

	

		II

		109th CONGRESS

		1st Session

		S. 1461

		IN THE SENATE OF THE UNITED STATES

		July 21, 2005

		Mr. Shelby introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs

		A BILL

		To establish procedures for the protection of consumers from misuse of, and unauthorized access to, sensitive personal information contained in private information files maintained by commercial entities engaged in, or affecting, interstate commerce, provide for enforcement of those procedures by the Federal Trade Commission, and for other purposes.

	

	

		1. Short title

			This Act may be cited as the "Consumer Identity Protection and Security Act".

		2. Security freezes

			The Fair Credit Reporting Act (15 U.S.C. 1601 et seq.) is amended by inserting after section 605B the following:

					605C. Security freezes

						(a) In general. A consumer reporting agency shall place a security freeze on a private information file when requested by the consumer to whom that file relates—

							(1) by certified mail,

							(2) by telephone by providing certain sensitive personal information, or

							(3) through a secure electronic mail connection if such connection is made available by the consumer reporting agency.

						(b) Timing. A consumer reporting agency shall place the requested security freeze on the private information file no later than 2 business days after receiving a written or telephone request from the consumer or 24 hours after receiving a secure electronic mail request.

						(c) Confirmation. Within 2 business days after placing a security freeze on a private information file under subsection (a), the consumer reporting agency that received the request from the consumer shall—

							(1) send a written confirmation of the security freeze to the consumer; and

							(2) provide to the consumer a unique personal identification number or password to be used by the consumer to authorize access to the private information file or to remove the security freeze on the file.

						(d) Prohibition on unauthorized access. A consumer reporting agency may not grant access to a private information file on which a security freeze has been placed, or release information contained in such a private information file, except in accordance with the provisions of this section or other Federal law.

						(e) Limited or temporary access to frozen report.

							(1) In general. Within 3 business days after receiving a request from a consumer upon whose private information file a security freeze has been placed to allow access to that file to a third party, or for a period of time, specified by the consumer, a consumer reporting agency shall make the private information file available in accordance with the request notwithstanding the security freeze. Each consumer reporting agency shall develop procedures involving the use of telephone, facsimile machine, or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.) for notices legally required to be in writing, by the Internet, e-mail, or other electronic medium, to receive and process a request from a consumer to provide limited or temporary access to the private information file under this section in an expedited manner.

							(2) Request requirements. A consumer reporting agency may not allow access to a private information file under paragraph (1) unless—

								(A) the request was made by the consumer by telephone, certified mail, or secure electronic mail (except as provided in accordance with procedures established pursuant to the second sentence of paragraph (1)); and

								(B) the consumer provides—

									(i) proper identification,

									(ii) the unique personal identification number or password provided by the consumer reporting agency under this section; and

									(iii) the proper information regarding the third party who is to receive the private information file or the time period for which the file shall be made available.

							(3) Termination not permitted. A consumer reporting agency may not terminate a security freeze on the basis of a request under paragraph (1) for limited access to a private information file.

						(f) Termination of security freeze.

							(1) In general. A consumer reporting agency shall terminate a security freeze on a private information file if—

								(A) the consumer requests that the security freeze be terminated; or

								(B) the consumer reporting agency—

									(i) determines that the security freeze was placed on the private information file due to a material misrepresentation of fact by the consumer; and

									(ii) notifies the consumer in writing not less than 5 business days before terminating the security freeze under this subparagraph.

							(2) Termination requests. Except as provided in paragraph (1)(B), a consumer reporting agency may not terminate a security freeze on a private information file unless the consumer provides—

								(A) proper identification; and

								(B) the unique personal identification number or password provided by the consumer reporting agency under this section.

							(3) Timing. A consumer reporting agency shall terminate a security freeze on a private information file within 3 business days after receiving a request that meets the requirements of this subsection from the consumer to whom the file relates.

						(g) Denial of third party requests.

							(1) Requests denied due to security freeze. Notwithstanding any other provision of law to the contrary, if a third party's request for access to a private information file is denied because there is a security freeze on it, that third party may treat any application in connection with which the request is made as incomplete.

							(2) Notification of consumer. If a consumer reporting agency denies a third party's request for access to a private information file on which a security freeze has been placed for any purpose other than account review, the consumer reporting agency shall notify the consumer that it denied the request within 1 business day thereafter. The notice shall identify the third party making the request and the stated purpose of the request.

						(h) Exceptions to security freeze. The provisions of this section do not apply to requests for access to a private information file by—

							(1) a Federal, State, or local law enforcement agency acting within the scope of its authority or pursuant to a court order, warrant, or subpoena;

							(2) a Federal, State, or local agency that administers a program for establishing and enforcing child support obligations;

							(3) a Federal, State, or local health agency or its agents or assignees acting to investigate fraud;

							(4) a Federal, State, or local tax agency, or its agents or assignees, acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;

							(5) a person, or the person's subsidiary, affiliate, agent, or assignee with which the consumer has or, prior to assignment, had an account, contract, or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or debt;

							(6) a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under paragraph (5) for purposes of facilitating the extension of credit or other permissible use; or

							(7) any person or entity for the purpose of providing a consumer with a copy of his or her private information file upon the consumer's request.

						(i) Notification of violation.

							(1) Notification. If a consumer reporting agency violates the requirements of this section with respect to access to a private information file, it shall notify the consumer in writing of the violation within 5 business days. The notice shall include a description of the information to which access was granted and the name and address of the third party to whom such access was granted.

							(2) Complaints to consumer protection agencies. If a private information file on which a security freeze under this section is accessed in violation of this section, the consumer to whom the file relates may file a complaint with the Federal Trade Commission, the attorney general of the State in which the consumer resides, or any other Federal or State consumer protection agency.

						(j) Application to other consumer reporting agencies.

							(1) Notification. Whenever a consumer reporting agency receives a request from a consumer under this section that meets the requirements of this section to place a security freeze on his or her private information file under subsection (a), to provide temporary or limited access to such a private information file under subsection (e), or to terminate a security freeze on such a private information file under subsection (f), it shall notify (on a secure basis) every other consumer reporting agency in the United States that it knows, or has reason to know, to maintain a private information file on that consumer of the request.

							(2) Compliance by other consumer reporting agencies. A consumer reporting agency that receives a reported request under paragraph (1) shall comply with the requirements of this section with respect to that request to the same extent and in the same manner as if it had received the request from the consumer.

							(3) Liability. A consumer reporting agency responding to a notification from another consumer reporting agency under paragraph (1) is liable for any violation of this section with respect to the request to which the notification relates, to the same extent as if it had received the request from the consumer, except that such an agency shall not be liable for any violation attributable to incorrect information provided in the request from the notifying agency.

						(k) Service fees and charges.

							(1) Fees prohibited. A consumer reporting agency may not impose a charge or fee for placing a security freeze on a private information file under subsection (a), for providing limited access to a private information file under subsection (e), or for terminating a security freeze on a private information file under subsection (f).

							(2) Replacement identification codes and passwords. A consumer reporting agency—

								(A) may not impose a fee for the replacement or reissue of a lost or forgotten personal identification number or password the first time the replacement or reissue is provided to the consumer; but

								(B) may impose a fee of not more than $5 for a second or subsequent replacement or reissue of such a personal identification number or password.

		3. Definitions

			Section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a) is amended by adding at the end the following:

					(y) Definitions relating to security freezes. For purposes of section 605C, the following definitions shall apply:

						(1) Account review. The term "account review" means any activity related to account maintenance, monitoring, credit line increases, or account upgrades and enhancements.

						(2) Private information file.

							(A) In general. The term "private information file" means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's character, general reputation, personal characteristics, mode of living, employment, or personal financial information to be used in whole or in part for political campaign, charitable solicitation, commercial marketing purposes or as a factor in establishing the consumer's eligibility for—

								(i) credit or insurance to be used primarily for personal, family, or household purposes; or

								(ii) employment purposes.

							(B) Exclusions. Except as provided in subparagraph (C), the term "private information file" does not include—

								(i) any report containing information solely as to transactions or experiences between the consumer and the person making the report;

								(ii) the communication of that information among persons related by common ownership or affiliated by corporate control; or

								(iii) the communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons;

								(iv) any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; or

								(v) any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and such person makes the required disclosures to the consumer under Federal law.

							(C) Restriction on sharing of medical information. Except for information or any communication of information disclosed as provided in Federal law, the exclusions in subparagraph (B) do not apply with respect to information disclosed to any person related by common ownership or affiliated by corporate control, if the information is—

								(i) medical information;

								(ii) an individualized list or description based on the payment transactions of the consumer for medical products or services; or

								(iii) an aggregate list of identified consumers based on payment transactions for medical products or services.

		4. Regulations

			(a) Rulemaking proceeding. Within 90 days after the date of enactment of this Act, the Federal Trade Commission shall initiate a rulemaking proceeding to provide rules, guidelines, and criteria for compliance with the requirements of section 605C of the Fair Credit Reporting Act, as added by this Act, including—

				(1) rules necessary to implement the provisions of that section 605C that include required contents for a request for a security freeze, criteria for identification verification of the requesting party, and consumer notification requirements to ensure that consumers are aware of their rights under that section;

				(2) rules to ensure that a request for a security freeze on a private information file, a request from a consumer for limited or temporary access to a private information file, or a requested termination of such a freeze under that section, will be communicated by the consumer reporting agency receiving the request to other consumer reporting agencies, as required by subsection (j) of that section, and implemented by those agencies in a timely manner; and

				(3) rules to provide for the application of that section in a manner that does not conflict with any other provision of Federal law governing the acquisition, maintenance, disposition, or access to information contained in a private information file.

			(b) Final rule. The Commission shall issue final rules pursuant to the proceeding initiated under subsection (a) within 1 year after the date of enactment of this Act.

			

