[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[S. 1458 Introduced in Senate (IS)]







108th CONGRESS
  1st Session
                                S. 1458

To amend the Gramm-Leach-Bliley Act to provide for enhanced protection 
 of nonpublic personal information, including health information, and 
                          for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                July 25 (legislative day, July 21), 2003

  Mr. Nelson of Florida introduced the following bill; which was read 
  twice and referred to the Committee on Banking, Housing, and Urban 
                                Affairs

_______________________________________________________________________

                                 A BILL


 
To amend the Gramm-Leach-Bliley Act to provide for enhanced protection 
 of nonpublic personal information, including health information, and 
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Financial Institution Privacy 
Protection Act of 2003''.

SEC. 2. PROTECTION OF PRIVATE HEALTH INFORMATION.

    Section 509(4) of the Gramm-Leach-Bliley Act (15 U.S.C. 6809(4)) is 
amended by adding at the end the following:
                    ``(D) The term `nonpublic personal information' 
                includes health information, defined as any 
                information, including genetic information, demographic 
                information, and tissue samples collected from an 
                individual, whether oral or recorded in any form or 
                medium--
                            ``(i) that is created or received by a 
                        health care provider, health researcher, health 
                        plan, health oversight agency, public health 
                        authority, employer, health or life insurer, 
                        school, or university; and
                            ``(ii) that--
                                    ``(I) relates to the past, present, 
                                or future physical or mental health or 
                                condition of an individual (including 
                                individual cells and their components), 
                                the provision of health care to an 
                                individual, or the past, present, or 
                                future payment for the provision of 
                                health care to an individual; and
                                    ``(II) that identifies an 
                                individual, or with respect to which 
                                there is a reasonable basis to believe 
                                that the information can be used to 
                                identify an individual.''.

SEC. 3. OPT-IN FOR SHARING OF INFORMATION.

    Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is 
amended--
            (1) in subsection (a)--
                    (A) by inserting ``any affiliate or'' before ``a 
                nonaffiliated'';
                    (B) by striking ``unless such financial institution 
                provides'' and inserting the following: ``unless--
            ``(1) the institution provides''; and
                    (C) by striking the period at the end and inserting 
                the following: ``; and
            ``(2) the consumer to whom the information pertains--
                    ``(A) has affirmatively consented (in writing, in 
                the case of health information, as defined in section 
                509(4)(D)), in accordance with rules prescribed under 
                section 504, to the disclosure of such information; and
                    ``(B) has not withdrawn such consent.''; and
            (2) by striking subsection (b) and inserting the following:
    ``(b) Denial of Service Prohibited.--A financial institution may 
not deny a financial product or a financial service to any consumer 
based on the refusal by the consumer to grant the consent required by 
this section.''.

SEC. 4. COMPLIANCE OFFICERS.

    Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is 
amended by adding at the end the following:
    ``(c) Compliance Officers.--Each financial institution shall 
designate a privacy compliance officer, who shall be responsible for 
ensuring compliance by the institution with the requirements of this 
title and the privacy policies of the institution.''.

SEC. 5. LIABILITY.

    Section 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6805) is 
amended by adding at the end the following:
    ``(e) Civil Penalties.--The Attorney General of the United States 
may bring a civil action in the appropriate district court of the 
United States against any financial institution that engages in conduct 
constituting a violation of this title, and, upon proof of such 
violation--
            ``(1) the financial institution shall be subject to a civil 
        penalty of not more than $100,000 for each such violation; and
            ``(2) the officers and directors of the financial 
        institution shall be subject to, and shall be personally liable 
        for, a civil penalty of not more than $10,000 for each such 
        violation.''.