[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1408 Reported in Senate (RS)]


                                                       Calendar No. 320
109th CONGRESS
  1st Session
                                S. 1408

                          [Report No. 109-203]

   To strengthen data protection and safeguards, require data breach 
           notification, and further prevent identity theft.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 14, 2005

Mr. Smith (for himself, Mr. Nelson of Florida, Mr. Stevens, Mr. Inouye, 
Mr. McCain, Mr. Pryor and Mrs. Clinton) introduced the following bill; 
    which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

                            December 8, 2005

  Reported under authority of the order of the Senate of November 18, 
                2005, by Mr. Stevens, with an amendment
 [Strike all after the enacting clause and insert the part printed in 
                                italic]

_______________________________________________________________________

                                 A BILL


 
   To strengthen data protection and safeguards, require data breach 
           notification, and further prevent identity theft.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>

<DELETED>    (a) Short Title.--This Act may be cited as the ``Identity 
Theft Protection Act''.</DELETED>
<DELETED>    (b) Table of Contents.--The table of contents for this Act 
is as follows:</DELETED>

<DELETED>Sec. 1. Short title; table of contents.
<DELETED>Sec. 2. Protection of sensitive personal information.
<DELETED>Sec. 3. Notification of security breach risk.
<DELETED>Sec. 4. Security freeze.
<DELETED>Sec. 5. Enforcement.
<DELETED>Sec. 6. Enforcement by State attorneys general.
<DELETED>Sec. 7. Preemption of State law.
<DELETED>Sec. 8. Social security and driver's license number 
                            protection.
<DELETED>Sec. 9. Information security working group.
<DELETED>Sec. 10. Definitions.
<DELETED>Sec. 11. Authorization of appropriations.
<DELETED>Sec. 12. Effective dates.

<DELETED>SEC. 2. PROTECTION OF SENSITIVE PERSONAL 
              INFORMATION.</DELETED>

<DELETED>    (a) In General.--In accordance with regulations prescribed 
by the Federal Trade Commission under subsection (b), a covered entity 
shall take reasonable steps to protect against security breaches and to 
prevent unauthorized access to sensitive personal information the 
covered entity sells, maintains, collects, or transfers.</DELETED>
<DELETED>    (b) Regulations.--Not later than 1 year after the date of 
enactment of this Act, the Commission shall promulgate regulations to 
implement subsection (a), including regulations that--</DELETED>
        <DELETED>    (1) require covered entities to develop, 
        implement, and maintain an effective information security 
        program that contains administrative, technical, and physical 
        safeguards for sensitive personal information, taking into 
        account the use of technological safeguards, including 
        encryption, truncation, and other safeguards available or being 
        developed for such purposes;</DELETED>
        <DELETED>    (2) require procedures for verifying the 
        credentials of any third party seeking to obtain the sensitive 
        personal information of another person; and</DELETED>
        <DELETED>    (3) require disposal procedures to be followed by 
        covered entities that--</DELETED>
                <DELETED>    (A) dispose of sensitive personal 
                information; or</DELETED>
                <DELETED>    (B) transfer sensitive personal 
                information to third parties for disposal.</DELETED>

<DELETED>SEC. 3. NOTIFICATION OF SECURITY BREACH RISK.</DELETED>

<DELETED>    (a) Security Breaches Affecting 1,000 or More 
Individuals.--</DELETED>
        <DELETED>    (1) In general.--If a covered entity discovers a 
        breach of security and determines that the breach of security 
        affects the sensitive personal information of 1,000 or more 
        individuals, then, before conducting the notification required 
        by subsection (b), it shall--</DELETED>
                <DELETED>    (A) report the breach to the Commission 
                (or other appropriate Federal regulator under section 
                5); and</DELETED>
                <DELETED>    (B) notify all consumer reporting agencies 
                described in section 603(p)(1) of the Fair Credit 
                Reporting Act (15 U.S.C. 1681a(p)(1)) of the 
                breach.</DELETED>
        <DELETED>    (2) FTC website publications.--Whenever the 
        Commission receives a report under paragraph (1)(A), it shall 
        post a report of the breach of security on its website without 
        disclosing any sensitive personal information or the names of 
        the individuals affected.</DELETED>
<DELETED>    (b) Notification of Consumers.--Whenever a covered entity 
discovers a breach of security and determines that the breach of 
security has resulted in, or that there is a basis for concluding that 
a reasonable risk of identity theft to 1 or more individuals, the 
covered entity shall notify each such individual.</DELETED>
<DELETED>    (c) Methods of Notification; Notice Content.--Within 1 
year after the date of enactment of this Act, the Commission shall 
promulgate regulations that establish methods of notification to be 
followed by covered entities in complying with the requirements of this 
section and the content of the notices required. In promulgating those 
regulations, the Commission shall take into consideration the types of 
sensitive personal information involved, the nature and scope of the 
security breach, other appropriate factors, and the most effective 
means of notifying affected individuals.</DELETED>
<DELETED>    (d) Timing of Notification.--</DELETED>
        <DELETED>    (1) In general.--Except as provided in paragraph 
        (2), notice required by subsection (a) shall be given--
        </DELETED>
                <DELETED>    (A) in the most expedient manner 
                practicable;</DELETED>
                <DELETED>    (B) without unreasonable delay, but not 
                later than 90 days after the date on which the breach 
                of security was discovered by the covered entity; 
                and</DELETED>
                <DELETED>    (C) in a manner that is consistent with 
                any measures necessary to determine the scope of the 
                breach and restore the security and integrity of the 
                data system.</DELETED>
        <DELETED>    (2) Law enforcement and homeland security related 
        delays.--Notwithstanding paragraph (1), the giving of notice as 
        required by that paragraph may be delayed for a reasonable 
        period of time if--</DELETED>
                <DELETED>    (A) a Federal law enforcement agency 
                determines that the timely giving of notice under 
                subsections (a) and (b), as required by paragraph (1), 
                would materially impede a civil or criminal 
                investigation; or</DELETED>
                <DELETED>    (B) a Federal national security or 
                homeland security agency determines that such timely 
                giving of notice would threaten national or homeland 
                security.</DELETED>

<DELETED>SEC. 4. SECURITY FREEZE.</DELETED>

<DELETED>    (a) In General.--</DELETED>
        <DELETED>    (1) Emplacement.--A consumer may place a security 
        freeze on his or her credit report by making a request to a 
        consumer credit reporting agency in writing or by 
        telephone.</DELETED>
        <DELETED>    (2) Consumer disclosure.--If a consumer requests a 
        security freeze, the consumer credit reporting agency shall 
        disclose to the consumer the process of placing and removing 
        the security freeze and explain to the consumer the potential 
        consequences of the security freeze.</DELETED>
<DELETED>    (b) Effect of Security Freeze.--</DELETED>
        <DELETED>    (1) Release of information blocked.--If a security 
        freeze is in place on a consumer's credit report, a consumer 
        reporting agency may not release information from the credit 
        report to a third party without prior express authorization 
        from the consumer.</DELETED>
        <DELETED>    (2) Information provided to third parties.--
        Paragraph (2) does not prevent a consumer credit reporting 
        agency from advising a third party that a security freeze is in 
        effect with respect to the consumer's credit report. If a third 
        party, in connection with an application for credit, requests 
        access to a consumer credit report on which a security freeze 
        is in place, the third party may treat the application as 
        incomplete.</DELETED>
<DELETED>    (c) Removal; Temporary Suspension.--</DELETED>
        <DELETED>    (1) In general.--Except as provided in paragraph 
        (4), a security freeze shall remain in place until the consumer 
        requests that the security freeze be removed. A consumer may 
        remove a security freeze on his or her credit report by making 
        a request to a consumer credit reporting agency in writing or 
        by telephone.</DELETED>
        <DELETED>    (2) Conditions.--A consumer credit reporting 
        agency may remove a security freeze placed on a consumer's 
        credit report only--</DELETED>
                <DELETED>    (A) upon the consumer's request, pursuant 
                to paragraph (1); or</DELETED>
                <DELETED>    (B) if the agency determines that the 
                consumer's credit report was frozen due to a material 
                misrepresentation of fact by the consumer.</DELETED>
        <DELETED>    (3) Notification to consumer.--If a consumer 
        credit reporting agency intends to remove a freeze upon a 
        consumer's credit report pursuant to paragraph (2)(B), the 
        consumer credit reporting agency shall notify the consumer in 
        writing prior to removing the freeze on the consumer's credit 
        report.</DELETED>
        <DELETED>    (4) Temporary suspension.--A consumer may have a 
        security freeze on his or her credit report temporarily 
        suspended by making a request to a consumer credit reporting 
        agency in writing or by telephone and specifying beginning and 
        ending dates for the period during which the security freeze is 
        not to apply to that consumer's credit report.</DELETED>
<DELETED>    (d) Response Times; Notification of Other Entities.--
</DELETED>
        <DELETED>    (1) In general.--A consumer credit reporting 
        agency shall--</DELETED>
                <DELETED>    (A) place a security freeze on a 
                consumer's credit report under subsection (a) no later 
                than 5 business days after receiving a request from the 
                consumer under subsection (a)(1); and</DELETED>
                <DELETED>    (B) remove, or temporarily suspend, a 
                security freeze within 3 business days after receiving 
                a request for removal or temporary suspension from the 
                consumer under subsection (c).</DELETED>
        <DELETED>    (2) Notification of other covered entities.--If 
        the consumer requests in writing or by telephone that other 
        covered entities be notified of the request, the consumer 
        reporting agency shall notify all other consumer reporting 
        agencies described in section 603(p)(1) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a(p)(1)) of the request within 3 
        days after placing, removing, or temporarily suspending a 
        security freeze on the consumer's credit report under 
        subsection (a), (c)(2)(A), or subsection (c)(4), 
        respectively.</DELETED>
        <DELETED>    (3) Implementation by other covered entities.--A 
        consumer reporting agency that is notified of a request under 
        paragraph (2) to place, remove, or temporarily suspend a 
        security freeze on a consumer's credit report shall place, 
        remove, or temporarily suspend the security freeze on that 
        credit report within 3 business days after receiving the 
        notification.</DELETED>
<DELETED>    (e) Confirmation.--Whenever a consumer credit reporting 
agency places, removes, or temporarily suspends a security freeze on a 
consumer's credit report at the request of that consumer under 
subsection (a) or (c), respectively, it shall send a written 
confirmation thereof to the consumer within 10 business days after 
placing, removing, or temporarily suspending the security freeze on the 
credit report. This subsection does not apply to the placement, 
removal, or temporary suspension of a security freeze by a consumer 
reporting agency because of a notification received under subsection 
(d)(2).</DELETED>
<DELETED>    (f) ID Required.--A consumer credit reporting agency may 
not place, remove, or temporarily suspend a security freeze on a 
consumer's credit report at the consumer's request unless the consumer 
provides proper identification (within the meaning of section 610(a)(1) 
of the Fair Credit Reporting Act (15 U.S.C. 1681h) and the regulations 
thereunder.</DELETED>
<DELETED>    (g) Exceptions.--This section does not apply to the use of 
a consumer credit report by any of the following:</DELETED>
        <DELETED>    (1) A person or entity, or a subsidiary, 
        affiliate, or agent of that person or entity, or an assignee of 
        a financial obligation owing by the consumer to that person or 
        entity, or a prospective assignee of a financial obligation 
        owing by the consumer to that person or entity in conjunction 
        with the proposed purchase of the financial obligation, with 
        which the consumer has or had prior to assignment an account or 
        contract, including a demand deposit account, or to whom the 
        consumer issued a negotiable instrument, for the purposes of 
        reviewing the account or collecting the financial obligation 
        owing for the account, contract, or negotiable 
        instrument.</DELETED>
        <DELETED>    (2) Any Federal, State or local agency, law 
        enforcement agency, trial court, or private collection agency 
        acting pursuant to a court order, warrant, or 
        subpoena.</DELETED>
        <DELETED>    (3) A child support agency or its agents or 
        assigns acting pursuant to subtitle D of title IV of the Social 
        Security Act (42 U.S.C. et seq.) or similar State 
        law.</DELETED>
        <DELETED>    (4) The Department of Health and Human Services, a 
        similar State agency, or the agents or assigns of the Federal 
        or State agency acting to investigate medicare or medicaid 
        fraud.</DELETED>
        <DELETED>    (5) The Internal Revenue Service or a State or 
        municipal taxing authority, or a State department of motor 
        vehicles, or any of the agents or assigns of these Federal, 
        State, or municipal agencies acting to investigate or collect 
        delinquent taxes or unpaid court orders or to fulfill any of 
        their other statutory responsibilities.</DELETED>
        <DELETED>    (6) The use of consumer credit information for the 
        purposes of prescreening as provided for by the Federal Fair 
        Credit Reporting Act (15 U.S.C. 1681 et seq.).</DELETED>
        <DELETED>    (7) Any person or entity administering a credit 
        file monitoring subscription to which the consumer has 
        subscribed.</DELETED>
        <DELETED>    (8) Any person or entity for the purpose of 
        providing a consumer with a copy of his or her credit report or 
        credit score upon the consumer's request.</DELETED>
<DELETED>    (h) Fees.--</DELETED>
        <DELETED>    (1) In general.--Except as provided in paragraph 
        (2), a consumer credit reporting agency may charge a reasonable 
        fee, as determined by the Commission, for placing, removing, or 
        temporarily suspending a security freeze on a consumer's credit 
        report.</DELETED>
        <DELETED>    (2) ID theft victims.--A consumer credit reporting 
        agency may not charge a fee for placing, removing, or 
        temporarily suspending a security freeze on a consumer's credit 
        report if--</DELETED>
                <DELETED>    (A) the consumer is a victim of identity 
                theft; and</DELETED>
                <DELETED>    (B) the consumer has filed a police report 
                with respect to the theft.</DELETED>
<DELETED>    (i) Limitation on Information Changes in Frozen Reports.--
</DELETED>
        <DELETED>    (1) In general.--If a security freeze is in place 
        on a consumer's credit report, a consumer credit reporting 
        agency may not change any of the following official information 
        in that credit report without sending a written confirmation of 
        the change to the consumer within 30 days after the change is 
        made:</DELETED>
                <DELETED>    (A) Name.</DELETED>
                <DELETED>    (B) Date of birth.</DELETED>
                <DELETED>    (C) Social Security number.</DELETED>
                <DELETED>    (D) Address.</DELETED>
        <DELETED>    (2) Confirmation.--Paragraph (1) does not require 
        written confirmation for technical modifications of a 
        consumer's official information, including name and street 
        abbreviations, complete spellings, or transposition of numbers 
        or letters. In the case of an address change, the written 
        confirmation shall be sent to both the new address and to the 
        former address.</DELETED>
<DELETED>    (j) Certain Entity Exemptions.--</DELETED>
        <DELETED>    (1) Aggregators and other agencies.--The 
        provisions of subsections (a) through (h) do not apply to a 
        consumer credit reporting agency that acts only as a reseller 
        of credit information by assembling and merging information 
        contained in the data base of another consumer credit reporting 
        agency or multiple consumer credit reporting agencies, and does 
        not maintain a permanent data base of credit information from 
        which new consumer credit reports are produced.</DELETED>
        <DELETED>    (2) Other exempted entities.--The following 
        entities are not required to place a security freeze in a 
        credit report:</DELETED>
                <DELETED>    (A) A check services or fraud prevention 
                services company, which issues reports on incidents of 
                fraud or authorizations for the purpose of approving or 
                processing negotiable instruments, electronic funds 
                transfers, or similar methods of payments.</DELETED>
                <DELETED>    (B) A deposit account information service 
                company, which issues reports regarding account 
                closures due to fraud, substantial overdrafts, ATM 
                abuse, or similar negative information regarding a 
                consumer, to inquiring banks or other financial 
                institutions for use only in reviewing a consumer 
                request for a deposit account at the inquiring bank or 
                financial institution.</DELETED>

<DELETED>SEC. 5. ENFORCEMENT.</DELETED>

<DELETED>    (a) Enforcement by Commission.--Except as provided in 
subsection (c), this Act shall be enforced by the Commission.</DELETED>
<DELETED>    (b) Violation is Unfair or Deceptive Act or Practice.--The 
violation of any provision of this Act shall be treated as an unfair or 
deceptive act or practice proscribed under a rule issued under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).</DELETED>
<DELETED>    (c) Enforcement by Certain Other Agencies.--Compliance 
with this Act shall be enforced under--</DELETED>
        <DELETED>    (1) section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818), in the case of--</DELETED>
                <DELETED>    (A) national banks, and Federal branches 
                and Federal agencies of foreign banks, by the Office of 
                the Comptroller of the Currency;</DELETED>
                <DELETED>    (B) member banks of the Federal Reserve 
                System (other than national banks), branches and 
                agencies of foreign banks (other than Federal branches, 
                Federal agencies, and insured State branches of foreign 
                banks), commercial lending companies owned or 
                controlled by foreign banks, and organizations 
                operating under section 25 or 25A of the Federal 
                Reserve Act (12 U.S.C. 601 and 611), by the Board; 
                and</DELETED>
                <DELETED>    (C) banks insured by the Federal Deposit 
                Insurance Corporation (other than members of the 
                Federal Reserve System) and insured State branches of 
                foreign banks, by the Board of Directors of the Federal 
                Deposit Insurance Corporation;</DELETED>
        <DELETED>    (2) section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818), by the Director of the Office of Thrift 
        Supervision, in the case of a savings association the deposits 
        of which are insured by the Federal Deposit Insurance 
        Corporation;</DELETED>
        <DELETED>    (3) the Federal Credit Union Act (12 U.S.C. 1751 
        et seq.) by the National Credit Union Administration Board with 
        respect to any Federal credit union; and</DELETED>
        <DELETED>    (4) the Securities and Exchange Act of 1934 (15 
        U.S.C. 78a et seq.) by the Securities and Exchange Commission 
        with respect to--</DELETED>
                <DELETED>    (A) a broker or dealer subject to that 
                Act;</DELETED>
                <DELETED>    (B) an investment company subject to the 
                Investment Company Act of 1940 (15 U.S.C. 80a-1 et 
                seq.); and</DELETED>
                <DELETED>    (C) an investment advisor subject to the 
                Investment Advisers Act of 1940 (15 U.S.C. 80b-1 et 
                seq.).</DELETED>
<DELETED>    (d) Exercise of Certain Powers.--For the purpose of the 
exercise by any agency referred to in subsection (c) of its powers 
under any Act referred to in that subsection, a violation of this Act 
is deemed to be a violation of a requirement imposed under that Act. In 
addition to its powers under any provision of law specifically referred 
to in subsection (c), each of the agencies referred to in that 
subsection may exercise, for the purpose of enforcing compliance with 
any requirement imposed under this Act, any other authority conferred 
on it by law.</DELETED>
<DELETED>    (e) Penalties.--</DELETED>
        <DELETED>    (1) In general.--Notwithstanding section 5(m) of 
        the Federal Trade Commission Act (15 U.S.C. 45(m)), the 
        Commission may not obtain a civil penalty under that section 
        for a violation of this Act in excess of--</DELETED>
                <DELETED>    (A) $11,000 for each such individual; 
                and</DELETED>
                <DELETED>    (B) $11,000,000 in the aggregate for all 
                such individuals with respect to the same 
                violation.</DELETED>
        <DELETED>    (2) Other authority not affected.--Nothing in this 
        Act shall be construed to limit or affect in any way the 
        Commission's authority to bring enforcement actions or take any 
        other measure under the Federal Trade Commission Act (15 U.S.C. 
        41 et seq.) or any other provision of law.</DELETED>
<DELETED>    (f) No Private Cause of Action.--Nothing in this Act 
establishes a private cause of action against a covered entity for the 
violation of any provision of this Act.</DELETED>
<DELETED>    (g) Compliance With Gramm-Leach-Bliley Act.--Any person to 
which title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) 
applies shall be deemed to be in compliance with the notification 
requirements of this Act with respect to a breach of security if that 
person is in compliance with the notification requirements of that 
title with respect to that breach of security.</DELETED>

<DELETED>SEC. 6. ENFORCEMENT BY STATE ATTORNEYS GENERAL.</DELETED>

<DELETED>    (a) In General.--A State, as parens patriae, may bring a 
civil action on behalf of its residents in an appropriate district 
court of the United States to enforce the provisions of this Act, or to 
impose the civil penalties authorized by section 5, whenever the 
attorney general of the State has reason to believe that the interests 
of the residents of the State have been or are being threatened or 
adversely affected by a covered entity that violates this Act or a 
regulation under this Act.</DELETED>
<DELETED>    (b) Notice.--The State shall serve written notice to the 
Commission (or other appropriate Federal regulator under section 5) of 
any civil action under subsection (a) prior to initiating such civil 
action. The notice shall include a copy of the complaint to be filed to 
initiate such civil action, except that if it is not feasible for the 
State to provide such prior notice, the State shall provide such notice 
immediately upon instituting such civil action.</DELETED>
<DELETED>    (c) Authority To Intervene.--Upon receiving the notice 
required by subsection (b), the Commission (or other appropriate 
Federal regulator under section 5) may intervene in such civil action 
and upon intervening--</DELETED>
        <DELETED>    (1) be heard on all matters arising in such civil 
        action; and</DELETED>
        <DELETED>    (2) file petitions for appeal of a decision in 
        such civil action.</DELETED>
<DELETED>    (d) Construction.--For purposes of bringing any civil 
action under subsection (a), nothing in this section shall prevent the 
attorney general of a State from exercising the powers conferred on the 
attorney general by the laws of such State to conduct investigations or 
to administer oaths or affirmations or to compel the attendance of 
witnesses or the production of documentary and other 
evidence.</DELETED>
<DELETED>    (e) Venue; Service of Process.--In a civil action brought 
under subsection (a)--</DELETED>
        <DELETED>    (1) the venue shall be a judicial district in 
        which--</DELETED>
                <DELETED>    (A) the covered entity operates;</DELETED>
                <DELETED>    (B) the covered entity was authorized to 
                do business; or</DELETED>
                <DELETED>    (C) where the defendant in the civil 
                action is found;</DELETED>
        <DELETED>    (2) process may be served without regard to the 
        territorial limits of the district or of the State in which the 
        civil action is instituted; and</DELETED>
        <DELETED>    (3) a person who participated with a covered 
        entity in an alleged violation that is being litigated in the 
        civil action may be joined in the civil action without regard 
        to the residence of the person.</DELETED>
<DELETED>    (f) Limitation on State Action While Federal Action Is 
Pending.--If the Commission (or other appropriate Federal agency under 
section 5) has instituted a civil action or an administrative action 
for violation of this Act, no State attorney general, or official or 
agency of a State, may bring an action under this subsection during the 
pendency of that action against any defendant named in the complaint of 
the Commission or the other agency for any violation of this Act 
alleged in the complaint.</DELETED>
<DELETED>    (g) Enforcement of State Law.--Nothing contained in this 
section shall prohibit an authorized State official from proceeding in 
State court to enforce a civil or criminal statute of such 
State.</DELETED>

<DELETED>SEC. 7. PREEMPTION OF STATE LAW.</DELETED>

<DELETED>    (a) In General.--This Act preempts any State or local law, 
regulation, or rule that requires a covered entity--</DELETED>
        <DELETED>    (1) to develop, implement, or maintain information 
        security programs to which this Act applies; or</DELETED>
        <DELETED>    (2) to notify individuals of breaches of security 
        regarding their sensitive personal information.</DELETED>
<DELETED>    (b) Liability.--This Act preempts any State or local law, 
regulation, rule, administrative procedure, or judicial precedent under 
which liability is imposed on a covered entity for failure--</DELETED>
        <DELETED>    (1) to implement and maintain an adequate 
        information security program; or</DELETED>
        <DELETED>    (2) to notify an individual of any breach of 
        security pertaining to any sensitive personal information about 
        that individual.</DELETED>
<DELETED>    (c) Security Freeze.--This Act preempts any State or local 
law, regulation, or rule that requires consumer reporting agencies to 
impose a security freeze on consumer credit reports at the request of a 
consumer.</DELETED>

<DELETED>SEC. 8. SOCIAL SECURITY NUMBER PROTECTION.</DELETED>

<DELETED>    (a) Prohibition of Unnecessary Solicitation of Social 
Security Numbers.--No covered entity may solicit any social security 
number from an individual unless there is a specific use of the social 
security number for which no other identifier reasonably can be 
used.</DELETED>
<DELETED>    (b) Prohibition of the Display of Social Security Numbers 
on Employee Identification Cards, Etc.--</DELETED>
        <DELETED>    (1) In general.--No covered entity may display the 
        social security number (or any derivative of such number) of an 
        individual on any card or tag that is commonly provided to 
        employees (or to their family members), faculty, staff, or 
        students for purposes of identification.</DELETED>
        <DELETED>    (2) Driver's licenses.--A State may not display 
        the social security number of an individual on driver's 
        licenses issued by that State.</DELETED>
<DELETED>    (c) Prohibition of Inmate Access to Social Security 
Account Numbers.--</DELETED>
        <DELETED>    (1) In general.--Section 205(c)(2)(C) of the 
        Social Security Act (42 U.S.C. 405(c)(2)(C)), as amended by 
        subsection (b), is amended by adding at the end the following 
        new clause:</DELETED>
<DELETED>    ``(xi) No executive, legislative, or judicial agency or 
instrumentality of the Federal Government or of a State or political 
subdivision thereof (or person acting as an agent of such an agency or 
instrumentality) may employ, or enter into a contract for the use or 
employment of, prisoners in any capacity that would allow such 
prisoners access to the social security account numbers of other 
individuals. For purposes of this clause, the term `prisoner' means an 
individual confined in a jail, prison, or other penal institution or 
correctional facility.''.</DELETED>
        <DELETED>    (2) Treatment of current arrangements.--In the 
        case of--</DELETED>
                        <DELETED>    (i) prisoners employed as 
                        described in clause (xi) of section 
                        205(c)(2)(C) of the Social Security Act (42 
                        U.S.C. 405(c)(2)(C)), as added by paragraph 
                        (1), on the date of enactment of this Act, 
                        and</DELETED>
                        <DELETED>    (ii) contracts described in such 
                        clause in effect on such date,</DELETED>
                <DELETED>the amendment made by this section shall take 
                effect 90 days after the date of enactment of this 
                Act.</DELETED>

<DELETED>SEC. 9. INFORMATION SECURITY WORKING GROUP.</DELETED>

<DELETED>    (a) Information Security Working Group.--The Chairman of 
the Commission shall establish an Information Security Working Group to 
develop best practices to protect sensitive personal information stored 
and transferred. The Working Group shall be composed of industry 
participants, consumer groups, and other interested parties.</DELETED>
<DELETED>    (b) Report.--Not later than 12 months after the date on 
which the Working Group is established under subsection (a), the 
Working Group shall submit to Congress a report on their 
findings.</DELETED>

<DELETED>SEC. 10. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Breach of security.--The term ``breach of 
        security'' means unauthorized access to and acquisition of data 
        in any form or format containing sensitive personal information 
        that compromises the security or confidentiality of such 
        information and establishes a basis to conclude that a 
        reasonable risk of identity theft to an individual 
        exists.</DELETED>
        <DELETED>    (2) Commission.--The term ``Commission'' means the 
        Federal Trade Commission.</DELETED>
        <DELETED>    (3) Consumer credit reporting agency.--The term 
        ``consumer credit reporting agency'' means any person which, 
        for monetary fees, dues, or on a cooperative nonprofit basis, 
        regularly engages in whole or in part in the practice of 
        assembling or evaluating consumer credit information or other 
        information on consumers for the purpose of furnishing credit 
        reports to third parties, and which uses any means or facility 
        of interstate commerce for the purpose of preparing or 
        furnishing credit reports.</DELETED>
        <DELETED>    (4) Covered entity.--The term ``covered entity'' 
        means a sole proprietorship, partnership, corporation, trust, 
        estate, cooperative, association, or other commercial entity, 
        and any charitable, educational, or nonprofit organization, 
        that acquires, maintains, or utilizes sensitive personal 
        information.</DELETED>
        <DELETED>    (5) Credit report.--The term ``credit report'' 
        means a consumer report, as defined in section 603(d) of the 
        Federal Fair Credit Reporting Act (15 U.S.C. 1681a(p)), that is 
        used or expected to be used or collected in whole or in part 
        for the purpose of serving as a factor in establishing a 
        consumer's eligibility for credit for personal, family or 
        household purposes.</DELETED>
        <DELETED>    (6) Identity theft.--The term ``identity theft'' 
        means the unauthorized acquisition, purchase, sale, or use by 
        any person of an individual's sensitive personal information 
        that--</DELETED>
                <DELETED>    (A) violates section 1028 of title 18, 
                United States Code, or any provision of State law in 
                pari materia; or</DELETED>
                <DELETED>    (B) results in economic loss to the 
                individual whose sensitive personal information was 
                used.</DELETED>
        <DELETED>    (7) Reviewing the account.--The term ``reviewing 
        the account'' includes activities related to account 
        maintenance, monitoring, credit line increases, and account 
        upgrades and enhancements.</DELETED>
        <DELETED>    (8) Sensitive personal information.--</DELETED>
                <DELETED>    (A) In general.--Except as provided in 
                subparagraphs (B) and (C), the term ``sensitive 
                personal information'' means an individual's name, 
                address, or telephone number combined with 1 or more of 
                the following data elements related to that 
                individual:</DELETED>
                        <DELETED>    (i) Social security number, 
                        taxpayer identification number, or employer 
                        identification number.</DELETED>
                        <DELETED>    (ii) Financial account number, or 
                        credit card or debit card number of such 
                        individual, combined with any required security 
                        code, access code, or password that would 
                        permit access to such individual's 
                        account.</DELETED>
                        <DELETED>    (iii) State driver's license 
                        identification number or State resident 
                        identification number.</DELETED>
                        <DELETED>    (iv) Consumer credit 
                        report.</DELETED>
                        <DELETED>    (v) Employee, faculty, student, or 
                        United States armed forces serial 
                        number.</DELETED>
                        <DELETED>    (vi) Genetic or biometric 
                        information.</DELETED>
                        <DELETED>    (vii) Mother's maiden 
                        name.</DELETED>
                <DELETED>    (B) FTC modifications.--The Commission 
                may, through a rulemaking proceeding, designate other 
                identifying information that may be used to effectuate 
                identity theft as sensitive personal information for 
                purposes of this Act and limit or exclude any 
                information described in subparagraph (A) from the 
                definition of sensitive personal information for 
                purposes of this Act.</DELETED>
                <DELETED>    (C) Public records.--Nothing in this Act 
                prohibits a covered entity from obtaining, aggregating, 
                or using sensitive personal information it lawfully 
                obtains from public records in a manner that does not 
                violate this Act.</DELETED>

<DELETED>SEC. 11. AUTHORIZATION OF APPROPRIATIONS.</DELETED>

<DELETED>    There are authorized to be appropriated to the Commission 
$1,000,000 for each of fiscal years 2006 through 2010 to carry out this 
Act.</DELETED>

<DELETED>SEC. 12. EFFECTIVE DATES.</DELETED>

<DELETED>    (a) In General.--Except as provided in subsection (b), the 
provisions of this Act take effect upon its enactment.</DELETED>
<DELETED>    (b) Provisions Requiring Rulemaking.--The Commission shall 
initiate 1 or more rulemaking proceedings under sections 2, 3, and 4 
within 45 days after the date of enactment of this Act. The Commission 
shall promulgate all final rules pursuant to those rulemaking 
proceedings within 1 year after the date of enactment of this Act. The 
provisions of sections 2, 3, and 4 shall take effect on the same date 6 
months after the date on which the Commission promulgates the last 
final rule under the proceeding or proceedings commenced under the 
preceding sentence.</DELETED>
<DELETED>    (c) Preemption.--Section 7 shall take effect at the same 
time as sections 2, 3, and 4 take effect.</DELETED>

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Identity Theft 
Protection Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Protection of sensitive personal information.
Sec. 3. Notification of security breach risk.
Sec. 4. Security freeze.
Sec. 5. Enforcement.
Sec. 6. Enforcement by State attorneys general.
Sec. 7. Preemption of State law.
Sec. 8. Social security and driver's license number protection.
Sec. 9. Information security working group.
Sec. 10. Definitions.
Sec. 11. Authorization of appropriations.
Sec. 12. Related crime study.
Sec. 13. Prohibition on technology mandates.
Sec. 14. Effective dates.

SEC. 2. PROTECTION OF SENSITIVE PERSONAL INFORMATION.

    (a) In General.--A covered entity shall develop, implement, 
maintain, and enforce a written program for the security of sensitive 
personal information the entity collects, maintains, sells, transfers, 
or disposes of, containing administrative, technical, and physical 
safeguards--
            (1) to ensure the security and confidentiality of such 
        data;
            (2) to protect against any anticipated threats or hazards 
        to the security or integrity of such data; and
            (3) to protect against unauthorized access to, or use of, 
        such data that could result in substantial harm to any 
        individual.
    (b) Compliance with FTC Standards Required.--A covered entity that 
is in full compliance with the requirements of the Commission's rules 
on Standards for Safeguarding Customer Information and Disposal of 
Consumer Report Information and Records is deemed to be in compliance 
with the requirements of subsection (a).
    (c) Regulations.--Not later than 1 year after the date of enactment 
of this Act, the Commission shall promulgate regulations, in accordance 
with section 553 of title 5, United States Code, that require 
procedures for authenticating the credentials of any third party to 
which sensitive personal information is to be transferred or sold by a 
covered entity.

SEC. 3. NOTIFICATION OF SECURITY BREACH RISK.

    (a) Security Breaches Affecting 1,000 or More Individuals.--
            (1) In general.--If a covered entity discovers a breach of 
        security that affects 1,000 or more individuals, then, before 
        conducting the notification required by subsection (c), it 
        shall--
                    (A) report the breach to the Commission (or other 
                appropriate Federal regulator under section 5); and
                    (B) notify all consumer reporting agencies 
                described in section 603(p)(1) of the Fair Credit 
                Reporting Act (15 U.S.C. 1681a(p)(1)) of the breach.
            (2) FTC Website Publication.--Whenever the Commission 
        receives a report under paragraph (1)(A), after the 
        notification required by subsection (c) it shall post a report 
        of the breach of security on its website without disclosing any 
        sensitive personal information pertaining to the individuals 
        affected (including their names).
            (3) Contents of report.--The report described in paragraph 
        (2) shall include--
                    (A) the number of individuals impacted by the 
                breach of security; and
                    (B) the fact that all impacted individuals were 
                notified directly in accordance with this Act.
    (b) Security Breaches Affecting Fewer than 1,000 Individuals.--
            (1) In general.--If a covered entity discovers a breach of 
        security that affects the sensitive personal information of 
        fewer than 1,000 individuals and determines that the breach of 
        security does not create a reasonable risk of identity theft, 
        it shall report the breach to the Commission (or other 
        appropriate Federal regulator under section 5).
            (2) Report contents.--The report shall contain the number 
        of individuals affected and the type of information that was 
        exposed because of the breach of security.
            (3) Limitation on commission response.--With respect to a 
        report under paragraph (1) received by the Commission, the 
        Commission may not--
                    (A) disclose any sensitive personal information 
                relating to the individuals (including their names); or
                    (B) publish such a report on its website.
    (c) Notification of Consumers.--A covered entity shall use due 
diligence to investigate any suspected breach of security affecting 
sensitive personal information maintained by that covered entity. If, 
after the exercise of such due diligence, the covered entity discovers 
a breach of security and determines that the breach of security creates 
a reasonable risk of identity theft, the covered entity shall notify 
each such individual. In determining whether a reasonable risk of 
identity theft exists, the covered entity shall consider such factors 
as whether the data containing sensitive personal information is usable 
by an unauthorized third party and whether the data is in the 
possession and control of an unauthorized third party who is likely to 
commit identity theft.
    (d) Methods of Notification; Notice Content.--
            (1) In general.--A covered entity shall provide notice 
        pursuant to subsection (c) by--
                    (A) written notice;
                    (B) electronic notice, if such notice is consistent 
                with the provisions of the Electronic Signatures in 
                Global and National Commerce Act (15 U.S.C. 7001 et 
                seq.);
                    (C) substitute notice--
                            (i) if the covered entity demonstrates 
                        that--
                                    (I) the cost of providing such 
                                notice would exceed $250,000;
                                    (II) the individuals to be notified 
                                exceed 500,000; or
                                    (III) the covered entity does not 
                                have sufficient contact information for 
                                the individuals to be notified; and
                            (ii) consisting of--
                                    (I) notice by electronic mail when 
                                the covered entity has an electronic 
                                mail address for affected individuals;
                                    (II) conspicuous posting of such 
                                notice on the Internet website of the 
                                covered entity, if the covered entity 
                                maintains a website; and
                                    (III) notification to major 
                                Statewide media of the breach of 
                                security.
            (2) Content of notice.--The notice required under 
        subsection (c) shall consist of--
                    (A) the name of the individual whose information 
                was the subject of the breach of security;
                    (B) the name of the covered entity that was the 
                subject of the breach of security;
                    (C) a description of the categories of sensitive 
                personal information of the individual that were the 
                subject of the breach of security;
                    (D) the specific dates between the breach of 
                security of the sensitive personal information of the 
                individual and the date of discovery of such breach of 
                security; and
                    (E) the toll-free numbers necessary to contact--
                            (i) each covered entity that was the 
                        subject of the breach of security;
                            (ii) each nationwide credit reporting 
                        agency; and
                            (iii) the Commission.
    (e) Timing of Notification.--
            (1) In general.--Except as provided in paragraph (2), 
        notice required by subsection (c) shall be given--
                    (A) in the most expedient manner practicable, but 
                not later than 45 days after the date on which the 
                breach of security was discovered by the covered 
                entity; and
                    (B) in a manner that is consistent with any 
                measures necessary to determine the scope of the breach 
                and restore the security and integrity of the data 
                system.
            (2) Law enforcement and homeland security related delays.--
        Notwithstanding paragraph (1), the giving of notice as required 
        by that paragraph may be delayed for a reasonable period of 
        time if--
                    (A) a Federal or State law enforcement agency 
                determines that the timely giving of notice under 
                subsections (a) and (c), as required by paragraph (1), 
                would materially impede a civil or criminal 
                investigation; or
                    (B) a Federal national security or homeland 
                security agency determines that such timely giving of 
                notice would threaten national or homeland security.
    (f) Certain Service Providers.--Section 2 and subsections (a), (b), 
and (c) of this section do not apply to electronic communication of a 
third party stored by a cable operator, information service, or 
telecommunications carrier in the network of such operator, service or 
carrier in the course of transferring or transmitting such 
communication. Any term used in this subsection that is defined in the 
Communications Act of 1934 (47 U.S.C. 151 et seq.) has the meaning 
given it in that Act.

SEC. 4. SECURITY FREEZE.

    (a) In General.--
            (1) Emplacement.--A consumer may place a security freeze on 
        his or her credit report by making a request to a consumer 
        credit reporting agency in writing, by telephone, or through a 
        secure electronic connection made available by the consumer 
        credit reporting agency.
            (2) Consumer disclosure.--If a consumer requests a security 
        freeze, the consumer credit reporting agency shall disclose to 
        the consumer the process of placing and removing the security 
        freeze and explain to the consumer the potential consequences 
        of the security freeze. A consumer credit reporting agency may 
        not imply or inform a consumer that the placement or presence 
        of a security freeze on the consumer's credit report may 
        negatively affect the consumer's credit score.
    (b) Effect of Security Freeze.--
            (1) Release of information blocked.--If a security freeze 
        is in place on a consumer's credit report, a consumer reporting 
        agency may not release the credit report for consumer credit 
        purposes to a third party without prior express authorization 
        from the consumer.
            (2) Information provided to third parties.--Paragraph (1) 
        does not prevent a consumer credit reporting agency from 
        advising a third party that a security freeze is in effect with 
        respect to the consumer's credit report. If a third party, in 
        connection with an application for credit, requests access to a 
        consumer credit report on which a security freeze is in place, 
        the third party may treat the application as incomplete.
            (3) Consumer credit score not affected.--The placement of a 
        security freeze on a credit report may not be taken into 
        account for any purpose in determining the credit score of the 
        consumer to whom the account relates.
    (c) Removal; Temporary Suspension.--
            (1) In general.--Except as provided in paragraph (4), a 
        security freeze shall remain in place until the consumer 
        requests that the security freeze be removed. A consumer may 
        remove a security freeze on his or her credit report by making 
        a request to a consumer credit reporting agency in writing, by 
        telephone, or through a secure electronic connection made 
        available by the consumer reporting agency.
            (2) Conditions.--A consumer credit reporting agency may 
        remove a security freeze placed on a consumer's credit report 
        only--
                    (A) upon the consumer's request, pursuant to 
                paragraph (1); or
                    (B) if the agency determines that the consumer's 
                credit report was frozen due to a material 
                misrepresentation of fact by the consumer.
            (3) Notification to consumer.--If a consumer credit 
        reporting agency intends to remove a freeze upon a consumer's 
        credit report pursuant to paragraph (2)(B), the consumer credit 
        reporting agency shall notify the consumer in writing prior to 
        removing the freeze on the consumer's credit report.
            (4) Temporary suspension.--A consumer may have a security 
        freeze on his or her credit report temporarily suspended by 
        making a request to a consumer credit reporting agency in 
        writing or by telephone and specifying beginning and ending 
        dates for the period during which the security freeze is not to 
        apply to that consumer's credit report.
    (d) Response Times; Notification of Other Entities.--
            (1) In general.--A consumer credit reporting agency shall--
                    (A) place a security freeze on a consumer's credit 
                report under subsection (a) no later than 5 business 
                days after receiving a request from the consumer under 
                subsection (a)(1); and
                    (B) remove, or temporarily suspend, a security 
                freeze within 3 business days after receiving a request 
                for removal or temporary suspension from the consumer 
                under subsection (c).
            (2) Notification of other covered entities.--If the 
        consumer requests in writing or by telephone that other covered 
        entities be notified of the request, the consumer reporting 
        agency shall notify all other consumer reporting agencies 
        described in section 603(p)(1) of the Fair Credit Reporting Act 
        (15 U.S.C. 1681a(p)(1)) of the request within 3 days after 
        placing, removing, or temporarily suspending a security freeze 
        on the consumer's credit report under subsection (a), 
        (c)(2)(A), or subsection (c)(4), respectively.
            (3) Implementation by other covered entities.--A consumer 
        reporting agency that is notified of a request under paragraph 
        (2) to place, remove, or temporarily suspend a security freeze 
        on a consumer's credit report shall--
                    (A) request proper identification from the 
                consumer, in accordance with subsection (f), within 3 
                business days after receiving the notification; and
                    (B) place, remove, or temporarily suspend the 
                security freeze on that credit report within 3 business 
                days after receiving proper identification.
    (e) Confirmation.--Except as provided in subsection (c)(3), 
whenever a consumer credit reporting agency places, removes, or 
temporarily suspends a security freeze on a consumer's credit report at 
the request of that consumer under subsection (a) or (c), respectively, 
it shall send a written confirmation thereof to the consumer within 10 
business days after placing, removing, or temporarily suspending the 
security freeze on the credit report. This subsection does not apply to 
the placement, removal, or temporary suspension of a security freeze by 
a consumer reporting agency because of a notification received under 
subsection (d)(2).
    (f) ID Required.--A consumer credit reporting agency may not place, 
remove, or temporarily suspend a security freeze on a consumer's credit 
report at the consumer's request unless the consumer provides proper 
identification (within the meaning of section 610(a)(1) of the Fair 
Credit Reporting Act (15 U.S.C. 1681h) and the regulations thereunder).
    (g) Exceptions.--This section does not apply to the use of a 
consumer credit report by any of the following:
            (1) A person or entity, or a subsidiary, affiliate, or 
        agent of that person or entity, or an assignee of a financial 
        obligation owing by the consumer to that person or entity, or a 
        prospective assignee of a financial obligation owing by the 
        consumer to that person or entity in conjunction with the 
        proposed purchase of the financial obligation, with which the 
        consumer has or had prior to assignment an account or contract, 
        including a demand deposit account, or to whom the consumer 
        issued a negotiable instrument, for the purposes of reviewing 
        the account or collecting the financial obligation owing for 
        the account, contract, or negotiable instrument.
            (2) Any Federal, State or local agency, law enforcement 
        agency, trial court, or private collection agency acting 
        pursuant to a court order, warrant, subpoena, or other 
        compulsory process.
            (3) A child support agency or its agents or assigns acting 
        pursuant to subtitle D of title IV of the Social Security Act 
        (42 U.S.C. et seq.) or similar State law.
            (4) The Department of Health and Human Services, a similar 
        State agency, or the agents or assigns of the Federal or State 
        agency acting to investigate medicare or medicaid fraud.
            (5) The Internal Revenue Service or a State or municipal 
        taxing authority, or a State department of motor vehicles, or 
        any of the agents or assigns of these Federal, State, or 
        municipal agencies acting to investigate or collect delinquent 
        taxes or unpaid court orders or to fulfill any of their other 
        statutory responsibilities.
            (6) The use of consumer credit information for the purposes 
        of prescreening as provided for by the Federal Fair Credit 
        Reporting Act (15 U.S.C. 1681 et seq.).
            (7) Any person or entity administering a credit file 
        monitoring subscription to which the consumer has subscribed.
            (8) Any person or entity for the purpose of providing a 
        consumer with a copy of his or her credit report or credit 
        score upon the consumer's request.
    (h) Fees.--
            (1) In general.--Except as provided in paragraph (2), a 
        consumer credit reporting agency may charge a reasonable fee, 
        as determined by the Commission by rule, promulgated in 
        accordance with section 553 of title 5, United States Code, for 
        placing, removing, or temporarily suspending a security freeze 
        on a consumer's credit report.
            (2) ID theft victims.--A consumer credit reporting agency 
        may not charge a fee for placing, removing, or temporarily 
        suspending a security freeze on a consumer's credit report if--
                    (A) the consumer is a victim of identity theft;
                    (B) the consumer requests the security freeze in 
                writing;
                    (C) the consumer has filed a police report with 
                respect to the theft, or an identity theft report (as 
                defined in section 603(q)(4) of the Fair Credit 
                Reporting Act (15 U.S.C. 1681a(q)(4))), within 90 days 
                after the theft occurred or was discovered by the 
                consumer; and
                    (D) the consumer provides a copy of the report to 
                the credit reporting agency.
    (i) Limitation on Information Changes in Frozen Reports.--
            (1) In general.--If a security freeze is in place on a 
        consumer's credit report, a consumer credit reporting agency 
        may not change any of the following official information in 
        that credit report without sending a written confirmation of 
        the change to the consumer within 30 days after the change is 
        made:
                    (A) Name.
                    (B) Date of birth.
                    (C) Social Security number.
                    (D) Address.
            (2) Confirmation.--Paragraph (1) does not require written 
        confirmation for technical modifications of a consumer's 
        official information, including name and street abbreviations, 
        complete spellings, or transposition of numbers or letters. In 
        the case of an address change, the written confirmation shall 
        be sent to both the new address and to the former address.
    (j) Certain Entity Exemptions.--
            (1) Aggregators and other agencies.--The provisions of 
        subsections (a) through (h) do not apply to a consumer credit 
        reporting agency that acts only as a reseller of credit 
        information by assembling and merging information contained in 
        the data base of another consumer credit reporting agency or 
        multiple consumer credit reporting agencies, and does not 
        maintain a permanent data base of credit information from which 
        new consumer credit reports are produced.
            (2) Other exempted entities.--The following entities are 
        not required to place a security freeze in a credit report:
                    (A) A check services or fraud prevention services 
                company, which issues reports on incidents of fraud or 
                authorizations for the purpose of approving or 
                processing negotiable instruments, electronic funds 
                transfers, or similar methods of payments.
                    (B) A deposit account information service company, 
                which issues reports regarding account closures due to 
                fraud, substantial overdrafts, ATM abuse, or similar 
                negative information regarding a consumer, to inquiring 
                banks or other financial institutions for use only in 
                reviewing a consumer request for a deposit account at 
                the inquiring bank or financial institution.

SEC. 5. ENFORCEMENT.

    (a) Enforcement by Commission.--Except as provided in subsection 
(c), this Act shall be enforced by the Commission.
    (b) Violation is Unfair or Deceptive Act or Practice.--The 
violation of any provision of this Act shall be treated as an unfair or 
deceptive act or practice proscribed under a rule issued under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (c) Enforcement by Certain Other Agencies.--Compliance with this 
Act shall be enforced exclusively under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, and any subsidiaries 
                of such entities (except brokers, dealers, persons 
                providing insurance, investment companies, and 
                investment advisers), by the Office of the Comptroller 
                of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, organizations operating under section 25 
                or 25A of the Federal Reserve Act (12 U.S.C. 601 and 
                611), and bank holding companies and their nonbank 
                subsidiaries or affiliates (except brokers, dealers, 
                persons providing insurance, investment companies and 
                investment advisers), by the Board of Governors of the 
                Federal Reserve System;
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System), insured State branches of foreign banks, and 
                any subsidiaries of such entities (except brokers, 
                dealers, persons providing insurance, investment 
                companies and investment advisers), by the Board of 
                Directors of the Federal Deposit Insurance Corporation; 
                and
                    (D) savings associations the deposits of which are 
                insured by the Federal Deposit Insurance Corporation, 
                and any subsidiaries of such savings associations 
                (except brokers, dealers, persons providing insurance, 
                investment companies and investment advisers), by the 
                Director of the Office of Thrift Supervision;
            (2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the Board of the National Credit Union Administration Board 
        with respect to any Federal credit union and any subsidiaries 
        of such a credit union;
            (3) the Securities and Exchange Act of 1934 (15 U.S.C. 78a 
        et seq.) by the Securities and Exchange Commission with respect 
        to--
                    (A) a broker or dealer subject to that Act;
                    (B) an investment company subject to the Investment 
                Company Act of 1940 (15 U.S.C. 80a-1 et seq.); and
                    (C) an investment advisor subject to the Investment 
                Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.); and
            (4) State insurance law, in the case of any person engaged 
        in providing insurance, by the applicable State insurance 
        authority of the State in which the person is domiciled.
    (d) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (c) of its powers under any Act 
referred to in that subsection, a violation of this Act is deemed to be 
a violation of a requirement imposed under that Act. In addition to its 
powers under any provision of law specifically referred to in 
subsection (c), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under this Act, any other authority conferred on it by law.
    (e) Penalties.--
            (1) In general.--Notwithstanding section 5(m) of the 
        Federal Trade Commission Act (15 U.S.C. 45(m)), the Commission 
        may not obtain a civil penalty under that section for a 
        violation of section 3 of this Act by a covered entity in 
        excess of--
                    (A) $11,000 for each such individual; and
                    (B) $11,000,000 in the aggregate for all such 
                individuals with respect to the same violation by that 
                covered entity.
            (2) Other authority not affected.--Nothing in this Act 
        shall be construed to limit or affect in any way the 
        Commission's authority to bring enforcement actions or take any 
        other measure under the Federal Trade Commission Act (15 U.S.C. 
        41 et seq.) or any other provision of law.
    (f) No Private Cause of Action.--
            (1) In general.--No private right of action or class action 
        shall be brought under this Act.
            (2) State attorney general authority.--No person other than 
        the attorney general of a State may bring a civil action under 
        the law of any State if such action is premised upon the 
        defendant violating any provision of this Act.
    (g) Compliance with Gramm-Leach-Bliley Act.--Any covered entity is 
deemed to be in compliance with the notification requirements of this 
Act with respect to any breach of security for which it complies with 
requirements regarding notification established for such entities under 
title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.). Any 
covered entity is deemed to be in compliance with the requirements of 
this Act to protect sensitive personal information with respect to any 
such information for which it complies with the information protection 
requirements established for such entities under title V of that Act 
and under section 607(a) of the Fair Credit Reporting Act (15 U.S.C. 
1681e(a)).

SEC. 6. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--Except as provided in section 5(c), a State, as 
parens patriae, may bring a civil action on behalf of its residents in 
an appropriate district court of the United States to enforce the 
provisions of this Act, to obtain damages, restitution, or other 
compensation on behalf of such residents, or to obtain such further and 
other relief as the court may deem appropriate, whenever the attorney 
general of the State has reason to believe that the interests of the 
residents of the State have been or are being threatened or adversely 
affected by a covered entity that violates this Act or a regulation 
under this Act.
    (b) Notice.--The State shall serve written notice to the Commission 
(or other appropriate Federal regulator under section 5) of any civil 
action under subsection (a) at least 60 days prior to initiating such 
civil action. The notice shall include a copy of the complaint to be 
filed to initiate such civil action, except that if it is not feasible 
for the State to provide such prior notice, the State shall provide 
such notice immediately upon instituting such civil action.
    (c) Authority To Intervene.--Upon receiving the notice required by 
subsection (b), the Commission (or other appropriate Federal regulator 
under section 5) may intervene in such civil action and upon 
intervening--
            (1) be heard on all matters arising in such civil action; 
        and
            (2) file petitions for appeal of a decision in such civil 
        action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this section shall prevent the attorney 
general of a State from exercising the powers conferred on the attorney 
general by the laws of such State to conduct investigations or to 
administer oaths or affirmations or to compel the attendance of 
witnesses or the production of documentary and other evidence.
    (e) Venue; Service of Process.--In a civil action brought under 
subsection (a)--
            (1) the venue shall be a judicial district in which--
                    (A) the covered entity operates;
                    (B) the covered entity was authorized to do 
                business; or
                    (C) where the defendant in the civil action is 
                found;
            (2) process may be served without regard to the territorial 
        limits of the district or of the State in which the civil 
        action is instituted; and
            (3) a person who participated with a covered entity in an 
        alleged violation that is being litigated in the civil action 
        may be joined in the civil action without regard to the 
        residence of the person.
    (f) Limitation on State Action While Federal Action Is Pending.--If 
the Commission (or other appropriate Federal agency under section 5) 
has instituted a civil action or an administrative action for violation 
of this Act, no State attorney general, or official or agency of a 
State, may bring an action under this subsection during the pendency of 
that action against any defendant named in the complaint of the 
Commission or the other agency for any violation of this Act alleged in 
the complaint.

SEC. 7. PREEMPTION OF STATE LAW.

    (a) In General.--This Act preempts any State or local law, 
regulation, or rule that requires a covered entity--
            (1) to develop, implement, maintain, or enforce information 
        security programs to which this Act applies; or
            (2) to notify individuals of breaches of security 
        pertaining to them.
    (b) Liability.--This Act preempts any State or local law, 
regulation, rule, administrative procedure, or judicial precedent under 
which liability is imposed on a covered entity for failure--
            (1) to implement and maintain an adequate information 
        security program; or
            (2) to notify an individual of any breach of security 
        pertaining to any sensitive personal information about that 
        individual.
    (c) Security Freeze.--This Act preempts any State or local law, 
regulation, or rule that requires consumer reporting agencies to comply 
with a consumer's request to place, remove, or temporarily suspend a 
prohibition on the release by a consumer reporting agency of 
information from its files on that consumer.
    (d) Social Security Numbers.--Section 8 of this Act, and the 
amendments made by that section, preempt any State or local law, 
regulation, or rule prohibiting or limiting the solicitation or display 
of Social Security account numbers.
    (e) Limitation of Preemption.--Federal preemption under this Act 
shall only apply to matters expressly described in subsections (a) 
through (d) of this section, and shall have no effect on other State or 
local jurisdiction over covered entities.

SEC. 8. SOCIAL SECURITY NUMBER PROTECTION.

    (a) Prohibition of Unnecessary Solicitation of Social Security 
Numbers.--
            (1) In general.--No covered entity may solicit a social 
        security number from an individual unless there is a specific 
        use of the social security number for which no other identifier 
        reasonably can be used.
            (2) Exceptions.--Paragraph (1) does not apply to the 
        solicitation of a social security number--
                    (A) for the purpose of obtaining a consumer report 
                for any purpose permitted under the Fair Credit 
                Reporting Act (15 U.S.C. 1681 et seq.),
                    (B) by a consumer reporting agency for the purpose 
                of authenticating or obtaining appropriate proof of a 
                consumer's identity, as required under that Act;
                    (C) for any purpose permitted under section 502(e) 
                of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(e)); or
                    (D) to identify or locate missing or abducted 
                children, witnesses, criminals and fugitives, parties 
                to lawsuits, parents delinquent in child support 
                payments, organ and bone marrow donors, pension fund 
                beneficiaries, and missing heirs.
    (b) Prohibition of the Display of Social Security Numbers on 
Employee Identification Cards, Etc.--
    (1) In general.--No covered entity may display the social security 
number (or any derivative of such number) of an individual on any card 
or tag that is commonly provided to employees (or to their family 
members), faculty, staff, or students for purposes of identification.
    (2) Driver's Licenses.--A State may not display the social security 
number of an individual on driver's licenses issued by that State.
    (c) Prohibition of Prisoner Access to Social Security Account 
Numbers.--
            (1) In general.--Section 205(c)(2)(C) of the Social 
        Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at 
        the end the following new clause:
    ``(x) No executive, legislative, or judicial agency or 
instrumentality of the Federal Government or of a State or political 
subdivision thereof (or person acting as an agent of such an agency or 
instrumentality) may employ, or enter into a contract for the use or 
employment of, prisoners in any capacity that would allow such 
prisoners access to the social security account numbers of other 
individuals. For purposes of this clause, the term `prisoner' means an 
individual who is confined in a jail, prison, or other penal 
institution or correctional facility, serving community service as a 
term of probation or parole, or serving a sentence through a work-
furlough program.''.
            (2) Treatment of current arrangements.--In the case of--
                    (A) prisoners employed as described in clause (xi) 
                of section 205(c)(2)(C) of the Social Security Act (42 
                U.S.C. 405(c)(2)(C)), as added by paragraph (1), on the 
                date of enactment of this Act, and
                    (B) contracts described in such clause in effect on 
                such date,
        the amendment made by paragraph (1) shall take effect 90 days 
        after the date of enactment of this Act.
    (d) Prohibition of Sale, Purchase, and Display of Social Security 
Numbers to the General Public.--
            (1) In general.--Except as provided in paragraph (2), it 
        shall be unlawful for any person to--
                    (A) sell or purchase a social security account 
                number or display to the general public a social 
                security account number, or
                    (B) obtain or use any individual's social security 
                account number for the purpose of locating or 
                identifying such individual with the intent to 
                physically injure or harm such individual or using the 
                identity of such individual for any illegal purpose.
            (2) Exceptions.--Notwithstanding paragraph (1), and subject 
        to paragraph (3), a social security account number may be sold 
        or purchased by any person to the extent provided in this 
        subsection (and for no other purpose)--
                    (A) to the extent necessary for national security 
                purposes;
                    (B) to the extent necessary for public health 
                purposes;
                    (C) to the extent necessary in emergency situations 
                to protect the health or safety of 1 or more 
                individuals;
                    (D) to the extent that the sale or purchase is 
                required to comply with a tax law of the United States 
                or of any State (or political subdivision thereof);
                    (E) to the extent that the sale or purchase is to 
                or by a consumer reporting agency (as defined in 
                section 603(f) of the Fair Credit Reporting Act (15 
                U.S.C. 1681a(f))) for use or disclosure solely for 
                permissible purposes described in section 604(a) of 
                such Act (15 U.S.C. 1681b(a)); and
                    (F) to the extent necessary for research (other 
                than market research) conducted by an agency or 
                instrumentality of the United States or of a State or 
                political subdivision thereof (or an agent of such an 
                agency or instrumentality) for the purpose of advancing 
                the public good, on the condition that the researcher 
                provides adequate assurances that--
                            (i) the social security account numbers 
                        will not be used to harass, target, or publicly 
                        reveal information concerning any identifiable 
                        individuals;
                            (ii) information about identifiable 
                        individuals obtained from the research will not 
                        be used to make decisions that directly affect 
                        the rights, benefits, or privileges of specific 
                        individuals; and
                            (iii) the researcher has in place 
                        appropriate safeguards to protect the privacy 
                        and confidentiality of any information about 
                        identifiable individuals, including procedures 
                        to ensure that the social security account 
                        numbers will be encrypted or otherwise 
                        appropriately secured from unauthorized 
                        disclosure.
            (3) Consensual Sale.--Notwithstanding paragraph (1), a 
        social security account number assigned to an individual may be 
        sold, purchased, or displayed to the general public by any 
        person to the extent consistent with such individual's 
        voluntary and affirmative written consent to the sale, 
        purchase, or display of the social security account number, but 
        only if--
                    (A) the terms of the consent and the right to 
                refuse consent are presented to the individual in a 
                clear, conspicuous, and understandable manner;
                    (B) the individual is placed under no obligation to 
                provide consent to any such sale, purchase, or display; 
                and
                    (C) the terms of the consent authorize the 
                individual to limit the sale, purchase, or display to 
                purposes directly associated with the transaction with 
                respect to which the consent is sought.
            (4) Regulations.--Within 1 year after the date of enactment 
        of this Act the Commission shall promulgate regulations under 
        this subsection after consultation with the Attorney General, 
        the Commissioner of Social Security, the Secretary of Homeland 
        Security, State attorneys general, and such other governmental 
        agencies and instrumentalities as the Attorney General 
        considers appropriate.

SEC. 9. INFORMATION SECURITY WORKING GROUP.

    (a) Information Security Working Group.--The Chairman of the 
Commission shall establish an Information Security Working Group to 
collect, review, disseminate, and advise on best practices for covered 
entities to protect sensitive personal information stored and 
transferred. The Working Group shall be composed of industry 
participants, consumer groups, and other interested parties.
    (b) Report.--Not later than 12 months after the date on which the 
Working Group is established under subsection (a) and annually 
thereafter, the Working Group shall submit to Congress a report on its 
findings.
    (c) Termination.--The Commission, after notifying the Congress in 
writing of its intent to terminate the Working Group, may terminate it 
after the Commission determines that the work and annual reports are no 
longer necessary.

SEC. 10. DEFINITIONS.

    In this Act:
            (1) Breach of security.--The term ``breach of security'' 
        means unauthorized access to and acquisition of data in any 
        form or format containing sensitive personal information that 
        compromises the security or confidentiality of such information 
        and creates a reasonable risk of identity theft.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Consumer credit reporting agency.--The term ``consumer 
        credit reporting agency'' means any person which, for monetary 
        fees, dues, or on a cooperative nonprofit basis, regularly 
        engages in whole or in part in the practice of assembling or 
        evaluating consumer credit information or other information on 
        consumers for the purpose of furnishing credit reports to third 
        parties, and which uses any means or facility of interstate 
        commerce for the purpose of preparing or furnishing credit 
        reports.
            (4) Covered entity.--The term ``covered entity'' means a 
        sole proprietorship, partnership, corporation, trust, estate, 
        cooperative, association, or other commercial entity, and any 
        charitable, educational, or nonprofit organization, that 
        acquires, maintains, or utilizes sensitive personal 
        information.
            (5) Credit report.--The term ``credit report'' means a 
        consumer report, as defined in section 603(d) of the Federal 
        Fair Credit Reporting Act (15 U.S.C. 1681a(p)), that is used or 
        expected to be used or collected in whole or in part for the 
        purpose of serving as a factor in establishing a consumer's 
        eligibility for credit for personal, family or household 
        purposes.
            (6) Identity theft.--The term ``identity theft'' means the 
        unauthorized acquisition, purchase, sale, or use by any person 
        of an individual's sensitive personal information that--
                    (A) violates section 1028 of title 18, United 
                States Code, or any provision of State law in pari 
                materia; or
                    (B) results in economic loss to the individual 
                whose sensitive personal information was used.
            (7) Reasonable risk of identity theft.--The term 
        ``reasonable risk of identity theft'' means that the 
        preponderance of the evidence available to the covered entity 
        that has experienced a breach of security establishes that 
        identity theft for 1 or more individuals from the breach of 
        security is foreseeable.
            (8) Reviewing the account.--The term ``reviewing the 
        account'' includes activities related to account maintenance, 
        monitoring, credit line increases, and account upgrades and 
        enhancements.
            (9) Sensitive personal information.--
                    (A) In general.--Except as provided in 
                subparagraphs (B) and (C), the term ``sensitive 
                personal information'' means an individual's name, 
                address, or telephone number combined with 1 or more of 
                the following data elements related to that individual:
                            (i) Social security number, taxpayer 
                        identification number, or an employer 
                        identification number that is the same as or is 
                        derived from the social security number of that 
                        individual.
                            (ii) Financial account number, or credit 
                        card or debit card number of such individual, 
                        combined with any required security code, 
                        access code, or password that would permit 
                        access to such individual's account.
                            (iii) State driver's license identification 
                        number or State resident identification number.
                    (B) FTC modifications.--The Commission may, through 
                a rulemaking proceeding in accordance with section 553 
                of title 5, United States Code, designate other 
                identifying information that may be used to effectuate 
                identity theft as sensitive personal information for 
                purposes of this Act and limit or exclude any 
                information described in subparagraph (A) from the 
                definition of sensitive personal information for 
                purposes of this Act.
                    (C) Public records.--Nothing in this Act prohibits 
                a covered entity from obtaining, aggregating, or using 
                sensitive personal information it lawfully obtains from 
                public records in a manner that does not violate this 
                Act.

SEC. 11. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to the Commission 
$1,000,000 for each of fiscal years 2006 through 2010 to carry out this 
Act.

SEC. 12. RELATED CRIME STUDY.

    (a) In General.--The Federal Trade Commission, in conjunction with 
the Department of Justice and other Federal agencies, shall undertake a 
study of--
            (1) the correlation between methamphetamine use and 
        identity theft crimes;
            (2) the needs of law enforcement to address methamphetamine 
        crimes related to identity theft, including production, 
        trafficking, and the purchase of precursor chemicals; and
            (3) the Federal Government's role in addressing and 
        deterring identity theft crimes.
    (b) Report.--Not later than 18 months after the date of enactment 
of this Act, the Federal Trade Commission shall submit a report of its 
findings and recommendations to the Congress that includes--
            (1) a detailed analysis of the correlation between 
        methamphetamine use and identity theft crimes;
            (2) the needs of law enforcement to address methamphetamine 
        crimes related to identity theft, including production, 
        trafficking, and the purchase of precursor chemicals related to 
        methamphetamine;
            (3) the Federal Government's role in addressing and 
        deterring identity theft crimes; and
            (4) specific recommendations for means of reducing and 
        preventing crimes involving methamphetamine and identity theft, 
        including recommendations for best practices for local law 
        enforcement agencies.

SEC. 13. PROHIBITION ON TECHNOLOGY MANDATES.

    Nothing in this Act shall be construed to permit the Commission to 
issue regulations that require or impose a specific technology, 
product, technological standards, or solution.

SEC. 14. EFFECTIVE DATES.

    (a) In General.--Except as provided in subsections (b) and (c), the 
provisions of this Act take effect upon its enactment.
    (b) Implementation of Security Program.--A covered entity shall 
implement the program required by section 2(a) within 6 months after 
the date of enactment of this Act.
    (c) Provisions Requiring Rulemaking.--The Commission shall initiate 
1 or more rulemaking proceedings under sections 2(c), 3, and 4 within 
45 days after the date of enactment of this Act. The Commission shall 
promulgate all final rules pursuant to those rulemaking proceedings 
within 1 year after the date of enactment of this Act. The provisions 
of sections 2(c), 3, and 4 shall take effect on the same date 6 months 
after the date on which the Commission promulgates the last final rule 
under the proceeding or proceedings commenced under the preceding 
sentence.
    (d) Preemption.--Section 7 shall take effect at the same time as 
sections 2(c), 3, and 4 take effect.
