Financial Data Protection Act of 2006 - (Sec. 2) Amends the Fair Credit Reporting Act to prescribe guidelines for data security safeguards that require a consumer reporter who becomes aware of information suggesting a breach of data security to immediately investigate and notify authorities and consumers. Defines "consumer reporter" as any entity which regularly engages in assembling or evaluating consumer financial files and consumer reports to furnish consumer reports to third parties or to provide payment for products and services, or for employment purposes.
Declares the policy of Congress concerning the obligations of each consumer reporter to protect the security and confidentiality of sensitive financial personal information.
Prescribes investigation and consumer notification requirements.
Directs the Federal Trade Commission (FTC) to coordinate with specified government entities to create a publicly available list of data security breaches that have triggered a notice to consumers within the last 12 months.
Prohibits charging the related consumers for the cost of the notices and file monitoring regarding data security breaches.
Requires a consumer reporter, upon the request of a consumer who is the focus of a security breach, to make available a free service that: (1) monitors nationwide credit activity about the consumer from a consumer reporting agency; and (2) provides nationwide identity-monitoring.
Prescribes implementation guidelines for imposition of a security freeze, upon the request of a consumer who is a victim of identity theft, that places a notice in the consumer's credit report prohibiting the consumer reporting agency from releasing all or any part of the report without the consumer's express authorization.
Prohibits a consumer reporting agency from imposing a fee for placing or removing a security freeze.
Directs the Secretary of the Treasury, the Board of Governors of the Federal Reserve System, and the FTC to promulgate jointly: (1) uniform data security safeguard regulations; and (2) model notice forms.
Prescribes implementation and administrative enforcement procedures.
Preempts state laws governing consumer reporter data security responsibilities, except any laws governing professional confidentiality or limiting the purposes for which information may be disclosed.
(Sec. 3) Directs: (1) the President to convene a National Summit on Data Security Safeguards for Sensitive Personal Financial Information in the District of Columbia; and (2) the Comptroller General to study and report to Congress on a system that would provide notices of data breaches to consumers in languages other than English, and identify what barriers exist to its implementation.
(Sec. 5) Directs the FTC to compile voluntary information on the race and ethnicity of consumers who are victims of identity theft, account fraud, and other types of financial fraud, in order to improve law enforcement efforts relating to data security breaches and fighting identity theft and account fraud.
(Sec. 6) Amends the Credit Repair Organizations Act (CROA) to exempt from its coverage certain credit monitoring activities, including provision to a consumer of: (1) credit reports, credit monitoring notifications, credit scores and scoring algorithms, and other specified credit score-related tools; (2) any analysis, evaluation, and explanation of such actual or hypothetical credit scores or similar projections, forecasts, analyses, evaluations or explanations; or (3) materials or services to assist a consumer who is a victim of identity theft.
Specifies conditions for application of such exemption. Requires the credit monitoring service to refrain from offering to alter or remove, or assist in the alteration or removal of, accurate, non-obsolete adverse information in a credit report. Requires the service also to present the consumer with a specified notice and statement of rights.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4127 Introduced in House (IH)]
109th CONGRESS
1st Session
H. R. 4127
To protect consumers by requiring reasonable security policies and
procedures to protect computerized data containing personal
information, and to provide for nationwide notice in the event of a
security breach.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
October 25, 2005
Mr. Stearns (for himself, Ms. Pryce of Ohio, Mr. Upton, Mr. Radanovich,
Mr. Bass, Mrs. Bono, Mr. Ferguson, and Mrs. Blackburn) introduced the
following bill; which was referred to the Committee on Energy and
Commerce
_______________________________________________________________________
A BILL
To protect consumers by requiring reasonable security policies and
procedures to protect computerized data containing personal
information, and to provide for nationwide notice in the event of a
security breach.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Accountability and Trust Act
(DATA)''.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
(a) General Security Policies and Procedures.--
(1) Regulations.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate
regulations to require each person engaged in interstate
commerce that owns or possesses data in electronic form
containing personal information to establish and implement
policies and procedures regarding information security
practices for the treatment and protection of personal
information that are consistent with--
(A) the size of, and the nature, scope, and
complexity of the activities engaged in by, such
person;
(B) the current state of the art in administrative,
technical, and physical safeguards for protecting such
information; and
(C) the cost of implementing such safeguards.
(2) Requirements.--Such regulations shall require the
policies and procedures to include the following:
(A) A security policy with respect to the
collection, use, sale, other dissemination, and
maintenance of such personal information.
(B) The identification of an officer or other
individual as the point of contact with responsibility
for the management of information security.
(C) A process for identifying and assessing any
reasonably foreseeable vulnerabilities in the system
maintained by such person that contains such electronic
data.
(D) A process for taking preventive and corrective
action to mitigate against any vulnerabilities
identified in the process required by subparagraph (C),
which may include encryption of such data, implementing
any changes to security practices and the architecture,
installation, or implementation of network or operating
software.
(b) Special Requirements for Information Brokers.--
(1) Submission of policies to the ftc.--The regulations
promulgated under subsection (a) shall require information
brokers to submit their security policies to the Commission on
an annual basis.
(2) Post-breach audit.--Following a breach of security of
an information broker, the Commission shall conduct an audit of
the information security practices of such information broker.
The Commission may conduct additional audits, on an annual
basis, for a maximum of 5 years following the breach of
security or until the Commission determines that the security
practices of the information broker are in compliance with the
requirements of this section and are adequate to prevent
further breaches of security.
(3) Individual access to personal information.--
(A) Access to information.--Each information broker
shall--
(i) provide to each individual whose
personal information it maintains, at the
individual's request at least one time per year
and at no cost to the individual, a means for
such individual to review any personal
information of the individual maintained by the
information broker and any other information
about the individual maintained by the
information broker; and
(ii) place a conspicuous notice on its
Internet website (if the information broker
maintains such a website) instructing
individuals how to request access to the
information required to be provided under
clause (i).
(B) Disputed information.--Whenever an individual
whose information the information broker maintains
files a written request disputing the accuracy of any
such information, unless there is reasonable grounds to
believe such request is frivolous or irrelevant, the
information broker shall clearly note in the database
maintained by such information broker, and in any
subsequent transmission of such information by such
information broker, that such information is disputed
by the individual to whom the information relates. Such
note shall include either the individual's statement
disputing the accuracy of such information or a clear
and concise summary thereof.
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) Nationwide Notification.--Any person engaged in interstate
commerce that owns or possesses data in electronic form containing
personal information shall, following the discovery of a breach of
security of the system maintained by such person that contains such
data--
(1) notify each individual of the United States whose
personal information was acquired by an unauthorized person as
a result of such a breach of security;
(2) notify the Commission;
(3) place a conspicuous notice on the Internet website of
the person (if such person maintains such a website), which
shall include a telephone number that the individual may use,
at no cost to such individual, to contact the person to inquire
about the security breach or the information the person
maintained about that individual; and
(4) in the case of a breach of financial account
information of a merchant, notify the financial institution
that issued the account.
(b) Timeliness of Notification.--All notifications required under
subsection (a) shall be made as promptly as possible and without
unreasonable delay following the discovery of a breach of security of
the system and any measures necessary to determine the scope of the
breach, prevent further breach or unauthorized disclosures, and
reasonably restore the integrity of the data system.
(c) Method and Content of Notification.--
(1) Direct notification.--
(A) Method of notification.--A person required to
provide notification to individuals under subsection
(a)(1) shall be in compliance with such requirement if
the person provides conspicuous and clearly identified
notification by one of the following methods (provided
the selected method can reasonably be expected to reach
the intended individual):
(i) Written notification.
(ii) Email notification, if the individual
has consented to receive such notification and
the notification is provided in a manner that
is consistent with the provisions permitting
electronic transmission of notices under
section 101 of the Electronic Signatures in
Global Commerce Act (15 U.S.C. 7001).
(B) Content of notification.--Regardless of the
method by which notification is provided to an
individual under subparagraph (A), such notification
shall include--
(i) a description of the personal
information that was acquired by an
unauthorized person;
(ii) a telephone number that the individual
may use, at no cost to such individual, to
contact the person to inquire about the
security breach or the information the person
maintained about that individual;
(iii) the toll-free contact telephone
numbers and addresses for the major credit
reporting agencies; and
(iv) a toll-free telephone number and
Internet website address for the Commission
whereby the individual may obtain information
regarding identity theft.
(2) Substitute notification.--
(A) Circumstances giving rise to substitute
notification.--A person required to provide
notification to individuals under subsection (a)(1) may
provide substitute notification in lieu of the direct
notification required by paragraph (1) if such direct
notification is not feasible due to--
(i) excessive cost to the person required
to provide such notification relative to the
resources of such person, as determined in
accordance with the regulations issued by the
Commission under paragraph (3)(A); or
(ii) lack of sufficient contact information
for the individual required to be notified.
(B) Content of substitute notification.--Such
substitute notification shall include notification in
print and broadcast media, including major media in
metropolitan and rural areas where the individuals
whose personal information was acquired reside. Such
notification shall include a telephone number where an
individual can, at no cost to such individual, learn
whether or not that individual's personal information
is included in the security breach.
(3) Federal trade commission regulations and guidance.--
(A) Regulations.--Not later than 270 days after the
date of enactment of this Act, the Commission shall, by
regulation, establish criteria for determining the
circumstances under which substitute notification may
be provided under paragraph (2), including criteria for
determining if notification under paragraph (1) is not
feasible due to excessive cost to the person required
to provide such notification relative to the resources
of such person.
(B) Guidance.--In addition, the Commission shall
provide and publish general guidance with respect to
compliance with this section. Such guidance shall
include--
(i) a description of written or email
notification that complies with the
requirements of paragraph (1); and
(ii) guidance on the content of substitute
notification under paragraph (2)(B), including
the extent of notification to print and
broadcast media that complies with the
requirements of such paragraph.
(d) Other Obligations Following Breach.--A person required to
provide notification under subsection (a) shall provide or arrange for
the provision of, to each individual to whom notification is provided
under subsection (c)(1) and at no cost to such individual, consumer
credit reports from at least one of the major credit reporting agencies
beginning not later than 2 months following a breach of security and
continuing on a quarterly basis for a period of 2 years thereafter. The
Commission shall, by regulation, provide alternative requirements under
this subsection for persons who qualify to provide substitute
notification under subsection (c)(2).
(e) Website Notice of Federal Trade Commission.--The Commission
shall place, in a clear and conspicuous location on its Internet
website, a notice of any breach of security that is reported to the
Commission under subsection (a)(2).
SEC. 4. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(a) Unfair or Deceptive Acts or Practices.--A violation of section
2 or 3 shall be treated as a violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(b) Powers of Commission.--The Commission shall enforce this Act in
the same manner, by the same means, and with the same jurisdiction,
powers, and duties as though all applicable terms and provisions of the
Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act. Any person who violates such
regulations shall be subject to the penalties and entitled to the
privileges and immunities provided in that Act. Nothing in this Act
shall be construed to limit the authority of the Commission under any
other provision of law.
SEC. 5. DEFINITIONS.
In this Act the following definitions apply:
(1) Breach of security.--The term ``breach of security''
means the unauthorized acquisition of data in electronic form
containing personal information that establishes a reasonable
basis to conclude that there is a significant risk of identity
theft to the individual to whom the personal information
relates. The encryption of such data, combined with appropriate
safeguards of the keys necessary to enable decryption of such
data, shall establish a presumption that no such reasonable
basis exists. Any such presumption may be rebutted by facts
demonstrating that the method of encryption has been or is
likely to be compromised.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Data in electronic form.--The term ``data in electronic
form'' means any data stored electronically or digitally on any
computer system or other database and includes recordable tapes
and other mass storage devices.
(4) Encryption.--The term ``encryption'' means the
protection of data in electronic form in storage or in transit
using an encryption algorithm implemented within a validated
cryptographic module that has been approved by the National
Institute of Standards and Technology or another comparable
standards body recognized by the Commission, rendering such
data indecipherable in the absence of associated cryptographic
keys necessary to enable decryption of such data. Such
encryption must include appropriate management and safeguards
of such keys to protect the integrity of the encryption.
(5) Identity theft.--The term ``identity theft'' means the
unauthorized assumption of another person's identity for the
purpose of engaging in commercial transactions under the name
of such other person.
(6) Information broker.--The term ``information broker''
means a commercial entity whose business is to collect,
assemble, or maintain personal information concerning
individuals who are not customers of such entity for the sale
or transmission of such information or the provision of access
to such information to any third party, whether such
collection, assembly, or maintenance of personal information is
performed by the information broker directly, or by contract or
subcontract with any other entity.
(7) Personal information.--
(A) Definition.--The term ``personal information''
means an individual's first and last name in
combination with any 1 or more of the following data
elements for that individual:
(i) Social Security number.
(ii) Driver's license number or other State
identification number.
(iii) Financial account number, or credit
or debit card number, and any required security
code, access code, or password that is
necessary to permit access to an individual's
financial account.
(B) Modified definition by rulemaking.--The
Commission may, by rule, modify the definition of
``personal information'' under subparagraph (A) to the
extent that such modification is necessary to
accommodate changes in technology or practices, will
not unreasonably impede interstate commerce, and will
accomplish the purposes of this Act.
(8) Person.--The term ``person'' has the same meaning given
such term in section 551(2) of title 5, United States Code.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws.--This Act
supersedes any provision of a statute, regulation, or rule of a State
or political subdivision of a State that expressly--
(1) requires information security practices and treatment
of personal information similar to any of those required under
section 2; and
(2) requires notification to individuals of a breach of
security resulting in unauthorized acquisition of their
personal information.
(b) Additional Preemption.--
(1) In general.--No person other than the Attorney General
of a State may bring a civil action under the laws of any State
if such action is premised in whole or in part upon the
defendant violating any provision of this Act.
(2) Protection of consumer protection laws.--This
subsection shall not be construed to limit the enforcement of
any State consumer protection law by an Attorney General of a
State.
(c) Protection of Certain State Laws.--This Act shall not be
construed to preempt the applicability of--
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate
to acts of fraud.
SEC. 7. EFFECTIVE DATE AND SUNSET.
(a) Effective Date.--This Act shall take effect 1 year after the
date of enactment of this Act.
(b) Sunset.--This Act shall cease to be in effect on the date that
is 10 years from the date of enactment of this Act.
SEC. 8. AUTHORIZATION OF APPROPRIATIONS.
There is authorized to be appropriated to the Commission $1,000,000
for each of fiscal years 2006 through 2010 to carry out this Act.
Referred to the House Committee on Energy and Commerce.
Referred to the Subcommittee on Commerce, Trade and Consumer Protection.
Subcommittee Consideration and Mark-up Session Held.
Forwarded by Subcommittee to Full Committee (Amended) by the Yeas and Nays: 13 - 8.
Committee Consideration and Mark-up Session Held.
Ordered to be Reported (Amended) by the Yeas and Nays: 41 - 0.
Reported (Amended) by the Committee on Energy and Commerce. H. Rept. 109-453, Part I.
Referred jointly and sequentially to the House Committee on Financial Services for a period ending not later than June 2, 2006 for consideration of such provisions of the bill and amendment as fall within the jurisdiction of that committee pursuant to clause 1(g), rule X.
Referred jointly and sequentially to the House Committee on the Judiciary for a period ending not later than June 2, 2006 for consideration of such provisions of the bill and amendment as fall within the jurisdiction of that committee pursuant to clause 1(1), rule X.
Committee Consideration and Mark-up Session Held.
Ordered to be Reported (Amended) by Voice Vote.
Committee Consideration and Mark-up Session Held.
Ordered to be Reported (Amended) by Voice Vote.
Reported (Amended) by the Committee on Judiciary. H. Rept. 109-453, Part II.
Reported (Amended) by the Committee on Financial Services. H. Rept. 109-453, Part III.
Placed on the Union Calendar, Calendar No. 270.
Sponsor introductory remarks on measure. (CR H3502)