Personal Data Privacy and Security Act of 2005 - Amends the federal criminal code to prohibit: (1) intentionally accessing a computer without authorization, thereby obtaining data broker information; (2) concealing security breaches involving personally identifiable information (personal information); and (3) unlawfully accessing another's means of identification during a felony involving computers. Amends the Racketeer Influenced and Corrupt Organizations Act to cover fraud in connection with such unauthorized access. Directs the U.S. Sentencing Commission to amend the sentencing guidelines regarding identity theft.
Requires a data broker to: (1) disclose to an individual, upon request, personal electronic records pertaining to such individual maintained for disclosure to third parties; and (2) publish on its website procedures for responding to claims of inaccuracies.
Establishes safeguards to protect the privacy and security of personal information applicable to certain business entities, which shall: (1) notify specified parties of security breaches; and (2) offer to cover specified costs for affected U.S. residents.
Requires: (1) the Department of Justice to contract with the National Research Council to study securing personal information; (2) the Comptroller General to study social security number uses and federal use of commercial databases; and (3) the Administrator of the General Services Administration to evaluate contractor programs.
Prohibits without consent (with exceptions): (1) the display of an individual's social security number to a third party; and (2) the sale or purchase of such number. Amends the Social Security Act to restrict social security number use by businesses and the government.
Sets remedies for violations of this Act.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1332 Placed on Calendar Senate (PCS)]
Calendar No. 151
109th CONGRESS
1st Session
S. 1332
To prevent and mitigate identity theft; to ensure privacy; and to
enhance criminal penalties, law enforcement assistance, and other
protections against security breaches, fraudulent access, and misuse of
personally identifiable information.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 29, 2005
Mr. Specter (for himself, Mr. Leahy, and Mr. Feingold) introduced the
following bill; which was read the first time
July 1 (legislative day, June 30), 2005
Read the second time and placed on the calendar
_______________________________________________________________________
A BILL
To prevent and mitigate identity theft; to ensure privacy; and to
enhance criminal penalties, law enforcement assistance, and other
protections against security breaches, fraudulent access, and misuse of
personally identifiable information.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Personal Data
Privacy and Security Act of 2005''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY
Sec. 101. Fraud and related criminal activity in connection with unauthorized access to personally identifiable information.
Sec. 102. Organized criminal activity in connection with unauthorized access to personally identifiable information.
Sec. 103. Concealment of security breaches involving personally identifiable information.
Sec. 104. Aggravated fraud in connection with computers.
Sec. 105. Review and amendment of Federal sentencing guidelines related to fraudulent access to or misuse of digitized or electronic personally identifiable information.
TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY IDENTIFIABLE INFORMATION
Sec. 201. Grants for State and local enforcement.
Sec. 202. Authorization of appropriations.
TITLE III--DATA BROKERS
Sec. 301. Transparency and accuracy of data collection.
Sec. 302. Enforcement.
Sec. 303. Relation to State laws.
Sec. 304. Effective date.
TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A--Data Privacy and Security Program
Sec. 401. Purpose and applicability of data privacy and security program.
Sec. 402. Requirements for a personal data privacy and security program.
Sec. 403. Enforcement.
Sec. 404. Relation to State laws.
Subtitle B--Security Breach Notification
Sec. 421. Right to notice of security breach.
Sec. 422. Notice procedures.
Sec. 423. Content of notice.
Sec. 424. Risk assessment and fraud prevention notice exemptions.
Sec. 425. Victim protection assistance.
Sec. 426. Enforcement.
Sec. 427. Relation to State laws.
Sec. 428. Study on securing personally identifiable information in the digital era.
Sec. 429. Authorization of appropriations.
Sec. 430. Effective date.
TITLE V--PROTECTION OF SOCIAL SECURITY NUMBERS
Sec. 501. Social Security number protection.
Sec. 502. Limits on personal disclosure of social security numbers for commercial transactions and accounts.
Sec. 503. Public records.
Sec. 504. Treatment of social security numbers on government checks and prohibition of inmate access.
Sec. 505. Study and report.
Sec. 506. Enforcement.
Sec. 507. Relation to State laws.
TITLE VI--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA
Sec. 601. General Services Administration review of contracts.
Sec. 602. Requirement to audit information security practices of contractors and third party business entities.
Sec. 603. Privacy impact assessment of government use of commercial information services containing personally identifiable information.
Sec. 604. Implementation of Chief Privacy Officer requirements.
SEC. 2. FINDINGS.
Congress finds that--
(1) databases of personally identifiable information are
increasingly prime targets of hackers, identity thieves, rogue
employees, and other criminals, including organized and
sophisticated criminal operations;
(2) identity theft is a serious threat to the nation's
economic stability, homeland security, the development of e-
commerce, and the privacy rights of Americans;
(3) over 9,300,000 individuals were victims of identity
theft in America last year;
(4) security breaches are a serious threat to consumer
confidence, homeland security, e-commerce, and economic
stability;
(5) it is important for business entities that own, use, or
license personally identifiable information to adopt reasonable
procedures to ensure the security, privacy, and confidentiality
of that personally identifiable information;
(6) individuals whose personal information has been
compromised or who have been victims of identity theft should
receive the necessary information and assistance to mitigate
their damages and to restore the integrity of their personal
information and identities;
(7) data brokers have assumed a significant role in
providing identification, authentication, and screening
services, and related data collection and analyses for
commercial, nonprofit, and government operations;
(8) data misuse and use of inaccurate data have the
potential to cause serious or irreparable harm to an
individual's livelihood, privacy, and liberty and undermine
efficient and effective business and government operations;
(9) there is a need to insure that data brokers conduct
their operations in a manner that prioritizes fairness,
transparency, accuracy, and respect for the privacy of
consumers;
(10) government access to commercial data can potentially
improve safety, law enforcement, and national security; and
(11) because government misuse of commercial data endangers
privacy, security, and liberty, there is a need for Congress to
exercise oversight over government use of commercial data.
SEC. 3. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the same meaning given
such term in section 551 of title 5, United States Code.
(2) Affiliate.--The term ``affiliate'' means persons
related by common ownership or affiliated by corporate control.
(3) Business entity.--The term ``business entity'' means
any organization, corporation, trust, partnership, sole
proprietorship, unincorporated association, venture established
to make a profit, or nonprofit, and any contractor,
subcontractor, affiliate, or licensee thereof engaged in
interstate commerce.
(4) Identity theft.--The term ``identity theft'' means a
violation of section 1028 of title 18, United States Code, or
any other similar provision of applicable State law.
(5) Data broker.--The term ``data broker'' means a business
entity which for monetary fees, dues, or on a cooperative
nonprofit basis, regularly engages, in whole or in part, in the
practice of collecting, transmitting, or otherwise providing
personally identifiable information on a nationwide basis on
more than 5,000 individuals who are not the customers or
employees of the business entity or affiliate.
(6) Data furnisher.--The term ``data furnisher'' means any
agency, governmental entity, organization, corporation, trust,
partnership, sole proprietorship, unincorporated association,
venture established to make a profit, or nonprofit, and any
contractor, subcontractor, affiliate, or licensee thereof, that
serves as a source of information for a data broker.
(7) Personal electronic record.--The term ``personal
electronic record'' means the compilation of personally
identifiable information of an individual (including
information associated with that personally identifiable
information) in a database, networked or integrated databases,
or other data system.
(8) Personally identifiable information.--The term
``personally identifiable information'' means any information,
or compilation of information, in electronic or digital form
serving as a means of identification, as defined by section
1028(d)(7) of title 18, United States Code.
(9) Public record.--The term ``public record'' means any
item, collection, or grouping of information about an
individual that is maintained by an agency, including--
(A) education, financial transactions, medical
history, and criminal or employment history containing
the name of an individual; and
(B) the identifying number, symbol, or other
identifying particular assigned to an individual, such
as--
(i) a fingerprint;
(ii) a voice print; or
(iii) a photograph.
(10) Security breach.--
(A) In general.--The term ``security breach'' means
compromise of the security, confidentiality, or
integrity of computerized data through
misrepresentation or actions that result in, or there
is a reasonable basis to conclude has resulted in, the
unauthorized acquisition of and access to sensitive
personally identifiable information.
(B) Exclusion.--The term ``security breach'' does
not include a good faith acquisition of sensitive
personally identifiable information if the sensitive
personally identifiable information is not subject to
further unauthorized disclosure.
(11) Sensitive personally identifiable information.--The
term ``sensitive personally identifiable information'' means
any name or number used in conjunction with any other
information to identify a specific individual, including any--
(A) name, social security number, date of birth,
official State or government issued driver's license or
identification number, alien registration number,
government passport number, employer or taxpayer
identification number;
(B) unique biometric data, such as--
(i) a fingerprint;
(ii) a voice print;
(iii) a retina or iris image; or
(iv) any other unique physical
representation;
(C) unique electronic identification number,
address, or routing code; or
(D) telecommunication identifying information or
access device (as defined in section 1029(e) of title
18, United States Code).
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY
SEC. 101. FRAUD AND RELATED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.
Section 1030(a)(2) of title 18, United States Code, is amended--
(1) in subparagraph (B), by striking ``or'' after the
semicolon;
(2) in subparagraph (C), by inserting ``or'' after the
semicolon; and
(3) by adding at the end the following:
``(D) information contained in the databases or
systems of a data broker, or in other personal
electronic records, as such terms are defined in
section 3 of the Personal Data Privacy and Security Act
of 2005;''.
SEC. 102. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.
Section 1961(1) of title 18, United States Code, is amended by
inserting ``section 1030(a)(2)(D) (relating to fraud and related
activity in connection with unauthorized access to personally
identifiable information),'' before ``section 1084''.
SEC. 103. CONCEALMENT OF SECURITY BREACHES INVOLVING PERSONALLY IDENTIFIABLE INFORMATION.
(a) In General.--Chapter 47 of title 18, United States Code, is
amended by adding at the end the following:
``Sec. 1039. Concealment of security breaches involving personally
identifiable information
``Whoever, having knowledge of a security breach requiring notice
to individuals under title IV of the Personal Data Privacy and Security
Act of 2005, intentionally and willfully conceals the fact of, or
information related to, such security breach, shall be fined under this
title or imprisoned not more than 5 years, or both.''.
(b) Conforming and Technical Amendments.--The table of sections for
chapter 47 of title 18, United States Code, is amended by adding at the
end the following:
``1039. Concealment of security breaches involving personally
identifiable information.''.
SEC. 104. AGGRAVATED FRAUD IN CONNECTION WITH COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States Code, is
amended by adding after section 1030 the following:
``Sec. 1030A. Aggravated fraud in connection with computers
``(a) In General.--Whoever, during and in relation to any felony
violation enumerated in subsection (c), knowingly obtains, accesses, or
transmits, without lawful authority, a means of identification of
another person may, in addition to the punishment provided for such
felony, be sentenced to a term of imprisonment of up to 2 years.
``(b) Consecutive Sentences.--Notwithstanding any other provision
of law, should a court in its discretion impose an additional sentence
under subsection (a)--
``(1) no term of imprisonment imposed on a person under
this section shall run concurrently, except as provided in
paragraph (3), with any other term of imprisonment imposed on
such person under any other provision of law, including any
term of imprisonment imposed for the felony during which the
means of identification was obtained, accessed, or
transmitted;
``(2) in determining any term of imprisonment to be imposed
for the felony during which the means of identification was
obtained, accessed, or transmitted, a court shall not in any
way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(3) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the court,
run concurrently, in whole or in part, only with another term
of imprisonment that is imposed by the court at the same time
on that person for an additional violation of this section.
``(c) Definition.--For purposes of this section, the term `felony
violation enumerated in subsection (c)' means any offense that is a
felony violation of paragraphs (2) through (7) of section 1030(a).''.
(b) Conforming and Technical Amendments.--The table of sections for
chapter 47 of title 18, United States Code, is amended by inserting
after the item relating to section 1030 the following new item:
``1030A. Aggravated fraud in connection with computers.''.
SEC. 105. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.
(a) Review and Amendment.--Not later than 180 days after the date
of enactment of this Act, the United States Sentencing Commission,
pursuant to its authority under section 994 of title 28, United States
Code, and in accordance with this section, shall review and, if
appropriate, amend the Federal sentencing guidelines (including its
policy statements) applicable to persons convicted of using fraud to
access, or misuse of, digitized or electronic personally identifiable
information, including identity theft or any offense under--
(1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of
title 18, United States Code; or
(2) any other relevant provision.
(b) Requirements.--In carrying out the requirements of this
section, the United States Sentencing Commission shall--
(1) ensure that the Federal sentencing guidelines
(including its policy statements) reflect--
(A) the serious nature of the offenses and
penalties referred to in this Act;
(B) the growing incidences of theft and misuse of
digitized or electronic personally identifiable
information, including identity theft; and
(C) the need to deter, prevent, and punish such
offenses;
(2) consider the extent to which the Federal sentencing
guidelines (including its policy statements) adequately address
violations of the sections amended by this Act to--
(A) sufficiently deter and punish such offenses;
and
(B) adequately reflect the enhanced penalties
established under this Act;
(3) maintain reasonable consistency with other relevant
directives and sentencing guidelines;
(4) account for any additional aggravating or mitigating
circumstances that might justify exceptions to the generally
applicable sentencing ranges;
(5) consider whether to provide a sentencing enhancement
for those convicted of the offenses described in subsection
(a), if the conduct involves--
(A) the online sale of fraudulently obtained or
stolen personally identifiable information;
(B) the sale of fraudulently obtained or stolen
personally identifiable information to an individual
who is engaged in terrorist activity or aiding other
individuals engaged in terrorist activity; or
(C) the sale of fraudulently obtained or stolen
personally identifiable information to finance
terrorist activity or other criminal activities;
(6) make any necessary conforming changes to the Federal
sentencing guidelines to ensure that such guidelines (including
its policy statements) as described in subsection (a) are
sufficiently stringent to deter, and adequately reflect crimes
related to fraudulent access to, or misuse of, personally
identifiable information; and
(7) ensure that the Federal sentencing guidelines
adequately meet the purposes of sentencing under section
3553(a)(2) of title 18, United States Code.
(c) Emergency Authority to Sentencing Commission.--The United
States Sentencing Commission may, as soon as practicable, promulgate
amendments under this section in accordance with procedures established
in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 994 note) as
though the authority under that Act had not expired.
TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY IDENTIFIABLE INFORMATION
SEC. 201. GRANTS FOR STATE AND LOCAL ENFORCEMENT.
(a) In General.--Subject to the availability of amounts provided in
advance in appropriations Acts, the Assistant Attorney General for the
Office of Justice Programs of the Department of Justice may award a
grant to a State to establish and develop programs to increase and
enhance enforcement against crimes related to fraudulent, unauthorized,
or other criminal use of personally identifiable information.
(b) Application.--A State seeking a grant under subsection (a)
shall submit an application to the Assistant Attorney General for the
Office of Justice Programs of the Department of Justice at such time,
in such manner, and containing such information as the Assistant
Attorney General may require.
(c) Use of Grant Amounts.--A grant awarded to a State under
subsection (a) shall be used by a State, in conjunction with units of
local government within that State, State and local courts, other
States, or combinations thereof, to establish and develop programs to--
(1) assist State and local law enforcement agencies in
enforcing State and local criminal laws relating to crimes
involving the fraudulent, unauthorized, or other criminal use
of personally identifiable information;
(2) assist State and local law enforcement agencies in
educating the public to prevent and identify crimes involving
the fraudulent, unauthorized, or other criminal use of
personally identifiable information;
(3) educate and train State and local law enforcement
officers and prosecutors to conduct investigations and forensic
analyses of evidence and prosecutions of crimes involving the
fraudulent, unauthorized, or other criminal use of personally
identifiable information;
(4) assist State and local law enforcement officers and
prosecutors in acquiring computer and other equipment to
conduct investigations and forensic analysis of evidence of
crimes involving the fraudulent, unauthorized, or other
criminal use of personally identifiable information; and
(5) facilitate and promote the sharing of Federal law
enforcement expertise and information about the investigation,
analysis, and prosecution of crimes involving the fraudulent,
unauthorized, or other criminal use of personally identifiable
information with State and local law enforcement officers and
prosecutors, including the use of multi-jurisdictional task
forces.
(d) Assurances and Eligibility.--To be eligible to receive a grant
under subsection (a), a State shall provide assurances to the Attorney
General that the State--
(1) has in effect laws that penalize crimes involving the
fraudulent, unauthorized, or other criminal use of personally
identifiable information, such as penal laws prohibiting--
(A) fraudulent schemes executed to obtain
personally identifiable information;
(B) schemes executed to sell or use fraudulently
obtained personally identifiable information; and
(C) online sales of personally identifiable
information obtained fraudulently or by other illegal
means;
(2) will provide an assessment of the resource needs of the
State and units of local government within that State,
including criminal justice resources being devoted to the
investigation and enforcement of laws related to crimes
involving the fraudulent, unauthorized, or other criminal use
of personally identifiable information; and
(3) will develop a plan for coordinating the programs
funded under this section with other federally funded technical
assistance and training programs, including directly funded
local programs such as the Local Law Enforcement Block Grant
program (described under the heading ``Violent Crime Reduction
Programs, State and Local Law Enforcement Assistance'' of the
Departments of Commerce, Justice, and State, the Judiciary, and
Related Agencies Appropriations Act, 1998 (Public Law 105-
119)).
(e) Matching Funds.--The Federal share of a grant received under
this section may not exceed 90 percent of the total cost of a program
or proposal funded under this section unless the Attorney General
waives, wholly or in part, the requirements of this subsection.
SEC. 202. AUTHORIZATION OF APPROPRIATIONS.
(a) In General.--There is authorized to be appropriated to carry
out this title $25,000,000 for each of fiscal years 2006 through 2009.
(b) Limitations.--Of the amount made available to carry out this
title in any fiscal year not more than 3 percent may be used by the
Attorney General for salaries and administrative expenses.
(c) Minimum Amount.--Unless all eligible applications submitted by
a State or units of local government within a State for a grant under
this title have been funded, the State, together with grantees within
the State (other than Indian tribes), shall be allocated in each fiscal
year under this title not less than 0.75 percent of the total amount
appropriated in the fiscal year for grants pursuant to this title,
except that the United States Virgin Islands, American Samoa, Guam, and
the Northern Mariana Islands each shall be allocated 0.25 percent.
(d) Grants to Indian Tribes.--Notwithstanding any other provision
of this title, the Attorney General may use amounts made available
under this title to make grants to Indian tribes for use in accordance
with this title.
TITLE III--DATA BROKERS
SEC. 301. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.
(a) In General.--Data brokers engaging in interstate commerce are
subject to the requirements of this title for any offered product or
service offered to third parties that allows access, use, compilation,
distribution, processing, analyzing, or evaluating personally
identifiable information, unless that product or service is currently
subject to similar protections under subsections (b) and (g) of this
section, the Fair Credit Reporting Act (Public Law 91-508), or the
Gramm-Leach-Bliley Act (Public Law 106-102), and implementing
regulations.
(b) Disclosures to Individuals.--
(1) In general.--A data broker shall, upon the request of
an individual, clearly and accurately disclose to such
individual for a reasonable fee all personal electronic records
pertaining to that individual maintained for disclosure to
third parties in the databases or systems of the data broker at
the time of the request.
(2) Information on how to correct inaccuracies.--The
disclosures required under paragraph (1) shall also include
guidance to individuals on the processes and procedures for
demonstrating and correcting any inaccuracies.
(c) Creation of an Accuracy Resolution Process.--A data broker
shall develop and publish on its website timely and fair processes and
procedures for responding to claims of inaccuracies, including
procedures for correcting inaccurate information in the personal
electronic records it maintains on individuals.
(d) Accuracy Resolution Process.--
(1) Public record information.--
(A) In general.--If an individual notifies a data
broker of a dispute as to the completeness or accuracy
of information, and the data broker determines that
such information is derived from a public record
source, the data broker shall determine within 30 days
whether the information in its system accurately and
completely records the information offered by the
public record source.
(B) Data broker actions.--If a data broker
determines under subparagraph (A) that the information
in its systems--
(i) does not accurately and completely
record the information offered by a public
record source, the data broker shall correct
any inaccuracies or incompleteness, and provide
to such individual written notice of such
changes; and
(ii) does accurately and completely record
the information offered by a public record
source, the data broker shall--
(I) provide such individual with
the name, address, and telephone
contact information of the public
record source; and
(II) notify such individual of the
right to add to the personal electronic
record of the individual maintained by
the data broker a statement disputing
the accuracy or completeness of the
information for a period of 90 days
under subsection (e).
(2) Investigation of disputed non-public record
information.--If the completeness or accuracy of any non-public
record information disclosed to an individual under subsection
(b) is disputed by the individual and such individual notifies
the data broker directly of such dispute, the data broker
shall, before the end of the 30-day period beginning on the
date on which the data broker receives the notice of the
dispute--
(A) investigate free of charge and record the
current status of the disputed information; or
(B) delete the item from the individual's data file
in accordance with paragraph (8).
(3) Extension of period to investigate.--Except as provided
in paragraph (4), the 30-day period described in paragraph (1)
may be extended for not more than 15 additional days if a data
broker receives information from the individual during that 30-
day period that is relevant to the investigation.
(4) Limitations on extension of period to investigate.--
Paragraph (3) shall not apply to any investigation in which,
during the 30-day period described in paragraph (1), the
information that is the subject of the investigation is found
to be inaccurate or incomplete or a data broker determines that
the information cannot be verified.
(5) Notice identifying the data furnisher.--If the
completeness or accuracy of any information disclosed to an
individual under subsection (b) is disputed by the individual,
a data broker shall provide upon the request of the individual,
the name, business address, and telephone contact information
of any data furnisher who provided an item of information in
dispute.
(6) Determination that dispute is frivolous or
irrelevant.--
(A) In general.--Notwithstanding paragraphs (1)
through (4), a data broker may decline to investigate
or terminate an investigation of information disputed
by an individual under those paragraphs if the data
broker reasonably determines that the dispute by the
individual is frivolous or irrelevant, including by
reason of a failure by the individual to provide
sufficient information to investigate the disputed
information.
(B) Notice.--Not later than 5 business days after
making any determination in accordance with
subparagraph (A) that a dispute is frivolous or
irrelevant, a data broker shall notify the individual
of such determination by mail, or if authorized by the
individual, by any other means available to the data
broker.
(C) Contents of notice.--A notice under
subparagraph (B) shall include--
(i) the reasons for the determination under
subparagraph (A); and
(ii) identification of any information
required to investigate the disputed
information, which may consist of a
standardized form describing the general nature
of such information.
(7) Consideration of individual information.--In conducting
any investigation with respect to disputed information in the
personal electronic record of any individual, a data broker
shall review and consider all relevant information submitted by
the individual in the period described in paragraph (2) with
respect to such disputed information.
(8) Treatment of inaccurate or unverifiable information.--
(A) In general.--If, after any review of public
record information under paragraph (1) or any
investigation of any information disputed by an
individual under paragraphs (2) through (4), an item of
information is found to be inaccurate or incomplete or
cannot be verified, a data broker shall promptly delete
that item of information from the individual's personal
electronic record or modify that item of information,
as appropriate, based on the results of the
investigation.
(B) Notice to individuals of reinsertion of
previously deleted information.--If any information
that has been deleted from an individual's personal
electronic record pursuant to subparagraph (A) is
reinserted in the personal electronic record of the
individual, a data broker shall, not later than 5 days
after reinsertion, notify the individual of the
reinsertion and identify any data furnisher not
previously disclosed in writing, or if authorized by
the individual for that purpose, by any other means
available to the data broker, unless such notification
has been previously given under this subsection.
(C) Notice of results of investigation of disputed
non-public record.--
(i) In general.--Not later than 5 business
days after the completion of an investigation
under paragraph (2), a data broker shall
provide written notice to an individual of the
results of the investigation, by mail or, if
authorized by the individual for that purpose,
by other means available to the data broker.
(ii) Additional requirement.--Before the
expiration of the 5-day period, as part of, or
in addition to such notice, a data broker
shall, in writing, provide to an individual--
(I) a statement that the
investigation is completed;
(II) a report that is based upon
the personal electronic record of such
individual as that personal electronic
record is revised as a result of the
investigation;
(III) a notice that, if requested
by the individual, a description of the
procedures used to determine the
accuracy and completeness of the
information shall be provided to the
individual by the data broker,
including the business name, address,
and telephone number of any data
furnisher of information contacted in
connection with such information; and
(IV) a notice that the individual
has the right to request notifications
under subsection (g).
(D) Description of investigation procedures.--Not
later than 15 days after receiving a request from an
individual for a description referred to in
subparagraph (C)(ii)(III), a data broker shall provide
to the individual such a description.
(E) Expedited dispute resolution.--If by no later
than 3 business days after the date on which a data
broker receives notice of a dispute from an individual
of information in the personal electronic record of
such individual in accordance with paragraph (2), a
data broker resolves such dispute in accordance with
subparagraph (A) by the deletion of the disputed
information, then the data broker shall not be required
to comply with subsections (e) and (f) with respect to
that dispute if the data broker provides--
(i) to the individual, by telephone, prompt
notice of the deletion; and
(ii) to the individual a right to request
that the data broker furnish notifications
under subsection (g).
(e) Statement of Dispute.--
(1) In general.--If the completeness or accuracy of any
information disclosed to an individual under subsection (b) is
disputed, an individual may file a brief statement setting
forth the nature of the dispute.
(2) Contents of statement.--A data broker may limit the
statements made pursuant to paragraph (1) to not more than 100
words if it provides an individual with assistance in writing a
clear summary of the dispute or until the dispute is resolved,
whichever is earlier.
(f) Notification of Dispute in Subsequent Reports.--Whenever a
statement of a dispute is filed under subsection (e), unless there are
reasonable grounds to believe that it is frivolous or irrelevant, a
data broker shall, in any subsequent report, product, or service
containing the information in question, clearly note that it is
disputed by an individual and provide either the statement of such
individual or a clear and accurate codification or summary thereof for
a period of 90 days after the data broker first posts the statement of
dispute.
(g) Notification of Deletion of Disputed Information.--Following
any deletion of information which is found to be inaccurate or whose
accuracy can no longer be verified, a data broker shall, at the request
of an individual, furnish notification that the item has been deleted
or the statement, codification, or summary pursuant to subsection (e)
or (f) to any user or customer of the products or services of the data
broker who has within 90 days received a report with the deleted or
disputed information or has electronically accessed the deleted or
disputed information.
SEC. 302. ENFORCEMENT.
(a) Civil Penalties.--
(1) Penalties.--Any data broker that violates the
provisions of section 301 shall be subject to civil penalties
of not more than $1,000 per violation per day, with a maximum
of $15,000 per day, while such violations persist.
(2) Intentional or willful violation.--A data broker that
intentionally or willfully violates the provisions of section
301 shall be subject to additional penalties in the amount of
$1,000 per violation per day, with a maximum of an additional
$15,000 per day, while such violations persist.
(3) Equitable relief.--A data broker engaged in interstate
commerce that violates this section may be enjoined from
further violations by a court of competent jurisdiction.
(4) Other rights and remedies.--The rights and remedies
available under this subsection are cumulative and shall not
affect any other rights and remedies available under law.
(b) Injunctive Actions by the Attorney General.--
(1) In general.--Whenever it appears that a data broker to
which this title applies has engaged, is engaged, or is about
to engage, in any act or practice constituting a violation of
this title, the Attorney General may bring a civil action in an
appropriate district court of the United States to--
(A) enjoin such act or practice;
(B) enforce compliance with this title;
(C) obtain damages--
(i) in the sum of actual damages,
restitution, and other compensation on behalf
of the affected residents of a State; and
(ii) punitive damages, if the violation is
willful or intentional; and
(D) obtain such other relief as the court
determines to be appropriate.
(2) Other injunctive relief.--Upon a proper showing in the
action under paragraph (1), the court shall grant a permanent
injunction or a temporary restraining order without bond.
(c) State Enforcement.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by an act or practice that violates this
title, the State may bring a civil action on behalf of the
residents of that State in a district court of the United
States of appropriate jurisdiction, or any other court of
competent jurisdiction, to--
(A) enjoin that act or practice;
(B) enforce compliance with this title;
(C) obtain--
(i) damages in the sum of actual damages,
restitution, or other compensation on behalf of
affected residents of the State; and
(ii) punitive damages, if the violation is
willful or intentional; or
(D) obtain such other legal and equitable relief as
the court may consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under this
subsection, the attorney general of the State involved
shall provide to the Attorney General--
(i) a written notice of that action; and
(ii) a copy of the complaint for that
action.
(B) Exception.--Subparagraph (A) shall not apply
with respect to the filing of an action by an attorney
general of a State under this subsection, if the
attorney general of a State determines that it is not
feasible to provide the notice described in this
subparagraph before the filing of the action.
(C) Notification when practicable.--In an action
described under subparagraph (B), the attorney general
of a State shall provide the written notice and the
copy of the complaint to the Attorney General as soon
after the filing of the complaint as practicable.
(3) Attorney general authority.--Upon receiving notice
under paragraph (2), the Attorney General shall have the right
to--
(A) move to stay the action, pending the final
disposition of a pending Federal proceeding or action
as described in paragraph (4);
(B) intervene in an action brought under paragraph
(1); and
(C) file petitions for appeal.
(4) Pending proceedings.--If the Attorney General has
instituted a proceeding or action for a violation of this Act
or any regulations thereunder, no attorney general of a State
may, during the pendency of such proceeding or action, bring an
action under this subsection against any defendant named in
such criminal proceeding or civil action for any violation that
is alleged in that proceeding or action.
(5) Rule of construction.--For purposes of bringing any
civil action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths and affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(6) Venue; service of process.--
(A) Venue.--Any action brought under this
subsection may be brought in the district court of the
United States that meets applicable requirements
relating to venue under section 1931 of title 28,
United States Code.
(B) Service of process.--In an action brought under
this subsection process may be served in any district
in which the defendant--
(i) is an inhabitant; or
(ii) may be found.
SEC. 303. RELATION TO STATE LAWS.
(a) In General.--Except as provided in subsection (b), this title
does not annul, alter, affect, or exempt any person subject to the
provisions of this title from complying with the laws of any State with
respect to the access, use, compilation, distribution, processing,
analysis, and evaluation of any personally identifiable information by
data brokers, except to the extent that those laws are inconsistent
with any provisions of this title, and then only to the extent of such
inconsistency.
(b) Exceptions.--No requirement or prohibition may be imposed under
the laws of any State with respect to any subject matter regulated
under section 301, relating to individual access to, and correction of,
personal electronic records.
SEC. 304. EFFECTIVE DATE.
This title shall take effect 180 days after the date of enactment
of this Act.
TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A--Data Privacy and Security Program
SEC. 401. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY
PROGRAM.
(a) Purpose.--The purpose of this subtitle is to ensure standards
for developing and implementing administrative, technical, and physical
safeguards to protect the privacy, security, confidentiality,
integrity, storage, and disposal of personally identifiable
information.
(b) In General.--A business entity engaging in interstate commerce
that involves collecting, accessing, transmitting, using, storing, or
disposing of personally identifiable information in electronic or
digital form on 10,000 or more United States persons is subject to the
requirements for a data privacy and security program under section 402
for protecting personally identifiable information.
(c) Limitations.--Notwithstanding any other obligation under this
subtitle, this subtitle does not apply to--
(1) financial institutions subject to--
(A) the data security requirements and implementing
regulations under the Gramm-Leach-Bliley Act (15 U.S.C.
6801 et seq.); and
(B) examinations for compliance with the
requirements of this Act by 1 or more Federal
functional regulators (as defined in section 509 of the
Gramm-Leach-Bliley Act (15 U.S.C. 6809)); or
(2) ``covered entities'' subject to the Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. 1301 et
seq.), including the data security requirements and
implementing regulations of that Act.
SEC. 402. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY
PROGRAM.
(a) Personal Data Privacy and Security Program.--Unless otherwise
limited under section 401(c), a business entity subject to this
subtitle shall comply with the following safeguards to protect the
privacy and security of personally identifiable information:
(1) Scope.--A business entity shall implement a
comprehensive personal data privacy and security program,
written in 1 or more readily accessible parts, that includes
administrative, technical, and physical safeguards appropriate
to the size and complexity of the business entity and the
nature and scope of its activities.
(2) Design.--The personal data privacy and security program
shall be designed to--
(A) ensure the privacy, security, and
confidentiality of personal electronic records;
(B) protect against any anticipated vulnerabilities
to the privacy, security, or integrity of personal
electronic records; and
(C) protect against unauthorized access to or use of
personal electronic records that could result in
substantial harm or inconvenience to any individual.
(3) Risk assessment.--A business entity shall--
(A) identify reasonably foreseeable internal and
external vulnerabilities that could result in
unauthorized access, disclosure, use, or alteration of
personally identifiable information or systems
containing personally identifiable information;
(B) assess the likelihood of and potential damage
from unauthorized access, disclosure, use, or
alteration of personally identifiable information; and
(C) assess the sufficiency of its policies,
technologies, and safeguards in place to control and
minimize risks from unauthorized access, disclosure,
use, or alteration of personally identifiable
information.
(4) Risk management and control.--Each business entity
shall--
(A) design its personal data privacy and security
program to control the risks identified under paragraph
(3); and
(B) adopt measures commensurate with the
sensitivity of the data as well as the size,
complexity, and scope of the activities of the business
entity that--
(i) control access to systems and
facilities containing personally identifiable
information, including controls to authenticate
and permit access only to authorized
individuals;
(ii) detect actual and attempted
fraudulent, unlawful, or unauthorized access,
disclosure, use, or alteration of personally
identifiable information, including by
employees and other individuals otherwise
authorized to have access; and
(iii) protect personally identifiable
information during use, transmission, storage,
and disposal by encryption or other reasonable
means (including as directed for disposal of
records under section 628 of the Fair Credit
Reporting Act (15 U.S.C. 1681w) and the
implementing regulations of such Act as set
forth in section 682 of title 16, Code of
Federal Regulations).
(5) Accountability.--Each business entity required to
establish a data security program under section 401 shall
publish on its website or make otherwise available the terms of
such program to the extent that such terms do not reveal
information that compromises data security or privacy.
(b) Training.--Each business entity subject to this subtitle shall
take steps to ensure employee training and supervision for
implementation of the data security program of the business entity.
(c) Vulnerability Testing.--
(1) In general.--Each business entity subject to this
subtitle shall take steps to ensure regular testing of key
controls, systems, and procedures of the personal data privacy
and security program to detect, prevent, and respond to attacks
or intrusions, or other system failures.
(2) Frequency.--The frequency and nature of the tests
required under paragraph (1) shall be determined by the risk
assessment of the business entity under subsection (a)(3).
(d) Relationship to Service Providers.--In the event a business
entity subject to this subtitle engages service providers not subject
to this subtitle, such business entity shall--
(1) exercise appropriate due diligence in selecting those
service providers for responsibilities related to personally
identifiable information, and take reasonable steps to select
and retain service providers that are capable of maintaining
appropriate safeguards for the security, privacy, and integrity
of the personally identifiable information at issue; and
(2) require those service providers by contract to
implement and maintain appropriate measures designed to meet
the objectives and requirements governing entities subject to
this section, section 401, and subtitle B.
(e) Periodic Assessment and Personal Data Privacy and Security
Modernization.--Each business entity subject to this subtitle shall on
a regular basis monitor, evaluate, and adjust, as appropriate, its data
privacy and security program in light of any relevant changes in--
(1) technology;
(2) the sensitivity of personally identifiable information;
(3) internal or external threats to personally identifiable
information; and
(4) the changing business arrangements of the business
entity, such as--
(A) mergers and acquisitions;
(B) alliances and joint ventures;
(C) outsourcing arrangements;
(D) bankruptcy; and
(E) changes to personally identifiable information
systems.
(f) Implementation Time Line.--Not later than 1 year after the date
of enactment of this Act, a business entity subject to the provisions
of this subtitle shall implement a data privacy and security program
pursuant to this subtitle.
SEC. 403. ENFORCEMENT.
(a) Civil Penalties.--
(1) In general.--Any business entity that violates the
provisions of sections 401 or 402 shall be subject to civil
penalties of not more than $5,000 per violation per day, with a
maximum of $35,000 per day, while such violations persist.
(2) Intentional or willful violation.--A business entity
that intentionally or willfully violates the provisions of
sections 401 or 402 shall be subject to additional penalties in
the amount of $5,000 per violation per day, with a maximum of
an additional $35,000 per day, while such violations persist.
(3) Equitable relief.--A business entity engaged in
interstate commerce that violates this section may be enjoined
from further violations by a court of competent jurisdiction.
(4) Other rights and remedies.--The rights and remedies
available under this section are cumulative and shall not
affect any other rights and remedies available under law.
(b) Injunctive Actions by the Attorney General.--
(1) In general.--Whenever it appears that a business entity
or agency to which this subtitle applies has engaged, is
engaged, or is about to engage, in any act or practice
constituting a violation of this subtitle, the Attorney General
may bring a civil action in an appropriate district court of
the United States to--
(A) enjoin such act or practice;
(B) enforce compliance with this subtitle; and
(C) obtain damages--
(i) in the sum of actual damages,
restitution, and other compensation on behalf
of the affected residents of a State; and
(ii) punitive damages, if the violation is
willful or intentional; and
(D) obtain such other relief as the court
determines to be appropriate.
(2) Other injunctive relief.--Upon a proper showing in the
action under paragraph (1), the court shall grant a permanent
injunction or a temporary restraining order without bond.
(c) State Enforcement.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by an act or practice that violates this
subtitle, the State may bring a civil action on behalf of the
residents of that State in a district court of the United
States of appropriate jurisdiction, or any other court of
competent jurisdiction, to--
(A) enjoin that act or practice;
(B) enforce compliance with this subtitle;
(C) obtain--
(i) damages in the sum of actual damages,
restitution, or other compensation on behalf of
affected residents of the State; and
(ii) punitive damages, if the violation is
willful or intentional; or
(D) obtain such other legal and equitable relief as
the court may consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under this
subsection, the attorney general of the State involved
shall provide to the Attorney General--
(i) a written notice of that action; and
(ii) a copy of the complaint for that
action.
(B) Exception.--Subparagraph (A) shall not apply
with respect to the filing of an action by an attorney
general of a State under this subsection, if the
attorney general of a State determines that it is not
feasible to provide the notice described in this
subparagraph before the filing of the action.
(C) Notification when practicable.--In an action
described under subparagraph (B), the attorney general
of a State shall provide the written notice and the
copy of the complaint to the Attorney General as soon
after the filing of the complaint as practicable.
(3) Attorney general authority.--Upon receiving notice
under paragraph (2), the Attorney General shall have the right
to--
(A) move to stay the action, pending the final
disposition of a pending Federal proceeding or action
as described in paragraph (4);
(B) intervene in an action brought under paragraph
(1); and
(C) file petitions for appeal.
(4) Pending proceedings.--If the Attorney General has
instituted a proceeding or action for a violation of this Act
or any regulations thereunder, no attorney general of a State
may, during the pendency of such proceeding or action, bring an
action under this subsection against any defendant named in
such criminal proceeding or civil action for any violation that
is alleged in that proceeding or action.
(5) Rule of construction.--For purposes of bringing any
civil action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths and affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(6) Venue; service of process.--
(A) Venue.--Any action brought under this
subsection may be brought in the district court of the
United States that meets applicable requirements
relating to venue under section 1931 of title 28,
United States Code.
(B) Service of process.--In an action brought under
this subsection process may be served in any district
in which the defendant--
(i) is an inhabitant; or
(ii) may be found.
SEC. 404. RELATION TO STATE LAWS.
(a) In General.--Except as provided in subsection (b), this title
does not annul, alter, affect, or exempt any person subject to the
provisions of this title from complying with the laws of any State with
respect to security programs for personally identifiable information,
except to the extent that those laws are inconsistent with any
provisions of this title, and then only to the extent of such
inconsistency.
(b) Exceptions.--No requirement or prohibition may be imposed under
the laws of any State with respect to any subject matter regulated
under section 401(c), relating to entities exempted from compliance
with subtitle A.
Subtitle B--Security Breach Notification
SEC. 421. RIGHT TO NOTICE OF SECURITY BREACH.
(a) In General.--Unless delayed under section 422(d) or exempted
under section 424, any business entity or agency engaged in interstate
commerce that involves collecting, accessing, using, transmitting,
storing, or disposing of personally identifiable information shall
notify, following the discovery of a security breach of its systems or
databases in its possession or direct control when such security breach
impacts sensitive personally identifiable information--
(1) if the security breach impacts more than 10,000
individuals nationwide, impacts a database, networked or
integrated databases, or other data system associated with more
than 1,000,000 individuals nationwide, impacts databases owned
or used by the Federal Government, or involves sensitive
personally identifiable information of employees and
contractors of the Federal Government--
(A) the United States Secret Service, which shall
be responsible for notifying--
(i) the Federal Bureau of Investigation, if
the security breach involves espionage, foreign
counterintelligence, information protected
against unauthorized disclosure for reasons of
national defense or foreign relations, or
Restricted Data (as that term is defined in
section 11y of the Atomic Energy Act of 1954
(42 U.S.C. 2014(y)), except for offenses
affecting the duties of the United States
Secret Service under section 3056(a) of title
18, United States Code; and
(ii) the United States Postal Inspection
Service, if the security breach involves mail
fraud; and
(B) the attorney general of each State affected by
the security breach;
(2) each consumer reporting agency described in section
603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a),
pursuant to subsection (b); and
(3) any resident of the United States whose sensitive
personally identifiable information was subject to the security
breach, pursuant to sections 422 and 423, but in the event a
business entity or agency is unable to identify the specific
residents of the United States whose sensitive personally
identifiable information was impacted by a security breach, the
business entity or agency shall consult with the United States
Secret Service to determine the scope of individuals who there
is a reasonable basis to conclude have been impacted by such
breach and should receive notice.
(b) Consumer Reporting Agencies.--Any business entity or agency
obligated to provide notice of a security breach to more than 1,000
residents of the United States under subsection (a)(3) shall inform
consumer reporting agencies of the fact and scope of such notices for
the purpose of facilitating and managing potential increases in
consumer inquiries and mitigating identity theft or other negative
consequences of the breach.
SEC. 422. NOTICE PROCEDURES.
(a) Timeliness of Notice.--
(1) In general.--Except as provided in subsection (c), all
notices required under section 421 shall be issued
expeditiously and without unreasonable delay after discovery of
the events requiring notice.
(2) 14-day rule.--The notices to Federal law enforcement
and the attorney general of each State affected by a security
breach required under section 421(a) shall be delivered not
later than 14 days after discovery of the events requiring
notice.
(3) Required disclosure.--In complying with the notices
required under section 421, a business entity or agency shall
expeditiously and without unreasonable delay take reasonable
measures which are necessary to--
(A) determine the scope and assess the impact of a
breach under section 421; and
(B) restore the reasonable integrity of the data
system.
(b) Method.--Any business entity or agency obligated to provide
notice under section 421 shall be in compliance with that section if
they provide notice as follows:
(1) Written notification.--By written notification to the
last known home address of the individual whose sensitive
personally identifiable information was breached, or if
unknown, notification via telephone call to the last known home
telephone number.
(2) Internet posting.--If more than 1,000 residents of the
United States require notice under section 421 and if the
business entity or agency maintains an Internet site,
conspicuous posting of the notice on the Internet site of the
business entity or agency.
(3) Media notice.--If more than 5,000 residents of a State
or jurisdiction are impacted, notice to major media outlets
serving that State or jurisdiction.
(c) Delay of Notification for Law Enforcement Purposes.--
(1) In general.--If Federal law enforcement or the attorney
general of a State determines that the notices required under
section 421(a) would impede a criminal investigation, such
notices may be delayed until such law enforcement agency
determines that the notices will no longer compromise such
investigation.
(2) Extended delay of notification for law enforcement
purposes.--If a business entity or agency has delayed the
notices required under paragraphs (2) and (3) of section 421(a)
as described in paragraph (1), the business entity or agency
shall give notice 30 days after the day such law enforcement
delay was invoked unless Federal law enforcement provides
written notification that further delay is necessary.
SEC. 423. CONTENT OF NOTICE.
(a) In General.--A business entity or agency obligated to provide
notice to residents of the United States under section 421(a)(3) shall
clearly and concisely detail the nature of the sensitive personally
identifiable information impacted by the security breach.
(b) Content of Notice.--A notice under subsection (a) shall
include--
(1) the availability of victim protection assistance
pursuant to section 425;
(2) guidance on how to request that a fraud alert be placed
in the file of the individual maintained by consumer reporting
agencies, pursuant to section 605A of the Fair Credit Reporting
Act (15 U.S.C. 1681c-1) and the implications of such actions;
(3) the availability of a summary of rights for identity
theft victims from consumer reporting agencies, pursuant to
section 609 of the Fair Credit Reporting Act (15 U.S.C. 1681g);
(4) if applicable, notice that the State where an
individual resides has a statute that provides the individual
the right to place a security freeze on their credit report;
and
(5) if applicable, notice that consumer reporting agencies
have been notified of the security breach.
(c) Marketing Not Allowed in Notice.--A notice under subsection (a)
may not include--
(1) marketing information;
(2) sales offers; or
(3) any solicitation regarding the collection of additional
personally identifiable information from an individual.
SEC. 424. RISK ASSESSMENT AND FRAUD PREVENTION NOTICE EXEMPTIONS.
(a) Risk Assessment Exemption.--A business entity will be exempt
from the notice requirements under paragraphs (2) and (3) of section
421(a), if a risk assessment conducted in consultation with Federal law
enforcement and the attorney general of each State affected by a
security breach concludes that there is a de minimis risk of harm to
the individuals whose sensitive personally identifiable information was
at issue in the security breach.
(b) Fraud Prevention Exemption.--A business entity will be exempt
from the notice requirement under section 421(a) if--
(1) the nature of the sensitive personally identifiable
information subject to the security breach cannot be used to
facilitate transactions or facilitate identity theft to further
transactions with another business entity that is not the
business entity subject to the security breach notification
requirements of section 421;
(2) the business entity utilizes a security program
reasonably designed to block the use of the sensitive
personally identifiable information to initiate unauthorized
transactions before they are charged to the account of the
individual; and
(3) the business entity has a policy in place to provide
notice and provides such notice after a breach of the security
of the system has resulted in fraud or unauthorized
transactions, but does not necessarily require notice in other
circumstances.
SEC. 425. VICTIM PROTECTION ASSISTANCE.
Any business entity or agency obligated to provide notice to
residents of the United States under section 421(a)(3) shall offer to
those same residents to cover the cost of--
(1) monthly access to a credit report for a period of 1
year from the date of notice provided under section 421(a)(3);
and
(2) credit-monitoring services for up to 1 year from the
date of notice provided under section 421(a)(3).
SEC. 426. ENFORCEMENT.
(a) Civil Penalties.--
(1) In general.--Any business entity that violates the
provisions of sections 421 through 425 shall be subject to
civil penalties of not more than $5,000 per violation per day,
with a maximum of $55,000 per day, while such violations
persist.
(2) Intentional or willful violation.--A business entity
that intentionally or willfully violates the provisions of
sections 421 through 425 shall be subject to additional
penalties in the amount of $5,000 per violation per day, with a
maximum of an additional $55,000 per day, while such violations
persist.
(3) Equitable relief.--A business entity engaged in
interstate commerce that violates this section may be enjoined
from further violations by a court of competent jurisdiction.
(4) Other rights and remedies.--The rights and remedies
available under this section are cumulative and shall not
affect any other rights and remedies available under law.
(b) Injunctive Actions by the Attorney General.--
(1) In general.--Whenever it appears that a business entity
or agency to which this subtitle applies has engaged, is
engaged, or is about to engage, in any act or practice
constituting a violation of this subtitle, the Attorney General
may bring a civil action in an appropriate district court of
the United States to--
(A) enjoin such act or practice;
(B) enforce compliance with this subtitle; and
(C) obtain damages--
(i) in the sum of actual damages,
restitution, and other compensation on behalf
of the affected residents of a State; and
(ii) punitive damages, if the violation is
willful or intentional; and
(D) obtain such other relief as the court
determines to be appropriate.
(2) Other injunctive relief.--Upon a proper showing in the
action under paragraph (1), the court shall grant a permanent
injunction or a temporary restraining order without bond.
(c) State Enforcement.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been, or is threatened to be,
adversely affected by a violation of this subtitle, the State,
as parens patriae, may bring a civil action on behalf of the
residents of that State in a district court of the United
States of appropriate jurisdiction, or any other court of
competent jurisdiction, to--
(A) enjoin that practice;
(B) enforce compliance with this subtitle;
(C) obtain damages--
(i) in the sum of actual damages,
restitution, and other compensation on behalf
of the affected residents of that State; and
(ii) punitive damages, if the violation is
willful or intentional; and
(D) obtain such other equitable relief as the court
may consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State
involved shall provide to the Attorney General--
(i) written notice of the action; and
(ii) a copy of the complaint for the
action.
(B) Exception.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subsection, if the attorney general of a State
determines that it is not feasible to provide
the notice described in such subparagraph
before the filing of the action.
(ii) Notification when practicable.--In an
action described in clause (i), the attorney
general of a State shall provide notice and a
copy of the complaint to the Attorney General
at the time the attorney general of a State
files the action.
(3) Attorney general authority.--Upon receiving notice
under paragraph (2), the Attorney General shall have the right
to--
(A) move to stay the action, pending the final
disposition of a pending Federal proceeding or action
as described in paragraph (4);
(B) intervene in an action brought under paragraph
(1); and
(C) file petitions for appeal.
(4) Pending proceedings.--If the Attorney General has
instituted a proceeding or action for a violation of this Act
or any regulations thereunder, no attorney general of a State
may, during the pendency of such proceeding or action, bring an
action under this subsection against any defendant named in
such criminal proceeding or civil action for any violation that
is alleged in that proceeding or action.
(5) Rule of construction.--For purposes of bringing any
civil action under paragraph (1), nothing in this subsection
shall be construed to prevent an attorney general of a State
from exercising the powers conferred on such attorney general
by the laws of that State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(6) Venue; service of process.--
(A) Venue.--Any action brought under this
subsection may be brought in the district court of the
United States that meets applicable requirements
relating to venue under section 1391 of title 28,
United States Code.
(B) Service of process.--In an action brought under
this subsection process may be served in any district
in which the defendant--
(i) is an inhabitant; or
(ii) may be found.
SEC. 427. RELATION TO STATE LAWS.
(a) In General.--Except as provided in subsection (b), this title
does not annul, alter, affect, or exempt any person subject to the
provisions of this title from complying with the laws of any State with
respect to protecting consumers from the risk of theft or misuse of
personally identifiable information, except to the extent that those
laws are inconsistent with any provisions of this title, and then only
to the extent of such inconsistency.
(b) Exceptions.--No requirement or prohibition may be imposed under
the laws of any State with respect to any subject matter regulated
under--
(1) section 3(9), relating to the definition of ``security
breach'';
(2) paragraphs (1)(A), (2), and (3) of subsection (a), and
subsection (b) of section 421, relating to the right to notice
of security breach;
(3) section 422, relating to notice procedures;
(4) section 423, relating to notice content, except that
nothing in this section shall prevent a State from requiring
notice of additional victim protection assistance by that
State; and
(5) section 424, relating to risk assessment and fraud
prevention notice exemptions.
SEC. 428. STUDY ON SECURING PERSONALLY IDENTIFIABLE INFORMATION IN THE
DIGITAL ERA.
(a) Requirement for Study.--Not later than 120 days after the date
of enactment of this Act, the Department of Justice shall enter into a
contract with the National Research Council of the National Academies
to conduct a study on securing personally identifiable information in
the digital era.
(b) Matters to Be Assessed in Review.--The study required under
subsection (a) shall include--
(1) threats to the public posed by the unauthorized or
improper disclosure of personally identifiable information,
including threats to--
(A) law enforcement;
(B) homeland security;
(C) individual citizens; and
(D) commerce;
(2) an assessment of the benefits and costs of currently
available strategies for securing personally identifiable
information based on--
(A) technology;
(B) legislation;
(C) regulation; or
(D) public education;
(3) research needed to develop additional strategies;
(4) recommendations for congressional or other policy
actions to further minimize vulnerabilities to the threats
described in paragraph (1); and
(5) other relevant issues that in the discretion of the
National Research Council warrant examination.
(c) Time Line for Study and Requirement for Report.--Not later than
the end of the 18-month period beginning upon completion of the
performance of the contract described in subsection (a), the National
Research Council shall conduct the study and report its findings,
conclusions, and recommendations to Congress.
(d) Federal Department and Agency Compliance.--Federal departments
and agencies shall comply with requests made by the National Science
Foundation, National Research Council, and National Academies for
information that is necessary to assist in preparing the report
required by subsection (c).
(e) Authorization of Appropriations.--Of the amounts authorized to
be appropriated to the Department of Justice for Department-wide
activities, $850,000 shall be made available to carry out the
provisions of this section for fiscal year 2006.
SEC. 429. AUTHORIZATION OF APPROPRIATIONS.
There is authorized to be appropriated such sums as may be
necessary to cover the costs incurred by the United States Secret
Service to carry out investigations and risk assessments of security
breaches as required under this subtitle.
SEC. 430. EFFECTIVE DATE.
This subtitle shall take effect 90 days after the date of enactment
of this Act.
TITLE V--PROTECTION OF SOCIAL SECURITY NUMBERS
SEC. 501. SOCIAL SECURITY NUMBER PROTECTION.
(a) In General.--No person may--
(1) display any individual's social security number to a
third party without the voluntary and affirmatively expressed
consent of such individual; or
(2) sell or purchase any social security number of an
individual without the voluntary and affirmatively expressed
consent of such individual.
(b) Prerequisites for Consent.--To obtain the consent of an
individual under paragraph (1) or (2) of subsection (a), the person
displaying, selling, or attempting to sell, purchasing, or attempting
to purchase the social security number of such individual shall--
(1) inform such individual of the general purpose for which
the social security number will be used, the types of persons
to whom the social security number may be available, and the
scope of transactions permitted by the consent; and
(2) obtain the affirmatively expressed consent
(electronically or in writing) of such individual.
(c) Harvested Social Security Numbers.--Subsection (a) shall apply
to any public record of a Federal agency that contains social security
numbers extracted from other public records for the purpose of
displaying or selling such numbers to the general public.
(d) Exceptions.--Nothing in this section shall be construed to
prohibit or limit the display, sale, or purchase of a social security
number--
(1) as required, authorized, or excepted under Federal law;
(2) to the extent necessary for a public health purpose,
including the protection of the health or safety of an
individual in an emergency situation;
(3) to the extent necessary for a national security
purpose;
(4) to the extent necessary for a law enforcement purpose,
including the investigation of fraud and the enforcement of a
child support obligation;
(5) to the extent necessary for research conducted for the
purpose of advancing public knowledge, on the condition that
the researcher provides adequate assurances that--
(A) the social security numbers will not be used to
harass, target, or publicly reveal information
concerning any individual;
(B) information about individuals obtained from the
research will not be used to make decisions that
directly affect the rights, benefits, or privileges of
specific individuals; and
(C) the researcher has in place appropriate
safeguards to protect the privacy and confidentiality
of any information about individuals;
(6) if such a number is required to be submitted as part of
the process for applying for any type of Federal, State, or
local government benefit or program;
(7) when the transmission of the number is incidental to,
and in the course of, the sale, lease, franchising, or merger
of all or a portion of a business; or
(8) to the extent only the last 4 digits of a social
security number are displayed.
SEC. 502. LIMITS ON PERSONAL DISCLOSURE OF SOCIAL SECURITY NUMBERS FOR
COMMERCIAL TRANSACTIONS AND ACCOUNTS.
(a) In General.--Part A of title XI of the Social Security Act (42
U.S.C. 1301 et seq.) is amended by adding the following:
``SEC. 1150A. LIMITS ON PERSONAL DISCLOSURE OF SOCIAL SECURITY NUMBERS
FOR COMMERCIAL TRANSACTIONS AND ACCOUNTS.
``(a) Account Numbers.--
``(1) In general.--A business entity may not--
``(A) require an individual to use the social
security number of such individual as an account number
or account identifier when purchasing a commercial good
or service; or
``(B) deny an individual goods or services for
refusing to accept the use of the social security
number of such individual as an account number or
account identifier.
``(2) Existing account exception.--Paragraph (1) shall not
apply to any account number or account identifier established
prior to the date of enactment of this Act.
``(b) Social Security Number Prerequisites for Goods and
Services.--A business entity may not require an individual to provide
the social security number of such individual when purchasing a
commercial good or service or deny an individual goods or services for
refusing to provide that number except for any purpose relating to--
``(1) obtaining a consumer report for any purpose permitted
under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
``(2) a background check of the individual conducted by a
landlord, lessor, employer, or voluntary service agency;
``(3) law enforcement; or
``(4) a Federal, State, or local law requirement.
``(c) Application of Civil Money Penalties.--A violation of this
section shall be deemed to be a violation of section 1129(a).
``(d) Application of Criminal Penalties.--A violation of this
section shall be deemed to be a violation of section 208(a)(8).''.
SEC. 503. PUBLIC RECORDS.
(a) In General.--Except as provided in paragraph (2), paragraphs
(a) and (b) of section 501 shall apply to all public records posted on
the Internet or provided in an electronic medium by, or on behalf of, a
Federal agency.
(b) Exceptions.--
(1) Truncation and prior displays.--Section 501(a) shall
not apply to--
(A) a public record which displays only the last 4
digits of the social security number of an individual;
and
(B) any record or a category of public records
first posted on the Internet or provided in an
electronic medium by, or on behalf of, a Federal agency
prior to the date of enactment of this Act.
(2) Law enforcement.--Nothing in this subsection shall be
construed to prevent an entity acting pursuant to a police
investigation or regulatory power of a domestic governmental
unit from accessing the full social security number of an
individual.
SEC. 504. TREATMENT OF SOCIAL SECURITY NUMBERS ON GOVERNMENT CHECKS AND
PROHIBITION OF INMATE ACCESS.
(a) Prohibition of Use of Social Security Numbers on Checks Issued
for Payment by Governmental Entities.--
(1) In general.--Section 205(c)(2)(C) of the Social
Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at
the end the following:
``(x) No Federal, State, or local agency may display the
social security account number of any individual, or any
derivative of such number, on any check issued for any payment
by the Federal, State, or local agency.''.
(2) Effective date.--The amendment made under paragraph (1)
shall apply with respect to checks issued after the date that
is 3 years after the date of enactment of this Act.
(b) Prohibition on Inmate Access to Social Security Numbers.--
(1) In general.--Section 205(c)(2)(C) of the Social
Security Act (42 U.S.C. 405(c)(2)(C)), as amended by subsection
(b), is further amended by adding at the end the following:
``(xi)(I) No Federal, State, or local agency may employ, or
enter into a contract for the use or employment of, prisoners
in any capacity that would allow such prisoners access to the
social security account numbers of other individuals.
``(II) For purposes of this clause, the term `prisoner'
means an individual confined in a jail, prison, or other penal
institution or correctional facility pursuant to conviction of
such individual of a criminal offense.''.
(2) Effective date.--The amendment made under paragraph (1)
shall apply with respect to employment of prisoners, or entry
into contract with prisoners, after the date that is 1 year
after the date of enactment of this Act.
SEC. 505. STUDY AND REPORT.
(a) By the Comptroller General.--The Comptroller General of the
United States (in this section referred to as the ``Comptroller
General'') shall conduct a study and prepare a report on--
(1) all of the uses of social security numbers permitted,
required, authorized, or excepted under any Federal law; and
(2) the uses of social security numbers in Federal, State,
and local public records.
(b) Content of Report.--The report required under subsection (a)
shall--
(1) identify users of social security numbers under Federal
law;
(2) include a detailed description of the uses allowed as
of the date of enactment of this Act;
(3) describe the impact of such uses on privacy and data
security;
(4) evaluate whether such uses should be continued or
discontinued by appropriate legislative action;
(5) examine whether States are complying with prohibitions
on the display and use of social security numbers--
(A) under the Privacy Act of 1974 (5 U.S.C. 552a et
seq.); and
(B) the Driver's Privacy Protection Act of 1994 (18
U.S.C. 2721 et seq.);
(6) include a review of the uses of social security numbers
in Federal, State, or local public records;
(7) include a review of the manner in which public records
are stored (with separate reviews for both paper records and
electronic records);
(8) include a review of the advantages, utility, and
disadvantages of public records that contain social security
numbers, including--
(A) impact on law enforcement;
(B) threats to homeland security; and
(C) impact on personal privacy and security;
(9) include an assessment of the costs and benefits to
State and local governments of truncating, redacting, or
removing social security numbers from public records, including
a review of current technologies and procedures for truncating,
redacting, or removing social security numbers from public
records (with separate assessments for both paper and
electronic records);
(10) include an assessment of the benefits and costs to
businesses, non-profit organizations, and the general public of
requiring truncation, redaction, or removal of social security
numbers on public records (with separate assessments for both
paper and electronic records);
(11) include an assessment of Federal and State
requirements to truncate social security numbers, and issue
recommendations on--
(A) how to harmonize those requirements; and
(B) whether to further extend truncation
requirements, taking into consideration the impact on
accuracy and use;
(12) include recommendations regarding whether subsection
(a) should apply to any record or category of public records
first posted on the Internet or provided in an electronic
medium by, or on behalf of, a Federal agency prior to the date
of enactment of this Act; and
(13) include such recommendations for legislation based on
criteria the Comptroller General determines to be appropriate.
(c) Required Consultation.--In developing the report required under
this subsection, the Comptroller General shall consult with--
(1) the Administrative Office of the United States Courts;
(2) the Conference of State Court Administrators;
(3) the Department of Justice;
(4) the Department of Homeland Security;
(5) the Social Security Administration;
(6) State and local governments that store, maintain, or
disseminate public records; and
(7) other stakeholders, including members of the private
sector who routinely use public records that contain social
security numbers.
(d) Timing of Report.--Not later than 1 year after the date of
enactment of this Act, the Comptroller General shall report to Congress
its findings under this section.
SEC. 506. ENFORCEMENT.
(a) Civil Penalties.--
(1) In general.--Any person that violates the provisions of
sections 501 or 502 shall be subject to civil penalties of not
more than $5,000 per violation per day, with a maximum of
$35,000 per day, while such violations persist.
(2) Intentional or willful violation.--Any person who
intentionally or willfully violates the provisions of sections
501 or 502 shall be subject to additional penalties in the
amount of $5,000 per violation per day, with a maximum of an
additional $35,000 per day, while such violations persist.
(3) Equitable relief.--Any person who engages in interstate
commerce that violates this section may be enjoined from
further violations by a court of competent jurisdiction.
(4) Other rights and remedies.--The rights and remedies
available under this section are cumulative and shall not
affect any other rights and remedies available under law.
(b) Injunctive Actions by the Attorney General.--
(1) In general.--Whenever it appears that a person to which
this title applies has engaged, is engaged, or is about to
engage, in any act or practice constituting a violation of this
title, the Attorney General may bring a civil action in an
appropriate district court of the United States to--
(A) enjoin such act or practice;
(B) enforce compliance with this title; and
(C) obtain damages--
(i) in the sum of actual damages,
restitution, and other compensation on behalf
of the affected residents of a State; and
(ii) punitive damages, if the violation is
willful or intentional; and
(D) obtain such other relief as the court
determines to be appropriate.
(2) Other injunctive relief.--Upon a proper showing in the
action under paragraph (1), the court shall grant a permanent
injunction or a temporary restraining order without bond.
(c) State Enforcement.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by an act or practice that violates this
section, the State may bring a civil action on behalf of the
residents of that State in a district court of the United
States of appropriate jurisdiction, or any other court of
competent jurisdiction, to--
(A) enjoin that act or practice;
(B) enforce compliance with this Act;
(C) obtain damages, restitution, or other
compensation on behalf of residents of that State; or
(D) obtain such other legal and equitable relief as
the court may consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under this
subsection, the attorney general of the State involved
shall provide to the Attorney General--
(i) a written notice of that action; and
(ii) a copy of the complaint for that
action.
(B) Exception.--Subparagraph (A) shall not apply
with respect to the filing of an action by an attorney
general of a State under this subsection, if the
attorney general of a State determines that it is not
feasible to provide the notice described in this
subparagraph before the filing of the action.
(C) Notification when practicable.--In an action
described under subparagraph (B), the attorney general
of a State shall provide the written notice and the
copy of the complaint to the Attorney General as soon
after the filing of the complaint as practicable.
(3) Attorney general authority.--Upon receiving notice
under paragraph (2), the Attorney General shall have the right
to--
(A) move to stay the action, pending the final
disposition of a pending Federal proceeding or action
as described in paragraph (4);
(B) intervene in an action brought under paragraph
(1); and
(C) file petitions for appeal.
(4) Pending proceedings.--If the Attorney General has
instituted a proceeding or action for a violation of this Act
or any regulations thereunder, no attorney general of a State
may, during the pendency of such proceeding or action, bring an
action under this subsection against any defendant named in
such criminal proceeding or civil action for any violation that
is alleged in that proceeding or action.
(5) Rule of construction.--For purposes of bringing any
civil action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths and affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(6) Venue; service of process.--
(A) Venue.--Any action brought under this
subsection may be brought in the district court of the
United States that meets applicable requirements
relating to venue under section 1391 of title 28,
United States Code.
(B) Service of process.--In an action brought under
this subsection process may be served in any district
in which the defendant--
(i) is an inhabitant; or
(ii) may be found.
SEC. 507. RELATION TO STATE LAWS.
(a) In General.--Except as provided in subsection (b), this title
does not annul, alter, affect, or exempt any person subject to the
provisions of this title from complying with the laws of any State with
respect to protecting and securing social security numbers, except to
the extent that those laws are inconsistent with any provisions of this
title, and then only to the extent of such inconsistency.
(b) Exceptions.--No requirement or prohibition may be imposed under
the laws of any State with respect to any subject matter regulated
under--
(1) section 501(b), relating to prerequisites for consent
for the display, sale, or purchase of social security numbers;
(2) section 501(c), relating to harvesting of social
security numbers; and
(3) section 504, relating to treatment of social security
numbers on government checks and prohibition of inmate access.
TITLE VI--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA
SEC. 601. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.
(a) In General.--In considering contract awards entered into after
the date of enactment of this Act, the Administrator of the General
Services Administration shall evaluate--
(1) the program of a contractor to ensure the privacy and
security of data containing personally identifiable
information;
(2) the compliance of a contractor with such program;
(3) the extent to which the databases and systems
containing personally identifiable information of a contractor
have been compromised by security breaches; and
(4) the response by a contractor to such breaches,
including the efforts of a contractor to mitigate the impact of
such breaches.
(b) Penalties.--In awarding contracts for products or services
related to access, use, compilation, distribution, processing,
analyzing, or evaluating personally identifiable information, the
Administrator of the General Services Administration shall include the
following:
(1) Monetary or other penalties--
(A) for failure to comply with subtitles A and B of
title IV of this Act;
(B) if a contractor knows or has reason to know
that the personally identifiable information being
provided is inaccurate, and provides such inaccurate
information; or
(C) if a contractor is notified by an individual
that the personally identifiable information being
provided is inaccurate and it is in fact inaccurate.
(2) Accuracy update requirements that obligate a contractor
to provide notice to the Federal department or agency of any
changes or corrections to the personally identifiable
information provided under the contract.
SEC. 602. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF
CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.
Section 3544(b) of title 44, United States Code, is amended--
(1) in paragraph (7)(C)(iii), by striking ``and'' after the
semicolon;
(2) in paragraph (8), by striking the period and inserting
``; and''; and
(3) by adding at the end the following:
``(9) procedures for evaluating and auditing the
information security practices of contractors or third party
business entities supporting the information systems or
operations of the agency involving personally identifiable
information, and ensuring remedial action to address any
significant deficiencies.''.
SEC. 603. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL
INFORMATION SERVICES CONTAINING PERSONALLY IDENTIFIABLE
INFORMATION.
(a) In General.--Section 208(b)(1) of the E-Government Act of 2002
(44 U.S.C. 3501 note) is amended--
(1) in subparagraph (A)(i), by striking ``or''; and
(2) in subparagraph (A)(ii), by striking the period and
inserting ``; or''; and
(3) by inserting after clause (ii) the following:
``(iii) purchasing or subscribing for a fee
to personally identifiable information from a
commercial entity (other than news reporting or
telephone directories).''.
(b) Limitation.--Notwithstanding any other provision of law,
commencing 60 days after the date of enactment of this Act, no Federal
department or agency may procure or access any commercially available
database consisting primarily of personally identifiable information
concerning United States persons (other than news reporting or
telephone directories) unless the head of such department or agency--
(1) completes a privacy impact assessment under section 208
of the E-Government Act of 2002 (44 U.S.C. 3501 note), which
shall include a description of--
(A) such database;
(B) the name of the commercial entity from whom it
is obtained; and
(C) the amount of the contract for use;
(2) adopts regulations that specify--
(A) the personnel permitted to access, analyze, or
otherwise use such databases;
(B) standards governing the access, analysis, or use
of such databases;
(C) any standards used to ensure that the
personally identifiable information accessed, analyzed,
or used is the minimum necessary to accomplish the
intended legitimate purpose of the Federal department
or agency;
(D) standards limiting the retention and
redisclosure of personally identifiable information
obtained from such databases;
(E) procedures ensuring that such data meet
standards of accuracy, relevance, completeness, and
timeliness;
(F) the auditing and security measures to protect
against unauthorized access, analysis, use, or
modification of data in such databases;
(G) applicable mechanisms by which individuals may
secure timely redress for any adverse consequences
wrongly incurred due to the access, analysis, or use of
such databases;
(H) mechanisms, if any, for the enforcement and
independent oversight of existing or planned
procedures, policies, or guidelines; and
(I) an outline of enforcement mechanisms for
accountability to protect individuals and the public
against unlawful or illegitimate access or use of
databases; and
(3) incorporates into the contract or other agreement with
the commercial entity, provisions--
(A) providing for penalties--
(i) if the entity knows or has reason to
know that the personally identifiable
information being provided to the Federal
department or agency is inaccurate, and
provides such inaccurate information; or
(ii) if the entity is notified by an
individual that the personally identifiable
information being provided to the Federal
department or agency is inaccurate and it is in
fact inaccurate; and
(B) requiring commercial entities to inform Federal
departments or agencies to which they sell, disclose,
or provide access to personally identifiable
information of any changes or corrections to the
personally identifiable information.
(c) Individual Screening Programs.--Notwithstanding any other
provision of law, commencing 60 days after the date of enactment of
this Act, no Federal department or agency may use commercial databases
to implement an individual screening program unless such program is--
(1) congressionally authorized; and
(2) subject to regulations developed by notice and comment
that--
(A) establish a procedure to enable individuals,
who suffer an adverse consequence because the screening
system determined that they might pose a security
threat, to appeal such determination and correct
information contained in the system;
(B) ensure that Federal and commercial databases
that will be used to establish the identity of
individuals or otherwise make assessments of
individuals under the system will not produce a large
number of false positives or unjustified adverse
consequences;
(C) ensure the efficacy and accuracy of all of the
search tools that will be used and ensure that the
department or agency can make an accurate predictive
assessment of those who may constitute a threat;
(D) establish an internal oversight board to
oversee and monitor the manner in which the system is
being implemented;
(E) establish sufficient operational safeguards to
reduce the opportunities for abuse;
(F) implement substantial security measures to
protect the system from unauthorized access;
(G) adopt policies establishing the effective
oversight of the use and operation of the system; and
(H) ensure that there are no specific privacy
concerns with the technological architecture of the
system.
(d) Study of Government Use.--
(1) Scope of study.--Not later than 180 days after the date
of enactment of this Act, the Comptroller General of the United
States shall conduct a study and audit and prepare a report on
Federal agency use of commercial databases, including the
impact on privacy and security, and the extent to which Federal
contracts include sufficient provisions to ensure privacy and
security protections, and penalties for failures in privacy and
security practices.
(2) Report.--A copy of the report required under paragraph
(1) shall be submitted to Congress.
SEC. 604. IMPLEMENTATION OF CHIEF PRIVACY OFFICER REQUIREMENTS.
(a) Designation of the Chief Privacy Officer.--Pursuant to the
requirements under section 522 of the Transportation, Treasury,
Independent Agencies, and General Government Appropriations Act, 2005
(division H of Public Law 108-447; 118 Stat. 3199) that each agency
designate a Chief Privacy Officer, the Department of Justice shall
implement such requirements by designating a department-wide Chief
Privacy Officer, whose primary role shall be to fulfill the duties and
responsibilities of Chief Privacy Officer and who shall report directly
to the Deputy Attorney General.
(b) Duties and Responsibilities of Chief Privacy Officer.--In
addition to the duties and responsibilities outlined under section 522
of the Transportation, Treasury, Independent Agencies, and General
Government Appropriations Act, 2005 (division H of Public Law 108-447;
118 Stat. 3199), the Department of Justice Chief Privacy Officer
shall--
(1) oversee the Department of Justice's implementation of
the requirements under section 603 to conduct privacy impact
assessments of the use of commercial data containing personally
identifiable information by the Department;
(2) promote the use of law enforcement technologies that
sustain, rather than erode, privacy protections, and assure
that the implementation of such technologies relating to the
use, collection, and disclosure of personally identifiable
information preserve the privacy and security of such
information; and
(3) coordinate with the Privacy and Civil Liberties
Oversight Board, established in the Intelligence Reform and
Terrorism Prevention Act of 2004 (Public Law 108-458), in
implementing paragraphs (1) and (2) of this subsection.
_______________________________________________________________________
A BILL
To prevent and mitigate identity theft; to ensure privacy; and to
enhance criminal penalties, law enforcement assistance, and other
protections against security breaches, fraudulent access, and misuse of
personally identifiable information.
_______________________________________________________________________
July 1 (legislative day, June 30), 2005
Read the second time and placed on the calendar
Introduced in Senate
Sponsor introductory remarks on measure. (CR S7620-7622)
Introduced in the Senate. Read the first time. Placed on Senate Legislative Calendar under Read the First Time. (text of measure as introduced: CR S7622-7631)
Read the second time. Placed on Senate Legislative Calendar under General Orders. Calendar No. 151.