[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[S. 1350 Introduced in Senate (IS)]






108th CONGRESS
  1st Session
                                S. 1350

    To require Federal agencies, and persons engaged in interstate 
    commerce, in possession of electronic data containing personal 
     information, to disclose any unauthorized acquisition of such 
                              information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 26, 2003

Mrs. Feinstein introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
    To require Federal agencies, and persons engaged in interstate 
    commerce, in possession of electronic data containing personal 
     information, to disclose any unauthorized acquisition of such 
                              information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Notification of Risk to Personal 
Data Act''.

SEC. 2. DEFINITIONS.

    In this Act, the following definitions shall apply:
            (1) Agency.--The term ``agency'' has the same meaning given 
        such term in section 551(1) of title 5, United States Code.
            (2) Breach of security of the system.--The term ``breach of 
        security of the system''--
                    (A) means the compromise of the security, 
                confidentiality, or integrity of computerized data that 
                results in, or there is a reasonable basis to conclude 
                has resulted in, the unauthorized acquisition of and 
                access to personal information maintained by the person 
                or business; and
                    (B) does not include good faith acquisition of 
                personal information by an employee or agent of the 
                person or business for the purposes of the person or 
                business, if the personal information is not used or 
                subject to further unauthorized disclosure.
            (3) Person.--The term ``person'' has the same meaning given 
        such term in section 551(2) of title 5, United States Code.
            (4) Personal information.--The term ``personal 
        information'' means an individual's last name in combination 
        with any 1 or more of the following data elements, when either 
        the name or the data elements are not encrypted:
                    (A) Social security number.
                    (B) Driver's license number or State identification 
                number.
                    (C) Account number, credit or debit card number, in 
                combination with any required security code, access 
                code, or password that would permit access to an 
                individual's financial account.
            (5) Substitute notice.--The term ``substitute notice'' 
        means--
                    (A) e-mail notice, if the agency or person has an 
                e-mail address for the subject persons;
                    (B) conspicuous posting of the notice on the 
                Internet site of the agency or person, if the agency or 
                person maintains an Internet site; or
                    (C) notification to major media.

SEC. 3. DATABASE SECURITY.

    (a) Disclosure of Security Breach.--
            (1) In general.--Any agency, or person engaged in 
        interstate commerce, that owns or licenses electronic data 
        containing personal information shall, following the discovery 
        of a breach of security of the system containing such data, 
        notify any resident of the United States whose unencrypted 
        personal information was, or is reasonably believed to have 
        been, acquired by an unauthorized person.
            (2) Notification of owner or licensee.--Any agency, or 
        person engaged in interstate commerce, in possession of 
        electronic data containing personal information that the agency 
        does not own or license shall notify the owner or licensee of 
        the information if the personal information was, or is 
        reasonably believed to have been, acquired by an unauthorized 
        person through a breach of security of the system containing 
        such data.
            (3) Timeliness of notification.--Except as provided in 
        paragraph (4), all notifications required under paragraph (1) 
        or (2) shall be made as expediently as possible and without 
        unreasonable delay following--
                    (A) the discovery by the agency or person of a 
                breach of security of the system; and
                    (B) any measures necessary to determine the scope 
                of the breach, prevent further disclosures, and restore 
                the reasonable integrity of the data system.
            (4) Delay of notification authorized for law enforcement 
        purposes.--If a law enforcement agency determines that the 
        notification required under this subsection would impede a 
        criminal investigation, such notification may be delayed until 
        such law enforcement agency determines that the notification 
        will no longer compromise such investigation.
            (5) Methods of notice.--An agency, or person engaged in 
        interstate commerce, shall be in compliance with this 
        subsection if it provides the resident, owner, or licensee, as 
        appropriate, with--
                    (A) written notification;
                    (B) e-mail notice, if the person or business has an 
                e-mail address for the subject person; or
                    (C) substitute notice, if--
                            (i) the agency or person demonstrates that 
                        the cost of providing direct notice would 
                        exceed $250,000;
                            (ii) the affected class of subject persons 
                        to be notified exceeds 500,000; or
                            (iii) the agency or person does not have 
                        sufficient contact information for those to be 
                        notified.
            (6) Alternative notification procedures.--Notwithstanding 
        any other obligation under this subsection, an agency, or 
        person engaged in interstate commerce, shall be deemed to be in 
compliance with this subsection if the agency or person--
                    (A) maintains its own reasonable notification 
                procedures as part of an information security policy 
                for the treatment of personal information; and
                    (B) notifies subject persons in accordance with its 
                information security policy in the event of a breach of 
                security of the system.
            (7) Reasonable notification procedures.--As used in 
        paragraph (6), with respect to a breach of security of the 
        system involving personal information described in section 
        2(4)(C), the term ``reasonable notification procedures'' means 
        procedures that--
                    (A) use a security program reasonably designed to 
                block unauthorized transactions before they are charged 
                to the customer's account;
                    (B) provide for notice to be given by the owner or 
                licensee of the database, or another party acting on 
                behalf of such owner or licensee, after the security 
                program indicates that the breach of security of the 
                system has resulted in fraud or unauthorized 
                transactions, but does not necessarily require notice 
                in other circumstances; and
                    (C) are subject to examination for compliance with 
                the requirements of this Act by 1 or more Federal 
                functional regulators (as defined in section 509 of the 
                Gramm-Leach Bliley Act (15 U.S.C. 6809)), with respect 
                to the operation of the security program and the 
                notification procedures.
    (b) Civil Remedies.--
            (1) Penalties.--Any agency, or person engaged in interstate 
        commerce, that violates this section shall be subject to a fine 
        of not more than $5,000 per violation, to a maximum of $25,000 
        per day while such violations persist.
            (2) Equitable relief.--Any person engaged in interstate 
        commerce that violates, proposes to violate, or has violated 
        this section may be enjoined from further violations by a court 
        of competent jurisdiction.
            (3) Other rights and remedies.--The rights and remedies 
        available under this subsection are cumulative and shall not 
        affect any other rights and remedies available under law.
    (c) Enforcement.--The Federal Trade Commission is authorized to 
enforce compliance with this section, including the assessment of fines 
under subsection (b)(1).

SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that is prohibited under this Act, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a district court of the United States 
        of appropriate jurisdiction to--
                    (A) enjoin that practice;
                    (B) enforce compliance with this Act;
                    (C) obtain damage, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this Act shall be construed to prevent an 
attorney general of a State from exercising the powers conferred on 
such attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (c) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 5. EFFECT ON STATE LAW.

    The provisions of this Act shall supersede any inconsistent 
provisions of law of any State or unit of local government relating to 
the notification of any resident of the United States of any breach of 
security of an electronic database containing such resident's personal 
information (as defined in this Act), except as provided under sections 
1798.82 and 1798.29 of the California Civil Code.

SEC. 6. EFFECTIVE DATE.

    This Act shall take effect on the expiration of the date which is 6 
months after the date of enactment of this Act.
                                 <all>