


109 HR 5582 IH: Notification of Risk to Personal Data

U.S. House of Representatives
2006-06-12
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


I

109th CONGRESS
2d Session

H. R. 5582

IN THE HOUSE OF REPRESENTATIVES

June 12, 2006

Mr. Lantos introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committees on Government Reform and Financial Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To require Federal agencies, and persons engaged in interstate commerce, in possession of data containing personal information, to disclose any unauthorized acquisition of such information.
	
SECTION 1. SHORT TITLE.

This Act may be cited as the "Notification of Risk to Personal Data Act".

SEC. 2. DEFINITIONS.

In this Act, the following definitions shall apply:

(1) Agency. The term "agency" has the same meaning given such term in section 551(1) of title 5, United States Code.

(2) Breach of security of the system. The term "breach of security of the system"—
(A) means the compromise of the security, confidentiality, or integrity of data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of personal information maintained by the person or business; and
(B) does not include good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business, if the personal information is not used or subject to further unauthorized disclosure.

(3) Person. The term "person" has the same meaning given such term in section 551(2) of title 5, United States Code.

(4) Personal information. The term "personal information" means an individual's last name in combination with any 1 or more of the following data elements:
(A) Social security number.
(B) Driver's license number or State identification number.
(C) Account number or credit or debit card number, or, if a security code, access code, or password is required for access to an individual's account, the account number or credit or debit card number, in combination with the required code or password.

(5) Substitute notice. The term "substitute notice" means—
(A) conspicuous posting of the notice on the Internet site of the agency or person, if the agency or person maintains a public Internet site; and
(B) notification to major print and broadcast media, including major media in metropolitan and rural areas where the individual whose personal information was, or is reasonably believed to have been, acquired resides. The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual's personal data is included in the security breach.

SEC. 3. DATABASE SECURITY.

(a) Disclosure of security breach.

(1) In general. Any agency, or person engaged in interstate commerce, that owns, licenses, or collects data, whether or not held in electronic form, containing personal information shall, following the discovery of a breach of security of the system maintained by the agency or person that contains such data, or upon receipt of notice under paragraph (2), notify any individual of the United States whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(2) Notification of owner or licensee. Any agency, or person engaged in interstate commerce, in possession of data, whether or not held in electronic form, containing personal information that the agency does not own or license shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data.

(3) Timeliness of notification.
(A) In general. All notifications required under paragraph (1) or (2) shall be made without unreasonable delay following—
(i) the discovery by the agency or person of a breach of security of the system;
(ii) any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system; and
(iii) receipt of written notice that a law enforcement agency has determined that the notification will no longer seriously impede its investigation, where notification is delayed as provided in paragraph (4).
(B) Burden of proof. The agency or person required to provide notification under this subsection shall have the burden of demonstrating that all notifications were made as required under this paragraph, including evidence demonstrating the necessity of any delay.

(4) Delay of notification authorized for law enforcement purposes. If a law enforcement agency determines that the notification required under this subsection would seriously impede a criminal investigation, such notification may be delayed upon the written request of the law enforcement agency.

(5) Exception for national security and law enforcement.
(A) In general. This subsection shall not apply to an agency if the head of the agency certifies, in writing, that notification of the breach as required by this subsection reasonably could be expected to—
(i) cause damage to the national security; and
(ii) hinder a law enforcement investigation or the ability of the agency to conduct law enforcement investigations.
(B) Limits on certifications. The head of an agency may not execute a certification under subparagraph (A) to—
(i) conceal violations of law, inefficiency, or administrative error;
(ii) prevent embarrassment to a person, organization, or agency; or
(iii) restrain competition.
(C) Notice. In every case in which a head of an agency issues a certification under subparagraph (A), a copy of the certification, accompanied by a concise description of the factual basis for the certification, shall be immediately provided to the Congress.

(6) Methods of notice. An agency, or person engaged in interstate commerce, shall be in compliance with this subsection if it provides the individual with—
(A) written notification;
(B) e-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001); or
(C) substitute notice, if—
(i) the agency or person demonstrates that the cost of providing direct notice would exceed $500,000;
(ii) the number of individuals to be notified exceeds 500,000; or
(iii) the agency or person does not have sufficient contact information for those to be notified.

(7) Content of notification. Regardless of the method by which notice is provided to individuals under paragraphs (1) and (2), such notice shall include—
(A) to the extent possible, a description of the categories of information that was, or is reasonably believed to have been, acquired by an unauthorized person, including social security numbers, driver's license or State identification numbers and financial data;
(B) a toll-free number—
(i) that the individual may use to contact the agency or person, or the agent of the agency or person; and
(ii) from which the individual may learn—
(I) what types of information the agency or person maintained about that individual or about individuals in general; and
(II) whether or not the agency or person maintained information about that individual; and
(C) the toll-free contact telephone numbers and addresses for the major credit reporting agencies.

(8) Coordination of notification with credit reporting agencies. If an agency or person is required to provide notification to more than 1,000 individuals under this subsection, the agency or person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p))) of the timing and distribution of the notices.

(b) Civil remedies.

(1) Penalties. Any agency, or person engaged in interstate commerce, that violates subsection (a) shall be subject to a fine of—
(A) not more than $1,000 per individual whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person; or
(B) not more than $50,000 per day while the failure to give notice under subsection (a) persists.

(2) Equitable relief. Any agency or person that violates, proposes to violate, or has violated this section may be enjoined from further violations by a court of competent jurisdiction.

(3) Other rights and remedies. The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.

(c) Enforcement. The Federal Trade Commission or other appropriate regulator is authorized to enforce compliance with this section, including the assessment of fines under subsection (b)(1).

(d) Fraud alert. Section 605A(b)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681c–1(b)(1)) is amended by inserting ", or evidence that the consumer has received notice that the consumer's personal financial information has or may have been compromised," after "identity theft report".

SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

(a) In general.

(1) Civil actions. In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that is prohibited under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction or any other court of competent jurisdiction, including a State court, to—
(A) enjoin that practice;
(B) enforce compliance with this Act;
(C) obtain damages, restitution, or other compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may consider to be appropriate.

(2) Notice.
(A) In general. Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General of the United States—
(i) written notice of the action; and
(ii) a copy of the complaint for the action.
(B) Exemption.
(i) In general. Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.
(ii) Notification. In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the State attorney general files the action.

(b) Construction. For purposes of bringing any civil action under subsection (a), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to—
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.

(c) Venue; service of process.

(1) Venue. Any action brought under subsection (a) may be brought in—
(A) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or
(B) another court of competent jurisdiction.

(2) Service of process. In an action brought under subsection (a), process may be served in any district in which the defendant—
(A) is an inhabitant; or
(B) may be found.

SEC. 5. EFFECT ON STATE LAW.

The provisions of this Act shall supersede any inconsistent provisions of law of any State or unit of local government with respect to the conduct required by the specific provisions of this Act.

SEC. 6. EFFECTIVE DATE.

This Act shall take effect on the expiration of the date which is 6 months after the date of enactment of this Act.
		
