[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4127 Reported in House (RH)]


                                                 Union Calendar No. 270
109th CONGRESS
  2d Session
                                H. R. 4127

               [Report No. 109-453, Parts I, II, and III]

  To protect consumers by requiring reasonable security policies and 
      procedures to protect computerized data containing personal 
  information, and to provide for nationwide notice in the event of a 
                            security breach.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 25, 2005

Mr. Stearns (for himself, Ms. Pryce of Ohio, Mr. Upton, Mr. Radanovich, 
 Mr. Bass, Mrs. Bono, Mr. Ferguson, and Mrs. Blackburn) introduced the 
   following bill; which was referred to the Committee on Energy and 
                                Commerce

                              May 4, 2006

 Reported with an amendment and referred to the Committee on Financial 
     Services for a period ending not later than June 2, 2006, for 
  consideration of such provisions of the bill and amendment as fall 
within the jurisdiction of that committee pursuant to clause 1(g), rule 
 X. Referred to the Committee on the Judiciary for a period ending not 
 later than June 2, 2006, for consideration of such provisions of the 
 bill and amendment as fall within the jurisdiction of that committee 
                    pursuant to clause 1(l), rule X
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

                              May 26, 2006

     Reported from the Committee on the Judiciary with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                           in boldface roman]

                              June 2, 2006

    Additional sponsors: Mr. Gillmor, Mr. Shadegg, Mr. Dingell, Ms. 
      Schakowsky, Ms. Eshoo, Mr. Inslee, Ms. Baldwin, and Mr. Ross

                              June 2, 2006

  Reported from the Committee on Financial Services with amendments; 
committed to the Committee of the Whole House on the State of the Union 
                       and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                          in boldface italic]
[For text of introduced bill, see copy of bill as introduced on October 
                               25, 2005]

_______________________________________________________________________

                                 A BILL


 
  To protect consumers by requiring reasonable security policies and 
      procedures to protect computerized data containing personal 
  information, and to provide for nationwide notice in the event of a 
                            security breach.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Accountability and Trust Act 
(DATA)''.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

    (a) General Security Policies and Procedures.--
            (1) Regulations.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall promulgate 
        regulations under section 553 of title 5, United States Code, 
        to require each person engaged in interstate commerce that owns 
        or possesses data in electronic form containing personal 
        information, or contracts to have any third party entity 
        maintain such data for such person, to establish and implement 
        policies and procedures regarding information security 
        practices for the treatment and protection of personal 
        information taking into consideration--
                    (A) the size of, and the nature, scope, and 
                complexity of the activities engaged in by, such 
                person;
                    (B) the current state of the art in administrative, 
                technical, and physical safeguards for protecting such 
                information; and
                    (C) the cost of implementing such safeguards.
            (2) Requirements.--Such regulations shall require the 
        policies and procedures to include the following:
                    (A) A security policy with respect to the 
                collection, use, sale, other dissemination, and 
                maintenance of such personal information.
                    (B) The identification of an officer or other 
                individual as the point of contact with responsibility 
                for the management of information security.
                    (C) A process for identifying and assessing any 
                reasonably foreseeable vulnerabilities in the system 
                maintained by such person that contains such electronic 
                data, which shall include regular monitoring for a 
                breach of security of such system.
                    (D) A process for taking preventive and corrective 
                action to mitigate against any vulnerabilities 
                identified in the process required by subparagraph (C), 
                which may include implementing any changes to security 
                practices and the architecture, installation, or 
                implementation of network or operating software.
                    (E) A process for disposing of obsolete data in 
                electronic form containing personal information by 
                shredding, permanently erasing, or otherwise modifying 
                the personal information contained in such data to make 
                such personal information permanently unreadable or 
                undecipherable.
            (3) Treatment of entities governed by other law.--In 
        promulgating the regulations under this subsection, the 
        Commission may determine to be in compliance with this 
        subsection any person who is required under any other Federal 
        law to maintain standards and safeguards for information 
        security and protection of personal information that provide 
        equal or greater protection than those required under this 
        subsection.
    (b) Destruction of Obsolete Paper Records Containing Personal 
Information.--
            (1) Study.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall conduct a study on 
        the practicality of requiring a standard method or methods for 
        the destruction of obsolete paper documents and other non-
        electronic data containing personal information by persons 
        engaged in interstate commerce who own or possess such paper 
        documents and non-electronic data. The study shall consider the 
        cost, benefit, feasibility, and effect of a requirement of 
        shredding or other permanent destruction of such paper 
        documents and non-electronic data.
            (2) Regulations.--The Commission may promulgate regulations 
        under section 553 of title 5, United States Code, requiring a 
        standard method or methods for the destruction of obsolete 
        paper documents and other non-electronic data containing 
        personal information by persons engaged in interstate commerce 
        who own or possess such paper documents and non-electronic data 
        if the Commission finds that--
                    (A) the improper disposal of obsolete paper 
                documents and other non-electronic data creates a 
                reasonable risk of identity theft, fraud, or other 
                unlawful conduct;
                    (B) such a requirement would be effective in 
                preventing identity theft, fraud, or other unlawful 
                conduct;
                    (C) the benefit in preventing identity theft, 
                fraud, or other unlawful conduct would outweigh the 
                cost to persons subject to such a requirement; and
                    (D) compliance with such a requirement would be 
                practicable.
        In enforcing any such regulations, the Commission may determine 
        to be in compliance with such regulations any person who is 
        required under any other Federal law to dispose of obsolete 
        paper documents and other non-electronic data containing 
        personal information if such other Federal law provides equal 
        or greater protection of personal information than the 
        regulations promulgated under this subsection.
    (c) Special Requirements for Information Brokers.--
            (1) Submission of policies to the ftc.--The regulations 
        promulgated under subsection (a) shall require information 
        brokers to submit their security policies to the Commission in 
        conjunction with a notification of a breach of security under 
        section 3 or upon request of the Commission.
            (2) Post-breach audit.--For any information broker required 
        to provide notification under section 3, the Commission shall 
        conduct an audit of the information security practices of such 
        information broker, or require the information broker to 
        conduct an independent audit of such practices (by an 
        independent auditor who has not audited such information 
        broker's security practices during the preceding 5 years). The 
        Commission may conduct or require additional audits for a 
        period of 5 years following the breach of security or until the 
        Commission determines that the security practices of the 
        information broker are in compliance with the requirements of 
        this section and are adequate to prevent further breaches of 
        security.
            (3) Verification of and individual access to personal 
        information.--
                    (A) Verification.--Each information broker shall 
                establish reasonable procedures to verify the accuracy 
                of the personal information it collects, assembles, or 
                maintains, and any other information it collects, 
                assembles, or maintains that specifically identifies an 
                individual, other than information which merely 
                identifies an individual's name or address.
                    (B) Consumer access to information.--
                            (i) Access.--Each information broker 
                        shall--
                                    (I) provide to each individual 
                                whose personal information it 
                                maintains, at the individual's request 
                                at least 1 time per year and at no cost 
                                to the individual, and after verifying 
                                the identity of such individual, a 
                                means for the individual to review any 
                                personal information regarding such 
                                individual maintained by the 
                                information broker and any other 
                                information maintained by the 
                                information broker that specifically 
                                identifies such individual, other than 
                                information which merely identifies an 
                                individual's name or address; and
                                    (II) place a conspicuous notice on 
                                its Internet website (if the 
                                information broker maintains such a 
                                website) instructing individuals how to 
                                request access to the information 
                                required to be provided under subclause 
                                (I).
                            (ii) Disputed information.--Whenever an 
                        individual whose information the information 
                        broker maintains makes a written request 
                        disputing the accuracy of any such information, 
                        the information broker, after verifying the 
                        identity of the individual making such request 
                        and unless there are reasonable grounds to 
                        believe such request is frivolous or 
                        irrelevant, shall--
                                    (I) correct any inaccuracy; or
                                    (II)(aa) in the case of information 
                                that is public record information, 
                                inform the individual of the source of 
                                the information, and, if reasonably 
                                available, where a request for 
                                correction may be directed; or
                                    (bb) in the case of information 
                                that is non-public information, note 
                                the information that is disputed, 
                                including the individual's statement 
                                disputing such information, and take 
                                reasonable steps to independently 
                                verify such information under the 
                                procedures outlined in subparagraph (A) 
                                if such information can be 
                                independently verified.
                            (iii) Limitations.--An information broker 
                        may limit the access to information required 
                        under subparagraph (B) in the following 
                        circumstances:
                                    (I) If access of the individual to 
                                the information is limited by law or 
                                legally recognized privilege.
                                    (II) If the information is used for 
                                a legitimate governmental or fraud 
                                prevention purpose that would be 
                                compromised by such access.
                            (iv) Rulemaking.--The Commission shall 
                        issue regulations, as necessary, under section 
                        553 of title 5, United States Code, on the 
                        application of the limitations in clause (iii).
                    (C) Treatment of entities governed by other law.--
                The Commission may promulgate rules (under section 553 
                of title 5, United States Code) to determine to be in 
                compliance with this paragraph any person who is a 
                consumer reporting agency, as defined in section 603(f) 
                of the Fair Credit Reporting Act, with respect to those 
                products and services that are subject to and in 
                compliance with the requirements of that Act.
            (4) Requirement of audit log of accessed and transmitted 
        information.--Not later than 1 year after the date of the 
        enactment of this Act, the Commission shall promulgate 
        regulations under section 553 of title 5, United States Code, 
        to require information brokers to establish measures which 
        facilitate the auditing or retracing of any internal or 
        external access to, or transmissions of, any data in electronic 
        form containing personal information collected, assembled, or 
        maintained by such information broker.
            (5) Prohibition on pretexting by information brokers.--
                    (A) Prohibition on obtaining personal information 
                by false pretenses.--It shall be unlawful for an 
                information broker to obtain or attempt to obtain, or 
                cause to be disclosed or attempt to cause to be 
                disclosed to any person, personal information or any 
                other information relating to any person by--
                            (i) making a false, fictitious, or 
                        fraudulent statement or representation to any 
                        person; or
                            (ii) providing any document or other 
                        information to any person that the information 
                        broker knows or should know to be forged, 
                        counterfeit, lost, stolen, or fraudulently 
                        obtained, or to contain a false, fictitious, or 
                        fraudulent statement or representation.
                    (B) Prohibition on solicitation to obtain personal 
                information under false pretenses.--It shall be 
                unlawful for an information broker to request a person 
                to obtain personal information or any other information 
                relating to any other person, if the information broker 
                knew or should have known that the person to whom such 
                a request is made will obtain or attempt to obtain such 
                information in the manner described in subsection (a).
    (d) Exemption for Telecommunications Carrier, Cable Operator, 
Information Service, or Interactive Computer Service.--Nothing in this 
section shall apply to any electronic communication by a third party 
stored by a telecommunications carrier, cable operator, or information 
service, as those terms are defined in section 3 of the Communications 
Act of 1934 (47 U.S.C. 153), or an interactive computer service, as 
such term is defined in section 230(f)(2) of such Act (47 U.S.C. 
230(f)(2)).

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

    (a) Nationwide Notification.--Any person engaged in interstate 
commerce that owns or possesses data in electronic form containing 
personal information shall, following the discovery of a breach of 
security of the system maintained by such person that contains such 
data--
            (1) notify each individual who is a citizen or resident of 
        the United States whose personal information was acquired by an 
        unauthorized person as a result of such a breach of security; 
        and
            (2) notify the Commission.
    (b) Special Notification Requirement for Certain Entities.--
            (1) Third party agents.--In the event of a breach of 
        security by any third party entity that has been contracted to 
        maintain or process data in electronic form containing personal 
        information on behalf of any other person who owns or possesses 
        such data, such third party entity shall be required only to 
        notify such person of the breach of security. Upon receiving 
        such notification from such third party, such person shall 
        provide the notification required under subsection (a).
            (2) Telecommunications carriers, cable operators, 
        information services, and interactive computer services.--If a 
        telecommunications carrier, cable operator, or information 
        service (as such terms are defined in section 3 of the 
        Communications Act of 1934 (47 U.S.C. 153)), or an interactive 
        computer service (as such term is defined in section 230(f)(2) 
        of such Act (47 U.S.C. 230(f)(2))), becomes aware of a breach 
        of security during the transmission of data in electronic form 
        containing personal information that is owned or possessed by 
        another person utilizing the means of transmission of such 
        telecommunications carrier, cable operator, information 
        service, or interactive computer service, such 
        telecommunications carrier, cable operator, information 
        service, or interactive computer service shall be required only 
        to notify the person who initiated such transmission of such a 
        breach of security if such person can be reasonably identified. 
        Upon receiving such notification from a telecommunications 
        carrier, cable operator, information service, or interactive 
        computer service, such person shall provide the notification 
        required under subsection (a).
            (3) Breach of health information.--If the Commission 
        receives a notification of a breach of security and determines 
        that information included in such breach is individually 
        identifiable health information (as such term is defined in 
        section 1171(6) of the Social Security Act (42 U.S.C. 
        1320d(6)), the Commission shall send a copy of such 
        notification to the Secretary of Health and Human Services.
    (c) Timeliness of Notification.--All notifications required under 
subsection (a) shall be made as promptly as possible and without 
unreasonable delay following the discovery of a breach of security of 
the system and consistent with any measures necessary to determine the 
scope of the breach, prevent further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data system.
    (d) Method and Content of Notification.--
            (1) Direct notification.--
                    (A) Method of notification.--A person required to 
                provide notification to individuals under subsection 
                (a)(1) shall be in compliance with such requirement if 
                the person provides conspicuous and clearly identified 
                notification by one of the following methods (provided 
                the selected method can reasonably be expected to reach 
                the intended individual):
                            (i) Written notification.
                            (ii) Email notification, if--
                                    (I) the person's primary method of 
                                communication with the individual is by 
                                email; or
                                    (II) the individual has consented 
                                to receive such notification and the 
                                notification is provided in a manner 
                                that is consistent with the provisions 
                                permitting electronic transmission of 
                                notices under section 101 of the 
                                Electronic Signatures in Global 
                                Commerce Act (15 U.S.C. 7001).
                    (B) Content of notification.--Regardless of the 
                method by which notification is provided to an 
                individual under subparagraph (A), such notification 
                shall include--
                            (i) a description of the personal 
                        information that was acquired by an 
                        unauthorized person;
                            (ii) a telephone number that the individual 
                        may use, at no cost to such individual, to 
                        contact the person to inquire about the breach 
                        of security or the information the person 
                        maintained about that individual;
                            (iii) notice that the individual is 
                        entitled to receive, at no cost to such 
                        individual, consumer credit reports on a 
                        quarterly basis for a period of 2 years, and 
                        instructions to the individual on requesting 
                        such reports from the person;
                            (iv) the toll-free contact telephone 
                        numbers and addresses for the major credit 
                        reporting agencies; and
                            (v) a toll-free telephone number and 
                        Internet website address for the Commission 
                        whereby the individual may obtain information 
                        regarding identity theft.
            (2) Substitute notification.--
                    (A) Circumstances giving rise to substitute 
                notification.--A person required to provide 
                notification to individuals under subsection (a)(1) may 
                provide substitute notification in lieu of the direct 
                notification required by paragraph (1) if--
                            (i) the person owns or possesses data in 
                        electronic form containing personal information 
                        of fewer than 1,000 individuals; and
                            (ii) such direct notification is not 
                        feasible due to--
                                    (I) excessive cost to the person 
                                required to provide such notification 
                                relative to the resources of such 
                                person, as determined in accordance 
                                with the regulations issued by the 
                                Commission under paragraph (3)(A); or
                                    (II) lack of sufficient contact 
                                information for the individual required 
                                to be notified.
                    (B) Form of substitute notice.--Such substitute 
                notification shall include--
                            (i) email notification to the extent that 
                        the person has email addresses of individuals 
                        to whom it is required to provide notification 
                        under subsection (a)(1);
                            (ii) a conspicuous notice on the Internet 
                        website of the person (if such person maintains 
                        such a website); and
                            (iii) notification in print and to 
                        broadcast media, including major media in 
                        metropolitan and rural areas where the 
                        individuals whose personal information was 
                        acquired reside.
                    (C) Content of substitute notice.--Each form of 
                substitute notice under this paragraph shall include--
                            (i) notice that individuals whose personal 
                        information is included in the breach of 
                        security are entitled to receive, at no cost to 
                        the individuals, consumer credit reports on a 
                        quarterly basis for a period of 2 years, and 
                        instructions on requesting such reports from 
                        the person; and
                            (ii) a telephone number by which an 
                        individual can, at no cost to such individual, 
                        learn whether that individual's personal 
                        information is included in the breach of 
                        security.
            (3) Federal trade commission regulations and guidance.--
                    (A) Regulations.--Not later than 1 year after the 
                date of enactment of this Act, the Commission shall, by 
                regulations under section 553 of title 5, United States 
                Code, establish criteria for determining the 
                circumstances under which substitute notification may 
                be provided under paragraph (2), including criteria for 
                determining if notification under paragraph (1) is not 
                feasible due to excessive cost to the person required 
                to provide such notification relative to the resources 
                of such person.
                    (B) Guidance.--In addition, the Commission shall 
                provide and publish general guidance with respect to 
                compliance with this section. Such guidance shall 
                include--
                            (i) a description of written or email 
                        notification that complies with the 
                        requirements of paragraph (1); and
                            (ii) guidance on the content of substitute 
                        notification under paragraph (2)(B), including 
                        the extent of notification to print and 
                        broadcast media that complies with the 
                        requirements of such paragraph.
    (e) Other Obligations Following Breach.--A person required to 
provide notification under subsection (a) shall, upon request of an 
individual whose personal information was included in the breach of 
security, provide or arrange for the provision of, to each such 
individual and at no cost to such individual, consumer credit reports 
from at least one of the major credit reporting agencies beginning not 
later than 2 months following the discovery of a breach of security and 
continuing on a quarterly basis for a period of 2 years thereafter.
    (f) Exemption.--
            (1) General exemption.--A person shall be exempt from the 
        requirements under this section if, following a breach of 
        security, such person determines that there is no reasonable 
        risk of identity theft, fraud, or other unlawful conduct.
            (2) Presumptions.--
                    (A) Encryption.--The encryption of data in 
                electronic form shall establish a presumption that no 
                reasonable risk of identity theft, fraud, or other 
                unlawful conduct exists following a breach of security 
                of such data. Any such presumption may be rebutted by 
                facts demonstrating that the encryption has been or is 
                reasonably likely to be compromised.
                    (B) Additional methodologies or technologies.--Not 
                later than 270 days after the date of the enactment of 
                this Act, the Commission shall, by rule pursuant to 
                section 553 of title 5, United States Code, identify 
                any additional security methodology or technology, 
                other than encryption, which renders data in electronic 
                form unreadable or indecipherable, that shall, if 
                applied to such data, establish a presumption that no 
                reasonable risk of identity theft, fraud, or other 
                unlawful conduct exists following a breach of security 
                of such data. Any such presumption may be rebutted by 
                facts demonstrating that any such methodology or 
                technology has been or is reasonably likely to be 
                compromised. In promulgating such a rule, the 
                Commission shall consult with relevant industries, 
                consumer organizations, and data security and identity 
                theft prevention experts and established standards 
                setting bodies.
            (3) FTC guidance.--Not later than 1 year after the date of 
        the enactment of this Act, the Commission shall issue guidance 
        regarding the application of the exemption in paragraph (1).
    (g) Website Notice of Federal Trade Commission.--If the Commission, 
upon receiving notification of any breach of security that is reported 
to the Commission under subsection (a)(2), finds that notification of 
such a breach of security via the Commission's Internet website would 
be in the public interest or for the protection of consumers, the 
Commission shall place such a notice in a clear and conspicuous 
location on its Internet website.
    (h) FTC Study on Notification in Languages in Addition to 
English.--Not later than 1 year after the date of enactment of this 
Act, the Commission shall conduct a study on the practicality and cost 
effectiveness of requiring the notification required by subsection 
(d)(1) to be provided in a language in addition to English to 
individuals known to speak only such other language.

SEC. 4. ENFORCEMENT.

    (a) Enforcement by the Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        section 2 or 3 shall be treated as an unfair and deceptive act 
        or practice in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of commission.--The Commission shall enforce 
        this Act in the same manner, by the same means, and with the 
        same jurisdiction, powers, and duties as though all applicable 
        terms and provisions of the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.) were incorporated into and made a part of 
        this Act. Any person who violates such regulations shall be 
        subject to the penalties and entitled to the privileges and 
        immunities provided in that Act.
            (3) Limitation.--In promulgating rules under this Act, the 
        Commission shall not require the deployment or use of any 
        specific products or technologies, including any specific 
        computer software or hardware.
    (b) Enforcement by State Attorneys General.--
            (1) Civil action.--In any case in which the attorney 
        general of a State, or an official or agency of a State, has 
        reason to believe that an interest of the residents of that 
        State has been or is threatened or adversely affected by any 
        person who violates section 2 or 3 of this Act, the attorney 
        general, official, or agency of the State, as parens patriae, 
        may bring a civil action on behalf of the residents of the 
        State in a district court of the United States of appropriate 
        jurisdiction--
                    (A) to enjoin further violation of such section by 
                the defendant;
                    (B) to compel compliance with such section; or
                    (C) to obtain civil penalties in the amount 
                determined under paragraph (2).
            (2) Civil penalties.--
                    (A) Calculation.--
                            (i) Treatment of violations of section 2.--
                        For purposes of paragraph (1)(C) with regard to 
                        a violation of section 2, the amount determined 
                        under this paragraph is the amount calculated 
                        by multiplying the number of violations of such 
                        section by an amount not greater than $11,000. 
                        Each day that a person is not in compliance 
                        with the requirements of such section shall be 
                        treated as a separate violation. The maximum 
                        civil penalty calculated under this clause 
                        shall not exceed $5,000,000.
                            (ii) Treatment of violations of section 
                        3.--For purposes of paragraph (1)(C) with 
                        regard to a violation of section 3, the amount 
                        determined under this paragraph is the amount 
                        calculated by multiplying the number of 
                        violations of such section by an amount not 
                        greater than $11,000. Each failure to send 
                        notification as required under section 3 to a 
                        resident of the State shall be treated as a 
                        separate violation. The maximum civil penalty 
                        calculated under this clause shall not exceed 
                        $5,000,000.
                    (B) Adjustment for inflation.--Beginning on the 
                date that the Consumer Price Index is first published 
                by the Bureau of Labor Statistics that is after 1 year 
                after the date of enactment of this Act, and each year 
                thereafter, the amounts specified in clauses (i) and 
                (ii) of subparagraph (A) shall be increased by the 
                percentage increase in the Consumer Price Index 
                published on that date from the Consumer Price Index 
                published the previous year.
            (3) Intervention by the FTC.--
                    (A) Notice and intervention.--The State shall 
                provide prior written notice of any action under 
                paragraph (1) to the Commission and provide the 
                Commission with a copy of its complaint, except in any 
                case in which such prior notice is not feasible, in 
                which case the State shall serve such notice 
                immediately upon instituting such action. The 
                Commission shall have the right--
                            (i) to intervene in the action;
                            (ii) upon so intervening, to be heard on 
                        all matters arising therein; and
                            (iii) to file petitions for appeal.
                    (B) Limitation on state action while federal action 
                is pending.--If the Commission has instituted a civil 
                action for violation of this Act, no State attorney 
                general, or official or agency of a State, may bring an 
                action under this subsection during the pendency of 
                that action against any defendant named in the 
                complaint of the Commission for any violation of this 
                Act alleged in the complaint.
            (4) Construction.--For purposes of bringing any civil 
        action under paragraph (1), nothing in this Act shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
    (c) Affirmative Defense for a Violation of Section 3.--It shall be 
an affirmative defense to an enforcement action brought under 
subsection (a), or a civil action brought under subsection (b), based 
on a violation of section 3, that all of the personal information 
contained in the data in electronic form that was acquired as a result 
of a breach of security of the defendant is public record information 
that is lawfully made available to the general public from Federal, 
State, or local government records and was acquired by the defendant 
from such records.

SEC. 5. DEFINITIONS.

    In this Act the following definitions apply:
            (1) Breach of security.--The term ``breach of security'' 
        means the unauthorized acquisition of data in electronic form 
        containing personal information.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Data in electronic form.--The term ``data in electronic 
        form'' means any data stored electronically or digitally on any 
        computer system or other database and includes recordable tapes 
        and other mass storage devices.
            (4) Encryption.--The term ``encryption'' means the 
        protection of data in electronic form in storage or in transit 
        using an encryption technology that has been adopted by an 
        established standards setting body which renders such data 
        indecipherable in the absence of associated cryptographic keys 
        necessary to enable decryption of such data. Such encryption 
        must include appropriate management and safeguards of such keys 
        to protect the integrity of the encryption.
            (5) Identity theft.--The term ``identity theft'' means the 
        unauthorized use of another person's personal information for 
        the purpose of engaging in commercial transactions under the 
        name of such other person.
            (6) Information broker.--The term ``information broker'' 
        means a commercial entity whose business is to collect, 
        assemble, or maintain personal information concerning 
        individuals who are not current or former customers of such 
        entity in order to sell such information or provide access to 
        such information to any nonaffiliated third party in exchange 
        for consideration, whether such collection, assembly, or 
        maintenance of personal information is performed by the 
        information broker directly, or by contract or subcontract with 
        any other entity.
            (7) Personal information.--
                    (A) Definition.--The term ``personal information'' 
                means an individual's first name or initial and last 
                name, or address, or phone number, in combination with 
                any 1 or more of the following data elements for that 
                individual:
                            (i) Social Security number.
                            (ii) Driver's license number or other State 
                        identification number.
                            (iii) Financial account number, or credit 
                        or debit card number, and any required security 
                        code, access code, or password that is 
                        necessary to permit access to an individual's 
                        financial account.
                    (B) Modified definition by rulemaking.--The 
                Commission may, by rule, modify the definition of 
                ``personal information'' under subparagraph (A) to the 
                extent that such modification is necessary to 
                accommodate changes in technology or practices, will 
                not unreasonably impede interstate commerce, and will 
                accomplish the purposes of this Act.
            (8) Public record information.--The term ``public record 
        information'' means information about an individual which has 
        been obtained originally from records of a Federal, State, or 
        local government entity that are available for public 
        inspection.
            (9) Non-public information.--The term ``non-public 
        information'' means information about an individual that is of 
        a private nature and neither available to the general public 
        nor obtained from a public record.

SEC. 6. EFFECT ON OTHER LAWS.

    (a) Preemption of State Information Security Laws.--This Act 
supersedes any provision of a statute, regulation, or rule of a State 
or political subdivision of a State, with respect to those entities 
covered by the regulations issued pursuant to this Act, that 
expressly--
            (1) requires information security practices and treatment 
        of data in electronic form containing personal information 
        similar to any of those required under section 2; and
            (2) requires notification to individuals of a breach of 
        security resulting in unauthorized acquisition of data in 
        electronic form containing personal information.
    (b) Additional Preemption.--
            (1) In general.--No person other than the Attorney General 
        of a State may bring a civil action under the laws of any State 
        if such action is premised in whole or in part upon the 
        defendant violating any provision of this Act.
            (2) Protection of consumer protection laws.--This 
        subsection shall not be construed to limit the enforcement of 
        any State consumer protection law by an Attorney General of a 
        State.
    (c) Protection of Certain State Laws.--This Act shall not be 
construed to preempt the applicability of--
            (1) State trespass, contract, or tort law; or
            (2) other State laws to the extent that those laws relate 
        to acts of fraud.
    (d) Preservation of FTC Authority.--Nothing in this Act may be 
construed in any way to limit or affect the Commission's authority 
under any other provision of law, including the authority to issue 
advisory opinions (under part 1 of volume 16 of the Code of Federal 
Regulations), policy statements, or guidance regarding this Act.

SEC. 7. EFFECTIVE DATE AND SUNSET.

    (a) Effective Date.--This Act shall take effect 1 year after the 
date of enactment of this Act.
    (b) Sunset.--This Act shall cease to be in effect on the date that 
is 10 years from the date of enactment of this Act.

SEC. 8. AUTHORIZATION OF APPROPRIATIONS.

    There is authorized to be appropriated to the Commission $1,000,000 
for each of fiscal years 2006 through 2010 to carry out this Act.

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Accountability and Trust Act 
(DATA)''.

SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.

    (a) General Security Policies and Procedures.--
            (1) Regulations.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall promulgate 
        regulations under section 553 of title 5, United States Code, 
        to require each person engaged in interstate commerce that owns 
        or possesses data in electronic form containing personal 
        information, or contracts to have any third party entity 
        maintain such data for such person, to establish and implement 
        policies and procedures regarding information security 
        practices for the treatment and protection of personal 
        information taking into consideration--
                    (A) the size of, and the nature, scope, and 
                complexity of the activities engaged in by, such 
                person;
                    (B) the current state of the art in administrative, 
                technical, and physical safeguards for protecting such 
                information; and
                    (C) the cost of implementing such safeguards.
            (2) Requirements.--Such regulations shall require the 
        policies and procedures to include the following:
                    (A) A security policy with respect to the 
                collection, use, sale, other dissemination, and 
                maintenance of such personal information.
                    (B) The identification of an officer or other 
                individual as the point of contact with responsibility 
                for the management of information security.
                    (C) A process for identifying and assessing any 
                reasonably foreseeable vulnerabilities in the system 
                maintained by such person that contains such electronic 
                data, which shall include regular monitoring for a 
                breach of security of such system.
                    (D) A process for taking preventive and corrective 
                action to mitigate against any vulnerabilities 
                identified in the process required by subparagraph (C), 
                which may include implementing any changes to security 
                practices and the architecture, installation, or 
                implementation of network or operating software.
                    (E) A process for disposing of obsolete data in 
                electronic form containing personal information by 
                shredding, permanently erasing, or otherwise modifying 
                the personal information contained in such data to make 
                such personal information permanently unreadable or 
                undecipherable.
            (3) Treatment of entities governed by other law.--In 
        promulgating the regulations under this subsection, the 
        Commission may determine to be in compliance with this 
        subsection any person who is required under any other Federal 
        law to maintain standards and safeguards for information 
        security and protection of personal information that provide 
        equal or greater protection than those required under this 
        subsection.
    (b) Destruction of Obsolete Paper Records Containing Personal 
Information.--
            (1) Study.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall conduct a study on 
        the practicality of requiring a standard method or methods for 
        the destruction of obsolete paper documents and other non-
        electronic data containing personal information by persons 
        engaged in interstate commerce who own or possess such paper 
        documents and non-electronic data. The study shall consider the 
        cost, benefit, feasibility, and effect of a requirement of 
        shredding or other permanent destruction of such paper 
        documents and non-electronic data.
            (2) Regulations.--The Commission may promulgate regulations 
        under section 553 of title 5, United States Code, requiring a 
        standard method or methods for the destruction of obsolete 
        paper documents and other non-electronic data containing 
        personal information by persons engaged in interstate commerce 
        who own or possess such paper documents and non-electronic data 
        if the Commission finds that--
                    (A) the improper disposal of obsolete paper 
                documents and other non-electronic data creates a 
                reasonable risk of identity theft, fraud, or other 
                unlawful conduct;
                    (B) such a requirement would be effective in 
                preventing identity theft, fraud, or other unlawful 
                conduct;
                    (C) the benefit in preventing identity theft, 
                fraud, or other unlawful conduct would outweigh the 
                cost to persons subject to such a requirement; and
                    (D) compliance with such a requirement would be 
                practicable.
        In enforcing any such regulations, the Commission may determine 
        to be in compliance with such regulations any person who is 
        required under any other Federal law to dispose of obsolete 
        paper documents and other non-electronic data containing 
        personal information if such other Federal law provides equal 
        or greater protection of personal information than the 
        regulations promulgated under this subsection.
    (c) Special Requirements for Information Brokers.--
            (1) Submission of policies to the FTC.--The regulations 
        promulgated under subsection (a) shall require information 
        brokers to submit their security policies to the Commission in 
        conjunction with a notification of a breach of security under 
        section 3 or upon request of the Commission.
            (2) Post-breach audit.--For any information broker required 
        to provide notification under section 3, the Commission shall 
        conduct an audit of the information security practices of such 
        information broker, or require the information broker to 
        conduct an independent audit of such practices (by an 
        independent auditor who has not audited such information 
        broker's security practices during the preceding 5 years). The 
        Commission may conduct or require additional audits for a 
        period of 5 years following the breach of security or until the 
        Commission determines that the security practices of the 
        information broker are in compliance with the requirements of 
        this section and are adequate to prevent further breaches of 
        security.
            (3) Verification of and individual access to personal 
        information.--
                    (A) Verification.--Each information broker shall 
                establish reasonable procedures to verify the accuracy 
                of the personal information it collects, assembles, or 
                maintains, and any other information it collects, 
                assembles, or maintains that specifically identifies an 
                individual, other than information which merely 
                identifies an individual's name or address.
                    (B) Consumer access to information.--
                            (i) Access.--Each information broker 
                        shall--
                                    (I) provide to each individual 
                                whose personal information it 
                                maintains, at the individual's request 
                                at least 1 time per year and at no cost 
                                to the individual, and after verifying 
                                the identity of such individual, a 
                                means for the individual to review any 
                                personal information regarding such 
                                individual maintained by the 
                                information broker and any other 
                                information maintained by the 
                                information broker that specifically 
                                identifies such individual, other than 
                                information which merely identifies an 
                                individual's name or address; and
                                    (II) place a conspicuous notice on 
                                its Internet website (if the 
                                information broker maintains such a 
                                website) instructing individuals how to 
                                request access to the information 
                                required to be provided under subclause 
                                (I).
                            (ii) Disputed information.--Whenever an 
                        individual whose information the information 
                        broker maintains makes a written request 
                        disputing the accuracy of any such information, 
                        the information broker, after verifying the 
                        identity of the individual making such request 
                        and unless there are reasonable grounds to 
                        believe such request is frivolous or 
                        irrelevant, shall--
                                    (I) correct any inaccuracy; or
                                    (II)(aa) in the case of information 
                                that is public record information, 
                                inform the individual of the source of 
                                the information, and, if reasonably 
                                available, where a request for 
                                correction may be directed; or
                                    (bb) in the case of information 
                                that is non-public information, note 
                                the information that is disputed, 
                                including the individual's statement 
                                disputing such information, and take 
                                reasonable steps to independently 
                                verify such information under the 
                                procedures outlined in subparagraph (A) 
                                if such information can be 
                                independently verified.
                            (iii) Limitations.--An information broker 
                        may limit the access to information required 
                        under subparagraph (B) in the following 
                        circumstances:
                                    (I) If access of the individual to 
                                the information is limited by law or 
                                legally recognized privilege.
                                    (II) If the information is used for 
                                a legitimate governmental or fraud 
                                prevention purpose that would be 
                                compromised by such access.
                            (iv) Rulemaking.--The Commission shall 
                        issue regulations, as necessary, under section 
                        553 of title 5, United States Code, on the 
                        application of the limitations in clause (iii).
                    (C) Treatment of entities governed by other law.--
                The Commission may promulgate rules (under section 553 
                of title 5, United States Code) to determine to be in 
                compliance with this paragraph any person who is a 
                consumer reporting agency, as defined in section 603(f) 
                of the Fair Credit Reporting Act, with respect to those 
                products and services that are subject to and in 
                compliance with the requirements of that Act.
            (4) Requirement of audit log of accessed and transmitted 
        information.--Not later than 1 year after the date of the 
        enactment of this Act, the Commission shall promulgate 
        regulations under section 553 of title 5, United States Code, 
        to require information brokers to establish measures which 
        facilitate the auditing or retracing of any internal or 
        external access to, or transmissions of, any data in electronic 
        form containing personal information collected, assembled, or 
        maintained by such information broker.
            (5) Prohibition on pretexting by information brokers.--
                    (A) Prohibition on obtaining personal information 
                by false pretenses.--It shall be unlawful for an 
                information broker to obtain or attempt to obtain, or 
                cause to be disclosed or attempt to cause to be 
                disclosed to any person, personal information or any 
                other information relating to any person by--
                            (i) making a false, fictitious, or 
                        fraudulent statement or representation to any 
                        person; or
                            (ii) providing any document or other 
                        information to any person that the information 
                        broker knows or should know to be forged, 
                        counterfeit, lost, stolen, or fraudulently 
                        obtained, or to contain a false, fictitious, or 
                        fraudulent statement or representation.
                    (B) Prohibition on solicitation to obtain personal 
                information under false pretenses.--It shall be 
                unlawful for an information broker to request a person 
                to obtain personal information or any other information 
                relating to any other person, if the information broker 
                knew or should have known that the person to whom such 
                a request is made will obtain or attempt to obtain such 
                information in the manner described in subsection (a).
    (d) Exemption for Telecommunications Carrier, Cable Operator, 
Information Service, or Interactive Computer Service.--Nothing in this 
section shall apply to any electronic communication by a third party 
stored by a telecommunications carrier, cable operator, or information 
service, as those terms are defined in section 3 of the Communications 
Act of 1934 (47 U.S.C. 153), or an interactive computer service, as 
such term is defined in section 230(f)(2) of such Act (47 U.S.C. 
230(f)(2)).

SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.

    (a) Nationwide Notification.--Any person engaged in interstate 
commerce that owns or possesses data in electronic form containing 
personal information shall, following the discovery of a breach of 
security of the system maintained by such person that contains such 
data--
            (1) notify each individual who is a citizen or resident of 
        the United States whose personal information was acquired by an 
        unauthorized person as a result of such a breach of security; 
        and
            (2) notify the Commission.
    (b) Special Notification Requirement for Certain Entities.--
            (1) Third party agents.--In the event of a breach of 
        security by any third party entity that has been contracted to 
        maintain or process data in electronic form containing personal 
        information on behalf of any other person who owns or possesses 
        such data, such third party entity shall be required only to 
        notify such person of the breach of security. Upon receiving 
        such notification from such third party, such person shall 
        provide the notification required under subsection (a).
            (2) Telecommunications carriers, cable operators, 
        information services, and interactive computer services.--If a 
        telecommunications carrier, cable operator, or information 
        service (as such terms are defined in section 3 of the 
        Communications Act of 1934 (47 U.S.C. 153)), or an interactive 
        computer service (as such term is defined in section 230(f)(2) 
        of such Act (47 U.S.C. 230(f)(2))), becomes aware of a breach 
        of security during the transmission of data in electronic form 
        containing personal information that is owned or possessed by 
        another person utilizing the means of transmission of such 
        telecommunications carrier, cable operator, information 
        service, or interactive computer service, such 
        telecommunications carrier, cable operator, information 
        service, or interactive computer service shall be required only 
        to notify the person who initiated such transmission of such a 
        breach of security if such person can be reasonably identified. 
        Upon receiving such notification from a telecommunications 
        carrier, cable operator, information service, or interactive 
        computer service, such person shall provide the notification 
        required under subsection (a).
            (3) Breach of health information.--If the Commission 
        receives a notification of a breach of security and determines 
        that information included in such breach is individually 
        identifiable health information (as such term is defined in 
        section 1171(6) of the Social Security Act (42 U.S.C. 
        1320d(6))), the Commission shall send a copy of such 
        notification to the Secretary of Health and Human Services.
    (c) Timeliness of Notification.--All notifications required under 
subsection (a) shall be made as promptly as possible and without 
unreasonable delay following the discovery of a breach of security of 
the system and consistent with any measures necessary to determine the 
scope of the breach, prevent further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data system.
    (d) Method and Content of Notification.--
            (1) Direct notification.--
                    (A) Method of notification.--A person required to 
                provide notification to individuals under subsection 
                (a)(1) shall be in compliance with such requirement if 
                the person provides conspicuous and clearly identified 
                notification by one of the following methods (provided 
                the selected method can reasonably be expected to reach 
                the intended individual):
                            (i) Written notification.
                            (ii) Email notification, if--
                                    (I) the person's primary method of 
                                communication with the individual is by 
                                email; or
                                    (II) the individual has consented 
                                to receive such notification and the 
                                notification is provided in a manner 
                                that is consistent with the provisions 
                                permitting electronic transmission of 
                                notices under section 101 of the 
                                Electronic Signatures in Global 
                                Commerce Act (15 U.S.C. 7001).
                    (B) Content of notification.--Regardless of the 
                method by which notification is provided to an 
                individual under subparagraph (A), such notification 
                shall include--
                            (i) a description of the personal 
                        information that was acquired by an 
                        unauthorized person;
                            (ii) a telephone number that the individual 
                        may use, at no cost to such individual, to 
                        contact the person to inquire about the breach 
                        of security or the information the person 
                        maintained about that individual;
                            (iii) notice that the individual is 
                        entitled to receive, at no cost to such 
                        individual, consumer credit reports on a 
                        quarterly basis for a period of 2 years, and 
                        instructions to the individual on requesting 
                        such reports from the person;
                            (iv) the toll-free contact telephone 
                        numbers and addresses for the major credit 
                        reporting agencies; and
                            (v) a toll-free telephone number and 
                        Internet website address for the Commission 
                        whereby the individual may obtain information 
                        regarding identity theft.
            (2) Substitute notification.--
                    (A) Circumstances giving rise to substitute 
                notification.--A person required to provide 
                notification to individuals under subsection (a)(1) may 
                provide substitute notification in lieu of the direct 
                notification required by paragraph (1) if--
                            (i) the person owns or possesses data in 
                        electronic form containing personal information 
                        of fewer than 1,000 individuals; and
                            (ii) such direct notification is not 
                        feasible due to--
                                    (I) excessive cost to the person 
                                required to provide such notification 
                                relative to the resources of such 
                                person, as determined in accordance 
                                with the regulations issued by the 
                                Commission under paragraph (3)(A); or
                                    (II) lack of sufficient contact 
                                information for the individual required 
                                to be notified.
                    (B) Form of substitute notice.--Such substitute 
                notification shall include--
                            (i) email notification to the extent that 
                        the person has email addresses of individuals 
                        to whom it is required to provide notification 
                        under subsection (a)(1);
                            (ii) a conspicuous notice on the Internet 
                        website of the person (if such person maintains 
                        such a website); and
                            (iii) notification in print and to 
                        broadcast media, including major media in 
                        metropolitan and rural areas where the 
                        individuals whose personal information was 
                        acquired reside.
                    (C) Content of substitute notice.--Each form of 
                substitute notice under this paragraph shall include--
                            (i) notice that individuals whose personal 
                        information is included in the breach of 
                        security are entitled to receive, at no cost to 
                        the individuals, consumer credit reports on a 
                        quarterly basis for a period of 2 years, and 
                        instructions on requesting such reports from 
                        the person; and
                            (ii) a telephone number by which an 
                        individual can, at no cost to such individual, 
                        learn whether that individual's personal 
                        information is included in the breach of 
                        security.
            (3) Federal trade commission regulations and guidance.--
                    (A) Regulations.--Not later than 1 year after the 
                date of enactment of this Act, the Commission shall, by 
                regulations under section 553 of title 5, United States 
                Code, establish criteria for determining the 
                circumstances under which substitute notification may 
                be provided under paragraph (2), including criteria for 
                determining if notification under paragraph (1) is not 
                feasible due to excessive cost to the person required 
                to provide such notification relative to the resources 
                of such person.
                    (B) Guidance.--In addition, the Commission shall 
                provide and publish general guidance with respect to 
                compliance with this section. Such guidance shall 
                include--
                            (i) a description of written or email 
                        notification that complies with the 
                        requirements of paragraph (1); and
                            (ii) guidance on the content of substitute 
                        notification under paragraph (2)(B), including 
                        the extent of notification to print and 
                        broadcast media that complies with the 
                        requirements of such paragraph.
    (e) Other Obligations Following Breach.--A person required to 
provide notification under subsection (a) shall, upon request of an 
individual whose personal information was included in the breach of 
security, provide or arrange for the provision of, to each such 
individual and at no cost to such individual, consumer credit reports 
from at least one of the major credit reporting agencies beginning not 
later than 2 months following the discovery of a breach of security and 
continuing on a quarterly basis for a period of 2 years thereafter.
    (f) Exemption.--
            (1) General exemption.--A person shall be exempt from the 
        requirements under this section if, following a breach of 
        security, such person determines that there is no reasonable 
        risk of identity theft, fraud, or other unlawful conduct.
            (2) Presumptions.--
                    (A) Encryption.--The encryption of data in 
                electronic form shall establish a presumption that no 
                reasonable risk of identity theft, fraud, or other 
                unlawful conduct exists following a breach of security 
                of such data. Any such presumption may be rebutted by 
                facts demonstrating that the encryption has been or is 
                reasonably likely to be compromised.
                    (B) Additional methodologies or technologies.--Not 
                later than 270 days after the date of the enactment of 
                this Act, the Commission shall, by rule pursuant to 
                section 553 of title 5, United States Code, identify 
                any additional security methodology or technology, 
                other than encryption, which renders data in electronic 
                form unreadable or indecipherable, that shall, if 
                applied to such data, establish a presumption that no 
                reasonable risk of identity theft, fraud, or other 
                unlawful conduct exists following a breach of security 
                of such data. Any such presumption may be rebutted by 
                facts demonstrating that any such methodology or 
                technology has been or is reasonably likely to be 
                compromised. In promulgating such a rule, the 
                Commission shall consult with relevant industries, 
                consumer organizations, and data security and identity 
                theft prevention experts and established standards 
                setting bodies.
            (3) FTC guidance.--Not later than 1 year after the date of 
        the enactment of this Act, the Commission shall issue guidance 
        regarding the application of the exemption in paragraph (1).
    (g) Website Notice of Federal Trade Commission.--If the Commission, 
upon receiving notification of any breach of security that is reported 
to the Commission under subsection (a)(2), finds that notification of 
such a breach of security via the Commission's Internet website would 
be in the public interest or for the protection of consumers, the 
Commission shall place such a notice in a clear and conspicuous 
location on its Internet website.
    (h) FTC Study on Notification in Languages in Addition to 
English.--Not later than 1 year after the date of enactment of this 
Act, the Commission shall conduct a study on the practicality and cost 
effectiveness of requiring the notification required by subsection 
(d)(1) to be provided in a language in addition to English to 
individuals known to speak only such other language.
    (i) Special Notification Requirement for Federal Agencies.--
            (1) Nationwide notification.--Any Federal agency that owns 
        or possesses data in electronic form containing personal 
        information shall, following the discovery of a breach of 
        security of the system maintained by such agency that contains 
        such data, notify each individual who is a citizen or resident 
        of the United States whose personal information was acquired by 
        an unauthorized person as a result of such a breach of security.
            (2) Method and content of notification.--
                    (A) Method of notification.--A Federal agency 
                required to provide written notification to individuals 
                under paragraph (1) shall be in compliance with such 
                requirement if the agency provides conspicuous and 
                clearly identified written notification that includes 
                the content required under subparagraph (B).
                    (B) Content of notification.--Notification required 
                under this subsection shall include--
                            (i) a description of the personal 
                        information that was acquired by an 
                        unauthorized person;
                            (ii) a telephone number that the individual 
                        may use, at no cost to such individual, to 
                        contact the Federal agency to inquire about the 
                        breach of security or the information the 
                        Federal agency maintained about that 
                        individual;
                            (iii) the toll-free contact telephone 
                        number and addresses for the major credit 
                        reporting agencies; and
                            (iv) a toll-free telephone number and 
                        Internet website address whereby the individual 
                        may obtain information regarding identity 
                        theft.
            (3) Exemption.--A Federal agency shall be exempt from the 
        requirements of this subsection if, following a breach of 
        security, such agency determines that there is no reasonable 
        risk of identity theft, fraud, or other unlawful conduct.

SEC. 4. ENFORCEMENT.

    (a) Enforcement by the Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        section 2 or 3 shall be treated as an unfair and deceptive act 
        or practice in violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of commission.--The Commission shall enforce 
        this Act in the same manner, by the same means, and with the 
        same jurisdiction, powers, and duties as though all applicable 
        terms and provisions of the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.) were incorporated into and made a part of 
        this Act. Any person who violates such regulations shall be 
        subject to the penalties and entitled to the privileges and 
        immunities provided in that Act.
            (3) Limitation.--In promulgating rules under this Act, the 
        Commission shall not require the deployment or use of any 
        specific products or technologies, including any specific 
        computer software or hardware.
    (b) Enforcement by State Attorneys General.--
            (1) Civil action.--In any case in which the attorney 
        general of a State, or an official or agency of a State, has 
        reason to believe that an interest of the residents of that 
        State has been or is threatened or adversely affected by any 
        person who violates section 2 or 3 of this Act, the attorney 
        general, official, or agency of the State, as parens patriae, 
        may bring a civil action on behalf of the residents of the 
        State in a district court of the United States of appropriate 
        jurisdiction--
                    (A) to enjoin further violation of such section by 
                the defendant;
                    (B) to compel compliance with such section; or
                    (C) to obtain civil penalties in the amount 
                determined under paragraph (2).
            (2) Civil penalties.--
                    (A) Calculation.--
                            (i) Treatment of violations of section 2.--
                        For purposes of paragraph (1)(C) with regard to 
                        a violation of section 2, the amount determined 
                        under this paragraph is the amount calculated 
                        by multiplying the number of violations of such 
                        section by an amount not greater than $11,000. 
                        Each day that a person is not in compliance 
                        with the requirements of such section shall be 
                        treated as a separate violation. The maximum 
                        civil penalty calculated under this clause 
                        shall not exceed $5,000,000.
                            (ii) Treatment of violations of section 
                        3.--For purposes of paragraph (1)(C) with 
                        regard to a violation of section 3, the amount 
                        determined under this paragraph is the amount 
                        calculated by multiplying the number of 
                        violations of such section by an amount not 
                        greater than $11,000. Each failure to send 
                        notification as required under section 3 to a 
                        resident of the State shall be treated as a 
                        separate violation. The maximum civil penalty 
                        calculated under this clause shall not exceed 
                        $5,000,000.
                    (B) Adjustment for inflation.--Beginning on the 
                date that the Consumer Price Index is first published 
                by the Bureau of Labor Statistics that is after 1 year 
                after the date of enactment of this Act, and each year 
                thereafter, the amounts specified in clauses (i) and 
                (ii) of subparagraph (A) shall be increased by the 
                percentage increase in the Consumer Price Index 
                published on that date from the Consumer Price Index 
                published the previous year.
            (3) Intervention by the ftc.--
                    (A) Notice and intervention.--The State shall 
                provide prior written notice of any action under 
                paragraph (1) to the Commission and provide the 
                Commission with a copy of its complaint, except in any 
                case in which such prior notice is not feasible, in 
                which case the State shall serve such notice 
                immediately upon instituting such action. The 
                Commission shall have the right--
                            (i) to intervene in the action;
                            (ii) upon so intervening, to be heard on 
                        all matters arising therein; and
                            (iii) to file petitions for appeal.
                    (B) Limitation on state action while federal action 
                is pending.--If the Commission has instituted a civil 
                action for violation of this Act, no State attorney 
                general, or official or agency of a State, may bring an 
                action under this subsection during the pendency of 
                that action against any defendant named in the 
                complaint of the Commission for any violation of this 
                Act alleged in the complaint.
            (4) Construction.--For purposes of bringing any civil 
        action under paragraph (1), nothing in this Act shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
    (c) Affirmative Defense for a Violation of Section 3.--It shall be 
an affirmative defense to an enforcement action brought under 
subsection (a), or a civil action brought under subsection (b), based 
on a violation of section 3, that all of the personal information 
contained in the data in electronic form that was acquired as a result 
of a breach of security of the defendant is public record information 
that is lawfully made available to the general public from Federal, 
State, or local government records and was acquired by the defendant 
from such records.

SEC. 5. DEFINITIONS.

    In this Act the following definitions apply:
            (1) Breach of security.--The term ``breach of security'' 
        means the unauthorized acquisition of data in electronic form 
        containing personal information.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Data in electronic form.--The term ``data in electronic 
        form'' means any data stored electronically or digitally on any 
        computer system or other database and includes recordable tapes 
        and other mass storage devices.
            (4) Encryption.--The term ``encryption'' means the 
        protection of data in electronic form in storage or in transit 
        using an encryption technology that has been adopted by an 
        established standards setting body which renders such data 
        indecipherable in the absence of associated cryptographic keys 
        necessary to enable decryption of such data. Such encryption 
        must include appropriate management and safeguards of such keys 
        to protect the integrity of the encryption.
            (5) Identity theft.--The term ``identity theft'' means the 
        unauthorized use of another person's personal information for 
        the purpose of engaging in commercial transactions under the 
        name of such other person.
            (6) Information broker.--The term ``information broker'' 
        means a commercial entity whose business is to collect, 
        assemble, or maintain personal information concerning 
        individuals who are not current or former customers of such 
        entity in order to sell such information or provide access to 
        such information to any nonaffiliated third party in exchange 
        for consideration, whether such collection, assembly, or 
        maintenance of personal information is performed by the 
        information broker directly, or by contract or subcontract with 
        any other entity.
            (7) Personal information.--
                    (A) Definition.--The term ``personal information'' 
                means an individual's first name or initial and last 
                name, or address, or phone number, in combination with 
                any 1 or more of the following data elements for that 
                individual:
                            (i) Social Security number.
                            (ii) Driver's license number or other State 
                        identification number.
                            (iii) Financial account number, or credit 
                        or debit card number, and any required security 
                        code, access code, or password that is 
                        necessary to permit access to an individual's 
                        financial account.
                    (B) Modified definition by rulemaking.--The 
                Commission may, by rule, modify the definition of 
                ``personal information'' under subparagraph (A) to the 
                extent that such modification is necessary to 
                accommodate changes in technology or practices, will 
                not unreasonably impede interstate commerce, and will 
                accomplish the purposes of this Act.
            (8) Public record information.--The term ``public record 
        information'' means information about an individual which has 
        been obtained originally from records of a Federal, State, or 
        local government entity that are available for public 
        inspection.
            (9) Non-public information.--The term ``non-public 
        information'' means information about an individual that is of 
        a private nature and neither available to the general public 
        nor obtained from a public record.

SEC. 6. EFFECT ON OTHER LAWS.

    (a) Preemption of State Information Security Laws.--This Act 
supersedes any provision of a statute, regulation, or rule of a State 
or political subdivision of a State, with respect to those entities 
covered by the regulations issued pursuant to this Act, that 
expressly--
            (1) requires information security practices and treatment 
        of data in electronic form containing personal information 
        similar to any of those required under section 2; and
            (2) requires notification to individuals of a breach of 
        security resulting in unauthorized acquisition of data in 
        electronic form containing personal information.
    (b) Additional Preemption.--
            (1) In general.--No person other than the Attorney General 
        of a State may bring a civil action under the laws of any State 
        if such action is premised in whole or in part upon the 
        defendant violating any provision of this Act.
            (2) Protection of consumer protection laws.--This 
        subsection shall not be construed to limit the enforcement of 
        any State consumer protection law by an Attorney General of a 
        State.
    (c) Protection of Certain State Laws.--This Act shall not be 
construed to preempt the applicability of--
            (1) State trespass, contract, or tort law; or
            (2) other State laws to the extent that those laws relate 
        to acts of fraud.
    (d) Preservation of FTC Authority.--Nothing in this Act may be 
construed in any way to limit or affect the Commission's authority 
under any other provision of law, including the authority to issue 
advisory opinions (under part 1 of volume 16 of the Code of Federal 
Regulations), policy statements, or guidance regarding this Act.

SEC. 7. EFFECTIVE DATE AND SUNSET.

    (a) Effective Date.--This Act shall take effect 1 year after the 
date of enactment of this Act.
    (b) Sunset.--This Act shall cease to be in effect on the date that 
is 10 years from the date of enactment of this Act.

SEC. 8. AUTHORIZATION OF APPROPRIATIONS.

    There is authorized to be appropriated to the Commission $1,000,000 
for each of fiscal years 2006 through 2010 to carry out this Act.

SECTION 1. SHORT TITLE; FINDINGS.

    (a) Short Title.--This Act may be cited as the ``Financial Data 
Protection Act of 2006''.
    (b) Findings.--The Congress finds as follows:
            (1) Protecting the security of sensitive information 
        relating to consumers is important to limiting account fraud 
        and identity theft.
            (2) While the Gramm-Leach-Bliley Act requires financial 
        institutions to protect the security and confidentiality of the 
        nonpublic personal information of the customers of financial 
        institutions, the scope of covered entities and type of 
        information needs to be broadened to fully protect consumers.
            (3) Some Federal agencies have issued model guidance under 
        the Gramm-Leach-Bliley Act requiring banks to investigate and 
        provide notice to customers of breaches of data security 
        involving customer information that could lead to account fraud 
        or identity theft, but these standards need to be broadened to 
        apply to other entities acting as consumer reporters, in order 
        to create a single, uniform data security standard that applies 
        to all parties to transactions involving such financial 
        information.
            (4) Requiring all consumer reporters handling sensitive 
        financial personal information to provide notice to consumers 
        of data security breaches that are likely to result in harm or 
        inconvenience will help consumers protect themselves and 
        mitigate against the risk of identity theft or account fraud.
            (5) Therefore, all consumer reporters should--
                    (A) protect sensitive financial personal 
                information;
                    (B) investigate potential data security breaches;
                    (C) provide breach notices as appropriate to the 
                United States Secret Service, functional regulators, 
                involved third parties, and consumers;
                    (D) restore the security of the information and 
                improve safeguards after a breach; and
                    (E) provide consumers free file monitoring where 
                appropriate to reduce the risk of identity theft.

SEC. 2. DATA SECURITY SAFEGUARDS.

    (a) In General.--As set forth in section 630 of the Fair Credit 
Reporting Act, as amended by this Act, in the event a consumer reporter 
becomes aware of information suggesting a breach of data security, such 
consumer reporter shall immediately conduct an investigation, and 
notify authorities and consumers as appropriate.
    (b) FCRA Data Security Amendment.--The Fair Credit Reporting Act 
(15 U.S.C. 1681) is amended by adding at the end the following new 
section:

``SEC. 630. DATA SECURITY SAFEGUARDS.

    ``(a) Protection of Sensitive Financial Personal Information.--
            ``(1) Data security obligation policy.--It is the policy of 
        the Congress that each consumer reporter has an affirmative and 
        continuing obligation to protect the security and 
        confidentiality of sensitive financial personal information.
            ``(2) Security policies and procedures.--Each consumer 
        reporter shall have an affirmative obligation to implement, and 
        a continuing obligation to maintain, reasonable policies and 
        procedures to protect the security and confidentiality of 
        sensitive financial personal information relating to any 
        consumer that is handled by such consumer reporter against any 
        loss, unauthorized access, or misuse that is reasonably likely 
        to result in harm or inconvenience to such consumer.
            ``(3) Data destruction and data disposal policies and 
        procedures.--The policies and procedures described in paragraph 
        (2) shall include providing for the proper disposal of 
        sensitive financial personal information in accordance with the 
        standards, guidelines, or regulations issued pursuant to this 
        title.
    ``(b) Investigation Requirements.--
            ``(1) Investigation trigger.--A consumer reporter shall 
        immediately conduct a data security breach investigation if 
        it--
                    ``(A) becomes aware of any information indicating a 
                reasonable likelihood that a data security breach has 
                occurred or is unavoidable;
                    ``(B) becomes aware of information indicating an 
                unusual pattern of misuse of sensitive financial 
                personal information handled by a consumer reporter 
                indicative of financial fraud; or
                    ``(C) receives a notice under subsection (e).
            ``(2) Scope of investigation.--Such investigation shall be 
        conducted in a manner commensurate with the nature and the 
        amount of the sensitive financial personal information that is 
        subject to the breach of data security, including appropriate 
        actions to--
                    ``(A) assess the nature and scope of the potential 
                breach;
                    ``(B) identify the sensitive financial personal 
                information potentially involved;
                    ``(C) determine whether such information is usable 
                by the parties causing the breach; and
                    ``(D) determine the likelihood that such 
                information has been, or will be, misused in a manner 
                that may cause harm or inconvenience to the related 
                consumer.
            ``(3) Encryption and other safeguards.--
                    ``(A) Suggested safeguards.--The regulators 
                described in subsection (k)(1) shall jointly develop 
                standards and guidelines to identify and regularly 
                update appropriate technology safeguards for making 
                consumer reporter's sensitive financial personal 
                information unusable in a manner commensurate with the 
                nature and the amount of such information, including--
                            ``(i) consideration of the encryption 
                        standards adopted by the National Institute of 
                        Standards and Technology for use by the Federal 
                        Government; and
                            ``(ii) appropriate management and 
                        protection of keys or codes necessary to 
                        protect the integrity of encrypted information.
                    ``(B) Safeguard factors.--In determining the 
                likelihood of a data security breach, a consumer 
                reporter may consider whether the information subject 
                to the potential breach is unusable because it is 
                encrypted, redacted, requires technology to use that is 
                not generally commercially available, or has otherwise 
                similarly been rendered unreadable.
                    ``(C) Safe harbor for protected data.--As set forth 
                in the standards and guidelines issued pursuant to 
                subparagraph (A), a consumer reporter may reasonably 
                conclude that a data security breach is not likely to 
                have occurred where the sensitive personal financial 
                information involved has been encrypted, redacted, 
                requires technology to use that is not generally 
                commercially available, or is otherwise unlikely to be 
                usable.
                    ``(D) Exception.--Subparagraphs (B) and (C) shall 
                not apply if the consumer reporter becomes aware of 
                information that would reasonably indicate that the 
                information that was the subject of the potential 
                breach is usable by the entities causing the breach or 
                potentially misusing the information, for example 
                because--
                            ``(i) an encryption code is potentially 
                        compromised;
                            ``(ii) the entities are believed to have 
                        the technology to access the information; or
                            ``(iii) there is an unusual pattern of 
                        misuse of such information indicative of 
                        financial fraud.
    ``(c) Breach Notices.--If a consumer reporter determines that a 
breach of data security has occurred, is likely to have occurred, or is 
unavoidable, the consumer reporter shall in the order listed--
            ``(1) promptly notify the United States Secret Service;
            ``(2) promptly notify the appropriate functional regulatory 
        agency for the consumer reporter;
            ``(3) notify as appropriate and without unreasonable 
        delay--
                    ``(A) any third party entity that owns or is 
                obligated on an affected financial account as set forth 
                in the standards or guidelines pursuant to subsection 
                (k)(1)(G), including in such notification information 
                reasonably identifying the nature and scope of the 
                breach and the sensitive financial personal information 
                involved; and
                    ``(B) any other appropriate critical third parties 
                whose involvement is necessary to investigate the 
                breach; and
            ``(4) without unreasonable delay notify any affected 
        consumers to the extent required in subsection (f), as well 
        as--
                    ``(A) each nationwide consumer reporting agency, in 
                the case of a breach involving sensitive financial 
                identity information relating to 1,000 or more 
                consumers; and
                    ``(B) any other appropriate critical third parties 
                who will be required to undertake further action with 
                respect to such information to protect such consumers 
                from resulting fraud or identity theft.
    ``(d) System Restoration Requirements.--If a consumer reporter 
determines that a breach of data security has occurred, is likely to 
have occurred, or is unavoidable, the consumer reporter shall take 
prompt and reasonable measures to--
            ``(1) repair the breach and restore the security and 
        confidentiality of the sensitive financial personal information 
        involved to limit further unauthorized misuse of such 
        information; and
            ``(2) restore the integrity of the consumer reporter's data 
        security safeguards and make appropriate improvements to its 
        data security policies and procedures.
    ``(e) Third Party Duties.--
            ``(1) Coordinated investigation.--Whenever any consumer 
        reporter that handles sensitive financial personal information 
        for or on behalf of another party becomes aware that an 
        investigation is required under subsection (b) with respect to 
        such information, the consumer reporter shall--
                    ``(A) promptly notify the other party of the 
                breach;
                    ``(B) conduct a coordinated investigation with the 
                other party as described in subsection (b); and
                    ``(C) ensure that the appropriate notices are 
                provided as required under subsection (f).
            ``(2) Contractual obligation required.--No consumer 
        reporter may provide sensitive financial personal information 
        to a third party, unless such third party agrees to fulfill the 
        obligations imposed by subsections (a), (d), and (h), as well 
        as that whenever the third party becomes aware that a breach of 
        data security has occurred, is reasonably likely to have 
        occurred, or is unavoidable, with respect to such information, 
        the third party shall be obligated--
                    ``(A) to provide notice of the potential breach to 
                the consumer reporter;
                    ``(B) to conduct a coordinated investigation with 
                the consumer reporter to identify the sensitive 
                financial personal information involved and determine 
                if the potential breach is reasonably likely to result 
                in harm or inconvenience to any consumer to whom the 
                information relates; and
                    ``(C) provide any notices required under this 
                section, except to the extent that such notices are 
                provided by the consumer reporter in a manner meeting 
                the requirements of this section.
    ``(f) Consumer Notice.--
            ``(1) Potential identity theft risk and fraudulent 
        transaction risk.--A consumer reporter shall provide a consumer 
        notice if, at any point, the consumer reporter becomes aware--
                    ``(A) that a breach of data security is reasonably 
                likely to have occurred or be unavoidable, with respect 
                to sensitive financial personal information handled by 
                the consumer reporter;
                    ``(B) of information reasonably identifying the 
                nature and scope of the breach; and
                    ``(C) that such information is reasonably likely to 
                have been or to be misused in a manner causing harm or 
                inconvenience against the consumers to whom such 
                information relates to--
                            ``(i) commit identity theft if the 
                        information is sensitive financial identity 
                        information, or
                            ``(ii) make fraudulent transactions on such 
                        consumers' financial accounts if the 
                        information is sensitive financial account 
                        information.
            ``(2) Security program safeguards and regulations.--
                    ``(A) Standards for safeguards.--The regulators 
                described in subsection (k)(1) shall issue guidelines 
                relating to the types of sophisticated neural networks 
                and security programs that are likely to detect 
                fraudulent account activity and at what point detection 
                of such activity is sufficient to avoid consumer notice 
                under this subsection.
                    ``(B) Alternative safeguards.--In determining the 
                likelihood of misuse of sensitive financial account 
                information and whether a notice is required under 
                paragraph (1), the consumer reporter may additionally 
                consider--
                            ``(i) consistent with any standards 
                        promulgated under subparagraph (A), whether any 
                        neural networks or security programs used by, 
                        or on behalf of, the consumer reporter have 
                        detected, or are likely to detect on an ongoing 
                        basis over a reasonable period of time, 
                        fraudulent transactions resulting from the 
                        breach of data security; or
                            ``(ii) whether no harm or inconvenience is 
                        reasonably likely to have occurred, because for 
                        example the related consumer account has been 
                        closed or its number has been changed.
            ``(3) Coordination with the fair debt collection practices 
        act.--The provision of a notice to the extent such notice and 
        its contents are required under this section shall not be 
        considered a communication under the Fair Debt Collection 
        Practices Act.
            ``(4) Coordination of consumer notice database.--
                    ``(A) In general.--The Commission shall coordinate 
                with the other government entities identified in this 
                section to create a publicly available list of data 
                security breaches that have triggered a notice to 
                consumers under this subsection within the last 12 
                months.
                    ``(B) Listed information.--The publicly available 
                list described in subparagraph (A) shall include the 
                following:
                            ``(i) The identity of the party responsible 
                        that suffered the breach.
                            ``(ii) A general description of the nature 
                        and scope of the breach.
                            ``(iii) Any financial fraud mitigation or 
                        other services provided by such party to the 
                        affected consumers, including the telephone 
                        number and other appropriate contact 
                        information for accessing such services.
    ``(g) Timing, Content, and Manner of Notices.--
            ``(1) Delay of notice for law enforcement purposes.--If a 
        consumer reporter receives a written request from an 
        appropriate law enforcement agency indicating that the 
        provision of a notice under subsection (c)(3) or (f) would 
        impede a criminal or civil investigation by that law 
        enforcement agency, or an oral request from an appropriate law 
        enforcement agency indicating that such a written request will 
        be provided within 2 business days--
                    ``(A) the consumer reporter shall delay, or in the 
                case of a foreign law enforcement agency may delay, 
                providing such notice until--
                            ``(i) the law enforcement agency informs 
                        the consumer reporter that such notice will no 
                        longer impede the investigation; or
                            ``(ii) the law enforcement agency fails 
                        to--
                                    ``(I) provide within 10 days a 
                                written request to continue such delay 
                                for a specific time that is approved by 
                                a court of competent jurisdiction; or
                                    ``(II) in the case of an oral 
                                request for a delay, provide a written 
                                request within 2 business days, and if 
                                such delay is requested for more than 
                                10 additional days, such request must 
                                be approved by a court of competent 
                                jurisdiction; and
                    ``(B) the consumer reporter may--
                            ``(i) conduct appropriate security measures 
                        that are not inconsistent with such request; 
                        and
                            ``(ii) contact such law enforcement agency 
                        to determine whether any such inconsistency 
                        would be created by such measures.
            ``(2) Hold harmless provision.--A consumer reporter shall 
        not be liable for any fraud mitigation costs or for any losses 
        that would not have occurred but for notice to or the provision 
        of sensitive financial personal information to law enforcement, 
        or the delay provided for under this subsection, except that--
                    ``(A) nothing in this subparagraph shall be 
                construed as creating any inference with respect to the 
                establishment or existence of any such liability; and
                    ``(B) this subparagraph shall not apply if the 
                costs or losses would not have occurred had the 
                consumer reporter undertaken reasonable system 
                restoration requirements to the extent required under 
                subsection (d), or other similar provision of law, 
                except to the extent that such system restoration was 
                delayed at the request of law enforcement.
            ``(3) Content of consumer notice.--Any notice required to 
        be provided by a consumer reporter to a consumer under 
        subsection (f)(1), and any notice required in accordance with 
        subsection (e)(2)(A), shall be provided in a standardized 
        transmission or exclusively colored envelope, and shall include 
        the following in a clear and conspicuous manner:
                    ``(A) An appropriate heading or notice title.
                    ``(B) A description of the nature and types of 
                information and accounts as appropriate that were, or 
                are reasonably believed to have been, subject to the 
                breach of data security.
                    ``(C) A statement identifying the party 
                responsible, if known, that suffered the breach, 
                including an explanation of the relationship of such 
                party to the consumer.
                    ``(D) If known, the date, or the best reasonable 
                approximation of the period of time, on or within which 
                sensitive financial personal information related to the 
                consumer was, or is reasonably believed to have been, 
                subject to a breach.
                    ``(E) A general description of the actions taken by 
                the consumer reporter to restore the security and 
                confidentiality of the breached information.
                    ``(F) A telephone number by which a consumer to 
                whom the breached information relates may call free of 
                charge to obtain additional information about how to 
                respond to the breach.
                    ``(G) With respect to notices involving sensitive 
                financial identity information, a copy of the summary 
                of rights of consumer victims of fraud or identity 
                theft prepared by the Commission under section 609(d), 
                as well as any additional appropriate information on 
                how the consumer may--
                            ``(i) obtain a copy of a consumer report 
                        free of charge in accordance with section 612;
                            ``(ii) place a fraud alert in any file 
                        relating to the consumer at a consumer 
                        reporting agency under section 605A to 
                        discourage unauthorized use; and
                            ``(iii) contact the Commission for more 
                        detailed information.
                    ``(H) With respect to notices involving sensitive 
                financial identity information, a prominent statement 
                in accordance with subsection (h) that file monitoring 
                will be made available to the consumer free of charge 
                for a period of not less than six months, together with 
                a telephone number for requesting such services, and 
                may also include such additional contact information as 
                a mailing address, e-mail, or Internet website address.
                    ``(I) The approximate date the notice is being 
                issued.
            ``(4) Other transmission of notice.--The notice described 
        in paragraph (3) may be made by other means of transmission 
        (such as electronic or oral) to a consumer only if--
                    ``(A) the consumer has affirmatively consented to 
                such use, has not withdrawn such consent, and with 
                respect to electronic transmissions is provided with 
                the appropriate statements related to such consent as 
                described in section 101(c)(1) of the Electronic 
                Signatures in Global and National Commerce Act; and
                    ``(B) all of the relevant information in paragraph 
                (3) is communicated to such consumer in such 
                transmission.
            ``(5) Duplicative notices.--
                    ``(A) In general.--A consumer reporter, whether 
                acting directly or in coordination with another 
                entity--
                            ``(i) shall not be required to provide more 
                        than 1 notice with respect to any breach of 
                        data security to any affected consumer, so long 
                        as such notice meets all the applicable 
                        requirements of this section, and
                            ``(ii) shall not be required to provide a 
                        notice with respect to any consumer if a notice 
                        meeting the applicable requirements of this 
                        section has already been provided to such 
                        consumer by another entity.
                    ``(B) Updating notices.--If a consumer notice is 
                provided to consumers pursuant only to subsection 
                (f)(1)(C)(ii) (relating to sensitive financial account 
                information), and the consumer reporter subsequently 
                becomes aware of a reasonable likelihood that sensitive 
                financial personal information involved in the breach 
                is being misused in a manner causing harm or 
                inconvenience against such consumer to commit identity 
                theft, an additional notice shall be provided to such 
                consumers as well as any other appropriate parties under 
                this section, including a copy of the Commission's 
                summary of rights and file monitoring mitigation 
                instructions under subparagraphs (G) and (H) of 
                paragraph (3).
            ``(6) Responsibility and costs.--
                    ``(A) In general.--Except as otherwise established 
                by written agreement between the consumer reporter and 
                its agents or third party servicers, the entity that 
                suffered a breach of data security shall be--
                            ``(i) primarily responsible for providing 
                        any consumer notices and file monitoring 
                        required under this section with respect to 
                        such breach; and
                            ``(ii) responsible for the reasonable 
                        actual costs of any notices provided under this 
                        section.
                    ``(B) Identification to consumers.--No such 
                agreement shall restrict the ability of a consumer 
                reporter to identify the entity responsible for the 
                breach to consumers.
                    ``(C) No charge to consumers.--The cost for the 
                notices and file monitoring described in subparagraph 
                (A) may not be charged to the related consumers.
    ``(h) Financial Fraud Mitigation.--
            ``(1) Free file monitoring.--Any consumer reporter that is 
        required to provide notice to a consumer under subsection 
        (f)(1)(C)(i), or that is deemed to be in compliance with such 
        requirement by operation of subsection (j), if requested by the 
        consumer before the end of the 90-day period beginning on the 
        date of such notice, shall make available to the consumer, free 
        of charge and for at least a 6-month period--
                    ``(A) a service that monitors nationwide credit 
                activity regarding a consumer from a consumer reporting 
                agency described in section 603(p); or
                    ``(B) a service that provides identity-monitoring 
                to consumers on a nationwide basis that meets the 
                guidelines described in paragraph (2).
            ``(2) Identity monitoring networks.--The regulators 
        described in subsection (k)(1) shall issue guidelines on the 
        type of identity monitoring networks that are likely to detect 
        fraudulent identity activity regarding a consumer on a 
        nationwide basis and would satisfy the requirements of 
        paragraph (1).
            ``(3) Joint rulemaking for safe harbor.--In accordance with 
        subsection (j), the Secretary of the Treasury, the Board of 
        Governors of the Federal Reserve System, and the Commission 
        shall jointly develop standards and guidelines, which shall be 
        issued by all functional regulatory agencies, that, in any case 
        in which--
                    ``(A) free file monitoring is offered under 
                paragraph (1) to a consumer;
                    ``(B) subsequent to the offer, another party 
                misuses sensitive financial identity information on the 
                consumer obtained through the breach of data security 
                (that gave rise to such offer) to commit identity theft 
                against the consumer; and
                    ``(C) at the time of such breach the consumer 
                reporter met the requirements of subsections (a) and 
                (d),
        exempts the consumer reporter from any liability for any harm 
        to the consumer resulting from such misuse, other than any 
        direct pecuniary loss or loss pursuant to agreement by the 
        consumer reporter, except that nothing in this paragraph shall 
        be construed as creating any inference with respect to the 
        establishment or existence of any such liability.
    ``(i) Credit Security Freeze.--
            ``(1) Definitions.--For purposes of this subsection, the 
        following definitions shall apply:
                    ``(A) Security freeze.--The term `security freeze' 
                means a notice placed in a credit report on a consumer, 
                at the request of the consumer who is a victim of 
                identity theft, that prohibits the consumer reporting 
                agency from releasing all or any part of the credit 
                report, without the express authorization of the 
                consumer, except as otherwise provided in this section.
                    ``(B) Reviewing the account; account review.--The 
                terms `reviewing the account' and `account review' 
                include activities related to account maintenance, 
                monitoring, credit line increases, and account upgrades 
                and enhancements.
            ``(2) Request for a security freeze.--
                    ``(A) In general.--A consumer who has been the 
                victim of identity theft may place a security freeze on 
                the file of such consumer at any consumer reporting 
                agency by--
                            ``(i) making a request in writing by 
                        certified mail to the consumer reporting 
                        agency;
                            ``(ii) submitting an identity theft report 
                        to the consumer reporting agency; and
                            ``(iii) providing such evidence of the 
                        identity of the consumer as such consumer 
                        reporting agency may require under paragraph 
                        (5).
                    ``(B) Prompt imposition of freeze.--A consumer 
                reporting agency shall place a security freeze on a 
                credit report on a consumer no later than 5 business 
                days after receiving a written request from the 
                consumer in accordance with subparagraph (A).
                    ``(C) Effect of freeze.--
                            ``(i) In general.--Except as otherwise 
                        provided in this subsection, if a security 
                        freeze is in place with respect to any 
                        consumer, information from the consumer's 
                        credit report may not be released by the 
                        consumer reporting agency or reseller to any 
                        third party, including another consumer 
                        reporting agency or reseller, without the prior 
                        express authorization from the consumer or as 
                        otherwise permitted in this section.
                            ``(ii) Advising of existence of security 
                        freeze.--Clause (i) shall not be construed as 
                        preventing a consumer reporting agency or 
                        reseller from advising a third party that a 
                        security freeze is in effect with respect to 
                        the credit report on the consumer.
                    ``(D) Confirmation of freeze; access code.--Any 
                consumer reporting agency that receives a consumer 
                request for a security freeze in accordance with 
                subparagraph (A) shall--
                            ``(i) send a written confirmation of the 
                        security freeze to the consumer within 10 
                        business days of placing the freeze; and
                            ``(ii) at the same time, provide the 
                        consumer with a unique personal identification 
                        number or password (other than the Social 
                        Security account number of any consumer) to be 
                        used by the consumer when providing 
                        authorization for the release of the credit 
                        report of the consumer to a specific party or 
                        for a specific period of time.
            ``(3) Access pursuant to consumer authorization during 
        security freeze.--
                    ``(A) Notice by consumer.--If the consumer wishes 
                to allow the credit report on the consumer to be 
                accessed by a specific party or for a specific period 
                of time while a freeze is in place, the consumer 
                shall--
                            ``(i) contact the consumer reporting agency 
                        in any manner the agency may provide;
                            ``(ii) request that the security freeze be 
                        temporarily lifted; and
                            ``(iii) provide--
                                    ``(I) proper identification;
                                    ``(II) the unique personal 
                                identification number or password 
                                provided by the consumer reporting 
                                agency pursuant to paragraph 
                                (2)(D)(ii); and
                                    ``(III) the proper information 
                                regarding the third party who is to 
                                receive the credit report or the time 
                                period for which the report shall be 
                                available to users of the credit 
                                report.
                    ``(B) Timely response required.--A consumer 
                reporting agency that receives a request from a 
                consumer to temporarily lift a security freeze on a 
                credit report in accordance with subparagraph (A) shall 
                comply with the request no later than 3 business days 
                after receiving the request.
                    ``(C) Procedures for requests.--A consumer 
                reporting agency may develop procedures involving the 
                use of telephone, fax, or, upon the consent of the 
                consumer in the manner required by the Electronic 
                Signatures in Global and National Commerce Act for 
                notices legally required to be in writing, by the 
                Internet, e-mail, or other electronic medium to receive 
                and process a request from a consumer to temporarily 
                lift a security freeze on a credit report pursuant to 
                subparagraph (A) in an expedited manner.
            ``(4) Lifting or removing security freeze.--
                    ``(A) In general.--A consumer reporting agency may 
                remove or temporarily lift a security freeze placed on 
                a credit report on a consumer only in the following 
                cases:
                            ``(i) Upon receiving a consumer request for 
                        a temporary lift of the security freeze in 
                        accordance with paragraph (3)(A).
                            ``(ii) Upon receiving a consumer request 
                        for the removal of the security freeze in 
                        accordance with subparagraph (C).
                            ``(iii) Upon a determination by the 
                        consumer reporting agency that the security 
                        freeze was imposed on the credit report due to 
                        a material misrepresentation of fact by the 
                        consumer.
                    ``(B) Notice to consumer of determination.--If a 
                consumer reporting agency makes a determination 
                described in subparagraph (A)(iii) with respect to a 
                security freeze imposed on the credit report on any 
                consumer, the consumer reporting agency shall notify 
                the consumer of such determination in writing prior to 
                removing the security freeze on such credit report.
                    ``(C) Removing security freeze.--
                            ``(i) In general.--Except as provided in 
                        this subsection, a security freeze shall remain 
                        in place until the consumer requests that the 
                        security freeze be removed.
                            ``(ii) Procedure for removing security 
                        freeze.--A consumer reporting agency shall 
                        remove a security freeze within 3 business days 
                        of receiving a request for removal from the 
                        consumer who provides--
                                    ``(I) proper identification; and
                                    ``(II) the unique personal 
                                identification number or password 
                                provided by the consumer reporting 
                                agency pursuant to paragraph 
                                (2)(D)(ii).
            ``(5) Proper identification required.--A consumer reporting 
        agency shall require proper identification of any person who 
        makes a request to impose, temporarily lift, or permanently 
        remove a security freeze on the credit report of any consumer 
        under this section.
            ``(6) Third party requests.--If--
                    ``(A) a third party requests access to a consumer's 
                credit report on which a security freeze is in effect 
                under this section in connection with an application by 
                the consumer for credit or any other use; and
                    ``(B) the consumer does not allow the consumer's 
                credit report to be accessed by that specific party or 
                during the specific period such application is pending,
        the third party may treat the application as incomplete.
            ``(7) Certain entity exemptions.--
                    ``(A) Aggregators and other agencies.--This 
                subsection shall not apply to a consumer reporting 
                agency that acts only as a reseller of credit 
                information by assembling and merging information 
                contained in the database of another consumer reporting 
                agency or multiple consumer reporting agencies, and 
                does not maintain a permanent database of credit 
                information from which new credit reports are produced.
                    ``(B) Other exempted entities.--The following 
                entities shall not be required to place a security 
                freeze in a credit report:
                            ``(i) An entity which provides check 
                        verification or fraud prevention services, 
                        including but not limited to, reports on 
                        incidents of fraud, verification or 
                        authentication of a consumer's identification, 
                        or authorizations for the purpose of approving 
                        or processing negotiable instruments, 
                        electronic funds transfers, or similar methods 
                        of payments.
                            ``(ii) A deposit account information 
                        service company, which issues reports regarding 
                        account closures due to fraud, substantial 
                        overdrafts, automated teller machine abuse, or 
                        similar negative information regarding a 
                        consumer, to inquiring banks or other financial 
                        institutions for use only in reviewing a 
                        consumer request for a deposit account at the 
                        inquiring bank or other financial institution.
            ``(8) Exceptions.--This subsection shall not apply with 
        respect to the use of a consumer credit report by any of the 
        following for the purpose described:
                    ``(A) A person, or any affiliate, agent, or 
                assignee of any person, with whom the consumer has or, 
                prior to an assignment, had an account, contract, or 
                debtor-creditor relationship for the purposes of 
                reviewing the account or collecting the financial 
                obligation owing for the account, contract, or debt.
                    ``(B) An affiliate, agent, assignee, or prospective 
                assignee of a person to whom access has been granted 
                under paragraph (3) for purposes of facilitating the 
                extension of credit or other permissible use of the 
                report in accordance with the consumer's request under 
                such paragraph.
                    ``(C) Any State or local agency, law enforcement 
                agency, trial court, or person acting pursuant to a 
                court order, warrant, or subpoena.
                    ``(D) A Federal, State, or local agency that 
                administers a program for establishing and enforcing 
                child support obligations for the purpose of 
                administering such program.
                    ``(E) A Federal, State, or local health agency, or 
                any agent or assignee of such agency, acting to 
                investigate fraud within the jurisdiction of such 
                agency.
                    ``(F) A Federal, State, or local tax agency, or any 
                agent or assignee of such agency, acting to investigate 
                or collect delinquent taxes or unpaid court orders or 
                to fulfill any other statutory responsibility of 
                such agency.
                    ``(G) Any person that intends to use the 
                information in accordance with section 604(c).
                    ``(H) Any person administering a credit file 
                monitoring subscription or similar service to which the 
                consumer has subscribed.
                    ``(I) Any person for the purpose of providing a 
                consumer with a copy of the credit report or credit 
                score of the consumer upon the consumer's request.
            ``(9) Prohibition on fee.--A consumer reporting agency may 
        not impose a fee for placing, removing, or removing for a 
        specific party or parties a security freeze on a credit report.
            ``(10) Notice of rights.--At any time that a consumer is 
        required to receive a summary of rights required under section 
        609(c)(1) or 609(d)(1) the following notice shall be included:
                    ```Consumers Who Are Victims of Identity Theft Have 
                the Right to Obtain a Security Freeze on Your Consumer 
                Report
                    ```You may obtain a security freeze on your 
                consumer credit report at no charge if you are a victim 
                of identity theft and you submit a copy of an identity 
                theft report you have filed with a law enforcement 
                agency about unlawful use of your personal information 
                by another person.
                    ```The security freeze will prohibit a credit 
                reporting agency from releasing any information in your 
                consumer credit report without your express 
                authorization. A security freeze must be requested in 
                writing by certified mail.
                    ```The security freeze is designed to prevent 
                credit, loans, and services from being approved in your 
                name without your consent. However, you should be aware 
                that using a security freeze to take control over who 
                gains access to the personal and financial information 
                in your consumer credit report may delay, interfere 
                with, or prohibit the timely approval of any subsequent 
                request or application you make regarding new loans, 
                credit, mortgage, insurance, government services or 
                payments, rental housing, employment, investment, 
                license, cellular phone, utilities, digital signature, 
                internet credit card transaction, or other services, 
                including an extension of credit at point of sale.
                    ```When you place a security freeze on your 
                consumer credit report, within 10 business days you 
                will be provided a personal identification number or 
                password to use if you choose to remove the freeze on 
                your consumer credit report or authorize the release of 
                your consumer credit report for a specific party, 
                parties or period of time after the freeze is in place.
                    ```To provide that authorization, you must contact 
                the consumer reporting agency and provide all of the 
                following: (1) The unique personal identification 
                number or password provided by the consumer reporting 
                agency; (2) Proper identification to verify your 
                identity; (3) The proper information regarding the third 
                party or parties who are trying to receive the consumer 
                credit report or the period of time for which the 
                report shall be available to users of the consumer 
                report.
                    ```A consumer reporting agency that receives a 
                request from a consumer to lift temporarily a freeze on 
                a consumer credit report shall comply with the request 
                no later than 3 days after receiving the request.
                    ```A security freeze does not apply to a person or 
                entity, or its affiliates, or collection agencies 
                acting on behalf of the person or entity with which you 
                have an existing account that requests information in 
                your consumer credit report for the purposes of 
                reviewing or collecting the account, if you have 
                previously given your consent to this use of your 
                consumer credit report. Reviewing the account includes 
                activities related to account maintenance, monitoring, 
                credit line increases, and account up-grades and 
                enhancements.
                    ```If you are actively seeking credit, you should 
                understand that the procedures involved in lifting a 
                security freeze may slow your own applications for 
                credit. You should plan ahead and lift a freeze, either 
                completely or temporarily if you are shopping around, 
                or specifically for a certain creditor, a few days 
                before actually applying for new credit.'.
    ``(j) Effect on GLBA.--
            ``(1) Depository institutions.--The current and any future 
        breach notice regulations and guidelines under section 501(b) 
        of the Gramm-Leach-Bliley Act with respect to depository 
        institutions shall be superseded, as of the effective date of 
        the regulations required under subsection (k)(3)(A), relating 
        to the specific requirements of this section.
            ``(2) Nondepository institutions.--The current and any 
        future data security regulations and guidelines under section 
        501(b) of the Gramm-Leach-Bliley Act with respect to 
        nondepository institutions shall be superseded as of the 
        effective date of the regulations required under subsection 
        (k)(3)(A), relating to the responsibilities under this section.
    ``(k) Uniform Data Security Safeguard Regulations.--
            ``(1) Uniform standards.--The Secretary of the Treasury, 
        the Board of Governors of the Federal Reserve System, and the 
        Commission shall jointly, and the Federal functional regulatory 
        agencies that have issued guidance on consumer breach 
        notification shall jointly with respect to the entities under 
        their jurisdiction, develop standards and guidelines to 
        implement this section, including--
                    ``(A) prescribing specific standards with respect 
                to subsection (g)(3) setting forth a reasonably unique 
                and, pursuant to paragraph (2)(B), exclusive color and 
                titling of the notice, and standardized formatting of 
                the notice contents described under such subsection to 
                standardize such communications and make them more 
                likely to be reviewed, and understood by, and helpful 
                to consumers, including to the extent possible placing 
                the critical information for consumers in an easily 
                understood and prominent text box at the top of each 
                notice;
                    ``(B) providing in such standards and guidelines 
                that the responsibility of a consumer reporter to 
                provide notice under this section--
                            ``(i) has been satisfied with respect to 
                        any particular consumer, even if the consumer 
                        reporter is unable to contact the consumer, so 
                        long as the consumer reporter has made 
                        reasonable efforts to obtain a current address 
                        or other current contact information with 
                        respect to such consumer;
                            ``(ii) may be made by public notice in 
                        appropriate cases in which--
                                    ``(I) such reasonable efforts 
                                described in clause (i) have failed; or
                                    ``(II) a breach of data security 
                                involves a loss or unauthorized 
                                acquisition of sensitive financial 
                                personal information in paper documents 
                                or records that has been determined to 
                                be usable, but the identities of 
                                specific consumers are not 
                                determinable; and
                            ``(iii) with respect to paragraph (3) of 
                        subsection (c), may be communicated to entities 
                        in addition to those specifically required 
                        under such paragraph through any reasonable 
                        means, such as through an electronic 
                        transmission normally received by all of the 
                        consumer reporter's business customers; and
                    ``(C) providing in such standards and guidelines 
                elaboration on how to determine whether a technology is 
                generally commercially available for the purposes of 
                subsection (b), focusing on the availability of such 
                technology to persons who potentially could seek to 
                breach the data security of the consumer reporter, and 
                how to determine whether the information is likely to 
                be usable under subsection (b)(3);
                    ``(D) providing for a reasonable and fair manner of 
                providing required consumer notices where the entity 
                that directly suffered the breach is unavailable to pay 
                for such notices, because for example the entity is 
                bankrupt, outside of the jurisdiction of the United 
                States, or otherwise cannot be compelled to provide 
                such notice;
                    ``(E) providing for periodic instead of individual 
                notices to regulators and law enforcement under 
                subsection (c)(1) and (2) where the consumer reporter 
                determines that only a de minimis number of consumers 
                are reasonably likely to be affected;
                    ``(F) providing, to the extent appropriate, notice 
                to the United States Secret Service, a consumer 
                reporter's functional regulator, and the entities 
                described in paragraphs (1) through (3) of subsection 
                (c), whenever the consumer reporter's sensitive 
                financial personal information has been lost or 
                illegally obtained but such loss or acquisition does 
                not result in a breach, for example because the 
                information was sufficiently encrypted or otherwise 
                unusable; and
                    ``(G) establishing what types of accounts might be 
                subject to unauthorized transactions after a breach 
                involving sensitive financial account information, for 
                example because such accounts are open-end credit plans 
                or are described in section 903(2) of the Electronic 
                Fund Transfer Act.
            ``(2) Model notice forms.--
                    ``(A) In general.--The Secretary of the Treasury, 
                Board of Governors of the Federal Reserve System, and 
                the Commission shall jointly establish and publish 
                model forms and disclosure statements to facilitate 
                compliance with the notice requirements of subsection 
                (g) and to aid the consumer in understanding the 
                information required to be disclosed relating to a 
                breach of data security and the options and services 
                available to the consumer for obtaining additional 
                information, consumer reports, and credit monitoring 
                services.
                    ``(B) Use optional.--A consumer reporter may 
                utilize a model notice or any model statement 
                established under this paragraph for purposes of 
                compliance with this section, at the discretion of the 
                consumer reporter.
                    ``(C) Effect of use.--A consumer reporter that uses 
                a model notice form or disclosure statement established 
                under this paragraph shall be deemed to be in 
                compliance with the requirement to provide the required 
                disclosure to consumers to which the form or statement 
                relates.
            ``(3) Enforcement.--
                    ``(A) Regulations.--Each of the functional 
                regulatory agencies shall prescribe such regulations as 
                may be necessary, consistent with the standards in 
                paragraph (1), to ensure compliance with this section 
                with respect to the persons subject to the jurisdiction 
                of such agency under subsection (l).
                    ``(B) Misuse of unique color and titles of 
                notices.--Any person who uses the unique color and 
                titling adopted under paragraph (1)(A) for notices 
                under subsection (f)(1) in a way that is likely to 
                create a false belief in a consumer that a 
                communication is such a notice shall be liable in the 
                same manner and to the same extent as a debt collector 
                is liable under section 813 for any failure to comply 
                with any provision of the Fair Debt Collection 
                Practices Act.
            ``(4) Procedures and deadline.--
                    ``(A) Procedures.--Standards and guidelines issued 
                under this subsection shall be issued in accordance 
                with applicable requirements of title 5, United States 
                Code.
                    ``(B) Deadline for initial standards and 
                guidelines.--The standards and guidelines required to 
                be issued under paragraph (1) shall be published in 
                final form before the end of the 9-month period 
                beginning on the date of the enactment of the Financial 
                Data Protection Act of 2006.
                    ``(C) Deadline for enforcement regulations.--The 
                standards and guidelines required to be issued under 
                paragraph (2) shall be published in final form before 
                the end of the 6-month period beginning on the date 
                standards and guidelines described in subparagraph (B) 
                are published in final form.
                    ``(D) Authority to grant exceptions.--The 
                regulations prescribed under paragraph (2) may include 
                such additional exceptions to this section as are 
                deemed jointly by the functional regulatory agencies to 
                be consistent with the purposes of this section if such 
                exceptions are necessary because of some unique aspect 
                of the entities regulated or laws governing such 
                entities; and such exemptions are narrowly tailored to 
                protect the purposes of this Act.
                    ``(E) Consultation and coordination.--The Secretary 
                of the Treasury, the Board of Governors of the Federal 
                Reserve System, and the Commission shall consult and 
                coordinate with the other functional regulatory 
                agencies to the extent appropriate in prescribing 
                regulations under this subsection.
                    ``(F) Failure to meet deadline.--Any agency or 
                authority required to publish standards and guidelines 
                or regulations under this subsection that fails to meet 
                the deadline for such publishing shall submit a report 
                to the Congress within 30 days of such deadline 
                describing--
                            ``(i) the reasons for the failure to meet 
                        such deadline;
                            ``(ii) when the agency or authority expects 
                        to complete the publication required; and
                            ``(iii) the detriment such failure to 
                        publish by the required deadline will have on 
                        consumers and other affected parties.
                    ``(G) Uniform implementation and interpretation.--
                It is the intention of the Congress that the agencies 
                and authorities described in subsection (l)(1)(G) will 
                implement and interpret their enforcement regulations, 
                including any exceptions provided under subparagraph 
                (D), in a uniform manner.
            ``(5) Appropriate exemptions or modifications.--The 
        Secretary of the Treasury, the Board of Governors of the 
        Federal Reserve System, and the Commission, in consultation 
        with the Administrator of the Small Business Administration and 
        the functional regulatory agencies, shall provide appropriate 
        exemptions or modifications from requirements of this section 
        relating to sensitive financial personal information for 
        consumer reporters that do not maintain, service, or 
        communicate a large quantity of such information, taking into 
        account the degree of sensitivity of such information, the 
        likelihood of misuse, and the degree of potential harm or 
        inconvenience to the related consumer.
            ``(6) Coordination.--
                    ``(A) In general.--Each functional regulatory 
                agency shall consult and coordinate with each other 
                functional regulatory agency so that, to the extent 
                possible, the regulations prescribed by each agency are 
                consistent and comparable.
                    ``(B) Model regulations.--In prescribing 
                implementing regulations under paragraph (1), the 
                functional regulatory agencies referred to in 
                such paragraph shall use the Gramm-Leach-Bliley Act 
                (including the guidance and regulations issued 
                thereunder) as a base, adding such other consumer 
                protections as appropriate under this section.
    ``(l) Administrative Enforcement.--
            ``(1) In general.--Notwithstanding section 616, 617, or 
        621, compliance with this section and the regulations 
        prescribed under this section shall be enforced by the 
        functional regulatory agencies with respect to financial 
        institutions and other persons subject to the jurisdiction of 
        each such agency under applicable law, as follows:
                    ``(A) Under section 8 of the Federal Deposit 
                Insurance Act, in the case of--
                            ``(i) national banks, Federal branches and 
                        Federal agencies of foreign banks, and any 
                        subsidiaries of such entities (except brokers, 
                        dealers, persons providing insurance, 
                        investment companies, and investment advisers), 
                        by the Comptroller of the Currency;
                            ``(ii) member banks of the Federal Reserve 
                        System (other than national banks), branches 
                        and agencies of foreign banks (other than 
                        Federal branches, Federal agencies, and insured 
                        State branches of foreign banks), commercial 
                        lending companies owned or controlled by 
                        foreign banks, organizations operating under 
                        section 25 or 25A of the Federal Reserve Act, 
                        and bank holding companies and their nonbank 
                        subsidiaries or affiliates (except brokers, 
                        dealers, persons providing insurance, 
                        investment companies, and investment advisers), 
                        by the Board of Governors of the Federal 
                        Reserve System;
                            ``(iii) banks insured by the Federal 
                        Deposit Insurance Corporation (other than 
                        members of the Federal Reserve System), insured 
                        State branches of foreign banks, and any 
                        subsidiaries of such entities (except brokers, 
                        dealers, persons providing insurance, 
                        investment companies, and investment advisers), 
                        by the Board of Directors of the Federal 
                        Deposit Insurance Corporation; and
                            ``(iv) savings associations the deposits of 
                        which are insured by the Federal Deposit 
                        Insurance Corporation, and any subsidiaries of 
                        such savings associations (except brokers, 
                        dealers, persons providing insurance, 
                        investment companies, and investment advisers), 
                        by the Director of the Office of Thrift 
                        Supervision.
                    ``(B) Under the Federal Credit Union Act, by the 
                Board of the National Credit Union Administration with 
                respect to any federally insured credit union, and any 
                subsidiaries of such an entity.
                    ``(C) Under the Securities Exchange Act of 1934, by 
                the Securities and Exchange Commission with respect to 
                any broker, dealer, or nonbank transfer agent.
                    ``(D) Under the Investment Company Act of 1940, by 
                the Securities and Exchange Commission with respect to 
                investment companies.
                    ``(E) Under the Investment Advisers Act of 1940, by 
                the Securities and Exchange Commission with respect to 
                investment advisers registered with the Commission 
                under such Act.
                    ``(F) Under the provisions of title XIII of the 
                Housing and Community Development Act of 1992, by the 
                Director of the Office of Federal Housing Enterprise 
                Oversight (and any successor to such functional 
                regulatory agency) with respect to the Federal National 
                Mortgage Association, the Federal Home Loan Mortgage 
                Corporation, and any other entity or enterprise or bank 
                (as defined in such title XIII) subject to the 
                jurisdiction of such functional regulatory agency under 
                such title, including any affiliate of any such 
                enterprise.
                    ``(G) Under State insurance law, in the case of any 
                person engaged in the business of insurance, by the 
                applicable State insurance authority of the State in 
                which the person is domiciled.
                    ``(H) Under the Federal Home Loan Bank Act, by the 
                Federal Housing Finance Board (and any successor to 
                such functional regulatory agency) with respect to the 
                Federal home loan banks and any other entity subject to 
                the jurisdiction of such functional regulatory agency, 
                including any affiliate of any such bank.
                    ``(I) Under the Federal Trade Commission Act, by 
                the Commission for any other person that is not subject 
                to the jurisdiction of any agency or authority under 
                subparagraphs (A) through (G) of this subsection, 
                except that for the purposes of this subparagraph a 
                violation of this section shall be treated as an unfair 
                and deceptive act or practice in violation of a 
                regulation under section 18(a)(1)(B) of the Federal 
                Trade Commission Act regarding unfair or deceptive acts 
                or practices.
            ``(2) Exercise of certain powers.--For the purpose of the 
        exercise by any agency referred to in paragraph (1) of its 
        powers under any Act referred to in such paragraph, a violation 
        of any requirement imposed under this section shall be deemed 
        to be a violation of a requirement imposed under that Act. In 
        addition to its powers under any provision of law specifically 
        referred to in paragraph (1), each of the agencies referred to 
        in that paragraph may exercise, for the purpose of enforcing 
        compliance with any requirement imposed under this section, any 
        other authority conferred on it by law.
            ``(3) Use of undistributed funds for financial education.--
        If--
                    ``(A) in connection with any administrative action 
                under this section, a fund is created or a functional 
                regulatory agency has obtained disgorgement; and
                    ``(B) the functional regulatory agency determines 
                that--
                            ``(i) due to the size of the fund to be 
                        distributed, the number of individuals 
                        affected, the nature of the underlying 
                        violation, or for other reasons, it would be 
                        infeasible to distribute such fund or 
                        disgorgement to the victims of the violation; 
                        or
                            ``(ii) there are excess monies remaining 
                        after the distribution of the fund or 
                        disgorgement to victims,
        the functional regulatory agency may issue an order in an 
        administrative proceeding requiring that the undistributed 
        amount of the fund or disgorgement be used in whole or in part 
        by the functional regulatory agency for education programs and 
        outreach activities of consumer groups, community based groups, 
        and the Financial Literacy and Education Commission established 
        under the Fair and Accurate Credit Transactions Act of 2003 
        that are consistent with and further the purposes of this 
        title.
    ``(m) Definitions.--For purposes of this section, the following 
definitions shall apply:
            ``(1) Breach of data security.--The term `breach of data 
        security' or `data security breach' means any loss, 
        unauthorized acquisition, or misuse of sensitive financial 
        personal information handled by a consumer reporter that could 
        be misused to commit financial fraud (such as identity theft or 
        fraudulent transactions made on financial accounts) in a manner 
        causing harm or inconvenience to a consumer.
            ``(2) Consumer.--The term `consumer' means an individual.
            ``(3) Consumer reporter and related terms.--
                    ``(A) Consumer financial file and consumer 
                reports.--The term `consumer financial file and 
                consumer reports' includes any written, oral, or other 
                communication of any information by a consumer reporter 
                bearing on a consumer's credit worthiness, credit 
                standing, credit capacity, character, general 
                reputation, personal characteristics, personal 
                identifiers, financial account information, or mode of 
                living.
                    ``(B) Consumer reporter.--The term `consumer 
                reporter' means any consumer reporting agency or 
                financial institution, or any person which, for 
                monetary fees, dues, on a cooperative nonprofit basis, 
                or otherwise regularly engages in whole or in part in 
                the practice of assembling or evaluating consumer 
                financial file and consumer reports, consumer credit 
                information, or other information on consumers, for the 
                purpose of furnishing consumer reports to third parties 
                or to provide or collect payment for or market products 
                and services, or for employment purposes, and which 
                uses any means or facility of interstate commerce for 
                such purposes.
            ``(4) Financial institution.--The term `financial 
        institution' means--
                    ``(A) any person the business of which is engaging 
                in activities that are financial in nature as described 
                in or determined under section 4(k) of the Bank Holding 
                Company Act;
                    ``(B) any person that is primarily engaged in 
                activities that are subject to the Fair Credit 
                Reporting Act; and
                    ``(C) any person that is maintaining, receiving, or 
                communicating sensitive financial personal information 
                on an ongoing basis for the purposes of engaging in 
                interstate commerce.
            ``(5) Functional regulatory agency.--The term `functional 
        regulatory agency' means any agency described in subsection (l) 
        with respect to the financial institutions and other persons 
        subject to the jurisdiction of such agency.
            ``(6) Handled by.--The term `handled by' includes, with 
        respect to sensitive financial personal information, any access 
        to or generation, maintenance, servicing, or ownership of such 
        information, as well as any transfer to or allowed access to or 
        similar sharing or servicing of such information by or with a 
        third party on a consumer reporter's behalf.
            ``(7) Nationwide consumer reporting agency.--The term 
        `nationwide consumer reporting agency' means--
                    ``(A) a consumer reporting agency described in 
                section 603(p);
                    ``(B) any person who notifies the Commission that 
                the person reasonably expects to become a consumer 
                reporting agency described in section 603(p) within a 
                reasonable time; and
                    ``(C) a consumer reporting agency described in 
                section 603(w) that notifies the Commission that the 
                person wishes to receive breach of data security 
                notices under this section that involve information of 
                the type maintained by such agency.
            ``(8) Neural network.--The term `neural network' means an 
        information security program that monitors financial account 
        transactions for potential fraud, using historical patterns to 
        analyze and identify suspicious financial account transactions.
            ``(9) Sensitive financial account information.--The term 
        `sensitive financial account information' means a financial 
        account number of a consumer, such as a credit card number or 
        debit card number, in combination with any required security 
        code, access code, biometric code, password, or other personal 
        identification information that would allow access to the 
        financial account.
            ``(10) Sensitive financial identity information.--The term 
        `sensitive financial identity information' means the first and 
        last name, the address, or the telephone number of a consumer, 
        in combination with any of the following of the consumer:
                    ``(A) Social Security number.
                    ``(B) Driver's license number or equivalent State 
                identification number.
                    ``(C) IRS Individual Taxpayer Identification 
                Number.
                    ``(D) IRS Adoption Taxpayer Identification Number.
                    ``(E) The consumer's deoxyribonucleic acid profile 
                or other unique biometric data, including fingerprint, 
                voice print, retina or iris image, or any other unique 
                physical representation.
            ``(11) Sensitive financial personal information.--The term 
        `sensitive financial personal information' means any 
        information that is sensitive financial account information, 
        sensitive financial identity information, or both.
            ``(12) Harm or inconvenience.--The term `harm or 
        inconvenience', with respect to a consumer, means financial 
        loss to or civil or criminal penalties imposed on the consumer 
        or the need for the consumer to expend significant time and 
        effort to correct erroneous information relating to the 
        consumer, including information maintained by consumer 
        reporting agencies, financial institutions, or government 
        entities, in order to avoid the risk of financial loss or 
        increased costs or civil or criminal penalties.
    ``(n) Relation to State Laws.--
            ``(1) In general.--No requirement or prohibition may be 
        imposed under the laws of any State with respect to the 
        responsibilities of any consumer reporter or the functional 
        equivalent of such responsibilities--
                    ``(A) to protect the security or confidentiality of 
                information on consumers maintained by or on behalf of 
                the person;
                    ``(B) to safeguard such information from potential 
                misuse;
                    ``(C) to investigate or provide notices of any 
                unauthorized access to information concerning the 
                consumer, or the potential misuse of such information, 
                for fraudulent purposes;
                    ``(D) to mitigate any loss or harm resulting from 
                such unauthorized access or misuse; or
                    ``(E) involving restricting credit reports from 
                being provided, or imposing any requirement on such 
                provision, for a permissible purpose pursuant to 
                section 604, such as--
                            ``(i) the responsibilities of a consumer 
                        reporting agency to honor a request, or 
                        withdrawal of such a request, to prohibit the 
                        consumer reporting agency from releasing any 
                        type of information from the file of a 
                        consumer;
                            ``(ii) the process by which such a request 
                        or withdrawal of such a request is made, 
                        honored, or denied;
                            ``(iii) any notice that is required to be 
                        provided to the consumer in connection with 
                        such a request or withdrawal of such a request; 
                        or
                            ``(iv) the ability of a consumer reporting 
                        agency to update or change information in a 
                        consumer's file as a result of such a request 
                        or withdrawal of such a request; or
                            ``(v) the responsibilities of third parties 
                        if information from a consumer's file is 
                        unavailable as a result of such a request.
            ``(2) Exception for certain state laws.--Paragraph (1) 
        shall not apply with respect to--
                    ``(A) State laws governing professional 
                confidentiality; or
                    ``(B) State privacy laws limiting the purposes for 
                which information may be disclosed.
            ``(3) Exception for certain covered entities.--Paragraph 
        (1) shall not apply with respect to the entities described in 
        subsection (l)(1)(G) to the extent that such entities are 
        acting in accordance with subsection (k)(4)(G) in a manner that 
        is consistent with this section and the implementation of this 
        section by the regulators described in subsection (k)(1).''.
    (b) Clerical Amendment.--The table of sections for the Fair Credit 
Reporting Act is amended by inserting after the item relating to 
section 629 the following new item:

``630. Data security safeguards.''.
    (c) Effective Date.--The provisions of section 630 of the Fair 
Credit Reporting Act (as added by this section), other than subsection 
(k) of such section, shall take effect on the date of publication of 
the regulations required under paragraph (3) of such subsection, with 
respect to any person under the jurisdiction of each regulatory agency 
publishing such regulations.

SEC. 3. NATIONAL SUMMIT ON DATA SECURITY.

    Not later than April 30, 2008, the President or the designee of the 
President shall convene a National Summit on Data Security Safeguards 
for Sensitive Personal Financial Information in the District of 
Columbia.

SEC. 4. GAO STUDY.

    (a) Study Required.--The Comptroller General shall conduct a study 
to determine a system that would provide notices of data breaches to 
consumers in languages other than English and identify what barriers 
currently exist to the implementation of such a system.
    (b) Report.--The Comptroller General shall submit a report to the 
Congress before the end of the 1-year period beginning on the date of 
the enactment of this Act containing the findings and conclusion of the 
study under subsection (a) and such recommendations for legislative and 
administrative action as the Comptroller General may determine to be 
appropriate.

SEC. 5. ENHANCED DATA COLLECTION ON DATA SECURITY BREACHES AND ACCOUNT 
              FRAUD.

    In order to improve law enforcement efforts relating to data 
security breaches and fighting identity theft and account fraud, the 
Federal Trade Commission shall compile information on the race and 
ethnicity of consumers, as defined and volunteered by the consumers, 
who are victims of identity theft, account fraud, and other types of 
financial fraud. The Commission shall consult with the various 
international, national, State, and local law enforcement officers and 
agencies who work with such victims for the purpose of enlisting the 
cooperation of such officers and agencies in the compilation of such 
information. Notwithstanding any other provision of law, such 
compilation of information shall be made available exclusively to the 
Commission and law enforcement entities.

SEC. 6. CLARIFICATION RELATING TO CREDIT MONITORING SERVICES.

    (a) In General.--Section 403 of the Credit Repair Organizations Act 
(15 U.S.C. 1679a) is amended--
            (1) by striking ``For purposes of this title'' and 
        inserting ``(a) In General.--For purposes of this title''; and
            (2) by adding at the end the following new subsection:
    ``(b) Clarification With Respect to Certain Credit Monitoring 
Services Under Certain Circumstances.--
            ``(1) In general.--Subject to paragraph (2)--
                    ``(A) the provision of, or provision of access to, 
                credit reports, credit monitoring notifications, credit 
                scores and scoring algorithms, and other credit score-
                related tools to a consumer (including generation of 
                projections and forecasts of such consumer's potential 
                credit scores under various prospective trends or 
                hypothetical or alternative scenarios);
                    ``(B) any analysis, evaluation, and explanation of 
                such actual or hypothetical credit scores, or any 
                similar projections, forecasts, analyses, evaluations 
                or explanations; or
                    ``(C) in conjunction with offering any of the 
                services described in subparagraph (A) or (B), the 
                provision of materials or services to assist a consumer 
                who is a victim of identity theft,
        shall not be treated as activities described in clause (i) of 
        subsection (a)(3)(A).
            ``(2) Conditions for application of paragraph (1).--
        Paragraph (1) shall apply with respect to any person engaging 
        in any activity described in such paragraph only if--
                    ``(A) the person does not represent, expressly or 
                by implication, that such person--
                            ``(i) will or can modify or remove, or 
                        assist the consumer in modifying or removing, 
                        adverse information that is accurate and not 
                        obsolete in the consumer's credit report; or
                            ``(ii) will or can alter, or assist the 
                        consumer in altering, the consumer's 
                        identification to prevent the display of the 
                        consumer's credit record, history, or rating 
                        for the purpose of concealing adverse 
                        information that is accurate and not obsolete;
                    ``(B) in any case in which the person represents, 
                expressly or by implication, that it will or can modify 
                or remove, or assist the consumer in modifying or 
                removing, any information in the consumer's credit 
                report, except for a representation with respect to any 
                requirement imposed on the person under section 611 or 
                623(b) of the Fair Credit Reporting Act, the person 
                discloses, clearly and conspicuously, before the 
                consumer pays or agrees to pay any money or other 
                valuable consideration to such person, whichever occurs 
                first, the following statement:
                                    ```NOTICE: Neither you nor anyone 
                                else has the right to have accurate and 
                                current information removed from your 
                                credit report. If information in your 
                                report is inaccurate, you have the 
                                right to dispute it by contacting the 
                                credit bureau directly.';
                    ``(C) the person provides the consumer in writing 
                with the following statement before any contract or 
                agreement between the consumer and the person is 
                executed:
                            ```Your Rights Concerning Your Consumer 
                        Credit File
                            ```You have a right to obtain a free copy 
                        of your credit report once every 12 months from 
                        each of the nationwide consumer reporting 
                        agencies. To request your free annual credit 
                        report, you may go to 
                        www.annualcreditreport.com, or call 877-322-
                        8228, or complete the Annual Credit Report 
                        Request Form and mail it to: Annual Credit 
                        Report Request Service, P.O. Box 105281, 
                        Atlanta, GA 30348-5281. You can obtain 
                        additional copies of your credit report from a 
                        credit bureau, for which you may be charged a 
                        reasonable fee. There is no fee, however, if 
                        you have been turned down for credit, 
                        employment, insurance, or a rental dwelling 
                        because of information in your credit report 
                        within the preceding 60 days. The credit bureau 
                        must provide someone to help you interpret the 
                        information in your credit file. You are 
                        entitled to receive a free copy of your credit 
                        report if you are unemployed and intend to 
                        apply for employment in the next 60 days, if 
                        you are a recipient of public welfare 
                        assistance, or if you have reason to believe 
                        that there is inaccurate information in your 
                        credit report due to fraud.
                            ```You have the right to cancel your 
                        contract with a credit monitoring service 
                        without fee or penalty at any time, and in the 
                        case in which you have prepaid for a credit 
                        monitoring service, you are entitled to a pro 
                        rata refund for the remaining term of the 
                        credit monitoring service.
                            ```The Federal Trade Commission regulates 
                        credit bureaus and credit monitoring services. 
                        For more information contact:
                            ```Federal Trade Commission
                            ```Washington, D.C. 20580
                            ```1-877-FTC-HELP
                            ```www.ftc.gov.'; and
                    ``(D) in any case in which the person offers a 
                subscription to a credit file monitoring program to a 
                consumer, the consumer may cancel the subscription at 
                any time upon written notice to the person without 
                penalty or fee for such cancellation and, in any case 
                in which the consumer is billed for the subscription on 
                other than a monthly basis, within 60 days of receipt 
                of the consumer's notice of cancellation, the person 
                shall make a pro rata refund to the consumer of a 
                subscription fee prepaid by the consumer, calculated 
                from the date that the person receives the consumer's 
                notice of cancellation until the end of the 
                subscription period.''.
    (b) Clarification of Nonexempt Status.--Section 403(a) of the 
Credit Repair Organizations Act (15 U.S.C. 1679a) (as so redesignated 
by subsection (a) of this section) is amended, in paragraph (3)(B)(i), 
by inserting ``and is not for its own profit or for that of its 
members'' before the semicolon at the end.
    (c) Revision of Disclosure Requirement.--Section 405(a) of the 
Credit Repair Organizations Act (15 U.S.C. 1679c) is amended by 
striking everything after the heading of the disclosure statement 
contained in such section and inserting the following new text of the 
disclosure statement:
            ```You have a right to dispute inaccurate information in 
        your credit report by contacting the credit bureau directly. 
        However, neither you nor any ``credit repair'' company or 
        credit repair organization has the right to have accurate, 
        current, and verifiable information removed from your credit 
        report. The credit bureau must remove accurate, negative 
        information from your report only if it is over 7 years old. 
        Bankruptcy information can be reported for 10 years.
            ```You have a right to obtain a free copy of your credit 
        report once every 12 months from each of the nationwide 
        consumer reporting agencies. To request your free annual credit 
        report, you may go to www.annualcreditreport.com, or call 877-
        322-8228, or complete the Annual Credit Report Request Form and 
        mail it to: Annual Credit Report Request Service, P.O. Box 
        105281, Atlanta, GA 30348-5281. You can obtain additional 
        copies of your credit report from a credit bureau, for which 
        you may be charged a reasonable fee. There is no fee, however, 
        if you have been turned down for credit, employment, insurance, 
        or a rental dwelling because of information in your credit 
        report within the preceding 60 days. The credit bureau must 
        provide someone to help you interpret the information in your 
        credit file. You are entitled to receive a free copy of your 
        credit report if you are unemployed and intend to apply for 
        employment in the next 60 days, if you are a recipient of 
        public welfare assistance, or if you have reason to believe 
        that there is inaccurate information in your credit report due 
        to fraud.
            ```You have a right to sue a credit repair organization 
        that violates the Credit Repair Organization Act. This law 
        prohibits deceptive practices by credit repair organizations.
            ```You have the right to cancel your contract with any 
        credit repair organization for any reason within 3 business 
        days from the date you signed it.
            ```Credit bureaus are required to follow reasonable 
        procedures to ensure that the information they report is 
        accurate. However, mistakes may occur.
            ```You may, on your own, notify a credit bureau in writing 
        that you dispute the accuracy of information in your credit 
        file. The credit bureau must then reinvestigate and modify or 
        remove inaccurate or incomplete information. The credit bureau 
        may not charge any fee for this service. Any pertinent 
        information and copies of all documents you have concerning an 
        error should be given to the credit bureau.
            ```If the credit bureau's reinvestigation does not resolve 
        the dispute to your satisfaction, you may send a brief 
        statement to the credit bureau, to be kept in your file, 
        explaining why you think the record is inaccurate. The credit 
        bureau must include a summary of your statement about disputed 
        information with any report it issues about you.
            ```The Federal Trade Commission regulates credit bureaus 
        and credit repair organizations. For more information contact:
            ```Federal Trade Commission
            ```Washington, D.C. 20580
            ```1-877-FTC-HELP
            ```(877 382-4357)
            ```www.ftc.gov.'''.
            Amend the title so as to read: ``A bill to amend the Fair 
        Credit Reporting Act to provide for secure financial data, and 
        for other purposes.''.

                              June 2, 2006

  Reported from the Committee on Financial Services with amendments; 
committed to the Committee of the Whole House on the State of the Union 
                       and ordered to be printed