paragraph (1) or (2) of subsection (c), as the
case may be.
``(4) Content of consumer notice.--Any notice required to
be provided to a consumer under paragraph (1) or (2) of
subsection (c), including any joint notice in accordance with
subsection (d)(2)(A), shall include--
``(A) a clear and conspicuous heading or notice
title on the envelope or transmission title indicating
the nature of the notice, such as `LEGAL NOTICE OF DATA
SECURITY BREACH';
``(B) a brief description of the breach of data
security, including a statement of the types of
sensitive financial account and sensitive financial
identity information involved in such breach;
``(C) appropriate instructions to the consumer to
mitigate against financial fraud; and
``(D) appropriate contact information that the
consumer may use to obtain additional information.
``(5) No duplicative notices required.--A consumer
reporter, whether acting directly or jointly with a third party
under subsection (d), shall not be required to provide more
than 1 notice with respect to any breach of data security to
any affected consumer, so long as such notice meets all the
applicable requirements of this section.
``(f) Financial Fraud Mitigation.--
``(1) Free file monitoring.--Any consumer reporter that is
required to provide notice to a consumer under subsection
(c)(1), or that is deemed to be in compliance with such
requirement by operation of subsection (g), shall offer and
make available to the consumer, free of charge, a service that
monitors nationwide credit activity regarding a consumer from a
consumer reporting agency described in section 603(p).
``(2) Joint rulemaking for safe harbor.--The Secretary of
the Treasury, the Board of Governors of the Federal Reserve
System, and the Commission shall jointly develop regulations,
which shall be prescribed by all functional regulatory
agencies, that, in any case in which--
``(A) free file monitoring is offered under
paragraph (1) to a consumer;
``(B) subsequent to the offer, another party
misuses sensitive financial identity information on the
consumer obtained through the breach of data security
(that gave rise to such offer) to commit identity theft
against the consumer; and
``(C) at the time of such breach the consumer
reporter maintained reasonable policies and procedures
to comply with subsection (a),
exempts the consumer reporter from any liability under State
common law for any loss or harm to the consumer occurring after
the date of such offer, other than any direct pecuniary loss
provided under such law, resulting from such misuse.
``(g) Compliance With GLBA.--
``(1) In general.--For the purposes of this section, any
person subject to section 501(b) of title V of the Gramm-Leach-
Bliley Act shall be deemed to be in compliance with--
``(A) subsection (a) of this section, if the person
is required to implement appropriate safeguards
pursuant to regulations, guidelines, or guidance
prescribed by or issued by an agency or authority in
accordance with such subsection of the Gramm-Leach-
Bliley Act;
``(B) subsection (b) of this section, if the person
is required to conduct investigations of breaches of
information security pursuant to regulations,
guidelines, or guidance prescribed by or issued by an
agency or authority in accordance with such subsection
of the Gramm-Leach-Bliley Act; and
``(C) subsection (c) of this section, if the person
is required to implement a consumer notification
program after breaches of such data safeguards pursuant
to regulations, guidelines, or guidance prescribed by
or issued by an agency or authority in accordance with
section 501 of the Gramm-Leach-Bliley Act.
``(2) Reciprocal compliance arrangements.--If, with respect
to any person, or any agent of a person, who is subject to
section 501(b) of the Gramm-Leach-Bliley Act, the regulations,
guidelines, or guidance prescribed or issued pursuant to such
section by the agencies or authorities described in section 509
of the Gramm-Leach-Bliley Act, allow--
``(A) any requirement that such person comply with
such section to be satisfied by the person's agent; or
``(B) any requirement that a person's agent comply
with such section to be satisfied by the person,
such reciprocal compliance treatment for such person and agent
shall also apply under subsections (a), (b), and (c) of this
section in the same manner and to the same extent such
treatment applies for purposes of such section 501(b), except
as otherwise provided by any such agency or authority.
``(h) Uniform Security Regulations.--
``(1) Uniform standards.--The Secretary of the Treasury,
the Board of Governors of the Federal Reserve System, and the
Commission shall jointly--
``(A) develop appropriate standards and guidelines
in furtherance of the policy of this section; and
``(B) prescribe regulations requiring each consumer
reporter to establish reasonable policies and
procedures implementing such standards and guidelines,
consistent, as appropriate, with section 501(b) of
title V of the Gramm-Leach-Bliley Act.
``(2) Enforcement regulations.--Each of the functional
regulatory agencies shall prescribe such regulations as may be
necessary, consistent with the standards in paragraph (1), to
carry out the purposes of this section with respect to the
persons subject to the jurisdiction of such agency under
subsection (i).
``(3) Procedures and deadline.--
``(A) Procedures.--Regulations prescribed under
this subsection shall be prescribed in accordance with
applicable requirements of title 5, United States Code.
``(B) Deadline for initial regulations.--The
regulations required to be prescribed under paragraph
(1) shall be published in final form before the end of
the 12-month period beginning on the date of the
enactment of the Financial Data Security Act of 2005.
``(C) Deadline for enforcement regulations.--The
regulations required to be prescribed under paragraph
(2) shall be published in final form before the end of
the 6-month period beginning on the date regulations
described in subparagraph (B) are published in final
form.
``(D) Authority to grant exceptions.--The
regulations prescribed under paragraph (2) may include
such additional exceptions to this section as are
deemed by the functional regulatory agencies to be
consistent with the purposes of this section.
``(E) Consultation and coordination.--The Secretary
of the Treasury, the Board of Governors of the Federal
Reserve System, and the Commission shall consult and
coordinate with the other functional regulatory
agencies to the extent appropriate in prescribing
regulations under this subsection.
``(4) Appropriate exemptions.--The Secretary of the
Treasury, the Board, and the Commission, in consultation with
the Administrator of the Small Business Administration, shall
provide appropriate exemptions from requirements of this
section relating to sensitive financial identity information
for consumer reporter collectors that are small businesses.
``(i) Administrative Enforcement.--Notwithstanding section 616,
617, or 621, this section and the regulations prescribed under this
section shall be enforced exclusively by the functional regulatory
agencies with respect to financial institutions and other persons
subject to jurisdiction of each such agency under applicable law, as
follows:
``(1) Under section 8 of the Federal Deposit Insurance Act,
in the case of--
``(A) national banks, Federal branches and Federal
agencies of foreign banks, and any subsidiaries of such
entities (except brokers, dealers, persons providing
insurance, investment companies, and investment
advisers), by the Comptroller of the Currency;
``(B) member banks of the Federal Reserve System
(other than national banks), branches and agencies of
foreign banks (other than Federal branches, Federal
agencies, and insured State branches of foreign banks),
commercial lending companies owned or controlled by
foreign banks, organizations operating under section 25
or 25A of the Federal Reserve Act, and bank holding
companies and their nonbank subsidiaries or affiliates
(except brokers, dealers, persons providing insurance,
investment companies, and investment advisers), by the
Board of Governors of the Federal Reserve System;
``(C) banks insured by the Federal Deposit
Insurance Corporation (other than members of the
Federal Reserve System), insured State branches of
foreign banks, and any subsidiaries of such entities
(except brokers, dealers, persons providing insurance,
investment companies, and investment advisers), by the
Board of Directors of the Federal Deposit Insurance
Corporation; and
``(D) savings associations the deposits of which
are insured by the Federal Deposit Insurance
Corporation, and any subsidiaries of such savings
associations (except brokers, dealers, persons
providing insurance, investment companies, and
investment advisers), by the Director of the Office of
Thrift Supervision.
``(2) Under the Federal Credit Union Act, by the Board of
the National Credit Union Administration with respect to any
federally insured credit union, and any subsidiaries of such an
entity.
``(3) Under the Securities Exchange Act of 1934, by the
Securities and Exchange Commission with respect to any broker
or dealer.
``(4) Under the Investment Company Act of 1940, by the
Securities and Exchange Commission with respect to investment
companies.
``(5) Under the Investment Advisers Act of 1940, by the
Securities and Exchange Commission with respect to investment
advisers registered with the Commission under such Act.
``(6) Under State insurance law, in the case of any person
engaged in the business of insurance, by the applicable State
insurance authority of the State in which the person is
domiciled.
``(7) Under the Federal Trade Commission Act, by the
Federal Trade Commission for any other person that is not
subject to the jurisdiction of any agency or authority under
paragraphs (1) through (6) of this subsection.
``(j) Definitions.--For purposes of this section, the following
definitions shall apply:
``(1) Breach of data security.--The term `breach of data
security' means, with respect to sensitive financial account
information or sensitive financial identity information that is
maintained, received, serviced, or communicated by or on behalf
of any financial institution--
``(A) an unauthorized acquisition of such
information that could be used to commit financial
fraud (such as identity theft or fraudulent
transactions made on financial accounts); or
``(B) an unusual pattern of misuse of such
information to commit financial fraud.
``(2) Consumer reporter and related terms.--
``(A) Consumer report.--The term `consumer report'
includes any written, oral, or other communication of
any information by a consumer reporter bearing on a
consumer's credit worthiness, credit standing, credit
capacity, character, general reputation, personal
characteristics, personal identifiers, financial
account information, or mode of living.
``(B) Consumer reporting broker.--The term
`consumer reporting broker' means any person which, for
monetary fees, dues, or on a cooperative nonprofit
basis, regularly engages in whole or in part in the
practice of assembling or evaluating consumer credit
information or other information on consumers for the
purpose of furnishing consumer reports to third
parties, and which uses any means or facility of
interstate commerce for the purpose of preparing or
furnishing consumer reports.
``(C) Consumer reporting collector.--The term
`consumer reporting collector' means any person (other
than a consumer reporting agency or a consumer
reporting broker) which, for monetary fees, dues, or on
a cooperative nonprofit basis, or otherwise, regularly
engages in whole or in part in the practice of
assembling or evaluating consumer reports or other
information on consumers to provide or market or
collect payment for products or services, and which
uses any means or facility of interstate commerce for
the purpose of preparing or using consumer reports.
``(D) Consumer reporter.--The term `consumer
reporter' means any consumer reporting agency, consumer
reporting broker, or consumer reporting collector.
``(3) Financial institution.--The term `financial
institution' means any consumer reporter who maintains,
receives, services, or communicates sensitive financial account
information or sensitive financial identity information on an
ongoing basis for the purposes of engaging in interstate
commerce.
``(4) Functional regulatory agency.--The term `functional
regulatory agency' means any agency described in subsection (i)
with respect to the financial institutions and other persons
subject to the jurisdiction of such agency.
``(5) Nationwide consumer reporting agency.--The term
`nationwide consumer reporting agency' means--
``(A) a consumer reporting agency described in
section 603(p);
``(B) any person who notifies the Commission that
the person reasonably expects to become a consumer
reporting agency described in subsection (p) of section
603 within a reasonable time; and
``(C) a consumer reporting agency described in
section 603(w) that notifies the Commission that the
person wishes to receive breach of data security
notices under this section that involve information of
the type maintained by such agency.
``(6) Sensitive financial account information.--The term
`sensitive financial account information' means a financial
account number of a consumer, such as credit card number or
debit card number, in combination with any security code,
access code, password, or other personal identification
information that would allow access to the consumer's financial
account.
``(7) Sensitive financial identity information.--The term
`sensitive financial identity information' means the first and
last name, the address, or the telephone number of a consumer,
in combination with any of the following of the consumer:
``(A) Social Security number.
``(B) Driver's license number or equivalent State
identification number.
``(C) Taxpayer identification number.''.
(b) Clerical Amendment.--The table of sections for the Fair Credit
Reporting Act is amended by inserting after the item relating to
section 629 the following new item:
``630. Data security safeguards.''.
(c) Effective Date.--The provisions of section 630 of the Fair
Credit Reporting Act (as added by this section), other than subsection
(h) of such section, shall take effect on the earlier of--
(1) the date of publication of the regulations required
under paragraph (3) of such subsection, with respect to any
person under the jurisdiction of each regulatory agency
publishing such regulations; or
(2) the end of the 24-month period beginning on the date of
the enactment of this Act.
SEC. 3. RELATION TO STATE LAWS.
Subsection (b) of section 625 of the Fair Credit Reporting Act (15
U.S.C. 1681t) is amended--
(1) by redesignating paragraphs (3), (4), and (5) as
paragraphs (4), (5), and (6), respectively; and
(2) by inserting after paragraph (2) the following new
paragraph:
``(3) with respect to the responsibilities of any person--
``(A) to protect the security or confidentiality of
information on consumers maintained by or on behalf of
the person;
``(B) to safeguard such information from potential
misuse;
``(C) to investigate and provide notices to
consumers of any unauthorized access to information
concerning the consumer, or the potential misuse of
such information, for fraudulent purposes; and
``(D) to mitigate any loss or harm resulting from
such unauthorized access or misuse.''.
Introduced in House
Referred to the House Committee on Financial Services.