[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4127 Introduced in House (IH)]

109th CONGRESS
  1st Session
                                H. R. 4127

  To protect consumers by requiring reasonable security policies and 
      procedures to protect computerized data containing personal 
  information, and to provide for nationwide notice in the event of a 
                            security breach.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 25, 2005

Mr. Stearns (for himself, Ms. Pryce of Ohio, Mr. Upton, Mr. Radanovich, 
 Mr. Bass, Mrs. Bono, Mr. Ferguson, and Mrs. Blackburn) introduced the 
   following bill; which was referred to the Committee on Energy and 
                                Commerce

_______________________________________________________________________

                                 A BILL

  To protect consumers by requiring reasonable security policies and 
      procedures to protect computerized data containing personal 
  information, and to provide for nationwide notice in the event of a 
                            security breach.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Accountability and Trust Act 
(DATA)''.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

    (a) General Security Policies and Procedures.--
            (1) Regulations.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall promulgate 
        regulations to require each person engaged in interstate 
        commerce that owns or possesses data in electronic form 
        containing personal information to establish and implement 
        policies and procedures regarding information security 
        practices for the treatment and protection of personal 
        information that are consistent with--
                    (A) the size of, and the nature, scope, and 
                complexity of the activities engaged in by, such 
                person;
                    (B) the current state of the art in administrative, 
                technical, and physical safeguards for protecting such 
                information; and
                    (C) the cost of implementing such safeguards.
            (2) Requirements.--Such regulations shall require the 
        policies and procedures to include the following:
                    (A) A security policy with respect to the 
                collection, use, sale, other dissemination, and 
                maintenance of such personal information.
                    (B) The identification of an officer or other 
                individual as the point of contact with responsibility 
                for the management of information security.
                    (C) A process for identifying and assessing any 
                reasonably foreseeable vulnerabilities in the system 
                maintained by such person that contains such electronic 
                data.
                    (D) A process for taking preventive and corrective 
                action to mitigate against any vulnerabilities 
                identified in the process required by subparagraph (C), 
                which may include encryption of such data, implementing 
                any changes to security practices and the architecture, 
                installation, or implementation of network or operating 
                software.
    (b) Special Requirements for Information Brokers.--
            (1) Submission of policies to the FTC.--The regulations 
        promulgated under subsection (a) shall require information 
        brokers to submit their security policies to the Commission on 
        an annual basis.
            (2) Post-breach audit.--Following a breach of security of 
        an information broker, the Commission shall conduct an audit of 
        the information security practices of such information broker. 
        The Commission may conduct additional audits, on an annual 
        basis, for a maximum of 5 years following the breach of 
        security or until the Commission determines that the security 
        practices of the information broker are in compliance with the 
        requirements of this section and are adequate to prevent 
        further breaches of security.
            (3) Individual access to personal information.--
                    (A) Access to information.--Each information broker 
                shall--
                            (i) provide to each individual whose 
                        personal information it maintains, at the 
                        individual's request at least one time per year 
                        and at no cost to the individual, a means for 
                        such individual to review any personal 
                        information of the individual maintained by the 
                        information broker and any other information 
                        about the individual maintained by the 
                        information broker; and
                            (ii) place a conspicuous notice on its 
                        Internet website (if the information broker 
                        maintains such a website) instructing 
                        individuals how to request access to the 
                        information required to be provided under 
                        clause (i).
                    (B) Disputed information.--Whenever an individual 
                whose information the information broker maintains 
                files a written request disputing the accuracy of any 
                such information, unless there is reasonable grounds to 
                believe such request is frivolous or irrelevant, the 
                information broker shall clearly note in the database 
                maintained by such information broker, and in any 
                subsequent transmission of such information by such 
                information broker, that such information is disputed 
                by the individual to whom the information relates. Such 
                note shall include either the individual's statement 
                disputing the accuracy of such information or a clear 
                and concise summary thereof.

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

    (a) Nationwide Notification.--Any person engaged in interstate 
commerce that owns or possesses data in electronic form containing 
personal information shall, following the discovery of a breach of 
security of the system maintained by such person that contains such 
data--
            (1) notify each individual of the United States whose 
        personal information was acquired by an unauthorized person as 
        a result of such a breach of security;
            (2) notify the Commission;
            (3) place a conspicuous notice on the Internet website of 
        the person (if such person maintains such a website), which 
        shall include a telephone number that the individual may use, 
        at no cost to such individual, to contact the person to inquire 
        about the security breach or the information the person 
        maintained about that individual; and
            (4) in the case of a breach of financial account 
        information of a merchant, notify the financial institution 
        that issued the account.
    (b) Timeliness of Notification.--All notifications required under 
subsection (a) shall be made as promptly as possible and without 
unreasonable delay following the discovery of a breach of security of 
the system and any measures necessary to determine the scope of the 
breach, prevent further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
    (c) Method and Content of Notification.--
            (1) Direct notification.--
                    (A) Method of notification.--A person required to 
                provide notification to individuals under subsection 
                (a)(1) shall be in compliance with such requirement if 
                the person provides conspicuous and clearly identified 
                notification by one of the following methods (provided 
                the selected method can reasonably be expected to reach 
                the intended individual):
                            (i) Written notification.
                            (ii) Email notification, if the individual 
                        has consented to receive such notification and 
                        the notification is provided in a manner that 
                        is consistent with the provisions permitting 
                        electronic transmission of notices under 
                        section 101 of the Electronic Signatures in 
                        Global Commerce Act (15 U.S.C. 7001).
                    (B) Content of notification.--Regardless of the 
                method by which notification is provided to an 
                individual under subparagraph (A), such notification 
                shall include--
                            (i) a description of the personal 
                        information that was acquired by an 
                        unauthorized person;
                            (ii) a telephone number that the individual 
                        may use, at no cost to such individual, to 
                        contact the person to inquire about the 
                        security breach or the information the person 
                        maintained about that individual;
                            (iii) the toll-free contact telephone 
                        numbers and addresses for the major credit 
                        reporting agencies; and
                            (iv) a toll-free telephone number and 
                        Internet website address for the Commission 
                        whereby the individual may obtain information 
                        regarding identity theft.
            (2) Substitute notification.--
                    (A) Circumstances giving rise to substitute 
                notification.--A person required to provide 
                notification to individuals under subsection (a)(1) may 
                provide substitute notification in lieu of the direct 
                notification required by paragraph (1) if such direct 
                notification is not feasible due to--
                            (i) excessive cost to the person required 
                        to provide such notification relative to the 
                        resources of such person, as determined in 
                        accordance with the regulations issued by the 
                        Commission under paragraph (3)(A); or
                            (ii) lack of sufficient contact information 
                        for the individual required to be notified.
                    (B) Content of substitute notification.--Such 
                substitute notification shall include notification in 
                print and broadcast media, including major media in 
                metropolitan and rural areas where the individuals 
                whose personal information was acquired reside. Such 
                notification shall include a telephone number where an 
                individual can, at no cost to such individual, learn 
                whether or not that individual's personal information 
                is included in the security breach.
            (3) Federal Trade Commission regulations and guidance.--
                    (A) Regulations.--Not later than 270 days after the 
                date of enactment of this Act, the Commission shall, by 
                regulation, establish criteria for determining the 
                circumstances under which substitute notification may 
                be provided under paragraph (2), including criteria for 
                determining if notification under paragraph (1) is not 
                feasible due to excessive cost to the person required 
                to provide such notification relative to the resources 
                of such person.
                    (B) Guidance.--In addition, the Commission shall 
                provide and publish general guidance with respect to 
                compliance with this section. Such guidance shall 
                include--
                            (i) a description of written or email 
                        notification that complies with the 
                        requirements of paragraph (1); and
                            (ii) guidance on the content of substitute 
                        notification under paragraph (2)(B), including 
                        the extent of notification to print and 
                        broadcast media that complies with the 
                        requirements of such paragraph.
    (d) Other Obligations Following Breach.--A person required to 
provide notification under subsection (a) shall provide or arrange for 
the provision of, to each individual to whom notification is provided 
under subsection (c)(1) and at no cost to such individual, consumer 
credit reports from at least one of the major credit reporting agencies 
beginning not later than 2 months following a breach of security and 
continuing on a quarterly basis for a period of 2 years thereafter. The 
Commission shall, by regulation, provide alternative requirements under 
this subsection for persons who qualify to provide substitute 
notification under subsection (c)(2).
    (e) Website Notice of Federal Trade Commission.--The Commission 
shall place, in a clear and conspicuous location on its Internet 
website, a notice of any breach of security that is reported to the 
Commission under subsection (a)(2).

SEC. 4. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

    (a) Unfair or Deceptive Acts or Practices.--A violation of section 
2 or 3 shall be treated as a violation of a regulation under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
    (b) Powers of Commission.--The Commission shall enforce this Act in 
the same manner, by the same means, and with the same jurisdiction, 
powers, and duties as though all applicable terms and provisions of the 
Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated 
into and made a part of this Act. Any person who violates such 
regulations shall be subject to the penalties and entitled to the 
privileges and immunities provided in that Act. Nothing in this Act 
shall be construed to limit the authority of the Commission under any 
other provision of law.

SEC. 5. DEFINITIONS.

    In this Act the following definitions apply:
            (1) Breach of security.--The term ``breach of security'' 
        means the unauthorized acquisition of data in electronic form 
        containing personal information that establishes a reasonable 
        basis to conclude that there is a significant risk of identity 
        theft to the individual to whom the personal information 
        relates. The encryption of such data, combined with appropriate 
        safeguards of the keys necessary to enable decryption of such 
        data, shall establish a presumption that no such reasonable 
        basis exists. Any such presumption may be rebutted by facts 
        demonstrating that the method of encryption has been or is 
        likely to be compromised.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Data in electronic form.--The term ``data in electronic 
        form'' means any data stored electronically or digitally on any 
        computer system or other database and includes recordable tapes 
        and other mass storage devices.
            (4) Encryption.--The term ``encryption'' means the 
        protection of data in electronic form in storage or in transit 
        using an encryption algorithm implemented within a validated 
        cryptographic module that has been approved by the National 
        Institute of Standards and Technology or another comparable 
        standards body recognized by the Commission, rendering such 
        data indecipherable in the absence of associated cryptographic 
        keys necessary to enable decryption of such data. Such 
        encryption must include appropriate management and safeguards 
        of such keys to protect the integrity of the encryption.
            (5) Identity theft.--The term ``identity theft'' means the 
        unauthorized assumption of another person's identity for the 
        purpose of engaging in commercial transactions under the name 
        of such other person.
            (6) Information broker.--The term ``information broker'' 
        means a commercial entity whose business is to collect, 
        assemble, or maintain personal information concerning 
        individuals who are not customers of such entity for the sale 
        or transmission of such information or the provision of access 
        to such information to any third party, whether such 
        collection, assembly, or maintenance of personal information is 
        performed by the information broker directly, or by contract or 
        subcontract with any other entity.
            (7) Personal information.--
                    (A) Definition.--The term ``personal information'' 
                means an individual's first and last name in 
                combination with any 1 or more of the following data 
                elements for that individual:
                            (i) Social Security number.
                            (ii) Driver's license number or other State 
                        identification number.
                            (iii) Financial account number, or credit 
                        or debit card number, and any required security 
                        code, access code, or password that is 
                        necessary to permit access to an individual's 
                        financial account.
                    (B) Modified definition by rulemaking.--The 
                Commission may, by rule, modify the definition of 
                ``personal information'' under subparagraph (A) to the 
                extent that such modification is necessary to 
                accommodate changes in technology or practices, will 
                not unreasonably impede interstate commerce, and will 
                accomplish the purposes of this Act.
            (8) Person.--The term ``person'' has the same meaning given 
        such term in section 551(2) of title 5, United States Code.

SEC. 6. EFFECT ON OTHER LAWS.

    (a) Preemption of State Information Security Laws.--This Act 
supersedes any provision of a statute, regulation, or rule of a State 
or political subdivision of a State that expressly--
            (1) requires information security practices and treatment 
        of personal information similar to any of those required under 
        section 2; and
            (2) requires notification to individuals of a breach of 
        security resulting in unauthorized acquisition of their 
        personal information.
    (b) Additional Preemption.--
            (1) In general.--No person other than the Attorney General 
        of a State may bring a civil action under the laws of any State 
        if such action is premised in whole or in part upon the 
        defendant violating any provision of this Act.
            (2) Protection of consumer protection laws.--This 
        subsection shall not be construed to limit the enforcement of 
        any State consumer protection law by an Attorney General of a 
        State.
    (c) Protection of Certain State Laws.--This Act shall not be 
construed to preempt the applicability of--
            (1) State trespass, contract, or tort law; or
            (2) other State laws to the extent that those laws relate 
        to acts of fraud.

SEC. 7. EFFECTIVE DATE AND SUNSET.

    (a) Effective Date.--This Act shall take effect 1 year after the 
date of enactment of this Act.
    (b) Sunset.--This Act shall cease to be in effect on the date that 
is 10 years from the date of enactment of this Act.

SEC. 8. AUTHORIZATION OF APPROPRIATIONS.

    There is authorized to be appropriated to the Commission $1,000,000 
for each of fiscal years 2006 through 2010 to carry out this Act.