[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3501 Introduced in House (IH)]







109th CONGRESS
  1st Session
                                H. R. 3501

 To require financial institutions and financial service providers to 
    notify customers of the unauthorized use of personal financial 
                  information, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 28, 2005

  Ms. Carson introduced the following bill; which was referred to the 
Committee on Energy and Commerce, and in addition to the Committees on 
     Government Reform and Financial Services, for a period to be 
subsequently determined by the Speaker, in each case for consideration 
  of such provisions as fall within the jurisdiction of the committee 
                               concerned

_______________________________________________________________________

                                 A BILL


 
 To require financial institutions and financial service providers to 
    notify customers of the unauthorized use of personal financial 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Access Rights Defense Act 
(CARD) of 2005''.

SEC. 2. DEFINITIONS.

    In this Act, the following definitions shall apply:
            (1) Agency.--The term ``agency'' has the same meaning given 
        such term in section 551(1) of title 5, United States Code.
            (2) Breach of security of the system.--The term ``breach of 
        security of the system''--
                    (A) means the compromise of the security, 
                confidentiality, or integrity of data that results in, 
                or there is a reasonable basis to conclude has resulted 
                in, the unauthorized acquisition of personal 
                information maintained by the person or business; and
                    (B) does not include good faith acquisition of 
                personal information by an employee or agent of the 
                person or business for the purposes of the person or 
                business, if the personal information is not used or 
                subject to further unauthorized disclosure.
            (3) Person.--The term ``person'' has the same meaning given 
        such term in section 551(2) of title 5, United States Code.
            (4) Personal information.--The term ``personal 
        information'' means an individual's last name in combination 
        with any 1 or more of the following data elements:
                    (A) Social Security number.
                    (B) Driver's license number or State identification 
                number.
                    (C) Account number or credit or debit card number, 
                or, if a security code, access code, or password is 
                required for access to an individual's account, the 
                account number or credit or debit card number, in 
                combination with the required code or password.
            (5) Substitute notice.--The term ``substitute notice'' 
        means--
                    (A) conspicuous posting of the notice on the 
                Internet site of the agency or person, if the agency or 
                person maintains a public Internet site; and
                    (B) notification to major print and broadcast 
                media, including major media in metropolitan and rural 
                areas where the individual whose personal information 
                was, or is reasonably believed to have been, acquired 
                resides. The notice to media shall include a toll-free 
                phone number where an individual can learn whether or 
                not that individual's personal data is included in the 
                security breach.

SEC. 3. DATABASE SECURITY.

    (a) Disclosure of Security Breach.--
            (1) In general.--Any agency, or person engaged in 
        interstate commerce, that owns, licenses, or collects data, 
        whether or not held in electronic form, containing personal 
        information shall, following the discovery of a breach of 
        security of the system maintained by the agency or person that 
        contains such data, or upon receipt of notice under paragraph 
        (2), notify any individual of the United States whose personal 
        information was, or is reasonably believed to have been, 
        acquired by an unauthorized person.
            (2) Notification of owner or licensee.--Any agency, or 
        person engaged in interstate commerce, in possession of data, 
        whether or not held in electronic form, containing personal 
        information that the agency does not own or license shall 
        notify the owner or licensee of the information if the personal 
        information was, or is reasonably believed to have been, 
        acquired by an unauthorized person through a breach of security 
        of the system containing such data.
            (3) Timeliness of notification.--
                    (A) In general.--All notifications required under 
                paragraph (1) or (2) shall be made without unreasonable 
                delay following--
                            (i) the discovery by the agency or person 
                        of a breach of security of the system;
                            (ii) any measures necessary to determine 
                        the scope of the breach, prevent further 
                        disclosures, and restore the reasonable 
                        integrity of the data system; and
                            (iii) receipt of written notice that a law 
                        enforcement agency has determined that the 
                        notification will no longer seriously impede 
                        its investigation, where notification is 
                        delayed as provided in paragraph (4).
                    (B) Burden of proof.--The agency or person required 
                to provide notification under this subsection shall 
                have the burden of demonstrating that all notifications 
                were made as required under this paragraph, including 
                evidence demonstrating the necessity of any delay.
            (4) Delay of notification authorized for law enforcement 
        purposes.--If a law enforcement agency determines that the 
        notification required under this subsection would seriously 
        impede a criminal investigation, such notification may be 
        delayed upon the written request of the law enforcement agency.
            (5) Exception for national security and law enforcement.--
                    (A) In general.--This subsection shall not apply to 
                an agency if the head of the agency certifies, in 
                writing, that notification of the breach as required by 
                this subsection reasonably could be expected to--
                            (i) cause damage to the national security; 
                        and
                            (ii) hinder a law enforcement investigation 
                        or the ability of the agency to conduct law 
                        enforcement investigations.
                    (B) Limits on certifications.--The head of an 
                agency may not execute a certification under 
                subparagraph (A) to--
                            (i) conceal violations of law, 
                        inefficiency, or administrative error;
                            (ii) prevent embarrassment to a person, 
                        organization, or agency; or
                            (iii) restrain competition.
                    (C) Notice.--In every case in which a head of an 
                agency issues a certification under subparagraph (A), a 
                copy of the certification, accompanied by a concise 
                description of the factual basis for the certification, 
                shall be immediately provided to the Congress.
            (6) Methods of notice.--An agency, or person engaged in 
        interstate commerce, shall be in compliance with this 
        subsection if it provides the individual, with--
                    (A) written notification;
                    (B) e-mail notice, if the individual has consented 
                to receive such notice and the notice is consistent 
                with the provisions permitting electronic transmission 
                of notices under section 101 of the Electronic 
                Signatures in Global and National Commerce Act (15 
                U.S.C. 7001); or
                    (C) substitute notice, if--
                            (i) the agency or person demonstrates that 
                        the cost of providing direct notice would 
                        exceed $500,000;
                            (ii) the number of individuals to be 
                        notified exceeds 500,000; or
                            (iii) the agency or person does not have 
                        sufficient contact information for those to be 
                        notified.
            (7) Content of notification.--Regardless of the method by 
        which notice is provided to individuals under paragraphs (1) 
        and (2), such notice shall include--
                    (A) to the extent possible, a description of the 
                categories of information that was, or is reasonably 
                believed to have been, acquired by an unauthorized 
                person, including social security numbers, driver's 
                license or State identification numbers and financial 
                data;
                    (B) a toll-free number--
                            (i) that the individual may use to contact 
                        the agency or person, or the agent of the 
                        agency or person; and
                            (ii) from which the individual may learn--
                                    (I) what types of information the 
                                agency or person maintained about that 
                                individual or about individuals in 
                                general; and
                                    (II) whether or not the agency or 
                                person maintained information about 
                                that individual; and
                    (C) the toll-free contact telephone numbers and 
                addresses for the major credit reporting agencies.
            (8) Coordination of notification with credit reporting 
        agencies.--If an agency or person is required to provide 
        notification to more than 1,000 individuals under this 
        subsection, the agency or person shall also notify, without 
        unreasonable delay, all consumer reporting agencies that 
        compile and maintain files on consumers on a nationwide basis 
        (as defined in section 603(p) of the Fair Credit Reporting Act) 
        of the timing and distribution of the notices.
    (b) Civil Remedies.--
            (1) Penalties.--Any agency, or person engaged in interstate 
        commerce, that violates subsection (a) shall be subject to a 
        civil money penalty of--
                    (A) not more than $1,000 per individual whose 
                personal information was, or is reasonably believed to 
                have been, acquired by an unauthorized person; or
                    (B) not more than $50,000 per day while the failure 
                to give notice under subsection (a) persists.
            (2) Equitable relief.--Any agency or person that violates, 
        proposes to violate, or has violated this section may be 
        enjoined from further violations by a court of competent 
        jurisdiction.
            (3) Other rights and remedies.--The rights and remedies 
        available under this subsection are cumulative and shall not 
        affect any other rights and remedies available under law.
            (4) Damages.--Any person injured by a violation of 
        subsection (a) may institute a civil action to recover damages 
        arising from that violation.
    (c) Enforcement.--The Federal Trade Commission or other appropriate 
regulator, may enforce compliance with this section, including the 
assessment of fines under subsection (b)(1).
    (d) Extended Fraud Alert.--Paragraph (1) of section 605A(b)(1) of 
the Fair Credit Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended, in 
that portion of such paragraph that precedes subparagraph (A), by 
inserting ``, or evidence that the consumer has received notice that 
the consumer's personal financial information has or may have been 
compromised,'' after ``submits an identity theft report''.

SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that is prohibited under this Act, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a district court of the United States 
        of appropriate jurisdiction or any other court of competent 
        jurisdiction to--
                    (A) enjoin that practice;
                    (B) enforce compliance with this Act;
                    (C) obtain damages, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this Act shall be construed to prevent an 
attorney general of a State from exercising the powers conferred on 
such attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (c) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 5. EFFECT ON STATE LAW.

    The provisions of this Act shall supersede any inconsistent 
provisions of law of any State or unit of local government with respect 
to the conduct required by the specific provisions of this Act.

SEC. 6. EFFECTIVE DATE.

    This Act shall take effect at the end of the 6-month period 
beginning on the date of the enactment of this Act.
                                 <all>