Personal Data Protection Act of 2007 - Defines "identity theft" to mean a fraud committed using the sensitive personal information of another individual with the intent to commit or to aid or abet unlawful activity that results in economic loss to that individual.
Requires any agency or person that owns or licenses computerized data containing sensitive personal information to: (1) develop, implement, and maintain reasonable security and notification procedures and practices (appropriate to the size and nature of the agency or person and the nature of the information) to ensure the security and confidentiality of the personal information and to protect sensitive personal information against unauthorized access, destruction, use, modification, or disclosure; and (2) notify any individual whose sensitive personal information was compromised (permits a federal law enforcement agency of domestic or foreign jurisdiction to delay notification if notification would impede a criminal or civil investigation).
Requires any agency or person in possession of computerized data containing sensitive personal information that it does not own or license to notify and cooperate with the owner or licensor upon discovery of a breach of the security of the system of such agency or person as expediently as possible. Authorizes an agency or person in possession of sensitive personal information to enter into an agreement with the owner or licensor of information regarding which person or entity will provide any notice required to an individual whose sensitive personal information was compromised. Requires the agency or person that owns or licenses computerized data containing sensitive personal information to provide any notice required if there is not such an agreement. Sets forth provisions regarding the timeliness of notification, the methods and contents of notice, and the duty to coordinate with consumer reporting agencies.
Establishes civil remedies for failure to provide notice of a security breach. Authorizes enforcement by state Attorneys General on behalf of residents of the state.
[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[S. 1202 Introduced in Senate (IS)]
110th CONGRESS
1st Session
S. 1202
To require agencies and persons in possession of computerized data
containing sensitive personal information, to disclose security
breaches where such breach poses a significant risk of identity theft.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 24, 2007
Mr. Sessions introduced the following bill; which was read twice and
referred to the Committee on the Judiciary
_______________________________________________________________________
A BILL
To require agencies and persons in possession of computerized data
containing sensitive personal information, to disclose security
breaches where such breach poses a significant risk of identity theft.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Personal Data Protection Act of
2007''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency''--
(A) has the meaning given that term in section
551(1) of title 5, United States Code; and
(B) includes any authority of a State or political
subdivision.
(2) Breach of security of the system.--The term ``breach of
security of the system''--
(A) means the compromise of the security of
computerized data containing sensitive personal
information that establishes a reasonable basis to
conclude that a significant risk of identity theft to
an individual exists; and
(B) does not include the compromise of the security
of computerized data, if the agency or person
concludes, after conducting a reasonable investigation,
that there is not a significant risk of identity theft
to an individual, including a situation in which--
(i) sensitive personal information is
acquired in good faith by an employee or agent
of the agency or person and the information is
not subject to further unauthorized disclosure;
(ii) an investigation by an appropriate law
enforcement agency, government agency, or
official determines that there is not a
significant risk of identity theft; or
(iii) the agency or person maintains or
participates in a security program reasonably
designed to block unauthorized transactions
before they are charged to an individual's
account and the security program does not
indicate that the compromise of sensitive
personal information has resulted in fraud or
unauthorized transactions.
(3) Functional regulator.--The term ``functional
regulator'' means--
(A) the Office of the Comptroller of the Currency
with respect to national banks, and Federal branches,
Federal agencies of foreign banks, and any subsidiaries
of such entities (except brokers, dealers, persons
providing insurance, investment companies, and
investment advisers);
(B) the Board of Governors of the Federal Reserve
System with respect to member banks of the Federal
Reserve System (other than national banks), branches
and agencies of foreign banks (other than Federal
branches, Federal agencies, and insured State branches
of foreign banks), commercial lending companies owned
or controlled by foreign banks, organizations operating
under section 25 or 25A of the Federal Reserve Act (12
U.S.C. 601 and 611), bank and financial holding
companies, and any nonbank subsidiaries or affiliates
of such entities (except brokers, dealers, persons
providing insurance, investment companies, and
investment advisers);
(C) the Board of Directors of the Federal Deposit
Insurance Corporation with respect to banks insured by
the Federal Deposit Insurance Corporation (other than
members of the Federal Reserve System), insured State
branches of foreign banks, and any subsidiaries of such
entities (except brokers, dealers, persons providing
insurance, investment companies, and investment
advisers);
(D) the Director of the Office of Thrift
Supervision with respect to savings associations the
deposits of which are insured by the Federal Deposit
Insurance Corporation, savings and loan holding
companies, and any subsidiaries of such entities
(except brokers, dealers, persons providing insurance,
investment companies, and investment advisers);
(E) the National Credit Union Administration Board
with respect to any Federal credit union and any
subsidiaries of such an entity;
(F) the Secretary of Transportation with respect to
any air carrier or foreign air carrier subject to part
A of subtitle VII of title 49, United States Code;
(G) the Secretary of Agriculture with respect to
any activities subject to the Packers and Stockyards
Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in
section 406 of that Act (7 U.S.C. 226 and 227));
(H) the Farm Credit Administration with respect to
any Federal land bank, Federal land bank association,
Federal intermediate credit bank, or production credit
association;
(I) the Securities and Exchange Commission with
respect to any broker or dealer, investment company or
investment adviser;
(J) the applicable State insurance authority of the
State in which the person is domiciled with respect to
any person engaged in providing insurance;
(K) the Federal Communications Commission with
respect to any entity subject to the jurisdiction of
the Commission; and
(L) the Federal Trade Commission with respect to
any other financial institution or other person that is
not subject to the jurisdiction of any agency or
authority under subparagraphs (A) through (K).
(4) Identity theft.--The term ``identity theft'' means a
fraud committed using the sensitive personal information of
another individual with the intent to commit, or to aid or abet
any unlawful activity that constitutes a violation of section
1028 of title 18, United States Code, and that results in
economic loss to that individual.
(5) Person.--The term ``person'' has the meaning given that
term in section 551(2) of title 5, United States Code.
(6) Personal information.--The term ``personal
information'' means personally identifiable information about a
specific individual.
(7) Redacted.--The term ``redacted'' means truncated so
that not more than the last 4 digits of the social security
number, driver's license number, State identification card
number, or account number are accessible as part of the data.
(8) Sensitive personal information.--
(A) In general.--The term ``sensitive personal
information'' means an individual's first name (or
first initial) and last name in combination with any 1
or more of the following data elements that relate to
that individual (when the data elements are not
encrypted, redacted, or secured by any other method
rendering that element unreadable or unusable):
(i) An individual's social security number.
(ii) An individual's driver's license
number or equivalent State identification
number.
(iii) An individual's financial account
number, or credit or debit card number, in
combination with any required security code,
access code, or password that would permit
access to an individual's financial account.
(B) Exclusions.--The term ``sensitive personal
information'' does not include--
(i) any list, description, or other
grouping of individuals (and publicly available
information pertaining to them) that is derived
without using any sensitive personal
information; or
(ii) any information regardless of its
source that is lawfully made available to the
general public in Federal, State, or local
government records.
SEC. 3. DATABASE SECURITY.
(a) In General.--Any agency or person that owns or licenses
computerized data containing sensitive personal information shall
develop, implement, and maintain reasonable security and notification
procedures and practices appropriate to the size and nature of the
agency or person and the nature of the information to ensure the
security and confidentiality of the personal information and protect it
against any unauthorized access, destruction, use, modification or
disclosure.
(b) Disclosure of Security Breach.--
(1) Notification of individual.--
(A) In general.--If an agency or person that owns
or licenses computerized data containing sensitive
personal information, determines, after discovery and a
reasonable investigation, or notification under
paragraph (2), that a significant risk of identity
theft exists as a result of a breach of security of the
system of such agency or person containing such data,
the agency or person shall notify any individual whose
sensitive personal information was compromised.
(B) Delay of notification.--If a Federal law
enforcement agency of either appropriate domestic or
foreign jurisdiction determines that the notification
required under this subsection would impede a criminal
or civil investigation, such notification may be
delayed until such Federal law enforcement agency
determines that the notification will no longer
compromise such investigation.
(2) Notification of owner or licensor.--
(A) In general.--Any agency or person in possession
of computerized data containing sensitive personal
information that the agency or person does not own or
license shall notify and cooperate with the owner or
licensor of the information upon the discovery of a
breach of security of the system of such agency or
person as expediently as possible and without
unreasonable delay.
(B) Agreements to notify individuals permissible.--
(i) In general.--Any agency or person in
possession of sensitive personal information on
behalf of the owner or licensor of such
information may enter an agreement with the
owner or licensor regarding which person or
entity will provide any notice required under
this subsection to an individual whose
sensitive personal information was compromised.
(ii) Single notice.--This subsection shall
not be construed to require more than a single
notice to any individual for each breach of
security of the system relating to that
individual.
(iii) No agreement.--If an agency or person
in possession of sensitive personal information
on behalf of the owner or licensor of such
information does not have an agreement
described in clause (i) in effect on the date
of a breach of security of the system of that
agency or person, the agency or person that
owns or licenses computerized data containing
sensitive personal information shall provide
any notice required under this subsection.
(3) Timeliness of notification.--
(A) In general.--All notifications required under
paragraph (1) shall be made as expediently as possible
and without unreasonable delay following--
(i) the discovery and reasonable
investigation by the agency or person of a
breach of security of the system; and
(ii) measures the agency or person takes
that are necessary to determine the scope of
the breach, prevent further breaches, determine
whether there is a reasonable basis to conclude
that a significant risk of identity theft to an
individual exists, restore the reasonable
integrity of the data system, and comply with
applicable requirements of other laws and
regulations.
(B) Expeditious notice.--Any measures described in
subparagraph (A)(ii) shall be undertaken as expediently
as possible and without unreasonable delay. Such
measures shall not be undertaken for the purpose of
causing delay of notification.
(4) Methods of notice.--An agency or person required to
give notice under paragraph (1) shall be in compliance with
this subsection if it provides--
(A) written notification to a mailing address for
the subject individual;
(B) telephonic notification to a telephone number
for the subject individual;
(C) e-mail notice to an e-mail address for the
subject individual; or
(D) conspicuous posting of the notice on the
Internet site of the agency or person, if the agency or
person maintains an Internet site, or notification to
major media, if--
(i) the agency or person demonstrates that
the cost of providing direct notice under
subparagraphs (A) through (C) of this
subsection would exceed $250,000;
(ii) the affected class of subject
individuals to be notified exceeds 500,000; or
(iii) the agency or person does not have
sufficient contact information for those to be
notified.
(5) Contents of notice.--Notice under this subsection
shall--
(A) be given in a clear and conspicuous manner;
(B) describe the breach of security of the system
in general terms and the type of sensitive personal
information involved; and
(C) include a toll-free telephone number or website
that individuals can use for further information and
assistance.
(6) Duty to coordinate with consumer reporting agencies.--
Before any agency or person provides notice to more than 1,000
individuals at any time, or provides notice pursuant to
paragraph (4)(D), that sensitive personal information on the
individuals was, or may reasonably be expected to have been,
the subject of a breach of security of the system, the agency
or person shall, without unreasonable delay--
(A) notify any consumer reporting agency that
compiles and maintains files on consumers on a
nationwide basis (as that term is defined in section
603(p) of the Fair Credit Reporting Act (15 U.S.C.
1681a(p))) of the timing, content, and distribution of
the notice, including--
(i) the number of individuals to whom the
notice will be given; or
(ii) the type of notice provided under
paragraph (4)(D); and
(B) conform the notice to individuals to be
delivered by such agency or person to accurately
reflect, to the extent given in such notice--
(i) the method of contact reasonably
specified by each consumer reporting agency
that compiles and maintains files on consumers
on a nationwide basis that such individuals are
to use with respect to the particular notice;
and
(ii) the responsibilities of a consumer
reporting agency that compiles and maintains
files on consumers on a nationwide basis under
the Fair Credit Reporting Act (15 U.S.C. 1681
et seq.) and any other applicable law.
(7) Safe harbors.--
(A) Data security.--Notwithstanding any other
obligation under this section, a person that is in
compliance with data security requirements under the
laws, rules, regulations, guidance, or guidelines
established or enforced by the functional regulator for
that person shall be deemed to be in compliance with
subsection (a).
(B) Breach notification.--Notwithstanding any other
obligation under this section, a person that is in
compliance with breach notification procedures under
the laws, rules, regulations, guidance, or guidelines
established or enforced by the functional regulator for
that person shall be deemed to be in compliance with
subsection (b).
(8) Relation to other provisions.--Nothing in this Act
shall be construed to modify, limit or supersede the operation
of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the
Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338), or
any other applicable provision of Federal law.
(c) Civil Remedies.--
(1) Penalties.--
(A) In general.--Except as provided under
subparagraph (B), any agency or person that fails to
give notice in accordance with paragraph (1) through
(4) of subsection (b) shall be subject to--
(i) a fine in an amount not to exceed
$250,000 per breach of security of the system;
or
(ii) in the case of a violation of
subsection (a), such actual damages as may be
proven.
(B) Affirmative defense.--An agency or person shall
have an affirmative defense to a fine under this
paragraph if the breach of security of the system--
(i) was not a result of the negligence of
such agency or person; and
(ii) was the result of a fraud or other
crime committed by a third party.
(2) Equitable relief.--Any person that violates, proposes
to violate, or has violated this section may be enjoined from
further violations by a court of competent jurisdiction.
(3) Other rights and remedies.--The rights and remedies
available under this subsection are cumulative and shall not
affect any other rights and remedies available under law.
(d) Enforcement.--
(1) In general.--The functional regulator is authorized to
enforce compliance with this section, including the assessment
of fines under subsection (c)(1).
(2) Civil actions.--No private right of action or class
action shall be brought under this Act. No person other than
the attorney general of a State may bring a civil action under
the law of any State if such action is premised in whole or in
part upon the defendant violating any provision of this Act.
SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by the engagement of any person in a
practice that is prohibited under this Act, the State, as
parens patriae, may bring a civil action on behalf of the
residents of the State in a United States district court of
appropriate jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with this Act; or
(C) obtain damage, restitution, or other
compensation on behalf of residents of the State under
the conditions and up to the monetary limits set forth
in section 3(c)(1).
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State shall
provide the Attorney General of the United States and
the functional regulator--
(i) written notice of the action; and
(ii) a copy of the complaint for the
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subsection, if the State attorney general
determines that it is not feasible to provide
the notice described in such subparagraph
before the filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the functional regulator and the
Attorney General at the time the State attorney
general files the action.
(C) United States attorney general priority.--After
having been notified, as provided in subparagraph (A),
the Attorney General shall have the right--
(i) to file a civil action, subject to
monetary limits equal to those set forth in
section 3(c)(1);
(ii) to intervene in the action; and
(iii) upon so intervening--
(I) to be heard on all matters
arising therein;
(II) to remove the action to the
appropriate United States district
court; and
(III) to file petitions for appeal.
(D) Preemption.--
(i) Action by department of justice.--If
the Attorney General institutes a civil action
or intervenes in an action under this
subsection, the functional regulator, a State
attorney general, or an official or agency of a
State may not bring an action under this
section for any violation of this Act alleged
in the complaint.
(ii) Action by functional regulator.--If
the functional regulator institutes a civil
action or intervenes under section 3(d)(1) to
enforce compliance with section 3, a State
attorney general or official or agency of a
State, may not bring an action under this
section for any violation of this Act alleged
in the complaint.
(b) Limitations on State Actions.--
(1) Violation of injunction required.--A State may not
bring an action against a person under subsection (a)(1)(C)
unless--
(A) the person has been enjoined from committing
the violation, in an action brought by the State under
subsection (a)(1)(A); and
(B) the person has violated the injunction.
(2) Limitation on damages recoverable.--In an action under
subsection (a)(1)(C), a State may not recover any damages
incurred before the date of the violation of an injunction on
which the action is based.
(c) Construction.--For purposes of a civil action under subsection
(a), nothing in this Act shall be construed to prevent the attorney
general of a State from exercising the powers conferred on such
attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(d) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in the district court of the United States that meets
applicable requirements relating to venue under section 1391 of
title 28, United States Code.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 5. EFFECT ON STATE LAW.
The provisions of this Act shall supersede any law, rule, or
regulation of any State or unit of local government that relates in any
way to electronic information security standards or the notification of
any resident of the United States of any breach of security pertaining
to any collection of personal information about such resident.
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the expiration of the date which is
180 days after the date of enactment of this Act.
Introduced in Senate
Read twice and referred to the Committee on the Judiciary.