[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[S. 1633 Introduced in Senate (IS)]

  1st Session
                                S. 1633

 To require financial institutions and financial service providers to 
 notify customers of the unauthorized use of personal information, to 
   amend the Fair Credit Reporting Act to require fraud alerts to be 
    included in consumer credit files in such cases, and to provide 
    customers with enhanced access to credit reports in such cases.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 17, 2003

Mr. Corzine introduced the following bill; which was read twice and 
        referred to the Committee on Banking, Housing, and Urban 
        AffairsYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

_______________________________________________________________________

                                 A BILL


 
 To require financial institutions and financial service providers to 
 notify customers of the unauthorized use of personal information, to 
   amend the Fair Credit Reporting Act to require fraud alerts to be 
    included in consumer credit files in such cases, and to provide 
    customers with enhanced access to credit reports in such cases.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Identity Theft Notification and 
Credit Restoration Act of 2003''.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) the privacy and financial security of individuals is 
        increasingly at risk due to the ever more widespread collection 
        of personal information by both the private and public sector;
            (2) credit card transactions, real estate records, consumer 
        surveys, credit reports, and Internet websites are all sources 
        of personal information and form the source material for 
        identity thieves;
            (3) identity theft is one of the fastest growing crimes 
        committed in the United States, and identity theft has become 
        one of the major law enforcement challenges of the new economy, 
        as vast quantities of sensitive personal information are now 
        vulnerable to criminal interception and misuse;
            (4) criminals who steal personal information use the 
        information to open fraudulent credit card accounts, write bad 
        checks, buy products, and commit other financial crimes with 
        assumed financial identities;
            (5) in 2002, more than 160,000 people notified the Federal 
        Trade Commission that they had been victims of identity theft, 
        more than 3 times the number reported in 2000;
            (6) identity theft is costly to consumers and to the United 
        States marketplace;
            (7) victims of identity theft are often required to contact 
        numerous Federal, State, and local law enforcement agencies, 
        consumer credit reporting agencies, and creditors over many 
        years, as each event of fraud arises;
            (8) the Government, financial institutions, financial 
        service providers, and credit reporting agencies that handle 
        sensitive personal information of consumers have a shared 
        responsibility to protect the information from identity 
        thieves, to assist identity theft victims, and to mitigate the 
        harm that results from fraud perpetrated in the name of the 
        victim; and
            (9) the private sector can better protect consumers by 
        improving customer notification, implementing effective fraud 
        alerts, affording greater consumer access to credit reports, 
        and establishing other financial identity theft prevention 
        measures.

SEC. 3. TIMELY NOTIFICATION OF UNAUTHORIZED ACCESS TO PERSONAL 
              INFORMATION.

    Subtitle B of title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6821 
et seq.) is amended--
            (1) by redesignating sections 526 and 527 as sections 528 
        and 529, respectively; and
            (2) by inserting after section 525 the following:

``SEC. 526. NOTIFICATION TO CUSTOMERS OF UNAUTHORIZED ACCESS TO 
              PERSONAL INFORMATION.

    ``(a) Definitions.--In this section--
            ``(1) the term `breach'--
                    ``(A) means unauthorized acquisition of 
                computerized data or paper records which compromises 
                the security, confidentiality, or integrity of personal 
                information maintained by or on behalf of a financial 
                institution; and
                    ``(B) does not include a good faith acquisition of 
                personal information by an employee or agent of a 
                financial institution for a business purpose of the 
                institution, if the personal information is not subject 
                to further unauthorized disclosure; and
            ``(2) with respect to a customer of a financial 
        institution, the term `personal information' means the first 
        name or first initial and last name of the customer, in 
        combination with any one or more of the following data 
        elements, when either the name or the data element is not 
        encrypted:
                    ``(A) A social security number.
                    ``(B) A driver's license number or other officially 
                recognized form of identification.
                    ``(C) A credit card number, debit card number, or 
                any required security code, access code, or password 
                that would permit access to financial account 
                information relating to that customer.
    ``(b) Notification Relating to Breach of Personal Information.--
            ``(1) Financial institution requirement.--In any case in 
        which there has been a breach of personal information at a 
        financial institution, or such a breach is reasonably believed 
        to have occurred, the financial institution shall promptly 
        notify--
                    ``(A) each customer affected by the violation or 
                suspected violation;
                    ``(B) each consumer reporting agency described in 
                section 603(p) of the Fair Credit Reporting Act (15 
                U.S.C. 1681a); and
                    ``(C) appropriate law enforcement agencies, in any 
                case in which the financial institution has reason to 
                believe that the breach or suspected breach affects a 
                large number of customers, including as described in 
                subsection (e)(1)(C), subject to regulations of the 
                Federal Trade Commission.
            ``(2) Other entities.--For purposes of paragraph (1), any 
        person that maintains personal information for or on behalf of 
        a financial institution shall promptly notify the financial 
institution of any case in which such customer information has been, or 
is reasonably believed to have been, breached.
    ``(c) Timing.--Notification required by this section shall be 
made--
            ``(1) promptly and without unreasonable delay, upon 
        discovery of the breach or suspected breach; and
            ``(2) consistent with--
                    ``(A) the legitimate needs of law enforcement, as 
                provided in subsection (d); and
                    ``(B) any measures necessary to determine the scope 
                of the breach or restore the reasonable integrity of 
                the information security system of the financial 
                institution.
    ``(d) Delays for Law Enforcement Purposes.--Notification required 
by this section may be delayed if a law enforcement agency determines 
that the notification would impede a criminal investigation, and in any 
such case, notification shall be made promptly after the law 
enforcement agency determines that it would not compromise the 
investigation.
    ``(e) Form of Notice.--Notification required by this section may be 
provided--
            ``(1) to a customer--
                    ``(A) in writing;
                    ``(B) in electronic form, if the notice provided is 
                consistent with the provisions regarding electronic 
                records and signatures set forth in section 101 of the 
                Electronic Signatures in Global and National Commerce 
                Act (15 U.S.C. 7001);
                    ``(C) if the Federal Trade Commission determines 
                that the number of all customers affected by, or the 
                cost of providing notifications relating to, a single 
                breach or suspected breach would make other forms of 
                notification prohibitive, or in any case in which the 
                financial institution certifies in writing to the 
                Federal Trade Commission that it does not have 
                sufficient customer contact information to comply with 
                other forms of notification, in the form of--
                            ``(i) an e-mail notice, if the financial 
                        institution has access to an e-mail address for 
                        the affected customer that it has reason to 
                        believe is accurate;
                            ``(ii) a conspicuous posting on the 
                        Internet website of the financial institution, 
                        if the financial institution maintains such a 
                        website; or
                            ``(iii) notification through the media that 
                        a breach of personal information has occurred 
                        or is suspected that compromises the security, 
                        confidentiality, or integrity of customer 
                        information of the financial institution; or
                    ``(D) in such other form as the Federal Trade 
                Commission may by rule prescribe; and
            ``(2) to consumer reporting agencies and law enforcement 
        agencies (where appropriate), in such form as the Federal Trade 
        Commission may prescribe, by rule.
    ``(f) Content of Notification.--Each notification to a customer 
under subsection (b) shall include--
            ``(1) a statement that--
                    ``(A) credit reporting agencies have been notified 
                of the relevant breach or suspected breach; and
                    ``(B) the credit report and file of the customer 
                will contain a fraud alert to make creditors aware of 
                the breach or suspected breach, and to inform creditors 
                that the express authorization of the customer is 
                required for any new issuance or extension of credit 
                (in accordance with section 605(g) of the Fair Credit 
                Reporting Act); and
            ``(2) such other information as the Federal Trade 
        Commission determines is appropriate.
    ``(g) Compliance.--Notwithstanding subsection (e), a financial 
institution shall be deemed to be in compliance with this section if--
            ``(1) the financial institution has established a 
        comprehensive information security program that is consistent 
        with the standards prescribed by the appropriate regulatory 
        body under section 501(b);
            ``(2) the financial institution notifies affected customers 
        and consumer reporting agencies in accordance with its own 
        internal information security policies in the event of a breach 
        or suspected breach of personal information; and
            ``(3) such internal security policies incorporate 
        notification procedures that are consistent with the 
        requirements of this section and the rules of the Federal Trade 
        Commission under this section.
    ``(h) Civil Penalties.--
            ``(1) Damages.--Any customer injured by a violation of this 
        section may institute a civil action to recover damages arising 
        from that violation.
            ``(2) Injunctions.--Actions of a financial institution in 
        violation or potential violation of this section may be 
        enjoined.
            ``(3) Cumulative effect.--The rights and remedies available 
        under this section are in addition to any other rights and 
        remedies available under applicable law.
    ``(i) Rules of Construction.--
            ``(1) In general.--Compliance with this section by a 
        financial institution shall not be construed to be a violation 
        of any provision of subtitle (A), or any other provision of 
        Federal or State law prohibiting the disclosure of financial 
        information to third parties.
            ``(2) Limitation.--Except as specifically provided in this 
        section, nothing in this section requires or authorizes a 
        financial institution to disclose information that it is 
        otherwise prohibited from disclosing under subtitle A or any 
        other provision of Federal or State law.
            ``(3) No new recordkeeping obligation.--Nothing in this 
        section creates an obligation on the part of a financial 
        institution to obtain, retain, or maintain information or 
        records that are not otherwise required to be obtained, 
        retained, or maintained in the ordinary course of its business 
or under other applicable law.''.

SEC. 4. INCLUSION OF FRAUD ALERTS IN CONSUMER CREDIT REPORTS.

    Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is 
amended by adding at the end the following:
    ``(g) Fraud Alerts.--
            ``(1) Defined term.--In this subsection, the term `fraud 
        alert' means a clear and conspicuous statement in the file of a 
        consumer that notifies all prospective users of the consumer 
        credit report (or any portion thereof) relating to the 
        consumer, that--
                    ``(A) the identity of the consumer may have been 
                used, without the consent of the consumer, to 
                fraudulently obtain goods or services in the name of 
                the consumer; and
                    ``(B) the consumer does not authorize the issuance 
                or extension of credit in the name of the consumer, 
                unless the issuer of such credit, upon receiving 
                appropriate evidence of the true identity of the 
                consumer--
                            ``(i) obtains express preauthorization from 
                        the consumer at a telephone number designated 
                        by the consumer; or
                            ``(ii) utilizes another reasonable means of 
                        communication to obtain the express 
                        preauthorization of the consumer.
            ``(2) Inclusion of fraud alert in consumer file.--
                    ``(A) Upon notification by financial institution.--
                A consumer reporting agency shall include a fraud alert 
                meeting the requirements of this subsection in the file 
                of a consumer promptly upon receipt of a notice from a 
                financial institution under section 526(b)(1)(B) of the 
                Gramm-Leach-Bliley Act relating to the consumer.
                    ``(B) Upon request of consumer.--A consumer 
                reporting agency shall include a fraud alert meeting 
                the requirements of this subsection in the file of a 
                consumer promptly upon receipt of--
                            ``(i) a request by the consumer; and
                            ``(ii) appropriate evidence of--
                                    ``(I) the true identity of the 
                                person making the request; and
                                    ``(II) the claim of identity theft 
                                forming the basis for the request.
            ``(3) Consumer reporting agency responsibilities.--A 
        consumer reporting agency shall ensure that each person 
        procuring consumer credit information with respect to a 
        consumer is made aware of the existence of a fraud alert in the 
        file of that consumer, regardless of whether a full credit 
        report, credit score, or summary report is requested.
            ``(4) Removal of fraud alerts.--The Federal Trade 
        Commission shall issue appropriate regulations to establish--
                    ``(A) the duration of fraud alerts required by this 
                subsection, which standard shall be applied 
                consistently to all consumer reporting agencies, to the 
                extent possible; and
                    ``(B) procedures for the removal of fraud alerts 
                included in the files of consumers under this 
                subsection.
            ``(5) Violations.--
                    ``(A) Consumer reporting agency.--A consumer 
                reporting agency that fails to notify any user of a 
                consumer credit report of the existence of a fraud 
                alert in that report shall be in violation of this 
                section.
                    ``(B) User of a consumer report.--A user of a 
                consumer report that fails to comply with 
                preauthorization procedures contained in a fraud alert 
                in the file of a consumer and issues or extends credit 
                in the name of the consumer to a person other than the 
                consumer shall be in violation of this subsection.
                    ``(C) No adverse action based solely on fraud 
                alert.--It shall be a violation of this title for the 
                user of a consumer report to take adverse action with 
                respect to a consumer based solely on the inclusion of 
                a fraud alert in the file of that consumer, as required 
                by this subsection.''.

SEC. 5. ACCESS TO CREDIT REPORTS AND SCORES.

    (a) No Fee in Certain Cases.--Section 612(c) of the Fair Credit 
Reporting Act (15 U.S.C. 1681j(c)) is amended to read as follows:
    ``(c) No-Cost Access to Credit Reports and Scores.--
            ``(1) In general.--Upon request of a consumer, and without 
        charge to the consumer, a consumer reporting agency shall make 
        all of the disclosures listed under section 609 to the 
        consumer--
                    ``(A) once during each calendar year; and
                    ``(B) once every 3 months during the 1-year period 
                beginning on the date on which a fraud alert is 
                included in the file of a consumer under section 
                605(g).
            ``(2) Fee authorized.--A credit reporting agency may charge 
        a reasonable fee for the costs of disclosures under paragraph 
        (1)(B) to the financial institution providing the notification 
        that is the basis for the subject fraud alert, as required by 
        section 526(b)(1)(B) of the Gramm-Leach-Bliley Act.''.
    (b) Inclusion of Credit Scores.--Section 609(a)(1) of the Fair 
Credit Reporting Act (15 U.S.C. 1681g(a)(1)) is amended by striking 
``except that'' and all that follows through ``predictors'' and 
inserting ``, including any credit score''.

SEC. 6. REGULATIONS.

    Not later than 180 days after the date of enactment of this Act, 
the Federal Trade Commission, after consultation with Federal banking 
agencies, the Securities and Exchange Commission, and other appropriate 
financial services regulatory agencies, shall issue final regulations 
to carry out the amendments made by this Act.
                                 <all>