[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4127 Reported in House (RH)]
Union Calendar No. 270
109th CONGRESS
2d Session
H. R. 4127
[Report No. 109-453, Parts I, II, and III]
To protect consumers by requiring reasonable security policies and
procedures to protect computerized data containing personal
information, and to provide for nationwide notice in the event of a
security breach.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
October 25, 2005
Mr. Stearns (for himself, Ms. Pryce of Ohio, Mr. Upton, Mr. Radanovich,
Mr. Bass, Mrs. Bono, Mr. Ferguson, and Mrs. Blackburn) introduced the
following bill; which was referred to the Committee on Energy and
Commerce
May 4, 2006
Reported with an amendment and referred to the Committee on Financial
Services for a period ending not later than June 2, 2006, for
consideration of such provisions of the bill and amendment as fall
within the jurisdiction of that committee pursuant to clause 1(g), rule
X. Referred to the Committee on the Judiciary for a period ending not
later than June 2, 2006, for consideration of such provisions of the
bill and amendment as fall within the jurisdiction of that committee
pursuant to clause 1(l), rule X
[Strike out all after the enacting clause and insert the part printed
in italic]
May 26, 2006
Reported from the Committee on the Judiciary with an amendment
[Strike out all after the enacting clause and insert the part printed
in boldface roman]
June 2, 2006
Additional sponsors: Mr. Gillmor, Mr. Shadegg, Mr. Dingell, Ms.
Schakowsky, Ms. Eshoo, Mr. Inslee, Ms. Baldwin, and Mr. Ross
June 2, 2006
Reported from the Committee on Financial Services with amendments;
committed to the Committee of the Whole House on the State of the Union
and ordered to be printed
[Strike out all after the enacting clause and insert the part printed
in boldface italic]
[For text of introduced bill, see copy of bill as introduced on October
25, 2005]
_______________________________________________________________________
A BILL
To protect consumers by requiring reasonable security policies and
procedures to protect computerized data containing personal
information, and to provide for nationwide notice in the event of a
security breach.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Accountability and Trust Act
(DATA)''.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
(a) General Security Policies and Procedures.--
(1) Regulations.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, United States Code,
to require each person engaged in interstate commerce that owns
or possesses data in electronic form containing personal
information, or contracts to have any third party entity
maintain such data for such person, to establish and implement
policies and procedures regarding information security
practices for the treatment and protection of personal
information taking into consideration--
(A) the size of, and the nature, scope, and
complexity of the activities engaged in by, such
person;
(B) the current state of the art in administrative,
technical, and physical safeguards for protecting such
information; and
(C) the cost of implementing such safeguards.
(2) Requirements.--Such regulations shall require the
policies and procedures to include the following:
(A) A security policy with respect to the
collection, use, sale, other dissemination, and
maintenance of such personal information.
(B) The identification of an officer or other
individual as the point of contact with responsibility
for the management of information security.
(C) A process for identifying and assessing any
reasonably foreseeable vulnerabilities in the system
maintained by such person that contains such electronic
data, which shall include regular monitoring for a
breach of security of such system.
(D) A process for taking preventive and corrective
action to mitigate against any vulnerabilities
identified in the process required by subparagraph (C),
which may include implementing any changes to security
practices and the architecture, installation, or
implementation of network or operating software.
(E) A process for disposing of obsolete data in
electronic form containing personal information by
shredding, permanently erasing, or otherwise modifying
the personal information contained in such data to make
such personal information permanently unreadable or
undecipherable.
(3) Treatment of entities governed by other law.--In
promulgating the regulations under this subsection, the
Commission may determine to be in compliance with this
subsection any person who is required under any other Federal
law to maintain standards and safeguards for information
security and protection of personal information that provide
equal or greater protection than those required under this
subsection.
(b) Destruction of Obsolete Paper Records Containing Personal
Information.--
(1) Study.--Not later than 1 year after the date of
enactment of this Act, the Commission shall conduct a study on
the practicality of requiring a standard method or methods for
the destruction of obsolete paper documents and other non-electronic
data containing personal information by persons
engaged in interstate commerce who own or possess such paper
documents and non-electronic data. The study shall consider the
cost, benefit, feasibility, and effect of a requirement of
shredding or other permanent destruction of such paper
documents and non-electronic data.
(2) Regulations.--The Commission may promulgate regulations
under section 553 of title 5, United States Code, requiring a
standard method or methods for the destruction of obsolete
paper documents and other non-electronic data containing
personal information by persons engaged in interstate commerce
who own or possess such paper documents and non-electronic data
if the Commission finds that--
(A) the improper disposal of obsolete paper
documents and other non-electronic data creates a
reasonable risk of identity theft, fraud, or other
unlawful conduct;
(B) such a requirement would be effective in
preventing identity theft, fraud, or other unlawful
conduct;
(C) the benefit in preventing identity theft,
fraud, or other unlawful conduct would outweigh the
cost to persons subject to such a requirement; and
(D) compliance with such a requirement would be
practicable.
In enforcing any such regulations, the Commission may determine
to be in compliance with such regulations any person who is
required under any other Federal law to dispose of obsolete
paper documents and other non-electronic data containing
personal information if such other Federal law provides equal
or greater protection of personal information than the
regulations promulgated under this subsection.
(c) Special Requirements for Information Brokers.--
(1) Submission of policies to the ftc.--The regulations
promulgated under subsection (a) shall require information
brokers to submit their security policies to the Commission in
conjunction with a notification of a breach of security under
section 3 or upon request of the Commission.
(2) Post-breach audit.--For any information broker required
to provide notification under section 3, the Commission shall
conduct an audit of the information security practices of such
information broker, or require the information broker to
conduct an independent audit of such practices (by an
independent auditor who has not audited such information
broker's security practices during the preceding 5 years). The
Commission may conduct or require additional audits for a
period of 5 years following the breach of security or until the
Commission determines that the security practices of the
information broker are in compliance with the requirements of
this section and are adequate to prevent further breaches of
security.
(3) Verification of and individual access to personal
information.--
(A) Verification.--Each information broker shall
establish reasonable procedures to verify the accuracy
of the personal information it collects, assembles, or
maintains, and any other information it collects,
assembles, or maintains that specifically identifies an
individual, other than information which merely
identifies an individual's name or address.
(B) Consumer access to information.--
(i) Access.--Each information broker
shall--
(I) provide to each individual
whose personal information it
maintains, at the individual's request
at least 1 time per year and at no cost
to the individual, and after verifying
the identity of such individual, a
means for the individual to review any
personal information regarding such
individual maintained by the
information broker and any other
information maintained by the
information broker that specifically
identifies such individual, other than
information which merely identifies an
individual's name or address; and
(II) place a conspicuous notice on
its Internet website (if the
information broker maintains such a
website) instructing individuals how to
request access to the information
required to be provided under subclause
(I).
(ii) Disputed information.--Whenever an
individual whose information the information
broker maintains makes a written request
disputing the accuracy of any such information,
the information broker, after verifying the
identity of the individual making such request
and unless there are reasonable grounds to
believe such request is frivolous or
irrelevant, shall--
(I) correct any inaccuracy; or
(II)(aa) in the case of information
that is public record information,
inform the individual of the source of
the information, and, if reasonably
available, where a request for
correction may be directed; or
(bb) in the case of information
that is non-public information, note
the information that is disputed,
including the individual's statement
disputing such information, and take
reasonable steps to independently
verify such information under the
procedures outlined in subparagraph (A)
if such information can be
independently verified.
(iii) Limitations.--An information broker
may limit the access to information required
under subparagraph (B) in the following
circumstances:
(I) If access of the individual to
the information is limited by law or
legally recognized privilege.
(II) If the information is used for
a legitimate governmental or fraud
prevention purpose that would be
compromised by such access.
(iv) Rulemaking.--The Commission shall
issue regulations, as necessary, under section
553 of title 5, United States Code, on the
application of the limitations in clause (iii).
(C) Treatment of entities governed by other law.--
The Commission may promulgate rules (under section 553
of title 5, United States Code) to determine to be in
compliance with this paragraph any person who is a
consumer reporting agency, as defined in section 603(f)
of the Fair Credit Reporting Act, with respect to those
products and services that are subject to and in
compliance with the requirements of that Act.
(4) Requirement of audit log of accessed and transmitted
information.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, United States Code,
to require information brokers to establish measures which
facilitate the auditing or retracing of any internal or
external access to, or transmissions of, any data in electronic
form containing personal information collected, assembled, or
maintained by such information broker.
(5) Prohibition on pretexting by information brokers.--
(A) Prohibition on obtaining personal information
by false pretenses.--It shall be unlawful for an
information broker to obtain or attempt to obtain, or
cause to be disclosed or attempt to cause to be
disclosed to any person, personal information or any
other information relating to any person by--
(i) making a false, fictitious, or
fraudulent statement or representation to any
person; or
(ii) providing any document or other
information to any person that the information
broker knows or should know to be forged,
counterfeit, lost, stolen, or fraudulently
obtained, or to contain a false, fictitious, or
fraudulent statement or representation.
(B) Prohibition on solicitation to obtain personal
information under false pretenses.--It shall be
unlawful for an information broker to request a person
to obtain personal information or any other information
relating to any other person, if the information broker
knew or should have known that the person to whom such
a request is made will obtain or attempt to obtain such
information in the manner described in subsection (a).
(d) Exemption for Telecommunications Carrier, Cable Operator,
Information Service, or Interactive Computer Service.--Nothing in this
section shall apply to any electronic communication by a third party
stored by a telecommunications carrier, cable operator, or information
service, as those terms are defined in section 3 of the Communications
Act of 1934 (47 U.S.C. 153), or an interactive computer service, as
such term is defined in section 230(f)(2) of such Act (47 U.S.C.
230(f)(2)).
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) Nationwide Notification.--Any person engaged in interstate
commerce that owns or possesses data in electronic form containing
personal information shall, following the discovery of a breach of
security of the system maintained by such person that contains such
data--
(1) notify each individual who is a citizen or resident of
the United States whose personal information was acquired by an
unauthorized person as a result of such a breach of security;
and
(2) notify the Commission.
(b) Special Notification Requirement for Certain Entities.--
(1) Third party agents.--In the event of a breach of
security by any third party entity that has been contracted to
maintain or process data in electronic form containing personal
information on behalf of any other person who owns or possesses
such data, such third party entity shall be required only to
notify such person of the breach of security. Upon receiving
such notification from such third party, such person shall
provide the notification required under subsection (a).
(2) Telecommunications carriers, cable operators,
information services, and interactive computer services.--If a
telecommunications carrier, cable operator, or information
service (as such terms are defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153)), or an interactive
computer service (as such term is defined in section 230(f)(2)
of such Act (47 U.S.C. 230(f)(2))), becomes aware of a breach
of security during the transmission of data in electronic form
containing personal information that is owned or possessed by
another person utilizing the means of transmission of such
telecommunications carrier, cable operator, information
service, or interactive computer service, such
telecommunications carrier, cable operator, information
service, or interactive computer service shall be required only
to notify the person who initiated such transmission of such a
breach of security if such person can be reasonably identified.
Upon receiving such notification from a telecommunications
carrier, cable operator, information service, or interactive
computer service, such person shall provide the notification
required under subsection (a).
(3) Breach of health information.--If the Commission
receives a notification of a breach of security and determines
that information included in such breach is individually
identifiable health information (as such term is defined in
section 1171(6) of the Social Security Act (42 U.S.C.
1320d(6))), the Commission shall send a copy of such
notification to the Secretary of Health and Human Services.
(c) Timeliness of Notification.--All notifications required under
subsection (a) shall be made as promptly as possible and without
unreasonable delay following the discovery of a breach of security of
the system and consistent with any measures necessary to determine the
scope of the breach, prevent further breach or unauthorized
disclosures, and reasonably restore the integrity of the data system.
(d) Method and Content of Notification.--
(1) Direct notification.--
(A) Method of notification.--A person required to
provide notification to individuals under subsection
(a)(1) shall be in compliance with such requirement if
the person provides conspicuous and clearly identified
notification by one of the following methods (provided
the selected method can reasonably be expected to reach
the intended individual):
(i) Written notification.
(ii) Email notification, if--
(I) the person's primary method of
communication with the individual is by
email; or
(II) the individual has consented
to receive such notification and the
notification is provided in a manner
that is consistent with the provisions
permitting electronic transmission of
notices under section 101 of the
Electronic Signatures in Global
Commerce Act (15 U.S.C. 7001).
(B) Content of notification.--Regardless of the
method by which notification is provided to an
individual under subparagraph (A), such notification
shall include--
(i) a description of the personal
information that was acquired by an
unauthorized person;
(ii) a telephone number that the individual
may use, at no cost to such individual, to
contact the person to inquire about the breach
of security or the information the person
maintained about that individual;
(iii) notice that the individual is
entitled to receive, at no cost to such
individual, consumer credit reports on a
quarterly basis for a period of 2 years, and
instructions to the individual on requesting
such reports from the person;
(iv) the toll-free contact telephone
numbers and addresses for the major credit
reporting agencies; and
(v) a toll-free telephone number and
Internet website address for the Commission
whereby the individual may obtain information
regarding identity theft.
(2) Substitute notification.--
(A) Circumstances giving rise to substitute
notification.--A person required to provide
notification to individuals under subsection (a)(1) may
provide substitute notification in lieu of the direct
notification required by paragraph (1) if--
(i) the person owns or possesses data in
electronic form containing personal information
of fewer than 1,000 individuals; and
(ii) such direct notification is not
feasible due to--
(I) excessive cost to the person
required to provide such notification
relative to the resources of such
person, as determined in accordance
with the regulations issued by the
Commission under paragraph (3)(A); or
(II) lack of sufficient contact
information for the individual required
to be notified.
(B) Form of substitute notice.--Such substitute
notification shall include--
(i) email notification to the extent that
the person has email addresses of individuals
to whom it is required to provide notification
under subsection (a)(1);
(ii) a conspicuous notice on the Internet
website of the person (if such person maintains
such a website); and
(iii) notification in print and to
broadcast media, including major media in
metropolitan and rural areas where the
individuals whose personal information was
acquired reside.
(C) Content of substitute notice.--Each form of
substitute notice under this paragraph shall include--
(i) notice that individuals whose personal
information is included in the breach of
security are entitled to receive, at no cost to
the individuals, consumer credit reports on a
quarterly basis for a period of 2 years, and
instructions on requesting such reports from
the person; and
(ii) a telephone number by which an
individual can, at no cost to such individual,
learn whether that individual's personal
information is included in the breach of
security.
(3) Federal trade commission regulations and guidance.--
(A) Regulations.--Not later than 1 year after the
date of enactment of this Act, the Commission shall, by
regulations under section 553 of title 5, United States
Code, establish criteria for determining the
circumstances under which substitute notification may
be provided under paragraph (2), including criteria for
determining if notification under paragraph (1) is not
feasible due to excessive cost to the person required
to provide such notification relative to the resources
of such person.
(B) Guidance.--In addition, the Commission shall
provide and publish general guidance with respect to
compliance with this section. Such guidance shall
include--
(i) a description of written or email
notification that complies with the
requirements of paragraph (1); and
(ii) guidance on the content of substitute
notification under paragraph (2)(B), including
the extent of notification to print and
broadcast media that complies with the
requirements of such paragraph.
(e) Other Obligations Following Breach.--A person required to
provide notification under subsection (a) shall, upon request of an
individual whose personal information was included in the breach of
security, provide or arrange for the provision of, to each such
individual and at no cost to such individual, consumer credit reports
from at least one of the major credit reporting agencies beginning not
later than 2 months following the discovery of a breach of security and
continuing on a quarterly basis for a period of 2 years thereafter.
(f) Exemption.--
(1) General exemption.--A person shall be exempt from the
requirements under this section if, following a breach of
security, such person determines that there is no reasonable
risk of identity theft, fraud, or other unlawful conduct.
(2) Presumptions.--
(A) Encryption.--The encryption of data in
electronic form shall establish a presumption that no
reasonable risk of identity theft, fraud, or other
unlawful conduct exists following a breach of security
of such data. Any such presumption may be rebutted by
facts demonstrating that the encryption has been or is
reasonably likely to be compromised.
(B) Additional methodologies or technologies.--Not
later than 270 days after the date of the enactment of
this Act, the Commission shall, by rule pursuant to
section 553 of title 5, United States Code, identify
any additional security methodology or technology,
other than encryption, which renders data in electronic
form unreadable or indecipherable, that shall, if
applied to such data, establish a presumption that no
reasonable risk of identity theft, fraud, or other
unlawful conduct exists following a breach of security
of such data. Any such presumption may be rebutted by
facts demonstrating that any such methodology or
technology has been or is reasonably likely to be
compromised. In promulgating such a rule, the
Commission shall consult with relevant industries,
consumer organizations, and data security and identity
theft prevention experts and established standards
setting bodies.
(3) FTC guidance.--Not later than 1 year after the date of
the enactment of this Act, the Commission shall issue guidance
regarding the application of the exemption in paragraph (1).
(g) Website Notice of Federal Trade Commission.--If the Commission,
upon receiving notification of any breach of security that is reported
to the Commission under subsection (a)(2), finds that notification of
such a breach of security via the Commission's Internet website would
be in the public interest or for the protection of consumers, the
Commission shall place such a notice in a clear and conspicuous
location on its Internet website.
(h) FTC Study on Notification in Languages in Addition to
English.--Not later than 1 year after the date of enactment of this
Act, the Commission shall conduct a study on the practicality and cost
effectiveness of requiring the notification required by subsection
(d)(1) to be provided in a language in addition to English to
individuals known to speak only such other language.
SEC. 4. ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2 or 3 shall be treated as an unfair and deceptive act
or practice in violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of commission.--The Commission shall enforce
this Act in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all applicable
terms and provisions of the Federal Trade Commission Act (15
U.S.C. 41 et seq.) were incorporated into and made a part of
this Act. Any person who violates such regulations shall be
subject to the penalties and entitled to the privileges and
immunities provided in that Act.
(3) Limitation.--In promulgating rules under this Act, the
Commission shall not require the deployment or use of any
specific products or technologies, including any specific
computer software or hardware.
(b) Enforcement by State Attorneys General.--
(1) Civil action.--In any case in which the attorney
general of a State, or an official or agency of a State, has
reason to believe that an interest of the residents of that
State has been or is threatened or adversely affected by any
person who violates section 2 or 3 of this Act, the attorney
general, official, or agency of the State, as parens patriae,
may bring a civil action on behalf of the residents of the
State in a district court of the United States of appropriate
jurisdiction--
(A) to enjoin further violation of such section by
the defendant;
(B) to compel compliance with such section; or
(C) to obtain civil penalties in the amount
determined under paragraph (2).
(2) Civil penalties.--
(A) Calculation.--
(i) Treatment of violations of section 2.--
For purposes of paragraph (1)(C) with regard to
a violation of section 2, the amount determined
under this paragraph is the amount calculated
by multiplying the number of violations of such
section by an amount not greater than $11,000.
Each day that a person is not in compliance
with the requirements of such section shall be
treated as a separate violation. The maximum
civil penalty calculated under this clause
shall not exceed $5,000,000.
(ii) Treatment of violations of section
3.--For purposes of paragraph (1)(C) with
regard to a violation of section 3, the amount
determined under this paragraph is the amount
calculated by multiplying the number of
violations of such section by an amount not
greater than $11,000. Each failure to send
notification as required under section 3 to a
resident of the State shall be treated as a
separate violation. The maximum civil penalty
calculated under this clause shall not exceed
$5,000,000.
(B) Adjustment for inflation.--Beginning on the
date that the Consumer Price Index is first published
by the Bureau of Labor Statistics that is after 1 year
after the date of enactment of this Act, and each year
thereafter, the amounts specified in clauses (i) and
(ii) of subparagraph (A) shall be increased by the
percentage increase in the Consumer Price Index
published on that date from the Consumer Price Index
published the previous year.
(3) Intervention by the ftc.--
(A) Notice and intervention.--The State shall
provide prior written notice of any action under
paragraph (1) to the Commission and provide the
Commission with a copy of its complaint, except in any
case in which such prior notice is not feasible, in
which case the State shall serve such notice
immediately upon instituting such action. The
Commission shall have the right--
(i) to intervene in the action;
(ii) upon so intervening, to be heard on
all matters arising therein; and
(iii) to file petitions for appeal.
(B) Limitation on state action while federal action
is pending.--If the Commission has instituted a civil
action for violation of this Act, no State attorney
general, or official or agency of a State, may bring an
action under this subsection during the pendency of
that action against any defendant named in the
complaint of the Commission for any violation of this
Act alleged in the complaint.
(4) Construction.--For purposes of bringing any civil
action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(c) Affirmative Defense for a Violation of Section 3.--It shall be
an affirmative defense to an enforcement action brought under
subsection (a), or a civil action brought under subsection (b), based
on a violation of section 3, that all of the personal information
contained in the data in electronic form that was acquired as a result
of a breach of security of the defendant is public record information
that is lawfully made available to the general public from Federal,
State, or local government records and was acquired by the defendant
from such records.
SEC. 5. DEFINITIONS.
In this Act the following definitions apply:
(1) Breach of security.--The term ``breach of security''
means the unauthorized acquisition of data in electronic form
containing personal information.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Data in electronic form.--The term ``data in electronic
form'' means any data stored electronically or digitally on any
computer system or other database and includes recordable tapes
and other mass storage devices.
(4) Encryption.--The term ``encryption'' means the
protection of data in electronic form in storage or in transit
using an encryption technology that has been adopted by an
established standards setting body which renders such data
indecipherable in the absence of associated cryptographic keys
necessary to enable decryption of such data. Such encryption
must include appropriate management and safeguards of such keys
to protect the integrity of the encryption.
(5) Identity theft.--The term ``identity theft'' means the
unauthorized use of another person's personal information for
the purpose of engaging in commercial transactions under the
name of such other person.
(6) Information broker.--The term ``information broker''
means a commercial entity whose business is to collect,
assemble, or maintain personal information concerning
individuals who are not current or former customers of such
entity in order to sell such information or provide access to
such information to any nonaffiliated third party in exchange
for consideration, whether such collection, assembly, or
maintenance of personal information is performed by the
information broker directly, or by contract or subcontract with
any other entity.
(7) Personal information.--
(A) Definition.--The term ``personal information''
means an individual's first name or initial and last
name, or address, or phone number, in combination with
any 1 or more of the following data elements for that
individual:
(i) Social Security number.
(ii) Driver's license number or other State
identification number.
(iii) Financial account number, or credit
or debit card number, and any required security
code, access code, or password that is
necessary to permit access to an individual's
financial account.
(B) Modified definition by rulemaking.--The
Commission may, by rule, modify the definition of
``personal information'' under subparagraph (A) to the
extent that such modification is necessary to
accommodate changes in technology or practices, will
not unreasonably impede interstate commerce, and will
accomplish the purposes of this Act.
(8) Public record information.--The term ``public record
information'' means information about an individual which has
been obtained originally from records of a Federal, State, or
local government entity that are available for public
inspection.
(9) Non-public information.--The term ``non-public
information'' means information about an individual that is of
a private nature and neither available to the general public
nor obtained from a public record.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws.--This Act
supersedes any provision of a statute, regulation, or rule of a State
or political subdivision of a State, with respect to those entities
covered by the regulations issued pursuant to this Act, that
expressly--
(1) requires information security practices and treatment
of data in electronic form containing personal information
similar to any of those required under section 2; and
(2) requires notification to individuals of a breach of
security resulting in unauthorized acquisition of data in
electronic form containing personal information.
(b) Additional Preemption.--
(1) In general.--No person other than the Attorney General
of a State may bring a civil action under the laws of any State
if such action is premised in whole or in part upon the
defendant violating any provision of this Act.
(2) Protection of consumer protection laws.--This
subsection shall not be construed to limit the enforcement of
any State consumer protection law by an Attorney General of a
State.
(c) Protection of Certain State Laws.--This Act shall not be
construed to preempt the applicability of--
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate
to acts of fraud.
(d) Preservation of FTC Authority.--Nothing in this Act may be
construed in any way to limit or affect the Commission's authority
under any other provision of law, including the authority to issue
advisory opinions (under part 1 of volume 16 of the Code of Federal
Regulations), policy statements, or guidance regarding this Act.
SEC. 7. EFFECTIVE DATE AND SUNSET.
(a) Effective Date.--This Act shall take effect 1 year after the
date of enactment of this Act.
(b) Sunset.--This Act shall cease to be in effect on the date that
is 10 years from the date of enactment of this Act.
SEC. 8. AUTHORIZATION OF APPROPRIATIONS.
There is authorized to be appropriated to the Commission $1,000,000
for each of fiscal years 2006 through 2010 to carry out this Act.
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Accountability and Trust Act
(DATA)''.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
(a) General Security Policies and Procedures.--
(1) Regulations.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, United States Code,
to require each person engaged in interstate commerce that owns
or possesses data in electronic form containing personal
information, or contracts to have any third party entity
maintain such data for such person, to establish and implement
policies and procedures regarding information security
practices for the treatment and protection of personal
information taking into consideration--
(A) the size of, and the nature, scope, and
complexity of the activities engaged in by, such
person;
(B) the current state of the art in administrative,
technical, and physical safeguards for protecting such
information; and
(C) the cost of implementing such safeguards.
(2) Requirements.--Such regulations shall require the
policies and procedures to include the following:
(A) A security policy with respect to the
collection, use, sale, other dissemination, and
maintenance of such personal information.
(B) The identification of an officer or other
individual as the point of contact with responsibility
for the management of information security.
(C) A process for identifying and assessing any
reasonably foreseeable vulnerabilities in the system
maintained by such person that contains such electronic
data, which shall include regular monitoring for a
breach of security of such system.
(D) A process for taking preventive and corrective
action to mitigate against any vulnerabilities
identified in the process required by subparagraph (C),
which may include implementing any changes to security
practices and the architecture, installation, or
implementation of network or operating software.
(E) A process for disposing of obsolete data in
electronic form containing personal information by
shredding, permanently erasing, or otherwise modifying
the personal information contained in such data to make
such personal information permanently unreadable or
undecipherable.
(3) Treatment of entities governed by other law.--In
promulgating the regulations under this subsection, the
Commission may determine to be in compliance with this
subsection any person who is required under any other Federal
law to maintain standards and safeguards for information
security and protection of personal information that provide
equal or greater protection than those required under this
subsection.
(b) Destruction of Obsolete Paper Records Containing Personal
Information.--
(1) Study.--Not later than 1 year after the date of
enactment of this Act, the Commission shall conduct a study on
the practicality of requiring a standard method or methods for
the destruction of obsolete paper documents and other non-
electronic data containing personal information by persons
engaged in interstate commerce who own or possess such paper
documents and non-electronic data. The study shall consider the
cost, benefit, feasibility, and effect of a requirement of
shredding or other permanent destruction of such paper
documents and non-electronic data.
(2) Regulations.--The Commission may promulgate regulations
under section 553 of title 5, United States Code, requiring a
standard method or methods for the destruction of obsolete
paper documents and other non-electronic data containing
personal information by persons engaged in interstate commerce
who own or possess such paper documents and non-electronic data
if the Commission finds that--
(A) the improper disposal of obsolete paper
documents and other non-electronic data creates a
reasonable risk of identity theft, fraud, or other
unlawful conduct;
(B) such a requirement would be effective in
preventing identity theft, fraud, or other unlawful
conduct;
(C) the benefit in preventing identity theft,
fraud, or other unlawful conduct would outweigh the
cost to persons subject to such a requirement; and
(D) compliance with such a requirement would be
practicable.
In enforcing any such regulations, the Commission may determine
to be in compliance with such regulations any person who is
required under any other Federal law to dispose of obsolete
paper documents and other non-electronic data containing
personal information if such other Federal law provides equal
or greater protection of personal information than the
regulations promulgated under this subsection.
(c) Special Requirements for Information Brokers.--
(1) Submission of policies to the FTC.--The regulations
promulgated under subsection (a) shall require information
brokers to submit their security policies to the Commission in
conjunction with a notification of a breach of security under
section 3 or upon request of the Commission.
(2) Post-breach audit.--For any information broker required
to provide notification under section 3, the Commission shall
conduct an audit of the information security practices of such
information broker, or require the information broker to
conduct an independent audit of such practices (by an
independent auditor who has not audited such information
broker's security practices during the preceding 5 years). The
Commission may conduct or require additional audits for a
period of 5 years following the breach of security or until the
Commission determines that the security practices of the
information broker are in compliance with the requirements of
this section and are adequate to prevent further breaches of
security.
(3) Verification of and individual access to personal
information.--
(A) Verification.--Each information broker shall
establish reasonable procedures to verify the accuracy
of the personal information it collects, assembles, or
maintains, and any other information it collects,
assembles, or maintains that specifically identifies an
individual, other than information which merely
identifies an individual's name or address.
(B) Consumer access to information.--
(i) Access.--Each information broker
shall--
(I) provide to each individual
whose personal information it
maintains, at the individual's request
at least 1 time per year and at no cost
to the individual, and after verifying
the identity of such individual, a
means for the individual to review any
personal information regarding such
individual maintained by the
information broker and any other
information maintained by the
information broker that specifically
identifies such individual, other than
information which merely identifies an
individual's name or address; and
(II) place a conspicuous notice on
its Internet website (if the
information broker maintains such a
website) instructing individuals how to
request access to the information
required to be provided under subclause
(I).
(ii) Disputed information.--Whenever an
individual whose information the information
broker maintains makes a written request
disputing the accuracy of any such information,
the information broker, after verifying the
identity of the individual making such request
and unless there are reasonable grounds to
believe such request is frivolous or
irrelevant, shall--
(I) correct any inaccuracy; or
(II)(aa) in the case of information
that is public record information,
inform the individual of the source of
the information, and, if reasonably
available, where a request for
correction may be directed; or
(bb) in the case of information
that is non-public information, note
the information that is disputed,
including the individual's statement
disputing such information, and take
reasonable steps to independently
verify such information under the
procedures outlined in subparagraph (A)
if such information can be
independently verified.
(iii) Limitations.--An information broker
may limit the access to information required
under subparagraph (B) in the following
circumstances:
(I) If access of the individual to
the information is limited by law or
legally recognized privilege.
(II) If the information is used for
a legitimate governmental or fraud
prevention purpose that would be
compromised by such access.
(iv) Rulemaking.--The Commission shall
issue regulations, as necessary, under section
553 of title 5, United States Code, on the
application of the limitations in clause (iii).
(C) Treatment of entities governed by other law.--
The Commission may promulgate rules (under section 553
of title 5, United States Code) to determine to be in
compliance with this paragraph any person who is a
consumer reporting agency, as defined in section 603(f)
of the Fair Credit Reporting Act, with respect to those
products and services that are subject to and in
compliance with the requirements of that Act.
(4) Requirement of audit log of accessed and transmitted
information.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall promulgate
regulations under section 553 of title 5, United States Code,
to require information brokers to establish measures which
facilitate the auditing or retracing of any internal or
external access to, or transmissions of, any data in electronic
form containing personal information collected, assembled, or
maintained by such information broker.
(5) Prohibition on pretexting by information brokers.--
(A) Prohibition on obtaining personal information
by false pretenses.--It shall be unlawful for an
information broker to obtain or attempt to obtain, or
cause to be disclosed or attempt to cause to be
disclosed to any person, personal information or any
other information relating to any person by--
(i) making a false, fictitious, or
fraudulent statement or representation to any
person; or
(ii) providing any document or other
information to any person that the information
broker knows or should know to be forged,
counterfeit, lost, stolen, or fraudulently
obtained, or to contain a false, fictitious, or
fraudulent statement or representation.
(B) Prohibition on solicitation to obtain personal
information under false pretenses.--It shall be
unlawful for an information broker to request a person
to obtain personal information or any other information
relating to any other person, if the information broker
knew or should have known that the person to whom such
a request is made will obtain or attempt to obtain such
information in the manner described in subsection (a).
(d) Exemption for Telecommunications Carrier, Cable Operator,
Information Service, or Interactive Computer Service.--Nothing in this
section shall apply to any electronic communication by a third party
stored by a telecommunications carrier, cable operator, or information
service, as those terms are defined in section 3 of the Communications
Act of 1934 (47 U.S.C. 153), or an interactive computer service, as
such term is defined in section 230(f)(2) of such Act (47 U.S.C.
230(f)(2)).
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) Nationwide Notification.--Any person engaged in interstate
commerce that owns or possesses data in electronic form containing
personal information shall, following the discovery of a breach of
security of the system maintained by such person that contains such
data--
(1) notify each individual who is a citizen or resident of
the United States whose personal information was acquired by an
unauthorized person as a result of such a breach of security;
and
(2) notify the Commission.
(b) Special Notification Requirement for Certain Entities.--
(1) Third party agents.--In the event of a breach of
security by any third party entity that has been contracted to
maintain or process data in electronic form containing personal
information on behalf of any other person who owns or possesses
such data, such third party entity shall be required only to
notify such person of the breach of security. Upon receiving
such notification from such third party, such person shall
provide the notification required under subsection (a).
(2) Telecommunications carriers, cable operators,
information services, and interactive computer services.--If a
telecommunications carrier, cable operator, or information
service (as such terms are defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153)), or an interactive
computer service (as such term is defined in section 230(f)(2)
of such Act (47 U.S.C. 230(f)(2))), becomes aware of a breach
of security during the transmission of data in electronic form
containing personal information that is owned or possessed by
another person utilizing the means of transmission of such
telecommunications carrier, cable operator, information
service, or interactive computer service, such
telecommunications carrier, cable operator, information
service, or interactive computer service shall be required only
to notify the person who initiated such transmission of such a
breach of security if such person can be reasonably identified.
Upon receiving such notification from a telecommunications
carrier, cable operator, information service, or interactive
computer service, such person shall provide the notification
required under subsection (a).
(3) Breach of health information.--If the Commission
receives a notification of a breach of security and determines
that information included in such breach is individually
identifiable health information (as such term is defined in
section 1171(6) of the Social Security Act (42 U.S.C.
1320d(6))), the Commission shall send a copy of such
notification to the Secretary of Health and Human Services.
(c) Timeliness of Notification.--All notifications required under
subsection (a) shall be made as promptly as possible and without
unreasonable delay following the discovery of a breach of security of
the system and consistent with any measures necessary to determine the
scope of the breach, prevent further breach or unauthorized
disclosures, and reasonably restore the integrity of the data system.
(d) Method and Content of Notification.--
(1) Direct notification.--
(A) Method of notification.--A person required to
provide notification to individuals under subsection
(a)(1) shall be in compliance with such requirement if
the person provides conspicuous and clearly identified
notification by one of the following methods (provided
the selected method can reasonably be expected to reach
the intended individual):
(i) Written notification.
(ii) Email notification, if--
(I) the person's primary method of
communication with the individual is by
email; or
(II) the individual has consented
to receive such notification and the
notification is provided in a manner
that is consistent with the provisions
permitting electronic transmission of
notices under section 101 of the
Electronic Signatures in Global
Commerce Act (15 U.S.C. 7001).
(B) Content of notification.--Regardless of the
method by which notification is provided to an
individual under subparagraph (A), such notification
shall include--
(i) a description of the personal
information that was acquired by an
unauthorized person;
(ii) a telephone number that the individual
may use, at no cost to such individual, to
contact the person to inquire about the breach
of security or the information the person
maintained about that individual;
(iii) notice that the individual is
entitled to receive, at no cost to such
individual, consumer credit reports on a
quarterly basis for a period of 2 years, and
instructions to the individual on requesting
such reports from the person;
(iv) the toll-free contact telephone
numbers and addresses for the major credit
reporting agencies; and
(v) a toll-free telephone number and
Internet website address for the Commission
whereby the individual may obtain information
regarding identity theft.
(2) Substitute notification.--
(A) Circumstances giving rise to substitute
notification.--A person required to provide
notification to individuals under subsection (a)(1) may
provide substitute notification in lieu of the direct
notification required by paragraph (1) if--
(i) the person owns or possesses data in
electronic form containing personal information
of fewer than 1,000 individuals; and
(ii) such direct notification is not
feasible due to--
(I) excessive cost to the person
required to provide such notification
relative to the resources of such
person, as determined in accordance
with the regulations issued by the
Commission under paragraph (3)(A); or
(II) lack of sufficient contact
information for the individual required
to be notified.
(B) Form of substitute notice.--Such substitute
notification shall include--
(i) email notification to the extent that
the person has email addresses of individuals
to whom it is required to provide notification
under subsection (a)(1);
(ii) a conspicuous notice on the Internet
website of the person (if such person maintains
such a website); and
(iii) notification in print and to
broadcast media, including major media in
metropolitan and rural areas where the
individuals whose personal information was
acquired reside.
(C) Content of substitute notice.--Each form of
substitute notice under this paragraph shall include--
(i) notice that individuals whose personal
information is included in the breach of
security are entitled to receive, at no cost to
the individuals, consumer credit reports on a
quarterly basis for a period of 2 years, and
instructions on requesting such reports from
the person; and
(ii) a telephone number by which an
individual can, at no cost to such individual,
learn whether that individual's personal
information is included in the breach of
security.
(3) Federal trade commission regulations and guidance.--
(A) Regulations.--Not later than 1 year after the
date of enactment of this Act, the Commission shall, by
regulations under section 553 of title 5, United States
Code, establish criteria for determining the
circumstances under which substitute notification may
be provided under paragraph (2), including criteria for
determining if notification under paragraph (1) is not
feasible due to excessive cost to the person required
to provide such notification relative to the resources
of such person.
(B) Guidance.--In addition, the Commission shall
provide and publish general guidance with respect to
compliance with this section. Such guidance shall
include--
(i) a description of written or email
notification that complies with the
requirements of paragraph (1); and
(ii) guidance on the content of substitute
notification under paragraph (2)(B), including
the extent of notification to print and
broadcast media that complies with the
requirements of such paragraph.
(e) Other Obligations Following Breach.--A person required to
provide notification under subsection (a) shall, upon request of an
individual whose personal information was included in the breach of
security, provide or arrange for the provision of, to each such
individual and at no cost to such individual, consumer credit reports
from at least one of the major credit reporting agencies beginning not
later than 2 months following the discovery of a breach of security and
continuing on a quarterly basis for a period of 2 years thereafter.
(f) Exemption.--
(1) General exemption.--A person shall be exempt from the
requirements under this section if, following a breach of
security, such person determines that there is no reasonable
risk of identity theft, fraud, or other unlawful conduct.
(2) Presumptions.--
(A) Encryption.--The encryption of data in
electronic form shall establish a presumption that no
reasonable risk of identity theft, fraud, or other
unlawful conduct exists following a breach of security
of such data. Any such presumption may be rebutted by
facts demonstrating that the encryption has been or is
reasonably likely to be compromised.
(B) Additional methodologies or technologies.--Not
later than 270 days after the date of the enactment of
this Act, the Commission shall, by rule pursuant to
section 553 of title 5, United States Code, identify
any additional security methodology or technology,
other than encryption, which renders data in electronic
form unreadable or indecipherable, that shall, if
applied to such data, establish a presumption that no
reasonable risk of identity theft, fraud, or other
unlawful conduct exists following a breach of security
of such data. Any such presumption may be rebutted by
facts demonstrating that any such methodology or
technology has been or is reasonably likely to be
compromised. In promulgating such a rule, the
Commission shall consult with relevant industries,
consumer organizations, and data security and identity
theft prevention experts and established standards
setting bodies.
(3) FTC guidance.--Not later than 1 year after the date of
the enactment of this Act, the Commission shall issue guidance
regarding the application of the exemption in paragraph (1).
(g) Website Notice of Federal Trade Commission.--If the Commission,
upon receiving notification of any breach of security that is reported
to the Commission under subsection (a)(2), finds that notification of
such a breach of security via the Commission's Internet website would
be in the public interest or for the protection of consumers, the
Commission shall place such a notice in a clear and conspicuous
location on its Internet website.
(h) FTC Study on Notification in Languages in Addition to
English.--Not later than 1 year after the date of enactment of this
Act, the Commission shall conduct a study on the practicality and cost
effectiveness of requiring the notification required by subsection
(d)(1) to be provided in a language in addition to English to
individuals known to speak only such other language.
(i) Special Notification Requirement for Federal Agencies.--
(1) Nationwide notification.--Any Federal agency that owns
or possesses data in electronic form containing personal
information shall, following the discovery of a breach of
security of the system maintained by such agency that contains
such data, notify each individual who is a citizen or resident
of the United States whose personal information was acquired by
an unauthorized person as a result of such a breach of security.
(2) Method and content of notification.--
(A) Method of notification.--A Federal agency
required to provide written notification to individuals
under paragraph (1) shall be in compliance with such
requirement if the agency provides conspicuous and
clearly identified written notification that includes
the content required under subparagraph (B).
(B) Content of notification.--Notification required
under this subsection shall include--
(i) a description of the personal
information that was acquired by an
unauthorized person;
(ii) a telephone number that the individual
may use, at no cost to such individual, to
contact the Federal agency to inquire about the
breach of security or the information the
Federal agency maintained about that
individual;
(iii) the toll-free contact telephone
number and addresses for the major credit
reporting agencies; and
(iv) a toll-free telephone number and
Internet website address whereby the individual
may obtain information regarding identity
theft.
(3) Exemption.--A Federal agency shall be exempt from the
requirements of this subsection if, following a breach of
security, such agency determines that there is no reasonable
risk of identity theft, fraud, or other unlawful conduct.
SEC. 4. ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2 or 3 shall be treated as an unfair and deceptive act
or practice in violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(2) Powers of commission.--The Commission shall enforce
this Act in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all applicable
terms and provisions of the Federal Trade Commission Act (15
U.S.C. 41 et seq.) were incorporated into and made a part of
this Act. Any person who violates such regulations shall be
subject to the penalties and entitled to the privileges and
immunities provided in that Act.
(3) Limitation.--In promulgating rules under this Act, the
Commission shall not require the deployment or use of any
specific products or technologies, including any specific
computer software or hardware.
(b) Enforcement by State Attorneys General.--
(1) Civil action.--In any case in which the attorney
general of a State, or an official or agency of a State, has
reason to believe that an interest of the residents of that
State has been or is threatened or adversely affected by any
person who violates section 2 or 3 of this Act, the attorney
general, official, or agency of the State, as parens patriae,
may bring a civil action on behalf of the residents of the
State in a district court of the United States of appropriate
jurisdiction--
(A) to enjoin further violation of such section by
the defendant;
(B) to compel compliance with such section; or
(C) to obtain civil penalties in the amount
determined under paragraph (2).
(2) Civil penalties.--
(A) Calculation.--
(i) Treatment of violations of section 2.--
For purposes of paragraph (1)(C) with regard to
a violation of section 2, the amount determined
under this paragraph is the amount calculated
by multiplying the number of violations of such
section by an amount not greater than $11,000.
Each day that a person is not in compliance
with the requirements of such section shall be
treated as a separate violation. The maximum
civil penalty calculated under this clause
shall not exceed $5,000,000.
(ii) Treatment of violations of section
3.--For purposes of paragraph (1)(C) with
regard to a violation of section 3, the amount
determined under this paragraph is the amount
calculated by multiplying the number of
violations of such section by an amount not
greater than $11,000. Each failure to send
notification as required under section 3 to a
resident of the State shall be treated as a
separate violation. The maximum civil penalty
calculated under this clause shall not exceed
$5,000,000.
(B) Adjustment for inflation.--Beginning on the
date that the Consumer Price Index is first published
by the Bureau of Labor Statistics that is after 1 year
after the date of enactment of this Act, and each year
thereafter, the amounts specified in clauses (i) and
(ii) of subparagraph (A) shall be increased by the
percentage increase in the Consumer Price Index
published on that date from the Consumer Price Index
published the previous year.
(3) Intervention by the FTC.--
(A) Notice and intervention.--The State shall
provide prior written notice of any action under
paragraph (1) to the Commission and provide the
Commission with a copy of its complaint, except in any
case in which such prior notice is not feasible, in
which case the State shall serve such notice
immediately upon instituting such action. The
Commission shall have the right--
(i) to intervene in the action;
(ii) upon so intervening, to be heard on
all matters arising therein; and
(iii) to file petitions for appeal.
(B) Limitation on state action while federal action
is pending.--If the Commission has instituted a civil
action for violation of this Act, no State attorney
general, or official or agency of a State, may bring an
action under this subsection during the pendency of
that action against any defendant named in the
complaint of the Commission for any violation of this
Act alleged in the complaint.
(4) Construction.--For purposes of bringing any civil
action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(c) Affirmative Defense for a Violation of Section 3.--It shall be
an affirmative defense to an enforcement action brought under
subsection (a), or a civil action brought under subsection (b), based
on a violation of section 3, that all of the personal information
contained in the data in electronic form that was acquired as a result
of a breach of security of the defendant is public record information
that is lawfully made available to the general public from Federal,
State, or local government records and was acquired by the defendant
from such records.
SEC. 5. DEFINITIONS.
In this Act the following definitions apply:
(1) Breach of security.--The term ``breach of security''
means the unauthorized acquisition of data in electronic form
containing personal information.
(2) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(3) Data in electronic form.--The term ``data in electronic
form'' means any data stored electronically or digitally on any
computer system or other database and includes recordable tapes
and other mass storage devices.
(4) Encryption.--The term ``encryption'' means the
protection of data in electronic form in storage or in transit
using an encryption technology that has been adopted by an
established standards setting body which renders such data
indecipherable in the absence of associated cryptographic keys
necessary to enable decryption of such data. Such encryption
must include appropriate management and safeguards of such keys
to protect the integrity of the encryption.
(5) Identity theft.--The term ``identity theft'' means the
unauthorized use of another person's personal information for
the purpose of engaging in commercial transactions under the
name of such other person.
(6) Information broker.--The term ``information broker''
means a commercial entity whose business is to collect,
assemble, or maintain personal information concerning
individuals who are not current or former customers of such
entity in order to sell such information or provide access to
such information to any nonaffiliated third party in exchange
for consideration, whether such collection, assembly, or
maintenance of personal information is performed by the
information broker directly, or by contract or subcontract with
any other entity.
(7) Personal information.--
(A) Definition.--The term ``personal information''
means an individual's first name or initial and last
name, or address, or phone number, in combination with
any 1 or more of the following data elements for that
individual:
(i) Social Security number.
(ii) Driver's license number or other State
identification number.
(iii) Financial account number, or credit
or debit card number, and any required security
code, access code, or password that is
necessary to permit access to an individual's
financial account.
(B) Modified definition by rulemaking.--The
Commission may, by rule, modify the definition of
``personal information'' under subparagraph (A) to the
extent that such modification is necessary to
accommodate changes in technology or practices, will
not unreasonably impede interstate commerce, and will
accomplish the purposes of this Act.
(8) Public record information.--The term ``public record
information'' means information about an individual which has
been obtained originally from records of a Federal, State, or
local government entity that are available for public
inspection.
(9) Non-public information.--The term ``non-public
information'' means information about an individual that is of
a private nature and neither available to the general public
nor obtained from a public record.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws.--This Act
supersedes any provision of a statute, regulation, or rule of a State
or political subdivision of a State, with respect to those entities
covered by the regulations issued pursuant to this Act, that
expressly--
(1) requires information security practices and treatment
of data in electronic form containing personal information
similar to any of those required under section 2; and
(2) requires notification to individuals of a breach of
security resulting in unauthorized acquisition of data in
electronic form containing personal information.
(b) Additional Preemption.--
(1) In general.--No person other than the Attorney General
of a State may bring a civil action under the laws of any State
if such action is premised in whole or in part upon the
defendant violating any provision of this Act.
(2) Protection of consumer protection laws.--This
subsection shall not be construed to limit the enforcement of
any State consumer protection law by an Attorney General of a
State.
(c) Protection of Certain State Laws.--This Act shall not be
construed to preempt the applicability of--
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate
to acts of fraud.
(d) Preservation of FTC Authority.--Nothing in this Act may be
construed in any way to limit or affect the Commission's authority
under any other provision of law, including the authority to issue
advisory opinions (under part 1 of volume 16 of the Code of Federal
Regulations), policy statements, or guidance regarding this Act.
SEC. 7. EFFECTIVE DATE AND SUNSET.
(a) Effective Date.--This Act shall take effect 1 year after the
date of enactment of this Act.
(b) Sunset.--This Act shall cease to be in effect on the date that
is 10 years from the date of enactment of this Act.
SEC. 8. AUTHORIZATION OF APPROPRIATIONS.
There is authorized to be appropriated to the Commission $1,000,000
for each of fiscal years 2006 through 2010 to carry out this Act.
SECTION 1. SHORT TITLE; FINDINGS.
(a) Short Title.--This Act may be cited as the ``Financial Data
Protection Act of 2006''.
(b) Findings.--The Congress finds as follows:
(1) Protecting the security of sensitive information
relating to consumers is important to limiting account fraud
and identity theft.
(2) While the Gramm-Leach-Bliley Act requires financial
institutions to protect the security and confidentiality of the
nonpublic personal information of the customers of financial
institutions, the scope of covered entities and type of
information needs to be broadened to fully protect consumers.
(3) Some Federal agencies have issued model guidance under
the Gramm-Leach-Bliley Act requiring banks to investigate and
provide notice to customers of breaches of data security
involving customer information that could lead to account fraud
or identity theft, but these standards need to be broadened to
apply to other entities acting as consumer reporters, in order
to create a single, uniform data security standard that applies
to all parties to transactions involving such financial
information.
(4) Requiring all consumer reporters handling sensitive
financial personal information to provide notice to consumers
of data security breaches that are likely to result in harm or
inconvenience will help consumers protect themselves and
mitigate against the risk of identity theft or account fraud.
(5) Therefore, all consumer reporters should--
(A) protect sensitive financial personal
information;
(B) investigate potential data security breaches;
(C) provide breach notices as appropriate to the
United States Secret Service, functional regulators,
involved third parties, and consumers;
(D) restore the security of the information and
improve safeguards after a breach; and
(E) provide consumers free file monitoring where
appropriate to reduce the risk of identity theft.
SEC. 2. DATA SECURITY SAFEGUARDS.
(a) In General.--As set forth in section 630 of the Fair Credit
Reporting Act, as amended by the Act, in the event a consumer reporter
becomes aware of information suggesting a breach of data security, such
consumer reporter shall immediately conduct an investigation, and
notify authorities and consumers as appropriate.
(b) FCRA Data Security Amendment.--The Fair Credit Reporting Act
(15 U.S.C. 1681) is amended by adding at the end the following new
section:
``SEC. 630. DATA SECURITY SAFEGUARDS.
``(a) Protection of Sensitive Financial Personal Information.--
``(1) Data security obligation policy.--It is the policy of
the Congress that each consumer reporter has an affirmative and
continuing obligation to protect the security and
confidentiality of sensitive financial personal information.
``(2) Security policies and procedures.--Each consumer
reporter shall have an affirmative obligation to implement, and
a continuing obligation to maintain, reasonable policies and
procedures to protect the security and confidentiality of
sensitive financial personal information relating to any
consumer that is handled by such consumer reporter against any
loss, unauthorized access, or misuse that is reasonably likely
to result in harm or inconvenience to such consumer.
``(3) Data destruction and data disposal policies and
procedures.--The policies and procedures described in paragraph
(2) shall include providing for the proper disposal of
sensitive financial personal information in accordance with the
standards, guidelines, or regulations issued pursuant to this
title.
``(b) Investigation Requirements.--
``(1) Investigation trigger.--A consumer reporter shall
immediately conduct a data security breach investigation if
it--
``(A) becomes aware of any information indicating a
reasonable likelihood that a data security breach has
occurred or is unavoidable;
``(B) becomes aware of information indicating an
unusual pattern of misuse of sensitive financial
personal information handled by a consumer reporter
indicative of financial fraud; or
``(C) receives a notice under subsection (e).
``(2) Scope of investigation.--Such investigation shall be
conducted in a manner commensurate with the nature and the
amount of the sensitive financial personal information that is
subject to the breach of data security, including appropriate
actions to--
``(A) assess the nature and scope of the potential
breach;
``(B) identify the sensitive financial personal
information potentially involved;
``(C) determine whether such information is usable
by the parties causing the breach; and
``(D) determine the likelihood that such
information has been, or will be, misused in a manner
that may cause harm or inconvenience to the related
consumer.
``(3) Encryption and other safeguards.--
``(A) Suggested safeguards.--The regulators
described in subsection (k)(1) shall jointly develop
standards and guidelines to identify and regularly
update appropriate technology safeguards for making
consumer reporter's sensitive financial personal
information unusable in a manner commensurate with the
nature and the amount of such information, including--
``(i) consideration of the encryption
standards adopted by the National Institute of
Standards and Technology for use by the Federal
Government; and
``(ii) appropriate management and
protection of keys or codes necessary to
protect the integrity of encrypted information.
``(B) Safeguard factors.--In determining the
likelihood of a data security breach, a consumer
reporter may consider whether the information subject
to the potential breach is unusable because it is
encrypted, redacted, requires technology to use that is
not generally commercially available, or has otherwise
similarly been rendered unreadable.
``(C) Safe harbor for protected data.--As set forth
in the standards and guidelines issued pursuant to
subparagraph (A), a consumer reporter may reasonably
conclude that a data security breach is not likely to
have occurred where the sensitive personal financial
information involved has been encrypted, redacted,
requires technology to use that is not generally
commercially available, or is otherwise unlikely to be
usable.
``(D) Exception.--Subparagraphs (B) and (C) shall
not apply if the consumer reporter becomes aware of
information that would reasonably indicate that the
information that was the subject of the potential
breach is usable by the entities causing the breach or
potentially misusing the information, for example
because--
``(i) an encryption code is potentially
compromised;
``(ii) the entities are believed to have
the technology to access the information; or
``(iii) there is an unusual pattern of
misuse of such information indicative of
financial fraud.
``(c) Breach Notices.--If a consumer reporter determines that a
breach of data security has occurred, is likely to have occurred, or is
unavoidable, the consumer reporter shall in the order listed--
``(1) promptly notify the United States Secret Service;
``(2) promptly notify the appropriate functional regulatory
agency for the consumer reporter;
``(3) notify as appropriate and without unreasonable
delay--
``(A) any third party entity that owns or is
obligated on an affected financial account as set forth
in the standards or guidelines pursuant to subsection
(k)(1)(G), including in such notification information
reasonably identifying the nature and scope of the
breach and the sensitive financial personal information
involved; and
``(B) any other appropriate critical third parties
whose involvement is necessary to investigate the
breach; and
``(4) without unreasonable delay notify any affected
consumers to the extent required in subsection (f), as well
as--
``(A) each nationwide consumer reporting agency, in
the case of a breach involving sensitive financial
identity information relating to 1,000 or more
consumers; and
``(B) any other appropriate critical third parties
who will be required to undertake further action with
respect to such information to protect such consumers
from resulting fraud or identity theft.
``(d) System Restoration Requirements.--If a consumer reporter
determines that a breach of data security has occurred, is likely to
have occurred, or is unavoidable, the consumer reporter shall take
prompt and reasonable measures to--
``(1) repair the breach and restore the security and
confidentiality of the sensitive financial personal information
involved to limit further unauthorized misuse of such
information; and
``(2) restore the integrity of the consumer reporter's data
security safeguards and make appropriate improvements to its
data security policies and procedures.
``(e) Third Party Duties.--
``(1) Coordinated investigation.--Whenever any consumer
reporter that handles sensitive financial personal information
for or on behalf of another party becomes aware that an
investigation is required under subsection (b) with respect to
such information, the consumer reporter shall--
``(A) promptly notify the other party of the
breach;
``(B) conduct a coordinated investigation with the
other party as described in subsection (b); and
``(C) ensure that the appropriate notices are
provided as required under subsection (f).
``(2) Contractual obligation required.--No consumer
reporter may provide sensitive financial personal information
to a third party, unless such third party agrees to fulfill the
obligations imposed by subsections (a), (d), and (h), as well
as that whenever the third party becomes aware that a breach of
data security has occurred, is reasonably likely to have
occurred, or is unavoidable, with respect to such information,
the third party shall be obligated--
``(A) to provide notice of the potential breach to
the consumer reporter;
``(B) to conduct a coordinated investigation with
the consumer reporter to identify the sensitive
financial personal information involved and determine
if the potential breach is reasonably likely to result
in harm or inconvenience to any consumer to whom the
information relates; and
``(C) provide any notices required under this
section, except to the extent that such notices are
provided by the consumer reporter in a manner meeting
the requirements of this section.
``(f) Consumer Notice.--
``(1) Potential identity theft risk and fraudulent
transaction risk.--A consumer reporter shall provide a consumer
notice if, at any point, the consumer reporter becomes aware--
``(A) that a breach of data security is reasonably
likely to have occurred or be unavoidable, with respect
to sensitive financial personal information handled by
the consumer reporter;
``(B) of information reasonably identifying the
nature and scope of the breach; and
``(C) that such information is reasonably likely to
have been or to be misused in a manner causing harm or
inconvenience against the consumers to whom such
information relates to--
``(i) commit identity theft if the
information is sensitive financial identity
information, or
``(ii) make fraudulent transactions on such
consumers' financial accounts if the
information is sensitive financial account
information.
``(2) Security program safeguards and regulations.--
``(A) Standards for safeguards.--The regulators
described in subsection (k)(1) shall issue guidelines
relating to the types of sophisticated neural networks
and security programs that are likely to detect
fraudulent account activity and at what point detection
of such activity is sufficient to avoid consumer notice
under this subsection.
``(B) Alternative safeguards.--In determining the
likelihood of misuse of sensitive financial account
information and whether a notice is required under
paragraph (1), the consumer reporter may additionally
consider--
``(i) consistent with any standards
promulgated under subparagraph (A), whether any
neural networks or security programs used by,
or on behalf of, the consumer reporter have
detected, or are likely to detect on an ongoing
basis over a reasonable period of time,
fraudulent transactions resulting from the
breach of data security; or
``(ii) whether no harm or inconvenience is
reasonably likely to have occurred, because for
example the related consumer account has been
closed or its number has been changed.
``(3) Coordination with the fair debt collection practices
act.--The provision of a notice to the extent such notice and
its contents are required under this section shall not be
considered a communication under the Fair Debt Collection
Practices Act.
``(4) Coordination of consumer notice database.--
``(A) In general.--The Commission shall coordinate
with the other government entities identified in this
section to create a publicly available list of data
security breaches that have triggered a notice to
consumers under this subsection within the last 12
months.
``(B) Listed information.--The publicly available
list described in subparagraph (A) shall include the
following:
``(i) The identity of the party responsible
that suffered the breach.
``(ii) A general description of the nature
and scope of the breach.
``(iii) Any financial fraud mitigation or
other services provided by such party to the
affected consumers, including the telephone
number and other appropriate contact
information for accessing such services.
``(g) Timing, Content, and Manner of Notices.--
``(1) Delay of notice for law enforcement purposes.--If a
consumer reporter receives a written request from an
appropriate law enforcement agency indicating that the
provision of a notice under subsection (c)(3) or (f) would
impede a criminal or civil investigation by that law
enforcement agency, or an oral request from an appropriate law
enforcement agency indicating that such a written request will
be provided within 2 business days--
``(A) the consumer reporter shall delay, or in the
case of a foreign law enforcement agency may delay,
providing such notice until--
``(i) the law enforcement agency informs
the consumer reporter that such notice will no
longer impede the investigation; or
``(ii) the law enforcement agency fails
to--
``(I) provide within 10 days a
written request to continue such delay
for a specific time that is approved by
a court of competent jurisdiction; or
``(II) in the case of an oral
request for a delay, provide a written
request within 2 business days, and if
such delay is requested for more than
10 additional days, such request must
be approved by a court of competent
jurisdiction; and
``(B) the consumer reporter may--
``(i) conduct appropriate security measures
that are not inconsistent with such request;
and
``(ii) contact such law enforcement agency
to determine whether any such inconsistency
would be created by such measures.
``(2) Hold harmless provision.--A consumer reporter shall
not be liable for any fraud mitigation costs or for any losses
that would not have occurred but for notice to or the provision
of sensitive financial personal information to law enforcement,
or the delay provided for under this subsection, except that--
``(A) nothing in this subparagraph shall be
construed as creating any inference with respect to the
establishment or existence of any such liability; and
``(B) this subparagraph shall not apply if the
costs or losses would not have occurred had the
consumer reporter undertaken reasonable system
restoration requirements to the extent required under
subsection (d), or other similar provision of law,
except to the extent that such system restoration was
delayed at the request of law enforcement.
``(3) Content of consumer notice.--Any notice required to
be provided by a consumer reporter to a consumer under
subsection (f)(1), and any notice required in accordance with
subsection (e)(2)(A), shall be provided in a standardized
transmission or exclusively colored envelope, and shall include
the following in a clear and conspicuous manner:
``(A) An appropriate heading or notice title.
``(B) A description of the nature and types of
information and accounts as appropriate that were, or
are reasonably believed to have been, subject to the
breach of data security.
``(C) A statement identifying the party
responsible, if known, that suffered the breach,
including an explanation of the relationship of such
party to the consumer.
``(D) If known, the date, or the best reasonable
approximation of the period of time, on or within which
sensitive financial personal information related to the
consumer was, or is reasonably believed to have been,
subject to a breach.
``(E) A general description of the actions taken by
the consumer reporter to restore the security and
confidentiality of the breached information.
``(F) A telephone number by which a consumer to
whom the breached information relates may call free of
charge to obtain additional information about how to
respond to the breach.
``(G) With respect to notices involving sensitive
financial identity information, a copy of the summary
of rights of consumer victims of fraud or identity
theft prepared by the Commission under section 609(d),
as well as any additional appropriate information on
how the consumer may--
``(i) obtain a copy of a consumer report
free of charge in accordance with section 612;
``(ii) place a fraud alert in any file
relating to the consumer at a consumer
reporting agency under section 605A to
discourage unauthorized use; and
``(iii) contact the Commission for more
detailed information.
``(H) With respect to notices involving sensitive
financial identity information, a prominent statement
in accordance with subsection (h) that file monitoring
will be made available to the consumer free of charge
for a period of not less than six months, together with
a telephone number for requesting such services, and
may also include such additional contact information as
a mailing address, e-mail, or Internet website address.
``(I) The approximate date the notice is being
issued.
``(4) Other transmission of notice.--The notice described
in paragraph (3) may be made by other means of transmission
(such as electronic or oral) to a consumer only if--
``(A) the consumer has affirmatively consented to
such use, has not withdrawn such consent, and with
respect to electronic transmissions is provided with
the appropriate statements related to such consent as
described in section 101(c)(1) of the Electronic
Signatures in Global and National Commerce Act; and
``(B) all of the relevant information in paragraph
(3) is communicated to such consumer in such
transmission.
``(5) Duplicative notices.--
``(A) In general.--A consumer reporter, whether
acting directly or in coordination with another
entity--
``(i) shall not be required to provide more
than 1 notice with respect to any breach of
data security to any affected consumer, so long
as such notice meets all the applicable
requirements of this section, and
``(ii) shall not be required to provide a
notice with respect to any consumer if a notice
meeting the applicable requirements of this
section has already been provided to such
consumer by another entity.
``(B) Updating notices.--If a consumer notice is
provided to consumers pursuant only to subsection
(f)(1)(C)(ii) (relating to sensitive financial account
information), and the consumer reporter subsequently
becomes aware of a reasonable likelihood that sensitive
financial personal information involved in the breach
is being misused in a manner causing harm or
inconvenience against such consumer to commit identity
theft, an additional notice shall be provided to such
consumers as well as any other appropriate parties under
this section, including a copy of the Commission's
summary of rights and file monitoring mitigation
instructions under subparagraphs (G) and (H) of
paragraph (3).
``(6) Responsibility and costs.--
``(A) In general.--Except as otherwise established
by written agreement between the consumer reporter and
its agents or third party servicers, the entity that
suffered a breach of data security shall be--
``(i) primarily responsible for providing
any consumer notices and file monitoring
required under this section with respect to
such breach; and
``(ii) responsible for the reasonable
actual costs of any notices provided under this
section.
``(B) Identification to consumers.--No such
agreement shall restrict the ability of a consumer
reporter to identify the entity responsible for the
breach to consumers.
``(C) No charge to consumers.--The cost for the
notices and file monitoring described in subparagraph
(A) may not be charged to the related consumers.
``(h) Financial Fraud Mitigation.--
``(1) Free file monitoring.--Any consumer reporter that is
required to provide notice to a consumer under subsection
(f)(1)(C)(i), or that is deemed to be in compliance with such
requirement by operation of subsection (j), if requested by the
consumer before the end of the 90-day period beginning on the
date of such notice, shall make available to the consumer, free
of charge and for at least a 6-month period--
``(A) a service that monitors nationwide credit
activity regarding a consumer from a consumer reporting
agency described in section 603(p); or
``(B) a service that provides identity-monitoring
to consumers on a nationwide basis that meets the
guidelines described in paragraph (2).
``(2) Identity monitoring networks.--The regulators
described in subsection (k)(1) shall issue guidelines on the
type of identity monitoring networks that are likely to detect
fraudulent identity activity regarding a consumer on a
nationwide basis and would satisfy the requirements of
paragraph (1).
``(3) Joint rulemaking for safe harbor.--In accordance with
subsection (j), the Secretary of the Treasury, the Board of
Governors of the Federal Reserve System, and the Commission
shall jointly develop standards and guidelines, which shall be
issued by all functional regulatory agencies, that, in any case
in which--
``(A) free file monitoring is offered under
paragraph (1) to a consumer;
``(B) subsequent to the offer, another party
misuses sensitive financial identity information on the
consumer obtained through the breach of data security
(that gave rise to such offer) to commit identity theft
against the consumer; and
``(C) at the time of such breach the consumer
reporter met the requirements of subsections (a) and
(d),
exempts the consumer reporter from any liability for any harm
to the consumer resulting from such misuse, other than any
direct pecuniary loss or loss pursuant to agreement by the
consumer reporter, except that nothing in this paragraph shall
be construed as creating any inference with respect to the
establishment or existence of any such liability.
``(i) Credit Security Freeze.--
``(1) Definitions.--For purposes of this subsection, the
following definitions shall apply:
``(A) Security freeze.--The term `security freeze'
means a notice placed in a credit report on a consumer,
at the request of the consumer who is a victim of
identity theft, that prohibits the consumer reporting
agency from releasing all or any part of the credit
report, without the express authorization of the
consumer, except as otherwise provided in this section.
``(B) Reviewing the account; account review.--The
terms `reviewing the account' and `account review'
include activities related to account maintenance,
monitoring, credit line increases, and account upgrades
and enhancements.
``(2) Request for a security freeze.--
``(A) In general.--A consumer who has been the
victim of identity theft may place a security freeze on
the file of such consumer at any consumer reporting
agency by--
``(i) making a request in writing by
certified mail to the consumer reporting
agency;
``(ii) submitting an identity theft report
to the consumer reporting agency; and
``(iii) providing such evidence of the
identity of the consumer as such consumer
reporting agency may require under paragraph
(5).
``(B) Prompt imposition of freeze.--A consumer
reporting agency shall place a security freeze on a
credit report on a consumer no later than 5 business
days after receiving a written request from the
consumer in accordance with subparagraph (A).
``(C) Effect of freeze.--
``(i) In general.--Except as otherwise
provided in this subsection, if a security
freeze is in place with respect to any
consumer, information from the consumer's
credit report may not be released by the
consumer reporting agency or reseller to any
third party, including another consumer
reporting agency or reseller, without the prior
express authorization from the consumer or as
otherwise permitted in this section.
``(ii) Advising of existence of security
freeze.--Clause (i) shall not be construed as
preventing a consumer reporting agency or
reseller from advising a third party that a
security freeze is in effect with respect to
the credit report on the consumer.
``(D) Confirmation of freeze; access code.--Any
consumer reporting agency that receives a consumer
request for a security freeze in accordance with
subparagraph (A) shall--
``(i) send a written confirmation of the
security freeze to the consumer within 10
business days of placing the freeze; and
``(ii) at the same time, provide the
consumer with a unique personal identification
number or password (other than the Social
Security account number of any consumer) to be
used by the consumer when providing
authorization for the release of the credit
report of the consumer to a specific party or
for a specific period of time.
``(3) Access pursuant to consumer authorization during
security freeze.--
``(A) Notice by consumer.--If the consumer wishes
to allow the credit report on the consumer to be
accessed by a specific party or for a specific period
of time while a freeze is in place, the consumer
shall--
``(i) contact the consumer reporting agency
in any manner the agency may provide;
``(ii) request that the security freeze be
temporarily lifted; and
``(iii) provide--
``(I) proper identification;
``(II) the unique personal
identification number or password
provided by the consumer reporting
agency pursuant to paragraph
(2)(D)(ii); and
``(III) the proper information
regarding the third party who is to
receive the credit report or the time
period for which the report shall be
available to users of the credit
report.
``(B) Timely response required.--A consumer
reporting agency that receives a request from a
consumer to temporarily lift a security freeze on a
credit report in accordance with subparagraph (A) shall
comply with the request no later than 3 business days
after receiving the request.
``(C) Procedures for requests.--A consumer
reporting agency may develop procedures involving the
use of telephone, fax, or, upon the consent of the
consumer in the manner required by the Electronic
Signatures in Global and National Commerce Act for
notices legally required to be in writing, by the
Internet, e-mail, or other electronic medium to receive
and process a request from a consumer to temporarily
lift a security freeze on a credit report pursuant to
subparagraph (A) in an expedited manner.
``(4) Lifting or removing security freeze.--
``(A) In general.--A consumer reporting agency may
remove or temporarily lift a security freeze placed on
a credit report on a consumer only in the following
cases:
``(i) Upon receiving a consumer request for
a temporary lift of the security freeze in
accordance with paragraph (3)(A).
``(ii) Upon receiving a consumer request
for the removal of the security freeze in
accordance with subparagraph (C).
``(iii) Upon a determination by the
consumer reporting agency that the security
freeze was imposed on the credit report due to
a material misrepresentation of fact by the
consumer.
``(B) Notice to consumer of determination.--If a
consumer reporting agency makes a determination
described in subparagraph (A)(iii) with respect to a
security freeze imposed on the credit report on any
consumer, the consumer reporting agency shall notify
the consumer of such determination in writing prior to
removing the security freeze on such credit report.
``(C) Removing security freeze.--
``(i) In general.--Except as provided in
this subsection, a security freeze shall remain
in place until the consumer requests that the
security freeze be removed.
``(ii) Procedure for removing security
freeze.--A consumer reporting agency shall
remove a security freeze within 3 business days
of receiving a request for removal from the
consumer who provides--
``(I) proper identification; and
``(II) the unique personal
identification number or password
provided by the consumer reporting
agency pursuant to paragraph
(2)(D)(ii).
``(5) Proper identification required.--A consumer reporting
agency shall require proper identification of any person who
makes a request to impose, temporarily lift, or permanently
remove a security freeze on the credit report of any consumer
under this section.
``(6) Third party requests.--If--
``(A) a third party requests access to a consumer's
credit report on which a security freeze is in effect
under this section in connection with an application by
the consumer for credit or any other use; and
``(B) the consumer does not allow the consumer's
credit report to be accessed by that specific party or
during the specific period such application is pending,
the third party may treat the application as incomplete.
``(7) Certain entity exemptions.--
``(A) Aggregators and other agencies.--This
subsection shall not apply to a consumer reporting
agency that acts only as a reseller of credit
information by assembling and merging information
contained in the database of another consumer reporting
agency or multiple consumer reporting agencies, and
does not maintain a permanent database of credit
information from which new credit reports are produced.
``(B) Other exempted entities.--The following
entities shall not be required to place a security
freeze in a credit report:
``(i) An entity which provides check
verification or fraud prevention services,
including, but not limited to, reports on
incidents of fraud, verification or
authentication of a consumer's identification,
or authorizations for the purpose of approving
or processing negotiable instruments,
electronic funds transfers, or similar methods
of payments.
``(ii) A deposit account information
service company, which issues reports regarding
account closures due to fraud, substantial
overdrafts, automated teller machine abuse, or
similar negative information regarding a
consumer, to inquiring banks or other financial
institutions for use only in reviewing a
consumer request for a deposit account at the
inquiring bank or other financial institution.
``(8) Exceptions.--This subsection shall not apply with
respect to the use of a consumer credit report by any of the
following for the purpose described:
``(A) A person, or any affiliate, agent, or
assignee of any person, with whom the consumer has or,
prior to an assignment, had an account, contract, or
debtor-creditor relationship for the purposes of
reviewing the account or collecting the financial
obligation owing for the account, contract, or debt.
``(B) An affiliate, agent, assignee, or prospective
assignee of a person to whom access has been granted
under paragraph (3) for purposes of facilitating the
extension of credit or other permissible use of the
report in accordance with the consumer's request under
such paragraph.
``(C) Any State or local agency, law enforcement
agency, trial court, or person acting pursuant to a
court order, warrant, or subpoena.
``(D) A Federal, State, or local agency that
administers a program for establishing and enforcing
child support obligations for the purpose of
administering such program.
``(E) A Federal, State, or local health agency, or
any agent or assignee of such agency, acting to
investigate fraud within the jurisdiction of such
agency.
``(F) A Federal, State, or local tax agency, or any
agent or assignee of such agency, acting to investigate
or collect delinquent taxes or unpaid court orders or
to fulfill any other statutory responsibility of
such agency.
``(G) Any person that intends to use the
information in accordance with section 604(c).
``(H) Any person administering a credit file
monitoring subscription or similar service to which the
consumer has subscribed.
``(I) Any person for the purpose of providing a
consumer with a copy of the credit report or credit
score of the consumer upon the consumer's request.
``(9) Prohibition on fee.--A consumer reporting agency may
not impose a fee for placing, removing, or removing for a
specific party or parties a security freeze on a credit report.
``(10) Notice of rights.--At any time that a consumer is
required to receive a summary of rights required under section
609(c)(1) or 609(d)(1) the following notice shall be included:
```Consumers Who Are Victims of Identity Theft Have
the Right to Obtain a Security Freeze on Your Consumer
Report
```You may obtain a security freeze on your
consumer credit report at no charge if you are a victim
of identity theft and you submit a copy of an identity
theft report you have filed with a law enforcement
agency about unlawful use of your personal information
by another person.
```The security freeze will prohibit a credit
reporting agency from releasing any information in your
consumer credit report without your express
authorization. A security freeze must be requested in
writing by certified mail.
```The security freeze is designed to prevent
credit, loans, and services from being approved in your
name without your consent. However, you should be aware
that using a security freeze to take control over who
gains access to the personal and financial information
in your consumer credit report may delay, interfere
with, or prohibit the timely approval of any subsequent
request or application you make regarding new loans,
credit, mortgage, insurance, government services or
payments, rental housing, employment, investment,
license, cellular phone, utilities, digital signature,
internet credit card transaction, or other services,
including an extension of credit at point of sale.
```When you place a security freeze on your
consumer credit report, within 10 business days you
will be provided a personal identification number or
password to use if you choose to remove the freeze on
your consumer credit report or authorize the release of
your consumer credit report for a specific party,
parties or period of time after the freeze is in place.
```To provide that authorization, you must contact
the consumer reporting agency and provide all of the
following: (1) the unique personal identification
number or password provided by the consumer reporting
agency; (2) proper identification to verify your
identity; and (3) the proper information regarding the third
party or parties who are trying to receive the consumer
credit report or the period of time for which the
report shall be available to users of the consumer
report.
```A consumer reporting agency that receives a
request from a consumer to lift temporarily a freeze on
a consumer credit report shall comply with the request
no later than 3 days after receiving the request.
```A security freeze does not apply to a person or
entity, or its affiliates, or collection agencies
acting on behalf of the person or entity with which you
have an existing account that requests information in
your consumer credit report for the purposes of
reviewing or collecting the account, if you have
previously given your consent to this use of your
consumer credit report. Reviewing the account includes
activities related to account maintenance, monitoring,
credit line increases, and account upgrades and
enhancements.
```If you are actively seeking credit, you should
understand that the procedures involved in lifting a
security freeze may slow your own applications for
credit. You should plan ahead and lift a freeze, either
completely or temporarily if you are shopping around,
or specifically for a certain creditor, a few days
before actually applying for new credit.'.
``(j) Effect on GLBA.--
``(1) Depository institutions.--The current and any future
breach notice regulations and guidelines under section 501(b)
of the Gramm-Leach-Bliley Act with respect to depository
institutions shall be superseded, as of the effective date of
the regulations required under subsection (k)(3)(A), relating
to the specific requirements of this section.
``(2) Nondepository institutions.--The current and any
future data security regulations and guidelines under section
501(b) of the Gramm-Leach-Bliley Act with respect to
nondepository institutions shall be superseded as of the
effective date of the regulations required under subsection
(k)(3)(A), relating to the responsibilities under this section.
``(k) Uniform Data Security Safeguard Regulations.--
``(1) Uniform standards.--The Secretary of the Treasury,
the Board of Governors of the Federal Reserve System, and the
Commission shall jointly, and the Federal functional regulatory
agencies that have issued guidance on consumer breach
notification shall jointly with respect to the entities under
their jurisdiction, develop standards and guidelines to
implement this section, including--
``(A) prescribing specific standards with respect
to subsection (g)(3) setting forth a reasonably unique
and, pursuant to paragraph (2)(B), exclusive color and
titling of the notice, and standardized formatting of
the notice contents described under such subsection to
standardize such communications and make them more
likely to be reviewed, and understood by, and helpful
to consumers, including to the extent possible placing
the critical information for consumers in an easily
understood and prominent text box at the top of each
notice;
``(B) providing in such standards and guidelines
that the responsibility of a consumer reporter to
provide notice under this section--
``(i) has been satisfied with respect to
any particular consumer, even if the consumer
reporter is unable to contact the consumer, so
long as the consumer reporter has made
reasonable efforts to obtain a current address
or other current contact information with
respect to such consumer;
``(ii) may be made by public notice in
appropriate cases in which--
``(I) such reasonable efforts
described in clause (i) have failed; or
``(II) a breach of data security
involves a loss or unauthorized
acquisition of sensitive financial
personal information in paper documents
or records that has been determined to
be usable, but the identities of
specific consumers are not
determinable; and
``(iii) with respect to paragraph (3) of
subsection (c), may be communicated to entities
in addition to those specifically required
under such paragraph through any reasonable
means, such as through an electronic
transmission normally received by all of the
consumer reporter's business customers; and
``(C) providing in such standards and guidelines
elaboration on how to determine whether a technology is
generally commercially available for the purposes of
subsection (b), focusing on the availability of such
technology to persons who potentially could seek to
breach the data security of the consumer reporter, and
how to determine whether the information is likely to
be usable under subsection (b)(3);
``(D) providing for a reasonable and fair manner of
providing required consumer notices where the entity
that directly suffered the breach is unavailable to pay
for such notices, because for example the entity is
bankrupt, outside of the jurisdiction of the United
States, or otherwise cannot be compelled to provide
such notice;
``(E) providing for periodic instead of individual
notices to regulators and law enforcement under
subsection (c)(1) and (2) where the consumer reporter
determines that only a de minimis number of consumers
are reasonably likely to be affected;
``(F) providing, to the extent appropriate, notice
to the United States Secret Service, a consumer
reporter's functional regulator, and the entities
described in paragraphs (1) through (3) of subsection
(c), whenever the consumer reporter's sensitive
financial personal information has been lost or
illegally obtained but such loss or acquisition does
not result in a breach, for example because the
information was sufficiently encrypted or otherwise
unusable; and
``(G) establishing what types of accounts might be
subject to unauthorized transactions after a breach
involving sensitive financial account information, for
example because such accounts are open-end credit plans
or are described in section 903(2) of the Electronic
Fund Transfer Act.
``(2) Model notice forms.--
``(A) In general.--The Secretary of the Treasury,
Board of Governors of the Federal Reserve System, and
the Commission shall jointly establish and publish
model forms and disclosure statements to facilitate
compliance with the notice requirements of subsection
(g) and to aid the consumer in understanding the
information required to be disclosed relating to a
breach of data security and the options and services
available to the consumer for obtaining additional
information, consumer reports, and credit monitoring
services.
``(B) Use optional.--A consumer reporter may
utilize a model notice or any model statement
established under this paragraph for purposes of
compliance with this section, at the discretion of the
consumer reporter.
``(C) Effect of use.--A consumer reporter that uses
a model notice form or disclosure statement established
under this paragraph shall be deemed to be in
compliance with the requirement to provide the required
disclosure to consumers to which the form or statement
relates.
``(3) Enforcement.--
``(A) Regulations.--Each of the functional
regulatory agencies shall prescribe such regulations as
may be necessary, consistent with the standards in
paragraph (1), to ensure compliance with this section
with respect to the persons subject to the jurisdiction
of such agency under subsection (l).
``(B) Misuse of unique color and titles of
notices.--Any person who uses the unique color and
titling adopted under paragraph (1)(A) for notices
under subsection (f)(1) in a way that is likely to
create a false belief in a consumer that a
communication is such a notice shall be liable in the
same manner and to the same extent as a debt collector
is liable under section 813 for any failure to comply
with any provision of the Fair Debt Collection
Practices Act.
``(4) Procedures and deadline.--
``(A) Procedures.--Standards and guidelines issued
under this subsection shall be issued in accordance
with applicable requirements of title 5, United States
Code.
``(B) Deadline for initial standards and
guidelines.--The standards and guidelines required to
be issued under paragraph (1) shall be published in
final form before the end of the 9-month period
beginning on the date of the enactment of the Financial
Data Protection Act of 2006.
``(C) Deadline for enforcement regulations.--The
standards and guidelines required to be issued under
paragraph (2) shall be published in final form before
the end of the 6-month period beginning on the date
standards and guidelines described in subparagraph (B)
are published in final form.
``(D) Authority to grant exceptions.--The
regulations prescribed under paragraph (2) may include
such additional exceptions to this section as are
deemed jointly by the functional regulatory agencies to
be consistent with the purposes of this section if such
exceptions are necessary because of some unique aspect
of the entities regulated or laws governing such
entities; and such exemptions are narrowly tailored to
protect the purposes of this Act.
``(E) Consultation and coordination.--The Secretary
of the Treasury, the Board of Governors of the Federal
Reserve System, and the Commission shall consult and
coordinate with the other functional regulatory
agencies to the extent appropriate in prescribing
regulations under this subsection.
``(F) Failure to meet deadline.--Any agency or
authority required to publish standards and guidelines
or regulations under this subsection that fails to meet
the deadline for such publishing shall submit a report
to the Congress within 30 days of such deadline
describing--
``(i) the reasons for the failure to meet
such deadline;
``(ii) when the agency or authority expects
to complete the publication required; and
``(iii) the detriment such failure to
publish by the required deadline will have on
consumers and other affected parties.
``(G) Uniform implementation and interpretation.--
It is the intention of the Congress that the agencies
and authorities described in subsection (l)(1)(G) will
implement and interpret their enforcement regulations,
including any exceptions provided under subparagraph
(D), in a uniform manner.
``(5) Appropriate exemptions or modifications.--The
Secretary of the Treasury, the Board of Governors of the
Federal Reserve System, and the Commission, in consultation
with the Administrator of the Small Business Administration and
the functional regulatory agencies, shall provide appropriate
exemptions or modifications from requirements of this section
relating to sensitive financial personal information for
consumer reporters that do not maintain, service, or
communicate a large quantity of such information, taking into
account the degree of sensitivity of such information, the
likelihood of misuse, and the degree of potential harm or
inconvenience to the related consumer.
``(6) Coordination.--
``(A) In general.--Each functional regulatory
agency shall consult and coordinate with each other
functional regulatory agency so that, to the extent
possible, the regulations prescribed by each agency are
consistent and comparable.
``(B) Model regulations.--In prescribing
implementing regulations under paragraph (1), the
functional regulatory agencies referred to in
such paragraph shall use the Gramm-Leach-Bliley Act
(including the guidance and regulations issued
thereunder) as a base, adding such other consumer
protections as appropriate under this section.
``(l) Administrative Enforcement.--
``(1) In general.--Notwithstanding section 616, 617, or
621, compliance with this section and the regulations
prescribed under this section shall be enforced by the
functional regulatory agencies with respect to financial
institutions and other persons subject to the jurisdiction of
each such agency under applicable law, as follows:
``(A) Under section 8 of the Federal Deposit
Insurance Act, in the case of--
``(i) national banks, Federal branches and
Federal agencies of foreign banks, and any
subsidiaries of such entities (except brokers,
dealers, persons providing insurance,
investment companies, and investment advisers),
by the Comptroller of the Currency;
``(ii) member banks of the Federal Reserve
System (other than national banks), branches
and agencies of foreign banks (other than
Federal branches, Federal agencies, and insured
State branches of foreign banks), commercial
lending companies owned or controlled by
foreign banks, organizations operating under
section 25 or 25A of the Federal Reserve Act,
and bank holding companies and their nonbank
subsidiaries or affiliates (except brokers,
dealers, persons providing insurance,
investment companies, and investment advisers),
by the Board of Governors of the Federal
Reserve System;
``(iii) banks insured by the Federal
Deposit Insurance Corporation (other than
members of the Federal Reserve System), insured
State branches of foreign banks, and any
subsidiaries of such entities (except brokers,
dealers, persons providing insurance,
investment companies, and investment advisers),
by the Board of Directors of the Federal
Deposit Insurance Corporation; and
``(iv) savings associations the deposits of
which are insured by the Federal Deposit
Insurance Corporation, and any subsidiaries of
such savings associations (except brokers,
dealers, persons providing insurance,
investment companies, and investment advisers),
by the Director of the Office of Thrift
Supervision.
``(B) Under the Federal Credit Union Act, by the
Board of the National Credit Union Administration with
respect to any federally insured credit union, and any
subsidiaries of such an entity.
``(C) Under the Securities Exchange Act of 1934, by
the Securities and Exchange Commission with respect to
any broker, dealer, or nonbank transfer agent.
``(D) Under the Investment Company Act of 1940, by
the Securities and Exchange Commission with respect to
investment companies.
``(E) Under the Investment Advisers Act of 1940, by
the Securities and Exchange Commission with respect to
investment advisers registered with the Commission
under such Act.
``(F) Under the provisions of title XIII of the
Housing and Community Development Act of 1992, by the
Director of the Office of Federal Housing Enterprise
Oversight (and any successor to such functional
regulatory agency) with respect to the Federal National
Mortgage Association, the Federal Home Loan Mortgage
Corporation, and any other entity or enterprise or bank
(as defined in such title XIII) subject to the
jurisdiction of such functional regulatory agency under
such title, including any affiliate of any such
enterprise.
``(G) Under State insurance law, in the case of any
person engaged in the business of insurance, by the
applicable State insurance authority of the State in
which the person is domiciled.
``(H) Under the Federal Home Loan Bank Act, by the
Federal Housing Finance Board (and any successor to
such functional regulatory agency) with respect to the
Federal home loan banks and any other entity subject to
the jurisdiction of such functional regulatory agency,
including any affiliate of any such bank.
``(I) Under the Federal Trade Commission Act, by
the Commission for any other person that is not subject
to the jurisdiction of any agency or authority under
subparagraphs (A) through (G) of this subsection,
except that for the purposes of this subparagraph a
violation of this section shall be treated as an unfair
and deceptive act or practice in violation of a
regulation under section 18(a)(1)(B) of the Federal
Trade Commission Act regarding unfair or deceptive acts
or practices.
``(2) Exercise of certain powers.--For the purpose of the
exercise by any agency referred to in paragraph (1) of its
powers under any Act referred to in such paragraph, a violation
of any requirement imposed under this section shall be deemed
to be a violation of a requirement imposed under that Act. In
addition to its powers under any provision of law specifically
referred to in paragraph (1), each of the agencies referred to
in that paragraph may exercise, for the purpose of enforcing
compliance with any requirement imposed under this section, any
other authority conferred on it by law.
``(3) Use of undistributed funds for financial education.--
If--
``(A) in connection with any administrative action
under this section, a fund is created or a functional
regulatory agency has obtained disgorgement; and
``(B) the functional regulatory agency determines
that--
``(i) due to the size of the fund to be
distributed, the number of individuals
affected, the nature of the underlying
violation, or for other reasons, it would be
infeasible to distribute such fund or
disgorgement to the victims of the violation;
or
``(ii) there are excess monies remaining
after the distribution of the fund or
disgorgement to victims,
the functional regulatory agency may issue an order in an
administrative proceeding requiring that the undistributed
amount of the fund or disgorgement be used in whole or in part
by the functional regulatory agency for education programs and
outreach activities of consumer groups, community based groups,
and the Financial Literacy and Education Commission established
under the Fair and Accurate Credit Transactions Act of 2003
that are consistent with and further the purposes of this
title.
``(m) Definitions.--For purposes of this section, the following
definitions shall apply:
``(1) Breach of data security.--The term `breach of data
security' or `data security breach' means any loss,
unauthorized acquisition, or misuse of sensitive financial
personal information handled by a consumer reporter that could
be misused to commit financial fraud (such as identity theft or
fraudulent transactions made on financial accounts) in a manner
causing harm or inconvenience to a consumer.
``(2) Consumer.--The term `consumer' means an individual.
``(3) Consumer reporter and related terms.--
``(A) Consumer financial file and consumer
reports.--The term `consumer financial file and
consumer reports' includes any written, oral, or other
communication of any information by a consumer reporter
bearing on a consumer's credit worthiness, credit
standing, credit capacity, character, general
reputation, personal characteristics, personal
identifiers, financial account information, or mode of
living.
``(B) Consumer reporter.--The term `consumer
reporter' means any consumer reporting agency or
financial institution, or any person which, for
monetary fees, dues, on a cooperative nonprofit basis,
or otherwise regularly engages in whole or in part in
the practice of assembling or evaluating consumer
financial file and consumer reports, consumer credit
information, or other information on consumers, for the
purpose of furnishing consumer reports to third parties
or to provide or collect payment for or market products
and services, or for employment purposes, and which
uses any means or facility of interstate commerce for
such purposes.
``(4) Financial institution.--The term `financial
institution' means--
``(A) any person the business of which is engaging
in activities that are financial in nature as described
in or determined under section 4(k) of the Bank Holding
Company Act;
``(B) any person that is primarily engaged in
activities that are subject to the Fair Credit
Reporting Act; and
``(C) any person that is maintaining, receiving, or
communicating sensitive financial personal information
on an ongoing basis for the purposes of engaging in
interstate commerce.
``(5) Functional regulatory agency.--The term `functional
regulatory agency' means any agency described in subsection (l)
with respect to the financial institutions and other persons
subject to the jurisdiction of such agency.
``(6) Handled by.--The term `handled by' includes with
respect to sensitive financial personal information, any access
to or generation, maintenance, servicing, or ownership of such
information, as well as any transfer to or allowed access to or
similar sharing or servicing of such information by or with a
third party on a consumer reporter's behalf.
``(7) Nationwide consumer reporting agency.--The term
`nationwide consumer reporting agency' means--
``(A) a consumer reporting agency described in
section 603(p);
``(B) any person who notifies the Commission that
the person reasonably expects to become a consumer
reporting agency described in section 603(p) within a
reasonable time; and
``(C) a consumer reporting agency described in
section 603(w) that notifies the Commission that the
person wishes to receive breach of data security
notices under this section that involve information of
the type maintained by such agency.
``(8) Neural network.--The term `neural network' means an
information security program that monitors financial account
transactions for potential fraud, using historical patterns to
analyze and identify suspicious financial account transactions.
``(9) Sensitive financial account information.--The term
`sensitive financial account information' means a financial
account number of a consumer, such as a credit card number or
debit card number, in combination with any required security
code, access code, biometric code, password, or other personal
identification information that would allow access to the
financial account.
``(10) Sensitive financial identity information.--The term
`sensitive financial identity information' means the first and
last name, the address, or the telephone number of a consumer,
in combination with any of the following of the consumer:
``(A) Social Security number.
``(B) Driver's license number or equivalent State
identification number.
``(C) IRS Individual Taxpayer Identification
Number.
``(D) IRS Adoption Taxpayer Identification Number.
``(E) The consumer's deoxyribonucleic acid profile
or other unique biometric data, including fingerprint,
voice print, retina or iris image, or any other unique
physical representation.
``(11) Sensitive financial personal information.--The term
`sensitive financial personal information' means any
information that is sensitive financial account information,
sensitive financial identity information, or both.
``(12) Harm or inconvenience.--The term `harm or
inconvenience', with respect to a consumer, means financial
loss to or civil or criminal penalties imposed on the consumer
or the need for the consumer to expend significant time and
effort to correct erroneous information relating to the
consumer, including information maintained by consumer
reporting agencies, financial institutions, or government
entities, in order to avoid the risk of financial loss or
increased costs or civil or criminal penalties.
``(n) Relation to State Laws.--
``(1) In general.--No requirement or prohibition may be
imposed under the laws of any State with respect to the
responsibilities of any consumer reporter or the functional
equivalent of such responsibilities--
``(A) to protect the security or confidentiality of
information on consumers maintained by or on behalf of
the person;
``(B) to safeguard such information from potential
misuse;
``(C) to investigate or provide notices of any
unauthorized access to information concerning the
consumer, or the potential misuse of such information,
for fraudulent purposes;
``(D) to mitigate any loss or harm resulting from
such unauthorized access or misuse; or
``(E) involving restricting credit reports from
being provided, or imposing any requirement on such
provision, for a permissible purpose pursuant to
section 604, such as--
``(i) the responsibilities of a consumer
reporting agency to honor a request, or
withdrawal of such a request, to prohibit the
consumer reporting agency from releasing any
type of information from the file of a
consumer;
``(ii) the process by which such a request
or withdrawal of such a request is made,
honored, or denied;
``(iii) any notice that is required to be
provided to the consumer in connection with
such a request or withdrawal of such a request;
or
``(iv) the ability of a consumer reporting
agency to update or change information in a
consumer's file as a result of such a request
or withdrawal of such a request; or
``(v) the responsibilities of third parties
if information from a consumer's file is
unavailable as a result of such a request.
``(2) Exception for certain state laws.--Paragraph (1)
shall not apply with respect to--
``(A) State laws governing professional
confidentiality; or
``(B) State privacy laws limiting the purposes for
which information may be disclosed.
``(3) Exception for certain covered entities.--Paragraph
(1) shall not apply with respect to the entities described in
subsection (l)(1)(G) to the extent that such entities are
acting in accordance with subsection (k)(4)(G) in a manner that
is consistent with this section and the implementation of this
section by the regulators described in subsection (k)(1).''.
(b) Clerical Amendment.--The table of sections for the Fair Credit
Reporting Act is amended by inserting after the item relating to
section 629 the following new item:
``630. Data security safeguards.''.
(c) Effective Date.--The provisions of section 630 of the Fair
Credit Reporting Act (as added by this section), other than subsection
(k) of such section, shall take effect on the date of publication of
the regulations required under paragraph (3) of such subsection, with
respect to any person under the jurisdiction of each regulatory agency
publishing such regulations.
SEC. 3. NATIONAL SUMMIT ON DATA SECURITY.
Not later than April 30, 2008, the President or the designee of the
President shall convene a National Summit on Data Security Safeguards
for Sensitive Personal Financial Information in the District of
Columbia.
SEC. 4. GAO STUDY.
(a) Study Required.--The Comptroller General shall conduct a study
to determine a system that would provide notices of data breaches to
consumers in languages other than English and identify what barriers
currently exist to the implementation of such a system.
(b) Report.--The Comptroller General shall submit a report to the
Congress before the end of the 1-year period beginning on the date of
the enactment of this Act containing the findings and conclusion of the
study under subsection (a) and such recommendations for legislative and
administrative action as the Comptroller General may determine to be
appropriate.
SEC. 5. ENHANCED DATA COLLECTION ON DATA SECURITY BREACHES AND ACCOUNT FRAUD.
In order to improve law enforcement efforts relating to data
security breaches and fighting identity theft and account fraud, the
Federal Trade Commission shall compile information on the race and
ethnicity of consumers, as defined and volunteered by the consumers,
who are victims of identity theft, account fraud, and other types of
financial fraud. The Commission shall consult with the various
international, national, State, and local law enforcement officers and
agencies who work with such victims for the purpose of enlisting the
cooperation of such officers and agencies in the compilation of such
information. Notwithstanding any other provision of law, such
compilation of information shall be made available exclusively to the
Commission and law enforcement entities.
SEC. 6. CLARIFICATION RELATING TO CREDIT MONITORING SERVICES.
(a) In General.--Section 403 of the Credit Repair Organizations Act
(15 U.S.C. 1679a) is amended--
(1) by striking ``For purposes of this title'' and
inserting ``(a) In General.--For purposes of this title''; and
(2) by adding at the end the following new subsection:
``(b) Clarification With Respect to Certain Credit Monitoring
Services Under Certain Circumstances.--
``(1) In general.--Subject to paragraph (2)--
``(A) the provision of, or provision of access to,
credit reports, credit monitoring notifications, credit
scores and scoring algorithms, and other credit score-
related tools to a consumer (including generation of
projections and forecasts of such consumer's potential
credit scores under various prospective trends or
hypothetical or alternative scenarios);
``(B) any analysis, evaluation, and explanation of
such actual or hypothetical credit scores, or any
similar projections, forecasts, analyses, evaluations
or explanations; or
``(C) in conjunction with offering any of the
services described in subparagraph (A) or (B), the
provision of materials or services to assist a consumer
who is a victim of identity theft,
shall not be treated as activities described in clause (i) of
subsection (a)(3)(A).
``(2) Conditions for application of paragraph (1).--
Paragraph (1) shall apply with respect to any person engaging
in any activity described in such paragraph only if--
``(A) the person does not represent, expressly or
by implication, that such person--
``(i) will or can modify or remove, or
assist the consumer in modifying or removing,
adverse information that is accurate and not
obsolete in the consumer's credit report; or
``(ii) will or can alter, or assist the
consumer in altering, the consumer's
identification to prevent the display of the
consumer's credit record, history, or rating
for the purpose of concealing adverse
information that is accurate and not obsolete;
``(B) in any case in which the person represents,
expressly or by implication, that it will or can modify
or remove, or assist the consumer in modifying or
removing, any information in the consumer's credit
report, except for a representation with respect to any
requirement imposed on the person under section 611 or
623(b) of the Fair Credit Reporting Act, the person
discloses, clearly and conspicuously, before the
consumer pays or agrees to pay any money or other
valuable consideration to such person, whichever occurs
first, the following statement:
```NOTICE: Neither you nor anyone
else has the right to have accurate and
current information removed from your
credit report. If information in your
report is inaccurate, you have the
right to dispute it by contacting the
credit bureau directly.';
``(C) the person provides the consumer in writing
with the following statement before any contract or
agreement between the consumer and the person is
executed:
```Your Rights Concerning Your Consumer
Credit File
```You have a right to obtain a free copy
of your credit report once every 12 months from
each of the nationwide consumer reporting
agencies. To request your free annual credit
report, you may go to
www.annualcreditreport.com, or call 877-322-
8228, or complete the Annual Credit Report
Request Form and mail it to: Annual Credit
Report Request Service, P.O. Box 105281,
Atlanta, GA 30348-5281. You can obtain
additional copies of your credit report from a
credit bureau, for which you may be charged a
reasonable fee. There is no fee, however, if
you have been turned down for credit,
employment, insurance, or a rental dwelling
because of information in your credit report
within the preceding 60 days. The credit bureau
must provide someone to help you interpret the
information in your credit file. You are
entitled to receive a free copy of your credit
report if you are unemployed and intend to
apply for employment in the next 60 days, if
you are a recipient of public welfare
assistance, or if you have reason to believe
that there is inaccurate information in your
credit report due to fraud.
```You have the right to cancel your
contract with a credit monitoring service
without fee or penalty at any time, and in the
case in which you have prepaid for a credit
monitoring service, you are entitled to a pro
rata refund for the remaining term of the
credit monitoring service.
```The Federal Trade Commission regulates
credit bureaus and credit monitoring services.
For more information contact:
```Federal Trade Commission
```Washington, D.C. 20580
```1-877-FTC-HELP
```www.ftc.gov.'; and
``(D) in any case in which the person offers a
subscription to a credit file monitoring program to a
consumer, the consumer may cancel the subscription at
any time upon written notice to the person without
penalty or fee for such cancellation and, in any case
in which the consumer is billed for the subscription on
other than a monthly basis, within 60 days of receipt
of the consumer's notice of cancellation, the person
shall make a pro rata refund to the consumer of a
subscription fee prepaid by the consumer, calculated
from the date that the person receives the consumer's
notice of cancellation until the end of the
subscription period.''.
(b) Clarification of Nonexempt Status.--Section 403(a) of the
Credit Repair Organizations Act (15 U.S.C. 1679a) (as so redesignated
by subsection (a) of this section) is amended, in paragraph (3)(B)(i),
by inserting ``and is not for its own profit or for that of its
members'' before the semicolon at the end.
(c) Revision of Disclosure Requirement.--Section 405(a) of the
Credit Repair Organizations Act (15 U.S.C. 1679c) is amended by
striking everything after the heading of the disclosure statement
contained in such section and inserting the following new text of the
disclosure statement:
```You have a right to dispute inaccurate information in
your credit report by contacting the credit bureau directly.
However, neither you nor any ``credit repair'' company or
credit repair organization has the right to have accurate,
current, and verifiable information removed from your credit
report. The credit bureau must remove accurate, negative
information from your report only if it is over 7 years old.
Bankruptcy information can be reported for 10 years.
```You have a right to obtain a free copy of your credit
report once every 12 months from each of the nationwide
consumer reporting agencies. To request your free annual credit
report, you may go to www.annualcreditreport.com, or call 877-
322-8228, or complete the Annual Credit Report Request Form and
mail it to: Annual Credit Report Request Service, P.O. Box
105281, Atlanta, GA 30348-5281. You can obtain additional
copies of your credit report from a credit bureau, for which
you may be charged a reasonable fee. There is no fee, however,
if you have been turned down for credit, employment, insurance,
or a rental dwelling because of information in your credit
report within the preceding 60 days. The credit bureau must
provide someone to help you interpret the information in your
credit file. You are entitled to receive a free copy of your
credit report if you are unemployed and intend to apply for
employment in the next 60 days, if you are a recipient of
public welfare assistance, or if you have reason to believe
that there is inaccurate information in your credit report due
to fraud.
```You have a right to sue a credit repair organization
that violates the Credit Repair Organization Act. This law
prohibits deceptive practices by credit repair organizations.
```You have the right to cancel your contract with any
credit repair organization for any reason within 3 business
days from the date you signed it.
```Credit bureaus are required to follow reasonable
procedures to ensure that the information they report is
accurate. However, mistakes may occur.
```You may, on your own, notify a credit bureau in writing
that you dispute the accuracy of information in your credit
file. The credit bureau must then reinvestigate and modify or
remove inaccurate or incomplete information. The credit bureau
may not charge any fee for this service. Any pertinent
information and copies of all documents you have concerning an
error should be given to the credit bureau.
```If the credit bureau's reinvestigation does not resolve
the dispute to your satisfaction, you may send a brief
statement to the credit bureau, to be kept in your file,
explaining why you think the record is inaccurate. The credit
bureau must include a summary of your statement about disputed
information with any report it issues about you.
```The Federal Trade Commission regulates credit bureaus
and credit repair organizations. For more information contact:
```Federal Trade Commission
```Washington, D.C. 20580
```1-877-FTC-HELP
```(877) 382-4357
```www.ftc.gov.'''.
Amend the title so as to read: ``A bill to amend the Fair
Credit Reporting Act to provide for secure financial data, and
for other purposes.''.