[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1326 Reported in Senate (RS)]
Calendar No. 252
109th CONGRESS
1st Session
S. 1326
To require agencies and persons in possession of computerized data
containing sensitive personal information, to disclose security
breaches where such breach poses a significant risk of identity theft.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 28, 2005
Mr. Sessions introduced the following bill; which was read twice and
referred to the Committee on the Judiciary
October 20, 2005
Reported by Mr. Specter, without amendment
_______________________________________________________________________
A BILL
To require agencies and persons in possession of computerized data
containing sensitive personal information, to disclose security
breaches where such breach poses a significant risk of identity theft.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Notification of Risk to Personal
Data Act''.
SEC. 2. DEFINITIONS.
In this Act, the following definitions shall apply:
(1) Agency.--The term ``agency''--
(A) has the meaning given such term in section
551(1) of title 5, United States Code; and
(B) includes any authority of a State or political
subdivision.
(2) Breach of security of the system.--The term ``breach of
security of the system''--
(A) means the compromise of the security of
computerized data containing sensitive personal
information that establishes a reasonable basis to
conclude that a significant risk of identity theft to
an individual exists; and
(B) does not include the compromise of the security
of computerized data, if the agency or person
concludes, after conducting a reasonable investigation,
that there is not a significant risk of identity theft
to an individual, including a situation in which--
(i) sensitive personal information is
acquired in good faith by an employee or agent
of the agency or person and the information is
not subject to further unauthorized disclosure;
(ii) an investigation by an appropriate law
enforcement agency, government agency, or
official determines that there is not a
significant risk of identity theft; or
(iii) the agency or person maintains or
participates in a security program reasonably
designed to block unauthorized transactions
before they are charged to an individual's
account and the security program does not
indicate that the compromise of sensitive
personal information has resulted in fraud or
unauthorized transactions.
(3) Person.--The term ``person'' has the meaning given such
term in section 551(2) of title 5, United States Code.
(4) Sensitive personal information.--The term ``sensitive
personal information''--
(A) means--
(i) an individual's first and last name;
(ii) the individual's address or telephone
number; and
(iii) the individual's social security
number, the individual's driver's license
number or equivalent State identification
number, or the individual's financial account
number, credit or debit card number, in
combination with any required security code,
access code, or password that would permit
access to an individual's financial account, if
the data element under this clause is not
encrypted or redacted and is linked to the
information described in clauses (i) and (ii);
and
(B) does not include--
(i) any list, description, or other
grouping of individuals (and publicly available
information pertaining to them) that is derived
without using any sensitive personal
information; or
(ii) publicly available information that is
lawfully made available to the general public
from Federal, State or local government
records.
(5) Redacted.--The term ``redacted'' means truncated so
that not more than the last 4 digits of the social security
number, driver's license number, State identification card
number, or account number are accessible as part of the data.
(6) Identity theft.--The term ``identity theft'' means a
fraud committed using the identification of another person with
the intent to commit, or to aid or abet any unlawful activity
that constitutes a violation of Federal law, or that
constitutes a felony under any applicable State or local law
and that results in economic loss to the individual.
(7) Personal information.--The term ``personal
information'' means personally identifiable information about a
specific individual.
(8) Functional regulator.--The term ``functional
regulator'' means--
(A) the Office of the Comptroller of the Currency
with respect to national banks, and Federal branches,
Federal agencies of foreign banks, and any subsidiaries
of such entities (except brokers, dealers, persons
providing insurance, investment companies, and
investment advisers);
(B) the Board of Governors of the Federal Reserve
System with respect to member banks of the Federal
Reserve System (other than national banks), branches
and agencies of foreign banks (other than Federal
branches, Federal agencies, and insured State branches
of foreign banks), commercial lending companies owned
or controlled by foreign banks, organizations operating
under section 25 or 25A of the Federal Reserve Act (12
U.S.C. 601 and 611), bank and financial holding
companies, and any nonbank subsidiaries or affiliates
of such entities (except brokers, dealers, persons
providing insurance, investment companies, and
investment advisers);
(C) the Board of Directors of the Federal Deposit
Insurance Corporation with respect to banks insured by
the Federal Deposit Insurance Corporation (other than
members of the Federal Reserve System), insured State
branches of foreign banks, and any subsidiaries of such
entities (except brokers, dealers, persons providing
insurance, investment companies, and investment
advisers);
(D) the Director of the Office of Thrift
Supervision with respect to savings association the
deposits of which are insured by the Federal Deposit
Insurance Corporation, savings and loan holding
companies, and any subsidiaries of such entities
(except brokers, dealers, persons providing insurance,
investment companies, and investment advisers);
(E) the National Credit Union Administration Board
with respect to any Federal credit union and any
subsidiaries of such an entity;
(F) the Secretary of Transportation with respect to
any air carrier or foreign air carrier subject to part
A of subtitle VII of title 49, United States Code;
(G) the Secretary of Agriculture with respect to
any activities subject to the Packers and Stockyards
Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in
section 406 of that Act (7 U.S.C. 226 and 227));
(H) the Farm Credit Administration with respect to
any Federal land bank, Federal land bank association,
Federal intermediate credit bank, or production credit
association;
(I) the Securities and Exchange Commission with
respect to any broker or dealer, investment company or
investment adviser;
(J) the applicable State insurance authority of the
State in which the person is domiciled with respect to
any person engaged in providing insurance;
(K) the Federal Communications Commission with
respect to any entity subject to the jurisdiction of
the Commission; and
(L) the Federal Trade Commission with respect to
any other financial institution or other person that is
not subject to the jurisdiction of any agency or
authority under subparagraphs (A) through (K).
SEC. 3. DATABASE SECURITY.
(a) In General.--Any agency or person that owns or licenses
computerized data containing sensitive personal information shall
implement and maintain reasonable security and notification procedures
and practices appropriate to the size and nature of the agency or
person and the nature of the information to protect the sensitive
personal information from unauthorized access, destruction, use,
modification or disclosure.
(b) Disclosure of Security Breach.--
(1) Notification of individual.--
(A) In general.--If an agency or person that owns
or licenses computerized data containing sensitive
personal information, determines, after discovery and a
reasonable investigation, or notification under
paragraph (2), that a significant risk of identity
theft exists as a result of a breach of security of the
system of such agency or person containing such data,
the agency or person shall notify any individual whose
sensitive personal information was compromised if such
individual is known to be a resident of the United
States.
(B) Delay of notification.--If a Federal law
enforcement agency of either appropriate domestic or
foreign jurisdiction determines that the notification
required under this subsection would impede a criminal
or civil investigation, such notification may be
delayed until such Federal law enforcement agency
determines that the notification will no longer
compromise such investigation.
(2) Notification of owner or licensor.--Any agency or
person in possession of computerized data containing sensitive
personal information that the agency or person does not own or
license shall notify the entity from whom it received the
information if the security of the sensitive personal
information was compromised and such compromise has resulted in
a significant risk of identity theft to an individual.
(3) Timeliness of notification.--All notifications required
under paragraph (1) or (2) shall be made as expediently as
possible and without unreasonable delay following--
(A) the discovery and reasonable investigation by
the agency or person of a breach of security of the
system; and
(B) any measures the agency or person takes that
are necessary to determine the scope of the breach,
prevent further breaches, determine whether there is a
reasonable basis to conclude that a significant risk of
identity theft to an individual exists, restore the
reasonable integrity of the data system, and comply
with applicable requirements of securities laws and
regulations.
(4) Methods of notice.--An agency or person shall be in
compliance with this subsection if it provides the resident,
owner, or licensee, as appropriate, with--
(A) written notification to a mailing address for
the subject individual;
(B) telephonic notification to a telephone number
for the subject individual;
(C) e-mail notice to an e-mail address for the
subject individual; or
(D) conspicuous posting of the notice on the
Internet site of the agency or person, if the agency or
person maintains an Internet site, or notification to
major media, if--
(i) the agency or person demonstrates that
the cost of providing direct notice under
paragraphs (A) through (C) of this subsection
would exceed $250,000;
(ii) the affected class of subject
individuals to be notified exceeds 500,000; or
(iii) the agency or person does not have
sufficient contact information for those to be
notified.
(5) Contents of notice.--Notice under this subsection
shall--
(A) be given in a clear and conspicuous manner;
(B) describe the breach of security of the system
in general terms and the type of sensitive personal
information involved; and
(C) include a toll-free telephone number or website
that individuals can utilize for further information
and assistance.
(6) Duty to coordinate with consumer reporting agencies.--
Before any agency or person provides notice to more than 1,000
individuals at any time, or provides notice pursuant to
paragraph (4)(D), that sensitive personal information on the
individuals was, or may reasonably be expected to have been,
the subject of a breach of security of the system, the agency
or person shall, without unreasonable delay--
(A) notify all nationwide consumer reporting
agencies (as defined in section 603(p) of the Fair
Credit Reporting Act (15 U.S.C. 1681a(p))) of the
timing, content, and distribution of the notice,
including--
(i) the number of individuals to whom the
notice will be given; or
(ii) the type of notice provided under
paragraph (4)(D); and
(B) conform the notice to individuals to be
delivered by such agency or person to accurately
reflect, to the extent given in such notice--
(i) the method of contact reasonably
specified by each nationwide consumer reporting
agency that such individuals are to use with
respect to the particular notice; and
(ii) the responsibilities of a nationwide
consumer reporting agency under the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.) and any
other applicable law.
(7) Safe harbor.--Notwithstanding any other obligation
under this subsection, an agency or person that maintains
notification procedures as part of an information security
policy for the treatment of sensitive personal information and
is otherwise consistent with the requirements of paragraphs (3)
and (6) shall be in compliance with this subsection if the
agency or person notifies subject persons in accordance with
its policies in the event of a breach of security of the
system.
(8) Relation to other provisions.--Nothing in this Act
shall be construed to modify, limit or supersede the operation
of either the Fair Credit Reporting Act, the Gramm-Leach-Bliley
Act, or any other applicable provision of Federal law.
(c) Civil Remedies.--
(1) Penalties.--
(A) In general.--Except as provided under
subparagraph (B), any agency or person that fails to
give notice in accordance with paragraph (1) through
(4) of subsection (b) shall be subject to--
(i) a fine in an amount not to exceed
$250,000 per breach of security of the system;
or
(ii) in the case of a violation of
subsection (a), such actual damages as may be
proven.
(B) Exemption.--An agency or person shall not be
subject to a fine under this paragraph if the breach of
security of the system--
(i) was not a result of the negligence of
such agency or person; and
(ii) was the result of fraud committed by a
third party.
(2) Equitable relief.--Any person that violates, proposes
to violate, or has violated this section may be enjoined from
further violations by a court of competent jurisdiction.
(3) Other rights and remedies.--The rights and remedies
available under this subsection are cumulative and shall not
affect any other rights and remedies available under law.
(d) Enforcement.--
(1) In general.--The functional regulator is authorized to
enforce compliance with this section, including the assessment
of fines under subsection (c)(1).
(2) Civil actions.--No private right of action or class
action shall be brought under this Act. No person other than
the attorney general of a State may bring a civil action under
the law of any State if such action is premised in whole or in
part upon the defendant violating any provision of this Act.
SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by the engagement of any person in a
practice that is prohibited under this Act, the State, as
parens patriae, may bring a civil action on behalf of the
residents of the State in a United States district court of
appropriate jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with this Act; or
(C) obtain damage, restitution, or other
compensation on behalf of residents of the State under
the conditions and up to the monetary limits set forth
in section 3(c)(1).
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State shall
provide the Attorney General of the United States and
the functional regulator--
(i) written notice of the action; and
(ii) a copy of the complaint for the
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subsection, if the State attorney general
determines that it is not feasible to provide
the notice described in such subparagraph
before the filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the functional regulator and the
Attorney General at the time the State attorney
general files the action.
(C) United states attorney general priority.--After
having been notified, as provided in subparagraph (A),
the Attorney General shall have the right--
(i) to file a civil action, subject to
monetary limits equal to those set forth in
section 3(c)(1);
(ii) to intervene in the action;
(iii) upon so intervening, to be heard on
all matters arising therein;
(iv) to remove the action to the
appropriate United States district court; and
(v) to file petitions for appeal.
(D) Preemption.--
(i) Action by department of justice.--If
the Attorney General institutes a civil action
or intervenes in an action under this
subsection, the functional regulator, a State
attorney general, or an official or agency of a
State may not bring an action under this
section for any violation of this Act alleged
in the complaint.
(ii) Action by functional regulator.--If
the functional regulator institutes a civil
action or intervenes under section 3(d)(1) to
enforce compliance with section 3, a State
attorney general or official or agency of a
State, may not bring an action under this
section for any violation of this Act alleged
in the complaint.
(b) Limitations on State Actions.--
(1) Violation of injunction required.--A State may not
bring an action against a person under subsection (a)(1)(C)
unless--
(A) the person has been enjoined from committing
the violation, in an action brought by the State under
subsection (a)(1)(A); and
(B) the person has violated the injunction.
(2) Limitation on damages recoverable.--In an action under
subsection (a)(1)(C), a State may not recover any damages
incurred before the date of the violation of an injunction on
which the action is based.
(c) Construction.--For purposes of a civil action under subsection
(a), nothing in this Act shall be construed to prevent the attorney
general of a State from exercising the powers conferred on such
attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(d) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in the district court of the United States that meets
applicable requirements relating to venue under section 1391 of
title 28, United States Code.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 5. EFFECT ON STATE LAW.
The provisions of this Act shall supersede any law, rule, or
regulation of any State or unit of local government that relates in any
way to electronic information security standards or the notification of
any resident of the United States of any breach of security pertaining
to any collection of personal information about such resident.
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the expiration of the date which is
180 days after the date of enactment of this Act.