[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1336 Introduced in Senate (IS)]


109th CONGRESS
  1st Session
                                S. 1336

To establish procedures for the protection of consumers from misuse of, 
and unauthorized access to, sensitive personal information contained in 
private information files maintained by commercial entities engaged in, 
  or affecting, interstate commerce, provide for enforcement of those 
  procedures by the Federal Trade Commission, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 29, 2005

   Mr. Pryor introduced the following bill; which was read twice and 
   referred to the Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
To establish procedures for the protection of consumers from misuse of, 
and unauthorized access to, sensitive personal information contained in 
private information files maintained by commercial entities engaged in, 
  or affecting, interstate commerce, provide for enforcement of those 
  procedures by the Federal Trade Commission, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Consumer Identity 
Protection and Security Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Consumer right to security freeze.
Sec. 3. Limited or temporary access to frozen report.
Sec. 4. Termination of security freeze.
Sec. 5. Denial of third party requests.
Sec. 6. Exceptions to security freeze.
Sec. 7. Notification of violation.
Sec. 8. Application to other consumer reporting agencies.
Sec. 9. Enforcement.
Sec. 10. Private right of action.
Sec. 11. Service fees and charges.
Sec. 12. Definitions.
Sec. 13. Regulations.

SEC. 2. CONSUMER RIGHT TO SECURITY FREEZE.

    (a) In General.--A consumer reporting agency shall place a security 
freeze on a private information file when requested by the consumer to 
whom that file relates--
            (1) by certified mail,
            (2) by telephone by providing certain sensitive personal 
        information, or
            (3) through a secure electronic mail connection if such 
        connection is made available by the consumer reporting agency.
    (b) Timing.--A consumer reporting agency shall place the requested 
security freeze on the private information file no later than 2 
business days after receiving a written or telephone request from the 
consumer or 24 hours after receiving a secure electronic mail request.
    (c) Confirmation.--Within 2 business days after placing a security 
freeze on a private information file under subsection (a), the consumer 
reporting agency that received the request from the consumer shall--
            (1) send a written confirmation of the security freeze to 
        the consumer; and
            (2) provide to the consumer a unique personal 
        identification number or password to be used by the consumer to 
        authorize access to the private information file or to remove 
        the security freeze on the file.
    (d) Prohibition on Unauthorized Access.--A consumer reporting 
agency may not grant access to a private information file on which a 
security freeze has been placed, or release information contained in 
such a private information file, except in accordance with the 
provisions of this Act or other Federal law.

SEC. 3. LIMITED OR TEMPORARY ACCESS TO FROZEN REPORT.

    (a) In General.--Within 3 business days after receiving a request 
from a consumer upon whose private information file a security freeze 
has been placed to allow access to that file to a third party, or for a 
period of time, specified by the consumer, a consumer reporting agency 
shall make the private information file available in accordance with 
the request notwithstanding the security freeze. Each consumer 
reporting agency shall develop procedures involving the use of 
telephone, facsimile machine, or, upon the consent of the consumer in 
the manner required by the Electronic Signatures in Global and National 
Commerce Act (15 U.S.C. 7001 et seq.) for notices legally required to 
be in writing, by the Internet, e-mail, or other electronic medium, to 
receive and process a request from a consumer to provide limited or 
temporary access to the private information file under this section in 
an expedited manner.
    (b) Request Requirements.--A consumer reporting agency may not 
allow access to a private information file under subsection (a) 
unless--
            (1) the request was made by the consumer by telephone, 
        certified mail, or secure electronic mail (except as provided 
        in accordance with procedures established pursuant to the 
        second sentence of subsection (a)); and
            (2) the consumer provides--
                    (A) proper identification,
                    (B) the unique personal identification number or 
                password provided by the consumer reporting agency 
                under this section; and
                    (C) the proper information regarding the third 
                party who is to receive the private information file or 
                the time period for which the file shall be made 
                available.
    (c) Termination Not Permitted.--A consumer reporting agency may not 
terminate a security freeze on the basis of a request under subsection 
(a) for limited access to a private information file.

SEC. 4. TERMINATION OF SECURITY FREEZE.

    (a) In General.--A consumer reporting agency shall terminate a 
security freeze on a private information file if--
            (1) the consumer requests that the security freeze be 
        terminated; or
            (2) the consumer reporting agency--
                    (A) determines that the security freeze was placed 
                on the private information file due to a material 
                misrepresentation of fact by the consumer; and
                    (B) notifies the consumer in writing not less than 
                5 business days before terminating the security freeze 
                under this paragraph.
    (b) Termination Requests.--Except as provided in subsection (a)(2), 
a consumer reporting agency may not terminate a security freeze on a 
private information file unless the consumer provides--
            (1) proper identification; and
            (2) the unique personal identification number or password 
        provided by the consumer reporting agency under this Act.
    (c) Timing.--A consumer reporting agency shall terminate a security 
freeze on a private information file within 3 business days after 
receiving a request that meets the requirements of this section from 
the consumer to whom the file relates.

SEC. 5. DENIAL OF THIRD PARTY REQUESTS.

    (a) Requests Denied Due to Security Freeze.--Notwithstanding any 
other provision of law to the contrary, if a third party's request for 
access to a private information file is denied because there is a 
security freeze on it, that third party may treat any application in 
connection with which the request is made as incomplete.
    (b) Notification of Consumer.--If a consumer reporting agency 
denies a third party's request for access to a private information file 
on which a security freeze has been placed for any purpose other than 
account review, the consumer reporting agency shall notify the consumer 
that it denied the request within 1 business day thereafter. The notice 
shall identify the third party making the request and the stated 
purpose of the request.

SEC. 6. EXCEPTIONS TO SECURITY FREEZE.

    The provisions of this Act do not apply to requests for access to a 
private information file by any of the following:
            (1) A Federal, State, or local law enforcement agency 
        acting within the scope of its authority or pursuant to a court 
        order, warrant, or subpoena.
            (2) A Federal, State, or local agency that administers a 
        program for establishing and enforcing child support 
        obligations.
            (3) A Federal, State, or local health agency or its agents 
        or assignees acting to investigate fraud.
            (4) A Federal, State, or local tax agency, or its agents or 
        assignees, acting to investigate or collect delinquent taxes or 
        unpaid court orders or to fulfill any of its other statutory 
        responsibilities.
            (5) A person, or the person's subsidiary, affiliate, agent, 
        or assignee with which the consumer has or, prior to 
        assignment, had an account, contract, or debtor-creditor 
        relationship for the purposes of reviewing the account or 
        collecting the financial obligation owing for the account, 
        contract, or debt.
            (6) A subsidiary, affiliate, agent, assignee, or 
        prospective assignee of a person to whom access has been 
        granted under paragraph (5) for purposes of facilitating the 
        extension of credit or other permissible use.
            (7) Any person or entity for the purpose of providing a 
        consumer with a copy of his or her private information file 
        upon the consumer's request.

SEC. 7. NOTIFICATION OF VIOLATION.

    (a) Notification.--If a consumer reporting agency violates the 
requirements of this Act with respect to access to a private 
information file, it shall notify the consumer in writing of the 
violation within 5 business days. The notice shall include a 
description of the information to which access was granted and the name 
and address of the third party to whom such access was granted.
    (b) Complaints to Consumer Protection Agencies.--If a private 
information file on which a security freeze under this Act is accessed 
in violation of this Act, the consumer to whom the file relates may 
file a complaint with the Federal Trade Commission, the attorney 
general of the State in which the consumer resides, or any other 
Federal or State consumer protection agency.

SEC. 8. APPLICATION TO OTHER CONSUMER REPORTING AGENCIES.

    (a) Notification.--Whenever a consumer reporting agency receives a 
request from a consumer under this Act that meets the requirements of 
this Act to place a security freeze on his or her private information 
file under section 2, to provide temporary or limited access to such a 
private information file under section 3, or to terminate a security 
freeze on such a private information file under section 4, it shall 
notify (on a secure basis) every other consumer reporting agency in the 
United States that it knows, or has reason to know, to maintain a 
private information file on that consumer of the request.
    (b) Compliance by Other Consumer Reporting Agencies.--A consumer 
reporting agency that receives a reported request under subsection (a) 
shall comply with the requirements of this Act with respect to that 
request to the same extent and in the same manner as if it had received 
the request from the consumer.
    (c) Liability.--A consumer reporting agency responding to a 
notification from another consumer reporting agency under subsection 
(a) is liable for any violation of this Act with respect to the request 
to which the notification relates to the same extent as if it had 
received the request from the consumer, except that such an agency 
shall not be liable for any violation attributable to incorrect 
information provided in the request from the notifying agency.

SEC. 9. ENFORCEMENT.

    (a) Violation is Unfair or Deceptive Act or Practice.--The 
violation of any provision of this Act is an unfair or deceptive act or 
practice proscribed under section 18(a)(1)(B) of the Federal Trade 
Commission Act (15 U.S.C. 57a(a)(1)(B)).
    (b) Enforcement by Federal Trade Commission.--Except as provided in 
subsection (c), this Act shall be enforced by the Federal Trade 
Commission.
    (c) Enforcement by Certain Other Agencies.--Compliance with this 
Act shall be enforced under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, and organizations operating under 
                section 25 or 25A of the Federal Reserve Act (12 U.S.C. 
                601 and 611), by the Board; and
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System) and insured State branches of foreign banks, by 
                the Board of Directors of the Federal Deposit Insurance 
                Corporation;
            (2) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;
            (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the National Credit Union Administration Board with respect 
        to any Federal credit union;
            (4) part A of subtitle VII of title 49, United States Code, 
        by the Secretary of Transportation with respect to any air 
        carrier or foreign air carrier subject to that part;
            (5) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et 
        seq.) (except as provided in section 406 of that Act (7 U.S.C. 
        226, 227)), by the Secretary of Agriculture with respect to any 
        activities subject to that Act;
            (6) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by 
        the Farm Credit Administration with respect to any Federal land 
        bank, Federal land bank association, Federal intermediate 
        credit bank, or production credit association;
            (7) the Securities and Exchange Act of 1934 (15 U.S.C. 78a 
        et seq.) by the Securities and Exchange Commission with respect 
        to--
                    (A) a broker or dealer subject to that Act;
                    (B) an investment company subject to the Investment 
                Company Act of 1940 (15 U.S.C. 80a-1 et seq.); and
                    (C) an investment advisor subject to the Investment 
                Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.);
            (8) the Communications Act of 1934 (47 U.S.C. 151 et seq.) 
        by the Federal Communications Commission with respect to common 
        carriers subject to the Communications Act of 1934 and excluded 
        from the jurisdiction of the Federal Trade Commission by 
        section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 
        45(a)(2)); and
            (9) the State insurance law (applying the insurance law of 
        that State subject to section 104 of the Gramm-Bliley-Leach Act 
        (15 U.S.C. 6701)) of a State in which a covered entity engaged 
        in providing insurance is domiciled, by the State insurance 
        authority of that State with respect to such an entity, except 
        that in any State in which the State insurance authority elects 
        not to exercise this power, compliance with this Act shall be 
        enforced by the Federal Trade Commission.
    (d) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (c) of its powers under any Act 
referred to in that subsection, a violation of this Act is deemed to be 
a violation of a requirement imposed under that Act. In addition to its 
powers under any provision of law specifically referred to in 
subsection (c), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under this Act, any other authority conferred on it by law.
    (e) Actions by the Commission.--The Commission shall prevent any 
person from violating this Act in the same manner, by the same means, 
and with the same jurisdiction, powers, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act (15 
U.S.C. 41 et seq.) were incorporated into and made a part of this Act. 
A consumer reporting agency that violates a provision of this Act is 
subject to the penalties and entitled to the privileges and immunities 
provided in the Federal Trade Commission Act in the same manner, by the 
same means, and with the same jurisdiction, power, and duties as though 
all applicable terms and provisions of the Federal Trade Commission Act 
were incorporated into and made a part of this Act.

SEC. 10. PRIVATE RIGHT OF ACTION.

    (a) In General.--If a consumer reporting agency violates the 
requirements of this Act with respect to access to a private 
information file, the consumer may file a civil action in any court of 
competent jurisdiction.
    (b) Remedies.--A court in which such a civil action has been 
brought may--
            (1) impose a civil penalty of not more than $10,000 for 
        each violation of this Act with respect to the plaintiff's 
        private information file; and
            (2) provide such additional relief as the court deems 
        appropriate, including the award of court costs, investigative 
        costs, and reasonable attorney's fees.

SEC. 11. SERVICE FEES AND CHARGES.

    (a) Fees Prohibited.--A consumer reporting agency may not impose a 
charge or fee for placing a security freeze on a private information 
file under section 2, for providing limited access to a private 
information file under section 3, or for terminating a security freeze 
on a private information file under section 4.
    (b) Replacement Identification Codes and Passwords.--A consumer 
reporting agency--
            (1) may not impose a fee for the replacement or reissue of 
        a lost or forgotten personal identification number or password 
        the first time the replacement or reissue is provided to the 
        consumer; but
            (2) may impose a fee of not more than $5 for a second or 
        subsequent replacement or reissue of such a personal 
        identification number or password.

SEC. 12. DEFINITIONS.

    In this Act:
            (1) Account review.--The term ``account review'' means any 
        activity related to account maintenance, monitoring, credit 
        line increases, or account upgrades and enhancements.
            (2) Consumer reporting agency.--The term ``consumer 
        reporting agency'' means any person that, for fees, dues, or on 
        a cooperative nonprofit basis, regularly engages in the 
        practice of assembling or evaluating information on consumers 
        for the purpose of providing consumer credit reports, or 
        information contained in such reports, to third parties.
            (3) Private information file.--
                    (A) In general.--The term ``private information 
                file'' means any written, oral, or other communication 
                of any information by a consumer reporting agency 
                bearing on a consumer's character, general reputation, 
                personal characteristics, mode of living, employment, 
                or personal financial information to be used in whole 
                or in part for political campaign, charitable 
                solicitation, commercial marketing purposes or as a 
                factor in establishing the consumer's eligibility for--
                            (i) credit or insurance to be used 
                        primarily for personal, family, or household 
                        purposes; or
                            (ii) employment purposes.
                    (B) Exclusions.--Except as provided in subparagraph 
                (C), the term ``private information file'' does not 
                include--
                            (i) any report containing information 
                        solely as to transactions or experiences 
                        between the consumer and the person making the 
                        report;
                            (ii) the communication of that information 
                        among persons related by common ownership or 
                        affiliated by corporate control; or
                            (iii) the communication of other 
                        information among persons related by common 
                        ownership or affiliated by corporate control, 
                        if it is clearly and conspicuously disclosed to 
                        the consumer that the information may be 
                        communicated among such persons and the 
                        consumer is given the opportunity, before the 
                        time that the information is initially 
                        communicated, to direct that such information 
                        not be communicated among such persons;
                            (iv) any authorization or approval of a 
                        specific extension of credit directly or 
                        indirectly by the issuer of a credit card or 
                        similar device; or
                            (v) any report in which a person who has 
                        been requested by a third party to make a 
                        specific extension of credit directly or 
                        indirectly to a consumer conveys his or her 
                        decision with respect to such request, if the 
                        third party advises the consumer of the name 
                        and address of the person to whom the request 
                        was made, and such person makes the required 
                        disclosures to the consumer under Federal law.
                    (C) Restriction on sharing of medical 
                information.--Except for information or any 
                communication of information disclosed as provided in 
                Federal law, the exclusions in subparagraph (B) do not 
                apply with respect to information disclosed to any 
                person related by common ownership or affiliated by 
                corporate control, if the information is--
                            (i) medical information;
                            (ii) an individualized list or description 
                        based on the payment transactions of the 
                        consumer for medical products or services; or
                            (iii) an aggregate list of identified 
                        consumers based on payment transactions for 
                        medical products or services.

SEC. 13. REGULATIONS.

    (a) Rulemaking Proceeding.--Within 90 days after the date of 
enactment of this Act, the Federal Trade Commission shall initiate a 
rulemaking proceeding to provide rules, guidelines, and criteria for 
compliance with the requirements of this Act, including--
            (1) rules necessary to implement the provisions of this Act 
        that include required contents for a request for a security 
        freeze, criteria for identification verification of the 
        requesting party, and consumer notification requirements to 
        ensure that consumers are aware of their rights under this Act;
            (2) rules to ensure that a request, under section 2 of this 
        Act, for a security freeze on a private information file, a 
        request from a consumer for limited or temporary access to a 
        private information file under section 3 of this Act, or a 
        requested termination of such a freeze under section 4 of this 
        Act, will be communicated by the consumer reporting agency 
        receiving the request to other consumer reporting agencies as 
        required by section 8 of this Act and implemented by those 
        agencies in a timely manner; and
            (3) rules to provide for the application of this Act in a 
        manner that does not conflict with any other provision of 
        Federal law governing the acquisition, maintenance, 
        disposition, or access to information contained in a private 
        information file.
    (b) Final Rule.--The Commission shall issue final rules pursuant to 
the proceeding initiated under paragraph (a) within 1 year after the 
date of enactment of this Act.