[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2617 Introduced in House (IH)]







108th CONGRESS
  1st Session
                                H. R. 2617

 To protect American consumers from identity theft and other forms of 
                                 fraud.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             June 26, 2003

 Mr. Shadegg introduced the following bill; which was referred to the 
 Committee on Financial Services, and in addition to the Committees on 
      Ways and Means, and Energy and Commerce, for a period to be 
subsequently determined by the Speaker, in each case for consideration 
  of such provisions as fall within the jurisdiction of the committee 
                               concerned

_______________________________________________________________________

                                 A BILL


 
 To protect American consumers from identity theft and other forms of 
                                 fraud.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Identity and Information 
Security Act of 2003''.

SEC. 2. PROHIBITED ACTIONS WITH RESPECT TO SOCIAL SECURITY NUMBERS.

    (a) Definitions.--For purposes of this section, the following 
definitions shall apply:
            (1) Display.--The term ``display'' means to intentionally 
        communicate or otherwise make available (on the Internet or in 
        any other manner) to the general public an individual's social 
        security number.
            (2) Person.--The term ``person'' means any individual, 
        partnership, corporation, trust, estate, cooperative, 
        association, or any other entity.
            (3) State.--The term ``State'' means any State of the 
        United States, the District of Columbia, Puerto Rico, the 
        Northern Mariana Islands, the United States Virgin Islands, 
        Guam, American Samoa, and any territory or possession of the 
        United States.
    (b) Prohibited Actions With Respect to an Individual's Social 
Security Number.--Subject to subsections (c) and (d), no person may 
engage in any of the following:
            (1) Display in any manner an individual's social security 
        number.
            (2) Print or otherwise display an individual's social 
        security number on any card, or other means of access, required 
        for the individual to access products or services provided by 
        the person to the individual.
            (3) Require an individual to transmit the individual's 
        social security number over the Internet, unless the connection 
        is secure or the social security number is encrypted.
            (4) Require an individual to use the individual's social 
        security number to access an Internet Web site, unless a 
        password, unique personal identification number, or other 
        authentication device is also required to access the Internet 
        Web site.
            (5) Print or otherwise display an individual's social 
        security number on any communications by the person to the 
        individual, unless Federal or State law, or any Federal agency 
        or any contractor with the Federal Government (under color of 
        Federal law), requires the individual's social security number 
        to be included on such documents.
    (c) Exception for Certain Communications.--Subsection (b)(5) shall 
not apply with respect to an individual's social security number included 
on documents sent by mail--
            (1) in connection with an application or enrollment process 
        initiated by the individual; or
            (2) to establish, amend, or terminate an account held by 
        the individual with the person; or
            (3) to verify the accuracy of the individual's social 
        security number.
    (d) Exception for Prior On-Going Use.--Subsection (b) shall not 
apply to the use by a person of an individual's social security number 
in a manner that is inconsistent with such subsection if--
            (1) the use by such person of the individual's social 
        security number in such manner began before the date of the 
        enactment of this Act;
            (2) the use by such person of the social security number in 
        such manner is continuous; and
            (3) the person notifies the individual, in writing, before 
        the end of the 30-day period beginning on the date of the 
        enactment of this Act and annually thereafter, that the 
        individual has the right to require such person to stop using 
        the individual's social security number in a manner 
        inconsistent with subsection (b).
    (e) Individual's Request To Stop Inconsistent Use.--
            (1) In general.--If a person receives a written request 
        from an individual to stop using the individual's social 
        security number in a manner that is inconsistent with 
        subsection (b), the person shall fully comply with such request 
        before the end of the 30-day period beginning on the date of 
        the receipt of the request.
            (2) Denial of products or services prohibited.--A person 
        may not deny any product or service to an individual, or 
        otherwise discriminate against such individual in the provision 
        of any such product or service, solely on the basis that the 
        individual submitted a request described in paragraph (1).
    (f) Coordination With Other Law.--
            (1) In general.--No provision of this section shall be 
        construed as prohibiting or limiting the display or use of an 
        individual's social security number by any person--
                    (A) to the extent required or authorized under any 
                Federal or State law, or by any Federal agency or any 
                contractor with the Federal Government (under color of 
                Federal law);
                    (B) for internal verification or administrative 
                purposes of the person;
                    (C) for a public health purpose, including the 
                protection of the health or safety of an individual in 
                an emergency situation;
                    (D) for a national security purpose; or
                    (E) for a law enforcement purpose, including the 
                investigation of fraud.
            (2) Study and report.--
                    (A) In general.--The Secretary of Health and Human 
                Services shall conduct a study and prepare a report on 
                all of the uses of social security numbers permitted, 
                required, authorized, or excepted under any Federal law 
                and State and local uses of social security numbers.
                    (B) Report.--Not later than 1 year after the date 
                of enactment of this Act, the Secretary of Health and 
                Human Services shall submit a report to Congress on the 
                study conducted under this paragraph.
                    (C) Contents of report.--The report shall include--
                            (i) a detailed description of the uses of 
                        an individual's social security number that are 
                        allowed as of the date of enactment of this 
                        Act;
                            (ii) an evaluation of whether such uses 
                        should be continued or discontinued by 
                        appropriate legislative action; and
                            (iii) such other recommendations for 
                        legislative or administrative action as the 
                        Secretary determines to be appropriate.
    (g) Civil Penalties.--
            (1) In general.--Any person who the Attorney General 
        determines has violated this section shall be subject, in 
        addition to any other penalties that may be prescribed by law--
                    (A) to a civil penalty of not less than $5,000 for 
                each such violation; and
                    (B) to a civil penalty of not less than $50,000, if 
                the violations have occurred with such frequency as to 
                constitute a general business practice.
            (2) Determination of violations.--Any knowing violation 
        committed contemporaneously with respect to the social security 
        numbers of 2 or more individuals by means of mail, 
        telecommunication, or otherwise, shall be treated as a separate 
        violation with respect to each such individual.
            (3) Enforcement procedures.--The provisions of section 
        1128A of the Social Security Act (42 U.S.C. 1320a-7a), other 
        than subsections (a), (b), (f), (h), (i), (j), (m), and (n) and 
        the first sentence of subsection (c) of such section, and the 
        provisions of subsections (d) and (e) of section 205 of such 
        Act (42 U.S.C. 405) shall apply to a civil penalty action under 
        this subsection in the same manner as such provisions apply to 
        a penalty or proceeding under section 1128A(a) of such Act (42 
        U.S.C. 1320a-7a(a)), except that, for purposes of this 
        paragraph, any reference in section 1128A of such Act (42 
        U.S.C. 1320a-7a) to the Secretary shall be deemed to be a 
        reference to the Attorney General.
    (h) Effective Date.--This section shall apply after the end of the 
180-day period beginning on the date of the enactment of this Act.

SEC. 3. IMPROPER USE OF CREDIT CARD, DEBIT CARD, AND OTHER PAYMENT 
              DEVICE NUMBERS.

    (a) In General.--Except as provided in subsection (b), no person 
that accepts, in connection with the transaction of business, credit 
cards, debit cards, or other means of access to a consumer's account 
for the purpose of initiating electronic fund transfers shall print, on 
any receipt provided to the cardholder or accountholder at the point of 
the business transaction--
            (1) more than the last 5 digits of the account number of 
        any such credit card, debit card, or consumer account; or
            (2) the expiration date of any such credit card, debit 
        card, or other means of access to a consumer's account.
    (b) Scope of Application.--This section applies only to receipts 
that are electronically printed, and shall not apply to transactions in 
which the sole means of recording the credit card or debit card account 
number, or the account number of a consumer's account, is by 
handwriting or by an imprint or copy of the credit card, debit card, or 
other means of access.
    (c) Definitions.--For purposes of this section, the following 
definitions shall apply:
            (1) Consumer's account.--The term ``consumer's account'' 
        means an account (as defined in paragraph (2) of section 903 of 
        the Electronic Fund Transfer Act) of a consumer (as defined in 
        paragraph (5) of such section).
            (2) Credit card.--The term ``credit card'' has the same 
        meaning as in section 103(k) of the Truth in Lending Act.
            (3) Debit card.--The term ``debit card'' means any card 
        issued by a financial institution to a consumer for use in 
        initiating electronic fund transfers from the account of the 
        consumer at such financial institution for the purpose of 
        transferring money between accounts or obtaining money, 
        property, labor, or services.
            (4) Electronic fund transfer.--The term ``electronic fund 
        transfer'' has the same meaning as in section 903(6) of the 
        Electronic Fund Transfer Act.
    (d) Effective Date.--This section shall take effect on January 1, 
2005, with respect to any cash register or other machine or device that 
electronically prints receipts for credit card transactions.
    (e) Civil Liability.--Any person who violates this section with 
regard to any credit card, debit card, or other means of access to a 
consumer's account shall be liable for any damages or expenses, 
including reasonable attorney's fees, that the card holder or consumer 
incurs as a result of such violation, including losses incurred from 
the unauthorized use of the account number of any such credit card, 
debit card, or consumer's account as a result of such violation.

SEC. 4. IDENTITY THEFT PREVENTION.

    (a) Duty of Issuers of Credit and Debit Cards.--
            (1) Credit cards.--Section 132 of the Truth in Lending Act 
        (15 U.S.C. 1642) is amended--
                    (A) by inserting ``(a) In General.--'' before ``No 
                credit''; and
                    (B) by adding at the end the following:
    ``(b) Verification of Consumer Identity Upon Receiving a Request 
for an Additional Card After a Change of Address.--Each card issuer 
shall establish procedures for verifying the identification of a 
consumer whenever the card issuer receives a request from a consumer 
for an additional credit card with respect to an existing credit 
account not later than 30 days after receiving notification of a change 
of address for that account.''.
            (2) Debit cards.--Section 911 of the Electronic Fund 
        Transfer Act (15 U.S.C. 1693i) is amended by adding at the end 
        the following new subsection:
    ``(d) Verification of Consumer Identity Upon Receiving a Request 
After a Change of Address.--Each person who issues to a consumer any 
code, card, or other means of access to such consumer's account shall 
establish procedures for verifying the identification of the consumer 
whenever such person receives a request from a consumer for an 
additional card, code, or other means of access to the consumer's 
account not later than 30 days after receiving notification of a change 
of address for that account.''.
    (b) Centralized Reporting System.--The Federal Trade Commission 
shall coordinate the establishment of a centralized reporting system in 
which all consumer reporting agencies (as defined in section 603 of the 
Fair Credit Reporting Act) shall participate that will--
            (1) allow any consumer or business to report, through the 
        use of a nationwide free telephone number and an Internet Web 
        site address, any suspected violation of section 1028 of title 
        18, United States Code; and
            (2) allow such information to be immediately shared among 
        all such consumer reporting agencies.

SEC. 5. FRAUD ALERTS.

    Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is 
amended by adding at the end the following new subsection:
    ``(g) Fraud Alerts.--
            ``(1) Fraud alert defined.--For purposes of this 
        subsection, the term `fraud alert' means a statement in the 
        file of a consumer that notifies all prospective users of a 
        consumer report made with respect to that consumer that--
                    ``(A) the consumer's identity may have been used, 
                without the consumer's consent, to fraudulently obtain 
                goods or services in the consumer's name; and
                    ``(B) the consumer does not authorize the issuance 
                or extension of credit in the name of the consumer 
                unless the issuer of such credit utilizes reasonable 
                procedures established by the issuer to verify the 
                consumer's identity and obtain the consumer's 
                authorization whenever the card issuer receives a 
                request for credit.
            ``(2) Inclusion of fraud alert in consumer file.--Upon the 
        request of a consumer, or another third party who has the 
        consumer's consent to request a fraud alert on the consumer's 
        behalf, and upon receiving proper identification, a consumer 
        reporting agency shall include a fraud alert in the file of 
        that consumer and shall maintain the fraud alert for not less 
        than 1 year, unless the consumer requests a shorter time 
        period.
            ``(3) Notice sent by consumer reporting agencies to 
        users.--A consumer reporting agency shall notify each person 
        procuring consumer credit information with respect to a 
        consumer of the existence of a fraud alert in the file of that 
        consumer, regardless of whether a full credit report, credit 
        score, or summary report is requested.
            ``(4) Notice to nationwide consumer reporting agencies.--
        Whenever a consumer reporting agency that compiles and 
        maintains files on consumers on a nationwide basis receives a 
        request from a consumer, directly or through another consumer 
        reporting agency, to include a fraud alert in the consumer's 
        file, the consumer reporting agency shall promptly notify every 
        other consumer reporting agency that compiles and maintains 
        files on consumers on a nationwide basis that such request has 
        been received and each such other agency shall comply with 
        paragraph (2) in the same manner as if the agency had received 
        the request directly from the consumer.
            ``(5) Toll-free telephone number.--Each consumer reporting 
        agency referred to in paragraph (4) shall establish and 
        maintain a toll-free telephone number for consumers to request 
        fraud alerts.
            ``(6) Procedures to receive fraud alerts.--Any person who 
        uses a consumer credit report in connection with a credit 
        transaction shall establish reasonable procedures to receive 
        fraud alerts transmitted by consumer reporting agencies.
            ``(7) Violations.--
                    ``(A) Consumer reporting agency.--Any consumer 
                reporting agency that fails to notify any user of a 
                consumer credit report of the existence of a fraud 
                alert in that report shall be in violation of this 
                section.
                    ``(B) User of a consumer report.--Any user of a 
                consumer report that fails to comply with 
                preauthorization procedures contained in a fraud alert 
                and issues or extends credit in the name of the 
                consumer to a person other than the consumer shall be 
                in violation of this section.
            ``(8) Exempt institutions.--The requirement under this 
        subsection to place a fraud alert in a consumer file shall not 
        apply to--
                    ``(A) a check services company or a fraud prevention 
                company, which issues authorizations for the purpose of 
                approving or processing negotiable instruments, 
                electronic funds transfers or similar methods of 
                payments; or
                    ``(B) a deposit account information service company, 
                which issues reports regarding account closures due to 
                fraud, substantial overdrafts, automated teller machine 
                abuse, or similar negative information regarding a 
                consumer, to inquiring banks or other financial 
                institutions for use only in reviewing a consumer 
                request for a deposit account at the inquiring bank or 
                financial institution.
            ``(9) Policy review and regulation.--
                    ``(A) Review.--Any agency referred to in subsection 
                (a) or (c) of section 621 shall, upon the request of 
                any person under the jurisdiction of such agency 
                pursuant to this title--
                            ``(i) review any policy or procedure 
                        established by such person to carry out the 
                        purposes of this subsection to determine the 
                        effectiveness and reasonableness of the policy 
                        or procedure for such purposes; and
                            ``(ii) make such recommendations to such 
                        person for improvement in such policy or 
                        procedure as the agency may determine to be 
                        appropriate.
                    ``(B) Regulation.--Each agency referred to in 
                subparagraph (A) shall establish procedures for 
                conducting reviews under such subparagraph.''.

SEC. 6. BUSINESS GUIDELINES.

    (a) In General.--Not later than the end of the 1-year period 
beginning on the date of the enactment of this Act, the Federal Trade 
Commission, after consultation with the Federal functional regulators 
(as defined in section 509(2) of the Gramm-Leach-Bliley Act), shall 
establish procedures to--
            (1) log and acknowledge the receipt of complaints of any 
        person who has a reasonable belief that information maintained 
        in a database of such person relating to any other person has 
        likely been stolen or compromised;
            (2) provide informational materials and guidelines for a 
        business to follow when customer or other information in the 
        business' database has likely been stolen or compromised;
            (3) provide guidelines for a business to follow in 
        notifying customers of the likelihood that information 
        concerning such customers has been stolen or compromised; and
            (4) refer complaints described in paragraph (1) to--
                    (A) each consumer reporting agency that compiles 
                and maintains files on consumers on a nationwide basis 
                (as defined in section 603 of the Fair Credit Reporting 
                Act), together with any recommendation for the 
                implementation for such fraud alert as the Commission 
                may determine to be appropriate;
                    (B) appropriate law enforcement agencies.
    (b) Policy Review and Regulation.--
            (1) Review.--The Federal Trade Commission and any Federal 
        functional regulator (as defined in section 509(2) of the 
        Gramm-Leach-Bliley Act) shall, upon the request of any person 
        under the jurisdiction of such agency--
                    (A) review any policy or procedure established by 
                such person to follow in the event that information 
                maintained in a database of such person has likely been 
                stolen or compromised to determine the effectiveness 
                and reasonableness of the policy or procedure for such 
                purposes; and
                    (B) make such recommendations to such person for 
                improvement in such policy or procedure as the agency 
                may determine to be appropriate.
            (2) Regulation.--Each agency referred to in subparagraph 
        (A) shall establish procedures for conducting reviews under 
        such subparagraph.

SEC. 7. SPECIFICATION OF CONSTITUTIONAL AUTHORITY FOR ENACTMENT OF LAW.

    This Act is enacted pursuant to the power granted Congress under 
section 8 of article I of the United States Constitution.