[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3374 Introduced in House (IH)]







109th CONGRESS
  1st Session
                                H. R. 3374

 To provide for the uniform and timely notification of consumers whose 
 sensitive financial personal information has been placed at risk by a 
   breach of data security, to enhance data security safeguards, to 
    provide appropriate consumer mitigation services, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 21, 2005

 Mr. LaTourette (for himself and Ms. Hooley) introduced the following 
    bill; which was referred to the Committee on Financial Services

_______________________________________________________________________

                                 A BILL


 
 To provide for the uniform and timely notification of consumers whose 
 sensitive financial personal information has been placed at risk by a 
   breach of data security, to enhance data security safeguards, to 
    provide appropriate consumer mitigation services, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Notification and Financial 
Data Protection Act of 2005''.

SEC. 2. DATA SECURITY SAFEGUARDS.

    Each financial institution shall have an affirmative and continuing 
obligation to maintain reasonable policies and procedures to protect 
the security and confidentiality of sensitive financial personal 
information of any consumer that is maintained or received by or on 
behalf of such financial institution against any unauthorized use that 
is reasonably likely to result in harm or substantial inconvenience to 
such consumer.

SEC. 3. INVESTIGATION AND NOTICE TO REGULATORS AND LAW ENFORCEMENT IN 
              CASE OF BREACH OF DATA SECURITY.

    (a) Duty to Investigate.--
            (1) In general.--Whenever any financial institution 
        determines or becomes aware of information that would 
        reasonably indicate that a breach of data security may have 
        occurred or is reasonably likely to occur, or receives notice 
        under subsection (c), the financial institution shall 
        immediately conduct a reasonable investigation to--
                    (A) assess the nature and scope of the breach;
                    (B) identify the sensitive financial personal 
                information involved; and
                    (C) determine if the breach is reasonably likely to 
                result in harm or substantial inconvenience to any 
                consumer to whom the information relates.
            (2) Factors to be considered.--In determining, under 
        paragraph (1), the likelihood that harm or substantial 
        inconvenience may be caused to consumers, the financial 
        institution shall consider all available relevant facts, 
        including whether the information that was subject to the 
        breach was unencrypted, or unredacted, or required technology 
        to use that is not generally commercially available.
    (b) Investigation Notices.--If a financial institution determines 
after commencing an investigation under subsection (a) that a potential 
breach of data security may result in harm or substantial inconvenience 
to any consumer whose sensitive financial personal information was 
involved in such potential breach, the financial institution shall--
            (1) promptly notify the appropriate law enforcement 
        agencies of the breach;
            (2) promptly notify the institution's functional regulator;
            (3) take reasonable measures to ensure and restore the 
        security and confidentiality of the sensitive financial 
        personal information involved in the breach;
            (4) take reasonable measures to prevent further 
        unauthorized access to or disclosure of any sensitive financial 
        personal information and to restore the integrity of the data 
        system; and
            (5) notify as appropriate and without unreasonable delay 
        all critical third parties--
                    (A) whose involvement is necessary to investigate 
                the breach of data security; or
                    (B) who will be required to undertake further 
                action with respect to such information to protect such 
                consumers from fraud or identity theft.
    (c) Duty of Financial Contractors.--Whenever any financial 
institution that maintains or receives sensitive financial personal 
information for or on behalf of another party determines, or has reason 
to believe, that a breach of data security has occurred with respect to 
such information, the financial institution shall--
            (1) promptly notify the other party of the breach;
            (2) conduct a joint investigation with the other party to 
        determine the likelihood that such information will be misused 
        against the consumers to whom the information relates in a 
        manner that would cause harm or substantial inconvenience to 
        such consumers; and
            (3) unless the financial institution and third party 
        determine, after conducting a reasonable investigation, that it 
        is not reasonably likely that such information will be misused 
        to commit financial fraud against any consumer to whom any of 
        such sensitive financial personal information relates in a 
        manner that would cause harm or substantial inconvenience to 
        such consumer, provide joint notice under section 4 to such 
        consumers.

SEC. 4. NOTICE TO CONSUMERS OF DATA SECURITY BREACH.

    (a) Notice Required.--If, after completing a reasonable 
investigation pursuant to section 3, a financial institution or a 
financial contractor pursuant to section 3(c) becomes aware that a 
breach of data security is reasonably likely to have occurred, with 
respect to sensitive financial personal information maintained or 
received by or on behalf of the institution, that creates a risk of 
harm or substantial inconvenience to consumers to whom the information 
relates, the financial institution shall, without unreasonable delay--
            (1) provide written notice, in accordance with this 
        section, to each consumer whose sensitive financial personal 
        information was involved in the breach of data security; and
            (2) if the financial institution determines that it is 
        likely to be providing notice under paragraph (1) to 1,000 or 
        more consumers for any breach of data security, provide written 
        notice to--
                    (A) each consumer reporting agency described in 
                section 603(p) of the Fair Credit Reporting Act; and
                    (B) any other consumer reporting agency that the 
                financial institution identifies, or expects to 
                identify, in the notice provided to the consumer under 
                paragraph (1).
    (b) Content of Notice.--The notice provided to any consumer under 
subsection (a)(1) shall include the following information in a clear 
and conspicuous manner:
            (1) A description of the nature and type of information 
        that was, or is reasonably believed to have been, subject to 
        the breach of data security.
            (2) If known, the date, or a reasonable approximation of 
        the period of time, on or within which sensitive financial 
        personal information of the consumer was, or is reasonably 
        believed to have been, acquired by an unauthorized person.
            (3) A description of the actions taken by the financial 
        institution to restore the security and confidentiality of the 
        data.
            (4) A toll-free telephone number where a consumer whose 
        information was the subject of the breach of data security may 
        obtain additional information regarding the breach of data security.
            (5) A summary of rights of consumer victims of fraud or 
        identity theft, such as that prepared by the Federal Trade 
        Commission under section 609(d) of the Fair Credit Reporting 
        Act, including any additional appropriate information on how 
        the consumer may--
                    (A) obtain a copy of a consumer report free of 
                charge in accordance with section 612 of the Fair 
                Credit Reporting Act;
                    (B) place a fraud alert in any file relating to the 
                consumer at a consumer reporting agency under section 
                605A of such Act to discourage unauthorized use; and
                    (C) contact the Federal Trade Commission for more 
                detailed information.
    (c) Notice of Identity Theft.--If a financial institution is 
required to provide a notice under subsection (a)(1) with respect to a 
breach of data security involving sensitive financial personal 
information relating to a consumer (other than financial account 
information described in section 9(5)(A)(v)), the notice required in 
this section with respect to such consumer shall include information on 
how the consumer may obtain mitigation services free of charge in 
accordance with section 5.
    (d) Delay of Notice for Law Enforcement Purposes.--If a financial 
institution receives a written request, or an oral request indicating 
that a written request will be provided, from an appropriate law 
enforcement agency indicating that providing a particular notice to any 
consumer under this section would impede a criminal or civil 
investigation by that law enforcement agency, the financial institution 
shall delay, or in the case of a foreign law enforcement agency may 
delay, providing such notice until the law enforcement agency informs 
the financial institution that such notice will no longer impede the 
investigation or the law enforcement agency fails to confirm that a 
continued delay is necessary to avoid impeding such investigation.
    (e) Electronic Transmission of Notice.--The written notice required 
under this section to any consumer may be made by an electronic 
transmission only if--
            (1) the consumer has provided prior consent to receive any 
        such notice by electronic transmission; and
            (2) the notice is consistent with the provisions permitting 
        electronic transmission of notices under section 101 of the 
        Electronic Signatures in Global and National Commerce Act.

SEC. 5. MITIGATION PROCEDURES.

    (a) Free File Monitoring.--Any financial institution that is 
required to provide notice to a consumer under section 4(a)(1) with 
respect to a breach of data security described in section 4(c) shall, 
if requested by the consumer before the end of the 90-day period 
beginning on the date of such notice, make available to the consumer, 
free of charge and for a 12-month period, a service that monitors 
nationwide credit activity regarding the consumer from a consumer 
reporting agency described in section 603(p) of the Fair Credit 
Reporting Act.
    (b) Joint Rulemaking for Safe Harbor.--The Federal Trade 
Commission, in consultation with the regulatory agencies described in 
section 8, shall develop regulations, which shall be prescribed by all 
functional regulatory agencies, that, in any case in which--
            (1) free file monitoring is offered under subsection (a) to 
        a consumer;
            (2) subsequent to the offer, another party misuses 
        sensitive financial personal information on the consumer 
        obtained through the breach of data security (that gave rise to 
        such offer) to commit identity theft against the consumer; and
            (3) at the time of such breach the financial institution 
        maintained reasonable policies and procedures to comply with 
        subsection (a),
exempts the financial institution from any liability under State common 
law for any loss or harm to the consumer occurring after the end of a 
reasonable period beginning on the date of such offer, other than any 
direct pecuniary loss provided under such law, resulting from such 
misuse.

SEC. 6. PROPER DISPOSAL OF PERSONAL INFORMATION.

    (a) In General.--Before the end of the 6-month period beginning on 
the date of the enactment of this Act, the Federal Trade Commission 
shall prescribe regulations in final form requiring any financial 
institution which maintains or otherwise possesses sensitive financial 
personal information, or any compilation of such information, for a 
business purpose to properly dispose of any such information or 
compilation so that such information or compilation cannot practicably 
be read or reconstructed.
    (b) Rule of Construction.--No provision of this section shall be 
construed--
            (1) as requiring, or authorizing the Federal Trade 
        Commission to require, any person to maintain or destroy any 
        sensitive financial personal information that is not required 
        to be maintained or destroyed under any other provision of 
        Federal or State law; or
            (2) as altering or affecting any requirement imposed under 
        any other provision of Federal or State law to maintain or 
        destroy sensitive financial personal information.

SEC. 7. RELATION TO STATE LAW.

    The provisions of this Act shall supersede any law, rule, or 
regulation of any State or political subdivision of any State that 
relates in any way to--
            (1) information security standards of financial 
        institutions; or
            (2) the notification of consumers by financial institutions 
        with respect to any breach of the confidentiality or security 
        of information maintained or received by or on behalf of the 
        financial institutions.

SEC. 8. ADMINISTRATIVE ENFORCEMENT.

    This Act and any regulation prescribed under this Act shall be 
enforced with respect to financial institutions and other persons to 
which this Act applies exclusively by the functional financial 
regulators, and by the chief law enforcement officer of a State, or an 
official or agency designated by a State (with respect to persons 
within the jurisdiction of such officer, official, or agency), as 
follows:
            (1) Under section 8 of the Federal Deposit Insurance Act, 
        in the case of--
                    (A) national banks, Federal branches and Federal 
                agencies of foreign banks, and any subsidiaries of such 
                entities (except brokers, dealers, persons providing 
                insurance, investment companies, and investment 
                advisers), by the Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, organizations operating under section 25 
                or 25A of the Federal Reserve Act, and bank holding 
                companies and their nonbank subsidiaries or affiliates 
                (except brokers, dealers, persons providing insurance, 
                investment companies, and investment advisers), by the 
                Board of Governors of the Federal Reserve System;
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System), insured State branches of foreign banks, and 
                any subsidiaries of such entities (except brokers, 
                dealers, persons providing insurance, investment 
                companies, and investment advisers), by the Board of 
                Directors of the Federal Deposit Insurance Corporation; 
                and
                    (D) savings associations the deposits of which are 
                insured by the Federal Deposit Insurance Corporation, 
                and any subsidiaries of such savings associations 
                (except brokers, dealers, persons providing insurance, 
                investment companies, and investment advisers), by the 
                Director of the Office of Thrift Supervision.
            (2) Under the Federal Credit Union Act, by the Board of the 
        National Credit Union Administration with respect to any 
        federally insured credit union, and any subsidiaries of such an 
        entity.
            (3) Under the Securities Exchange Act of 1934, by the 
        Securities and Exchange Commission with respect to any broker 
        or dealer.
            (4) Under the Investment Company Act of 1940, by the 
        Securities and Exchange Commission with respect to investment 
        companies.
            (5) Under the Investment Advisers Act of 1940, by the 
        Securities and Exchange Commission with respect to investment 
        advisers registered with the Commission under such Act.
            (6) Under State insurance law, in the case of any person 
        engaged in the business of insurance, by the applicable State 
        insurance authority of the State in which the person is 
        domiciled.
            (7) Under the Federal Trade Commission Act, by the Federal 
        Trade Commission for any other person that is not subject to 
        the jurisdiction of any agency or authority under paragraphs 
        (1) through (6) of this section.

SEC. 9. DEFINITIONS.

    For purposes of this Act, the following definitions shall apply:
            (1) Breach of data security.--The term ``breach of data 
        security'' means, with respect to sensitive financial personal 
        information that is maintained, received, or communicated by or 
        on behalf of any financial institution--
                    (A) an unauthorized acquisition of such information 
                that could be used to commit financial fraud; or
                    (B) an unusual pattern of misuse of such 
                information to commit financial fraud.
            (2) Consumer.--The term ``consumer'' means an individual.
            (3) Financial institution.--The term ``financial 
        institution'' means--
                    (A) any person the business of which is engaging in 
                activities that are financial in nature as described in 
                or determined under section 4(k) of the Bank Holding 
                Company Act;
                    (B) any entity that is primarily engaged in 
                activities that are subject to the Fair Credit 
                Reporting Act; and
                    (C) any person that is maintaining, receiving, or 
                communicating sensitive financial personal information 
                on an ongoing basis for the purposes of engaging in 
                interstate commerce.
            (4) Functional financial regulator.--The term ``functional 
        financial regulator''--
                    (A) has the same meaning as in section 509(2) of 
                the Gramm-Leach-Bliley Act; and
                    (B) in the case of any financial institution that 
                is described in paragraph (3)(B) that is not subject to 
                the Gramm-Leach-Bliley Act, includes the appropriate 
                regulator for such financial institution under section 
                621 of the Fair Credit Reporting Act.
            (5) Sensitive financial personal information.--
                    (A) In general.--The term ``sensitive financial 
                personal information'' means information that is 
                personal, sensitive, and nonpublic and contains an 
                individual's first and last name and either the 
                individual's address or telephone number and appears in 
                combination with any of the following:
                            (i) Social Security number.
                            (ii) Driver's license number or an 
                        equivalent State-issued identification number.
                            (iii) Taxpayer identification number.
                            (iv) Any credit card or debit card account 
                        number.
                            (v) Any bank, savings association, credit 
                        union, or investment account number, other than 
                        an account number described in clause (iv), in 
                        combination with any required security code, 
                        biometric code, password, or other means that 
                        would permit access to a consumer's financial 
                        account.
                    (B) Exclusions.--The term ``sensitive financial 
                personal information'' shall not include--
                            (i) any list, description or other grouping 
                        of individuals (and publicly available 
                        information pertaining to them) that is derived 
                        without using any sensitive financial personal 
                        information; or
                            (ii) publicly available information that is 
                        lawfully made available to the general public 
                        from Federal, State or local government 
                        records.