[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5487 Introduced in House (IH)]








109th CONGRESS
  2d Session
                                H. R. 5487

To require the Secretary of Veterans Affairs to take certain actions to 
 mitigate the effects of the breach of data security that occurred, or 
is likely to have occurred, in May, 2006, at the Department of Veterans 
                    Affairs, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              May 25, 2006

Ms. Hooley (for herself, Mr. LaTourette, Ms. Bean, Mr. Baker, Mr. Moore 
of Kansas, Mr. Kanjorski, Mr. Crowley, Mrs. McCarthy, Mr. Meeks of New 
 York, Mr. Hinojosa, Ms. Moore of Wisconsin, Mr. Clay, Mrs. Kelly, Ms. 
   Harman, Mr. Larson of Connecticut, Mr. Rahall, Mr. Delahunt, Ms. 
   Corrine Brown of Florida, Mr. Kucinich, Mr. Michaud, Mr. Davis of 
 Alabama, Mr. Al Green of Texas, Mr. Scott of Georgia, Mr. Lynch, Mr. 
Grijalva, Ms. DeGette, Ms. Bordallo, Mr. Baca, Mr. Smith of Washington, 
 Mr. Clyburn, Mr. Conyers, Mr. Thompson of Mississippi, Mr. Dicks, Mr. 
 Inslee, Mr. Pomeroy, Mr. Filner, Mr. Ramstad, Ms. Wasserman Schultz, 
    Mr. Walden of Oregon, Mr. DeFazio, Mr. Baird, and Ms. Herseth) 
 introduced the following bill; which was referred to the Committee on 
                           Veterans' Affairs

_______________________________________________________________________

                                 A BILL


 
To require the Secretary of Veterans Affairs to take certain actions to 
 mitigate the effects of the breach of data security that occurred, or 
is likely to have occurred, in May, 2006, at the Department of Veterans 
                    Affairs, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Veterans' ID Theft Protection Act of 
2006''.

SEC. 2. ACTIONS REQUIRED WITH RESPECT TO VETERANS ADMINISTRATION DATA 
              BREACH.

    (a) In General.--With respect to the breach of data security that 
occurred, or is likely to have occurred, in May, 2006, at the 
Department of Veterans Affairs, the Secretary of Veterans Affairs shall 
take the following actions with respect to such breach in addition to 
any other actions the Secretary may determine to be appropriate.
            (1) System restoration requirements.--The Secretary shall 
        take prompt and reasonable measures to--
                    (A) repair the breach and restore the security and 
                confidentiality of the sensitive financial personal 
                information involved to limit further unauthorized 
                misuse of such information; and
                    (B) restore the integrity of the Department's data 
                security safeguards and make appropriate improvements 
                to its data security policies and procedures.
            (2) Notice requirements.--
                    (A) In general.--The Secretary shall without 
                unreasonable delay notify any person affected by the 
                breach in the manner provided in this paragraph, as 
                well as--
                            (i) each nationwide consumer reporting 
                        agency described in section 603(p) of the Fair 
                        Credit Reporting Act with respect to the breach 
                        itself and each person affected by the breach; 
                        and
                            (ii) any other appropriate critical third 
                        parties who will be required to undertake 
                        further action with respect to such information 
                        to protect such persons from resulting fraud or 
                        identity theft.
                    (B) Content of notice.--Any notice required to be 
                provided under subparagraph (A) by the Secretary to any 
                person affected by the breach shall be provided in a 
                standardized transmission or envelope clearly marked as 
                containing an important notice from the Department of 
                Veterans Affairs on stolen identity information, and 
                shall include the following in a clear and conspicuous 
                manner:
                            (i) An appropriate heading or notice title.
                            (ii) A description of the nature and types 
                        of information and accounts as appropriate that 
                        were, or are reasonably believed to have been, 
                        subject to the breach of data security.
                            (iii) If known, the date, or the best 
                        reasonable approximation of the period of time, 
                        on or within which sensitive personal 
                        information related to the consumer was, or is 
                        reasonably believed to have been, subject to a 
                        breach.
                            (iv) A general description of the actions 
                        taken by the Secretary to restore the security 
                        and confidentiality of the breached 
                        information.
                            (v) A telephone number by which any person 
                        affected by the breach may call the Department 
                        of Veterans Affairs, free of charge, to obtain 
                        additional information about how to respond to 
                        the breach.
                            (vi) A copy of the summary of rights of 
                        consumer victims of fraud or identity theft 
                        prepared by the Federal Trade Commission under 
                        section 609(d) of the Fair Credit Reporting 
                        Act, as well as any additional appropriate 
                        information on how the person affected by the 
                        breach may--
                                    (I) obtain a copy of a consumer 
                                report free of charge in accordance 
                                with section 612 of the Fair Credit 
                                Reporting Act;
                                    (II) place a fraud alert in any 
                                file relating to the person at a 
                                consumer reporting agency under section 
                                605A of such Act to discourage 
                                unauthorized use; and
                                    (III) contact the Federal Trade 
                                Commission for more detailed 
                                information.
                            (vii) A prominent statement that file 
                        monitoring will be made available upon request 
                        in accordance with paragraph (3) to the person 
                        affected by the breach free of charge for a 
                        period of not less than 6 months, together with 
                        a telephone number at the Department of 
                        Veterans Affairs for requesting such services. 
                        The statement may also include such additional 
                        contact information as a mailing address, e-
                        mail, or Internet website address.
                            (viii) The approximate date the notice is 
                        being issued.
                    (C) Responsibility and costs.--
                            (i) In general.--The Secretary of Veterans 
                        Affairs shall be--
                                    (I) responsible for providing any 
                                notices and file monitoring required 
                                under this section with respect to such 
                                breach; and
                                    (II) responsible for the reasonable 
                                actual costs of any notices provided 
                                under this section.
                            (ii) No charge to persons affected by the 
                        breach.--The cost for the notices and file 
                        monitoring described in clause (i) may not be 
                        charged to the persons affected by the breach.
            (3) Free file monitoring.--The Secretary of Veterans 
        Affairs, if requested by the person affected by the breach 
        before the end of the 90-day period beginning on the date of 
        such notice, shall make available to the person, free of charge 
        and for at least a 6-month period a service that monitors 
        nationwide credit activity regarding a consumer from a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act.
    (b) Negotiating Authority.--The Secretary of Veterans Affairs shall 
have broad authority to secure the best possible price for credit 
monitoring services on behalf of taxpayers.
    (c) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Veterans Affairs the sum of 
$100,000,000 to carry out the requirements of this section.