109 HR 5588 IH: To require the Secretary of Veterans Affairs to protect

U.S. House of Representatives
2006-06-12
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

I
109th CONGRESS
2d Session
H. R. 5588
IN THE HOUSE OF REPRESENTATIVES

June 12, 2006
Mr. Salazar (for himself and Mr. Evans) introduced the following bill; which was referred to the Committee on Veterans' Affairs

A BILL
To require the Secretary of Veterans Affairs to protect sensitive personal information of veterans, to ensure that veterans are appropriately notified of any breach of data security with respect to such information, to provide free credit monitoring and credit reports for veterans and others affected by any such breach of data security, and for other purposes.
	
1. Short title
This Act may be cited as the "Comprehensive Veterans' Data Protection and Identity Theft Prevention Act of 2006".

2. Definitions
For purposes of this Act, the following definitions shall apply:
(1) Data breach. The term "data breach" means the unauthorized acquisition or use of data in electronic or printed form containing sensitive personal information, including information compromised with respect to the theft of data first publicly reported on May 22, 2006.
(2) Data in electronic form. The term "data in electronic form" means any data stored electronically or digitally on any computer system or database and includes recordable tapes and other mass storage devices.
(3) Department. The term "Department" means the Department of Veterans Affairs.
(4) Encryption. The term "encryption" means the protection of data in electronic form in storage or transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data, together with appropriate management and safeguards of such keys to protect the integrity of the encryption.
(5) Nationwide consumer reporting agency. The term "nationwide consumer reporting agency" means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act.
(6) Secretary. The term "Secretary" means the Secretary of Veterans Affairs.
(7) Sensitive personal information. The term "sensitive personal information" means the name, address, or telephone number of a veteran or other individual, in combination with any of the following:
  (A) Social Security number.
  (B) Any information not available as part of the public record regarding the veteran or other individual's military service or health.
  (C) Any financial account or other financial information relating to the veteran or other person.
3. Protection of sensitive personal information of veterans
(a) Affirmative obligation. The Secretary shall have an affirmative obligation to protect from any data breach the sensitive personal information of veterans and any other individuals that the Department (or any third-party entity acting on behalf of the Department) possesses, creates, or maintains, as well as any information or tools, including passwords or cryptographic keys used to protect the integrity of encrypted data, used to access sensitive personal information maintained independently by others.
(b) Security policies and procedures. The Secretary shall implement and maintain reasonable policies and procedures to protect the security and confidentiality of sensitive personal information relating to any veteran or other individual that is maintained, serviced, or communicated by or on behalf of the Department against any unauthorized access.
(c) Policies and procedures regarding access and use. The Secretary, by regulation, shall prescribe policies and procedures regarding employee and third party access to, and use of, sensitive personal information as well as the protection of such sensitive personal information, which the Department receives, maintains, or transmits. Such policies and procedures shall be issued before the end of the 90-day period beginning on the date of the enactment of this Act.
(d) System restoration requirements. If the Secretary determines that a data breach has occurred, is likely to have occurred, or is unavoidable, the Secretary shall take prompt and reasonable measures to:
  (1) repair the breach and restore the security and confidentiality of the sensitive personal information involved to limit further unauthorized misuse of such information; and
  (2) restore the integrity of the data security safeguards of the Department and make appropriate improvements to the data security, and the access and use, policies and procedures issued under subsections (b) and (c).
(e) Third party duties.
  (1) Coordinated investigation. Whenever any third party handling sensitive personal information for or on behalf of the Department determines that a data breach has occurred, is likely to have occurred, or is unavoidable, with respect to such information, the third party shall:
    (A) promptly notify the Department of such determination;
    (B) conduct a coordinated investigation with the Department to determine the full scope of any such data breach; and
    (C) ensure that the appropriate notices are provided as required under section 4 of this Act.
  (2) Contractual obligation required. The Secretary shall not provide sensitive personal information to a third party unless such third party agrees to fulfill the obligations imposed by sections 4, 5, and 6 of this Act.
  (3) Liability for costs. Except as otherwise established by written agreements between the Department and any third party, a third party that suffers a data breach shall be responsible for all costs associated with complying with this Act, as well as other costs related to such a breach, including any damages relating to such a breach.
4. Notification of data breach
(a) Notification. Upon discovery of a data breach, the Secretary shall:
  (1) notify the United States Secret Service, the Inspector General for the Department of Veterans Affairs, the Committees on Veterans' Affairs of the Senate and the House of Representatives, and the Federal Trade Commission that a data breach has occurred and the extent of such a breach;
  (2) notify each individual whose personal information was acquired or accessed by an unauthorized person as a result of such a data breach; and
  (3) place a conspicuous notice on the Department's Internet website, which shall include a telephone number that the individual may use, at no cost to such individual, to contact the Department to inquire about the data breach or the information the Department maintained about that individual.
(b) Timeliness of notification. All notifications required under subsection (a) shall be made as promptly as possible and without unreasonable delay following the discovery of a data breach and the implementation of any measures necessary to determine the scope of the breach, prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.
(c) Method and content of notification.
  (1) Method of notification. The Secretary shall provide written notification to individuals under subsection (a)(2).
  (2) Content of notification. Such written notification provided to an individual under paragraph (1) shall include:
    (A) a description of the personal information that was acquired by an unauthorized person;
    (B) a telephone number that the individual may use, at no cost to such individual, to contact the Ombudsman for Data Security in the Department to inquire about the security breach or the information about that individual that the person acquired or accessed, as well as to obtain assistance in addressing identity theft issues;
    (C) the toll-free contact telephone numbers and addresses for the major credit reporting agencies;
    (D) a toll-free telephone number and Internet website address for the Federal Trade Commission whereby the individual may obtain information regarding identity theft; and
    (E) information regarding the right of an individual, at no cost to that individual, to place a fraud alert, obtain a security freeze, and receive credit monitoring where applicable, including information clearly describing the advantages and disadvantages of these actions.
(d) Website notice of Federal Trade Commission. The Federal Trade Commission shall place, in a clear and conspicuous location on its Internet website, a notice of any breach of security that is reported to the Commission under subsection (a)(1).
5. Fraud alerts
(a) Inclusion in consumer files. The Secretary shall arrange, upon the request of a veteran or other individual affected by a data breach and at no cost to the veteran or other individual, to include a fraud alert in the file of that veteran or other individual with each nationwide consumer reporting agency in the manner provided under section 605A(a) for a period of not less than 1 year, beginning on the date of such request, unless the veteran or other individual requests that such fraud alert be removed before the end of such period, and the agency has received appropriate proof of the identity of the requestor for such purpose.
(b) Distribution. Each nationwide consumer reporting agency referred to in subsection (a) shall also provide the alert required under such subsection in the file of a veteran or other individual along with any credit score generated in using that file, for a period of not less than 1 year, beginning on the date of such request, unless the veteran or other individual requests that such fraud alert be removed before the end of such period, and the agency has received appropriate proof of the identity of the requestor for such purpose.

6. Credit security freeze
(a) In general. The Secretary shall arrange, upon the request of a veteran or other individual affected by a data breach and at no cost to the veteran or other individual, to apply a security freeze to the file of that veteran or other individual with each nationwide consumer reporting agency for a period of not less than 1 year, beginning on the date of such request, unless the veteran or other individual requests that such security freeze be removed before the end of such period, and the agency has received appropriate proof of the identity of the requestor for such purpose.
(b) Confirmation and PIN numbers. The agency shall send a written confirmation of the security freeze to the veteran or other individual within 5 business days of placing the freeze. The agency shall refer the information regarding the security freeze to other consumer reporting agencies. The agency shall provide the veteran or other individual with a unique personal identification number or password to be used by the veteran or other individual when providing authorization for the release of his or her credit for a specific party or period of time.
(c) Temporary lift of freeze. The agency that receives a request from a veteran or other individual to temporarily lift a freeze on a consumer report shall comply with the request no later than 3 business days after receiving the request. Such request shall be specific as to the period to which the temporary lift of a freeze shall apply.
(d) Negotiating authority. The Secretary shall have broad authority to negotiate and secure the best possible price for services provided under this section. All reasonable costs shall be borne by the Secretary.
7. Authority to provide mitigation services to victims of data security breaches
(a) In general. The Secretary shall provide, free of charge, to each individual whose personal information is (or was before the date of enactment of this Act) compromised by a data breach at the Department of Veterans Affairs:
  (1) credit monitoring services, during a 1-year period beginning on the date of enactment of this Act; and
  (2) a copy of the consumer report (as defined in section 603 of the Fair Credit Reporting Act) of the affected individual once annually during the 2-year period beginning on the date on which the credit monitoring services required by paragraph (1) terminate, which shall be in addition to any other consumer report provided to the individual under otherwise applicable law, free of charge or otherwise.
(b) Negotiating authority. The Secretary of Veterans Affairs shall have broad authority to negotiate and secure the best possible price for services provided under this section.

8. Ombudsman
(a) Establishment. The Secretary shall establish the position of an Ombudsman for Data Security within the Department.
(b) Duties. The Ombudsman for Data Security shall:
  (1) provide information and assistance to veterans or other individuals affected by data breaches, including providing information and assistance on identity theft and issues relating to identity theft;
  (2) assist veterans or other individuals affected by a data breach with placing fraud alerts and security freezes;
  (3) provide veterans with ongoing education on general financial matters and identity theft in particular; and
  (4) carry out such other duties and responsibilities as the Secretary may designate to the Ombudsman for Data Security.