[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1408 Introduced in Senate (IS)]

  1st Session
                                S. 1408

   To strengthen data protection and safeguards, require data breach 
           notification, and further prevent identity theft.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 14, 2005

Mr. Smith (for himself, Mr. Nelson of Florida, Mr. Stevens, Mr. Inouye, 
  Mr. McCain, and Mr. Pryor) introduced the following bill; which was 
  read twice and referred to the Committee on Commerce, Science, and 
                             Transportation

_______________________________________________________________________

                                 A BILL


 
   To strengthen data protection and safeguards, require data breach 
           notification, and further prevent identity theft.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Identity Theft 
Protection Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Protection of sensitive personal information.
Sec. 3. Notification of security breach risk.
Sec. 4. Security freeze.
Sec. 5. Enforcement.
Sec. 6. Enforcement by State attorneys general.
Sec. 7. Preemption of State law.
Sec. 8. Social security and driver's license number protection.
Sec. 9. Information security working group.
Sec. 10. Definitions.
Sec. 11. Authorization of appropriations.
Sec. 12. Effective dates.

SEC. 2. PROTECTION OF SENSITIVE PERSONAL INFORMATION.

    (a) In General.--In accordance with regulations prescribed by the 
Federal Trade Commission under subsection (b), a covered entity shall 
take reasonable steps to protect against security breaches and to 
prevent unauthorized access to sensitive personal information the 
covered entity sells, maintains, collects, or transfers.
    (b) Regulations.--Not later than 1 year after the date of enactment 
of this Act, the Commission shall promulgate regulations to implement 
subsection (a), including regulations that--
            (1) require covered entities to develop, implement, and 
        maintain an effective information security program that 
        contains administrative, technical, and physical safeguards for 
        sensitive personal information, taking into account the use of 
        technological safeguards, including encryption, truncation, and 
        other safeguards available or being developed for such 
        purposes;
            (2) require procedures for verifying the credentials of any 
        third party seeking to obtain the sensitive personal 
        information of another person; and
            (3) require disposal procedures to be followed by covered 
        entities that--
                    (A) dispose of sensitive personal information; or
                    (B) transfer sensitive personal information to 
                third parties for disposal.

SEC. 3. NOTIFICATION OF SECURITY BREACH RISK.

    (a) Security Breaches Affecting 1,000 or More Individuals.--
            (1) In general.--If a covered entity discovers a breach of 
        security and determines that the breach of security affects the 
        sensitive personal information of 1,000 or more individuals, 
        then, before conducting the notification required by subsection 
        (b), it shall--
                    (A) report the breach to the Commission (or other 
                appropriate Federal regulator under section 5); and
                    (B) notify all consumer reporting agencies 
                described in section 603(p)(1) of the Fair Credit 
                Reporting Act (15 U.S.C. 1681a(p)(1)) of the breach.
            (2) FTC website publications.--Whenever the Commission 
        receives a report under paragraph (1)(A), it shall post a 
        report of the breach of security on its website without 
        disclosing any sensitive personal information or the names of 
        the individuals affected.
    (b) Notification of Consumers.--Whenever a covered entity discovers 
a breach of security and determines that the breach of security has 
resulted in, or that there is a basis for concluding that a reasonable 
risk of identity theft to 1 or more individuals, the covered entity 
shall notify each such individual.
    (c) Methods of Notification; Notice Content.--Within 1 year after 
the date of enactment of this Act, the Commission shall promulgate 
regulations that establish methods of notification to be followed by 
covered entities in complying with the requirements of this section and 
the content of the notices required. In promulgating those regulations, 
the Commission shall take into consideration the types of sensitive 
personal information involved, the nature and scope of the security 
breach, other appropriate factors, and the most effective means of 
notifying affected individuals.
    (d) Timing of Notification.--
            (1) In general.--Except as provided in paragraph (2), 
        notice required by subsection (a) shall be given--
                    (A) in the most expedient manner practicable;
                    (B) without unreasonable delay, but not later than 
                90 days after the date on which the breach of security 
                was discovered by the covered entity; and
                    (C) in a manner that is consistent with any 
                measures necessary to determine the scope of the breach 
                and restore the security and integrity of the data 
                system.
            (2) Law enforcement and homeland security related delays.--
        Notwithstanding paragraph (1), the giving of notice as required 
        by that paragraph may be delayed for a reasonable period of 
        time if--
                    (A) a Federal law enforcement agency determines 
                that the timely giving of notice under subsections (a) 
                and (b), as required by paragraph (1), would materially 
                impede a civil or criminal investigation; or
                    (B) a Federal national security or homeland 
                security agency determines that such timely giving of 
                notice would threaten national or homeland security.

SEC. 4. SECURITY FREEZE.

    (a) In General.--
            (1) Emplacement.--A consumer may place a security freeze on 
        his or her credit report by making a request to a consumer 
        credit reporting agency in writing or by telephone.
            (2) Consumer disclosure.--If a consumer requests a security 
        freeze, the consumer credit reporting agency shall disclose to 
        the consumer the process of placing and removing the security 
        freeze and explain to the consumer the potential consequences 
        of the security freeze.
    (b) Effect of Security Freeze.--
            (1) Release of information blocked.--If a security freeze 
        is in place on a consumer's credit report, a consumer reporting 
        agency may not release information from the credit report to a 
        third party without prior express authorization from the 
        consumer.
            (2) Information provided to third parties.--Paragraph (2) 
        does not prevent a consumer credit reporting agency from 
        advising a third party that a security freeze is in effect with 
        respect to the consumer's credit report. If a third party, in 
        connection with an application for credit, requests access to a 
        consumer credit report on which a security freeze is in place, 
        the third party may treat the application as incomplete.
    (c) Removal; Temporary Suspension.--
            (1) In general.--Except as provided in paragraph (4), a 
        security freeze shall remain in place until the consumer 
        requests that the security freeze be removed. A consumer may 
        remove a security freeze on his or her credit report by making 
        a request to a consumer credit reporting agency in writing or 
        by telephone.
            (2) Conditions.--A consumer credit reporting agency may 
        remove a security freeze placed on a consumer's credit report 
        only--
                    (A) upon the consumer's request, pursuant to 
                paragraph (1); or
                    (B) if the agency determines that the consumer's 
                credit report was frozen due to a material 
                misrepresentation of fact by the consumer.
            (3) Notification to consumer.--If a consumer credit 
        reporting agency intends to remove a freeze upon a consumer's 
        credit report pursuant to paragraph (2)(B), the consumer credit 
        reporting agency shall notify the consumer in writing prior to 
        removing the freeze on the consumer's credit report.
            (4) Temporary suspension.--A consumer may have a security 
        freeze on his or her credit report temporarily suspended by 
        making a request to a consumer credit reporting agency in 
        writing or by telephone and specifying beginning and ending 
        dates for the period during which the security freeze is not to 
        apply to that consumer's credit report.
    (d) Response Times; Notification of Other Entities.--
            (1) In general.--A consumer credit reporting agency shall--
                    (A) place a security freeze on a consumer's credit 
                report under subsection (a) no later than 5 business 
                days after receiving a request from the consumer under 
                subsection (a)(1); and
                    (B) remove, or temporarily suspend, a security 
                freeze within 3 business days after receiving a request 
                for removal or temporary suspension from the consumer 
                under subsection (c).
            (2) Notification of other covered entities.--If the 
        consumer requests in writing or by telephone that other covered 
        entities be notified of the request, the consumer reporting 
        agency shall notify all other consumer reporting agencies 
        described in section 603(p)(1) of the Fair Credit Reporting Act 
        (15 U.S.C. 1681a(p)(1)) of the request within 3 days after 
        placing, removing, or temporarily suspending a security freeze 
        on the consumer's credit report under subsection (a), 
        (c)(2)(A), or subsection (c)(4), respectively.
            (3) Implementation by other covered entities.--A consumer 
        reporting agency that is notified of a request under paragraph 
        (2) to place, remove, or temporarily suspend a security freeze 
        on a consumer's credit report shall place, remove, or 
        temporarily suspend the security freeze on that credit report 
        within 3 business days after receiving the notification.
    (e) Confirmation.--Whenever a consumer credit reporting agency 
places, removes, or temporarily suspends a security freeze on a 
consumer's credit report at the request of that consumer under 
subsection (a) or (c), respectively, it shall send a written 
confirmation thereof to the consumer within 10 business days after 
placing, removing, or temporarily suspending the security freeze on the 
credit report. This subsection does not apply to the placement, 
removal, or temporary suspension of a security freeze by a consumer 
reporting agency because of a notification received under subsection 
(d)(2).
    (f) ID Required.--A consumer credit reporting agency may not place, 
remove, or temporarily suspend a security freeze on a consumer's credit 
report at the consumer's request unless the consumer provides proper 
identification (within the meaning of section 610(a)(1) of the Fair 
Credit Reporting Act (15 U.S.C. 1681h) and the regulations thereunder.
    (g) Exceptions.--This section does not apply to the use of a 
consumer credit report by any of the following:
            (1) A person or entity, or a subsidiary, affiliate, or 
        agent of that person or entity, or an assignee of a financial 
        obligation owing by the consumer to that person or entity, or a 
        prospective assignee of a financial obligation owing by the 
        consumer to that person or entity in conjunction with the 
        proposed purchase of the financial obligation, with which the 
        consumer has or had prior to assignment an account or contract, 
        including a demand deposit account, or to whom the consumer 
        issued a negotiable instrument, for the purposes of reviewing 
        the account or collecting the financial obligation owing for 
        the account, contract, or negotiable instrument.
            (2) Any Federal, State or local agency, law enforcement 
        agency, trial court, or private collection agency acting 
        pursuant to a court order, warrant, or subpoena.
            (3) A child support agency or its agents or assigns acting 
        pursuant to subtitle D of title IV of the Social Security Act 
        (42 U.S.C. et seq.) or similar State law.
            (4) The Department of Health and Human Services, a similar 
        State agency, or the agents or assigns of the Federal or State 
        agency acting to investigate medicare or medicaid fraud.
            (5) The Internal Revenue Service or a State or municipal 
        taxing authority, or a State department of motor vehicles, or 
        any of the agents or assigns of these Federal, State, or 
        municipal agencies acting to investigate or collect delinquent 
        taxes or unpaid court orders or to fulfill any of their other 
        statutory responsibilities.
            (6) The use of consumer credit information for the purposes 
        of prescreening as provided for by the Federal Fair Credit 
        Reporting Act (15 U.S.C. 1681 et seq.).
            (7) Any person or entity administering a credit file 
        monitoring subscription to which the consumer has subscribed.
            (8) Any person or entity for the purpose of providing a 
        consumer with a copy of his or her credit report or credit 
        score upon the consumer's request.
    (h) Fees.--
            (1) In general.--Except as provided in paragraph (2), a 
        consumer credit reporting agency may charge a reasonable fee, 
        as determined by the Commission, for placing, removing, or 
        temporarily suspending a security freeze on a consumer's credit 
        report.
            (2) ID theft victims.--A consumer credit reporting agency 
        may not charge a fee for placing, removing, or temporarily 
        suspending a security freeze on a consumer's credit report if--
                    (A) the consumer is a victim of identity theft; and
                    (B) the consumer has filed a police report with 
                respect to the theft.
    (i) Limitation on Information Changes in Frozen Reports.--
            (1) In general.--If a security freeze is in place on a 
        consumer's credit report, a consumer credit reporting agency 
        may not change any of the following official information in 
        that credit report without sending a written confirmation of 
        the change to the consumer within 30 days after the change is 
        made:
                    (A) Name.
                    (B) Date of birth.
                    (C) Social Security number.
                    (D) Address.
            (2) Confirmation.--Paragraph (1) does not require written 
        confirmation for technical modifications of a consumer's 
        official information, including name and street abbreviations, 
        complete spellings, or transposition of numbers or letters. In 
        the case of an address change, the written confirmation shall 
        be sent to both the new address and to the former address.
    (j) Certain Entity Exemptions.--
            (1) Aggregators and other agencies.--The provisions of 
        subsections (a) through (h) do not apply to a consumer credit 
        reporting agency that acts only as a reseller of credit 
        information by assembling and merging information contained in 
        the data base of another consumer credit reporting agency or 
        multiple consumer credit reporting agencies, and does not 
        maintain a permanent data base of credit information from which 
        new consumer credit reports are produced.
            (2) Other exempted entities.--The following entities are 
        not required to place a security freeze in a credit report:
                    (A) A check services or fraud prevention services 
                company, which issues reports on incidents of fraud or 
                authorizations for the purpose of approving or 
                processing negotiable instruments, electronic funds 
                transfers, or similar methods of payments.
                    (B) A deposit account information service company, 
                which issues reports regarding account closures due to 
                fraud, substantial overdrafts, ATM abuse, or similar 
                negative information regarding a consumer, to inquiring 
                banks or other financial institutions for use only in 
                reviewing a consumer request for a deposit account at 
                the inquiring bank or financial institution.

SEC. 5. ENFORCEMENT.

    (a) Enforcement by Commission.--Except as provided in subsection 
(c), this Act shall be enforced by the Commission.
    (b) Violation is Unfair or Deceptive Act or Practice.--The 
violation of any provision of this Act shall be treated as an unfair or 
deceptive act or practice proscribed under a rule issued under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (c) Enforcement by Certain Other Agencies.--Compliance with this 
Act shall be enforced under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, and organizations operating under 
                section 25 or 25A of the Federal Reserve Act (12 U.S.C. 
                601 and 611), by the Board; and
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System) and insured State branches of foreign banks, by 
                the Board of Directors of the Federal Deposit Insurance 
                Corporation;
            (2) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;
            (3) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the National Credit Union Administration Board with respect 
        to any Federal credit union; and
            (4) the Securities and Exchange Act of 1934 (15 U.S.C. 78a 
        et seq.) by the Securities and Exchange Commission with respect 
        to--
                    (A) a broker or dealer subject to that Act;
                    (B) an investment company subject to the Investment 
                Company Act of 1940 (15 U.S.C. 80a-1 et seq.); and
                    (C) an investment advisor subject to the Investment 
                Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.).
    (d) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (c) of its powers under any Act 
referred to in that subsection, a violation of this Act is deemed to be 
a violation of a requirement imposed under that Act. In addition to its 
powers under any provision of law specifically referred to in 
subsection (c), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under this Act, any other authority conferred on it by law.
    (e) Penalties.--
            (1) In general.--Notwithstanding section 5(m) of the 
        Federal Trade Commission Act (15 U.S.C. 45(m)), the Commission 
        may not obtain a civil penalty under that section for a 
        violation of this Act in excess of--
                    (A) $11,000 for each such individual; and
                    (B) $11,000,000 in the aggregate for all such 
                individuals with respect to the same violation.
            (2) Other authority not affected.--Nothing in this Act 
        shall be construed to limit or affect in any way the 
        Commission's authority to bring enforcement actions or take any 
        other measure under the Federal Trade Commission Act (15 U.S.C. 
        41 et seq.) or any other provision of law.
    (f) No Private Cause of Action.--Nothing in this Act establishes a 
private cause of action against a covered entity for the violation of 
any provision of this Act.
    (g) Compliance With Gramm-Leach-Bliley Act.--Any person to which 
title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) applies 
shall be deemed to be in compliance with the notification requirements 
of this Act with respect to a breach of security if that person is in 
compliance with the notification requirements of that title with 
respect to that breach of security.

SEC. 6. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--A State, as parens patriae, may bring a civil 
action on behalf of its residents in an appropriate district court of 
the United States to enforce the provisions of this Act, or to impose 
the civil penalties authorized by section 5, whenever the attorney 
general of the State has reason to believe that the interests of the 
residents of the State have been or are being threatened or adversely 
affected by a covered entity that violates this Act or a regulation 
under this Act.
    (b) Notice.--The State shall serve written notice to the Commission 
(or other appropriate Federal regulator under section 5) of any civil 
action under subsection (a) prior to initiating such civil action. The 
notice shall include a copy of the complaint to be filed to initiate 
such civil action, except that if it is not feasible for the State to 
provide such prior notice, the State shall provide such notice 
immediately upon instituting such civil action.
    (c) Authority To Intervene.--Upon receiving the notice required by 
subsection (b), the Commission (or other appropriate Federal regulator 
under section 5) may intervene in such civil action and upon 
intervening--
            (1) be heard on all matters arising in such civil action; 
        and
            (2) file petitions for appeal of a decision in such civil 
        action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this section shall prevent the attorney 
general of a State from exercising the powers conferred on the attorney 
general by the laws of such State to conduct investigations or to 
administer oaths or affirmations or to compel the attendance of 
witnesses or the production of documentary and other evidence.
    (e) Venue; Service of Process.--In a civil action brought under 
subsection (a)--
            (1) the venue shall be a judicial district in which--
                    (A) the covered entity operates;
                    (B) the covered entity was authorized to do 
                business; or
                    (C) where the defendant in the civil action is 
                found;
            (2) process may be served without regard to the territorial 
        limits of the district or of the State in which the civil 
        action is instituted; and
            (3) a person who participated with a covered entity in an 
        alleged violation that is being litigated in the civil action 
        may be joined in the civil action without regard to the 
        residence of the person.
    (f) Limitation on State Action While Federal Action Is Pending.--If 
the Commission (or other appropriate Federal agency under section 5) 
has instituted a civil action or an administrative action for violation 
of this Act, no State attorney general, or official or agency of a 
State, may bring an action under this subsection during the pendency of 
that action against any defendant named in the complaint of the 
Commission or the other agency for any violation of this Act alleged in 
the complaint.
    (g) Enforcement of State Law.--Nothing contained in this section 
shall prohibit an authorized State official from proceeding in State 
court to enforce a civil or criminal statute of such State.

SEC. 7. PREEMPTION OF STATE LAW.

    (a) In General.--This Act preempts any State or local law, 
regulation, or rule that requires a covered entity--
            (1) to develop, implement, or maintain information security 
        programs to which this Act applies; or
            (2) to notify individuals of breaches of security regarding 
        their sensitive personal information.
    (b) Liability.--This Act preempts any State or local law, 
regulation, rule, administrative procedure, or judicial precedent under 
which liability is imposed on a covered entity for failure--
            (1) to implement and maintain an adequate information 
        security program; or
            (2) to notify an individual of any breach of security 
        pertaining to any sensitive personal information about that 
        individual.
    (c) Security Freeze.--This Act preempts any State or local law, 
regulation, or rule that requires consumer reporting agencies to impose 
a security freeze on consumer credit reports at the request of a 
consumer.

SEC. 8. SOCIAL SECURITY NUMBER PROTECTION.

    (a) Prohibition of Unnecessary Solicitation of Social Security 
Numbers.--No covered entity may solicit any social security number from 
an individual unless there is a specific use of the social security 
number for which no other identifier reasonably can be used.
    (b) Prohibition of the Display of Social Security Numbers on 
Employee Identification Cards, Etc.--
            (1) In general.--No covered entity may display the social 
        security number (or any derivative of such number) of an 
        individual on any card or tag that is commonly provided to 
        employees (or to their family members), faculty, staff, or 
        students for purposes of identification.
            (2) Driver's licenses.--A State may not display the social 
        security number of an individual on driver's licenses issued by 
        that State.
    (c) Prohibition of Inmate Access to Social Security Account 
Numbers.--
            (1) In general.--Section 205(c)(2)(C) of the Social 
        Security Act (42 U.S.C. 405(c)(2)(C)), as amended by subsection 
        (b), is amended by adding at the end the following new clause:
    ``(xi) No executive, legislative, or judicial agency or 
instrumentality of the Federal Government or of a State or political 
subdivision thereof (or person acting as an agent of such an agency or 
instrumentality) may employ, or enter into a contract for the use or 
employment of, prisoners in any capacity that would allow such 
prisoners access to the social security account numbers of other 
individuals. For purposes of this clause, the term `prisoner' means an 
individual confined in a jail, prison, or other penal institution or 
correctional facility.''.
            (2) Treatment of current arrangements.--In the case of--
                            (i) prisoners employed as described in 
                        clause (xi) of section 205(c)(2)(C) of the 
                        Social Security Act (42 U.S.C. 405(c)(2)(C)), 
                        as added by paragraph (1), on the date of 
                        enactment of this Act, and
                            (ii) contracts described in such clause in 
                        effect on such date,
                the amendment made by this section shall take effect 90 
                days after the date of enactment of this Act.

SEC. 9. INFORMATION SECURITY WORKING GROUP.

    (a) Information Security Working Group.--The Chairman of the 
Commission shall establish an Information Security Working Group to 
develop best practices to protect sensitive personal information stored 
and transferred. The Working Group shall be composed of industry 
participants, consumer groups, and other interested parties.
    (b) Report.--Not later than 12 months after the date on which the 
Working Group is established under subsection (a), the Working Group 
shall submit to Congress a report on their findings.

SEC. 10. DEFINITIONS.

    In this Act:
            (1) Breach of security.--The term ``breach of security'' 
        means unauthorized access to and acquisition of data in any 
        form or format containing sensitive personal information that 
        compromises the security or confidentiality of such information 
        and establishes a basis to conclude that a reasonable risk of 
        identity theft to an individual exists.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Consumer credit reporting agency.--The term ``consumer 
        credit reporting agency'' means any person which, for monetary 
        fees, dues, or on a cooperative nonprofit basis, regularly 
        engages in whole or in part in the practice of assembling or 
        evaluating consumer credit information or other information on 
        consumers for the purpose of furnishing credit reports to third 
        parties, and which uses any means or facility of interstate 
        commerce for the purpose of preparing or furnishing credit 
        reports.
            (4) Covered entity.--The term ``covered entity'' means a 
        sole proprietorship, partnership, corporation, trust, estate, 
        cooperative, association, or other commercial entity, and any 
        charitable, educational, or nonprofit organization, that 
        acquires, maintains, or utilizes sensitive personal 
        information.
            (5) Credit report.--The term ``credit report'' means a 
        consumer report, as defined in section 603(d) of the Federal 
        Fair Credit Reporting Act (15 U.S.C. 1681a(p)), that is used or 
        expected to be used or collected in whole or in part for the 
        purpose of serving as a factor in establishing a consumer's 
        eligibility for credit for personal, family or household 
        purposes.
            (6) Identity theft.--The term ``identity theft'' means the 
        unauthorized acquisition, purchase, sale, or use by any person 
        of an individual's sensitive personal information that--
                    (A) violates section 1028 of title 18, United 
                States Code, or any provision of State law in pari 
                materia; or
                    (B) results in economic loss to the individual 
                whose sensitive personal information was used.
            (7) Reviewing the account.--The term ``reviewing the 
        account'' includes activities related to account maintenance, 
        monitoring, credit line increases, and account upgrades and 
        enhancements.
            (8) Sensitive personal information.--
                    (A) In general.--Except as provided in 
                subparagraphs (B) and (C), the term ``sensitive 
                personal information'' means an individual's name, 
                address, or telephone number combined with 1 or more of 
                the following data elements related to that individual:
                            (i) Social security number, taxpayer 
                        identification number, or employer 
                        identification number.
                            (ii) Financial account number, or credit 
                        card or debit card number of such individual, 
                        combined with any required security code, 
                        access code, or password that would permit 
                        access to such individual's account.
                            (iii) State driver's license identification 
                        number or State resident identification number.
                            (iv) Consumer credit report.
                            (v) Employee, faculty, student, or United 
                        States armed forces serial number.
                            (vi) Genetic or biometric information.
                            (vii) Mother's maiden name.
                    (B) FTC modifications.--The Commission may, through 
                a rulemaking proceeding, designate other identifying 
                information that may be used to effectuate identity 
                theft as sensitive personal information for purposes of 
                this Act and limit or exclude any information described 
                in subparagraph (A) from the definition of sensitive 
                personal information for purposes of this Act.
                    (C) Public records.--Nothing in this Act prohibits 
                a covered entity from obtaining, aggregating, or using 
                sensitive personal information it lawfully obtains from 
                public records in a manner that does not violate this 
                Act.

SEC. 11. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to the Commission 
$1,000,000 for each of fiscal years 2006 through 2010 to carry out this 
Act.

SEC. 12. EFFECTIVE DATES.

    (a) In General.--Except as provided in subsection (b), the 
provisions of this Act take effect upon its enactment.
    (b) Provisions Requiring Rulemaking.--The Commission shall initiate 
1 or more rulemaking proceedings under sections 2, 3, and 4 within 45 
days after the date of enactment of this Act. The Commission shall 
promulgate all final rules pursuant to those rulemaking proceedings 
within 1 year after the date of enactment of this Act. The provisions 
of sections 2, 3, and 4 shall take effect on the same date 6 months 
after the date on which the Commission promulgates the last final rule 
under the proceeding or proceedings commenced under the preceding 
sentence.
    (c) Preemption.--Section 7 shall take effect at the same time as 
sections 2, 3, and 4 take effect.
                               <all>