

	

II

109th CONGRESS
1st Session

S. 1594

IN THE SENATE OF THE UNITED STATES

July 29, 2005

Mr. Corzine introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs

A BILL

To require financial services providers to maintain customer information security systems and to notify customers of unauthorized access to personal information, and for other purposes.


1. Short title

This Act may be cited as the "Financial Privacy Protection Act of 2005".

2. Prevention of identity theft; notification of unauthorized access to customer information

Subtitle B of title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6821 et seq.) is amended—

(1) by striking section 525;

(2) by redesignating sections 522 through 524 as sections 523 through 525, respectively;

(3) in section 525, as redesignated, by striking "section 522" and inserting "section 523"; and

(4) by inserting after section 521 the following:

"522. Prevention of identity theft; notification of unauthorized access to customer information

(a) Customer information security system required

(1) In general. In accordance with regulations issued under paragraph (2), each financial institution shall develop and maintain a customer information security system, including policies, procedures, and controls designed to prevent any breach with respect to the customer information of the financial institution.

(2) Regulations

(A) In general. Each of the Federal functional regulators shall issue regulations regarding the policies, procedures, and controls required by paragraph (1) applicable to the financial institutions that are subject to their respective enforcement authority under section 523.

(B) Specific requirements. The regulations required by subparagraph (A) shall—

(i) require the chief compliance officer or chief executive officer of a financial institution to personally attest that the customer information security system of the financial institution is in compliance with Federal and other applicable standards and is subject to an ongoing system of monitoring;

(ii) require audits by the issuing agency (or submitted to the issuing agency by an independent auditor paid for by the financial institution to audit the financial institution on behalf of the issuing agency) of the customer information security system of a financial institution not less frequently than once every 5 years;

(iii) require the imposition by the issuing agency of appropriate monetary penalties for failure to comply with applicable customer information security standards; and

(iv) include such other requirements or restrictions as the issuing agency considers appropriate to carry out this section.

(C) Effective date. Regulations issued under this paragraph shall become effective 6 months after the effective date of the Financial Privacy Protection Act of 2005.

(b) Notification to customers of unauthorized access to customer information

(1) Financial institution requirement. In any case in which there has been a breach at a financial institution, or such a breach is reasonably believed to have occurred, the financial institution shall promptly notify—

(A) each customer whose customer information was or is reasonably believed to have been accessed in connection with the breach or suspected breach;

(B) the appropriate Federal functional regulator or regulators with respect to the financial institutions that are subject to their respective enforcement authority;

(C) each consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act; and

(D) appropriate law enforcement agencies, in any case in which the financial institution has reason to believe that the breach or suspected breach affects a large number of customers, including as described in paragraph (5)(A)(iii), subject to regulations of the Federal Trade Commission.

(2) Other entities. For purposes of paragraph (1), any person that maintains customer information for or on behalf of a financial institution shall promptly notify the financial institution of any case in which such customer information has been, or is reasonably believed to have been, breached.

(3) Timeliness of notification. Notification required by this subsection shall be made—

(A) promptly and without unreasonable delay, upon discovery of the breach or suspected breach; and

(B) consistent with—

(i) the legitimate needs of law enforcement, as provided in paragraph (4); and

(ii) any measures necessary to determine the scope of the breach or restore the reasonable integrity of the customer information security system of the financial institution.

(4) Delays for law enforcement purposes. Notification required by this subsection may be delayed if a law enforcement agency determines that the notification would seriously impede a criminal investigation, and in any such case, notification shall be made promptly after the law enforcement agency determines that it would not compromise the investigation.

(5) Form of notice. Notification required by this subsection may be provided—

(A) to a customer—

(i) in writing;

(ii) in electronic form, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 101 of the Electronic Signatures in Global and National Commerce Act;

(iii) if the number of people affected by the breach exceeds 500,000 or the cost of notification exceeds $500,000, or a higher number or numbers determined by the Federal Trade Commission, such that the cost of providing notifications relating to a single breach or suspected breach would make other forms of notification prohibitive, or in any case in which the financial institution certifies in writing to the Federal Trade Commission that it does not have sufficient customer contact information to comply with other forms of notification with respect to some customers, then for those customers, in the form of—

(I) a conspicuous posting on the Internet website of the financial institution, if the financial institution maintains such a website; and

(II) notification through major media in all major cities and regions in which the customers whose customer information is suspected to have been breached reside, that a breach has occurred, or is suspected, that compromises the security, confidentiality, or integrity of customer information of the financial institution; or

(iv) in such additional forms as the Federal Trade Commission may by rule prescribe; and

(B) to consumer reporting agencies and law enforcement agencies (where appropriate), in such form as the Federal Trade Commission shall by rule prescribe.

(6) Content of notification. Each notification to a customer under this subsection shall include—

(A) a statement that—

(i) credit reporting agencies have been notified of the relevant breach or suspected breach; and

(ii) notwithstanding any other provision of law, the customer may elect to place a fraud alert in the file of the consumer to make creditors aware of the breach or suspected breach, and to inform creditors that the express authorization of the customer is required for any new issuance or extension of credit (in accordance with section 605A of the Fair Credit Reporting Act); and

(B) such other information as the Federal Trade Commission determines is appropriate.

(7) Compliance. Notwithstanding paragraph (5), a financial institution shall be deemed to be in compliance with this subsection, if—

(A) the financial institution has established a comprehensive customer information security system that is consistent with the standards prescribed by the appropriate Federal functional regulator under subsection (a);

(B) the financial institution notifies affected customers and consumer reporting agencies in accordance with its own internal information security policies in the event of a breach or suspected breach; and

(C) such internal security policies incorporate notification procedures that are consistent with the requirements of this subsection and the rules of the Federal Trade Commission under this subsection.

(8) Rules of construction

(A) In general. Compliance with this subsection by a financial institution shall not be construed to be a violation of any provision of subtitle A, or any other provision of Federal or State law prohibiting the disclosure of financial information to third parties.

(B) Limitation. Except as specifically provided in this subsection, nothing in this subsection requires or authorizes a financial institution to disclose information that it is otherwise prohibited from disclosing under subtitle A or any other applicable provision of Federal or State law.

(c) Civil penalties

(1) Damages. Any customer adversely affected by an act or practice that violates this section may institute a civil action to recover damages arising from that violation.

(2) Injunctions. Actions of a financial institution in violation or potential violation of this section may be enjoined.

(3) Cumulative effect. The rights and remedies available under this section are in addition to any other rights and remedies available under any other provision of applicable State or Federal law.

(d) Civil actions by State attorneys general

(1) Authority of State attorneys general. In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates this section, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction—

(A) to enjoin that act or practice;

(B) to enforce compliance with this section;

(C) to obtain—

(i) damages in the sum of actual damages, restitution, or other compensation on behalf of affected residents of the State; and

(ii) punitive damages, if the violation is willful or intentional; or

(D) obtain such other legal and equitable relief as the court may consider to be appropriate.

(2) Rule of construction. For purposes of bringing any civil action under paragraph (1), nothing in this section shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State—

(A) to conduct investigations;

(B) to administer oaths and affirmations; or

(C) to compel the attendance of witnesses or the production of documentary and other evidence.

(3) Venue. Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1931 of title 28, United States Code.

(4) Service of process. In an action brought under this subsection, process may be served in any district in which the defendant—

(A) is an inhabitant; or

(B) may be found.".


3. Definitions

Section 527 of the Gramm-Leach-Bliley Act (15 U.S.C. 6827) is amended—

(1) by redesignating paragraph (4) as paragraph (6);

(2) by redesignating paragraphs (1) through (3) as paragraphs (2) through (4), respectively;

(3) by inserting before paragraph (2), as redesignated, the following:

"(1) Breach. The term 'breach'—

(A) means the unauthorized acquisition, disclosure, or loss of computerized data or paper records which compromises the security, confidentiality, or integrity of customer information, including activities proscribed under section 521; and

(B) does not include a good faith acquisition of customer information by an employee or agent of a financial institution for a business purpose of the institution, if the customer information is not subject to further unauthorized disclosure.";

(4) in paragraph (2), as redesignated—

(A) by striking "person) to whom" and inserting the following: "person)—

(A) to whom"; and

(B) by striking the period at the end and inserting the following: "; and

(B) with respect to whom the financial institution maintains information in any form, regardless of whether the financial institution is providing a product or service to or on behalf of that person.";

(5) in paragraph (3), as redesignated—

(A) by striking "institution' means any" and inserting the following: "institution'—

(A) means any";

(B) by inserting "(regardless of whether the financial institution is providing any product or service to or on behalf of that customer)" before "and is identified"; and

(C) by striking the period at the end and inserting the following: "; and

(B) for purposes of section 522, includes the last name of an individual in combination with any 1 or more of the following data elements, when either the name or the data elements are not encrypted:

(i) Social security number.

(ii) Driver's license number or State identification number.

(iii) Account number, credit or debit card number, or any required security code, access code, or password that would permit access to a financial account of the individual.

(iv) Such other information as the Federal functional regulators determine is appropriate with respect to the financial institutions that are subject to their respective enforcement authority."; and

(6) by inserting before paragraph (6), as redesignated, the following:

"(5) Federal functional regulator. The term 'Federal functional regulator' has the same meaning as in section 509, and includes the Federal Trade Commission.".


4. Inclusion of fraud alerts in consumer credit reports

Section 605A of the Fair Credit Reporting Act (15 U.S.C. 1681c–1) is amended—

(1) in subsection (b)(1), by inserting "or proof of a notification of a breach or suspected breach under section 522(b)(1)(C) of the Gramm-Leach-Bliley Act" after "theft report"; and

(2) by adding at the end the following:

"(i) No adverse action based solely on fraud alert. It shall be a violation of this title for the user of a consumer report to take any adverse action with respect to a consumer based solely on the inclusion of a fraud alert, extended alert, or active duty alert in the file of that consumer, as required by this subsection.".


5. Studies and reports on improving protection of customer information

(a) Alternative information storage methods

(1) Study. The Federal Trade Commission shall conduct a study of alternative technologies, including biometrics, that may be used by financial institutions and other businesses to enhance the safeguarding of the customer information of financial institutions and other sensitive personal information. Such study shall include an analysis of how to ensure that such information does not become widespread or subject to theft.

(2) Report to Congress. The Commission shall submit a report to the Congress on the results of the study conducted under paragraph (1) not later than 6 months after the date of enactment of this Act.

(b) Transportation of customer information

(1) Study. The Comptroller General of the United States, in consultation with the Federal functional regulators and appropriate law enforcement agencies, shall conduct a study of the cross-country transport of the customer information of financial institutions and other sensitive personal information by or on behalf of financial institutions and other businesses.

(2) Report to Congress. The Comptroller General shall submit a report to the Congress on the results of the study conducted under paragraph (1) not later than 6 months after the date of enactment of this Act, including any recommendations on ways that financial institutions may best reduce the risk of compromise, breach, or loss of the customer information of financial institutions and other sensitive personal information during transport.

6. Effective date

This Act and the amendments made by this Act shall take effect 6 months after the date of enactment of this Act.