[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 1924 Introduced in Senate (IS)]

106th CONGRESS
  1st Session
                                S. 1924

 To ensure personal privacy with respect to financial information, to 
     provide customers notice and choice about how their financial 
  institutions share or sell their personally identifiable sensitive 
   financial information, to provide for strong enforcement of these 
                 rights, and to protect States' rights.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           November 16, 1999

    Mr. Leahy (for himself, Mr. Bryan, Mr. Harkin, Mr. Durbin, Mr. 
 Feingold, and Mr. Robb) introduced the following bill; which was read 
  twice and referred to the Committee on Banking, Housing, and Urban 
                                Affairs

_______________________________________________________________________

                                 A BILL


 
 To ensure personal privacy with respect to financial information, to 
     provide customers notice and choice about how their financial 
  institutions share or sell their personally identifiable sensitive 
   financial information, to provide for strong enforcement of these 
                 rights, and to protect States' rights.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Financial Information Privacy and 
Security Act''.

SEC. 2. DEFINITIONS.

    In this Act--
            (1) the term ``covered person'' means--
                    (A) a person that is subject to the jurisdiction of 
                any of the Federal banking agencies;
                    (B) a broker or dealer, or a person associated with 
                a broker or dealer, as those terms are defined in the 
                Securities Exchange Act of 1934;
                    (C) an investment advisor, as that term is defined 
                in section 202 of the Investment Advisors Act of 1940, 
                and any officer, director, partner, copartner, or 
                employee of such investment advisor; and
                    (D) an investment company, as that term is defined 
                in section 3 of the Investment Company Act of 1940, and 
                any officer, director, partner, copartner, or employee 
                of such investment company; and
            (2) the term ``Federal financial regulatory authorities'' 
        means--
                    (A) each of the Federal banking agencies, as that 
                term is defined in section 3(z) of the Federal Deposit 
                Insurance Act; and
                    (B) the Securities and Exchange Commission.

SEC. 3. PRIVACY OF CONFIDENTIAL CUSTOMER INFORMATION.

    (a) Rulemaking.--The Federal financial regulatory authorities shall 
jointly issue final rules to protect the privacy of confidential 
customer information relating to the customers of covered persons, not 
later than 270 days after the date of enactment of this Act (and shall 
issue a notice of proposed rulemaking not later than 150 days after the 
date of enactment of this Act), which rules shall--
            (1) define the term ``confidential customer information'' 
        to be personally identifiable data that includes social 
        security numbers, transactions, experiences, rejections, 
        balances, maturity dates, payouts, and payout dates, of--
                    (A) deposit and trust accounts;
                    (B) certificates of deposit;
                    (C) securities holdings; and
                    (D) insurance policies;
            (2) require that a covered person may not disclose or share 
        any confidential customer information to or with any affiliate 
        or agent of that covered person if the customer to whom the 
        information relates has been provided written notice, as 
        described in paragraphs (4) and (5), to the covered person 
        prohibiting such disclosure or sharing--
                    (A) with respect to an individual that became a 
                customer on or after the effective date of such rules, 
                at the time at which the business relationship between 
                the customer and the covered person is initiated; and
                    (B) with respect to an individual that was a 
                customer before the effective date of such rules, at 
                such time thereafter that provides a reasonable and 
                informed opportunity to the customer to prohibit such 
                disclosure or sharing;
            (3) require that a covered person may not disclose or share 
        any confidential customer information to or with any person 
        that is not an affiliate or agent of that covered person unless 
        the covered person has first--
                    (A) given written notice to the customer to whom 
                the information relates, as described in paragraphs (4) 
                and (5); and
                    (B) obtained the informed written or electronic 
                consent of that customer for such disclosures or 
                sharing;
            (4) require that the covered person provide notices and 
        consent acknowledgments to customers, as required by this 
        section, in separate and easily identifiable and 
        distinguishable form;
            (5) require that the covered person provide notice as 
        required by this section to the customer to whom the 
        information relates that describes what specific types of 
        information would be disclosed or shared, and under what 
        general circumstances, to what specific types of businesses or 
        persons, and for what specific types of purposes such 
        information could be disclosed or shared, and not less 
        frequently than annually thereafter;
            (6) require that the customer to whom the information 
        relates be provided with access to the confidential customer 
        information that could be disclosed or shared so that the 
        information may be reviewed for accuracy and corrected or 
        supplemented;
            (7) require that, before a covered person may use any 
        confidential customer information provided by a third party 
        that engages, directly or indirectly, in activities that are 
        financial in nature, as determined by the Federal financial 
        regulatory authorities, the covered person shall take 
        reasonable steps to assure that procedures that are 
        substantially similar to those described in paragraphs (2) 
        through (6) have been followed by the provider of the 
        information (or an affiliate or agent of that provider);
            (8) establish a means of examination for compliance and 
        enforcement of such rules and resolving consumer complaints; 
        and
            (9) require financial institutions within the jurisdiction 
        of the Federal financial regulatory authorities--
                    (A) to establish appropriate administrative, 
                technical, and physical safeguards to ensure protection 
                of the security and confidentiality of records of 
                confidential customer information; and
                    (B) to protect against any anticipated threats or 
                hazards to the security or integrity of such records 
                that could result in their unauthorized release or 
                disclosure.
    (b) Limitation.--The rules prescribed pursuant to subsection (a) 
may not prohibit the release of confidential customer information--
            (1) that is essential to processing a specific financial 
        transaction that the customer to whom the information relates 
        has authorized;
            (2) to a governmental, regulatory, or self-regulatory 
        authority having jurisdiction over the covered financial entity 
        for examination, compliance, or other authorized purposes;
            (3) to a court of competent jurisdiction;
            (4) to a consumer reporting agency, as defined in section 
        603 of the Fair Credit Reporting Act for inclusion in a 
        consumer report that may be released to a third party only for 
        a purpose permissible under section 604 of that Act; or
            (5) that is not personally identifiable.

SEC. 4. CIVIL LIABILITY FOR NONCOMPLIANCE.

    (a) In General.--Any individual whose rights under this Act have 
been knowingly or negligently violated may bring a civil action to 
recover--
            (1) such preliminary and equitable relief as the court 
        determines to be appropriate; and
            (2) the greater of compensatory damages or liquidated 
        damages of $5,000.
    (b) Punitive Damages.--In any action brought under this section in 
which the individual has prevailed because of a knowing violation of a 
provision of this Act, the court may, in addition to any relief awarded 
under subsection (a), award such punitive damages as may be warranted.
    (c) Attorney's Fees.--In the case of a civil action brought under 
subsection (a) in which the individual has substantially prevailed, the 
court may assess against the respondent a reasonable attorney's fee and 
other litigation costs and expenses (including expert fees) reasonably 
incurred.
    (d) Limitation.--No action may be commenced under this section more 
than 3 years after the date on which the violation was or should 
reasonably have been discovered.
    (e) Agency.--A principal is jointly and severally liable with the 
principal's agent for damages under this section for the actions of the 
principal's agent acting within the scope of the agency.
    (f) Additional Remedies.--The equitable relief or damages that may 
be available under this section shall be in addition to any other 
lawful remedy or award available.

SEC. 5. RELATION TO STATE LAWS.

    (a) In General.--This Act shall not be construed as superseding, 
altering, or affecting the statutes, regulations, orders, or 
interpretations in effect in any State, except to the extent that such 
statutes, regulations, orders, or interpretations are inconsistent with 
the provisions of this Act, and then only to the extent of the 
inconsistency.
    (b) Greater Protection Under State Law.--For purposes of this Act, 
a State statute, regulation, order, or interpretation is not 
inconsistent with the provisions of this subtitle if the protection 
such statute, regulation, order, or interpretation affords any person 
is greater than the protection provided under this Act.