Personal Data Privacy and Security Act of 2005 - Title I: Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security - (Sec. 101) Amends the Racketeer Influenced and Corrupt Organizations Act (RICO) to make fraud and related activity in connection with unauthorized access to sensitive personally identifiable information a predicate offense.
(Sec. 102) Amends the federal criminal code to prohibit a person having the obligation to provide notice of a security breach under this Act from concealing a breach that causes economic damage to one or more persons. Grants the U.S. Secret Service exclusive authority to investigate any such offense.
(Sec. 103) Directs the U.S. Sentencing Commission to review and amend the sentencing guidelines applicable to persons convicted of using fraud to access, or misusing, digitized or electronic personally identifiable information (including identity theft).
Title II: Data Brokers - (Sec. 201) Sets forth requirements for data brokers engaged in interstate commerce with respect to products or services offered to third parties that allow access to or use of sensitive personally identifiable information, with specified exceptions.
Requires such a broker, upon request and for a reasonable fee, to disclose to an individual: (1) all personal electronic records maintained specifically for disclosure to third parties that request information on that individual in the ordinary course of business; and (2) guidance on correcting inaccuracies. Requires a broker to correct disputed information in its systems that does not accurately and completely record the information available from a public record source or licensor or that is otherwise found to be incomplete or inaccurate.
(Sec. 202) Sets civil penalties of up to $1,000 per violation per day up to a maximum of $250,000 for violations of this title, with additional penalties for intentional or willful violations. Authorizes equitable relief. Authorizes the Federal Trade Commission (FTC) to enforce this title and provides for state enforcement. Provides that nothing in this title establishes a private cause of action against a data broker for violation of this title.
Title III: Privacy and Security of Personally Identifiable Information - Subtitle A: A Data Privacy and Security Program - (Sec. 301) Subjects a business entity engaged in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more U.S. persons (with specified exceptions) to the requirements of this title.
(Sec. 302) Requires such an entity to: (1) implement a comprehensive data privacy and security program that includes safeguards identified by the FTC for the protection of sensitive personally identifiable information; (2) identify vulnerabilities and assess damage that could result in unauthorized access, disclosure, use, or alteration of such information or systems containing such information; (3) assess the sufficiency of its safeguards to control risks from such access; and (4) assess the vulnerability of such information during its destruction and disposal, including through the disposal or retirement of hardware.
Requires each entity to design its personal program to control those risks and adopt measures that: (1) control access to systems and facilities containing sensitive personally identifiable information; (2) detect fraudulent, unlawful, or unauthorized access, disclosure, use or alteration of such information; (3) protect such information by encryption or other reasonable means; and (4) ensure that such information is properly destroyed and disposed of. Requires each entity to ensure regular testing of key controls, systems, and procedures.
Requires each entity to: (1) exercise due diligence in selecting and training service providers for responsibilities related to safeguarding such information; and (2) require those service providers to implement and maintain specified measures.
Requires each entity to monitor, evaluate, and adjust its data privacy and security program regularly in light of any relevant changes in technology, the sensitivity of (or threats to) personally identifiable information, and changes in business arrangements.
(Sec. 303) Sets daily and maximum civil penalties for violations by a business entity. Establishes additional penalties for intentional or willful violations. Provides for equitable relief. Provides for enforcement by the FTC and by states.
Subtitle B: Security Breach Notification - (Sec. 321) Requires any agency or any business entity engaged in interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information, upon discovering a security breach of such information, to notify, without unreasonable delay: (1) all U.S. residents whose sensitive personally identifiable information has been accessed or acquired; or (2) the owner or licensee of the information if that agency or entity does not own or license it. Authorizes delay of notification upon written notice from a federal law enforcement agency that the notification would impede a criminal investigation.
(Sec. 322) Makes notification requirements inapplicable (subject to specified limitations) to an agency that certifies that notification of a breach could cause damage to the national security or hinder a law enforcement investigation. Exempts an agency or business entity if: (1) it concludes and notifies the Secret Service that there is no significant risk that the security breach will result in harm to individuals and the Secret Service does not indicate that notice should be given; or (2) it uses a security program that blocks the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the individual's account and that notifies affected individuals after a security breach that has resulted in fraud or unauthorized transactions.
(Sec. 323) Provides that an agency or business entity shall be in compliance with such requirements if it provides both individual notice and media notice.
(Sec. 324) Requires notice to include: (1) a description of the categories of sensitive personally identifiable information acquired by an unauthorized person; (2) a toll-free number that the individual may use to contact the agency or business entity to learn what types of personal information the agency or entity maintained; and (3) the toll-free telephone numbers and addresses for the major credit reporting agencies. Authorizes a state to require that a notice shall also include information regarding victim protection assistance provided by that state.
(Sec. 325) Directs an agency or business entity that is required to provide notification to more than 1,000 individuals to also notify all nationwide consumer reporting agencies of the timing and distribution of the notices.
(Sec. 326) Requires an agency or business entity to give notice of a security breach to the Secret Service if: (1) the number of individuals whose sensitive personally identifying information was acquired by an unauthorized person exceeds 10,000; (2) the breach involves a data system containing information on more than 1 million individuals nationwide; (3) the breach involves databases owned by the federal government; or (4) the breach involves primarily sensitive personally identifiable information of employees and contractors of the federal government involved in national security or law enforcement.
Makes the Secret Service responsible for notifying the attorney general of each state affected and the Federal Bureau of Investigation (FBI) or the U.S. Postal Inspection Service (as appropriate) not later than 14 days after discovering a breach.
(Sec. 327) Authorizes civil actions and injunctive actions by the Attorney General for violations. Amends the Fair Credit Reporting Act to authorize an extended fraud alert upon evidence that the consumer has received notice that his or her financial information has or may have been compromised.
(Sec. 328) Authorizes civil actions by state attorneys general.
(Sec. 329) Provides that this subtitle shall not: (1) supersede any other provision of federal law or of state law relating to notification of a security breach (with an exception); and (2) preclude any operation permitted under the Gramm-Leach-Bliley Act.
(Sec. 330) Authorizes appropriations to cover costs incurred by the Secret Service to carry out investigations and risk assessments of security breaches.
(Sec. 331) Directs the Secret Service to report to Congress on the number and nature of security breaches: (1) described in the notices filed by those business entities invoking the risk assessment exemption; and (2) subject to the national security and law enforcement exemptions.
Title IV: Government Access To and Use of Commercial Data - (Sec. 401) Directs the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000 with data brokers, to evaluate the broker's information privacy and security program. Deems a broker's program to be sufficient if the broker complies with or provides protection equal to applicable industry standards identified by the FTC.
Requires the GSA Administrator, in awarding contracts with data brokers for products or services related to access, use, compilation, distribution, processing, analyzing, or evaluating personally identifiable information, to: (1) include specified penalties; and (2) require the broker to exercise due diligence to require its service providers to implement and maintain specified information safeguards.
(Sec. 402) Requires each agency's information security program to include procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the agency's information systems or operations involving personally identifiable information and ensuring remedial action to address any significant deficiencies.
(Sec. 403) Amends the E-Government Act of 2002 to require an agency to take specified actions, including conducting a privacy impact assessment, before purchasing or subscribing for a fee to personally identifiable information from a data broker. Prohibits a federal agency from entering into a contract with a data broker to access any database consisting primarily of personally identifiable information concerning U.S. persons (other than news reporting or telephone directories) unless the head of such agency: (1) completes a privacy impact assessment; (2) adopts regulations specifying the personnel permitted to use such databases; and (3) incorporates into the agreement totaling more than $500,000 specified provisions regarding penalties and responsibilities related to such information.
Directs the Comptroller General to report on federal agency use of data brokers or commercial databases containing personally identifiable information.
(Sec. 404) Requires the Department of Justice (DOJ) to designate a department-wide Chief Privacy Officer. Directs that Officer to: (1) oversee DOJ's implementation of requirements to conduct privacy impact assessments of the use of commercial data containing personally identifiable information; and (2) coordinate with the Privacy and Civil Liberties Oversight Board.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1789 Introduced in Senate (IS)]
109th CONGRESS
1st Session
S. 1789
To prevent and mitigate identity theft, to ensure privacy, to provide
notice of security breaches, and to enhance criminal penalties, law
enforcement assistance, and other protections against security
breaches, fraudulent access, and misuse of personally identifiable
information.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
September 29, 2005
Mr. Specter (for himself, Mr. Leahy, Mrs. Feinstein, and Mr. Feingold)
introduced the following bill; which was read twice and referred to the
Committee on the Judiciary
_______________________________________________________________________
A BILL
To prevent and mitigate identity theft, to ensure privacy, to provide
notice of security breaches, and to enhance criminal penalties, law
enforcement assistance, and other protections against security
breaches, fraudulent access, and misuse of personally identifiable
information.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Personal Data
Privacy and Security Act of 2005''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS
OF DATA PRIVACY AND SECURITY
Sec. 101. Fraud and related criminal activity in connection with
unauthorized access to personally
identifiable information.
Sec. 102. Organized criminal activity in connection with unauthorized
access to personally identifiable
information.
Sec. 103. Concealment of security breaches involving sensitive
personally identifiable information.
Sec. 104. Aggravated fraud in connection with computers.
Sec. 105. Review and amendment of Federal sentencing guidelines related
to fraudulent access to or misuse of
digitized or electronic personally
identifiable information.
TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING
CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF
PERSONALLY IDENTIFIABLE INFORMATION
Sec. 201. Grants for State and local enforcement.
Sec. 202. Authorization of appropriations.
TITLE III--DATA BROKERS
Sec. 301. Transparency and accuracy of data collection.
Sec. 302. Enforcement.
Sec. 303. Relation to State laws.
Sec. 304. Effective date.
TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A--Data Privacy and Security Program
Sec. 401. Purpose and applicability of data privacy and security
program.
Sec. 402. Requirements for a personal data privacy and security
program.
Sec. 403. Enforcement.
Sec. 404. Relation to State laws.
Subtitle B--Security Breach Notification
Sec. 421. Right to notice of security breach.
Sec. 422. Notice procedures.
Sec. 423. Content of notice.
Sec. 424. Risk assessment and fraud prevention notice exemptions.
Sec. 425. Victim protection assistance.
Sec. 426. Enforcement.
Sec. 427. Relation to State laws.
Sec. 428. Study on securing personally identifiable information in the
digital era.
Sec. 429. Reporting on risk assessment exemption.
Sec. 430. Authorization of appropriations.
Sec. 431. Reporting on risk assessment exemption.
Sec. 432. Effective date.
TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA
Sec. 501. General Services Administration review of contracts.
Sec. 502. Requirement to audit information security practices of
contractors and third party business
entities.
Sec. 503. Privacy impact assessment of government use of commercial
information services containing personally
identifiable information.
Sec. 504. Implementation of Chief Privacy Officer requirements.
SEC. 2. FINDINGS.
Congress finds that--
(1) databases of personally identifiable information are
increasingly prime targets of hackers, identity thieves, rogue
employees, and other criminals, including organized and
sophisticated criminal operations;
(2) identity theft is a serious threat to the nation's
economic stability, homeland security, the development of
e-commerce, and the privacy rights of Americans;
(3) over 9,300,000 individuals were victims of identity
theft in America last year;
(4) security breaches are a serious threat to consumer
confidence, homeland security, e-commerce, and economic
stability;
(5) it is important for business entities that own, use, or
license personally identifiable information to adopt reasonable
procedures to ensure the security, privacy, and confidentiality
of that personally identifiable information;
(6) individuals whose personal information has been
compromised or who have been victims of identity theft should
receive the necessary information and assistance to mitigate
their damages and to restore the integrity of their personal
information and identities;
(7) data brokers have assumed a significant role in
providing identification, authentication, and screening
services, and related data collection and analyses for
commercial, nonprofit, and government operations;
(8) data misuse and use of inaccurate data have the
potential to cause serious or irreparable harm to an
individual's livelihood, privacy, and liberty and undermine
efficient and effective business and government operations;
(9) there is a need to insure that data brokers conduct
their operations in a manner that prioritizes fairness,
transparency, accuracy, and respect for the privacy of
consumers;
(10) government access to commercial data can potentially
improve safety, law enforcement, and national security; and
(11) because government use of commercial data containing
personal information potentially affects individual privacy,
and law enforcement and national security operations, there is
a need for Congress to exercise oversight over government use
of commercial data.
SEC. 3. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the same meaning given
such term in section 551 of title 5, United States Code.
(2) Affiliate.--The term ``affiliate'' means persons
related by common ownership or by corporate control.
(3) Business entity.--The term ``business entity'' means
any organization, corporation, trust, partnership, sole
proprietorship, unincorporated association, venture established
to make a profit, or nonprofit, and any contractor,
subcontractor, affiliate, or licensee thereof engaged in
interstate commerce.
(4) Identity theft.--The term ``identity theft'' means a
violation of section 1028 of title 18, United States Code, or
any other similar provision of applicable State law.
(5) Data broker.--The term ``data broker'' means a business
entity which for monetary fees, dues, or on a cooperative
nonprofit basis, currently or regularly engages, in whole or in
part, in the practice of collecting, transmitting, or providing
access to sensitive personally identifiable information
primarily for the purposes of providing such information to
nonaffiliated third parties on a nationwide basis on more than
5,000 individuals who are not the customers or employees of the
business entity or affiliate.
(6) Data furnisher.--The term ``data furnisher'' means any
agency, governmental entity, organization, corporation, trust,
partnership, sole proprietorship, unincorporated association,
venture established to make a profit, or nonprofit, and any
contractor, subcontractor, affiliate, or licensee thereof, that
serves as a source of information for a data broker.
(7) Personal electronic record.--The term ``personal
electronic record'' means data associated with an individual
contained in a database, networked or integrated databases, or
other data system that holds sensitive personally identifiable
information of that individual and is provided to
nonaffiliated third parties.
(8) Personally identifiable information.--The term
``personally identifiable information'' means any information,
or compilation of information, in electronic or digital form
serving as a means of identification, as defined by section
1028(d)(7) of title 18, United States Code.
(9) Public record source.--The term ``public record
source'' means any agency, Federal court, or State court that
maintains personally identifiable information in records
available to the public.
(10) Security breach.--
(A) In general.--The term ``security breach'' means
compromise of the security, confidentiality, or
integrity of computerized data through
misrepresentation or actions that result in, or there
is a reasonable basis to conclude has resulted in, the
unauthorized acquisition of and access to sensitive
personally identifiable information.
(B) Exclusion.--The term ``security breach'' does
not include--
(i) a good faith acquisition of sensitive
personally identifiable information by a
business entity or agency, or an employee or
agent of a business entity or agency, if the
sensitive personally identifiable information
is not subject to further unauthorized
disclosure; or
(ii) the release of a public record not
otherwise subject to confidentiality or
nondisclosure requirements.
(11) Sensitive personally identifiable information.--The
term ``sensitive personally identifiable information'' means
any information or compilation of information, in electronic or
digital form that includes:
(A) An individual's name in combination with any 1
of the following data elements:
(i) A non-truncated social security number,
driver's license number, passport number, or
alien registration number.
(ii) Any 2 of the following:
(I) Information that relates to--
(aa) the past, present, or
future physical or mental
health or condition of an
individual;
(bb) the provision of
health care to an individual;
or
(cc) the past, present, or
future payment for the
provision of health care to an
individual.
(II) Home address or telephone
number.
(III) Mother's maiden name, if
identified as such.
(IV) Month, day, and year of birth.
(iii) Unique biometric data such as a
finger print, voice print, a retina or iris
image, or any other unique physical
representation.
(iv) A unique electronic identification
number, user name, or routing code in
combination with the associated security code,
access code, or password.
(v) Any other information regarding an
individual determined appropriate by the
Federal Trade Commission.
(B) A financial account number or credit or debit
card number in combination with the required security
code, access code, or password.
TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS
OF DATA PRIVACY AND SECURITY
SEC. 101. FRAUD AND RELATED CRIMINAL ACTIVITY IN CONNECTION WITH
UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE
INFORMATION.
Section 1030(a)(2) of title 18, United States Code, is amended--
(1) in subparagraph (B), by striking ``or'' after the
semicolon;
(2) in subparagraph (C), by inserting ``or'' after the
semicolon; and
(3) by adding at the end the following:
``(D) information contained in the databases or
systems of a data broker, or in other personal
electronic records, as such terms are defined in
section 3 of the Personal Data Privacy and Security Act
of 2005;''.
SEC. 102. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED
ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.
Section 1961(1) of title 18, United States Code, is amended by
inserting ``section 1030(a)(2)(D) (relating to fraud and related
activity in connection with unauthorized access to personally
identifiable information),'' before ``section 1084''.
SEC. 103. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE
PERSONALLY IDENTIFIABLE INFORMATION.
(a) In General.--Chapter 47 of title 18, United States Code, is
amended by adding at the end the following:
``Sec. 1039. Concealment of security breaches involving sensitive
personally identifiable information
``(a) Whoever, having knowledge of a security breach and the
obligation to provide notice of such breach to individuals under title
IV of the Personal Data Privacy and Security Act of 2005, and having
not otherwise qualified for an exemption from providing notice under
section 422 of such Act, intentionally and willfully conceals the fact
of such security breach which causes economic damages to 1 or more
persons, shall be fined under this title or imprisoned not more than 5
years, or both.
``(b) For purposes of subsection (a), the term `person' means any
individual, corporation, company, association, firm, partnership,
society, or joint stock company.''.
(b) Conforming and Technical Amendments.--The table of sections for
chapter 47 of title 18, United States Code, is amended by adding at the
end the following:
``1039. Concealment of security breaches involving personally
identifiable information.''.
(c) Enforcement Authority.--The United States Secret Service shall
have the authority to investigate offenses under this section.
SEC. 104. AGGRAVATED FRAUD IN CONNECTION WITH COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States Code, is
amended by adding after section 1030 the following:
``Sec. 1030A. Aggravated fraud in connection with computers
``(a) In General.--Whoever, during and in relation to any felony
violation enumerated in subsection (c), knowingly obtains, accesses, or
transmits, without lawful authority, a means of identification of
another person may, in addition to the punishment provided for such
felony, be sentenced to a term of imprisonment of up to 2 years.
``(b) Consecutive Sentences.--Notwithstanding any other provision
of law, should a court in its discretion impose an additional sentence
under subsection (a)--
``(1) no term of imprisonment imposed on a person under
this section shall run concurrently, except as provided in
paragraph (3), with any other term of imprisonment imposed on
such person under any other provision of law, including any
term of imprisonment imposed for the felony during which the
means of identification was obtained, accessed, or
transmitted;
``(2) in determining any term of imprisonment to be imposed
for the felony during which the means of identification was
obtained, accessed, or transmitted, a court shall not in any
way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(3) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the court,
run concurrently, in whole or in part, only with another term
of imprisonment that is imposed by the court at the same time
on that person for an additional violation of this section.
``(c) Definition.--For purposes of this section, the term `felony
violation enumerated in subsection (c)' means any offense that is a
felony violation of paragraphs (2) through (7) of section 1030(a).''.
(b) Conforming and Technical Amendments.--The table of sections for
chapter 47 of title 18, United States Code, is amended by inserting
after the item relating to section 1030 the following new item:
``1030A. Aggravated fraud in connection with computers.''.
SEC. 105. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED
TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR
ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.
(a) Review and Amendment.--Not later than 180 days after the date
of enactment of this Act, the United States Sentencing Commission,
pursuant to its authority under section 994 of title 28, United States
Code, and in accordance with this section, shall review and, if
appropriate, amend the Federal sentencing guidelines (including its
policy statements) applicable to persons convicted of using fraud to
access, or misuse of, digitized or electronic personally identifiable
information, including identity theft or any offense under--
(1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of
title 18, United States Code; or
(2) any other relevant provision.
(b) Requirements.--In carrying out the requirements of this
section, the United States Sentencing Commission shall--
(1) ensure that the Federal sentencing guidelines
(including its policy statements) reflect--
(A) the serious nature of the offenses and
penalties referred to in this Act;
(B) the growing incidences of theft and misuse of
digitized or electronic personally identifiable
information, including identity theft; and
(C) the need to deter, prevent, and punish such
offenses;
(2) consider the extent to which the Federal sentencing
guidelines (including its policy statements) adequately address
violations of the sections amended by this Act to--
(A) sufficiently deter and punish such offenses;
and
(B) adequately reflect the enhanced penalties
established under this Act;
(3) maintain reasonable consistency with other relevant
directives and sentencing guidelines;
(4) account for any additional aggravating or mitigating
circumstances that might justify exceptions to the generally
applicable sentencing ranges;
(5) consider whether to provide a sentencing enhancement
for those convicted of the offenses described in subsection
(a), if the conduct involves--
(A) the online sale of fraudulently obtained or
stolen personally identifiable information;
(B) the sale of fraudulently obtained or stolen
personally identifiable information to an individual
who is engaged in terrorist activity or aiding other
individuals engaged in terrorist activity; or
(C) the sale of fraudulently obtained or stolen
personally identifiable information to finance
terrorist activity or other criminal activities;
(6) make any necessary conforming changes to the Federal
sentencing guidelines to ensure that such guidelines (including
its policy statements) as described in subsection (a) are
sufficiently stringent to deter, and adequately reflect crimes
related to fraudulent access to, or misuse of, personally
identifiable information; and
(7) ensure that the Federal sentencing guidelines
adequately meet the purposes of sentencing under section
3553(a)(2) of title 18, United States Code.
(c) Emergency Authority to Sentencing Commission.--The United
States Sentencing Commission may, as soon as practicable, promulgate
amendments under this section in accordance with procedures established
in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 994 note) as
though the authority under that Act had not expired.
TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING
CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF
PERSONALLY IDENTIFIABLE INFORMATION
SEC. 201. GRANTS FOR STATE AND LOCAL ENFORCEMENT.
(a) In General.--Subject to the availability of amounts provided in
advance in appropriations Acts, the Assistant Attorney General for the
Office of Justice Programs of the Department of Justice may award a
grant to a State to establish and develop programs to increase and
enhance enforcement against crimes related to fraudulent, unauthorized,
or other criminal use of personally identifiable information.
(b) Application.--A State seeking a grant under subsection (a)
shall submit an application to the Assistant Attorney General for the
Office of Justice Programs of the Department of Justice at such time,
in such manner, and containing such information as the Assistant
Attorney General may require.
(c) Use of Grant Amounts.--A grant awarded to a State under
subsection (a) shall be used by a State, in conjunction with units of
local government within that State, State and local courts, other
States, or combinations thereof, to establish and develop programs to--
(1) assist State and local law enforcement agencies in
enforcing State and local criminal laws relating to crimes
involving the fraudulent, unauthorized, or other criminal use
of personally identifiable information;
(2) assist State and local law enforcement agencies in
educating the public to prevent and identify crimes involving
the fraudulent, unauthorized, or other criminal use of
personally identifiable information;
(3) educate and train State and local law enforcement
officers and prosecutors to conduct investigations and forensic
analyses of evidence and prosecutions of crimes involving the
fraudulent, unauthorized, or other criminal use of personally
identifiable information;
(4) assist State and local law enforcement officers and
prosecutors in acquiring computer and other equipment to
conduct investigations and forensic analysis of evidence of
crimes involving the fraudulent, unauthorized, or other
criminal use of personally identifiable information; and
(5) facilitate and promote the sharing of Federal law
enforcement expertise and information about the investigation,
analysis, and prosecution of crimes involving the fraudulent,
unauthorized, or other criminal use of personally identifiable
information with State and local law enforcement officers and
prosecutors, including the use of multi-jurisdictional task
forces.
(d) Assurances and Eligibility.--To be eligible to receive a grant
under subsection (a), a State shall provide assurances to the Attorney
General that the State--
(1) has in effect laws that penalize crimes involving the
fraudulent, unauthorized, or other criminal use of personally
identifiable information, such as penal laws prohibiting--
(A) fraudulent schemes executed to obtain
personally identifiable information;
(B) schemes executed to sell or use fraudulently
obtained personally identifiable information; and
(C) online sales of personally identifiable
information obtained fraudulently or by other illegal
means;
(2) will provide an assessment of the resource needs of the
State and units of local government within that State,
including criminal justice resources being devoted to the
investigation and enforcement of laws related to crimes
involving the fraudulent, unauthorized, or other criminal use
of personally identifiable information; and
(3) will develop a plan for coordinating the programs
funded under this section with other federally funded technical
assistance and training programs, including directly funded
local programs such as the Local Law Enforcement Block Grant
program (described under the heading ``Violent Crime Reduction
Programs, State and Local Law Enforcement Assistance'' of the
Departments of Commerce, Justice, and State, the Judiciary, and
Related Agencies Appropriations Act, 1998 (Public Law 105-
119)).
(e) Matching Funds.--The Federal share of a grant received under
this section may not exceed 90 percent of the total cost of a program
or proposal funded under this section unless the Attorney General
waives, wholly or in part, the requirements of this subsection.
SEC. 202. AUTHORIZATION OF APPROPRIATIONS.
(a) In General.--There is authorized to be appropriated to carry
out this title $25,000,000 for each of fiscal years 2006 through 2009.
(b) Limitations.--Of the amount made available to carry out this
title in any fiscal year not more than 3 percent may be used by the
Attorney General for salaries and administrative expenses.
(c) Minimum Amount.--Unless all eligible applications submitted by
a State or units of local government within a State for a grant under
this title have been funded, the State, together with grantees within
the State (other than Indian tribes), shall be allocated in each fiscal
year under this title not less than 0.75 percent of the total amount
appropriated in the fiscal year for grants pursuant to this title,
except that the United States Virgin Islands, American Samoa, Guam, and
the Northern Mariana Islands each shall be allocated 0.25 percent.
(d) Grants to Indian Tribes.--Notwithstanding any other provision
of this title, the Attorney General may use amounts made available
under this title to make grants to Indian tribes for use in accordance
with this title.
TITLE III--DATA BROKERS
SEC. 301. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.
(a) In General.--Data brokers engaging in interstate commerce are
subject to the requirements of this title for any product or service
offered to third parties that allows access, use, compilation,
distribution, processing, analyzing, or evaluation of sensitive
personally identifiable information.
(b) Limitation.--Notwithstanding any other paragraph of this title,
this section shall not apply to--
(1) data brokers engaging in interstate commerce for any
offered product or service currently subject to, and in
compliance with, access and accuracy protections similar to
those under subsections (c) through (f) of this section under
the Fair Credit Reporting Act (Public Law 91-508), or the
Gramm-Leach-Bliley Act (Public Law 106-102);
(2) data brokers engaging in interstate commerce for any
offered product or service currently in compliance with the
requirements for such entities under the Health Insurance
Portability and Accountability Act (Public Law 104-191), and
implementing regulations;
(3) information in a personal electronic record held by a
data broker if--
(A) the data broker maintains such information
solely pursuant to a license agreement with another
business entity; and
(B) the business entity providing such information
to the data broker pursuant to a license agreement
either complies with the provisions of this section or
qualifies for this exemption; and
(4) information in a personal record that--
(A) the data broker has identified as inaccurate,
but maintains for the purpose of aiding the data broker
in preventing inaccurate information from entering an
individual's personal electronic record; and
(B) is not maintained primarily for the purpose of
transmitting or otherwise providing that information,
or assessments based on that information, to non-
affiliated third parties.
(c) Disclosures to Individuals.--
(1) In general.--A data broker shall, upon the request of
an individual, clearly and accurately disclose to such
individual for a reasonable fee all personal electronic records
pertaining to that individual maintained for disclosure to
third parties in the ordinary course of business in the
databases or systems of the data broker at the time of the
request.
(2) Information on how to correct inaccuracies.--The
disclosures required under paragraph (1) shall also include
guidance to individuals on the processes and procedures for
demonstrating and correcting any inaccuracies.
(d) Creation of an Accuracy Resolution Process.--A data broker
shall develop and publish on its website timely and fair processes and
procedures for responding to claims of inaccuracies, including
procedures for correcting inaccurate information in the personal
electronic records it maintains on individuals.
(e) Accuracy Resolution Process.--
(1) Information from a public record source.--
(A) In general.--If an individual notifies a data
broker of a dispute as to the completeness or accuracy
of information, and the data broker determines that
such information is derived from a public record
source, the data broker shall determine within 30 days
whether the information in its system accurately and
completely records the information offered by the
public record source.
(B) Data broker actions.--If a data broker
determines under subparagraph (A) that the information
in its systems--
(i) does not accurately and completely
record the information offered by a public
record source, the data broker shall correct
any inaccuracies or incompleteness, and provide
to such individual written notice of such
changes; and
(ii) does accurately and completely record
the information offered by a public record
source, the data broker shall--
(I) provide such individual with
the name, address, and telephone
contact information of the public
record source; and
(II) notify such individual of the
right to add for a period of 90 days to
the personal electronic record of the
individual maintained by the data
broker notice of the dispute under
subsection (f).
(2) Investigation of disputed information not from a public
record source.--If the completeness or accuracy of any
nonpublic record source disclosed to an individual under
subsection (c) is disputed by the individual and such
individual notifies the data broker directly of such dispute,
the data broker shall, before the end of the 30-day period
beginning on the date on which the data broker receives the
notice of the dispute--
(A) investigate free of charge and record the
current status of the disputed information; or
(B) delete the item from the individual's data file
in accordance with paragraph (8).
(3) Extension of period to investigate.--Except as provided
in paragraph (4), the 30-day period described in paragraph (1)
may be extended for not more than 15 additional days if a data
broker receives information from the individual during that 30-
day period that is relevant to the investigation.
(4) Limitations on extension of period to investigate.--
Paragraph (3) shall not apply to any investigation in which,
during the 30-day period described in paragraph (1), the
information that is the subject of the investigation is found
to be inaccurate or incomplete or a data broker determines that
the information cannot be verified.
(5) Notice identifying the data furnisher.--If the
completeness or accuracy of any information disclosed to an
individual under subsection (c) is disputed by the individual,
a data broker shall provide upon the request of the individual,
the name, business address, and telephone contact information
of any data furnisher who provided an item of information in
dispute.
(6) Determination that dispute is frivolous or
irrelevant.--
(A) In general.--Notwithstanding paragraphs (1)
through (4), a data broker may decline to investigate
or terminate an investigation of information disputed
by an individual under those paragraphs if the data
broker reasonably determines that the dispute by the
individual is frivolous or irrelevant, including by
reason of a failure by the individual to provide
sufficient information to investigate the disputed
information.
(B) Notice.--Not later than 5 business days after
making any determination in accordance with
subparagraph (A) that a dispute is frivolous or
irrelevant, a data broker shall notify the individual
of such determination by mail, or if authorized by the
individual, by any other means available to the data
broker.
(C) Contents of notice.--A notice under
subparagraph (B) shall include--
(i) the reasons for the determination under
subparagraph (A); and
(ii) identification of any information
required to investigate the disputed
information, which may consist of a
standardized form describing the general nature
of such information.
(7) Consideration of individual information.--In conducting
any investigation with respect to disputed information in the
personal electronic record of any individual, a data broker
shall review and consider all relevant information submitted by
the individual in the period described in paragraph (2) with
respect to such disputed information.
(8) Treatment of inaccurate or unverifiable information.--
(A) In general.--If, after any review of public
record information under paragraph (1) or any
investigation of any information disputed by an
individual under paragraphs (2) through (4), an item of
information is found to be inaccurate or incomplete or
cannot be verified, a data broker shall promptly delete
that item of information from the individual's personal
electronic record or modify that item of information,
as appropriate, based on the results of the
investigation.
(B) Notice to individuals of reinsertion of
previously deleted information.--If any information
that has been deleted from an individual's personal
electronic record pursuant to subparagraph (A) is
reinserted in the personal electronic record of the
individual, a data broker shall, not later than 5 days
after reinsertion, notify the individual of the
reinsertion and identify any data furnisher not
previously disclosed in writing, or if authorized by
the individual for that purpose, by any other means
available to the data broker, unless such notification
has been previously given under this subsection.
(C) Notice of results of investigation of disputed
information from a nonpublic record source.--
(i) In general.--Not later than 5 business
days after the completion of an investigation
under paragraph (2), a data broker shall
provide written notice to an individual of the
results of the investigation, by mail or, if
authorized by the individual for that purpose,
by other means available to the data broker.
(ii) Additional requirement.--Before the
expiration of the 5-day period, as part of, or
in addition to such notice, a data broker
shall, in writing, provide to an individual--
(I) a statement that the
investigation is completed;
(II) a report that is based upon
the personal electronic record of such
individual as that personal electronic
record is revised as a result of the
investigation;
(III) a notice that, if requested
by the individual, a description of the
procedures used to determine the
accuracy and completeness of the
information shall be provided to the
individual by the data broker,
including the business name, address,
and telephone number of any data
furnisher of information contacted in
connection with such information; and
(IV) a notice that the individual
has the right to request notifications
under subsection (f).
(D) Description of investigation procedures.--Not
later than 15 days after receiving a request from an
individual for a description referred to in
subparagraph (C)(ii)(III), a data broker shall provide
to the individual such a description.
(E) Expedited dispute resolution.--If by no later
than 3 business days after the date on which a data
broker receives notice of a dispute from an individual
of information in the personal electronic record of
such individual in accordance with paragraph (2), a
data broker resolves such dispute in accordance with
subparagraph (A) by the deletion of the disputed
information, then the data broker shall not be required
to comply with subsections (e) and (f) with respect to
that dispute if the data broker provides to the
individual, by telephone or other means authorized by
the individual, prompt notice of the deletion.
(f) Notice of Dispute.--
(1) In general.--If the completeness or accuracy of any
information disclosed to an individual under subsection (c) is
disputed and unless there is a reasonable ground to believe
that such dispute is frivolous or irrelevant, an individual may
request that the data broker indicate notice of the dispute for
a period of--
(A) 30 days for information from a nonpublic record
source; and
(B) 90 days for information from a public record
source.
(2) Compliance.--A data broker shall be deemed in
compliance with the requirements under paragraph (1) by
either--
(A) allowing the individual to file a brief
statement setting forth the nature of the dispute under
paragraph (3); or
(B) using an alternative notice method that--
(i) clearly flags the disputed information
for third parties accessing the information;
and
(ii) provides a means for third parties to
obtain further information regarding the nature
of the dispute.
(3) Contents of statement.--A data broker may limit
statements made under paragraph (2)(A) to not more than 100
words if it provides an individual with assistance in writing a
clear summary of the dispute or until the dispute is resolved.
(g) Additional Requirements.--The Federal Trade Commission may
exempt certain classes of data brokers from this title in a rulemaking
process pursuant to section 553 of title 5, United States Code.
SEC. 302. ENFORCEMENT.
(a) Civil Penalties.--
(1) Penalties.--Any data broker that violates the
provisions of section 301 shall be subject to civil penalties
of not more than $1,000 per violation per day, with a maximum
of $15,000 per day, while such violations persist.
(2) Intentional or willful violation.--A data broker that
intentionally or willfully violates the provisions of section
301 shall be subject to additional penalties in the amount of
$1,000 per violation per day, with a maximum of an additional
$15,000 per day, while such violations persist.
(3) Equitable relief.--A data broker engaged in interstate
commerce that violates this section may be enjoined from
further violations by a court of competent jurisdiction.
(4) Other rights and remedies.--The rights and remedies
available under this subsection are cumulative and shall not
affect any other rights and remedies available under law.
(b) Injunctive Actions by the Attorney General.--
(1) In general.--Whenever it appears that a data broker to
which this title applies has engaged, is engaged, or is about
to engage, in any act or practice constituting a violation of
this title, the Attorney General may bring a civil action in an
appropriate district court of the United States to--
(A) enjoin such act or practice;
(B) enforce compliance with this title;
(C) obtain damages--
(i) in the sum of actual damages,
restitution, and other compensation on behalf
of the affected residents of a State; and
(ii) punitive damages, if the violation is
willful or intentional; and
(D) obtain such other relief as the court
determines to be appropriate.
(2) Other injunctive relief.--Upon a proper showing in the
action under paragraph (1), the court shall grant a permanent
injunction or a temporary restraining order without bond.
(c) State Enforcement.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by an act or practice that violates this
title, the State may bring a civil action on behalf of the
residents of that State in a district court of the United
States of appropriate jurisdiction, or any other court of
competent jurisdiction, to--
(A) enjoin that act or practice;
(B) enforce compliance with this title;
(C) obtain--
(i) damages in the sum of actual damages,
restitution, or other compensation on behalf of
affected residents of the State; and
(ii) punitive damages, if the violation is
willful or intentional; or
(D) obtain such other legal and equitable relief as
the court may consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under this
subsection, the attorney general of the State involved
shall provide to the Attorney General--
(i) a written notice of that action; and
(ii) a copy of the complaint for that
action.
(B) Exception.--Subparagraph (A) shall not apply
with respect to the filing of an action by an attorney
general of a State under this subsection, if the
attorney general of a State determines that it is not
feasible to provide the notice described in this
subparagraph before the filing of the action.
(C) Notification when practicable.--In an action
described under subparagraph (B), the attorney general
of a State shall provide the written notice and the
copy of the complaint to the Attorney General as soon
after the filing of the complaint as practicable.
(3) Attorney general authority.--Upon receiving notice
under paragraph (2), the Attorney General shall have the right
to--
(A) move to stay the action, pending the final
disposition of a pending Federal proceeding or action
as described in paragraph (4);
(B) intervene in an action brought under paragraph
(1); and
(C) file petitions for appeal.
(4) Pending proceedings.--If the Attorney General has
instituted a proceeding or action for a violation of this title
or any regulations thereunder, no attorney general of a State
may, during the pendency of such proceeding or action, bring an
action under this subsection against any defendant named in
such criminal proceeding or civil action for any violation that
is alleged in that proceeding or action.
(5) Rule of construction.--For purposes of bringing any
civil action under paragraph (1), nothing in this title shall
be construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths and affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(6) Venue; service of process.--
(A) Venue.--Any action brought under this
subsection may be brought in the district court of the
United States that meets applicable requirements
relating to venue under section 1931 of title 28,
United States Code.
(B) Service of process.--In an action brought under
this subsection process may be served in any district
in which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(d) No Private Cause of Action.--Nothing in this title establishes
a private cause of action against a data broker for violation of any
provision of this title.
SEC. 303. RELATION TO STATE LAWS.
No requirement or prohibition may be imposed under the laws of any
State with respect to any subject matter regulated under section 301,
relating to individual access to, and correction of, personal
electronic records held by data brokers.
SEC. 304. EFFECTIVE DATE.
This title shall take effect 180 days after the date of enactment
of this Act and shall be implemented pursuant to a State by State
rollout schedule set by the Federal Trade Commission, but in no case
shall full implementation and effect of this title occur later than 1
year and 180 days after the date of enactment of this Act.
TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A--Data Privacy and Security Program
SEC. 401. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY
PROGRAM.
(a) Purpose.--The purpose of this subtitle is to ensure standards
for developing and implementing administrative, technical, and physical
safeguards to protect the privacy, security, confidentiality,
integrity, storage, and disposal of sensitive personally identifiable
information.
(b) In General.--A business entity engaging in interstate commerce
that involves collecting, accessing, transmitting, using, storing, or
disposing of sensitive personally identifiable information in
electronic or digital form on 10,000 or more United States persons is
subject to the requirements for a data privacy and security program
under section 402 for protecting sensitive personally identifiable
information.
(c) Limitations.--Notwithstanding any other obligation under this
subtitle, this subtitle does not apply to--
(1) financial institutions--
(A) subject to the data security requirements and
implementing regulations under the Gramm-Leach-Bliley
Act (15 U.S.C. 6801 et seq.); and
(B) subject to--
(i) examinations for compliance with the
requirements of this Act by 1 or more Federal
or State functional regulators (as defined in
section 509 of the Gramm-Leach-Bliley Act (15
U.S.C. 6809)); or
(ii) compliance with part 314 of title 16,
Code of Federal Regulations; or
(2) ``covered entities'' subject to the Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. 1301 et
seq.), including the data security requirements and
implementing regulations of that Act.
(d) Safe Harbor.--A business entity shall be deemed in compliance
with the privacy and security program requirements under section 402 if
the business entity complies with or provides protection equal to
industry standards, as identified by the Federal Trade Commission, that
are applicable to the type of sensitive personally identifiable
information involved in the ordinary course of business of such
business entity.
SEC. 402. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY
PROGRAM.
(a) Personal Data Privacy and Security Program.--Unless otherwise
limited under section 401(c), a business entity subject to this
subtitle shall comply with the following safeguards and any others
identified by the Federal Trade Commission in a rulemaking process
pursuant to section 553 of title 5, United States Code, to protect the
privacy and security of sensitive personally identifiable information:
(1) Scope.--A business entity shall implement a
comprehensive personal data privacy and security program that
includes administrative, technical, and physical safeguards
appropriate to the size and complexity of the business entity
and the nature and scope of its activities.
(2) Design.--The personal data privacy and security program
shall be designed to--
(A) ensure the privacy, security, and
confidentiality of personal electronic records;
(B) protect against any anticipated vulnerabilities
to the privacy, security, or integrity of personal
electronic records; and
(C) protect against unauthorized access to or use of
personal electronic records that could result in
substantial harm or inconvenience to any individual.
(3) Risk assessment.--A business entity shall--
(A) identify reasonably foreseeable internal and
external vulnerabilities that could result in
unauthorized access, disclosure, use, or alteration of
sensitive personally identifiable information or
systems containing sensitive personally identifiable
information;
(B) assess the likelihood of and potential damage
from unauthorized access, disclosure, use, or
alteration of sensitive personally identifiable
information; and
(C) assess the sufficiency of its policies,
technologies, and safeguards in place to control and
minimize risks from unauthorized access, disclosure,
use, or alteration of sensitive personally identifiable
information.
(4) Risk management and control.--Each business entity
shall--
(A) design its personal data privacy and security
program to control the risks identified under paragraph
(3); and
(B) adopt measures commensurate with the
sensitivity of the data as well as the size,
complexity, and scope of the activities of the business
entity that--
(i) control access to systems and
facilities containing sensitive personally
identifiable information, including controls to
authenticate and permit access only to
authorized individuals;
(ii) detect actual and attempted
fraudulent, unlawful, or unauthorized access,
disclosure, use, or alteration of sensitive
personally identifiable information, including
by employees and other individuals otherwise
authorized to have access; and
(iii) protect sensitive personally
identifiable information during use,
transmission, storage, and disposal by
encryption or other reasonable means (including
as directed for disposal of records under
section 628 of the Fair Credit Reporting Act
(15 U.S.C. 1681w) and the implementing
regulations of such Act as set forth in section
682 of title 16, Code of Federal Regulations).
(b) Training.--Each business entity subject to this subtitle shall
take steps to ensure employee training and supervision for
implementation of the data security program of the business entity.
(c) Vulnerability Testing.--
(1) In general.--Each business entity subject to this
subtitle shall take steps to ensure regular testing of key
controls, systems, and procedures of the personal data privacy
and security program to detect, prevent, and respond to attacks
or intrusions, or other system failures.
(2) Frequency.--The frequency and nature of the tests
required under paragraph (1) shall be determined by the risk
assessment of the business entity under subsection (a)(3).
(d) Relationship to Service Providers.--In the event a business
entity subject to this subtitle engages service providers not subject
to this subtitle, such business entity shall--
(1) exercise appropriate due diligence in selecting those
service providers for responsibilities related to sensitive
personally identifiable information, and take reasonable steps
to select and retain service providers that are capable of
maintaining appropriate safeguards for the security, privacy,
and integrity of the sensitive personally identifiable
information at issue; and
(2) require those service providers by contract to
implement and maintain appropriate measures designed to meet
the objectives and requirements governing entities subject to
this section, section 401, and subtitle B.
(e) Periodic Assessment and Personal Data Privacy and Security
Modernization.--Each business entity subject to this subtitle shall on
a regular basis monitor, evaluate, and adjust, as appropriate, its data
privacy and security program in light of any relevant changes in--
(1) technology;
(2) the sensitivity of personally identifiable information;
(3) internal or external threats to personally identifiable
information; and
(4) the changing business arrangements of the business
entity, such as--
(A) mergers and acquisitions;
(B) alliances and joint ventures;
(C) outsourcing arrangements;
(D) bankruptcy; and
(E) changes to sensitive personally identifiable
information systems.
(f) Implementation Time Line.--Not later than 1 year after the date
of enactment of this Act, a business entity subject to the provisions
of this subtitle shall implement a data privacy and security program
pursuant to this subtitle.
SEC. 403. ENFORCEMENT.
(a) Civil Penalties.--
(1) In general.--Any business entity that violates the
provisions of sections 401 or 402 shall be subject to civil
penalties of not more than $5,000 per violation per day, with a
maximum of $35,000 per day, while such violations persist.
(2) Intentional or willful violation.--A business entity
that intentionally or willfully violates the provisions of
sections 401 or 402 shall be subject to additional penalties in
the amount of $5,000 per violation per day, with a maximum of
an additional $35,000 per day, while such violations persist.
(3) Equitable relief.--A business entity engaged in
interstate commerce that violates this section may be enjoined
from further violations by a court of competent jurisdiction.
(4) Other rights and remedies.--The rights and remedies
available under this section are cumulative and shall not
affect any other rights and remedies available under law.
(b) Injunctive Actions by the Attorney General.--
(1) In general.--Whenever it appears that a business entity
or agency to which this subtitle applies has engaged, is
engaged, or is about to engage, in any act or practice
constituting a violation of this subtitle, the Attorney General
may bring a civil action in an appropriate district court of
the United States to--
(A) enjoin such act or practice;
(B) enforce compliance with this subtitle; and
(C) obtain damages--
(i) in the sum of actual damages,
restitution, and other compensation on behalf
of the affected residents of a State; and
(ii) punitive damages, if the violation is
willful or intentional; and
(D) obtain such other relief as the court
determines to be appropriate.
(2) Other injunctive relief.--Upon a proper showing in the
action under paragraph (1), the court shall grant a permanent
injunction or a temporary restraining order without bond.
(c) State Enforcement.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by an act or practice that violates this
subtitle, the State may bring a civil action on behalf of the
residents of that State in a district court of the United
States of appropriate jurisdiction, or any other court of
competent jurisdiction, to--
(A) enjoin that act or practice;
(B) enforce compliance with this subtitle;
(C) obtain--
(i) damages in the sum of actual damages,
restitution, or other compensation on behalf of
affected residents of the State; and
(ii) punitive damages, if the violation is
willful or intentional; or
(D) obtain such other legal and equitable relief as
the court may consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under this
subsection, the attorney general of the State involved
shall provide to the Attorney General--
(i) a written notice of that action; and
(ii) a copy of the complaint for that
action.
(B) Exception.--Subparagraph (A) shall not apply
with respect to the filing of an action by an attorney
general of a State under this subsection, if the
attorney general of a State determines that it is not
feasible to provide the notice described in this
subparagraph before the filing of the action.
(C) Notification when practicable.--In an action
described under subparagraph (B), the attorney general
of a State shall provide the written notice and the
copy of the complaint to the Attorney General as soon
after the filing of the complaint as practicable.
(3) Attorney general authority.--Upon receiving notice
under paragraph (2), the Attorney General shall have the right
to--
(A) move to stay the action, pending the final
disposition of a pending Federal proceeding or action
as described in paragraph (4);
(B) intervene in an action brought under paragraph
(1); and
(C) file petitions for appeal.
(4) Pending proceedings.--If the Attorney General has
instituted a proceeding or action for a violation of this title
or any regulations thereunder, no attorney general of a State
may, during the pendency of such proceeding or action, bring an
action under this subsection against any defendant named in
such criminal proceeding or civil action for any violation that
is alleged in that proceeding or action.
(5) Rule of construction.--For purposes of bringing any
civil action under paragraph (1) nothing in this title shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths and affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(6) Venue; service of process.--
(A) Venue.--Any action brought under this
subsection may be brought in the district court of the
United States that meets applicable requirements
relating to venue under section 1931 of title 28,
United States Code.
(B) Service of process.--In an action brought under
this subsection process may be served in any district
in which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(d) No Private Cause of Action.--Nothing in this title establishes
a private cause of action against a business entity for violation of
any provision of this subtitle.
SEC. 404. RELATION TO STATE LAWS.
(a) In General.--No State may--
(1) require an entity described in section 401(c) to comply
with this subtitle or any regulation promulgated thereunder;
and
(2) require an entity in compliance with the safe harbor
established under section 401(d), to comply with any other
provision of this subtitle.
(b) Effect of Subtitle A.--Except as provided in subsection (a),
this subtitle does not annul, alter, affect, or exempt any person
subject to the provisions of this subtitle from complying with the laws
of any State with respect to security programs for sensitive personally
identifiable information, except to the extent that those laws are
inconsistent with any provisions of this subtitle, and then only to the
extent of such inconsistency.
Subtitle B--Security Breach Notification
SEC. 421. NOTICE TO INDIVIDUALS.
(a) In General.--Any agency, or business entity engaged in
interstate commerce, that uses, accesses, transmits, stores, disposes
of or collects sensitive personally identifiable information shall,
following the discovery of a security breach maintained by the agency
or business entity that contains such information, notify any resident
of the United States whose sensitive personally identifiable
information was subject to the security breach.
(b) Obligation of Owner or Licensee.--
(1) Notice to owner or licensee.--Any agency, or business
entity engaged in interstate commerce, that uses, accesses,
transmits, stores, disposes of, or collects sensitive
personally identifiable information that the agency or business
entity does not own or license shall notify the owner or
licensee of the information following the discovery of a
security breach containing such information.
(2) Notice by owner, licensee or other designated third
party.--Nothing in this subtitle shall prevent or abrogate an
agreement between an agency or business entity required to give
notice under this section and a designated third party,
including an owner or licensee of the sensitive personally
identifiable information subject to the security breach, to
provide the notifications required under subsection (a).
(3) Business entity relieved from giving notice.--A
business entity obligated to give notice under subsection (a)
shall be relieved of such obligation if an owner or licensee of
the sensitive personally identifiable information subject to
the security breach, or other designated third party, provides
such notification.
(c) Timeliness of Notification.--
(1) In general.--All notifications required under this
section shall be made without unreasonable delay following--
(A) the discovery by the agency or business entity
of a security breach; and
(B) any measures necessary to determine the scope
of the breach, prevent further disclosures, and restore
the reasonable integrity of the data system.
(2) Burden of proof.--The agency, business entity, owner,
or licensee required to provide notification under this section
shall have the burden of demonstrating that all notifications
were made as required under this subtitle, including evidence
demonstrating the necessity of any delay.
(d) Delay of Notification Authorized for Law Enforcement
Purposes.--
(1) In general.--If a law enforcement agency determines
that the notification required under this section would impede
a criminal investigation, such notification may be delayed upon
the written request of the law enforcement agency.
(2) Extended delay of notification.--If the notification
required under subsection (a) is delayed pursuant to paragraph
(1), an agency or business entity shall give notice 30 days
after the day such law enforcement delay was invoked unless a
law enforcement agency provides written notification that
further delay is necessary.
SEC. 422. EXEMPTIONS.
(a) Exemption for National Security and Law Enforcement.--
(1) In general.--Section 421 shall not apply to an agency
if the head of the agency certifies, in writing, that
notification of the security breach as required by section 421
reasonably could be expected to--
(A) cause damage to the national security; or
(B) hinder a law enforcement investigation or the
ability of the agency to conduct law enforcement
investigations.
(2) Limits on certifications.--The head of an agency may
not execute a certification under paragraph (1) to--
(A) conceal violations of law, inefficiency, or
administrative error;
(B) prevent embarrassment to a business entity,
organization, or agency; or
(C) restrain competition.
(3) Notice.--In every case in which a head of an agency
issues a certification under paragraph (1), the certification,
accompanied by a concise description of the factual basis for
the certification, shall be immediately provided to the
Congress.
(b) Risk Assessment Exemption.--An agency or business entity will
be exempt from the notice requirements under section 421, if--
(1) a risk assessment concludes that there is no
significant risk that the security breach has resulted in, or
will result in, harm to the individuals whose sensitive
personally identifiable information was subject to the security
breach;
(2) without unreasonable delay, but not later than 45 days
after the discovery of a security breach, unless extended by
the United States Secret Service, the business entity notifies
the United States Secret Service, in writing, of--
(A) the results of the risk assessment;
(B) its decision to invoke the risk assessment
exemption; and
(3) the United States Secret Service does not indicate, in
writing, within 10 days from receipt of the decision, that
notice should be given.
(c) Financial Fraud Prevention Exemption.--
(1) In general.--A business entity will be exempt from the
notice requirement under section 421 if the business entity
utilizes or participates in a security program that--
(A) is designed to block the use of the sensitive
personally identifiable information to initiate
unauthorized financial transactions before they are
charged to the account of the individual; and
(B) provides for notice after a security breach
that has resulted in fraud or unauthorized
transactions.
(2) Limitation.--The exemption by this subsection does not
apply if the information subject to the security breach
includes, in addition to an account number, sensitive
personally identifiable information.
SEC. 423. METHODS OF NOTICE.
An agency, or business entity shall be in compliance with section
421 if it provides:
(1) Individual notice.--
(A) Written notification to the last known home
mailing address of the individual in the records of the
agency or business entity; or
(B) E-mail notice, if the individual has consented
to receive such notice and the notice is consistent
with the provisions permitting electronic transmission
of notices under section 101 of the Electronic
Signatures in Global and National Commerce Act (15
U.S.C. 7001).
(2) Media notice.--If more than 5,000 residents of a State
or jurisdiction are impacted, notice to major media outlets
serving that State or jurisdiction.
SEC. 424. CONTENT OF NOTIFICATION.
(a) In General.--Regardless of the method by which notice is
provided to individuals under section 423, such notice shall include,
to the extent possible--
(1) a description of the categories of sensitive personally
identifiable information that was, or is reasonably believed to
have been, acquired by an unauthorized person;
(2) a toll-free number--
(A) that the individual may use to contact the
agency or business entity, or the agent of the agency
or business entity; and
(B) from which the individual may learn--
(i) what types of sensitive personally
identifiable information the agency or business
entity maintained about that individual or
about individuals in general; and
(ii) whether or not the agency or business
entity maintained sensitive personally
identifiable information about that individual;
and
(3) the toll-free contact telephone numbers and addresses
for the major credit reporting agencies.
(b) Additional Content.--Notwithstanding section 429, a State may
require that a notice under subsection (a) shall also include
information regarding victim protection assistance provided for by that
State.
SEC. 425. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.
If an agency or business entity is required to provide notification
to more than 1,000 individuals under section 421(a), the agency or
business entity shall also notify, without unreasonable delay, all
consumer reporting agencies that compile and maintain files on
consumers on a nationwide basis (as defined in section 603(p) of the
Fair Credit Reporting Act (15 U.S.C. 1681a(p)) of the timing and
distribution of the notices.
SEC. 426. NOTICE TO LAW ENFORCEMENT.
(a) Secret Service.--Any business entity or agency required to give
notice under section 421 shall also give notice to the United States
Secret Service if the security breach impacts--
(1) more than 10,000 individuals nationwide;
(2) a database, networked or integrated databases, or other
data system associated with the sensitive personally
identifiable information on more than 1,000,000 individuals
nationwide;
(3) databases owned by the Federal Government; or
(4) primarily sensitive personally identifiable information
of employees and contractors of the Federal Government involved
in national security or law enforcement.
(b) Notice to Other Law Enforcement Agencies.--The United States
Secret Service shall be responsible for notifying--
(1)(A) the Federal Bureau of Investigation, if the security
breach involves espionage, foreign counterintelligence,
information protected against unauthorized disclosure for
reasons of national defense or foreign relations, or Restricted
Data (as that term is defined in section 11y of the Atomic
Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses
affecting the duties of the United States Secret Service under
section 3056(a) of title 18, United States Code; and
(B) the United States Postal Inspection Service, if the
security breach involves mail fraud; and
(2) the attorney general of each State affected by the
security breach.
(c) 30-Day Rule.--The notices to Federal law enforcement and the
attorney general of each State affected by a security breach required
under this section shall be delivered without unreasonable delay, but
not later than 30 days after discovery of the events requiring notice.
SEC. 427. CIVIL REMEDIES.
(a) Penalties.--Any agency, or business entity engaged in
interstate commerce, that violates this subtitle shall be subject to a
fine of--
(1) not more than $1,000 per individual per day whose
sensitive personally identifiable information was, or is reasonably
believed to have been, acquired by an unauthorized person; or
(2) not more than $50,000 per day while the failure to give
notice under this subtitle persists.
(b) Equitable Relief.--Any agency or business entity that violates,
proposes to violate, or has violated this subtitle may be enjoined from
further violations by a court of competent jurisdiction.
(c) Other Rights and Remedies.--The rights and remedies available
under this subtitle are cumulative and shall not affect any other
rights and remedies available under law.
(d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence
that the consumer has received notice that the consumer's financial
information has or may have been compromised,'' after ``identity theft
report''.
(e) Injunctive Actions by the Attorney General.--Whenever it
appears that a business entity or agency to which this subtitle applies
has engaged, is engaged, or is about to engage, in any act or practice
constituting a violation of this subtitle, the Attorney General may
bring a civil action in an appropriate district court of the United
States to--
(1) enjoin such act or practice;
(2) enforce compliance with this subtitle;
(3) obtain damages--
(A) in the sum of actual damages, restitution, and
other compensation on behalf of the affected residents
of a State; and
(B) punitive damages, if the violation is willful
or intentional; and
(4) obtain such other relief as the court determines to be
appropriate.
SEC. 428. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State, or any State or local law enforcement
agency authorized by the State attorney general or by State
statute to prosecute violations of consumer protection law, has
reason to believe that an interest of the residents of that
State has been or is threatened or adversely affected by the
engagement of any agency or business entity in a practice that
is prohibited under this subtitle, the State, as parens patriae
on behalf of the residents of the State, or the State or local
law enforcement agency on behalf of the residents of the
agency's jurisdiction, may bring a civil action on behalf of
the residents of the State or jurisdiction in a district court
of the United States of appropriate jurisdiction or any other
court of competent jurisdiction, including a State court, to--
(A) enjoin that practice;
(B) enforce compliance with this subtitle;
(C) obtain damages, restitution, or other
compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may
consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State
involved shall provide to the Attorney General of the
United States--
(i) written notice of the action; and
(ii) a copy of the complaint for the
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subtitle, if the State attorney general
determines that it is not feasible to provide
the notice described in such subparagraph
before the filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the Attorney General at the time
the State attorney general files the action.
(b) Federal Proceedings.--Upon receiving notice under subsection
(a)(2), the Attorney General shall have the right to--
(1) move to stay the action, pending the final disposition
of a pending Federal proceeding or action;
(2) intervene in an action brought under subsection (a)(2);
and
(3) file petitions for appeal.
(c) Pending Proceedings.--If the Attorney General has instituted a
proceeding or action for a violation of this subtitle or any
regulations thereunder, no attorney general of a State may, during the
pendency of such proceeding or action, bring an action under this
subtitle against any defendant named in such criminal proceeding or
civil action for any violation that is alleged in that proceeding or
action.
(d) Construction.--For purposes of bringing any civil action under
subsection (a), nothing in this subtitle regarding notification shall
be construed to prevent an attorney general of a State from exercising
the powers conferred on such attorney general by the laws of that State
to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(e) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in--
(A) the district court of the United States that
meets applicable requirements relating to venue under
section 1391 of title 28, United States Code; or
(B) another court of competent jurisdiction.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
(f) No Private Cause of Action.--Nothing in this subtitle
establishes a private cause of action against a data broker for
violation of any provision of this subtitle.
SEC. 429. EFFECT ON FEDERAL AND STATE LAW.
The provisions of this subtitle shall supersede any other provision
of Federal law or any provision of law of any State relating to
notification of a security breach, except as provided in section
424(b).
SEC. 430. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated such sums as may be
necessary to cover the costs incurred by the United States Secret
Service to carry out investigations and risk assessments of security
breaches as required under this subtitle.
SEC. 431. REPORTING ON RISK ASSESSMENT EXEMPTION.
The United States Secret Service shall report to Congress not later
than 18 months after the date of enactment of this Act, and upon the
request by Congress thereafter, on the number and nature of the
security breaches described in the notices filed by those business
entities invoking the risk assessment exemption under section 422(b)
and the response of the United States Secret Service to those notices.
SEC. 432. EFFECTIVE DATE.
This subtitle shall take effect on the expiration of the date which
is 90 days after the date of enactment of this Act.
TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA
SEC. 501. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.
(a) In General.--In considering contract awards totaling more than
$500,000 and entered into after the date of enactment of this Act with
data brokers, the Administrator of the General Services Administration
shall evaluate--
(1) the data privacy and security program of a data broker
to ensure the privacy and security of data containing
personally identifiable information, including whether such
program adequately addresses privacy and security threats
created by malicious software or code, or the use of peer-to-
peer file sharing software;
(2) the compliance of a data broker with such program;
(3) the extent to which the databases and systems
containing personally identifiable information of a data broker
have been compromised by security breaches; and
(4) the response by a data broker to such breaches,
including the efforts by such data broker to mitigate the
impact of such breaches.
(b) Compliance Safe Harbor.--The data privacy and security program
of a data broker shall be deemed sufficient for the purposes of
subsection (a), if the data broker complies with or provides protection
equal to industry standards, as identified by the Federal Trade
Commission, that are applicable to the type of personally identifiable
information involved in the ordinary course of business of such data
broker.
(c) Penalties.--In awarding contracts with data brokers for
products or services related to access, use, compilation, distribution,
processing, analyzing, or evaluating personally identifiable
information, the Administrator of the General Services Administration
shall--
(1) include monetary or other penalties--
(A) for failure to comply with subtitles A and B of
title IV of this Act; or
(B) if a contractor knows or has reason to know
that the personally identifiable information being
provided is inaccurate, and provides such inaccurate
information; and
(2) require a data broker that engages service providers
not subject to subtitle A of title IV for responsibilities
related to sensitive personally identifiable information to--
(A) exercise appropriate due diligence in selecting
those service providers for responsibilities related to
personally identifiable information;
(B) take reasonable steps to select and retain
service providers that are capable of maintaining
appropriate safeguards for the security, privacy, and
integrity of the personally identifiable information at
issue; and
(C) require such service providers, by contract, to
implement and maintain appropriate measures designed to
meet the objectives and requirements in title IV.
(d) Limitation.--The penalties under subsection (c) shall not apply
to a data broker providing information that is accurately and
completely recorded from a public record source.
SEC. 502. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF
CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.
Section 3544(b) of title 44, United States Code, is amended--
(1) in paragraph (7)(C)(iii), by striking ``and'' after the
semicolon;
(2) in paragraph (8), by striking the period and inserting
``; and''; and
(3) by adding at the end the following:
``(9) procedures for evaluating and auditing the
information security practices of contractors or third party
business entities supporting the information systems or
operations of the agency involving personally identifiable
information (as that term is defined in section 3 of the
Personal Data Privacy and Security Act of 2005) and ensuring
remedial action to address any significant deficiencies.''.
SEC. 503. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL
INFORMATION SERVICES CONTAINING PERSONALLY IDENTIFIABLE
INFORMATION.
(a) In General.--Section 208(b)(1) of the E-Government Act of 2002
(44 U.S.C. 3501 note) is amended--
(1) in subparagraph (A)(i), by striking ``or''; and
(2) in subparagraph (A)(ii), by striking the period and
inserting ``; or''; and
(3) by inserting after clause (ii) the following:
``(iii) purchasing or subscribing for a fee
to personally identifiable information from a
data broker (as such terms are defined in
section 3 of the Personal Data Privacy and
Security Act of 2005).''.
(b) Limitation.--Notwithstanding any other provision of law,
commencing 1 year after the date of enactment of this Act, no Federal
department or agency may enter into a contract with a data broker to
access for a fee any database consisting primarily of personally
identifiable information concerning United States persons (other than
news reporting or telephone directories) unless the head of such
department or agency--
(1) completes a privacy impact assessment under section 208
of the E-Government Act of 2002 (44 U.S.C. 3501 note), which
shall, subject to the provision in that Act pertaining to
sensitive information, include a description of--
(A) such database;
(B) the name of the data broker from whom it is
obtained; and
(C) the amount of the contract for use;
(2) adopts regulations that specify--
(A) the personnel permitted to access, analyze, or
otherwise use such databases;
(B) standards governing the access, analysis, or
use of such databases;
(C) any standards used to ensure that the
personally identifiable information accessed, analyzed,
or used is the minimum necessary to accomplish the
intended legitimate purpose of the Federal department
or agency;
(D) standards limiting the retention and
redisclosure of personally identifiable information
obtained from such databases;
(E) procedures ensuring that such data meet
standards of accuracy, relevance, completeness, and
timeliness;
(F) the auditing and security measures to protect
against unauthorized access, analysis, use, or
modification of data in such databases;
(G) applicable mechanisms by which individuals may
secure timely redress for any adverse consequences
wrongly incurred due to the access, analysis, or use of
such databases;
(H) mechanisms, if any, for the enforcement and
independent oversight of existing or planned
procedures, policies, or guidelines; and
(I) an outline of enforcement mechanisms for
accountability to protect individuals and the public
against unlawful or illegitimate access or use of
databases; and
(3) incorporates into the contract or other agreement
totaling more than $500,000, provisions--
(A) providing for penalties--
(i) for failure to comply with title IV of
this Act; or
(ii) if the entity knows or has reason to
know that the personally identifiable
information being provided to the Federal
department or agency is inaccurate, and
provides such inaccurate information.
(B) requiring a data broker that engages service
providers not subject to subtitle A of title IV for
responsibilities related to sensitive personally
identifiable information to--
(i) exercise appropriate due diligence in
selecting those service providers for
responsibilities related to personally
identifiable information;
(ii) take reasonable steps to select and
retain service providers that are capable of
maintaining appropriate safeguards for the
security, privacy, and integrity of the
personally identifiable information at issue;
and
(iii) require such service providers, by
contract, to implement and maintain appropriate
measures designed to meet the objectives and
requirements in title IV.
(c) Limitation on Penalties.--The penalties under paragraph (3)(A)
shall not apply to a data broker providing information that is
accurately and completely recorded from a public record source.
(d) Individual Screening Programs.--
(1) In general.--Notwithstanding any other provision of
law, commencing one year after the date of enactment of this
Act, no Federal department or agency may use commercial
databases or contract with a data broker to implement an
individual screening program unless such program is--
(A) congressionally authorized; and
(B) subject to regulations developed by notice and
comment that--
(i) establish a procedure to enable
individuals, who suffer an adverse consequence
because the screening system determined that
they might pose a security threat, to appeal
such determination and correct information
contained in the system;
(ii) ensure that Federal and commercial
databases that will be used to establish the
identity of individuals or otherwise make
assessments of individuals under the system
will not produce a large number of false
positives or unjustified adverse consequences;
(iii) ensure the efficacy and accuracy of
all of the search tools that will be used and
ensure that the department or agency can make
an accurate predictive assessment of those who
may constitute a threat;
(iv) establish an internal oversight board
to oversee and monitor the manner in which the
system is being implemented;
(v) establish sufficient operational
safeguards to reduce the opportunities for
abuse;
(vi) implement substantial security
measures to protect the system from
unauthorized access;
(vii) adopt policies establishing the
effective oversight of the use and operation of
the system; and
(viii) ensure that there are no specific
privacy concerns with the technological
architecture of the system; and
(C) coordinated with the Terrorist Screening Center
or any such successor organization.
(2) Definition.--As used in this subsection, the term
``individual screening program''--
(A) means a system that relies on personally
identifiable information from commercial databases to--
(i) evaluate all or most individuals
seeking to exercise a particular right or
privilege under Federal law; and
(ii) determine whether such individuals are
on a terrorist watch list or otherwise pose a
security threat; and
(B) does not include any program or system to grant
security clearances.
(e) Study of Government Use.--
(1) Scope of study.--Not later than 180 days after the date
of enactment of this Act, the Comptroller General of the United
States shall conduct a study and audit and prepare a report on
Federal agency use of data brokers or commercial databases
containing personally identifiable information, including the
impact on privacy and security, and the extent to which Federal
contracts include sufficient provisions to ensure privacy and
security protections, and penalties for failures in privacy and
security practices.
(2) Report.--A copy of the report required under paragraph
(1) shall be submitted to Congress.
SEC. 504. IMPLEMENTATION OF CHIEF PRIVACY OFFICER REQUIREMENTS.
(a) Designation of the Chief Privacy Officer.--Pursuant to the
requirements under section 522 of the Transportation, Treasury,
Independent Agencies, and General Government Appropriations Act, 2005
(division H of Public Law 108-447; 118 Stat. 3199) that each agency
designate a Chief Privacy Officer, the Department of Justice shall
implement such requirements by designating a department-wide Chief
Privacy Officer, whose primary role shall be to fulfill the duties and
responsibilities of Chief Privacy Officer and who shall report directly
to the Deputy Attorney General.
(b) Duties and Responsibilities of Chief Privacy Officer.--In
addition to the duties and responsibilities outlined under section 522
of the Transportation, Treasury, Independent Agencies, and General
Government Appropriations Act, 2005 (division H of Public Law 108-447;
118 Stat. 3199), the Department of Justice Chief Privacy Officer
shall--
(1) oversee the Department of Justice's implementation of
the requirements under section 603 to conduct privacy impact
assessments of the use of commercial data containing personally
identifiable information by the Department;
(2) promote the use of law enforcement technologies that
sustain privacy protections, and assure that the implementation
of such technologies relating to the use, collection, and
disclosure of personally identifiable information preserve the
privacy and security of such information; and
(3) coordinate with the Privacy and Civil Liberties
Oversight Board, established in the Intelligence Reform and
Terrorism Prevention Act of 2004 (Public Law 108-458), in
implementing paragraphs (1) and (2) of this subsection.
Introduced in Senate
Read twice and referred to the Committee on the Judiciary. (text of measure as introduced: CR S10725-10734)
Committee on the Judiciary. Committee consideration and Mark Up Session held.
Committee on the Judiciary. Committee consideration and Mark Up Session held.
Committee on the Judiciary. Ordered to be reported with an amendment in the nature of a substitute favorably.
Committee on the Judiciary. Reported by Senator Specter with an amendment in the nature of a substitute. Without written report.
Committee on the Judiciary. Reported by Senator Specter with an amendment in the nature of a substitute. Without written report.
Placed on Senate Legislative Calendar under General Orders. Calendar No. 297.