[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1461 Introduced in Senate (IS)]

109th CONGRESS
  1st Session
                                S. 1461

To establish procedures for the protection of consumers from misuse of, 
and unauthorized access to, sensitive personal information contained in 
private information files maintained by commercial entities engaged in, 
  or affecting, interstate commerce, provide for enforcement of those 
  procedures by the Federal Trade Commission, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 21, 2005

  Mr. Shelby introduced the following bill; which was read twice and 
    referred to the Committee on Banking, Housing, and Urban Affairs

_______________________________________________________________________

                                 A BILL


 
To establish procedures for the protection of consumers from misuse of, 
and unauthorized access to, sensitive personal information contained in 
private information files maintained by commercial entities engaged in, 
  or affecting, interstate commerce, provide for enforcement of those 
  procedures by the Federal Trade Commission, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Identity Protection and 
Security Act''.

SEC. 2. SECURITY FREEZES.

    The Fair Credit Reporting Act (15 U.S.C. 1601 et seq.) is amended 
by inserting after section 605B the following:

``SEC. 605C. SECURITY FREEZES.

    ``(a) In General.--A consumer reporting agency shall place a 
security freeze on a private information file when requested by the 
consumer to whom that file relates--
            ``(1) by certified mail,
            ``(2) by telephone by providing certain sensitive personal 
        information, or
            ``(3) through a secure electronic mail connection if such 
        connection is made available by the consumer reporting agency.
    ``(b) Timing.--A consumer reporting agency shall place the 
requested security freeze on the private information file no later than 
2 business days after receiving a written or telephone request from the 
consumer or 24 hours after receiving a secure electronic mail request.
    ``(c) Confirmation.--Within 2 business days after placing a 
security freeze on a private information file under subsection (a), the 
consumer reporting agency that received the request from the consumer 
shall--
            ``(1) send a written confirmation of the security freeze to 
        the consumer; and
            ``(2) provide to the consumer a unique personal 
        identification number or password to be used by the consumer to 
        authorize access to the private information file or to remove 
        the security freeze on the file.
    ``(d) Prohibition on Unauthorized Access.--A consumer reporting 
agency may not grant access to a private information file on which a 
security freeze has been placed, or release information contained in 
such a private information file, except in accordance with the 
provisions of this section or other Federal law.
    ``(e) Limited or Temporary Access to Frozen Report.--
            ``(1) In general.--Within 3 business days after receiving a 
        request from a consumer upon whose private information file a 
        security freeze has been placed to allow access to that file to 
        a third party, or for a period of time, specified by the 
        consumer, a consumer reporting agency shall make the private 
        information file available in accordance with the request 
        notwithstanding the security freeze. Each consumer reporting 
        agency shall develop procedures involving the use of telephone, 
        facsimile machine, or, upon the consent of the consumer in the 
        manner required by the Electronic Signatures in Global and 
        National Commerce Act (15 U.S.C. 7001 et seq.) for notices 
        legally required to be in writing, by the Internet, e-mail, or 
        other electronic medium, to receive and process a request from 
        a consumer to provide limited or temporary access to the 
        private information file under this section in an expedited 
        manner.
            ``(2) Request requirements.--A consumer reporting agency 
        may not allow access to a private information file under 
        paragraph (1) unless--
                    ``(A) the request was made by the consumer by 
                telephone, certified mail, or secure electronic mail 
                (except as provided in accordance with procedures 
                established pursuant to the second sentence of 
                paragraph (1)); and
                    ``(B) the consumer provides--
                            ``(i) proper identification,
                            ``(ii) the unique personal identification 
                        number or password provided by the consumer 
                        reporting agency under this section; and
                            ``(iii) the proper information regarding 
                        the third party who is to receive the private 
                        information file or the time period for which 
                        the file shall be made available.
            ``(3) Termination not permitted.--A consumer reporting 
        agency may not terminate a security freeze on the basis of a 
        request under paragraph (1) for limited access to a private 
        information file.
    ``(f) Termination of Security Freeze.--
            ``(1) In general.--A consumer reporting agency shall 
        terminate a security freeze on a private information file if--
                    ``(A) the consumer requests that the security 
                freeze be terminated; or
                    ``(B) the consumer reporting agency--
                            ``(i) determines that the security freeze 
                        was placed on the private information file due 
                        to a material misrepresentation of fact by the 
                        consumer; and
                            ``(ii) notifies the consumer in writing not 
                        less than 5 business days before terminating 
                        the security freeze under this subparagraph.
            ``(2) Termination requests.--Except as provided in 
        paragraph (1)(B), a consumer reporting agency may not terminate 
        a security freeze on a private information file unless the 
        consumer provides--
                    ``(A) proper identification; and
                    ``(B) the unique personal identification number or 
                password provided by the consumer reporting agency 
                under this section.
            ``(3) Timing.--A consumer reporting agency shall terminate 
        a security freeze on a private information file within 3 
        business days after receiving a request that meets the 
        requirements of this subsection from the consumer to whom the 
        file relates.
    ``(g) Denial of Third Party Requests.--
            ``(1) Requests denied due to security freeze.--
        Notwithstanding any other provision of law to the contrary, if 
        a third party's request for access to a private information 
        file is denied because there is a security freeze on it, that 
        third party may treat any application in connection with which 
        the request is made as incomplete.
            ``(2) Notification of consumer.--If a consumer reporting 
        agency denies a third party's request for access to a private 
        information file on which a security freeze has been placed for 
        any purpose other than account review, the consumer reporting 
        agency shall notify the consumer that it denied the request 
        within 1 business day thereafter. The notice shall identify the 
        third party making the request and the stated purpose of the 
        request.
    ``(h) Exceptions to Security Freeze.--The provisions of this 
section do not apply to requests for access to a private information 
file by--
            ``(1) a Federal, State, or local law enforcement agency 
        acting within the scope of its authority or pursuant to a court 
        order, warrant, or subpoena;
            ``(2) a Federal, State, or local agency that administers a 
        program for establishing and enforcing child support 
        obligations;
            ``(3) a Federal, State, or local health agency or its 
        agents or assignees acting to investigate fraud;
            ``(4) a Federal, State, or local tax agency, or its agents 
        or assignees, acting to investigate or collect delinquent taxes 
        or unpaid court orders or to fulfill any of its other statutory 
        responsibilities;
            ``(5) a person, or the person's subsidiary, affiliate, 
        agent, or assignee with which the consumer has or, prior to 
        assignment, had an account, contract, or debtor-creditor 
        relationship for the purposes of reviewing the account or 
        collecting the financial obligation owing for the account, 
        contract, or debt;
            ``(6) a subsidiary, affiliate, agent, assignee, or 
        prospective assignee of a person to whom access has been 
        granted under paragraph (5) for purposes of facilitating the 
        extension of credit or other permissible use; or
            ``(7) any person or entity for the purpose of providing a 
        consumer with a copy of his or her private information file 
        upon the consumer's request.
    ``(i) Notification of Violation.--
            ``(1) Notification.--If a consumer reporting agency 
        violates the requirements of this section with respect to 
        access to a private information file, it shall notify the 
        consumer in writing of the violation within 5 business days. 
        The notice shall include a description of the information to 
        which access was granted and the name and address of the third 
        party to whom such access was granted.
            ``(2) Complaints to consumer protection agencies.--If a 
        private information file on which a security freeze under this 
        section is accessed in violation of this section, the consumer 
        to whom the file relates may file a complaint with the Federal 
        Trade Commission, the attorney general of the State in which 
        the consumer resides, or any other Federal or State consumer 
        protection agency.
    ``(j) Application to Other Consumer Reporting Agencies.--
            ``(1) Notification.--Whenever a consumer reporting agency 
        receives a request from a consumer under this section that 
        meets the requirements of this section to place a security 
        freeze on his or her private information file under subsection 
        (a), to provide temporary or limited access to such a private 
        information file under subsection (e), or to terminate a 
        security freeze on such a private information file under 
        subsection (f), it shall notify (on a secure basis) every other 
        consumer reporting agency in the United States that it knows, 
        or has reason to know, to maintain a private information file 
        on that consumer of the request.
            ``(2) Compliance by other consumer reporting agencies.--A 
        consumer reporting agency that receives a reported request 
        under paragraph (1) shall comply with the requirements of this 
        section with respect to that request to the same extent and in 
        the same manner as if it had received the request from the 
        consumer.
            ``(3) Liability.--A consumer reporting agency responding to 
        a notification from another consumer reporting agency under 
        paragraph (1) is liable for any violation of this section with 
        respect to the request to which the notification relates, to 
        the same extent as if it had received the request from the 
        consumer, except that such an agency shall not be liable for 
        any violation attributable to incorrect information provided in 
        the request from the notifying agency.
    ``(k) Service Fees and Charges.--
            ``(1) Fees prohibited.--A consumer reporting agency may not 
        impose a charge or fee for placing a security freeze on a 
        private information file under subsection (a), for providing 
        limited access to a private information file under subsection 
        (e), or for terminating a security freeze on a private 
        information file under subsection (f).
            ``(2) Replacement identification codes and passwords.--A 
        consumer reporting agency--
                    ``(A) may not impose a fee for the replacement or 
                reissue of a lost or forgotten personal identification 
                number or password the first time the replacement or 
                reissue is provided to the consumer; but
                    ``(B) may impose a fee of not more than $5 for a 
                second or subsequent replacement or reissue of such a 
                personal identification number or password.''.

SEC. 3. DEFINITIONS.

    Section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a) is 
amended by adding at the end the following:
    ``(y) Definitions Relating to Security Freezes.--For purposes of 
section 605C, the following definitions shall apply:
            ``(1) Account review.--The term `account review' means any 
        activity related to account maintenance, monitoring, credit 
        line increases, or account upgrades and enhancements.
            ``(2) Private information file.--
                    ``(A) In general.--The term `private information 
                file' means any written, oral, or other communication 
                of any information by a consumer reporting agency 
                bearing on a consumer's character, general reputation, 
                personal characteristics, mode of living, employment, 
                or personal financial information to be used in whole 
                or in part for political campaign, charitable 
                solicitation, commercial marketing purposes or as a 
                factor in establishing the consumer's eligibility for--
                            ``(i) credit or insurance to be used 
                        primarily for personal, family, or household 
                        purposes; or
                            ``(ii) employment purposes.
                    ``(B) Exclusions.--Except as provided in 
                subparagraph (C), the term `private information file' 
                does not include--
                            ``(i) any report containing information 
                        solely as to transactions or experiences 
                        between the consumer and the person making the 
                        report;
                            ``(ii) the communication of that 
                        information among persons related by common 
                        ownership or affiliated by corporate control; 
                        or
                            ``(iii) the communication of other 
                        information among persons related by common 
                        ownership or affiliated by corporate control, 
                        if it is clearly and conspicuously disclosed to 
                        the consumer that the information may be 
                        communicated among such persons and the 
                        consumer is given the opportunity, before the 
                        time that the information is initially 
                        communicated, to direct that such information 
                        not be communicated among such persons;
                            ``(iv) any authorization or approval of a 
                        specific extension of credit directly or 
                        indirectly by the issuer of a credit card or 
                        similar device; or
                            ``(v) any report in which a person who has 
                        been requested by a third party to make a 
                        specific extension of credit directly or 
                        indirectly to a consumer conveys his or her 
                        decision with respect to such request, if the 
                        third party advises the consumer of the name 
                        and address of the person to whom the request 
                        was made, and such person makes the required 
                        disclosures to the consumer under Federal law.
                    ``(C) Restriction on sharing of medical 
                information.--Except for information or any 
                communication of information disclosed as provided in 
                Federal law, the exclusions in subparagraph (B) do not 
                apply with respect to information disclosed to any 
                person related by common ownership or affiliated by 
                corporate control, if the information is--
                            ``(i) medical information;
                            ``(ii) an individualized list or 
                        description based on the payment transactions 
                        of the consumer for medical products or 
                        services; or
                            ``(iii) an aggregate list of identified 
                        consumers based on payment transactions for 
                        medical products or services.''.

SEC. 4. REGULATIONS.

    (a) Rulemaking Proceeding.--Within 90 days after the date of 
enactment of this Act, the Federal Trade Commission shall initiate a 
rulemaking proceeding to provide rules, guidelines, and criteria for 
compliance with the requirements of section 605C of the Fair Credit 
Reporting Act, as added by this Act, including--
            (1) rules necessary to implement the provisions of that 
        section 605C that include required contents for a request for a 
        security freeze, criteria for identification verification of 
        the requesting party, and consumer notification requirements to 
        ensure that consumers are aware of their rights under that 
        section;
            (2) rules to ensure that a request for a security freeze on 
        a private information file, a request from a consumer for 
        limited or temporary access to a private information file, or a 
        requested termination of such a freeze under that section, will 
        be communicated by the consumer reporting agency receiving the 
        request to other consumer reporting agencies, as required by 
        subsection (j) of that section, and implemented by those 
        agencies in a timely manner; and
            (3) rules to provide for the application of that section in 
        a manner that does not conflict with any other provision of 
        Federal law governing the acquisition, maintenance, 
        disposition, or access to information contained in a private 
        information file.
    (b) Final Rule.--The Commission shall issue final rules pursuant to 
the proceeding initiated under subsection (a) within 1 year after the 
date of enactment of this Act.