 


109 HR 3501 IH: Consumer Access Rights Defense Act (CARD) of 2005
U.S. House of Representatives
2005-07-28
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


 
I 
109th CONGRESS 1st Session 
H. R. 3501 
IN THE HOUSE OF REPRESENTATIVES 
 
July 28, 2005 
Ms. Carson introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committees on Government Reform and Financial Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned 
 
A BILL 
To require financial institutions and financial service providers to notify customers of the unauthorized use of personal financial information, and for other purposes. 
 
 
1. Short title. This Act may be cited as the “Consumer Access Rights Defense Act (CARD) of 2005”.
2. Definitions. In this Act, the following definitions shall apply:
(1) Agency. The term “agency” has the same meaning given such term in section 551(1) of title 5, United States Code.
(2) Breach of security of the system. The term “breach of security of the system”—
(A) means the compromise of the security, confidentiality, or integrity of data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of personal information maintained by the person or business; and
(B) does not include good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business, if the personal information is not used or subject to further unauthorized disclosure.
(3) Person. The term “person” has the same meaning given such term in section 551(2) of title 5, United States Code.
(4) Personal information. The term “personal information” means an individual’s last name in combination with any 1 or more of the following data elements:
(A) Social Security number.
(B) Driver’s license number or State identification number.
(C) Account number or credit or debit card number, or, if a security code, access code, or password is required for access to an individual’s account, the account number or credit or debit card number, in combination with the required code or password.
(5) Substitute notice. The term “substitute notice” means—
(A) conspicuous posting of the notice on the Internet site of the agency or person, if the agency or person maintains a public Internet site; and
(B) notification to major print and broadcast media, including major media in metropolitan and rural areas where the individual whose personal information was, or is reasonably believed to have been, acquired resides. The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual’s personal data is included in the security breach.
3. Database security
(a) Disclosure of Security Breach
(1) In general. Any agency, or person engaged in interstate commerce, that owns, licenses, or collects data, whether or not held in electronic form, containing personal information shall, following the discovery of a breach of security of the system maintained by the agency or person that contains such data, or upon receipt of notice under paragraph (2), notify any individual of the United States whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(2) Notification of owner or licensee. Any agency, or person engaged in interstate commerce, in possession of data, whether or not held in electronic form, containing personal information that the agency does not own or license shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data.
(3) Timeliness of notification
(A) In general. All notifications required under paragraph (1) or (2) shall be made without unreasonable delay following—
(i) the discovery by the agency or person of a breach of security of the system;
(ii) any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system; and
(iii) receipt of written notice that a law enforcement agency has determined that the notification will no longer seriously impede its investigation, where notification is delayed as provided in paragraph (4).
(B) Burden of proof. The agency or person required to provide notification under this subsection shall have the burden of demonstrating that all notifications were made as required under this paragraph, including evidence demonstrating the necessity of any delay.
(4) Delay of notification authorized for law enforcement purposes. If a law enforcement agency determines that the notification required under this subsection would seriously impede a criminal investigation, such notification may be delayed upon the written request of the law enforcement agency.
(5) Exception for national security and law enforcement
(A) In general. This subsection shall not apply to an agency if the head of the agency certifies, in writing, that notification of the breach as required by this subsection reasonably could be expected to—
(i) cause damage to the national security; and
(ii) hinder a law enforcement investigation or the ability of the agency to conduct law enforcement investigations.
(B) Limits on certifications. The head of an agency may not execute a certification under subparagraph (A) to—
(i) conceal violations of law, inefficiency, or administrative error;
(ii) prevent embarrassment to a person, organization, or agency; or
(iii) restrain competition.
(C) Notice. In every case in which a head of an agency issues a certification under subparagraph (A), a copy of the certification, accompanied by a concise description of the factual basis for the certification, shall be immediately provided to the Congress.
(6) Methods of notice. An agency, or person engaged in interstate commerce, shall be in compliance with this subsection if it provides the individual, with—
(A) written notification;
(B) e-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001); or
(C) substitute notice, if—
(i) the agency or person demonstrates that the cost of providing direct notice would exceed $500,000;
(ii) the number of individuals to be notified exceeds 500,000; or
(iii) the agency or person does not have sufficient contact information for those to be notified.
(7) Content of notification. Regardless of the method by which notice is provided to individuals under paragraphs (1) and (2), such notice shall include—
(A) to the extent possible, a description of the categories of information that was, or is reasonably believed to have been, acquired by an unauthorized person, including social security numbers, driver’s license or State identification numbers and financial data;
(B) a toll-free number—
(i) that the individual may use to contact the agency or person, or the agent of the agency or person; and
(ii) from which the individual may learn—
(I) what types of information the agency or person maintained about that individual or about individuals in general; and
(II) whether or not the agency or person maintained information about that individual; and
(C) the toll-free contact telephone numbers and addresses for the major credit reporting agencies.
(8) Coordination of notification with credit reporting agencies. If an agency or person is required to provide notification to more than 1,000 individuals under this subsection, the agency or person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act) of the timing and distribution of the notices.
(b) Civil Remedies
(1) Penalties. Any agency, or person engaged in interstate commerce, that violates subsection (a) shall be subject to a civil money penalty of—
(A) not more than $1,000 per individual whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person; or
(B) not more than $50,000 per day while the failure to give notice under subsection (a) persists.
(2) Equitable relief. Any agency or person that violates, proposes to violate, or has violated this section may be enjoined from further violations by a court of competent jurisdiction.
(3) Other rights and remedies. The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.
(4) Damages. Any person injured by a violation of subsection (a) may institute a civil action to recover damages arising from that violation.
(c) Enforcement. The Federal Trade Commission or other appropriate regulator, may enforce compliance with this section, including the assessment of fines under subsection (b)(1).
(d) Extended fraud alert. Paragraph (1) of section 605A(b)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681c–1(b)(1)) is amended, in that portion of such paragraph that precedes subparagraph (A), by inserting “, or evidence that the consumer has received notice that the consumer’s personal financial information has or may have been compromised,” after “submits an identity theft report”.
4. Enforcement by state attorneys general
(a) In General
(1) Civil actions. In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that is prohibited under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction or any other court of competent jurisdiction to—
(A) enjoin that practice;
(B) enforce compliance with this Act;
(C) obtain damages, restitution, or other compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may consider to be appropriate.
(2) Notice
(A) In general. Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General of the United States—
(i) written notice of the action; and
(ii) a copy of the complaint for the action.
(B) Exemption
(i) In general. Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.
(ii) Notification. In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the State attorney general files the action.
(b) Construction. For purposes of bringing any civil action under subsection (a), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to—
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.
(c) Venue; Service of Process
(1) Venue. Any action brought under subsection (a) may be brought in—
(A) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or
(B) another court of competent jurisdiction.
(2) Service of process. In an action brought under subsection (a), process may be served in any district in which the defendant—
(A) is an inhabitant; or
(B) may be found.
5. Effect on State law. The provisions of this Act shall supersede any inconsistent provisions of law of any State or unit of local government with respect to the conduct required by the specific provisions of this Act.
6. Effective date. This Act shall take effect at the end of the 6-month period beginning on the date of the enactment of this Act.
 
