Notification of Risk to Personal Data Act - Requires any Federal agency or person that owns, licenses, or collects personal information data, following the discovery of a breach of its personal data security system or upon receiving notice of a system breach, to notify (as specified) the individual whose information was obtained by an unauthorized person. Requires any agency or person possessing, but not owning or licensing, such data to notify the information owner or licensee of an unauthorized acquisition. Excepts agencies from notification requirements for national security and law enforcement purposes and requires Congress to be immediately notified when such exceptions are made. Sets forth enforcement provisions.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5582 Introduced in House (IH)]
109th CONGRESS
2d Session
H. R. 5582
To require Federal agencies, and persons engaged in interstate
commerce, in possession of data containing personal information, to
disclose any unauthorized acquisition of such information.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 12, 2006
Mr. Lantos introduced the following bill; which was referred to the
Committee on Energy and Commerce, and in addition to the Committees on
Government Reform and Financial Services, for a period to be
subsequently determined by the Speaker, in each case for consideration
of such provisions as fall within the jurisdiction of the committee
concerned
_______________________________________________________________________
A BILL
To require Federal agencies, and persons engaged in interstate
commerce, in possession of data containing personal information, to
disclose any unauthorized acquisition of such information.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Notification of Risk to Personal
Data Act''.
SEC. 2. DEFINITIONS.
In this Act, the following definitions shall apply:
(1) Agency.--The term ``agency'' has the same meaning given
such term in section 551(1) of title 5, United States Code.
(2) Breach of security of the system.--The term ``breach of
security of the system''--
(A) means the compromise of the security,
confidentiality, or integrity of data that results in,
or there is a reasonable basis to conclude has resulted
in, the unauthorized acquisition of personal
information maintained by the person or business; and
(B) does not include good faith acquisition of
personal information by an employee or agent of the
person or business for the purposes of the person or
business, if the personal information is not used or
subject to further unauthorized disclosure.
(3) Person.--The term ``person'' has the same meaning given
such term in section 551(2) of title 5, United States Code.
(4) Personal information.--The term ``personal
information'' means an individual's last name in combination
with any 1 or more of the following data elements:
(A) Social security number.
(B) Driver's license number or State identification
number.
(C) Account number or credit or debit card number,
or, if a security code, access code, or password is
required for access to an individual's account, the
account number or credit or debit card number, in
combination with the required code or password.
(5) Substitute notice.--The term ``substitute notice''
means--
(A) conspicuous posting of the notice on the
Internet site of the agency or person, if the agency or
person maintains a public Internet site; and
(B) notification to major print and broadcast
media, including major media in metropolitan and rural
areas where the individual whose personal information
was, or is reasonably believed to have been, acquired
resides. The notice to media shall include a toll-free
phone number where an individual can learn whether or
not that individual's personal data is included in the
security breach.
SEC. 3. DATABASE SECURITY.
(a) Disclosure of Security Breach.--
(1) In general.--Any agency, or person engaged in
interstate commerce, that owns, licenses, or collects data,
whether or not held in electronic form, containing personal
information shall, following the discovery of a breach of
security of the system maintained by the agency or person that
contains such data, or upon receipt of notice under paragraph
(2), notify any individual of the United States whose personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person.
(2) Notification of owner or licensee.--Any agency, or
person engaged in interstate commerce, in possession of data,
whether or not held in electronic form, containing personal
information that the agency does not own or license shall
notify the owner or licensee of the information if the personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person through a breach of security
of the system containing such data.
(3) Timeliness of notification.--
(A) In general.--All notifications required under
paragraph (1) or (2) shall be made without unreasonable
delay following--
(i) the discovery by the agency or person
of a breach of security of the system;
(ii) any measures necessary to determine
the scope of the breach, prevent further
disclosures, and restore the reasonable
integrity of the data system; and
(iii) receipt of written notice that a law
enforcement agency has determined that the
notification will no longer seriously impede
its investigation, where notification is
delayed as provided in paragraph (4).
(B) Burden of proof.--The agency or person required
to provide notification under this subsection shall
have the burden of demonstrating that all notifications
were made as required under this paragraph, including
evidence demonstrating the necessity of any delay.
(4) Delay of notification authorized for law enforcement
purposes.--If a law enforcement agency determines that the
notification required under this subsection would seriously
impede a criminal investigation, such notification may be
delayed upon the written request of the law enforcement agency.
(5) Exception for national security and law enforcement.--
(A) In general.--This subsection shall not apply to
an agency if the head of the agency certifies, in
writing, that notification of the breach as required by
this subsection reasonably could be expected to--
(i) cause damage to the national security;
and
(ii) hinder a law enforcement investigation
or the ability of the agency to conduct law
enforcement investigations.
(B) Limits on certifications.--The head of an
agency may not execute a certification under
subparagraph (A) to--
(i) conceal violations of law,
inefficiency, or administrative error;
(ii) prevent embarrassment to a person,
organization, or agency; or
(iii) restrain competition.
(C) Notice.--In every case in which a head of an
agency issues a certification under subparagraph (A), a
copy of the certification, accompanied by a concise
description of the factual basis for the certification,
shall be immediately provided to the Congress.
(6) Methods of notice.--An agency, or person engaged in
interstate commerce, shall be in compliance with this
subsection if it provides the individual, with--
(A) written notification;
(B) e-mail notice, if the individual has consented
to receive such notice and the notice is consistent
with the provisions permitting electronic transmission
of notices under section 101 of the Electronic
Signatures in Global and National Commerce Act (15
U.S.C. 7001); or
(C) substitute notice, if--
(i) the agency or person demonstrates that
the cost of providing direct notice would
exceed $500,000;
(ii) the number of individuals to be
notified exceeds 500,000; or
(iii) the agency or person does not have
sufficient contact information for those to be
notified.
(7) Content of notification.--Regardless of the method by
which notice is provided to individuals under paragraphs (1)
and (2), such notice shall include--
(A) to the extent possible, a description of the
categories of information that was, or is reasonably
believed to have been, acquired by an unauthorized
person, including social security numbers, driver's
license or State identification numbers and financial
data;
(B) a toll-free number--
(i) that the individual may use to contact
the agency or person, or the agent of the
agency or person; and
(ii) from which the individual may learn--
(I) what types of information the
agency or person maintained about that
individual or about individuals in
general; and
(II) whether or not the agency or
person maintained information about
that individual; and
(C) the toll-free contact telephone numbers and
addresses for the major credit reporting agencies.
(8) Coordination of notification with credit reporting
agencies.--If an agency or person is required to provide
notification to more than 1,000 individuals under this
subsection, the agency or person shall also notify, without
unreasonable delay, all consumer reporting agencies that
compile and maintain files on consumers on a nationwide basis
(as defined in section 603(p) of the Fair Credit Reporting Act
(15 U.S.C. 1681a(p)) of the timing and distribution of the
notices.
(b) Civil Remedies.--
(1) Penalties.--Any agency, or person engaged in interstate
commerce, that violates subsection (a) shall be subject to a
fine of--
(A) not more than $1,000 per individual whose
personal information was, or is reasonably believed to
have been, acquired by an unauthorized person; or
(B) not more than $50,000 per day while the failure
to give notice under subsection (a) persists.
(2) Equitable relief.--Any agency or person that violates,
proposes to violate, or has violated this section may be
enjoined from further violations by a court of competent
jurisdiction.
(3) Other rights and remedies.--The rights and remedies
available under this subsection are cumulative and shall not
affect any other rights and remedies available under law.
(c) Enforcement.--The Federal Trade Commission or other appropriate
regulator, is authorized to enforce compliance with this section,
including the assessment of fines under subsection (b)(1).
(d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence
that the consumer has received notice that the consumer's personal
financial information has or may have been compromised,'' after
``identity theft report''.
SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by the engagement of any person in a
practice that is prohibited under this Act, the State, as
parens patriae, may bring a civil action on behalf of the
residents of the State in a district court of the United States
of appropriate jurisdiction or any other court of competent
jurisdiction, including a State court, to--
(A) enjoin that practice;
(B) enforce compliance with this Act;
(C) obtain damages, restitution, or other
compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may
consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State
involved shall provide to the Attorney General of the
United States--
(i) written notice of the action; and
(ii) a copy of the complaint for the
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subsection, if the State attorney general
determines that it is not feasible to provide
the notice described in such subparagraph
before the filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the Attorney General at the time
the State attorney general files the action.
(b) Construction.--For purposes of bringing any civil action under
subsection (a), nothing in this Act shall be construed to prevent an
attorney general of a State from exercising the powers conferred on
such attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(c) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in--
(A) the district court of the United States that
meets applicable requirements relating to venue under
section 1391 of title 28, United States Code; or
(B) another court of competent jurisdiction.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 5. EFFECT ON STATE LAW.
The provisions of this Act shall supersede any inconsistent
provisions of law of any State or unit of local government with respect
to the conduct required by the specific provisions of this Act.
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the expiration of the date which is 6
months after the date of enactment of this Act.
Introduced in House
Sponsor introductory remarks on measure. (CR E1114)
Referred to the Committee on Energy and Commerce, and in addition to the Committees on Government Reform, and Financial Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Subcommittee on Commerce, Trade and Consumer Protection.