Consumer Access Rights Defense Act (CARD) of 2005 - Requires database security breach disclosures by an agency, or person engaged in interstate commerce, that owns, licenses, or collects data containing personal information, as well as notification of individuals whose personal information was acquired by an unauthorized person.
Cites conditions which exempt national security and law enforcement agencies from this Act.
Prescribes guidelines for coordinated notification of database security breaches with credit reporting agencies.
Grants the Federal Trade Commission enforcement powers, including the assessment of civil fines.
Amends the Fair Credit Reporting Act to require a consumer reporting agency to place an extended fraud alert into a consumer file when a consumer submits evidence of notification that personal financial information has or may have been compromised.
Empowers State Attorneys General to enforce this Act.
Preempts state or local law inconsistent with this Act.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3501 Introduced in House (IH)]
109th CONGRESS
1st Session
H. R. 3501
To require financial institutions and financial service providers to
notify customers of the unauthorized use of personal financial
information, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
July 28, 2005
Ms. Carson introduced the following bill; which was referred to the
Committee on Energy and Commerce, and in addition to the Committees on
Government Reform and Financial Services, for a period to be
subsequently determined by the Speaker, in each case for consideration
of such provisions as fall within the jurisdiction of the committee
concerned
_______________________________________________________________________
A BILL
To require financial institutions and financial service providers to
notify customers of the unauthorized use of personal financial
information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Consumer Access Rights Defense Act
(CARD) of 2005''.
SEC. 2. DEFINITIONS.
In this Act, the following definitions shall apply:
(1) Agency.--The term ``agency'' has the same meaning given
such term in section 551(1) of title 5, United States Code.
(2) Breach of security of the system.--The term ``breach of
security of the system''--
(A) means the compromise of the security,
confidentiality, or integrity of data that results in,
or there is a reasonable basis to conclude has resulted
in, the unauthorized acquisition of personal
information maintained by the person or business; and
(B) does not include good faith acquisition of
personal information by an employee or agent of the
person or business for the purposes of the person or
business, if the personal information is not used or
subject to further unauthorized disclosure.
(3) Person.--The term ``person'' has the same meaning given
such term in section 551(2) of title 5, United States Code.
(4) Personal information.--The term ``personal
information'' means an individual's last name in combination
with any 1 or more of the following data elements:
(A) Social Security number.
(B) Driver's license number or State identification
number.
(C) Account number or credit or debit card number,
or, if a security code, access code, or password is
required for access to an individual's account, the
account number or credit or debit card number, in
combination with the required code or password.
(5) Substitute notice.--The term ``substitute notice''
means--
(A) conspicuous posting of the notice on the
Internet site of the agency or person, if the agency or
person maintains a public Internet site; and
(B) notification to major print and broadcast
media, including major media in metropolitan and rural
areas where the individual whose personal information
was, or is reasonably believed to have been, acquired
resides. The notice to media shall include a toll-free
phone number where an individual can learn whether or
not that individual's personal data is included in the
security breach.
SEC. 3. DATABASE SECURITY.
(a) Disclosure of Security Breach.--
(1) In general.--Any agency, or person engaged in
interstate commerce, that owns, licenses, or collects data,
whether or not held in electronic form, containing personal
information shall, following the discovery of a breach of
security of the system maintained by the agency or person that
contains such data, or upon receipt of notice under paragraph
(2), notify any individual of the United States whose personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person.
(2) Notification of owner or licensee.--Any agency, or
person engaged in interstate commerce, in possession of data,
whether or not held in electronic form, containing personal
information that the agency does not own or license shall
notify the owner or licensee of the information if the personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person through a breach of security
of the system containing such data.
(3) Timeliness of notification.--
(A) In general.--All notifications required under
paragraph (1) or (2) shall be made without unreasonable
delay following--
(i) the discovery by the agency or person
of a breach of security of the system;
(ii) any measures necessary to determine
the scope of the breach, prevent further
disclosures, and restore the reasonable
integrity of the data system; and
(iii) receipt of written notice that a law
enforcement agency has determined that the
notification will no longer seriously impede
its investigation, where notification is
delayed as provided in paragraph (4).
(B) Burden of proof.--The agency or person required
to provide notification under this subsection shall
have the burden of demonstrating that all notifications
were made as required under this paragraph, including
evidence demonstrating the necessity of any delay.
(4) Delay of notification authorized for law enforcement
purposes.--If a law enforcement agency determines that the
notification required under this subsection would seriously
impede a criminal investigation, such notification may be
delayed upon the written request of the law enforcement agency.
(5) Exception for national security and law enforcement.--
(A) In general.--This subsection shall not apply to
an agency if the head of the agency certifies, in
writing, that notification of the breach as required by
this subsection reasonably could be expected to--
(i) cause damage to the national security;
and
(ii) hinder a law enforcement investigation
or the ability of the agency to conduct law
enforcement investigations.
(B) Limits on certifications.--The head of an
agency may not execute a certification under
subparagraph (A) to--
(i) conceal violations of law,
inefficiency, or administrative error;
(ii) prevent embarrassment to a person,
organization, or agency; or
(iii) restrain competition.
(C) Notice.--In every case in which a head of an
agency issues a certification under subparagraph (A), a
copy of the certification, accompanied by a concise
description of the factual basis for the certification,
shall be immediately provided to the Congress.
(6) Methods of notice.--An agency, or person engaged in
interstate commerce, shall be in compliance with this
subsection if it provides the individual, with--
(A) written notification;
(B) e-mail notice, if the individual has consented
to receive such notice and the notice is consistent
with the provisions permitting electronic transmission
of notices under section 101 of the Electronic
Signatures in Global and National Commerce Act (15
U.S.C. 7001); or
(C) substitute notice, if--
(i) the agency or person demonstrates that
the cost of providing direct notice would
exceed $500,000;
(ii) the number of individuals to be
notified exceeds 500,000; or
(iii) the agency or person does not have
sufficient contact information for those to be
notified.
(7) Content of notification.--Regardless of the method by
which notice is provided to individuals under paragraphs (1)
and (2), such notice shall include--
(A) to the extent possible, a description of the
categories of information that was, or is reasonably
believed to have been, acquired by an unauthorized
person, including social security numbers, driver's
license or State identification numbers and financial
data;
(B) a toll-free number--
(i) that the individual may use to contact
the agency or person, or the agent of the
agency or person; and
(ii) from which the individual may learn--
(I) what types of information the
agency or person maintained about that
individual or about individuals in
general; and
(II) whether or not the agency or
person maintained information about
that individual; and
(C) the toll-free contact telephone numbers and
addresses for the major credit reporting agencies.
(8) Coordination of notification with credit reporting
agencies.--If an agency or person is required to provide
notification to more than 1,000 individuals under this
subsection, the agency or person shall also notify, without
unreasonable delay, all consumer reporting agencies that
compile and maintain files on consumers on a nationwide basis
(as defined in section 603(p) of the Fair Credit Reporting Act)
of the timing and distribution of the notices.
(b) Civil Remedies.--
(1) Penalties.--Any agency, or person engaged in interstate
commerce, that violates subsection (a) shall be subject to a
civil money penalty of--
(A) not more than $1,000 per individual whose
personal information was, or is reasonably believed to
have been, acquired by an unauthorized person; or
(B) not more than $50,000 per day while the failure
to give notice under subsection (a) persists.
(2) Equitable relief.--Any agency or person that violates,
proposes to violate, or has violated this section may be
enjoined from further violations by a court of competent
jurisdiction.
(3) Other rights and remedies.--The rights and remedies
available under this subsection are cumulative and shall not
affect any other rights and remedies available under law.
(4) Damages.--Any person injured by a violation of
subsection (a) may institute a civil action to recover damages
arising from that violation.
(c) Enforcement.--The Federal Trade Commission or other appropriate
regulator, may enforce compliance with this section, including the
assessment of fines under subsection (b)(1).
(d) Extended Fraud Alert.--Paragraph (1) of section 605A(b)(1) of
the Fair Credit Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended, in
that portion of such paragraph that precedes subparagraph (A), by
inserting ``, or evidence that the consumer has received notice that
the consumer's personal financial information has or may have been
compromised,'' after ``submits an identity theft report''.
SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by the engagement of any person in a
practice that is prohibited under this Act, the State, as
parens patriae, may bring a civil action on behalf of the
residents of the State in a district court of the United States
of appropriate jurisdiction or any other court of competent
jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with this Act;
(C) obtain damages, restitution, or other
compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may
consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State
involved shall provide to the Attorney General of the
United States--
(i) written notice of the action; and
(ii) a copy of the complaint for the
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subsection, if the State attorney general
determines that it is not feasible to provide
the notice described in such subparagraph
before the filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the Attorney General at the time
the State attorney general files the action.
(b) Construction.--For purposes of bringing any civil action under
subsection (a), nothing in this Act shall be construed to prevent an
attorney general of a State from exercising the powers conferred on
such attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(c) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in--
(A) the district court of the United States that
meets applicable requirements relating to venue under
section 1391 of title 28, United States Code; or
(B) another court of competent jurisdiction.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 5. EFFECT ON STATE LAW.
The provisions of this Act shall supersede any inconsistent
provisions of law of any State or unit of local government with respect
to the conduct required by the specific provisions of this Act.
SEC. 6. EFFECTIVE DATE.
This Act shall take effect at the end of the 6-month period
beginning on the date of the enactment of this Act.
Introduced in House
Referred to the Committee on Energy and Commerce, and in addition to the Committees on Government Reform, and Financial Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Sponsor introductory remarks on measure. (CR E1743-1744)
Referred to the Subcommittee on Commerce, Trade and Consumer Protection.
Referred to the Subcommittee on Financial Institutions and Consumer Credit.