[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1789 Introduced in Senate (IS)]

109th CONGRESS
  1st Session
                                S. 1789

 To prevent and mitigate identity theft, to ensure privacy, to provide 
  notice of security breaches, and to enhance criminal penalties, law 
    enforcement assistance, and other protections against security 
  breaches, fraudulent access, and misuse of personally identifiable 
                              information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 29, 2005

Mr. Specter (for himself, Mr. Leahy, Mrs. Feinstein, and Mr. Feingold) 
introduced the following bill; which was read twice and referred to the 
                       Committee on the Judiciary

_______________________________________________________________________

                                 A BILL

 To prevent and mitigate identity theft, to ensure privacy, to provide 
  notice of security breaches, and to enhance criminal penalties, law 
    enforcement assistance, and other protections against security 
  breaches, fraudulent access, and misuse of personally identifiable 
                              information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Personal Data 
Privacy and Security Act of 2005''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Fraud and related criminal activity in connection with 
                            unauthorized access to personally 
                            identifiable information.
Sec. 102. Organized criminal activity in connection with unauthorized 
                            access to personally identifiable 
                            information.
Sec. 103. Concealment of security breaches involving sensitive 
                            personally identifiable information.
Sec. 104. Aggravated fraud in connection with computers.
Sec. 105. Review and amendment of Federal sentencing guidelines related 
                            to fraudulent access to or misuse of 
                            digitized or electronic personally 
                            identifiable information.
  TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING 
 CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF 
                  PERSONALLY IDENTIFIABLE INFORMATION

Sec. 201. Grants for State and local enforcement.
Sec. 202. Authorization of appropriations.
                        TITLE III--DATA BROKERS

Sec. 301. Transparency and accuracy of data collection.
Sec. 302. Enforcement.
Sec. 303. Relation to State laws.
Sec. 304. Effective date.
 TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

             Subtitle A--Data Privacy and Security Program

Sec. 401. Purpose and applicability of data privacy and security 
                            program.
Sec. 402. Requirements for a personal data privacy and security 
                            program.
Sec. 403. Enforcement.
Sec. 404. Relation to State laws.
                Subtitle B--Security Breach Notification

Sec. 421. Right to notice of security breach.
Sec. 422. Notice procedures.
Sec. 423. Content of notice.
Sec. 424. Risk assessment and fraud prevention notice exemptions.
Sec. 425. Victim protection assistance.
Sec. 426. Enforcement.
Sec. 427. Relation to State laws.
Sec. 428. Study on securing personally identifiable information in the 
                            digital era.
Sec. 429. Reporting on risk assessment exemption.
Sec. 430. Authorization of appropriations.
Sec. 431. Reporting on risk assessment exemption.
Sec. 432. Effective date.
        TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

Sec. 501. General Services Administration review of contracts.
Sec. 502. Requirement to audit information security practices of 
                            contractors and third party business 
                            entities.
Sec. 503. Privacy impact assessment of government use of commercial 
                            information services containing personally 
                            identifiable information.
Sec. 504. Implementation of Chief Privacy Officer requirements.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) databases of personally identifiable information are 
        increasingly prime targets of hackers, identity thieves, rogue 
        employees, and other criminals, including organized and 
        sophisticated criminal operations;
            (2) identity theft is a serious threat to the nation's 
        economic stability, homeland security, the development of e-
        commerce, and the privacy rights of Americans;
            (3) over 9,300,000 individuals were victims of identity 
        theft in America last year;
            (4) security breaches are a serious threat to consumer 
        confidence, homeland security, e-commerce, and economic 
        stability;
            (5) it is important for business entities that own, use, or 
        license personally identifiable information to adopt reasonable 
        procedures to ensure the security, privacy, and confidentiality 
        of that personally identifiable information;
            (6) individuals whose personal information has been 
        compromised or who have been victims of identity theft should 
        receive the necessary information and assistance to mitigate 
        their damages and to restore the integrity of their personal 
        information and identities;
            (7) data brokers have assumed a significant role in 
        providing identification, authentication, and screening 
        services, and related data collection and analyses for 
        commercial, nonprofit, and government operations;
            (8) data misuse and use of inaccurate data have the 
        potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government operations;
            (9) there is a need to insure that data brokers conduct 
        their operations in a manner that prioritizes fairness, 
        transparency, accuracy, and respect for the privacy of 
        consumers;
            (10) government access to commercial data can potentially 
        improve safety, law enforcement, and national security; and
            (11) because government use of commercial data containing 
        personal information potentially affects individual privacy, 
        and law enforcement and national security operations, there is 
        a need for Congress to exercise oversight over government use 
        of commercial data.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the same meaning given 
        such term in section 551 of title 5, United States Code.
            (2) Affiliate.--The term ``affiliate'' means persons 
        related by common ownership or by corporate control.
            (3) Business entity.--The term ``business entity'' means 
        any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, venture established 
        to make a profit, or nonprofit, and any contractor, 
        subcontractor, affiliate, or licensee thereof engaged in 
        interstate commerce.
            (4) Identity theft.--The term ``identity theft'' means a 
        violation of section 1028 of title 18, United States Code, or 
        any other similar provision of applicable State law.
            (5) Data broker.--The term ``data broker'' means a business 
        entity which for monetary fees, dues, or on a cooperative 
        nonprofit basis, currently or regularly engages, in whole or in 
        part, in the practice of collecting, transmitting, or providing 
        access to sensitive personally identifiable information 
        primarily for the purposes of providing such information to 
        nonaffiliated third parties on a nationwide basis on more than 
        5,000 individuals who are not the customers or employees of the 
        business entity or affiliate.
            (6) Data furnisher.--The term ``data furnisher'' means any 
        agency, governmental entity, organization, corporation, trust, 
        partnership, sole proprietorship, unincorporated association, 
        venture established to make a profit, or nonprofit, and any 
        contractor, subcontractor, affiliate, or licensee thereof, that 
        serves as a source of information for a data broker.
            (7) Personal electronic record.--The term ``personal 
        electronic record'' means data associated with an individual 
        contained in a database, networked or integrated databases, or 
        other data system that holds sensitive personally identifiable 
        information of that individual and is provided to non-
        affiliated third parties.
            (8) Personally identifiable information.--The term 
        ``personally identifiable information'' means any information, 
        or compilation of information, in electronic or digital form 
        serving as a means of identification, as defined by section 
        1028(d)(7) of title 18, United States Code.
            (9) Public record source.--The term ``public record 
        source'' means any agency, Federal court, or State court that 
        maintains personally identifiable information in records 
        available to the public.
            (10) Security breach.--
                    (A) In general.--The term ``security breach'' means 
                compromise of the security, confidentiality, or 
                integrity of computerized data through 
                misrepresentation or actions that result in, or there 
                is a reasonable basis to conclude has resulted in, the 
                unauthorized acquisition of and access to sensitive 
                personally identifiable information.
                    (B) Exclusion.--The term ``security breach'' does 
                not include--
                            (i) a good faith acquisition of sensitive 
                        personally identifiable information by a 
                        business entity or agency, or an employee or 
                        agent of a business entity or agency, if the 
                        sensitive personally identifiable information 
                        is not subject to further unauthorized 
                        disclosure; or
                            (ii) the release of a public record not 
                        otherwise subject to confidentiality or 
                        nondisclosure requirements.
            (11) Sensitive personally identifiable information.--The 
        term ``sensitive personally identifiable information'' means 
        any information or compilation of information, in electronic or 
        digital form that includes:
                    (A) An individual's name in combination with any 1 
                of the following data elements:
                            (i) A non-truncated social security number, 
                        driver's license number, passport number, or 
                        alien registration number.
                            (ii) Any 2 of the following:
                                    (I) Information that relates to--
                                            (aa) the past, present, or 
                                        future physical or mental 
                                        health or condition of an 
                                        individual;
                                            (bb) the provision of 
                                        health care to an individual; 
                                        or
                                            (cc) the past, present, or 
                                        future payment for the 
                                        provision of health care to an 
                                        individual.
                                    (II) Home address or telephone 
                                number.
                                    (III) Mother's maiden name, if 
                                identified as such.
                                    (IV) Month, day, and year of birth.
                            (iii) Unique biometric data such as a 
                        finger print, voice print, a retina or iris 
                        image, or any other unique physical 
                        representation.
                            (iv) A unique electronic identification 
                        number, user name, or routing code in 
                        combination with the associated security code, 
                        access code, or password.
                            (v) Any other information regarding an 
                        individual determined appropriate by the 
                        Federal Trade Commission.
                    (B) A financial account number or credit or debit 
                card number in combination with the required security 
                code, access code, or password.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

SEC. 101. FRAUD AND RELATED CRIMINAL ACTIVITY IN CONNECTION WITH 
              UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
              INFORMATION.

    Section 1030(a)(2) of title 18, United States Code, is amended--
            (1) in subparagraph (B), by striking ``or'' after the 
        semicolon;
            (2) in subparagraph (C), by inserting ``or'' after the 
        semicolon; and
            (3) by adding at the end the following:
                    ``(D) information contained in the databases or 
                systems of a data broker, or in other personal 
                electronic records, as such terms are defined in 
                section 3 of the Personal Data Privacy and Security Act 
                of 2005;''.

SEC. 102. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED 
              ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.

    Section 1961(1) of title 18, United States Code, is amended by 
inserting ``section 1030(a)(2)(D) (relating to fraud and related 
activity in connection with unauthorized access to personally 
identifiable information),'' before ``section 1084''.

SEC. 103. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:
``Sec. 1039. Concealment of security breaches involving sensitive 
              personally identifiable information
    ``(a) Whoever, having knowledge of a security breach and the 
obligation to provide notice of such breach to individuals under title 
IV of the Personal Data Privacy and Security Act of 2005, and having 
not otherwise qualified for an exemption from providing notice under 
section 422 of such Act, intentionally and willfully conceals the fact 
of such security breach which causes economic damages to 1 or more 
persons, shall be fined under this title or imprisoned not more than 5 
years, or both.
    ``(b) For purposes of subsection (a), the term `person' means any 
individual, corporation, company, association, firm, partnership, 
society, or joint stock company.''.
    (b) Conforming and Technical Amendments.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

``1039. Concealment of security breaches involving personally 
                            identifiable information.''.
    (c) Enforcement Authority.--The United States Secret Service shall 
have the authority to investigate offenses under this section.

SEC. 104. AGGRAVATED FRAUD IN CONNECTION WITH COMPUTERS.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding after section 1030 the following:
``Sec. 1030A. Aggravated fraud in connection with computers
    ``(a) In General.--Whoever, during and in relation to any felony 
violation enumerated in subsection (c), knowingly obtains, accesses, or 
transmits, without lawful authority, a means of identification of 
another person may, in addition to the punishment provided for such 
felony, be sentenced to a term of imprisonment of up to 2 years.
    ``(b) Consecutive Sentences.--Notwithstanding any other provision 
of law, should a court in its discretion impose an additional sentence 
under subsection (a)--
            ``(1) no term of imprisonment imposed on a person under 
        this section shall run concurrently, except as provided in 
        paragraph (3), with any other term of imprisonment imposed on 
        such person under any other provision of law, including any 
        term of imprisonment imposed for the felony during which the 
        means of identification was obtained, accessed, or 
        transmitted;
            ``(2) in determining any term of imprisonment to be imposed 
        for the felony during which the means of identification was 
        obtained, accessed, or transmitted, a court shall not in any 
        way reduce the term to be imposed for such crime so as to 
        compensate for, or otherwise take into account, any separate 
        term of imprisonment imposed or to be imposed for a violation 
        of this section; and
            ``(3) a term of imprisonment imposed on a person for a 
        violation of this section may, in the discretion of the court, 
        run concurrently, in whole or in part, only with another term 
        of imprisonment that is imposed by the court at the same time 
        on that person for an additional violation of this section.
    ``(c) Definition.--For purposes of this section, the term `felony 
violation enumerated in subsection (c)' means any offense that is a 
felony violation of paragraphs (2) through (7) of section 1030(a).''.
    (b) Conforming and Technical Amendments.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by inserting 
after the item relating to section 1030 the following new item:

``1030A. Aggravated fraud in connection with computers.''.

SEC. 105. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED 
              TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR 
              ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.

    (a) Review and Amendment.--Not later than 180 days after the date 
of enactment of this Act, the United States Sentencing Commission, 
pursuant to its authority under section 994 of title 28, United States 
Code, and in accordance with this section, shall review and, if 
appropriate, amend the Federal sentencing guidelines (including its 
policy statements) applicable to persons convicted of using fraud to 
access, or misuse of, digitized or electronic personally identifiable 
information, including identity theft or any offense under--
            (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of 
        title 18, United States Code; or
            (2) any other relevant provision.
    (b) Requirements.--In carrying out the requirements of this 
section, the United States Sentencing Commission shall--
            (1) ensure that the Federal sentencing guidelines 
        (including its policy statements) reflect--
                    (A) the serious nature of the offenses and 
                penalties referred to in this Act;
                    (B) the growing incidences of theft and misuse of 
                digitized or electronic personally identifiable 
                information, including identity theft; and
                    (C) the need to deter, prevent, and punish such 
                offenses;
            (2) consider the extent to which the Federal sentencing 
        guidelines (including its policy statements) adequately address 
        violations of the sections amended by this Act to--
                    (A) sufficiently deter and punish such offenses; 
                and
                    (B) adequately reflect the enhanced penalties 
                established under this Act;
            (3) maintain reasonable consistency with other relevant 
        directives and sentencing guidelines;
            (4) account for any additional aggravating or mitigating 
        circumstances that might justify exceptions to the generally 
        applicable sentencing ranges;
            (5) consider whether to provide a sentencing enhancement 
        for those convicted of the offenses described in subsection 
        (a), if the conduct involves--
                    (A) the online sale of fraudulently obtained or 
                stolen personally identifiable information;
                    (B) the sale of fraudulently obtained or stolen 
                personally identifiable information to an individual 
                who is engaged in terrorist activity or aiding other 
                individuals engaged in terrorist activity; or
                    (C) the sale of fraudulently obtained or stolen 
                personally identifiable information to finance 
                terrorist activity or other criminal activities;
            (6) make any necessary conforming changes to the Federal 
        sentencing guidelines to ensure that such guidelines (including 
        its policy statements) as described in subsection (a) are 
        sufficiently stringent to deter, and adequately reflect crimes 
        related to fraudulent access to, or misuse of, personally 
        identifiable information; and
            (7) ensure that the Federal sentencing guidelines 
        adequately meet the purposes of sentencing under section 
        3553(a)(2) of title 18, United States Code.
    (c) Emergency Authority to Sentencing Commission.--The United 
States Sentencing Commission may, as soon as practicable, promulgate 
amendments under this section in accordance with procedures established 
in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 994 note) as 
though the authority under that Act had not expired.

  TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING 
 CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF 
                  PERSONALLY IDENTIFIABLE INFORMATION

SEC. 201. GRANTS FOR STATE AND LOCAL ENFORCEMENT.

    (a) In General.--Subject to the availability of amounts provided in 
advance in appropriations Acts, the Assistant Attorney General for the 
Office of Justice Programs of the Department of Justice may award a 
grant to a State to establish and develop programs to increase and 
enhance enforcement against crimes related to fraudulent, unauthorized, 
or other criminal use of personally identifiable information.
    (b) Application.--A State seeking a grant under subsection (a) 
shall submit an application to the Assistant Attorney General for the 
Office of Justice Programs of the Department of Justice at such time, 
in such manner, and containing such information as the Assistant 
Attorney General may require.
    (c) Use of Grant Amounts.--A grant awarded to a State under 
subsection (a) shall be used by a State, in conjunction with units of 
local government within that State, State and local courts, other 
States, or combinations thereof, to establish and develop programs to--
            (1) assist State and local law enforcement agencies in 
        enforcing State and local criminal laws relating to crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information;
            (2) assist State and local law enforcement agencies in 
        educating the public to prevent and identify crimes involving 
        the fraudulent, unauthorized, or other criminal use of 
        personally identifiable information;
            (3) educate and train State and local law enforcement 
        officers and prosecutors to conduct investigations and forensic 
        analyses of evidence and prosecutions of crimes involving the 
        fraudulent, unauthorized, or other criminal use of personally 
        identifiable information;
            (4) assist State and local law enforcement officers and 
        prosecutors in acquiring computer and other equipment to 
        conduct investigations and forensic analysis of evidence of 
        crimes involving the fraudulent, unauthorized, or other 
        criminal use of personally identifiable information; and
            (5) facilitate and promote the sharing of Federal law 
        enforcement expertise and information about the investigation, 
        analysis, and prosecution of crimes involving the fraudulent, 
        unauthorized, or other criminal use of personally identifiable 
        information with State and local law enforcement officers and 
        prosecutors, including the use of multi-jurisdictional task 
        forces.
    (d) Assurances and Eligibility.--To be eligible to receive a grant 
under subsection (a), a State shall provide assurances to the Attorney 
General that the State--
            (1) has in effect laws that penalize crimes involving the 
        fraudulent, unauthorized, or other criminal use of personally 
        identifiable information, such as penal laws prohibiting--
                    (A) fraudulent schemes executed to obtain 
                personally identifiable information;
                    (B) schemes executed to sell or use fraudulently 
                obtained personally identifiable information; and
                    (C) online sales of personally identifiable 
                information obtained fraudulently or by other illegal 
                means;
            (2) will provide an assessment of the resource needs of the 
        State and units of local government within that State, 
        including criminal justice resources being devoted to the 
        investigation and enforcement of laws related to crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information; and
            (3) will develop a plan for coordinating the programs 
        funded under this section with other federally funded technical 
        assistance and training programs, including directly funded 
        local programs such as the Local Law Enforcement Block Grant 
        program (described under the heading ``Violent Crime Reduction 
        Programs, State and Local Law Enforcement Assistance'' of the 
        Departments of Commerce, Justice, and State, the Judiciary, and 
        Related Agencies Appropriations Act, 1998 (Public Law 105-
        119)).
    (e) Matching Funds.--The Federal share of a grant received under 
this section may not exceed 90 percent of the total cost of a program 
or proposal funded under this section unless the Attorney General 
waives, wholly or in part, the requirements of this subsection.

SEC. 202. AUTHORIZATION OF APPROPRIATIONS.

    (a) In General.--There is authorized to be appropriated to carry 
out this title $25,000,000 for each of fiscal years 2006 through 2009.
    (b) Limitations.--Of the amount made available to carry out this 
title in any fiscal year not more than 3 percent may be used by the 
Attorney General for salaries and administrative expenses.
    (c) Minimum Amount.--Unless all eligible applications submitted by 
a State or units of local government within a State for a grant under 
this title have been funded, the State, together with grantees within 
the State (other than Indian tribes), shall be allocated in each fiscal 
year under this title not less than 0.75 percent of the total amount 
appropriated in the fiscal year for grants pursuant to this title, 
except that the United States Virgin Islands, American Samoa, Guam, and 
the Northern Mariana Islands each shall be allocated 0.25 percent.
    (d) Grants to Indian Tribes.--Notwithstanding any other provision 
of this title, the Attorney General may use amounts made available 
under this title to make grants to Indian tribes for use in accordance 
with this title.

                        TITLE III--DATA BROKERS

SEC. 301. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.

    (a) In General.--Data brokers engaging in interstate commerce are 
subject to the requirements of this title for any product or service 
offered to third parties that allows access, use, compilation, 
distribution, processing, analyzing, or evaluation of sensitive 
personally identifiable information.
    (b) Limitation.--Notwithstanding any other paragraph of this title, 
this section shall not apply to--
            (1) data brokers engaging in interstate commerce for any 
        offered product or service currently subject to, and in 
        compliance with, access and accuracy protections similar to 
        those under subsections (c) through (f) of this section under 
        the Fair Credit Reporting Act (Public Law 91-508), or the 
        Gramm-Leach Bliley Act (Public Law 106-102);
            (2) data brokers engaging in interstate commerce for any 
        offered product or service currently in compliance with the 
        requirements for such entities under the Health Insurance 
        Portability and Accountability Act (Public Law 104-191), and 
        implementing regulations;
            (3) information in a personal electronic record held by a 
        data broker if--
                    (A) the data broker maintains such information 
                solely pursuant to a license agreement with another 
                business entity; and
                    (B) the business entity providing such information 
                to the data broker pursuant to a license agreement 
                either complies with the provisions of this section or 
                qualifies for this exemption; and
            (4) information in a personal record that--
                    (A) the data broker has identified as inaccurate, 
                but maintains for the purpose of aiding the data broker 
                in preventing inaccurate information from entering an 
                individual's personal electronic record; and
                    (B) is not maintained primarily for the purpose of 
                transmitting or otherwise providing that information, 
                or assessments based on that information, to non-
                affiliated third parties.
    (c) Disclosures to Individuals.--
            (1) In general.--A data broker shall, upon the request of 
        an individual, clearly and accurately disclose to such 
        individual for a reasonable fee all personal electronic records 
        pertaining to that individual maintained for disclosure to 
        third parties in the ordinary course of business in the 
        databases or systems of the data broker at the time of the 
        request.
            (2) Information on how to correct inaccuracies.--The 
        disclosures required under paragraph (1) shall also include 
        guidance to individuals on the processes and procedures for 
        demonstrating and correcting any inaccuracies.
    (d) Creation of an Accuracy Resolution Process.--A data broker 
shall develop and publish on its website timely and fair processes and 
procedures for responding to claims of inaccuracies, including 
procedures for correcting inaccurate information in the personal 
electronic records it maintains on individuals.
    (e) Accuracy Resolution Process.--
            (1) Information from a public record source.--
                    (A) In general.--If an individual notifies a data 
                broker of a dispute as to the completeness or accuracy 
                of information, and the data broker determines that 
                such information is derived from a public record 
                source, the data broker shall determine within 30 days 
                whether the information in its system accurately and 
                completely records the information offered by the 
                public record source.
                    (B) Data broker actions.--If a data broker 
                determines under subparagraph (A) that the information 
                in its systems--
                            (i) does not accurately and completely 
                        record the information offered by a public 
                        record source, the data broker shall correct 
                        any inaccuracies or incompleteness, and provide 
                        to such individual written notice of such 
                        changes; and
                            (ii) does accurately and completely record 
                        the information offered by a public record 
                        source, the data broker shall--
                                    (I) provide such individual with 
                                the name, address, and telephone 
                                contact information of the public 
                                record source; and
                                    (II) notify such individual of the 
                                right to add for a period of 90 days to 
                                the personal electronic record of the 
                                individual maintained by the data 
                                broker notice of the dispute under 
                                subsection (f).
            (2) Investigation of disputed information not from a public 
        record source.--If the completeness or accuracy of any 
        nonpublic record source disclosed to an individual under 
        subsection (c) is disputed by the individual and such 
        individual notifies the data broker directly of such dispute, 
        the data broker shall, before the end of the 30-day period 
        beginning on the date on which the data broker receives the 
        notice of the dispute--
                    (A) investigate free of charge and record the 
                current status of the disputed information; or
                    (B) delete the item from the individual's data file 
                in accordance with paragraph (8).
            (3) Extension of period to investigate.--Except as provided 
        in paragraph (4), the 30-day period described in paragraph (1) 
        may be extended for not more than 15 additional days if a data 
        broker receives information from the individual during that 30-
        day period that is relevant to the investigation.
            (4) Limitations on extension of period to investigate.--
        Paragraph (3) shall not apply to any investigation in which, 
        during the 30-day period described in paragraph (1), the 
        information that is the subject of the investigation is found 
        to be inaccurate or incomplete or a data broker determines that 
        the information cannot be verified.
            (5) Notice identifying the data furnisher.--If the 
        completeness or accuracy of any information disclosed to an 
        individual under subsection (c) is disputed by the individual, 
        a data broker shall provide upon the request of the individual, 
        the name, business address, and telephone contact information 
        of any data furnisher who provided an item of information in 
        dispute.
            (6) Determination that dispute is frivolous or 
        irrelevant.--
                    (A) In general.--Notwithstanding paragraphs (1) 
                through (4), a data broker may decline to investigate 
                or terminate an investigation of information disputed 
                by an individual under those paragraphs if the data 
                broker reasonably determines that the dispute by the 
                individual is frivolous or irrelevant, including by 
                reason of a failure by the individual to provide 
                sufficient information to investigate the disputed 
                information.
                    (B) Notice.--Not later than 5 business days after 
                making any determination in accordance with 
                subparagraph (A) that a dispute is frivolous or 
                irrelevant, a data broker shall notify the individual 
                of such determination by mail, or if authorized by the 
                individual, by any other means available to the data 
                broker.
                    (C) Contents of notice.--A notice under 
                subparagraph (B) shall include--
                            (i) the reasons for the determination under 
                        subparagraph (A); and
                            (ii) identification of any information 
                        required to investigate the disputed 
                        information, which may consist of a 
                        standardized form describing the general nature 
                        of such information.
            (7) Consideration of individual information.--In conducting 
        any investigation with respect to disputed information in the 
        personal electronic record of any individual, a data broker 
        shall review and consider all relevant information submitted by 
        the individual in the period described in paragraph (2) with 
        respect to such disputed information.
            (8) Treatment of inaccurate or unverifiable information.--
                    (A) In general.--If, after any review of public 
                record information under paragraph (1) or any 
                investigation of any information disputed by an 
                individual under paragraphs (2) through (4), an item of 
                information is found to be inaccurate or incomplete or 
                cannot be verified, a data broker shall promptly delete 
                that item of information from the individual's personal 
                electronic record or modify that item of information, 
                as appropriate, based on the results of the 
                investigation.
                    (B) Notice to individuals of reinsertion of 
                previously deleted information.--If any information 
                that has been deleted from an individual's personal 
                electronic record pursuant to subparagraph (A) is 
                reinserted in the personal electronic record of the 
                individual, a data broker shall, not later than 5 days 
                after reinsertion, notify the individual of the 
                reinsertion and identify any data furnisher not 
                previously disclosed in writing, or if authorized by 
                the individual for that purpose, by any other means 
                available to the data broker, unless such notification 
                has been previously given under this subsection.
                    (C) Notice of results of investigation of disputed 
                information from a nonpublic record source.--
                            (i) In general.--Not later than 5 business 
                        days after the completion of an investigation 
                        under paragraph (2), a data broker shall 
                        provide written notice to an individual of the 
                        results of the investigation, by mail or, if 
                        authorized by the individual for that purpose, 
                        by other means available to the data broker.
                            (ii) Additional requirement.--Before the 
                        expiration of the 5-day period, as part of, or 
                        in addition to such notice, a data broker 
                        shall, in writing, provide to an individual--
                                    (I) a statement that the 
                                investigation is completed;
                                    (II) a report that is based upon 
                                the personal electronic record of such 
                                individual as that personal electronic 
                                record is revised as a result of the 
                                investigation;
                                    (III) a notice that, if requested 
                                by the individual, a description of the 
                                procedures used to determine the 
                                accuracy and completeness of the 
                                information shall be provided to the 
                                individual by the data broker, 
                                including the business name, address, 
                                and telephone number of any data 
                                furnisher of information contacted in 
                                connection with such information; and
                                    (IV) a notice that the individual 
                                has the right to request notifications 
                                under subsection (f).
                    (D) Description of investigation procedures.--Not 
                later than 15 days after receiving a request from an 
                individual for a description referred to in 
                subparagraph (C)(ii)(III), a data broker shall provide 
                to the individual such a description.
                    (E) Expedited dispute resolution.--If by no later 
                than 3 business days after the date on which a data 
                broker receives notice of a dispute from an individual 
                of information in the personal electronic record of 
                such individual in accordance with paragraph (2), a 
                data broker resolves such dispute in accordance with 
                subparagraph (A) by the deletion of the disputed 
                information, then the data broker shall not be required 
                to comply with subsections (e) and (f) with respect to 
                that dispute if the data broker provides to the 
                individual, by telephone or other means authorized by 
                the individual, prompt notice of the deletion.
    (f) Notice of Dispute.--
            (1) In general.--If the completeness or accuracy of any 
        information disclosed to an individual under subsection (c) is 
        disputed and unless there is a reasonable ground to believe 
        that such dispute is frivolous or irrelevant, an individual may 
        request that the data broker indicate notice of the dispute for 
        a period of--
                    (A) 30 days for information from a nonpublic record 
                source; and
                    (B) 90 days for information from a public record 
                source.
            (2) Compliance.--A data broker shall be deemed in 
        compliance with the requirements under paragraph (1) by 
        either--
                    (A) allowing the individual to file a brief 
                statement setting forth the nature of the dispute under 
                paragraph (3); or
                    (B) using an alternative notice method that--
                            (i) clearly flags the disputed information 
                        for third parties accessing the information; 
                        and
                            (ii) provides a means for third parties to 
                        obtain further information regarding the nature 
                        of the dispute.
            (3) Contents of statement.--A data broker may limit 
        statements made under paragraph (2)(A) to not more than 100 
        words if it provides an individual with assistance in writing a 
        clear summary of the dispute or until the dispute is resolved.
    (g) Additional Requirements.--The Federal Trade Commission may 
exempt certain classes of data brokers from this title in a rulemaking 
process pursuant to section 553 of title 5, United States Code.

SEC. 302. ENFORCEMENT.

    (a) Civil Penalties.--
            (1) Penalties.--Any data broker that violates the 
        provisions of section 301 shall be subject to civil penalties 
        of not more than $1,000 per violation per day, with a maximum 
        of $15,000 per day, while such violations persist.
            (2) Intentional or willful violation.--A data broker that 
        intentionally or willfully violates the provisions of section 
        301 shall be subject to additional penalties in the amount of 
        $1,000 per violation per day, with a maximum of an additional 
        $15,000 per day, while such violations persist.
            (3) Equitable relief.--A data broker engaged in interstate 
        commerce that violates this section may be enjoined from 
        further violations by a court of competent jurisdiction.
            (4) Other rights and remedies.--The rights and remedies 
        available under this subsection are cumulative and shall not 
        affect any other rights and remedies available under law.
    (b) Injunctive Actions by the Attorney General.--
            (1) In general.--Whenever it appears that a data broker to 
        which this title applies has engaged, is engaged, or is about 
        to engage, in any act or practice constituting a violation of 
        this title, the Attorney General may bring a civil action in an 
        appropriate district court of the United States to--
                    (A) enjoin such act or practice;
                    (B) enforce compliance with this title;
                    (C) obtain damages--
                            (i) in the sum of actual damages, 
                        restitution, and other compensation on behalf 
                        of the affected residents of a State; and
                            (ii) punitive damages, if the violation is 
                        willful or intentional; and
                    (D) obtain such other relief as the court 
                determines to be appropriate.
            (2) Other injunctive relief.--Upon a proper showing in the 
        action under paragraph (1), the court shall grant a permanent 
        injunction or a temporary restraining order without bond.
    (c) State Enforcement.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by an act or practice that violates this 
        title, the State may bring a civil action on behalf of the 
        residents of that State in a district court of the United 
        States of appropriate jurisdiction, or any other court of 
        competent jurisdiction, to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this title;
                    (C) obtain--
                            (i) damages in the sum of actual damages, 
                        restitution, or other compensation on behalf of 
                        affected residents of the State; and
                            (ii) punitive damages, if the violation is 
                        willful or intentional; or
                    (D) obtain such other legal and equitable relief as 
                the court may consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Attorney General--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an attorney 
                general of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in this 
                subparagraph before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described under subparagraph (B), the attorney general 
                of a State shall provide the written notice and the 
                copy of the complaint to the Attorney General as soon 
                after the filing of the complaint as practicable.
            (3) Attorney general authority.--Upon receiving notice 
        under paragraph (2), the Attorney General shall have the right 
        to--
                    (A) move to stay the action, pending the final 
                disposition of a pending Federal proceeding or action 
                as described in paragraph (4);
                    (B) intervene in an action brought under paragraph 
                (1); and
                    (C) file petitions for appeal.
            (4) Pending proceedings.--If the Attorney General has 
        instituted a proceeding or action for a violation of this title 
        or any regulations thereunder, no attorney general of a State 
        may, during the pendency of such proceeding or action, bring an 
        action under this subsection against any defendant named in 
        such criminal proceeding or civil action for any violation that 
        is alleged in that proceeding or action.
            (5) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1), nothing in this title shall 
        be construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths and affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (6) Venue; service of process.--
                    (A) Venue.--Any action brought under this 
                subsection may be brought in the district court of the 
                United States that meets applicable requirements 
                relating to venue under section 1931 of title 28, 
                United States Code.
                    (B) Service of process.--In an action brought under 
                this subsection process may be served in any district 
                in which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
    (d) No Private Cause of Action.--Nothing in this title establishes 
a private cause of action against a data broker for violation of any 
provision of this title.

SEC. 303. RELATION TO STATE LAWS.

    No requirement or prohibition may be imposed under the laws of any 
State with respect to any subject matter regulated under section 301, 
relating to individual access to, and correction of, personal 
electronic records held by data brokers.

SEC. 304. EFFECTIVE DATE.

    This title shall take effect 180 days after the date of enactment 
of this Act and shall be implemented pursuant to a State by State 
rollout schedule set by the Federal Trade Commission, but in no case 
shall full implementation and effect of this title occur later than 1 
year and 180 days after the date of enactment of this Act.

 TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

             Subtitle A--Data Privacy and Security Program

SEC. 401. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Purpose.--The purpose of this subtitle is to ensure standards 
for developing and implementing administrative, technical, and physical 
safeguards to protect the privacy, security, confidentiality, 
integrity, storage, and disposal of sensitive personally identifiable 
information.
    (b) In General.--A business entity engaging in interstate commerce 
that involves collecting, accessing, transmitting, using, storing, or 
disposing of sensitive personally identifiable information in 
electronic or digital form on 10,000 or more United States persons is 
subject to the requirements for a data privacy and security program 
under section 402 for protecting sensitive personally identifiable 
information.
    (c) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to--
            (1) financial institutions--
                    (A) subject to the data security requirements and 
                implementing regulations under the Gramm-Leach-Bliley 
                Act (15 U.S.C. 6801 et seq.); and
                    (B) subject to--
                            (i) examinations for compliance with the 
                        requirements of this Act by 1 or more Federal 
                        or State functional regulators (as defined in 
                        section 509 of the Gramm-Leach-Bliley Act (15 
                        U.S.C. 6809)); or
                            (ii) compliance with part 314 of title 16, 
                        Code of Federal Regulations; or
            (2) ``covered entities'' subject to the Health Insurance 
        Portability and Accountability Act of 1996 (42 U.S.C. 1301 et 
        seq.), including the data security requirements and 
        implementing regulations of that Act.
    (d) Safe Harbor.--A business entity shall be deemed in compliance 
with the privacy and security program requirements under section 402 if 
the business entity complies with or provides protection equal to 
industry standards, as identified by the Federal Trade Commission, that 
are applicable to the type of sensitive personally identifiable 
information involved in the ordinary course of business of such 
business entity.

SEC. 402. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Personal Data Privacy and Security Program.--Unless otherwise 
limited under section 401(c), a business entity subject to this 
subtitle shall comply with the following safeguards and any others 
identified by the Federal Trade Commission in a rulemaking process 
pursuant to section 553 of title 5, United States Code, to protect the 
privacy and security of sensitive personally identifiable information:
            (1) Scope.--A business entity shall implement a 
        comprehensive personal data privacy and security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity of the business entity 
        and the nature and scope of its activities.
            (2) Design.--The personal data privacy and security program 
        shall be designed to--
                    (A) ensure the privacy, security, and 
                confidentiality of personal electronic records;
                    (B) protect against any anticipated vulnerabilities 
                to the privacy, security, or integrity of personal 
                electronic records; and
                    (C) protect against unauthorized access to or use 
                of personal electronic records that could result in 
                substantial harm or inconvenience to any individual.
            (3) Risk assessment.--A business entity shall--
                    (A) identify reasonably foreseeable internal and 
                external vulnerabilities that could result in 
                unauthorized access, disclosure, use, or alteration of 
                sensitive personally identifiable information or 
                systems containing sensitive personally identifiable 
                information;
                    (B) assess the likelihood of and potential damage 
                from unauthorized access, disclosure, use, or 
                alteration of sensitive personally identifiable 
                information; and
                    (C) assess the sufficiency of its policies, 
                technologies, and safeguards in place to control and 
                minimize risks from unauthorized access, disclosure, 
                use, or alteration of sensitive personally identifiable 
                information.
            (4) Risk management and control.--Each business entity 
        shall--
                    (A) design its personal data privacy and security 
                program to control the risks identified under paragraph 
                (3); and
                    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, and scope of the activities of the business 
                entity that--
                            (i) control access to systems and 
                        facilities containing sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;
                            (ii) detect actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        disclosure, use, or alteration of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access; and
                            (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption or other reasonable means (including 
                        as directed for disposal of records under 
                        section 628 of the Fair Credit Reporting Act 
                        (15 U.S.C. 1681w) and the implementing 
                        regulations of such Act as set forth in section 
                        682 of title 16, Code of Federal Regulations).
    (b) Training.--Each business entity subject to this subtitle shall 
take steps to ensure employee training and supervision for 
implementation of the data security program of the business entity.
    (c) Vulnerability Testing.--
            (1) In general.--Each business entity subject to this 
        subtitle shall take steps to ensure regular testing of key 
        controls, systems, and procedures of the personal data privacy 
        and security program to detect, prevent, and respond to attacks 
        or intrusions, or other system failures.
            (2) Frequency.--The frequency and nature of the tests 
        required under paragraph (1) shall be determined by the risk 
        assessment of the business entity under subsection (a)(3).
    (d) Relationship to Service Providers.--In the event a business 
entity subject to this subtitle engages service providers not subject 
to this subtitle, such business entity shall--
            (1) exercise appropriate due diligence in selecting those 
        service providers for responsibilities related to sensitive 
        personally identifiable information, and take reasonable steps 
        to select and retain service providers that are capable of 
        maintaining appropriate safeguards for the security, privacy, 
        and integrity of the sensitive personally identifiable 
        information at issue; and
            (2) require those service providers by contract to 
        implement and maintain appropriate measures designed to meet 
        the objectives and requirements governing entities subject to 
        this section, section 401, and subtitle B.
    (e) Periodic Assessment and Personal Data Privacy and Security 
Modernization.--Each business entity subject to this subtitle shall on 
a regular basis monitor, evaluate, and adjust, as appropriate, its data 
privacy and security program in light of any relevant changes in--
            (1) technology;
            (2) the sensitivity of personally identifiable information;
            (3) internal or external threats to personally identifiable 
        information; and
            (4) the changing business arrangements of the business 
        entity, such as--
                    (A) mergers and acquisitions;
                    (B) alliances and joint ventures;
                    (C) outsourcing arrangements;
                    (D) bankruptcy; and
                    (E) changes to sensitive personally identifiable 
                information systems.
    (f) Implementation Time Line.--Not later than 1 year after the date 
of enactment of this Act, a business entity subject to the provisions 
of this subtitle shall implement a data privacy and security program 
pursuant to this subtitle.

SEC. 403. ENFORCEMENT.

    (a) Civil Penalties.--
            (1) In general.--Any business entity that violates the 
        provisions of sections 401 or 402 shall be subject to civil 
        penalties of not more than $5,000 per violation per day, with a 
        maximum of $35,000 per day, while such violations persist.
            (2) Intentional or willful violation.--A business entity 
        that intentionally or willfully violates the provisions of 
        sections 401 or 402 shall be subject to additional penalties in 
        the amount of $5,000 per violation per day, with a maximum of 
        an additional $35,000 per day, while such violations persist.
            (3) Equitable relief.--A business entity engaged in 
        interstate commerce that violates this section may be enjoined 
        from further violations by a court of competent jurisdiction.
            (4) Other rights and remedies.--The rights and remedies 
        available under this section are cumulative and shall not 
        affect any other rights and remedies available under law.
    (b) Injunctive Actions by the Attorney General.--
            (1) In general.--Whenever it appears that a business entity 
        or agency to which this subtitle applies has engaged, is 
        engaged, or is about to engage, in any act or practice 
        constituting a violation of this subtitle, the Attorney General 
        may bring a civil action in an appropriate district court of 
        the United States to--
                    (A) enjoin such act or practice;
                    (B) enforce compliance with this subtitle; and
                    (C) obtain damages--
                            (i) in the sum of actual damages, 
                        restitution, and other compensation on behalf 
                        of the affected residents of a State; and
                            (ii) punitive damages, if the violation is 
                        willful or intentional; and
                    (D) obtain such other relief as the court 
                determines to be appropriate.
            (2) Other injunctive relief.--Upon a proper showing in the 
        action under paragraph (1), the court shall grant a permanent 
        injunction or a temporary restraining order without bond.
    (c) State Enforcement.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by an act or practice that violates this 
        subtitle, the State may bring a civil action on behalf of the 
        residents of that State in a district court of the United 
        States of appropriate jurisdiction, or any other court of 
        competent jurisdiction, to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this subtitle;
                    (C) obtain--
                            (i) damages in the sum of actual damages, 
                        restitution, or other compensation on behalf of 
                        affected residents of the State; and
                            (ii) punitive damages, if the violation is 
                        willful or intentional; or
                    (D) obtain such other legal and equitable relief as 
                the court may consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Attorney General--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an attorney 
                general of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in this 
                subparagraph before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described under subparagraph (B), the attorney general 
                of a State shall provide the written notice and the 
                copy of the complaint to the Attorney General as soon 
                after the filing of the complaint as practicable.
            (3) Attorney general authority.--Upon receiving notice 
        under paragraph (2), the Attorney General shall have the right 
        to--
                    (A) move to stay the action, pending the final 
                disposition of a pending Federal proceeding or action 
                as described in paragraph (4);
                    (B) intervene in an action brought under paragraph 
                (1); and
                    (C) file petitions for appeal.
            (4) Pending proceedings.--If the Attorney General has 
        instituted a proceeding or action for a violation of this title 
        or any regulations thereunder, no attorney general of a State 
        may, during the pendency of such proceeding or action, bring an 
        action under this subsection against any defendant named in 
        such criminal proceeding or civil action for any violation that 
        is alleged in that proceeding or action.
            (5) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1) nothing in this title shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths and affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (6) Venue; service of process.--
                    (A) Venue.--Any action brought under this 
                subsection may be brought in the district court of the 
                United States that meets applicable requirements 
                relating to venue under section 1931 of title 28, 
                United States Code.
                    (B) Service of process.--In an action brought under 
                this subsection process may be served in any district 
                in which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
    (d) No Private Cause of Action.--Nothing in this title establishes 
a private cause of action against a business entity for violation of 
any provision of this subtitle.

SEC. 404. RELATION TO STATE LAWS.

    (a) In General.--No State may--
            (1) require an entity described in section 401(c) to comply 
        with this subtitle or any regulation promulgated thereunder; 
        and
            (2) require an entity in compliance with the safe harbor 
        established under section 401(d), to comply with any other 
        provision of this subtitle.
    (b) Effect of Subtitle A.--Except as provided in subsection (a), 
this subtitle does not annul, alter, affect, or exempt any person 
subject to the provisions of this subtitle from complying with the laws 
of any State with respect to security programs for sensitive personally 
identifiable information, except to the extent that those laws are 
inconsistent with any provisions of this subtitle, and then only to the 
extent of such inconsistency.

                Subtitle B--Security Breach Notification

SEC. 421. NOTICE TO INDIVIDUALS.

    (a) In General.--Any agency, or business entity engaged in 
interstate commerce, that uses, accesses, transmits, stores, disposes 
of or collects sensitive personally identifiable information shall, 
following the discovery of a security breach maintained by the agency 
or business entity that contains such information, notify any resident 
of the United States whose sensitive personally identifiable 
information was subject to the security breach.
    (b) Obligation of Owner or Licensee.--
            (1) Notice to owner or licensee.--Any agency, or business 
        entity engaged in interstate commerce, that uses, accesses, 
        transmits, stores, disposes of, or collects sensitive 
        personally identifiable information that the agency or business 
        entity does not own or license shall notify the owner or 
        licensee of the information following the discovery of a 
        security breach containing such information.
            (2) Notice by owner, licensee or other designated third 
        party.--Nothing in this subtitle shall prevent or abrogate an 
        agreement between an agency or business entity required to give 
        notice under this section and a designated third party, 
        including an owner or licensee of the sensitive personally 
        identifiable information subject to the security breach, to 
        provide the notifications required under subsection (a).
            (3) Business entity relieved from giving notice.--A 
        business entity obligated to give notice under subsection (a) 
        shall be relieved of such obligation if an owner or licensee of 
        the sensitive personally identifiable information subject to 
        the security breach, or other designated third party, provides 
        such notification.
    (c) Timeliness of Notification.--
            (1) In general.--All notifications required under this 
        section shall be made without unreasonable delay following--
                    (A) the discovery by the agency or business entity 
                of a security breach; and
                    (B) any measures necessary to determine the scope 
                of the breach, prevent further disclosures, and restore 
                the reasonable integrity of the data system.
            (2) Burden of proof.--The agency, business entity, owner, 
        or licensee required to provide notification under this section 
        shall have the burden of demonstrating that all notifications 
        were made as required under this subtitle, including evidence 
        demonstrating the necessity of any delay.
    (d) Delay of Notification Authorized for Law Enforcement 
Purposes.--
            (1) In general.--If a law enforcement agency determines 
        that the notification required under this section would impede 
        a criminal investigation, such notification may be delayed upon 
        the written request of the law enforcement agency.
            (2) Extended delay of notification.--If the notification 
        required under subsection (a) is delayed pursuant to paragraph 
        (1), an agency or business entity shall give notice 30 days 
        after the day such law enforcement delay was invoked unless a 
        law enforcement agency provides written notification that 
        further delay is necessary.

SEC. 422. EXEMPTIONS.

    (a) Exemption for National Security and Law Enforcement.--
            (1) In general.--Section 421 shall not apply to an agency 
        if the head of the agency certifies, in writing, that 
        notification of the security breach as required by section 421 
        reasonably could be expected to--
                    (A) cause damage to the national security; or
                    (B) hinder a law enforcement investigation or the 
                ability of the agency to conduct law enforcement 
                investigations.
            (2) Limits on certifications.--The head of an agency may 
        not execute a certification under paragraph (1) to--
                    (A) conceal violations of law, inefficiency, or 
                administrative error;
                    (B) prevent embarrassment to a business entity, 
                organization, or agency; or
                    (C) restrain competition.
            (3) Notice.--In every case in which a head of an agency 
        issues a certification under paragraph (1), the certification, 
        accompanied by a concise description of the factual basis for 
        the certification, shall be immediately provided to the 
        Congress.
    (b) Risk Assessment Exemption.--An agency or business entity will 
be exempt from the notice requirements under section 421, if--
            (1) a risk assessment concludes that there is no 
        significant risk that the security breach has resulted in, or 
        will result in, harm to the individuals whose sensitive 
        personally identifiable information was subject to the security 
        breach;
            (2) without unreasonable delay, but not later than 45 days 
        after the discovery of a security breach, unless extended by 
        the United States Secret Service, the business entity notifies 
        the United States Secret Service, in writing, of--
                    (A) the results of the risk assessment;
                    (B) its decision to invoke the risk assessment 
                exemption; and
            (3) the United States Secret Service does not indicate, in 
        writing, within 10 days from receipt of the decision, that 
        notice should be given.
    (c) Financial Fraud Prevention Exemption.--
            (1) In general.--A business entity will be exempt from the 
        notice requirement under section 421 if the business entity 
        utilizes or participates in a security program that--
                    (A) is designed to block the use of the sensitive 
                personally identifiable information to initiate 
                unauthorized financial transactions before they are 
                charged to the account of the individual; and
                    (B) provides for notice after a security breach 
                that has resulted in fraud or unauthorized 
                transactions.
            (2) Limitation.--The exemption by this subsection does not 
        apply if the information subject to the security breach 
        includes, in addition to an account number, sensitive 
        personally identifiable information.

SEC. 423. METHODS OF NOTICE.

    An agency, or business entity shall be in compliance with section 
421 if it provides:
            (1) Individual notice.--
                    (A) Written notification to the last known home 
                mailing address of the individual in the records of the 
                agency or business entity; or
                    (B) E-mail notice, if the individual has consented 
                to receive such notice and the notice is consistent 
                with the provisions permitting electronic transmission 
                of notices under section 101 of the Electronic 
                Signatures in Global and National Commerce Act (15 
                U.S.C. 7001).
            (2) Media notice.--If more than 5,000 residents of a State 
        or jurisdiction are impacted, notice to major media outlets 
        serving that State or jurisdiction.

SEC. 424. CONTENT OF NOTIFICATION.

    (a) In General.--Regardless of the method by which notice is 
provided to individuals under section 423, such notice shall include, 
to the extent possible--
            (1) a description of the categories of sensitive personally 
        identifiable information that was, or is reasonably believed to 
        have been, acquired by an unauthorized person;
            (2) a toll-free number--
                    (A) that the individual may use to contact the 
                agency or business entity, or the agent of the agency 
                or business entity; and
                    (B) from which the individual may learn--
                            (i) what types of sensitive personally 
                        identifiable information the agency or business 
                        entity maintained about that individual or 
                        about individuals in general; and
                            (ii) whether or not the agency or business 
                        entity maintained sensitive personally 
                        identifiable information about that individual; 
                        and
            (3) the toll-free contact telephone numbers and addresses 
        for the major credit reporting agencies.
    (b) Additional Content.--Notwithstanding section 429, a State may 
require that a notice under subsection (a) shall also include 
information regarding victim protection assistance provided for by that 
State.

SEC. 425. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.

    If an agency or business entity is required to provide notification 
to more than 1,000 individuals under section 421(a), the agency or 
business entity shall also notify, without unreasonable delay, all 
consumer reporting agencies that compile and maintain files on 
consumers on a nationwide basis (as defined in section 603(p) of the 
Fair Credit Reporting Act (15 U.S.C. 1681a(p)) of the timing and 
distribution of the notices.

SEC. 426. NOTICE TO LAW ENFORCEMENT.

    (a) Secret Service.--Any business entity or agency required to give 
notice under section 421 shall also give notice to the United States 
Secret Service if the security breach impacts--
            (1) more than 10,000 individuals nationwide;
            (2) a database, networked or integrated databases, or other 
        data system associated with the sensitive personally 
        identifiable information on more than 1,000,000 individuals 
        nationwide;
            (3) databases owned by the Federal Government; or
            (4) primarily sensitive personally identifiable information 
        of employees and contractors of the Federal Government involved 
        in national security or law enforcement.
    (b) Notice to Other Law Enforcement Agencies.--The United States 
Secret Service shall be responsible for notifying--
            (1)(A) the Federal Bureau of Investigation, if the security 
        breach involves espionage, foreign counterintelligence, 
        information protected against unauthorized disclosure for 
        reasons of national defense or foreign relations, or Restricted 
        Data (as that term is defined in section 11y of the Atomic 
        Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses 
        affecting the duties of the United States Secret Service under 
        section 3056(a) of title 18, United States Code; and
            (B) the United States Postal Inspection Service, if the 
        security breach involves mail fraud; and
            (2) the attorney general of each State affected by the 
        security breach.
    (c) 30-Day Rule.--The notices to Federal law enforcement and the 
attorney general of each State affected by a security breach required 
under this section shall be delivered without unreasonable delay, but 
not later than 30 days after discovery of the events requiring notice.

SEC. 427. CIVIL REMEDIES.

    (a) Penalties.--Any agency, or business entity engaged in 
interstate commerce, that violates this subtitle shall be subject to a 
fine of--
            (1) not more than $1,000 per individual per day whose 
        sensitive personally identifiable information was, or is 
        reasonably believed to have been, acquired by an unauthorized 
        person; or
            (2) not more than $50,000 per day while the failure to give 
        notice under this subtitle persists.
    (b) Equitable Relief.--Any agency or business entity that violates, 
proposes to violate, or has violated this subtitle may be enjoined from 
further violations by a court of competent jurisdiction.
    (c) Other Rights and Remedies.--The rights and remedies available 
under this subtitle are cumulative and shall not affect any other 
rights and remedies available under law.
    (d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting 
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence 
that the consumer has received notice that the consumer's financial 
information has or may have been compromised,'' after ``identity theft 
report''.
    (e) Injunctive Actions by the Attorney General.--Whenever it 
appears that a business entity or agency to which this subtitle applies 
has engaged, is engaged, or is about to engage, in any act or practice 
constituting a violation of this subtitle, the Attorney General may 
bring a civil action in an appropriate district court of the United 
States to--
            (1) enjoin such act or practice;
            (2) enforce compliance with this subtitle;
            (3) obtain damages--
                    (A) in the sum of actual damages, restitution, and 
                other compensation on behalf of the affected residents 
                of a State; and
                    (B) punitive damages, if the violation is willful 
                or intentional; and
            (4) obtain such other relief as the court determines to be 
        appropriate.

SEC. 428. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State, or any State or local law enforcement 
        agency authorized by the State attorney general or by State 
        statute to prosecute violations of consumer protection law, has 
        reason to believe that an interest of the residents of that 
        State has been or is threatened or adversely affected by the 
        engagement of any agency or business entity in a practice that 
        is prohibited under this subtitle, the State, as parens patriae 
        on behalf of the residents of the State, or the State or local 
        law enforcement agency on behalf of the residents of the 
        agency's jurisdiction, may bring a civil action on behalf of 
        the residents of the State or jurisdiction in a district court 
        of the United States of appropriate jurisdiction or any other 
        court of competent jurisdiction, including a State court, to--
                    (A) enjoin that practice;
                    (B) enforce compliance with this subtitle;
                    (C) obtain damages, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subtitle, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(2), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action;
            (2) intervene in an action brought under subsection (a)(2); 
        and
            (3) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General has instituted a 
proceeding or action for a violation of this subtitle or any 
regulations thereunder, no attorney general of a State may, during the 
pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle regarding notification shall 
be construed to prevent an attorney general of a State from exercising 
the powers conferred on such attorney general by the laws of that State 
to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.
    (f) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a data broker for 
violation of any provision of this subtitle.

SEC. 429. EFFECT ON FEDERAL AND STATE LAW.

    The provisions of this subtitle shall supersede any other provision 
of Federal law or any provision of law of any State relating to 
notification of a security breach, except as provided in section 
424(b).

SEC. 430. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated such sums as may be 
necessary to cover the costs incurred by the United States Secret 
Service to carry out investigations and risk assessments of security 
breaches as required under this subtitle.

SEC. 431. REPORTING ON RISK ASSESSMENT EXEMPTION.

    The United States Secret Service shall report to Congress not later 
than 18 months after the date of enactment of this Act, and upon the 
request by Congress thereafter, on the number and nature of the 
security breaches described in the notices filed by those business 
entities invoking the risk assessment exemption under section 422(b) 
and the response of the United States Secret Service to those notices.

SEC. 432. EFFECTIVE DATE.

    This subtitle shall take effect on the expiration of the date which 
is 90 days after the date of enactment of this Act.

        TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

SEC. 501. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.

    (a) In General.--In considering contract awards totaling more than 
$500,000 and entered into after the date of enactment of this Act with 
data brokers, the Administrator of the General Services Administration 
shall evaluate--
            (1) the data privacy and security program of a data broker 
        to ensure the privacy and security of data containing 
        personally identifiable information, including whether such 
        program adequately addresses privacy and security threats 
        created by malicious software or code, or the use of peer-to-
        peer file sharing software;
            (2) the compliance of a data broker with such program;
            (3) the extent to which the databases and systems 
        containing personally identifiable information of a data broker 
        have been compromised by security breaches; and
            (4) the response by a data broker to such breaches, 
        including the efforts by such data broker to mitigate the 
        impact of such breaches.
    (b) Compliance Safe Harbor.--The data privacy and security program 
of a data broker shall be deemed sufficient for the purposes of 
subsection (a), if the data broker complies with or provides protection 
equal to industry standards, as identified by the Federal Trade 
Commission, that are applicable to the type of personally identifiable 
information involved in the ordinary course of business of such data 
broker.
    (c) Penalties.--In awarding contracts with data brokers for 
products or services related to access, use, compilation, distribution, 
processing, analyzing, or evaluating personally identifiable 
information, the Administrator of the General Services Administration 
shall--
            (1) include monetary or other penalties--
                    (A) for failure to comply with subtitles A and B of 
                title IV of this Act; or
                    (B) if a contractor knows or has reason to know 
                that the personally identifiable information being 
                provided is inaccurate, and provides such inaccurate 
                information; and
            (2) require a data broker that engages service providers 
        not subject to subtitle A of title IV for responsibilities 
        related to sensitive personally identifiable information to--
                    (A) exercise appropriate due diligence in selecting 
                those service providers for responsibilities related to 
                personally identifiable information;
                    (B) take reasonable steps to select and retain 
                service providers that are capable of maintaining 
                appropriate safeguards for the security, privacy, and 
                integrity of the personally identifiable information at 
                issue; and
                    (C) require such service providers, by contract, to 
                implement and maintain appropriate measures designed to 
                meet the objectives and requirements in title IV.
    (d) Limitation.--The penalties under subsection (c) shall not apply 
to a data broker providing information that is accurately and 
completely recorded from a public record source.

SEC. 502. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF 
              CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.

    Section 3544(b) of title 44, United States Code, is amended--
            (1) in paragraph (7)(C)(iii), by striking ``and'' after the 
        semicolon;
            (2) in paragraph (8), by striking the period and inserting 
        ``; and''; and
            (3) by adding at the end the following:
            ``(9) procedures for evaluating and auditing the 
        information security practices of contractors or third party 
        business entities supporting the information systems or 
        operations of the agency involving personally identifiable 
        information (as that term is defined in section 3 of the 
        Personal Data Privacy and Security Act of 2005) and ensuring 
        remedial action to address any significant deficiencies.''.

SEC. 503. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL 
              INFORMATION SERVICES CONTAINING PERSONALLY IDENTIFIABLE 
              INFORMATION.

    (a) In General.--Section 208(b)(1) of the E-Government Act of 2002 
(44 U.S.C. 3501 note) is amended--
            (1) in subparagraph (A)(i), by striking ``or''; and
            (2) in subparagraph (A)(ii), by striking the period and 
        inserting ``; or''; and
            (3) by inserting after clause (ii) the following:
                            ``(iii) purchasing or subscribing for a fee 
                        to personally identifiable information from a 
                        data broker (as such terms are defined in 
                        section 3 of the Personal Data Privacy and 
                        Security Act of 2005).''.
    (b) Limitation.--Notwithstanding any other provision of law, 
commencing 1 year after the date of enactment of this Act, no Federal 
department or agency may enter into a contract with a data broker to 
access for a fee any database consisting primarily of personally 
identifiable information concerning United States persons (other than 
news reporting or telephone directories) unless the head of such 
department or agency--
            (1) completes a privacy impact assessment under section 208 
        of the E-Government Act of 2002 (44 U.S.C. 3501 note), which 
        shall subject to the provision in that Act pertaining to 
        sensitive information, include a description of--
                    (A) such database;
                    (B) the name of the data broker from whom it is 
                obtained; and
                    (C) the amount of the contract for use;
            (2) adopts regulations that specify--
                    (A) the personnel permitted to access, analyze, or 
                otherwise use such databases;
                    (B) standards governing the access, analysis, or 
                use of such databases;
                    (C) any standards used to ensure that the 
                personally identifiable information accessed, analyzed, 
                or used is the minimum necessary to accomplish the 
                intended legitimate purpose of the Federal department 
                or agency;
                    (D) standards limiting the retention and 
                redisclosure of personally identifiable information 
                obtained from such databases;
                    (E) procedures ensuring that such data meet 
                standards of accuracy, relevance, completeness, and 
                timeliness;
                    (F) the auditing and security measures to protect 
                against unauthorized access, analysis, use, or 
                modification of data in such databases;
                    (G) applicable mechanisms by which individuals may 
                secure timely redress for any adverse consequences 
                wrongly incurred due to the access, analysis, or use of 
                such databases;
                    (H) mechanisms, if any, for the enforcement and 
                independent oversight of existing or planned 
                procedures, policies, or guidelines; and
                    (I) an outline of enforcement mechanisms for 
                accountability to protect individuals and the public 
                against unlawful or illegitimate access or use of 
                databases; and
            (3) incorporates into the contract or other agreement 
        totaling more than $500,000, provisions--
                    (A) providing for penalties--
                            (i) for failure to comply with title IV of 
                        this Act; or
                            (ii) if the entity knows or has reason to 
                        know that the personally identifiable 
                        information being provided to the Federal 
                        department or agency is inaccurate, and 
                        provides such inaccurate information.
                    (B) requiring a data broker that engages service 
                providers not subject to subtitle A of title IV for 
                responsibilities related to sensitive personally 
                identifiable information to--
                            (i) exercise appropriate due diligence in 
                        selecting those service providers for 
                        responsibilities related to personally 
                        identifiable information;
                            (ii) take reasonable steps to select and 
                        retain service providers that are capable of 
                        maintaining appropriate safeguards for the 
                        security, privacy, and integrity of the 
                        personally identifiable information at issue; 
                        and
                            (iii) require such service providers, by 
                        contract, to implement and maintain appropriate 
                        measures designed to meet the objectives and 
                        requirements in title IV.
    (c) Limitation on Penalties.--The penalties under paragraph (3)(A) 
shall not apply to a data broker providing information that is 
accurately and completely recorded from a public record source.
    (d) Individual Screening Programs.--
            (1) In general.--Notwithstanding any other provision of 
        law, commencing one year after the date of enactment of this 
        Act, no Federal department or agency may use commercial 
        databases or contract with a data broker to implement an 
        individual screening program unless such program is--
                    (A) congressionally authorized; and
                    (B) subject to regulations developed by notice and 
                comment that--
                            (i) establish a procedure to enable 
                        individuals, who suffer an adverse consequence 
                        because the screening system determined that 
                        they might pose a security threat, to appeal 
                        such determination and correct information 
                        contained in the system;
                            (ii) ensure that Federal and commercial 
                        databases that will be used to establish the 
                        identity of individuals or otherwise make 
                        assessments of individuals under the system 
                        will not produce a large number of false 
                        positives or unjustified adverse consequences;
                            (iii) ensure the efficacy and accuracy of 
                        all of the search tools that will be used and 
                        ensure that the department or agency can make 
                        an accurate predictive assessment of those who 
                        may constitute a threat;
                            (iv) establish an internal oversight board 
                        to oversee and monitor the manner in which the 
                        system is being implemented;
                            (v) establish sufficient operational 
                        safeguards to reduce the opportunities for 
                        abuse;
                            (vi) implement substantial security 
                        measures to protect the system from 
                        unauthorized access;
                            (vii) adopt policies establishing the 
                        effective oversight of the use and operation of 
                        the system; and
                            (viii) ensure that there are no specific 
                        privacy concerns with the technological 
                        architecture of the system; and
                    (C) coordinated with the Terrorist Screening Center 
                or any such successor organization.
            (2) Definition.--As used in this subsection, the term 
        ``individual screening program''--
                    (A) means a system that relies on personally 
                identifiable information from commercial databases to--
                            (i) evaluate all or most individuals 
                        seeking to exercise a particular right or 
                        privilege under Federal law; and
                            (ii) determine whether such individuals are 
                        on a terrorist watch list or otherwise pose a 
                        security threat; and
                    (B) does not include any program or system to grant 
                security clearances.
    (e) Study of Government Use.--
            (1) Scope of study.--Not later than 180 days after the date 
        of enactment of this Act, the Comptroller General of the United 
        States shall conduct a study and audit and prepare a report on 
        Federal agency use of data brokers or commercial databases 
        containing personally identifiable information, including the 
        impact on privacy and security, and the extent to which Federal 
        contracts include sufficient provisions to ensure privacy and 
        security protections, and penalties for failures in privacy and 
        security practices.
            (2) Report.--A copy of the report required under paragraph 
        (1) shall be submitted to Congress.

SEC. 504. IMPLEMENTATION OF CHIEF PRIVACY OFFICER REQUIREMENTS.

    (a) Designation of the Chief Privacy Officer.--Pursuant to the 
requirements under section 522 of the Transportation, Treasury, 
Independent Agencies, and General Government Appropriations Act, 2005 
(division H of Public Law 108-447; 118 Stat. 3199) that each agency 
designate a Chief Privacy Officer, the Department of Justice shall 
implement such requirements by designating a department-wide Chief 
Privacy Officer, whose primary role shall be to fulfill the duties and 
responsibilities of Chief Privacy Officer and who shall report directly 
to the Deputy Attorney General.
    (b) Duties and Responsibilities of Chief Privacy Officer.--In 
addition to the duties and responsibilities outlined under section 522 
of the Transportation, Treasury, Independent Agencies, and General 
Government Appropriations Act, 2005 (division H of Public Law 108-447; 
118 Stat. 3199), the Department of Justice Chief Privacy Officer 
shall--
            (1) oversee the Department of Justice's implementation of 
        the requirements under section 603 to conduct privacy impact 
        assessments of the use of commercial data containing personally 
        identifiable information by the Department;
            (2) promote the use of law enforcement technologies that 
        sustain privacy protections, and assure that the implementation 
        of such technologies relating to the use, collection, and 
        disclosure of personally identifiable information preserve the 
        privacy and security of such information; and
            (3) coordinate with the Privacy and Civil Liberties 
        Oversight Board, established in the Intelligence Reform and 
        Terrorism Prevention Act of 2004 (Public Law 108-458), in 
        implementing paragraphs (1) and (2) of this subsection.