[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1080 Introduced in House (IH)]
109th CONGRESS
1st Session
H. R. 1080
To regulate information brokers and protect individual rights with
respect to personally identifiable information.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
March 3, 2005
Mr. Markey (for himself, Mr. Thompson of Mississippi, and Ms.
Schakowsky) introduced the following bill; which was referred to the
Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To regulate information brokers and protect individual rights with
respect to personally identifiable information.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Information Protection and Security
Act''.
SEC. 2. CONGRESSIONAL FINDINGS; PURPOSE.
(a) Findings.--Congress finds the following:
(1) Entities commonly known as ``information brokers'' have
created up to several billion personal records on individuals.
(2) Information made available by information brokers is
used in the determination of opportunities for credit,
employment, housing, insurance, means of travel, and other
commercial decisions, and must therefore be as accurate,
transparent to the individual, and secure as possible.
Inaccurate information pertaining to an individual that is made
available by an information broker may significantly interfere
with the individual's economic opportunities. For these
reasons, there is a vital need to ensure that information
brokers exercise their important responsibilities with
fairness, impartiality, accuracy, and respect for individuals'
rights to privacy and security, and that information brokers
properly safeguard individuals' personally identifiable
information.
(3) In 2004, an identity theft operation improperly gained
access to hundreds of thousands of individual profiles
maintained by one large information broker. Many of these
individuals have and will become victims of identity theft. The
full extent of this incident will not be known for years.
(4) Identity thieves illegally exploit information
technology to take advantage of innocent individuals. Identity
thieves typically steal individuals' names, addresses,
telephone numbers, social security numbers, bank account
information, and personal financial and medical data. Due to
identity thieves misusing this personal information, some
individuals are denied jobs, faced with debts that are not
their own, and arrested for crimes they did not commit.
(5) According to the Federal Trade Commission, 10,000,000
Americans were affected by identity theft in 2004, and the
problem is growing worse. Identity theft is now the most common
fraud perpetrated on individuals. In 2004, identity theft
accounted for 39 percent of consumer fraud complaints filed
with the Federal Trade Commission.
(6) According to a survey cited by the Federal Trade
Commission, identity theft cost the United States
$52,600,000,000 in 2004. Both individuals and businesses bear
this heavy financial burden.
(7) The increasing power of computers and information
technology has greatly magnified the risk to individual privacy
that can occur from any collection, maintenance, use, or
dissemination of personally identifiable information, as well
as the number of individuals who can be harmed.
(8) There is a clear difference between a compilation of
personally identifiable information and the compilation's
component parts. Even for information contained in public
records, items of data that appear in widely scattered sources
are different from the collection and assembly of that
information into databases, reports, or profiles. The interest
in maintaining the privacy and security of such databases has
always been, and will continue to be, very high.
(9) In order to protect the privacy and security of
individuals whose personally identifiable information resides
in systems maintained by information brokers, it is necessary
and proper for Congress to regulate the collection,
maintenance, use, and dissemination of such information by
information brokers by adopting a framework of fair information
principles. It is the policy of Congress that information
brokers have an affirmative and continuing obligation to
protect the privacy and security of an individual's personally
identifiable information.
(b) Purposes.--The purposes of this Act are--
(1) to regulate the narrow category of business entities
commonly known as ``information brokers'', but not to extend
the regulations to businesses other than information broker
businesses, or to weaken or alter the protections provided by
other applicable laws;
(2) to protect individual rights in relation to information
brokers; and
(3) to ensure that information brokers compete fairly in
the processing and sale of personally identifiable information.
SEC. 3. REGULATION BY FEDERAL TRADE COMMISSION.
(a) Regulations.--
(1) In general.--Not later than 6 months after the date of
enactment of this Act, the Federal Trade Commission (in this
Act referred to as ``the Commission'') shall promulgate
regulations with respect to the conduct of information brokers
and the protection of personally identifiable information held
by such brokers.
(2) Content of regulations.--The regulations promulgated
under paragraph (1) shall include rules--
(A) requiring that procedures for the collection
and maintenance of data guarantee maximum possible
accuracy of personally identifiable information held by
any information broker;
(B) allowing an individual the right to obtain
disclosure of all personally identifiable information
pertaining to the individual held by an information
broker, and to be informed of the identity of each
entity that procured any personally identifiable
information from the broker;
(C) allowing individuals the right to request and
receive prompt correction of errors in personally
identifiable information held by information brokers;
(D) requiring information brokers to safeguard and
protect the confidentiality of personally identifiable
information, appropriate to the nature and type of
information involved;
(E) requiring information brokers to authenticate
users before allowing access to personally identifiable
information, and requiring that each use of personal
information is employed only for a lawful purpose;
(F) requiring procedures to be established to
prevent and detect fraudulent, unlawful, or
unauthorized access, use, or disclosure of personally
identifiable information held by an information broker,
and to mitigate any potential harm to individuals from
threats to the privacy or security of such information;
(G) requiring information brokers to establish and
maintain procedures that track users' access to
personally identifiable information held by the broker,
and the lawful purpose for which each access was made;
and
(H) prohibiting information brokers from engaging
in activities that fail to comply with the Commission's
regulations.
(b) Definitions.--In this section:
(1) Information broker.--
(A) In general.--The term ``information broker''
means a commercial entity whose business is to collect,
assemble, or maintain personally identifiable
information for the sale or transmission of such
information or the provision of access to such
information to any third party, whether such
collection, assembly, or maintenance of personally
identifiable information is performed by the
information broker directly, or by contract or
subcontract with any other entity.
(B) Exemptions.--The Commission, in promulgating
regulations under subsection (a), may exempt any
commercial entity from such regulations, in whole or in
part, if the Commission determines that granting such
an exemption is in the public interest, consistent with
the purposes of this Act, and if the entity's
collection, assembly, and maintenance of personally
identifiable information is only incidental to the
entity's primary business.
(2) Personally identifiable information.--The term
``personally identifiable information'' means any personal
information, as determined by the Commission, which may be used
to identify a person or cause harm to such person.
SEC. 4. ENFORCEMENT.
(a) Enforcement by Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
a regulation promulgated under section 2 shall be treated as a
violation of a regulation under section 18(a)(1)(B) of the
Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding
unfair or deceptive acts or practices.
(2) Powers of commission.--The Commission shall enforce the
regulations promulgated under section 2 in the same manner, by
the same means, and with the same jurisdiction, powers, and
duties as though all applicable terms and provisions of the
Federal Trade Commission Act (15 U.S.C. 41 et seq.) were
incorporated into and made a part of this Act. Any person who
violates such regulations shall be subject to the penalties and
entitled to the privileges and immunities provided in that Act.
Nothing in this Act shall be construed to limit the authority
of the Commission under any other provision of law.
(b) Actions by States.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by an act or practice that violates any
regulation of the Commission promulgated under section 2, the
State may bring a civil action on behalf of the residents of
the State in a district court of the United States of
appropriate jurisdiction, or any other court of competent
jurisdiction, to--
(A) enjoin that act or practice;
(B) enforce compliance with the regulation;
(C) obtain damages, restitution, or other
compensation on behalf of residents of the State; or
(D) obtain such other legal and equitable relief as
the court may consider to be appropriate.
(2) Notice.--Before filing an action under this subsection,
the attorney general of the State involved shall provide to the
Commission and to the Attorney General a written notice of that
action and a copy of the complaint for that action. If the
State attorney general determines that it is not feasible to
provide the notice described in this subparagraph before the
filing of the action, the State attorney general shall provide
the written notice and the copy of the complaint to the
Commission and to the Attorney General as soon after the filing
of the complaint as practicable.
(3) Commission and attorney general authority.--On
receiving notice under paragraph (2), the Commission and the
Attorney General each shall have the right--
(A) to move to stay the action, pending the final
disposition of a pending Federal matter as described in
paragraph (4);
(B) to intervene in an action under paragraph (1);
and
(C) to file petitions for appeal.
(4) Pending criminal proceedings.--If the Attorney General
has instituted a criminal proceeding or the Commission has
instituted a civil action for a violation of this Act or any
regulations thereunder, no State may, during the pendency of
such proceeding or action, bring an action under this
subsection against any defendant named in the criminal
proceeding or civil action for any violation that is alleged in
that proceeding or action.
(5) Rule of construction.--For purposes of bringing any
civil action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to conduct investigations, administer oaths
and affirmations, or compel the attendance of witnesses or the
production of documentary and other evidence.
(c) Private Right of Action.--
(1) In general.--Any individual injured by an act in
violation of the regulations promulgated under section 2, if
otherwise permitted by the laws or rules of the court of a
State, bring in an appropriate court of that State--
(A) an action to enjoin such violation;
(B) an action to recover for actual monetary loss
from such a violation, or to receive up to $1000 in
damages for each such violation, whichever is greater;
or
(C) both such actions.
(2) Limitation.--An action may be commenced under this
subsection within 2 years after the date on which the alleged
violation occurred, except that where a defendant has
materially and willfully misrepresented or disclosed any
information under this Act or the regulations promulgated
pursuant to this Act and the information so misrepresented or
disclosed is material to the establishment of the defendant's
liability under this Act or such regulations, the action may be
brought by the individual under paragraph (1) at any time
within 3 years after discovery by the individual of the
misrepresentation or disclosure.
(3) Nonexclusive remedy.--The remedy provided under this
subsection shall be in addition to any other remedies available
to the individual.
SEC. 5. RELATION TO OTHER LAWS.
(a) Fair Credit Reporting Act.--Nothing in this Act or the
regulations promulgated under this Act shall be construed to modify,
limit or supersede the operation of the Fair Credit Reporting Act. A
person or entity subject to the Fair Credit Reporting Act shall comply
with that Act as well as with this Act and the regulations promulgated
under this Act. To the extent that there is any conflict between the
Fair Credit Reporting Act and this Act or such regulations, the Act
that affords an individual greater protection shall apply. Multiple
requirements with respect to the same information, transaction, or
individual shall not be considered a conflict.
(b) State Laws.--This Act and the regulations promulgated under
this Act shall not be construed as superseding, altering, or affecting
any statute, regulation, order, or interpretation in effect in any
State, except to the extent that such statute, regulation, order, or
interpretation is inconsistent with the provisions of this Act or the
regulations promulgated under this Act, and then only to the extent of
the inconsistency. For purposes of this section, a State statute,
regulation, order, or interpretation shall not be considered
inconsistent with the provisions of this Act or the regulations
promulgated under this Act if the protection such statute, regulation,
order, or interpretation affords any person is greater than the
protection under this Act or the regulations promulgated under this
Act.
SEC. 6. REPORT.
Not later than 12 months after the issuance of the regulations
required by section 2, the Commission shall transmit to Congress a
report on the information brokerage industry and its impact on the
privacy of personally identifiable information. Such report shall
describe the regulations promulgated pursuant to this Act, compliance
with such regulations by the information brokerage industry, and any
recommendations by the Commission for additional measures (including
any necessary legislation) to ensure the privacy of personally
identifiable information.