Short title

This Act may be cited as the

Information Protection and Security Act

Congressional findings; purpose

(a)

Findings

Congress finds the following: (1)Entities commonly known as information brokers have created up to several billion personal records on individuals. (2)Information made available by information brokers is used in the determination of opportunities for credit, employment, housing, insurance, means of travel, and other commercial decisions, and must therefore be as accurate, transparent to the individual, and secure as possible. Inaccurate information pertaining to an individual that is made available by an information broker may significantly interfere with the individual’s economic opportunities. For these reasons, there is a vital need to ensure that information brokers exercise their important responsibilities with fairness, impartiality, accuracy, and respect for individuals’ rights to privacy and security, and that information brokers properly safeguard individuals’ personally identifiable information. (3)In 2004, an identity theft operation improperly gained access to hundreds of thousands of individual profiles maintained by one large information broker. Many of these individuals have and will become victims of identity theft. The full extent of this incident will not be known for years. (4)Identity thieves illegally exploit information technology to take advantage of innocent individuals. Identity thieves typically steal individuals’ names, addresses, telephone numbers, social security numbers, bank account information, and personal financial and medical data. Due to identity thieves misusing this personal information, some individuals are denied jobs, faced with debts that are not their own, and arrested for crimes they did not commit. (5)According to the Federal Trade Commission, 10,000,000 Americans were affected by identity theft in 2004, and the problem is growing worse. Identity theft is now the most common fraud perpetrated on individuals. In 2004, identity theft accounted for 39 percent of consumer fraud complaints filed with the Federal Trade Commission. (6)According to a survey cited by the Federal Trade Commission, identity theft cost the United States $52,600,000,000 in 2004. Both individuals and businesses bear this heavy financial burden. (7)The increasing power of computers and information technology has greatly magnified the risk to individual privacy that can occur from any collection, maintenance, use, or dissemination of personally identifiable information, as well as the number of individuals who can be harmed. (8)There is a clear difference between a compilation of personally identifiable information and the compilation’s component parts. Even for information contained in public records, items of data that appear in widely scattered sources are different from the collection and assembly of that information into databases, reports, or profiles. The interest in maintaining the privacy and security of such databases has always been, and will continue to be, very high. (9)In order to protect the privacy and security of individuals whose personally identifiable information resides in systems maintained by information brokers, it is necessary and proper for Congress to regulate the collection, maintenance, use, and dissemination of such information by information brokers by adopting a framework of fair information principles. It is the policy of Congress that information brokers have an affirmative and continuing obligation to protect the privacy and security of an individual’s personally identifiable information. (b)

Purposes

The purposes of this Act are— (1)to regulate the narrow category of business entities commonly known as information brokers, but not to extend the regulations to businesses other than information broker businesses, or to weaken or alter the protections provided by other applicable laws; (2)to protect individual rights in relation to information brokers; and (3)to ensure that information brokers compete fairly in the processing and sale of personally identifiable information.

Regulation by Federal Trade Commission

(a)

Regulations

(1)

In general

Not later than 6 months after the date of enactment of this Act, the Federal Trade Commission (in this Act referred to as the Commission) shall promulgate regulations with respect to the conduct of information brokers and the protection of personally identifiable information held by such brokers. (2)

Content of regulations

The regulations promulgated under paragraph (1) shall include rules— (A)requiring that procedures for the collection and maintenance of data guarantee maximum possible accuracy of personally identifiable information held by any information broker; (B)allowing an individual the right to obtain disclosure of all personally identifiable information pertaining to the individual held by an information broker, and to be informed of the identity of each entity that procured any personally identifiable information from the broker; (C)allowing individuals the right to request and receive prompt correction of errors in personally identifiable information held by information brokers; (D)requiring information brokers to safeguard and protect the confidentiality of personally identifiable information, appropriate to the nature and type of information involved; (E)requiring information brokers to authenticate users before allowing access to personally identifiable information, and requiring that each use of personal information is employed only for a lawful purpose; (F)requiring procedures to be established to prevent and detect fraudulent, unlawful, or unauthorized access, use, or disclosure of personally identifiable information held by an information broker, and to mitigate any potential harm to individuals from threats to the privacy or security of such information; (G)requiring information brokers to establish and maintain procedures that track users’ access to personally identifiable information held by the broker, and the lawful purpose for which each access was made; and (H)prohibiting information brokers from engaging in activities that fail to comply with the Commission’s regulations. (b)

Definitions

In this section: (1)

Information broker

(A)

In general

The term information broker means a commercial entity whose business is to collect, assemble, or maintain personally identifiable information for the sale or transmission of such information or the provision of access to such information to any third party, whether such collection, assembly, or maintenance of personally identifiable information is performed by the information broker directly, or by contract or subcontract with any other entity. (B)

Exemptions

The Commission, in promulgating regulations under subsection (a), may exempt any commercial entity from such regulations, in whole or in part, if the Commission determines that granting such an exemption is in the public interest, consistent with the purposes of this Act, and if the entity’s collection, assembly, and maintenance of personally identifiable information is only incidental to the entity’s primary business. (2)

Personally identifiable information

The term personally identifiable information means any personal information, as determined by the Commission, which may be used to identify a person or cause harm to such person.

Enforcement

(a)

Enforcement by Federal Trade Commission

(1)

Unfair or deceptive acts or practices

A violation of a regulation promulgated under section 2 shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. (2)

Powers of Commission

The Commission shall enforce the regulations promulgated under section 2 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act. Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law. (b)

Actions by States

(1)

Civil actions

In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates any regulation of the Commission promulgated under section 2, the State may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to— (A)enjoin that act or practice; (B)enforce compliance with the regulation; (C)obtain damages, restitution, or other compensation on behalf of residents of the State; or (D)obtain such other legal and equitable relief as the court may consider to be appropriate. (2)

Notice

Before filing an action under this subsection, the attorney general of the State involved shall provide to the Commission and to the Attorney General a written notice of that action and a copy of the complaint for that action. If the State attorney general determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action, the State attorney general shall provide the written notice and the copy of the complaint to the Commission and to the Attorney General as soon after the filing of the complaint as practicable. (3)

Commission and Attorney General authority

On receiving notice under paragraph (2), the Commission and the Attorney General each shall have the right— (A)to move to stay the action, pending the final disposition of a pending Federal matter as described in paragraph (4); (B)to intervene in an action under paragraph (1); and (C)to file petitions for appeal. (4)

Pending criminal proceedings

If the Attorney General has instituted a criminal proceeding or the Commission has instituted a civil action for a violation of this Act or any regulations thereunder, no State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in the criminal proceeding or civil action for any violation that is alleged in that proceeding or action. (5)

Rule of construction

For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence. (c)

Private right of action

(1)

In general

Any individual injured by an act in violation of the regulations promulgated under section 2, if otherwise permitted by the laws or rules of the court of a State, bring in an appropriate court of that State— (A)an action to enjoin such violation; (B)an action to recover for actual monetary loss from such a violation, or to receive up to $1000 in damages for each such violation, whichever is greater; or (C)both such actions. (2)

Limitation

An action may be commenced under this subsection within 2 years after the date on which the alleged violation occurred, except that where a defendant has materially and willfully misrepresented or disclosed any information under this Act or the regulations promulgated pursuant to this Act and the information so misrepresented or disclosed is material to the establishment of the defendant’s liability under this Act or such regulations, the action may be brought by the individual under paragraph (1) at any time within 3 years after discovery by the individual of the misrepresentation or disclosure. (3)

Nonexclusive remedy

The remedy provided under this subsection shall be in addition to any other remedies available to the individual.

Relation to other laws

(a)

Fair Credit Reporting Act

Nothing in this Act or the regulations promulgated under this Act shall be construed to modify, limit or supersede the operation of the Fair Credit Reporting Act. A person or entity subject to the Fair Credit Reporting Act shall comply with that Act as well as with this Act and the regulations promulgated under this Act. To the extent that there is any conflict between the Fair Credit Reporting Act and this Act or such regulations, the Act that affords an individual greater protection shall apply. Multiple requirements with respect to the same information, transaction, or individual shall not be considered a conflict. (b)

State laws

This Act and the regulations promulgated under this Act shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this Act or the regulations promulgated under this Act, and then only to the extent of the inconsistency. For purposes of this section, a State statute, regulation, order, or interpretation shall not be considered inconsistent with the provisions of this Act or the regulations promulgated under this Act if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection under this Act or the regulations promulgated under this Act.

Report

Not later than 12 months after the issuance of the regulations required by section 2, the Commission shall transmit to Congress a report on the information brokerage industry and its impact on the privacy of personally identifiable information. Such report shall describe the regulations promulgated pursuant to this Act, compliance with such regulations by the information brokerage industry, and any recommendations by the Commission for additional measures (including any necessary legislation) to ensure the privacy of personally identifiable information.