[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5588 Introduced in House (IH)]

109th CONGRESS
  2d Session
                                H. R. 5588

   To require the Secretary of Veterans Affairs to protect sensitive 
     personal information of veterans, to ensure that veterans are 
 appropriately notified of any breach of data security with respect to 
such information, to provide free credit monitoring and credit reports 
 for veterans and others affected by any such breach of data security, 
                        and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             June 12, 2006

Mr. Salazar (for himself and Mr. Evans) introduced the following bill; 
        which was referred to the Committee on Veterans' Affairs

_______________________________________________________________________

                                 A BILL


   To require the Secretary of Veterans Affairs to protect sensitive 
     personal information of veterans, to ensure that veterans are 
 appropriately notified of any breach of data security with respect to 
such information, to provide free credit monitoring and credit reports 
 for veterans and others affected by any such breach of data security, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Comprehensive Veterans' Data 
Protection and Identity Theft Prevention Act of 2006''.

SEC. 2. DEFINITIONS.

    For purposes of this Act, the following definitions shall apply:
            (1) Data breach.--The term ``data breach'' means the 
        unauthorized acquisition or use of data in electronic or 
        printed form containing sensitive personal information, 
        including information compromised with respect to the theft of 
        data first publicly reported on May 22, 2006.
            (2) Data in electronic form.--The term ``data in electronic 
        form'' means any data stored electronically or digitally on any 
        computer system or database and includes recordable tapes and 
        other mass storage devices.
            (3) Department.--The term ``Department'' means the 
        Department of Veterans Affairs.
            (4) Encryption.--The term ``encryption'' means the 
        protection of data in electronic form in storage or transit 
        using an encryption technology that has been adopted by an 
        established standards setting body which renders such data 
        indecipherable in the absence of associated cryptographic keys 
        necessary to enable decryption of such data, together with 
        appropriate management and safeguards of such keys to protect 
        the integrity of the encryption.
            (5) Nationwide consumer reporting agency.--The term 
        ``nationwide consumer reporting agency'' means a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act.
            (6) Secretary.--The term ``Secretary'' means the Secretary 
        of Veterans Affairs.
            (7) Sensitive personal information.--The term ``sensitive 
        personal information'' means the name, address, or telephone 
        number of a veteran or other individual, in combination with 
        any of the following:
                    (A) Social Security number.
                    (B) Any information not available as part of the 
                public record regarding the veteran or other 
                individual's military service or health.
                    (C) Any financial account or other financial 
                information relating to the veteran or other person.

SEC. 3. PROTECTION OF SENSITIVE PERSONAL INFORMATION OF VETERANS.

    (a) Affirmative Obligation.--The Secretary shall have an 
affirmative obligation to protect from any data breach the sensitive 
personal information of veterans and any other individuals that the 
Department (or any third-party entity acting on behalf of the 
Department) possesses, creates, or maintains as well as any information 
or tools, including passwords or cryptographic keys used to protect the 
integrity of encrypted data, used to access sensitive personal 
information maintained independently by others.
    (b) Security Policies and Procedures.--The Secretary shall 
implement and maintain reasonable policies and procedures to protect 
the security and confidentiality of sensitive personal information 
relating to any veteran or other individual that is maintained, 
serviced, or communicated by or on behalf of the Department against any 
unauthorized access.
    (c) Policies and Procedures Regarding Access and Use.--The 
Secretary, by regulation, shall prescribe policies and procedures 
regarding employee and third party access to, and use of, sensitive 
personal information as well as the protection of such sensitive 
personal information, which the Department receives, maintains, or 
transmits. Such policies and procedures shall be issued before the end 
of the 90-day period beginning on the date of the enactment of this 
Act.
    (d) System Restoration Requirements.--If the Secretary determines 
that a data breach has occurred, is likely to have occurred, or is 
unavoidable, the Secretary shall take prompt and reasonable measures 
to--
            (1) repair the breach and restore the security and 
        confidentiality of the sensitive personal information involved 
        to limit further unauthorized misuse of such information; and
            (2) restore the integrity of the data security safeguards 
        of the Department and make appropriate improvements to the data 
        security, and the access and use, policies and procedures 
        issued under subsections (b) and (c).
    (e) Third Party Duties.--
            (1) Coordinated investigation.--Whenever any third party 
        handling sensitive personal information for or on behalf of the 
        Department determines that a data breach has occurred, is 
        likely to have occurred, or is unavoidable, with respect to 
        such information, the third party shall--
                    (A) promptly notify the Department of such 
                determination;
                    (B) conduct a coordinated investigation with the 
                Department to determine the full scope of any such data 
                breach; and
                    (C) ensure that the appropriate notices are 
                provided as required under section 4 of this Act.
            (2) Contractual obligation required.--The Secretary shall 
        not provide sensitive personal information to a third party 
        unless such third party agrees to fulfill the obligations 
        imposed by sections 4, 5, and 6 of this Act.
            (3) Liability for costs.--Except as otherwise established 
        by written agreements between the Department and any third 
        party, a third party that suffers a data breach shall be 
        responsible for all costs associated with complying with this 
        Act, as well as other costs related to such a breach, including 
        any damages relating to such a breach.

SEC. 4. NOTIFICATION OF DATA BREACH.

    (a) Notification.--Upon discovery of a data breach, the Secretary 
shall--
            (1) notify the United States Secret Service, the Inspector 
        General for the Department of Veterans Affairs, the Committees 
        on Veterans' Affairs of the Senate and the House of 
        Representatives, and the Federal Trade Commission that a data 
        breach has occurred and the extent of such a breach;
            (2) notify each individual whose personal information was 
        acquired or accessed by an unauthorized person as a result of 
        such a data breach; and
            (3) place a conspicuous notice on the Department's Internet 
        website, which shall include a telephone number that the 
        individual may use, at no cost to such individual, to contact 
        the Department to inquire about the data breach or the 
        information the Department maintained about that individual.
    (b) Timeliness of Notification.--All notifications required under 
subsection (a) shall be made as promptly as possible and without 
unreasonable delay following the discovery of a data breach and the 
implementation of any measures necessary to determine the scope of the 
breach, prevent any further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
    (c) Method and Content of Notification.--
            (1) Method of notification.--The Secretary shall provide 
        written notification to individuals under subsection (a)(2).
            (2) Content of notification.--Such written notification 
        provided to an individual under paragraph (1) shall include--
                    (A) a description of the personal information that 
                was acquired by an unauthorized person;
                    (B) a telephone number that the individual may use, 
                at no cost to such individual, to contact the Ombudsman 
                for Data Security in the Department to inquire about 
                the security breach or the information about that 
                individual that the person acquired or accessed, as 
                well as to obtain assistance in addressing identity 
                theft issues;
                    (C) the toll-free contact telephone numbers and 
                addresses for the major credit reporting agencies;
                    (D) a toll-free telephone number and Internet 
                website address for the Federal Trade Commission 
                whereby the individual may obtain information regarding 
                identity theft; and
                    (E) information regarding the right of an 
                individual, at no cost to that individual, to place a 
                fraud alert, obtain a security freeze, and receive 
                credit monitoring where applicable, including 
                information clearly describing the advantages and 
                disadvantages of these actions.
    (d) Website Notice of Federal Trade Commission.--The Federal Trade 
Commission shall place, in a clear and conspicuous location on its 
Internet website, a notice of any breach of security that is reported 
to the Commission under subsection (a)(1).

SEC. 5. FRAUD ALERTS.

    (a) Inclusion in Consumer Files.--The Secretary shall arrange, upon 
the request of a veteran or other individual affected by a data breach 
and at no cost to the veteran or other individual, to include a fraud 
alert in the file of that veteran or other individual with each 
nationwide consumer reporting agency in the manner provided under 
section 605A(a) for a period of not less than 1 year, beginning on the 
date of such request, unless the veteran or other individual requests 
that such fraud alert be removed before the end of such period, and the 
agency has received appropriate proof of the identity of the requestor 
for such purpose.
    (b) Distribution.--Each nationwide consumer reporting agency 
referred to in subsection (a) shall also provide the alert required 
under such subsection in the file of a veteran or other individual 
along with any credit score generated in using that file, for a period 
of not less than 1 year, beginning on the date of such request, unless 
the veteran or other individual requests that such fraud alert be 
removed before the end of such period, and the agency has received 
appropriate proof of the identity of the requestor for such purpose.

SEC. 6. CREDIT SECURITY FREEZE.

    (a) In General.--The Secretary shall arrange, upon the request of a 
veteran or other individual affected by a data breach and at no cost to 
the veteran or other individual, to apply a security freeze to the file 
of that veteran or other individual with each nationwide consumer 
reporting agency for a period of not less than 1 year, beginning on the 
date of such request, unless the veteran or other individual requests 
that such security freeze be removed before the end of such period, and 
the agency has received appropriate proof of the identity of the 
requestor for such purpose.
    (b) Confirmation and PIN Numbers.--The agency shall send a written 
confirmation of the security freeze to the veteran or other individual 
within 5 business days of placing the freeze. The agency shall refer 
the information regarding the security freeze to other consumer 
reporting agencies. The agency shall provide the veteran or other 
individual with a unique personal identification number or password to 
be used by the veteran or other individual when providing authorization 
for the release of his or her credit for a specific party or period of 
time.
    (c) Temporary Lift of Freeze.--The agency that receives a request 
from a veteran or other individual to temporarily lift a freeze on a 
consumer report shall comply with the request no later than 3 business 
days after receiving the request. Such request shall be specific as to 
the period to which the temporary lift of a freeze shall apply.
    (d) Negotiating Authority.--The Secretary shall have broad 
authority to negotiate and secure the best possible price for services 
provided under this section. All reasonable costs shall be borne by the 
Secretary.

SEC. 7. AUTHORITY TO PROVIDE MITIGATION SERVICES TO VICTIMS OF DATA 
              SECURITY BREACHES.

    (a) In General.--The Secretary shall provide, free of charge, to 
each individual whose personal information is (or was before the date 
of enactment of this Act) compromised by a data breach at the 
Department of Veterans Affairs--
            (1) credit monitoring services, during a 1-year period 
        beginning on the date of enactment of this Act; and
            (2) a copy of the consumer report (as defined in section 
        603 of the Fair Credit Reporting Act) of the affected 
        individual once annually during the 2-year period beginning on 
        the date on which the credit monitoring services required by 
        paragraph (1) terminate, which shall be in addition to any 
        other consumer report provided to the individual under 
        otherwise applicable law, free of charge or otherwise.
    (b) Negotiating Authority.--The Secretary of Veterans Affairs shall 
have broad authority to negotiate and secure the best possible price 
for services provided under this section.

SEC. 8. OMBUDSMAN.

    (a) Establishment.--The Secretary shall establish the position of 
an Ombudsman for Data Security within the Department.
    (b) Duties.--The Ombudsman for Data Security shall--
            (1) provide information and assistance to veterans or other 
        individuals affected by data breaches, including providing 
        information and assistance on identity theft and issues 
        relating to identity theft;
            (2) assist veterans or other individuals affected by a data 
        breach with placing fraud alerts and security freezes;
            (3) provide veterans with ongoing education on general 
        financial matters and identity theft in particular; and
            (4) carry out such other duties and responsibilities as the 
        Secretary may designate to the Ombudsman for Data Security.