

	

II

109th CONGRESS
1st Session

S. 115

IN THE SENATE OF THE UNITED STATES

January 24, 2005

Mrs. Feinstein introduced the following bill; which was read twice and referred to the Committee on the Judiciary

A BILL

To require Federal agencies, and persons engaged in interstate commerce, in possession of electronic data containing personal information, to disclose any unauthorized acquisition of such information.

	

	

	1. Short title
	This Act may be cited as the "Notification of Risk to Personal Data Act".

	2. Definitions
	In this Act, the following definitions shall apply:
		(1) Agency
		The term "agency" has the same meaning given such term in section 551(1) of title 5, United States Code.
		(2) Breach of security of the system
		The term "breach of security of the system"—
			(A) means the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to personal information maintained by the person or business; and
			(B) does not include good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business, if the personal information is not used or subject to further unauthorized disclosure.
		(3) Person
		The term "person" has the same meaning given such term in section 551(2) of title 5, United States Code.
		(4) Personal information
		The term "personal information" means an individual’s last name in combination with any 1 or more of the following data elements, when either the name or the data elements are not encrypted:
			(A) Social security number.
			(B) Driver’s license number or State identification number.
			(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
		(5) Substitute notice
		The term "substitute notice" means—
			(A) e-mail notice, if the agency or person has an e-mail address for the subject persons;
			(B) conspicuous posting of the notice on the Internet site of the agency or person, if the agency or person maintains an Internet site; or
			(C) notification to major media.

	3. Database security
		(a) Disclosure of security breach
			(1) In general
			Any agency, or person engaged in interstate commerce, that owns or licenses electronic data containing personal information shall, following the discovery of a breach of security of the system containing such data, notify any resident of the United States whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
			(2) Notification of owner or licensee
			Any agency, or person engaged in interstate commerce, in possession of electronic data containing personal information that the agency does not own or license shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data.
			(3) Timeliness of notification
			Except as provided in paragraph (4), all notifications required under paragraph (1) or (2) shall be made as expediently as possible and without unreasonable delay following—
				(A) the discovery by the agency or person of a breach of security of the system; and
				(B) any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.
			(4) Delay of notification authorized for law enforcement purposes
			If a law enforcement agency determines that the notification required under this subsection would impede a criminal investigation, such notification may be delayed until such law enforcement agency determines that the notification will no longer compromise such investigation.
			(5) Methods of notice
			An agency, or person engaged in interstate commerce, shall be in compliance with this subsection if it provides the resident, owner, or licensee, as appropriate, with—
				(A) written notification;
				(B) e-mail notice, if the person or business has an e-mail address for the subject person; or
				(C) substitute notice, if—
					(i) the agency or person demonstrates that the cost of providing direct notice would exceed $250,000;
					(ii) the affected class of subject persons to be notified exceeds 500,000; or
					(iii) the agency or person does not have sufficient contact information for those to be notified.
			(6) Alternative notification procedures
			Notwithstanding any other obligation under this subsection, an agency, or person engaged in interstate commerce, shall be deemed to be in compliance with this subsection if the agency or person—
				(A) maintains its own reasonable notification procedures as part of an information security policy for the treatment of personal information; and
				(B) notifies subject persons in accordance with its information security policy in the event of a breach of security of the system.
			(7) Reasonable notification procedures
			As used in paragraph (6), with respect to a breach of security of the system involving personal information described in section 2(4)(C), the term "reasonable notification procedures" means procedures that—
				(A) use a security program reasonably designed to block unauthorized transactions before they are charged to the customer’s account;
				(B) provide for notice to be given by the owner or licensee of the database, or another party acting on behalf of such owner or licensee, after the security program indicates that the breach of security of the system has resulted in fraud or unauthorized transactions, but does not necessarily require notice in other circumstances; and
				(C) are subject to examination for compliance with the requirements of this Act by 1 or more Federal functional regulators (as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)), with respect to the operation of the security program and the notification procedures.
		(b) Civil remedies
			(1) Penalties
			Any agency, or person engaged in interstate commerce, that violates this section shall be subject to a fine of not more than $5,000 per violation, to a maximum of $25,000 per day while such violations persist.
			(2) Equitable relief
			Any person engaged in interstate commerce that violates, proposes to violate, or has violated this section may be enjoined from further violations by a court of competent jurisdiction.
			(3) Other rights and remedies
			The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.
		(c) Enforcement
		The Federal Trade Commission is authorized to enforce compliance with this section, including the assessment of fines under subsection (b)(1).

	4. Enforcement by State attorneys general
		(a) In general
			(1) Civil actions
			In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that is prohibited under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to—
				(A) enjoin that practice;
				(B) enforce compliance with this Act;
				(C) obtain damage, restitution, or other compensation on behalf of residents of the State; or
				(D) obtain such other relief as the court may consider to be appropriate.
			(2) Notice
				(A) In general
				Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General—
					(i) written notice of the action; and
					(ii) a copy of the complaint for the action.
				(B) Exemption
					(i) In general
					Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.
					(ii) Notification
					In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the State attorney general files the action.
		(b) Construction
		For purposes of bringing any civil action under subsection (a), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to—
			(1) conduct investigations;
			(2) administer oaths or affirmations; or
			(3) compel the attendance of witnesses or the production of documentary and other evidence.
		(c) Venue; service of process
			(1) Venue
			Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
			(2) Service of process
			In an action brought under subsection (a), process may be served in any district in which the defendant—
				(A) is an inhabitant; or
				(B) may be found.

	5. Effect on State law
	The provisions of this Act shall supersede any inconsistent provisions of law of any State or unit of local government relating to the notification of any resident of the United States of any breach of security of an electronic database containing such resident’s personal information (as defined in this Act), except as provided under sections 1798.82 and 1798.29 of the California Civil Code.

	6. Effective date
	This Act shall take effect on the expiration of the date which is 6 months after the date of enactment of this Act.

		

