[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 1789 Reported in Senate (RS)]


                                                       Calendar No. 297
109th CONGRESS
  1st Session
                                S. 1789

 To prevent and mitigate identity theft, to ensure privacy, to provide 
  notice of security breaches, and to enhance criminal penalties, law 
    enforcement assistance, and other protections against security 
  breaches, fraudulent access, and misuse of personally identifiable 
                              information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 29, 2005

Mr. Specter (for himself, Mr. Leahy, Mrs. Feinstein, and Mr. Feingold) 
introduced the following bill; which was read twice and referred to the 
                       Committee on the Judiciary

                           November 17, 2005

               Reported by Mr. Specter, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
 To prevent and mitigate identity theft, to ensure privacy, to provide 
  notice of security breaches, and to enhance criminal penalties, law 
    enforcement assistance, and other protections against security 
  breaches, fraudulent access, and misuse of personally identifiable 
                              information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>

<DELETED>    (a) Short Title.--This Act may be cited as the ``Personal 
Data Privacy and Security Act of 2005''.</DELETED>
<DELETED>    (b) Table of Contents.--The table of contents for this Act 
is as follows:</DELETED>

<DELETED>Sec. 1. Short title; table of contents.
<DELETED>Sec. 2. Findings.
<DELETED>Sec. 3. Definitions.
  <DELETED>TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER 
                VIOLATIONS OF DATA PRIVACY AND SECURITY

<DELETED>Sec. 101. Fraud and related criminal activity in connection 
                            with unauthorized access to personally 
                            identifiable information.
<DELETED>Sec. 102. Organized criminal activity in connection with 
                            unauthorized access to personally 
                            identifiable information.
<DELETED>Sec. 103. Concealment of security breaches involving sensitive 
                            personally identifiable information.
<DELETED>Sec. 104. Aggravated fraud in connection with computers.
<DELETED>Sec. 105. Review and amendment of Federal sentencing 
                            guidelines related to fraudulent access to 
                            or misuse of digitized or electronic 
                            personally identifiable information.
   <DELETED>TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT 
COMBATING CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL 
               USE OF PERSONALLY IDENTIFIABLE INFORMATION

<DELETED>Sec. 201. Grants for State and local enforcement.
<DELETED>Sec. 202. Authorization of appropriations.
                    <DELETED>TITLE III--DATA BROKERS

<DELETED>Sec. 301. Transparency and accuracy of data collection.
<DELETED>Sec. 302. Enforcement.
<DELETED>Sec. 303. Relation to State laws.
<DELETED>Sec. 304. Effective date.
  <DELETED>TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE 
                              INFORMATION

         <DELETED>Subtitle A--Data Privacy and Security Program

<DELETED>Sec. 401. Purpose and applicability of data privacy and 
                            security program.
<DELETED>Sec. 402. Requirements for a personal data privacy and 
                            security program.
<DELETED>Sec. 403. Enforcement.
<DELETED>Sec. 404. Relation to State laws.
           <DELETED>Subtitle B--Security Breach Notification

<DELETED>Sec. 421. Right to notice of security breach.
<DELETED>Sec. 422. Notice procedures.
<DELETED>Sec. 423. Content of notice.
<DELETED>Sec. 424. Risk assessment and fraud prevention notice 
                            exemptions.
<DELETED>Sec. 425. Victim protection assistance.
<DELETED>Sec. 426. Enforcement.
<DELETED>Sec. 427. Relation to State laws.
<DELETED>Sec. 428. Study on securing personally identifiable 
                            information in the digital era.
<DELETED>Sec. 429. Reporting on risk assessment exemption.
<DELETED>Sec. 430. Authorization of appropriations.
<DELETED>Sec. 431. Reporting on risk assessment exemption.
<DELETED>Sec. 432. Effective date.
   <DELETED>TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

<DELETED>Sec. 501. General Services Administration review of contracts.
<DELETED>Sec. 502. Requirement to audit information security practices 
                            of contractors and third party business 
                            entities.
<DELETED>Sec. 503. Privacy impact assessment of government use of 
                            commercial information services containing 
                            personally identifiable information.
<DELETED>Sec. 504. Implementation of Chief Privacy Officer 
                            requirements.

<DELETED>SEC. 2. FINDINGS.</DELETED>

<DELETED>    Congress finds that--</DELETED>
        <DELETED>    (1) databases of personally identifiable 
        information are increasingly prime targets of hackers, identity 
        thieves, rogue employees, and other criminals, including 
        organized and sophisticated criminal operations;</DELETED>
        <DELETED>    (2) identity theft is a serious threat to the 
        nation's economic stability, homeland security, the development 
        of e-commerce, and the privacy rights of Americans;</DELETED>
        <DELETED>    (3) over 9,300,000 individuals were victims of 
        identity theft in America last year;</DELETED>
        <DELETED>    (4) security breaches are a serious threat to 
        consumer confidence, homeland security, e-commerce, and 
        economic stability;</DELETED>
        <DELETED>    (5) it is important for business entities that 
        own, use, or license personally identifiable information to 
        adopt reasonable procedures to ensure the security, privacy, 
        and confidentiality of that personally identifiable 
        information;</DELETED>
        <DELETED>    (6) individuals whose personal information has 
        been compromised or who have been victims of identity theft 
        should receive the necessary information and assistance to 
        mitigate their damages and to restore the integrity of their 
        personal information and identities;</DELETED>
        <DELETED>    (7) data brokers have assumed a significant role 
        in providing identification, authentication, and screening 
        services, and related data collection and analyses for 
        commercial, nonprofit, and government operations;</DELETED>
        <DELETED>    (8) data misuse and use of inaccurate data have 
        the potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government 
        operations;</DELETED>
        <DELETED>    (9) there is a need to insure that data brokers 
        conduct their operations in a manner that prioritizes fairness, 
        transparency, accuracy, and respect for the privacy of 
        consumers;</DELETED>
        <DELETED>    (10) government access to commercial data can 
        potentially improve safety, law enforcement, and national 
        security; and</DELETED>
        <DELETED>    (11) because government use of commercial data 
        containing personal information potentially affects individual 
        privacy, and law enforcement and national security operations, 
        there is a need for Congress to exercise oversight over 
        government use of commercial data.</DELETED>

<DELETED>SEC. 3. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Agency.--The term ``agency'' has the same 
        meaning given such term in section 551 of title 5, United 
        States Code.</DELETED>
        <DELETED>    (2) Affiliate.--The term ``affiliate'' means 
        persons related by common ownership or by corporate 
        control.</DELETED>
        <DELETED>    (3) Business entity.--The term ``business entity'' 
        means any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, venture established 
        to make a profit, or nonprofit, and any contractor, 
        subcontractor, affiliate, or licensee thereof engaged in 
        interstate commerce.</DELETED>
        <DELETED>    (4) Identity theft.--The term ``identity theft'' 
        means a violation of section 1028 of title 18, United States 
        Code, or any other similar provision of applicable State 
        law.</DELETED>
        <DELETED>    (5) Data broker.--The term ``data broker'' means a 
        business entity which for monetary fees, dues, or on a 
        cooperative nonprofit basis, currently or regularly engages, in 
        whole or in part, in the practice of collecting, transmitting, 
        or providing access to sensitive personally identifiable 
        information primarily for the purposes of providing such 
        information to nonaffiliated third parties on a nationwide 
        basis on more than 5,000 individuals who are not the customers 
        or employees of the business entity or affiliate.</DELETED>
        <DELETED>    (6) Data furnisher.--The term ``data furnisher'' 
        means any agency, governmental entity, organization, 
        corporation, trust, partnership, sole proprietorship, 
        unincorporated association, venture established to make a 
        profit, or nonprofit, and any contractor, subcontractor, 
        affiliate, or licensee thereof, that serves as a source of 
        information for a data broker.</DELETED>
        <DELETED>    (7) Personal electronic record.--The term 
        ``personal electronic record'' means data associated with an 
        individual contained in a database, networked or integrated 
        databases, or other data system that holds sensitive personally 
        identifiable information of that individual and is provided to 
        non-affiliated third parties.</DELETED>
        <DELETED>    (8) Personally identifiable information.--The term 
        ``personally identifiable information'' means any information, 
        or compilation of information, in electronic or digital form 
        serving as a means of identification, as defined by section 
        1028(d)(7) of title 18, United States Code.</DELETED>
        <DELETED>    (9) Public record source.--The term ``public 
        record source'' means any agency, Federal court, or State court 
        that maintains personally identifiable information in records 
        available to the public.</DELETED>
        <DELETED>    (10) Security breach.--</DELETED>
                <DELETED>    (A) In general.--The term ``security 
                breach'' means compromise of the security, 
                confidentiality, or integrity of computerized data 
                through misrepresentation or actions that result in, or 
                there is a reasonable basis to conclude has resulted 
                in, the unauthorized acquisition of and access to 
                sensitive personally identifiable 
                information.</DELETED>
                <DELETED>    (B) Exclusion.--The term ``security 
                breach'' does not include--</DELETED>
                        <DELETED>    (i) a good faith acquisition of 
                        sensitive personally identifiable information 
                        by a business entity or agency, or an employee 
                        or agent of a business entity or agency, if the 
                        sensitive personally identifiable information 
                        is not subject to further unauthorized 
                        disclosure; or</DELETED>
                        <DELETED>    (ii) the release of a public 
                        record not otherwise subject to confidentiality 
                        or nondisclosure requirements.</DELETED>
        <DELETED>    (11) Sensitive personally identifiable 
        information.--The term ``sensitive personally identifiable 
        information'' means any information or compilation of 
        information, in electronic or digital form that 
        includes:</DELETED>
                <DELETED>    (A) An individual's name in combination 
                with any 1 of the following data elements:</DELETED>
                        <DELETED>    (i) A non-truncated social 
                        security number, driver's license number, 
                        passport number, or alien registration 
                        number.</DELETED>
                        <DELETED>    (ii) Any 2 of the 
                        following:</DELETED>
                                <DELETED>    (I) Information that 
                                relates to--</DELETED>
                                        <DELETED>    (aa) the past, 
                                        present, or future physical or 
                                        mental health or condition of 
                                        an individual;</DELETED>
                                        <DELETED>    (bb) the provision 
                                        of health care to an 
                                        individual; or</DELETED>
                                        <DELETED>    (cc) the past, 
                                        present, or future payment for 
                                        the provision of health care to 
                                        an individual.</DELETED>
                                <DELETED>    (II) Home address or 
                                telephone number.</DELETED>
                                <DELETED>    (III) Mother's maiden 
                                name, if identified as such.</DELETED>
                                <DELETED>    (IV) Month, day, and year 
                                of birth.</DELETED>
                        <DELETED>    (iii) Unique biometric data such 
                        as a finger print, voice print, a retina or 
                        iris image, or any other unique physical 
                        representation.</DELETED>
                        <DELETED>    (iv) A unique electronic 
                        identification number, user name, or routing 
                        code in combination with the associated 
                        security code, access code, or 
                        password.</DELETED>
                        <DELETED>    (v) Any other information 
                        regarding an individual determined appropriate 
                        by the Federal Trade Commission.</DELETED>
                <DELETED>    (B) A financial account number or credit 
                or debit card number in combination with the required 
                security code, access code, or password.</DELETED>

  <DELETED>TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER 
           VIOLATIONS OF DATA PRIVACY AND SECURITY</DELETED>

<DELETED>SEC. 101. FRAUD AND RELATED CRIMINAL ACTIVITY IN CONNECTION 
              WITH UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
              INFORMATION.</DELETED>

<DELETED>    Section 1030(a)(2) of title 18, United States Code, is 
amended--</DELETED>
        <DELETED>    (1) in subparagraph (B), by striking ``or'' after 
        the semicolon;</DELETED>
        <DELETED>    (2) in subparagraph (C), by inserting ``or'' after 
        the semicolon; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
                <DELETED>    ``(D) information contained in the 
                databases or systems of a data broker, or in other 
                personal electronic records, as such terms are defined 
                in section 3 of the Personal Data Privacy and Security 
                Act of 2005;''.</DELETED>

<DELETED>SEC. 102. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH 
              UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
              INFORMATION.</DELETED>

<DELETED>    Section 1961(1) of title 18, United States Code, is 
amended by inserting ``section 1030(a)(2)(D) (relating to fraud and 
related activity in connection with unauthorized access to personally 
identifiable information),'' before ``section 1084''.</DELETED>

<DELETED>SEC. 103. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.</DELETED>

<DELETED>    (a) In General.--Chapter 47 of title 18, United States 
Code, is amended by adding at the end the following:</DELETED>
<DELETED>``Sec. 1039. Concealment of security breaches involving 
              sensitive personally identifiable information</DELETED>
<DELETED>    ``(a) Whoever, having knowledge of a security breach and 
the obligation to provide notice of such breach to individuals under 
title IV of the Personal Data Privacy and Security Act of 2005, and 
having not otherwise qualified for an exemption from providing notice 
under section 422 of such Act, intentionally and willfully conceals the 
fact of such security breach which causes economic damages to 1 or more 
persons, shall be fined under this title or imprisoned not more than 5 
years, or both.</DELETED>
<DELETED>    ``(b) For purposes of subsection (a), the term `person' 
means any individual, corporation, company, association, firm, 
partnership, society, or joint stock company.''.</DELETED>
<DELETED>    (b) Conforming and Technical Amendments.--The table of 
sections for chapter 47 of title 18, United States Code, is amended by 
adding at the end the following:</DELETED>

<DELETED>``1039. Concealment of security breaches involving personally 
                            identifiable information.''.
<DELETED>    (c) Enforcement Authority.--The United States Secret 
Service shall have the authority to investigate offenses under this 
section.</DELETED>

<DELETED>SEC. 104. AGGRAVATED FRAUD IN CONNECTION WITH 
              COMPUTERS.</DELETED>

<DELETED>    (a) In General.--Chapter 47 of title 18, United States 
Code, is amended by adding after section 1030 the following:</DELETED>
<DELETED>``Sec. 1030A. Aggravated fraud in connection with 
              computers</DELETED>
<DELETED>    ``(a) In General.--Whoever, during and in relation to any 
felony violation enumerated in subsection (c), knowingly obtains, 
accesses, or transmits, without lawful authority, a means of 
identification of another person may, in addition to the punishment 
provided for such felony, be sentenced to a term of imprisonment of up 
to 2 years.</DELETED>
<DELETED>    ``(b) Consecutive Sentences.--Notwithstanding any other 
provision of law, should a court in its discretion impose an additional 
sentence under subsection (a)--</DELETED>
        <DELETED>    ``(1) no term of imprisonment imposed on a person 
        under this section shall run concurrently, except as provided 
        in paragraph (3), with any other term of imprisonment imposed 
        on such person under any other provision of law, including any 
        term of imprisonment imposed for the felony during which the 
        means of identification was obtained, accessed, or 
        transmitted;</DELETED>
        <DELETED>    ``(2) in determining any term of imprisonment to 
        be imposed for the felony during which the means of 
        identification was obtained, accessed, or transmitted, a court 
        shall not in any way reduce the term to be imposed for such 
        crime so as to compensate for, or otherwise take into account, 
        any separate term of imprisonment imposed or to be imposed for 
        a violation of this section; and</DELETED>
        <DELETED>    ``(3) a term of imprisonment imposed on a person 
        for a violation of this section may, in the discretion of the 
        court, run concurrently, in whole or in part, only with another 
        term of imprisonment that is imposed by the court at the same 
        time on that person for an additional violation of this 
        section.</DELETED>
<DELETED>    ``(c) Definition.--For purposes of this section, the term 
`felony violation enumerated in subsection (c)' means any offense that 
is a felony violation of paragraphs (2) through (7) of section 
1030(a).''.</DELETED>
<DELETED>    (b) Conforming and Technical Amendments.--The table of 
sections for chapter 47 of title 18, United States Code, is amended by 
inserting after the item relating to section 1030 the following new 
item:</DELETED>

<DELETED>``1030A. Aggravated fraud in connection with computers.''.

<DELETED>SEC. 105. REVIEW AND AMENDMENT OF FEDERAL SENTENCING 
              GUIDELINES RELATED TO FRAUDULENT ACCESS TO OR MISUSE OF 
              DIGITIZED OR ELECTRONIC PERSONALLY IDENTIFIABLE 
              INFORMATION.</DELETED>

<DELETED>    (a) Review and Amendment.--Not later than 180 days after 
the date of enactment of this Act, the United States Sentencing 
Commission, pursuant to its authority under section 994 of title 28, 
United States Code, and in accordance with this section, shall review 
and, if appropriate, amend the Federal sentencing guidelines (including 
its policy statements) applicable to persons convicted of using fraud 
to access, or misuse of, digitized or electronic personally 
identifiable information, including identity theft or any offense 
under--</DELETED>
        <DELETED>    (1) sections 1028, 1028A, 1030, 1030A, 2511, and 
        2701 of title 18, United States Code; or</DELETED>
        <DELETED>    (2) any other relevant provision.</DELETED>
<DELETED>    (b) Requirements.--In carrying out the requirements of 
this section, the United States Sentencing Commission shall--</DELETED>
        <DELETED>    (1) ensure that the Federal sentencing guidelines 
        (including its policy statements) reflect--</DELETED>
                <DELETED>    (A) the serious nature of the offenses and 
                penalties referred to in this Act;</DELETED>
                <DELETED>    (B) the growing incidences of theft and 
                misuse of digitized or electronic personally 
                identifiable information, including identity theft; 
                and</DELETED>
                <DELETED>    (C) the need to deter, prevent, and punish 
                such offenses;</DELETED>
        <DELETED>    (2) consider the extent to which the Federal 
        sentencing guidelines (including its policy statements) 
        adequately address violations of the sections amended by this 
        Act to--</DELETED>
                <DELETED>    (A) sufficiently deter and punish such 
                offenses; and</DELETED>
                <DELETED>    (B) adequately reflect the enhanced 
                penalties established under this Act;</DELETED>
        <DELETED>    (3) maintain reasonable consistency with other 
        relevant directives and sentencing guidelines;</DELETED>
        <DELETED>    (4) account for any additional aggravating or 
        mitigating circumstances that might justify exceptions to the 
        generally applicable sentencing ranges;</DELETED>
        <DELETED>    (5) consider whether to provide a sentencing 
        enhancement for those convicted of the offenses described in 
        subsection (a), if the conduct involves--</DELETED>
                <DELETED>    (A) the online sale of fraudulently 
                obtained or stolen personally identifiable 
                information;</DELETED>
                <DELETED>    (B) the sale of fraudulently obtained or 
                stolen personally identifiable information to an 
                individual who is engaged in terrorist activity or 
                aiding other individuals engaged in terrorist activity; 
                or</DELETED>
                <DELETED>    (C) the sale of fraudulently obtained or 
                stolen personally identifiable information to finance 
                terrorist activity or other criminal 
                activities;</DELETED>
        <DELETED>    (6) make any necessary conforming changes to the 
        Federal sentencing guidelines to ensure that such guidelines 
        (including its policy statements) as described in subsection 
        (a) are sufficiently stringent to deter, and adequately reflect 
        crimes related to fraudulent access to, or misuse of, 
        personally identifiable information; and</DELETED>
        <DELETED>    (7) ensure that the Federal sentencing guidelines 
        adequately meet the purposes of sentencing under section 
        3553(a)(2) of title 18, United States Code.</DELETED>
<DELETED>    (c) Emergency Authority to Sentencing Commission.--The 
United States Sentencing Commission may, as soon as practicable, 
promulgate amendments under this section in accordance with procedures 
established in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 
994 note) as though the authority under that Act had not 
expired.</DELETED>

   <DELETED>TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT 
COMBATING CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL 
          USE OF PERSONALLY IDENTIFIABLE INFORMATION</DELETED>

<DELETED>SEC. 201. GRANTS FOR STATE AND LOCAL ENFORCEMENT.</DELETED>

<DELETED>    (a) In General.--Subject to the availability of amounts 
provided in advance in appropriations Acts, the Assistant Attorney 
General for the Office of Justice Programs of the Department of Justice 
may award a grant to a State to establish and develop programs to 
increase and enhance enforcement against crimes related to fraudulent, 
unauthorized, or other criminal use of personally identifiable 
information.</DELETED>
<DELETED>    (b) Application.--A State seeking a grant under subsection 
(a) shall submit an application to the Assistant Attorney General for 
the Office of Justice Programs of the Department of Justice at such 
time, in such manner, and containing such information as the Assistant 
Attorney General may require.</DELETED>
<DELETED>    (c) Use of Grant Amounts.--A grant awarded to a State 
under subsection (a) shall be used by a State, in conjunction with 
units of local government within that State, State and local courts, 
other States, or combinations thereof, to establish and develop 
programs to--</DELETED>
        <DELETED>    (1) assist State and local law enforcement 
        agencies in enforcing State and local criminal laws relating to 
        crimes involving the fraudulent, unauthorized, or other 
        criminal use of personally identifiable information;</DELETED>
        <DELETED>    (2) assist State and local law enforcement 
        agencies in educating the public to prevent and identify crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information;</DELETED>
        <DELETED>    (3) educate and train State and local law 
        enforcement officers and prosecutors to conduct investigations 
        and forensic analyses of evidence and prosecutions of crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information;</DELETED>
        <DELETED>    (4) assist State and local law enforcement 
        officers and prosecutors in acquiring computer and other 
        equipment to conduct investigations and forensic analysis of 
        evidence of crimes involving the fraudulent, unauthorized, or 
        other criminal use of personally identifiable information; 
        and</DELETED>
        <DELETED>    (5) facilitate and promote the sharing of Federal 
        law enforcement expertise and information about the 
        investigation, analysis, and prosecution of crimes involving 
        the fraudulent, unauthorized, or other criminal use of 
        personally identifiable information with State and local law 
        enforcement officers and prosecutors, including the use of 
        multi-jurisdictional task forces.</DELETED>
<DELETED>    (d) Assurances and Eligibility.--To be eligible to receive 
a grant under subsection (a), a State shall provide assurances to the 
Attorney General that the State--</DELETED>
        <DELETED>    (1) has in effect laws that penalize crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information, such as penal laws 
        prohibiting--</DELETED>
                <DELETED>    (A) fraudulent schemes executed to obtain 
                personally identifiable information;</DELETED>
                <DELETED>    (B) schemes executed to sell or use 
                fraudulently obtained personally identifiable 
                information; and</DELETED>
                <DELETED>    (C) online sales of personally 
                identifiable information obtained fraudulently or by 
                other illegal means;</DELETED>
        <DELETED>    (2) will provide an assessment of the resource 
        needs of the State and units of local government within that 
        State, including criminal justice resources being devoted to 
        the investigation and enforcement of laws related to crimes 
        involving the fraudulent, unauthorized, or other criminal use 
        of personally identifiable information; and</DELETED>
        <DELETED>    (3) will develop a plan for coordinating the 
        programs funded under this section with other federally funded 
        technical assistance and training programs, including directly 
        funded local programs such as the Local Law Enforcement Block 
        Grant program (described under the heading ``Violent Crime 
        Reduction Programs, State and Local Law Enforcement 
        Assistance'' of the Departments of Commerce, Justice, and 
        State, the Judiciary, and Related Agencies Appropriations Act, 
        1998 (Public Law 105-119)).</DELETED>
<DELETED>    (e) Matching Funds.--The Federal share of a grant received 
under this section may not exceed 90 percent of the total cost of a 
program or proposal funded under this section unless the Attorney 
General waives, wholly or in part, the requirements of this 
subsection.</DELETED>

<DELETED>SEC. 202. AUTHORIZATION OF APPROPRIATIONS.</DELETED>

<DELETED>    (a) In General.--There is authorized to be appropriated to 
carry out this title $25,000,000 for each of fiscal years 2006 through 
2009.</DELETED>
<DELETED>    (b) Limitations.--Of the amount made available to carry 
out this title in any fiscal year not more than 3 percent may be used 
by the Attorney General for salaries and administrative 
expenses.</DELETED>
<DELETED>    (c) Minimum Amount.--Unless all eligible applications 
submitted by a State or units of local government within a State for a 
grant under this title have been funded, the State, together with 
grantees within the State (other than Indian tribes), shall be 
allocated in each fiscal year under this title not less than 0.75 
percent of the total amount appropriated in the fiscal year for grants 
pursuant to this title, except that the United States Virgin Islands, 
American Samoa, Guam, and the Northern Mariana Islands each shall be 
allocated 0.25 percent.</DELETED>
<DELETED>    (d) Grants to Indian Tribes.--Notwithstanding any other 
provision of this title, the Attorney General may use amounts made 
available under this title to make grants to Indian tribes for use in 
accordance with this title.</DELETED>

               <DELETED>TITLE III--DATA BROKERS</DELETED>

<DELETED>SEC. 301. TRANSPARENCY AND ACCURACY OF DATA 
              COLLECTION.</DELETED>

<DELETED>    (a) In General.--Data brokers engaging in interstate 
commerce are subject to the requirements of this title for any product 
or service offered to third parties that allows access, use, 
compilation, distribution, processing, analyzing, or evaluation of 
sensitive personally identifiable information.</DELETED>
<DELETED>    (b) Limitation.--Notwithstanding any other paragraph of 
this title, this section shall not apply to--</DELETED>
        <DELETED>    (1) data brokers engaging in interstate commerce 
        for any offered product or service currently subject to, and in 
        compliance with, access and accuracy protections similar to 
        those under subsections (c) through (f) of this section under 
        the Fair Credit Reporting Act (Public Law 91-508), or the 
        Gramm-Leach-Bliley Act (Public Law 106-102);</DELETED>
        <DELETED>    (2) data brokers engaging in interstate commerce 
        for any offered product or service currently in compliance with 
        the requirements for such entities under the Health Insurance 
        Portability and Accountability Act (Public Law 104-191), and 
        implementing regulations;</DELETED>
        <DELETED>    (3) information in a personal electronic record 
        held by a data broker if--</DELETED>
                <DELETED>    (A) the data broker maintains such 
                information solely pursuant to a license agreement with 
                another business entity; and</DELETED>
                <DELETED>    (B) the business entity providing such 
                information to the data broker pursuant to a license 
                agreement either complies with the provisions of this 
                section or qualifies for this exemption; and</DELETED>
        <DELETED>    (4) information in a personal record that--
        </DELETED>
                <DELETED>    (A) the data broker has identified as 
                inaccurate, but maintains for the purpose of aiding the 
                data broker in preventing inaccurate information from 
                entering an individual's personal electronic record; 
                and</DELETED>
                <DELETED>    (B) is not maintained primarily for the 
                purpose of transmitting or otherwise providing that 
                information, or assessments based on that information, 
                to non-affiliated third parties.</DELETED>
<DELETED>    (c) Disclosures to Individuals.--</DELETED>
        <DELETED>    (1) In general.--A data broker shall, upon the 
        request of an individual, clearly and accurately disclose to 
        such individual for a reasonable fee all personal electronic 
        records pertaining to that individual maintained for disclosure 
        to third parties in the ordinary course of business in the 
        databases or systems of the data broker at the time of the 
        request.</DELETED>
        <DELETED>    (2) Information on how to correct inaccuracies.--
        The disclosures required under paragraph (1) shall also include 
        guidance to individuals on the processes and procedures for 
        demonstrating and correcting any inaccuracies.</DELETED>
<DELETED>    (d) Creation of an Accuracy Resolution Process.--A data 
broker shall develop and publish on its website timely and fair 
processes and procedures for responding to claims of inaccuracies, 
including procedures for correcting inaccurate information in the 
personal electronic records it maintains on individuals.</DELETED>
<DELETED>    (e) Accuracy Resolution Process.--</DELETED>
        <DELETED>    (1) Information from a public record source.--
        </DELETED>
                <DELETED>    (A) In general.--If an individual notifies 
                a data broker of a dispute as to the completeness or 
                accuracy of information, and the data broker determines 
                that such information is derived from a public record 
                source, the data broker shall determine within 30 days 
                whether the information in its system accurately and 
                completely records the information offered by the 
                public record source.</DELETED>
                <DELETED>    (B) Data broker actions.--If a data broker 
                determines under subparagraph (A) that the information 
                in its systems--</DELETED>
                        <DELETED>    (i) does not accurately and 
                        completely record the information offered by a 
                        public record source, the data broker shall 
                        correct any inaccuracies or incompleteness, and 
                        provide to such individual written notice of 
                        such changes; and</DELETED>
                        <DELETED>    (ii) does accurately and 
                        completely record the information offered by a 
                        public record source, the data broker shall--
                        </DELETED>
                                <DELETED>    (I) provide such 
                                individual with the name, address, and 
                                telephone contact information of the 
                                public record source; and</DELETED>
                                <DELETED>    (II) notify such 
                                individual of the right to add for a 
                                period of 90 days to the personal 
                                electronic record of the individual 
                                maintained by the data broker notice of 
                                the dispute under subsection 
                                (f).</DELETED>
        <DELETED>    (2) Investigation of disputed information not from 
        a public record source.--If the completeness or accuracy of any 
        nonpublic record source disclosed to an individual under 
        subsection (c) is disputed by the individual and such 
        individual notifies the data broker directly of such dispute, 
        the data broker shall, before the end of the 30-day period 
        beginning on the date on which the data broker receives the 
        notice of the dispute--</DELETED>
                <DELETED>    (A) investigate free of charge and record 
                the current status of the disputed information; 
                or</DELETED>
                <DELETED>    (B) delete the item from the individual's 
                data file in accordance with paragraph (8).</DELETED>
        <DELETED>    (3) Extension of period to investigate.--Except as 
        provided in paragraph (4), the 30-day period described in 
        paragraph (1) may be extended for not more than 15 additional 
        days if a data broker receives information from the individual 
        during that 30-day period that is relevant to the 
        investigation.</DELETED>
        <DELETED>    (4) Limitations on extension of period to 
        investigate.--Paragraph (3) shall not apply to any 
        investigation in which, during the 30-day period described in 
        paragraph (1), the information that is the subject of the 
        investigation is found to be inaccurate or incomplete or a data 
        broker determines that the information cannot be 
        verified.</DELETED>
        <DELETED>    (5) Notice identifying the data furnisher.--If the 
        completeness or accuracy of any information disclosed to an 
        individual under subsection (c) is disputed by the individual, 
        a data broker shall provide upon the request of the individual, 
        the name, business address, and telephone contact information 
        of any data furnisher who provided an item of information in 
        dispute.</DELETED>
        <DELETED>    (6) Determination that dispute is frivolous or 
        irrelevant.--</DELETED>
                <DELETED>    (A) In general.--Notwithstanding 
                paragraphs (1) through (4), a data broker may decline 
                to investigate or terminate an investigation of 
                information disputed by an individual under those 
                paragraphs if the data broker reasonably determines 
                that the dispute by the individual is frivolous or 
                irrelevant, including by reason of a failure by the 
                individual to provide sufficient information to 
                investigate the disputed information.</DELETED>
                <DELETED>    (B) Notice.--Not later than 5 business 
                days after making any determination in accordance with 
                subparagraph (A) that a dispute is frivolous or 
                irrelevant, a data broker shall notify the individual 
                of such determination by mail, or if authorized by the 
                individual, by any other means available to the data 
                broker.</DELETED>
                <DELETED>    (C) Contents of notice.--A notice under 
                subparagraph (B) shall include--</DELETED>
                        <DELETED>    (i) the reasons for the 
                        determination under subparagraph (A); 
                        and</DELETED>
                        <DELETED>    (ii) identification of any 
                        information required to investigate the 
                        disputed information, which may consist of a 
                        standardized form describing the general nature 
                        of such information.</DELETED>
        <DELETED>    (7) Consideration of individual information.--In 
        conducting any investigation with respect to disputed 
        information in the personal electronic record of any 
        individual, a data broker shall review and consider all 
        relevant information submitted by the individual in the period 
        described in paragraph (2) with respect to such disputed 
        information.</DELETED>
        <DELETED>    (8) Treatment of inaccurate or unverifiable 
        information.--</DELETED>
                <DELETED>    (A) In general.--If, after any review of 
                public record information under paragraph (1) or any 
                investigation of any information disputed by an 
                individual under paragraphs (2) through (4), an item of 
                information is found to be inaccurate or incomplete or 
                cannot be verified, a data broker shall promptly delete 
                that item of information from the individual's personal 
                electronic record or modify that item of information, 
                as appropriate, based on the results of the 
                investigation.</DELETED>
                <DELETED>    (B) Notice to individuals of reinsertion 
                of previously deleted information.--If any information 
                that has been deleted from an individual's personal 
                electronic record pursuant to subparagraph (A) is 
                reinserted in the personal electronic record of the 
                individual, a data broker shall, not later than 5 days 
                after reinsertion, notify the individual of the 
                reinsertion and identify any data furnisher not 
                previously disclosed in writing, or if authorized by 
                the individual for that purpose, by any other means 
                available to the data broker, unless such notification 
                has been previously given under this 
                subsection.</DELETED>
                <DELETED>    (C) Notice of results of investigation of 
                disputed information from a nonpublic record source.--
                </DELETED>
                        <DELETED>    (i) In general.--Not later than 5 
                        business days after the completion of an 
                        investigation under paragraph (2), a data 
                        broker shall provide written notice to an 
                        individual of the results of the investigation, 
                        by mail or, if authorized by the individual for 
                        that purpose, by other means available to the 
                        data broker.</DELETED>
                        <DELETED>    (ii) Additional requirement.--
                        Before the expiration of the 5-day period, as 
                        part of, or in addition to such notice, a data 
                        broker shall, in writing, provide to an 
                        individual--</DELETED>
                                <DELETED>    (I) a statement that the 
                                investigation is completed;</DELETED>
                                <DELETED>    (II) a report that is 
                                based upon the personal electronic 
                                record of such individual as that 
                                personal electronic record is revised 
                                as a result of the 
                                investigation;</DELETED>
                                <DELETED>    (III) a notice that, if 
                                requested by the individual, a 
                                description of the procedures used to 
                                determine the accuracy and completeness 
                                of the information shall be provided to 
                                the individual by the data broker, 
                                including the business name, address, 
                                and telephone number of any data 
                                furnisher of information contacted in 
                                connection with such information; 
                                and</DELETED>
                                <DELETED>    (IV) a notice that the 
                                individual has the right to request 
                                notifications under subsection 
                                (f).</DELETED>
                <DELETED>    (D) Description of investigation 
                procedures.--Not later than 15 days after receiving a 
                request from an individual for a description referred 
                to in subparagraph (C)(ii)(III), a data broker shall 
                provide to the individual such a description.</DELETED>
                <DELETED>    (E) Expedited dispute resolution.--If by 
                no later than 3 business days after the date on which a 
                data broker receives notice of a dispute from an 
                individual of information in the personal electronic 
                record of such individual in accordance with paragraph 
                (2), a data broker resolves such dispute in accordance 
                with subparagraph (A) by the deletion of the disputed 
                information, then the data broker shall not be required 
                to comply with subsections (e) and (f) with respect to 
                that dispute if the data broker provides to the 
                individual, by telephone or other means authorized by 
                the individual, prompt notice of the 
                deletion.</DELETED>
<DELETED>    (f) Notice of Dispute.--</DELETED>
        <DELETED>    (1) In general.--If the completeness or accuracy 
        of any information disclosed to an individual under subsection 
        (c) is disputed and unless there is a reasonable ground to 
        believe that such dispute is frivolous or irrelevant, an 
        individual may request that the data broker indicate notice of 
        the dispute for a period of--</DELETED>
                <DELETED>    (A) 30 days for information from a 
                nonpublic record source; and</DELETED>
                <DELETED>    (B) 90 days for information from a public 
                record source.</DELETED>
        <DELETED>    (2) Compliance.--A data broker shall be deemed in 
        compliance with the requirements under paragraph (1) by 
        either--</DELETED>
                <DELETED>    (A) allowing the individual to file a 
                brief statement setting forth the nature of the dispute 
                under paragraph (3); or</DELETED>
                <DELETED>    (B) using an alternative notice method 
                that--</DELETED>
                        <DELETED>    (i) clearly flags the disputed 
                        information for third parties accessing the 
                        information; and</DELETED>
                        <DELETED>    (ii) provides a means for third 
                        parties to obtain further information regarding 
                        the nature of the dispute.</DELETED>
        <DELETED>    (3) Contents of statement.--A data broker may 
        limit statements made under paragraph (2)(A) to not more than 
        100 words if it provides an individual with assistance in 
        writing a clear summary of the dispute or until the dispute is 
        resolved.</DELETED>
<DELETED>    (g) Additional Requirements.--The Federal Trade Commission 
may exempt certain classes of data brokers from this title in a 
rulemaking process pursuant to section 553 of title 5, United States 
Code.</DELETED>

<DELETED>SEC. 302. ENFORCEMENT.</DELETED>

<DELETED>    (a) Civil Penalties.--</DELETED>
        <DELETED>    (1) Penalties.--Any data broker that violates the 
        provisions of section 301 shall be subject to civil penalties 
        of not more than $1,000 per violation per day, with a maximum 
        of $15,000 per day, while such violations persist.</DELETED>
        <DELETED>    (2) Intentional or willful violation.--A data 
        broker that intentionally or willfully violates the provisions 
        of section 301 shall be subject to additional penalties in the 
        amount of $1,000 per violation per day, with a maximum of an 
        additional $15,000 per day, while such violations 
        persist.</DELETED>
        <DELETED>    (3) Equitable relief.--A data broker engaged in 
        interstate commerce that violates this section may be enjoined 
        from further violations by a court of competent 
        jurisdiction.</DELETED>
        <DELETED>    (4) Other rights and remedies.--The rights and 
        remedies available under this subsection are cumulative and 
        shall not affect any other rights and remedies available under 
        law.</DELETED>
<DELETED>    (b) Injunctive Actions by the Attorney General.--
</DELETED>
        <DELETED>    (1) In general.--Whenever it appears that a data 
        broker to which this title applies has engaged, is engaged, or 
        is about to engage, in any act or practice constituting a 
        violation of this title, the Attorney General may bring a civil 
        action in an appropriate district court of the United States 
        to--</DELETED>
                <DELETED>    (A) enjoin such act or practice;</DELETED>
                <DELETED>    (B) enforce compliance with this 
                title;</DELETED>
                <DELETED>    (C) obtain damages--</DELETED>
                        <DELETED>    (i) in the sum of actual damages, 
                        restitution, and other compensation on behalf 
                        of the affected residents of a State; 
                        and</DELETED>
                        <DELETED>    (ii) punitive damages, if the 
                        violation is willful or intentional; 
                        and</DELETED>
                <DELETED>    (D) obtain such other relief as the court 
                determines to be appropriate.</DELETED>
        <DELETED>    (2) Other injunctive relief.--Upon a proper 
        showing in the action under paragraph (1), the court shall 
        grant a permanent injunction or a temporary restraining order 
        without bond.</DELETED>
<DELETED>    (c) State Enforcement.--</DELETED>
        <DELETED>    (1) Civil actions.--In any case in which the 
        attorney general of a State has reason to believe that an 
        interest of the residents of that State has been or is 
        threatened or adversely affected by an act or practice that 
        violates this title, the State may bring a civil action on 
        behalf of the residents of that State in a district court of 
        the United States of appropriate jurisdiction, or any other 
        court of competent jurisdiction, to--</DELETED>
                <DELETED>    (A) enjoin that act or practice;</DELETED>
                <DELETED>    (B) enforce compliance with this 
                title;</DELETED>
                <DELETED>    (C) obtain--</DELETED>
                        <DELETED>    (i) damages in the sum of actual 
                        damages, restitution, or other compensation on 
                        behalf of affected residents of the State; 
                        and</DELETED>
                        <DELETED>    (ii) punitive damages, if the 
                        violation is willful or intentional; 
                        or</DELETED>
                <DELETED>    (D) obtain such other legal and equitable 
                relief as the court may consider to be 
                appropriate.</DELETED>
        <DELETED>    (2) Notice.--</DELETED>
                <DELETED>    (A) In general.--Before filing an action 
                under this subsection, the attorney general of the 
                State involved shall provide to the Attorney General--
                </DELETED>
                        <DELETED>    (i) a written notice of that 
                        action; and</DELETED>
                        <DELETED>    (ii) a copy of the complaint for 
                        that action.</DELETED>
                <DELETED>    (B) Exception.--Subparagraph (A) shall not 
                apply with respect to the filing of an action by an 
                attorney general of a State under this subsection, if 
                the attorney general of a State determines that it is 
                not feasible to provide the notice described in this 
                subparagraph before the filing of the action.</DELETED>
                <DELETED>    (C) Notification when practicable.--In an 
                action described under subparagraph (B), the attorney 
                general of a State shall provide the written notice and 
                the copy of the complaint to the Attorney General as 
                soon after the filing of the complaint as 
                practicable.</DELETED>
        <DELETED>    (3) Attorney general authority.--Upon receiving 
        notice under paragraph (2), the Attorney General shall have the 
        right to--</DELETED>
                <DELETED>    (A) move to stay the action, pending the 
                final disposition of a pending Federal proceeding or 
                action as described in paragraph (4);</DELETED>
                <DELETED>    (B) intervene in an action brought under 
                paragraph (1); and</DELETED>
                <DELETED>    (C) file petitions for appeal.</DELETED>
        <DELETED>    (4) Pending proceedings.--If the Attorney General 
        has instituted a proceeding or action for a violation of this 
        title or any regulations thereunder, no attorney general of a 
        State may, during the pendency of such proceeding or action, 
        bring an action under this subsection against any defendant 
        named in such criminal proceeding or civil action for any 
        violation that is alleged in that proceeding or 
        action.</DELETED>
        <DELETED>    (5) Rule of construction.--For purposes of 
        bringing any civil action under paragraph (1), nothing in this 
        title shall be construed to prevent an attorney general of a 
        State from exercising the powers conferred on the attorney 
        general by the laws of that State to--</DELETED>
                <DELETED>    (A) conduct investigations;</DELETED>
                <DELETED>    (B) administer oaths and affirmations; 
                or</DELETED>
                <DELETED>    (C) compel the attendance of witnesses or 
                the production of documentary and other 
                evidence.</DELETED>
        <DELETED>    (6) Venue; service of process.--</DELETED>
                <DELETED>    (A) Venue.--Any action brought under this 
                subsection may be brought in the district court of the 
                United States that meets applicable requirements 
                relating to venue under section 1931 of title 28, 
                United States Code.</DELETED>
                <DELETED>    (B) Service of process.--In an action 
                brought under this subsection process may be served in 
                any district in which the defendant--</DELETED>
                        <DELETED>    (i) is an inhabitant; or</DELETED>
                        <DELETED>    (ii) may be found.</DELETED>
<DELETED>    (d) No Private Cause of Action.--Nothing in this title 
establishes a private cause of action against a data broker for 
violation of any provision of this title.</DELETED>

<DELETED>SEC. 303. RELATION TO STATE LAWS.</DELETED>

<DELETED>    No requirement or prohibition may be imposed under the 
laws of any State with respect to any subject matter regulated under 
section 301, relating to individual access to, and correction of, 
personal electronic records held by data brokers.</DELETED>

<DELETED>SEC. 304. EFFECTIVE DATE.</DELETED>

<DELETED>    This title shall take effect 180 days after the date of 
enactment of this Act and shall be implemented pursuant to a State by 
State rollout schedule set by the Federal Trade Commission, but in no 
case shall full implementation and effect of this title occur later 
than 1 year and 180 days after the date of enactment of this 
Act.</DELETED>

  <DELETED>TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE 
                         INFORMATION</DELETED>

    <DELETED>Subtitle A--Data Privacy and Security Program</DELETED>

<DELETED>SEC. 401. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND 
              SECURITY PROGRAM.</DELETED>

<DELETED>    (a) Purpose.--The purpose of this subtitle is to ensure 
standards for developing and implementing administrative, technical, 
and physical safeguards to protect the privacy, security, 
confidentiality, integrity, storage, and disposal of sensitive 
personally identifiable information.</DELETED>
<DELETED>    (b) In General.--A business entity engaging in interstate 
commerce that involves collecting, accessing, transmitting, using, 
storing, or disposing of sensitive personally identifiable information 
in electronic or digital form on 10,000 or more United States persons 
is subject to the requirements for a data privacy and security program 
under section 402 for protecting sensitive personally identifiable 
information.</DELETED>
<DELETED>    (c) Limitations.--Notwithstanding any other obligation 
under this subtitle, this subtitle does not apply to--</DELETED>
        <DELETED>    (1) financial institutions--</DELETED>
                <DELETED>    (A) subject to the data security 
                requirements and implementing regulations under the 
                Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); 
                and</DELETED>
                <DELETED>    (B) subject to--</DELETED>
                        <DELETED>    (i) examinations for compliance 
                        with the requirements of this Act by 1 or more 
                        Federal or State functional regulators (as 
                        defined in section 509 of the Gramm-Leach-
                        Bliley Act (15 U.S.C. 6809)); or</DELETED>
                        <DELETED>    (ii) compliance with part 314 of 
                        title 16, Code of Federal Regulations; 
                        or</DELETED>
        <DELETED>    (2) ``covered entities'' subject to the Health 
        Insurance Portability and Accountability Act of 1996 (42 U.S.C. 
        1301 et seq.), including the data security requirements and 
        implementing regulations of that Act.</DELETED>
<DELETED>    (d) Safe Harbor.--A business entity shall be deemed in 
compliance with the privacy and security program requirements under 
section 402 if the business entity complies with or provides protection 
equal to industry standards, as identified by the Federal Trade 
Commission, that are applicable to the type of sensitive personally 
identifiable information involved in the ordinary course of business of 
such business entity.</DELETED>

<DELETED>SEC. 402. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND 
              SECURITY PROGRAM.</DELETED>

<DELETED>    (a) Personal Data Privacy and Security Program.--Unless 
otherwise limited under section 401(c), a business entity subject to 
this subtitle shall comply with the following safeguards and any others 
identified by the Federal Trade Commission in a rulemaking process 
pursuant to section 553 of title 5, United States Code, to protect the 
privacy and security of sensitive personally identifiable 
information:</DELETED>
        <DELETED>    (1) Scope.--A business entity shall implement a 
        comprehensive personal data privacy and security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity of the business entity 
        and the nature and scope of its activities.</DELETED>
        <DELETED>    (2) Design.--The personal data privacy and 
        security program shall be designed to--</DELETED>
                <DELETED>    (A) ensure the privacy, security, and 
                confidentiality of personal electronic 
                records;</DELETED>
                <DELETED>    (B) protect against any anticipated 
                vulnerabilities to the privacy, security, or integrity 
                of personal electronic records; and</DELETED>
                <DELETED>    (C) protect against unauthorized access to 
                or use of personal electronic records that could result in 
                substantial harm or inconvenience to any 
                individual.</DELETED>
        <DELETED>    (3) Risk assessment.--A business entity shall--
        </DELETED>
                <DELETED>    (A) identify reasonably foreseeable 
                internal and external vulnerabilities that could result 
                in unauthorized access, disclosure, use, or alteration 
                of sensitive personally identifiable information or 
                systems containing sensitive personally identifiable 
                information;</DELETED>
                <DELETED>    (B) assess the likelihood of and potential 
                damage from unauthorized access, disclosure, use, or 
                alteration of sensitive personally identifiable 
                information; and</DELETED>
                <DELETED>    (C) assess the sufficiency of its 
                policies, technologies, and safeguards in place to 
                control and minimize risks from unauthorized access, 
                disclosure, use, or alteration of sensitive personally 
                identifiable information.</DELETED>
        <DELETED>    (4) Risk management and control.--Each business 
        entity shall--</DELETED>
                <DELETED>    (A) design its personal data privacy and 
                security program to control the risks identified under 
                paragraph (3); and</DELETED>
                <DELETED>    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, and scope of the activities of the business 
                entity that--</DELETED>
                        <DELETED>    (i) control access to systems and 
                        facilities containing sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;</DELETED>
                        <DELETED>    (ii) detect actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        disclosure, use, or alteration of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access; and</DELETED>
                        <DELETED>    (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption or other reasonable means (including 
                        as directed for disposal of records under 
                        section 628 of the Fair Credit Reporting Act 
                        (15 U.S.C. 1681w) and the implementing 
                        regulations of such Act as set forth in section 
                        682 of title 16, Code of Federal 
                        Regulations).</DELETED>
<DELETED>    (b) Training.--Each business entity subject to this 
subtitle shall take steps to ensure employee training and supervision 
for implementation of the data security program of the business 
entity.</DELETED>
<DELETED>    (c) Vulnerability Testing.--</DELETED>
        <DELETED>    (1) In general.--Each business entity subject to 
        this subtitle shall take steps to ensure regular testing of key 
        controls, systems, and procedures of the personal data privacy 
        and security program to detect, prevent, and respond to attacks 
        or intrusions, or other system failures.</DELETED>
        <DELETED>    (2) Frequency.--The frequency and nature of the 
        tests required under paragraph (1) shall be determined by the 
        risk assessment of the business entity under subsection 
        (a)(3).</DELETED>
<DELETED>    (d) Relationship to Service Providers.--In the event a 
business entity subject to this subtitle engages service providers not 
subject to this subtitle, such business entity shall--</DELETED>
        <DELETED>    (1) exercise appropriate due diligence in 
        selecting those service providers for responsibilities related 
        to sensitive personally identifiable information, and take 
        reasonable steps to select and retain service providers that 
        are capable of maintaining appropriate safeguards for the 
        security, privacy, and integrity of the sensitive personally 
        identifiable information at issue; and</DELETED>
        <DELETED>    (2) require those service providers by contract to 
        implement and maintain appropriate measures designed to meet 
        the objectives and requirements governing entities subject to 
        this section, section 401, and subtitle B.</DELETED>
<DELETED>    (e) Periodic Assessment and Personal Data Privacy and 
Security Modernization.--Each business entity subject to this subtitle 
shall on a regular basis monitor, evaluate, and adjust, as appropriate, 
its data privacy and security program in light of any relevant changes 
in--</DELETED>
        <DELETED>    (1) technology;</DELETED>
        <DELETED>    (2) the sensitivity of personally identifiable 
        information;</DELETED>
        <DELETED>    (3) internal or external threats to personally 
        identifiable information; and</DELETED>
        <DELETED>    (4) the changing business arrangements of the 
        business entity, such as--</DELETED>
                <DELETED>    (A) mergers and acquisitions;</DELETED>
                <DELETED>    (B) alliances and joint 
                ventures;</DELETED>
                <DELETED>    (C) outsourcing arrangements;</DELETED>
                <DELETED>    (D) bankruptcy; and</DELETED>
                <DELETED>    (E) changes to sensitive personally 
                identifiable information systems.</DELETED>
<DELETED>    (f) Implementation Time Line.--Not later than 1 year after 
the date of enactment of this Act, a business entity subject to the 
provisions of this subtitle shall implement a data privacy and security 
program pursuant to this subtitle.</DELETED>

<DELETED>SEC. 403. ENFORCEMENT.</DELETED>

<DELETED>    (a) Civil Penalties.--</DELETED>
        <DELETED>    (1) In general.--Any business entity that violates 
        the provisions of sections 401 or 402 shall be subject to civil 
        penalties of not more than $5,000 per violation per day, with a 
        maximum of $35,000 per day, while such violations 
        persist.</DELETED>
        <DELETED>    (2) Intentional or willful violation.--A business 
        entity that intentionally or willfully violates the provisions 
        of sections 401 or 402 shall be subject to additional penalties 
        in the amount of $5,000 per violation per day, with a maximum 
        of an additional $35,000 per day, while such violations 
        persist.</DELETED>
        <DELETED>    (3) Equitable relief.--A business entity engaged 
        in interstate commerce that violates this section may be 
        enjoined from further violations by a court of competent 
        jurisdiction.</DELETED>
        <DELETED>    (4) Other rights and remedies.--The rights and 
        remedies available under this section are cumulative and shall 
        not affect any other rights and remedies available under 
        law.</DELETED>
<DELETED>    (b) Injunctive Actions by the Attorney General.--
</DELETED>
        <DELETED>    (1) In general.--Whenever it appears that a 
        business entity or agency to which this subtitle applies has 
        engaged, is engaged, or is about to engage, in any act or 
        practice constituting a violation of this subtitle, the 
        Attorney General may bring a civil action in an appropriate 
        district court of the United States to--</DELETED>
                <DELETED>    (A) enjoin such act or practice;</DELETED>
                <DELETED>    (B) enforce compliance with this subtitle; 
                and</DELETED>
                <DELETED>    (C) obtain damages--</DELETED>
                        <DELETED>    (i) in the sum of actual damages, 
                        restitution, and other compensation on behalf 
                        of the affected residents of a State; 
                        and</DELETED>
                        <DELETED>    (ii) punitive damages, if the 
                        violation is willful or intentional; 
                        and</DELETED>
                <DELETED>    (D) obtain such other relief as the court 
                determines to be appropriate.</DELETED>
        <DELETED>    (2) Other injunctive relief.--Upon a proper 
        showing in the action under paragraph (1), the court shall 
        grant a permanent injunction or a temporary restraining order 
        without bond.</DELETED>
<DELETED>    (c) State Enforcement.--</DELETED>
        <DELETED>    (1) Civil actions.--In any case in which the 
        attorney general of a State has reason to believe that an 
        interest of the residents of that State has been or is 
        threatened or adversely affected by an act or practice that 
        violates this subtitle, the State may bring a civil action on 
        behalf of the residents of that State in a district court of 
        the United States of appropriate jurisdiction, or any other 
        court of competent jurisdiction, to--</DELETED>
                <DELETED>    (A) enjoin that act or practice;</DELETED>
                <DELETED>    (B) enforce compliance with this 
                subtitle;</DELETED>
                <DELETED>    (C) obtain--</DELETED>
                        <DELETED>    (i) damages in the sum of actual 
                        damages, restitution, or other compensation on 
                        behalf of affected residents of the State; 
                        and</DELETED>
                        <DELETED>    (ii) punitive damages, if the 
                        violation is willful or intentional; 
                        or</DELETED>
                <DELETED>    (D) obtain such other legal and equitable 
                relief as the court may consider to be 
                appropriate.</DELETED>
        <DELETED>    (2) Notice.--</DELETED>
                <DELETED>    (A) In general.--Before filing an action 
                under this subsection, the attorney general of the 
                State involved shall provide to the Attorney General--
                </DELETED>
                        <DELETED>    (i) a written notice of that 
                        action; and</DELETED>
                        <DELETED>    (ii) a copy of the complaint for 
                        that action.</DELETED>
                <DELETED>    (B) Exception.--Subparagraph (A) shall not 
                apply with respect to the filing of an action by an 
                attorney general of a State under this subsection, if 
                the attorney general of a State determines that it is 
                not feasible to provide the notice described in this 
                subparagraph before the filing of the action.</DELETED>
                <DELETED>    (C) Notification when practicable.--In an 
                action described under subparagraph (B), the attorney 
                general of a State shall provide the written notice and 
                the copy of the complaint to the Attorney General as 
                soon after the filing of the complaint as 
                practicable.</DELETED>
        <DELETED>    (3) Attorney general authority.--Upon receiving 
        notice under paragraph (2), the Attorney General shall have the 
        right to--</DELETED>
                <DELETED>    (A) move to stay the action, pending the 
                final disposition of a pending Federal proceeding or 
                action as described in paragraph (4);</DELETED>
                <DELETED>    (B) intervene in an action brought under 
                paragraph (1); and</DELETED>
                <DELETED>    (C) file petitions for appeal.</DELETED>
        <DELETED>    (4) Pending proceedings.--If the Attorney General 
        has instituted a proceeding or action for a violation of this 
        title or any regulations thereunder, no attorney general of a 
        State may, during the pendency of such proceeding or action, 
        bring an action under this subsection against any defendant 
        named in such criminal proceeding or civil action for any 
        violation that is alleged in that proceeding or 
        action.</DELETED>
        <DELETED>    (5) Rule of construction.--For purposes of 
        bringing any civil action under paragraph (1) nothing in this 
        title shall be construed to prevent an attorney general of a 
        State from exercising the powers conferred on the attorney 
        general by the laws of that State to--</DELETED>
                <DELETED>    (A) conduct investigations;</DELETED>
                <DELETED>    (B) administer oaths and affirmations; 
                or</DELETED>
                <DELETED>    (C) compel the attendance of witnesses or 
                the production of documentary and other 
                evidence.</DELETED>
        <DELETED>    (6) Venue; service of process.--</DELETED>
                <DELETED>    (A) Venue.--Any action brought under this 
                subsection may be brought in the district court of the 
                United States that meets applicable requirements 
                relating to venue under section 1931 of title 28, 
                United States Code.</DELETED>
                <DELETED>    (B) Service of process.--In an action 
                brought under this subsection process may be served in 
                any district in which the defendant--</DELETED>
                        <DELETED>    (i) is an inhabitant; or</DELETED>
                        <DELETED>    (ii) may be found.</DELETED>
<DELETED>    (d) No Private Cause of Action.--Nothing in this title 
establishes a private cause of action against a business entity for 
violation of any provision of this subtitle.</DELETED>

<DELETED>SEC. 404. RELATION TO STATE LAWS.</DELETED>

<DELETED>    (a) In General.--No State may--</DELETED>
        <DELETED>    (1) require an entity described in section 401(c) 
        to comply with this subtitle or any regulation promulgated 
        thereunder; and</DELETED>
        <DELETED>    (2) require an entity in compliance with the safe 
        harbor established under section 401(d), to comply with any 
        other provision of this subtitle.</DELETED>
<DELETED>    (b) Effect of Subtitle A.--Except as provided in 
subsection (a), this subtitle does not annul, alter, affect, or exempt 
any person subject to the provisions of this subtitle from complying 
with the laws of any State with respect to security programs for 
sensitive personally identifiable information, except to the extent 
that those laws are inconsistent with any provisions of this subtitle, 
and then only to the extent of such inconsistency.</DELETED>

      <DELETED>Subtitle B--Security Breach Notification</DELETED>

<DELETED>SEC. 421. NOTICE TO INDIVIDUALS.</DELETED>

<DELETED>    (a) In General.--Any agency, or business entity engaged in 
interstate commerce, that uses, accesses, transmits, stores, disposes 
of or collects sensitive personally identifiable information shall, 
following the discovery of a security breach maintained by the agency 
or business entity that contains such information, notify any resident 
of the United States whose sensitive personally identifiable 
information was subject to the security breach.</DELETED>
<DELETED>    (b) Obligation of Owner or Licensee.--</DELETED>
        <DELETED>    (1) Notice to owner or licensee.--Any agency, or 
        business entity engaged in interstate commerce, that uses, 
        accesses, transmits, stores, disposes of, or collects sensitive 
        personally identifiable information that the agency or business 
        entity does not own or license shall notify the owner or 
        licensee of the information following the discovery of a 
        security breach containing such information.</DELETED>
        <DELETED>    (2) Notice by owner, licensee or other designated 
        third party.--Nothing in this subtitle shall prevent or abrogate 
        an agreement between an agency or business entity required to 
        give notice under this section and a designated third party, 
        including an owner or licensee of the sensitive personally 
        identifiable information subject to the security breach, to 
        provide the notifications required under subsection 
        (a).</DELETED>
        <DELETED>    (3) Business entity relieved from giving notice.--
        A business entity obligated to give notice under subsection (a) 
        shall be relieved of such obligation if an owner or licensee of 
        the sensitive personally identifiable information subject to 
        the security breach, or other designated third party, provides 
        such notification.</DELETED>
<DELETED>    (c) Timeliness of Notification.--</DELETED>
        <DELETED>    (1) In general.--All notifications required under 
        this section shall be made without unreasonable delay 
        following--</DELETED>
                <DELETED>    (A) the discovery by the agency or 
                business entity of a security breach; and</DELETED>
                <DELETED>    (B) any measures necessary to determine 
                the scope of the breach, prevent further disclosures, 
                and restore the reasonable integrity of the data 
                system.</DELETED>
        <DELETED>    (2) Burden of proof.--The agency, business entity, 
        owner, or licensee required to provide notification under this 
        section shall have the burden of demonstrating that all 
        notifications were made as required under this subtitle, 
        including evidence demonstrating the necessity of any 
        delay.</DELETED>
<DELETED>    (d) Delay of Notification Authorized for Law Enforcement 
Purposes.--</DELETED>
        <DELETED>    (1) In general.--If a law enforcement agency 
        determines that the notification required under this section 
        would impede a criminal investigation, such notification may be 
        delayed upon the written request of the law enforcement 
        agency.</DELETED>
        <DELETED>    (2) Extended delay of notification.--If the 
        notification required under subsection (a) is delayed pursuant 
        to paragraph (1), an agency or business entity shall give 
        notice 30 days after the day such law enforcement delay was 
        invoked unless a law enforcement agency provides written 
        notification that further delay is necessary.</DELETED>

<DELETED>SEC. 422. EXEMPTIONS.</DELETED>

<DELETED>    (a) Exemption for National Security and Law Enforcement.--
</DELETED>
        <DELETED>    (1) In general.--Section 421 shall not apply to an 
        agency if the head of the agency certifies, in writing, that 
        notification of the security breach as required by section 421 
        reasonably could be expected to--</DELETED>
                <DELETED>    (A) cause damage to the national security; 
                or</DELETED>
                <DELETED>    (B) hinder a law enforcement investigation 
                or the ability of the agency to conduct law enforcement 
                investigations.</DELETED>
        <DELETED>    (2) Limits on certifications.--The head of an 
        agency may not execute a certification under paragraph (1) to--
        </DELETED>
                <DELETED>    (A) conceal violations of law, 
                inefficiency, or administrative error;</DELETED>
                <DELETED>    (B) prevent embarrassment to a business 
                entity, organization, or agency; or</DELETED>
                <DELETED>    (C) restrain competition.</DELETED>
        <DELETED>    (3) Notice.--In every case in which a head of an 
        agency issues a certification under paragraph (1), the 
        certification, accompanied by a concise description of the 
        factual basis for the certification, shall be immediately 
        provided to the Congress.</DELETED>
<DELETED>    (b) Risk Assessment Exemption.--An agency or business 
entity will be exempt from the notice requirements under section 421, 
if--</DELETED>
        <DELETED>    (1) a risk assessment concludes that there is no 
        significant risk that the security breach has resulted in, or 
        will result in, harm to the individuals whose sensitive 
        personally identifiable information was subject to the security 
        breach;</DELETED>
        <DELETED>    (2) without unreasonable delay, but not later than 
        45 days after the discovery of a security breach, unless 
        extended by the United States Secret Service, the business 
        entity notifies the United States Secret Service, in writing, 
        of--</DELETED>
                <DELETED>    (A) the results of the risk 
                assessment;</DELETED>
                <DELETED>    (B) its decision to invoke the risk 
                assessment exemption; and</DELETED>
        <DELETED>    (3) the United States Secret Service does not 
        indicate, in writing, within 10 days from receipt of the 
        decision, that notice should be given.</DELETED>
<DELETED>    (c) Financial Fraud Prevention Exemption.--</DELETED>
        <DELETED>    (1) In general.--A business entity will be exempt 
        from the notice requirement under section 421 if the business 
        entity utilizes or participates in a security program that--
        </DELETED>
                <DELETED>    (A) is designed to block the use of the 
                sensitive personally identifiable information to 
                initiate unauthorized financial transactions before 
                they are charged to the account of the individual; 
                and</DELETED>
                <DELETED>    (B) provides for notice after a security 
                breach that has resulted in fraud or unauthorized 
                transactions.</DELETED>
        <DELETED>    (2) Limitation.--The exemption by this subsection 
        does not apply if the information subject to the security 
        breach includes, in addition to an account number, sensitive 
        personally identifiable information.</DELETED>

<DELETED>SEC. 423. METHODS OF NOTICE.</DELETED>

<DELETED>    An agency, or business entity shall be in compliance with 
section 421 if it provides:</DELETED>
        <DELETED>    (1) Individual notice.--</DELETED>
                <DELETED>    (A) Written notification to the last known 
                home mailing address of the individual in the records 
                of the agency or business entity; or</DELETED>
                <DELETED>    (B) E-mail notice, if the individual has 
                consented to receive such notice and the notice is 
                consistent with the provisions permitting electronic 
                transmission of notices under section 101 of the 
                Electronic Signatures in Global and National Commerce 
                Act (15 U.S.C. 7001).</DELETED>
        <DELETED>    (2) Media notice.--If more than 5,000 residents of 
        a State or jurisdiction are impacted, notice to major media 
        outlets serving that State or jurisdiction.</DELETED>

<DELETED>SEC. 424. CONTENT OF NOTIFICATION.</DELETED>

<DELETED>    (a) In General.--Regardless of the method by which notice 
is provided to individuals under section 423, such notice shall 
include, to the extent possible--</DELETED>
        <DELETED>    (1) a description of the categories of sensitive 
        personally identifiable information that was, or is reasonably 
        believed to have been, acquired by an unauthorized 
        person;</DELETED>
        <DELETED>    (2) a toll-free number--</DELETED>
                <DELETED>    (A) that the individual may use to contact 
                the agency or business entity, or the agent of the 
                agency or business entity; and</DELETED>
                <DELETED>    (B) from which the individual may learn--
                </DELETED>
                        <DELETED>    (i) what types of sensitive 
                        personally identifiable information the agency 
                        or business entity maintained about that 
                        individual or about individuals in general; 
                        and</DELETED>
                        <DELETED>    (ii) whether or not the agency or 
                        business entity maintained sensitive personally 
                        identifiable information about that individual; 
                        and</DELETED>
        <DELETED>    (3) the toll-free contact telephone numbers and 
        addresses for the major credit reporting agencies.</DELETED>
<DELETED>    (b) Additional Content.--Notwithstanding section 429, a 
State may require that a notice under subsection (a) shall also include 
information regarding victim protection assistance provided for by that 
State.</DELETED>

<DELETED>SEC. 425. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING 
              AGENCIES.</DELETED>

<DELETED>    If an agency or business entity is required to provide 
notification to more than 1,000 individuals under section 421(a), the 
agency or business entity shall also notify, without unreasonable 
delay, all consumer reporting agencies that compile and maintain files 
on consumers on a nationwide basis (as defined in section 603(p) of the 
Fair Credit Reporting Act (15 U.S.C. 1681a(p)) of the timing and 
distribution of the notices.</DELETED>

<DELETED>SEC. 426. NOTICE TO LAW ENFORCEMENT.</DELETED>

<DELETED>    (a) Secret Service.--Any business entity or agency 
required to give notice under section 421 shall also give notice to the 
United States Secret Service if the security breach impacts--</DELETED>
        <DELETED>    (1) more than 10,000 individuals 
        nationwide;</DELETED>
        <DELETED>    (2) a database, networked or integrated databases, 
        or other data system associated with the sensitive personally 
        identifiable information on more than 1,000,000 individuals 
        nationwide;</DELETED>
        <DELETED>    (3) databases owned by the Federal Government; 
        or</DELETED>
        <DELETED>    (4) primarily sensitive personally identifiable 
        information of employees and contractors of the Federal 
        Government involved in national security or law 
        enforcement.</DELETED>
<DELETED>    (b) Notice to Other Law Enforcement Agencies.--The United 
States Secret Service shall be responsible for notifying--</DELETED>
        <DELETED>    (1)(A) the Federal Bureau of Investigation, if the 
        security breach involves espionage, foreign 
        counterintelligence, information protected against unauthorized 
        disclosure for reasons of national defense or foreign 
        relations, or Restricted Data (as that term is defined in 
        section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 
        2014(y)), except for offenses affecting the duties of the 
        United States Secret Service under section 3056(a) of title 18, 
        United States Code; and</DELETED>
        <DELETED>    (B) the United States Postal Inspection Service, 
        if the security breach involves mail fraud; and</DELETED>
        <DELETED>    (2) the attorney general of each State affected by 
        the security breach.</DELETED>
<DELETED>    (c) 30-Day Rule.--The notices to Federal law enforcement 
and the attorney general of each State affected by a security breach 
required under this section shall be delivered without unreasonable 
delay, but not later than 30 days after discovery of the events 
requiring notice.</DELETED>

<DELETED>SEC. 427. CIVIL REMEDIES.</DELETED>

<DELETED>    (a) Penalties.--Any agency, or business entity engaged in 
interstate commerce, that violates this subtitle shall be subject to a 
fine of--</DELETED>
        <DELETED>    (1) not more than $1,000 per individual per day 
        whose sensitive personally identifiable information was, or is 
        reasonably believed to have been, acquired by an unauthorized 
        person; or</DELETED>
        <DELETED>    (2) not more than $50,000 per day while the 
        failure to give notice under this subtitle persists.</DELETED>
<DELETED>    (b) Equitable Relief.--Any agency or business entity that 
violates, proposes to violate, or has violated this subtitle may be 
enjoined from further violations by a court of competent 
jurisdiction.</DELETED>
<DELETED>    (c) Other Rights and Remedies.--The rights and remedies 
available under this subtitle are cumulative and shall not affect any 
other rights and remedies available under law.</DELETED>
<DELETED>    (d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit 
Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or 
evidence that the consumer has received notice that the consumer's 
financial information has or may have been compromised,'' after 
``identity theft report''.</DELETED>
<DELETED>    (e) Injunctive Actions by the Attorney General.--Whenever 
it appears that a business entity or agency to which this subtitle 
applies has engaged, is engaged, or is about to engage, in any act or 
practice constituting a violation of this subtitle, the Attorney 
General may bring a civil action in an appropriate district court of 
the United States to--</DELETED>
        <DELETED>    (1) enjoin such act or practice;</DELETED>
        <DELETED>    (2) enforce compliance with this 
        subtitle;</DELETED>
        <DELETED>    (3) obtain damages--</DELETED>
                <DELETED>    (A) in the sum of actual damages, 
                restitution, and other compensation on behalf of the 
                affected residents of a State; and</DELETED>
                <DELETED>    (B) punitive damages, if the violation is 
                willful or intentional; and</DELETED>
        <DELETED>    (4) obtain such other relief as the court 
        determines to be appropriate.</DELETED>

<DELETED>SEC. 428. ENFORCEMENT BY STATE ATTORNEYS GENERAL.</DELETED>

<DELETED>    (a) In General.--</DELETED>
        <DELETED>    (1) Civil actions.--In any case in which the 
        attorney general of a State, or any State or local law 
        enforcement agency authorized by the State attorney general or 
        by State statute to prosecute violations of consumer protection 
        law, has reason to believe that an interest of the residents of 
        that State has been or is threatened or adversely affected by 
        the engagement of any agency or business entity in a practice 
        that is prohibited under this subtitle, the State, as parens 
        patriae on behalf of the residents of the State, or the State 
        or local law enforcement agency on behalf of the residents of 
        the agency's jurisdiction, may bring a civil action on behalf 
        of the residents of the State or jurisdiction in a district 
        court of the United States of appropriate jurisdiction or any 
        other court of competent jurisdiction, including a State court, 
        to--</DELETED>
                <DELETED>    (A) enjoin that practice;</DELETED>
                <DELETED>    (B) enforce compliance with this 
                subtitle;</DELETED>
                <DELETED>    (C) obtain damages, restitution, or other 
                compensation on behalf of residents of the State; 
                or</DELETED>
                <DELETED>    (D) obtain such other relief as the court 
                may consider to be appropriate.</DELETED>
        <DELETED>    (2) Notice.--</DELETED>
                <DELETED>    (A) In general.--Before filing an action 
                under paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--</DELETED>
                        <DELETED>    (i) written notice of the action; 
                        and</DELETED>
                        <DELETED>    (ii) a copy of the complaint for 
                        the action.</DELETED>
                <DELETED>    (B) Exemption.--</DELETED>
                        <DELETED>    (i) In general.--Subparagraph (A) 
                        shall not apply with respect to the filing of 
                        an action by an attorney general of a State 
                        under this subtitle, if the State attorney 
                        general determines that it is not feasible to 
                        provide the notice described in such 
                        subparagraph before the filing of the 
                        action.</DELETED>
                        <DELETED>    (ii) Notification.--In an action 
                        described in clause (i), the attorney general 
                        of a State shall provide notice and a copy of 
                        the complaint to the Attorney General at the 
                        time the State attorney general files the 
                        action.</DELETED>
<DELETED>    (b) Federal Proceedings.--Upon receiving notice under 
subsection (a)(2), the Attorney General shall have the right to--</DELETED>
        <DELETED>    (1) move to stay the action, pending the final 
        disposition of a pending Federal proceeding or 
        action;</DELETED>
        <DELETED>    (2) intervene in an action brought under 
        subsection (a)(2); and</DELETED>
        <DELETED>    (3) file petitions for appeal.</DELETED>
<DELETED>    (c) Pending Proceedings.--If the Attorney General has 
instituted a proceeding or action for a violation of this subtitle or 
any regulations thereunder, no attorney general of a State may, during 
the pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.</DELETED>
<DELETED>    (d) Construction.--For purposes of bringing any civil 
action under subsection (a), nothing in this subtitle regarding 
notification shall be construed to prevent an attorney general of a 
State from exercising the powers conferred on such attorney general by 
the laws of that State to--</DELETED>
        <DELETED>    (1) conduct investigations;</DELETED>
        <DELETED>    (2) administer oaths or affirmations; or</DELETED>
        <DELETED>    (3) compel the attendance of witnesses or the 
        production of documentary and other evidence.</DELETED>
<DELETED>    (e) Venue; Service of Process.--</DELETED>
        <DELETED>    (1) Venue.--Any action brought under subsection 
        (a) may be brought in--</DELETED>
                <DELETED>    (A) the district court of the United 
                States that meets applicable requirements relating to 
                venue under section 1391 of title 28, United States 
                Code; or</DELETED>
                <DELETED>    (B) another court of competent 
                jurisdiction.</DELETED>
        <DELETED>    (2) Service of process.--In an action brought 
        under subsection (a), process may be served in any district in 
        which the defendant--</DELETED>
                <DELETED>    (A) is an inhabitant; or</DELETED>
                <DELETED>    (B) may be found.</DELETED>
<DELETED>    (f) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a data broker for 
violation of any provision of this subtitle.</DELETED>

<DELETED>SEC. 429. EFFECT ON FEDERAL AND STATE LAW.</DELETED>

<DELETED>    The provisions of this subtitle shall supersede any other 
provision of Federal law or any provision of law of any State relating 
to notification of a security breach, except as provided in section 
424(b).</DELETED>

<DELETED>SEC. 430. AUTHORIZATION OF APPROPRIATIONS.</DELETED>

<DELETED>    There are authorized to be appropriated such sums as may 
be necessary to cover the costs incurred by the United States Secret 
Service to carry out investigations and risk assessments of security 
breaches as required under this subtitle.</DELETED>

<DELETED>SEC. 431. REPORTING ON RISK ASSESSMENT EXEMPTION.</DELETED>

<DELETED>    The United States Secret Service shall report to Congress 
not later than 18 months after the date of enactment of this Act, and 
upon the request by Congress thereafter, on the number and nature of 
the security breaches described in the notices filed by those business 
entities invoking the risk assessment exemption under section 422(b) 
and the response of the United States Secret Service to those 
notices.</DELETED>

<DELETED>SEC. 432. EFFECTIVE DATE.</DELETED>

<DELETED>    This subtitle shall take effect on the expiration of the 
date which is 90 days after the date of enactment of this 
Act.</DELETED>

     <DELETED>TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL 
                             DATA</DELETED>

<DELETED>SEC. 501. GENERAL SERVICES ADMINISTRATION REVIEW OF 
              CONTRACTS.</DELETED>

<DELETED>    (a) In General.--In considering contract awards totaling 
more than $500,000 and entered into after the date of enactment of this 
Act with data brokers, the Administrator of the General Services 
Administration shall evaluate--</DELETED>
        <DELETED>    (1) the data privacy and security program of a 
        data broker to ensure the privacy and security of data 
        containing personally identifiable information, including 
        whether such program adequately addresses privacy and security 
        threats created by malicious software or code, or the use of 
        peer-to-peer file sharing software;</DELETED>
        <DELETED>    (2) the compliance of a data broker with such 
        program;</DELETED>
        <DELETED>    (3) the extent to which the databases and systems 
        containing personally identifiable information of a data broker 
        have been compromised by security breaches; and</DELETED>
        <DELETED>    (4) the response by a data broker to such 
        breaches, including the efforts by such data broker to mitigate 
        the impact of such breaches.</DELETED>
<DELETED>    (b) Compliance Safe Harbor.--The data privacy and security 
program of a data broker shall be deemed sufficient for the purposes of 
subsection (a), if the data broker complies with or provides protection 
equal to industry standards, as identified by the Federal Trade 
Commission, that are applicable to the type of personally identifiable 
information involved in the ordinary course of business of such data 
broker.</DELETED>
<DELETED>    (c) Penalties.--In awarding contracts with data brokers 
for products or services related to access, use, compilation, 
distribution, processing, analyzing, or evaluating personally 
identifiable information, the Administrator of the General Services 
Administration shall--</DELETED>
        <DELETED>    (1) include monetary or other penalties--</DELETED>
                <DELETED>    (A) for failure to comply with subtitles A 
                and B of title IV of this Act; or</DELETED>
                <DELETED>    (B) if a contractor knows or has reason to 
                know that the personally identifiable information being 
                provided is inaccurate, and provides such inaccurate 
                information; and</DELETED>
        <DELETED>    (2) require a data broker that engages service 
        providers not subject to subtitle A of title IV for 
        responsibilities related to sensitive personally identifiable 
        information to--</DELETED>
                <DELETED>    (A) exercise appropriate due diligence in 
                selecting those service providers for responsibilities 
                related to personally identifiable 
                information;</DELETED>
                <DELETED>    (B) take reasonable steps to select and 
                retain service providers that are capable of 
                maintaining appropriate safeguards for the security, 
                privacy, and integrity of the personally identifiable 
                information at issue; and</DELETED>
                <DELETED>    (C) require such service providers, by 
                contract, to implement and maintain appropriate measures 
                designed to meet the objectives and requirements in 
                title IV.</DELETED>
<DELETED>    (d) Limitation.--The penalties under subsection (c) shall 
not apply to a data broker providing information that is accurately and 
completely recorded from a public record source.</DELETED>

<DELETED>SEC. 502. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES 
              OF CONTRACTORS AND THIRD PARTY BUSINESS 
              ENTITIES.</DELETED>

<DELETED>    Section 3544(b) of title 44, United States Code, is 
amended--</DELETED>
        <DELETED>    (1) in paragraph (7)(C)(iii), by striking ``and'' 
        after the semicolon;</DELETED>
        <DELETED>    (2) in paragraph (8), by striking the period and 
        inserting ``; and''; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
        <DELETED>    ``(9) procedures for evaluating and auditing the 
        information security practices of contractors or third party 
        business entities supporting the information systems or 
        operations of the agency involving personally identifiable 
        information (as that term is defined in section 3 of the 
        Personal Data Privacy and Security Act of 2005) and ensuring 
        remedial action to address any significant 
        deficiencies.''.</DELETED>

<DELETED>SEC. 503. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF 
              COMMERCIAL INFORMATION SERVICES CONTAINING PERSONALLY 
              IDENTIFIABLE INFORMATION.</DELETED>

<DELETED>    (a) In General.--Section 208(b)(1) of the E-Government Act 
of 2002 (44 U.S.C. 3501 note) is amended--</DELETED>
        <DELETED>    (1) in subparagraph (A)(i), by striking ``or''; 
        and</DELETED>
        <DELETED>    (2) in subparagraph (A)(ii), by striking the 
        period and inserting ``; or''; and</DELETED>
        <DELETED>    (3) by inserting after clause (ii) the 
        following:</DELETED>
                        <DELETED>    ``(iii) purchasing or subscribing 
                        for a fee to personally identifiable 
                        information from a data broker (as such terms 
                        are defined in section 3 of the Personal Data 
                        Privacy and Security Act of 2005).''.</DELETED>
<DELETED>    (b) Limitation.--Notwithstanding any other provision of 
law, commencing 1 year after the date of enactment of this Act, no 
Federal department or agency may enter into a contract with a data 
broker to access for a fee any database consisting primarily of 
personally identifiable information concerning United States persons 
(other than news reporting or telephone directories) unless the head of 
such department or agency--</DELETED>
        <DELETED>    (1) completes a privacy impact assessment under 
        section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 
        note), which shall subject to the provision in that Act 
        pertaining to sensitive information, include a description of--</DELETED>
                <DELETED>    (A) such database;</DELETED>
                <DELETED>    (B) the name of the data broker from whom 
                it is obtained; and</DELETED>
                <DELETED>    (C) the amount of the contract for 
                use;</DELETED>
        <DELETED>    (2) adopts regulations that specify--</DELETED>
                <DELETED>    (A) the personnel permitted to access, 
                analyze, or otherwise use such databases;</DELETED>
                <DELETED>    (B) standards governing the access, 
                analysis, or use of such databases;</DELETED>
                <DELETED>    (C) any standards used to ensure that the 
                personally identifiable information accessed, analyzed, 
                or used is the minimum necessary to accomplish the 
                intended legitimate purpose of the Federal department 
                or agency;</DELETED>
                <DELETED>    (D) standards limiting the retention and 
                redisclosure of personally identifiable information 
                obtained from such databases;</DELETED>
                <DELETED>    (E) procedures ensuring that such data 
                meet standards of accuracy, relevance, completeness, 
                and timeliness;</DELETED>
                <DELETED>    (F) the auditing and security measures to 
                protect against unauthorized access, analysis, use, or 
                modification of data in such databases;</DELETED>
                <DELETED>    (G) applicable mechanisms by which 
                individuals may secure timely redress for any adverse 
                consequences wrongly incurred due to the access, 
                analysis, or use of such databases;</DELETED>
                <DELETED>    (H) mechanisms, if any, for the 
                enforcement and independent oversight of existing or 
                planned procedures, policies, or guidelines; 
                and</DELETED>
                <DELETED>    (I) an outline of enforcement mechanisms 
                for accountability to protect individuals and the 
                public against unlawful or illegitimate access or use 
                of databases; and</DELETED>
        <DELETED>    (3) incorporates into the contract or other 
        agreement totaling more than $500,000, provisions--</DELETED>
                <DELETED>    (A) providing for penalties--</DELETED>
                        <DELETED>    (i) for failure to comply with 
                        title IV of this Act; or</DELETED>
                        <DELETED>    (ii) if the entity knows or has 
                        reason to know that the personally identifiable 
                        information being provided to the Federal 
                        department or agency is inaccurate, and 
                        provides such inaccurate information.</DELETED>
                <DELETED>    (B) requiring a data broker that engages 
                service providers not subject to subtitle A of title IV 
                for responsibilities related to sensitive personally 
                identifiable information to--</DELETED>
                        <DELETED>    (i) exercise appropriate due 
                        diligence in selecting those service providers 
                        for responsibilities related to personally 
                        identifiable information;</DELETED>
                        <DELETED>    (ii) take reasonable steps to 
                        select and retain service providers that are 
                        capable of maintaining appropriate safeguards 
                        for the security, privacy, and integrity of the 
                        personally identifiable information at issue; 
                        and</DELETED>
                        <DELETED>    (iii) require such service 
                        providers, by contract, to implement and 
                        maintain appropriate measures designed to meet 
                        the objectives and requirements in title 
                        IV.</DELETED>
<DELETED>    (c) Limitation on Penalties.--The penalties under 
paragraph (3)(A) shall not apply to a data broker providing information 
that is accurately and completely recorded from a public record 
source.</DELETED>
<DELETED>    (d) Individual Screening Programs.--</DELETED>
        <DELETED>    (1) In general.--Notwithstanding any other 
        provision of law, commencing one year after the date of 
        enactment of this Act, no Federal department or agency may use 
        commercial databases or contract with a data broker to 
        implement an individual screening program unless such program 
        is--</DELETED>
                <DELETED>    (A) congressionally authorized; 
                and</DELETED>
                <DELETED>    (B) subject to regulations developed by 
                notice and comment that--</DELETED>
                        <DELETED>    (i) establish a procedure to 
                        enable individuals, who suffer an adverse 
                        consequence because the screening system 
                        determined that they might pose a security 
                        threat, to appeal such determination and 
                        correct information contained in the 
                        system;</DELETED>
                        <DELETED>    (ii) ensure that Federal and 
                        commercial databases that will be used to 
                        establish the identity of individuals or 
                        otherwise make assessments of individuals under 
                        the system will not produce a large number of 
                        false positives or unjustified adverse 
                        consequences;</DELETED>
                        <DELETED>    (iii) ensure the efficacy and 
                        accuracy of all of the search tools that will 
                        be used and ensure that the department or 
                        agency can make an accurate predictive 
                        assessment of those who may constitute a 
                        threat;</DELETED>
                        <DELETED>    (iv) establish an internal 
                        oversight board to oversee and monitor the 
                        manner in which the system is being 
                        implemented;</DELETED>
                        <DELETED>    (v) establish sufficient 
                        operational safeguards to reduce the 
                        opportunities for abuse;</DELETED>
                        <DELETED>    (vi) implement substantial 
                        security measures to protect the system from 
                        unauthorized access;</DELETED>
                        <DELETED>    (vii) adopt policies establishing 
                        the effective oversight of the use and 
                        operation of the system; and</DELETED>
                        <DELETED>    (viii) ensure that there are no 
                        specific privacy concerns with the 
                        technological architecture of the system; 
                        and</DELETED>
                <DELETED>    (C) coordinated with the Terrorist 
                Screening Center or any such successor 
                organization.</DELETED>
        <DELETED>    (2) Definition.--As used in this subsection, the 
        term ``individual screening program''--</DELETED>
                <DELETED>    (A) means a system that relies on 
                personally identifiable information from commercial 
                databases to--</DELETED>
                        <DELETED>    (i) evaluate all or most 
                        individuals seeking to exercise a particular 
                        right or privilege under Federal law; 
                        and</DELETED>
                        <DELETED>    (ii) determine whether such 
                        individuals are on a terrorist watch list or 
                        otherwise pose a security threat; and</DELETED>
                <DELETED>    (B) does not include any program or system 
                to grant security clearances.</DELETED>
<DELETED>    (e) Study of Government Use.--</DELETED>
        <DELETED>    (1) Scope of study.--Not later than 180 days after 
        the date of enactment of this Act, the Comptroller General of 
        the United States shall conduct a study and audit and prepare a 
        report on Federal agency use of data brokers or commercial 
        databases containing personally identifiable information, 
        including the impact on privacy and security, and the extent to 
        which Federal contracts include sufficient provisions to ensure 
        privacy and security protections, and penalties for failures in 
        privacy and security practices.</DELETED>
        <DELETED>    (2) Report.--A copy of the report required under 
        paragraph (1) shall be submitted to Congress.</DELETED>

<DELETED>SEC. 504. IMPLEMENTATION OF CHIEF PRIVACY OFFICER 
              REQUIREMENTS.</DELETED>

<DELETED>    (a) Designation of the Chief Privacy Officer.--Pursuant to 
the requirements under section 522 of the Transportation, Treasury, 
Independent Agencies, and General Government Appropriations Act, 2005 
(division H of Public Law 108-447; 118 Stat. 3199) that each agency 
designate a Chief Privacy Officer, the Department of Justice shall 
implement such requirements by designating a department-wide Chief 
Privacy Officer, whose primary role shall be to fulfill the duties and 
responsibilities of Chief Privacy Officer and who shall report directly 
to the Deputy Attorney General.</DELETED>
<DELETED>    (b) Duties and Responsibilities of Chief Privacy 
Officer.--In addition to the duties and responsibilities outlined under 
section 522 of the Transportation, Treasury, Independent Agencies, and 
General Government Appropriations Act, 2005 (division H of Public Law 
108-447; 118 Stat. 3199), the Department of Justice Chief Privacy 
Officer shall--</DELETED>
        <DELETED>    (1) oversee the Department of Justice's 
        implementation of the requirements under section 603 to conduct 
        privacy impact assessments of the use of commercial data 
        containing personally identifiable information by the 
        Department;</DELETED>
        <DELETED>    (2) promote the use of law enforcement 
        technologies that sustain privacy protections, and assure that 
        the implementation of such technologies relating to the use, 
        collection, and disclosure of personally identifiable 
        information preserve the privacy and security of such 
        information; and</DELETED>
        <DELETED>    (3) coordinate with the Privacy and Civil 
        Liberties Oversight Board, established in the Intelligence 
        Reform and Terrorism Prevention Act of 2004 (Public Law 108-
        458), in implementing paragraphs (1) and (2) of this 
        subsection.</DELETED>

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Personal Data 
Privacy and Security Act of 2005''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Organized criminal activity in connection with unauthorized 
                            access to personally identifiable 
                            information.
Sec. 102. Concealment of security breaches involving sensitive 
                            personally identifiable information.
Sec. 103. Review and amendment of Federal sentencing guidelines related 
                            to fraudulent access to or misuse of 
                            digitized or electronic personally 
                            identifiable information.

                         TITLE II--DATA BROKERS

Sec. 201. Transparency and accuracy of data collection.
Sec. 202. Enforcement.
Sec. 203. Relation to state laws.
Sec. 204. Effective date.

 TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

Sec. 301. Purpose and applicability of data privacy and security 
                            program.
Sec. 302. Requirements for a personal data privacy and security 
                            program.
Sec. 303. Enforcement.
Sec. 304. Relation to other laws.

                Subtitle B--Security Breach Notification

Sec. 321. Notice to individuals.
Sec. 322. Exemptions.
Sec. 323. Methods of notice.
Sec. 324. Content of notification.
Sec. 325. Coordination of notification with credit reporting agencies.
Sec. 326. Notice to law enforcement.
Sec. 327. Enforcement.
Sec. 328. Enforcement by State attorneys general.
Sec. 329. Effect on Federal and State law.
Sec. 330. Authorization of appropriations.
Sec. 331. Reporting on risk assessment exemptions.
Sec. 332. Effective date.

       TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

Sec. 401. General services administration review of contracts.
Sec. 402. Requirement to audit information security practices of 
                            contractors and third party business 
                            entities.
Sec. 403. Privacy impact assessment of government use of commercial 
                            information services containing personally 
                            identifiable information.
Sec. 404. Implementation of chief privacy officer requirements.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) databases of personally identifiable information are 
        increasingly prime targets of hackers, identity thieves, rogue 
        employees, and other criminals, including organized and 
        sophisticated criminal operations;
            (2) identity theft is a serious threat to the nation's 
        economic stability, homeland security, the development of e-
        commerce, and the privacy rights of Americans;
            (3) over 9,300,000 individuals were victims of identity 
        theft in America last year;
            (4) security breaches are a serious threat to consumer 
        confidence, homeland security, e-commerce, and economic 
        stability;
            (5) it is important for business entities that own, use, or 
        license personally identifiable information to adopt reasonable 
        procedures to ensure the security, privacy, and confidentiality 
        of that personally identifiable information;
            (6) individuals whose personal information has been 
        compromised or who have been victims of identity theft should 
        receive the necessary information and assistance to mitigate 
        their damages and to restore the integrity of their personal 
        information and identities;
            (7) data brokers have assumed a significant role in 
        providing identification, authentication, and screening 
        services, and related data collection and analyses for 
        commercial, nonprofit, and government operations;
            (8) data misuse and use of inaccurate data have the 
        potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government operations;
            (9) there is a need to insure that data brokers conduct 
        their operations in a manner that prioritizes fairness, 
        transparency, accuracy, and respect for the privacy of 
        consumers;
            (10) government access to commercial data can potentially 
        improve safety, law enforcement, and national security; and
            (11) because government use of commercial data containing 
        personal information potentially affects individual privacy, 
        and law enforcement and national security operations, there is 
        a need for Congress to exercise oversight over government use 
        of commercial data.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the same meaning given 
        such term in section 551 of title 5, United States Code.
            (2) Affiliate.--The term ``affiliate'' means persons 
        related by common ownership or by corporate control.
            (3) Business entity.--The term ``business entity'' means 
        any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, venture established 
        to make a profit, or nonprofit, and any contractor, 
        subcontractor, affiliate, or licensee thereof engaged in 
        interstate commerce.
            (4) Identity theft.--The term ``identity theft'' means a 
        violation of section 1028 of title 18, United States Code.
            (5) Data broker.--The term ``data broker'' means a business 
        entity which for monetary fees or dues regularly engages in the 
        practice of collecting, transmitting, or providing access to 
        sensitive personally identifiable information on more than 
        5,000 individuals who are not the customers or employees of 
        that business entity or affiliate primarily for the purposes of 
        providing such information to nonaffiliated third parties on an 
        interstate basis.
            (6) Data furnisher.--The term ``data furnisher'' means any 
        agency, organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or nonprofit that 
        serves as a source of information for a data broker.
            (7) Personal electronic record.--
                    (A) In general.--The term ``personal electronic 
                record'' means data associated with an individual 
                contained in a database, networked or integrated 
                databases, or other data system that holds sensitive 
                personally identifiable information of that individual 
                and is provided to nonaffiliated third parties.
                    (B) Exclusions.--The term ``personal electronic 
                record'' does not include--
                            (i) any data related to an individual's 
                        past purchases of consumer goods; or
                            (ii) any proprietary assessment or 
                        evaluation of an individual or any proprietary 
                        assessment or evaluation of information about 
                        an individual.
            (8) Personally identifiable information.--The term 
        ``personally identifiable information'' means any information, 
        or compilation of information, in electronic or digital form 
        serving as a means of identification, as defined by section 
        1028(d)(7) of title 18, United States Code.
            (9) Public record source.--The term ``public record 
        source'' means the Congress, any agency, any State or local 
        government agency, the government of the District of Columbia 
        and governments of the territories or possessions of the United 
        States, and Federal, State or local courts, courts martial and 
        military commissions, that maintain personally identifiable 
        information in records available to the public.
            (10) Security breach.--
                    (A) In general.--The term ``security breach'' means 
                compromise of the security, confidentiality, or 
                integrity of computerized data through 
                misrepresentation or actions that result in, or there 
                is a reasonable basis to conclude has resulted in, 
                acquisition of or access to sensitive personally 
                identifiable information that is unauthorized or in 
                excess of authorization.
                    (B) Exclusion.--The term ``security breach'' does 
                not include--
                            (i) a good faith acquisition of sensitive 
                        personally identifiable information by a 
                        business entity or agency, or an employee or 
                        agent of a business entity or agency, if the 
                        sensitive personally identifiable information 
                        is not subject to further unauthorized 
                        disclosure; or
                            (ii) the release of a public record not 
                        otherwise subject to confidentiality or 
                        nondisclosure requirements.
            (11) Sensitive personally identifiable information.--The 
        term ``sensitive personally identifiable information'' means 
        any information or compilation of information, in electronic or 
        digital form that includes--
                    (A) an individual's first and last name or first 
                initial and last name in combination with any 1 of the 
                following data elements:
                            (i) A non-truncated social security number, 
                        driver's license number, passport number, or 
                        alien registration number.
                            (ii) Any 2 of the following:
                                    (I) Home address or telephone 
                                number.
                                    (II) Mother's maiden name, if 
                                identified as such.
                                    (III) Month, day, and year of 
                                birth.
                            (iii) Unique biometric data such as a 
                        finger print, voice print, a retina or iris 
                        image, or any other unique physical 
                        representation.
                            (iv) A unique account identifier, 
                        electronic identification number, user name, or 
                        routing code in combination with any associated 
                        security code, access code, or password that is 
                        required for an individual to obtain money, 
                        goods, services or any other thing of value; or
                    (B) a financial account number or credit or debit 
                card number in combination with any security code, 
                access code or password that is required for an 
                individual to obtain money, goods, services or any 
                other thing of value.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED 
              ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.

    Section 1961(1) of title 18, United States Code, is amended by 
inserting ``section 1030(a)(2)(D) (relating to fraud and related 
activity in connection with unauthorized access to sensitive personally 
identifiable information as defined in the Data Privacy and Security 
Act of 2005,'' before ``section 1084''.

SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:

``SEC. 1039. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.

    ``(a) Whoever, having knowledge of a security breach and of the 
obligation either individually or collectively to provide notice of 
such breach to individuals under title IV of the Personal Data Privacy 
and Security Act of 2005, and having not otherwise qualified for an 
exemption from providing notice under section 422 of such Act, 
intentionally and willfully conceals the fact of such security breach 
and which breach causes economic damage to 1 or more persons, shall be 
fined under this title or imprisoned not more than 5 years, or both.
    ``(b) For purposes of subsection (a), the term `person' has the 
same meaning as in section 1030(e)(12) of title 18, United States 
Code.''.
    (b) Conforming and Technical Amendments.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

        ``1039. Concealment of security breaches involving personally 
                            identifiable information.''.
    (c) Enforcement Authority.--
            (1) In general.--The United States Secret Service shall 
        have the authority to investigate offenses under this section.
            (2) Non-exclusivity.--The authority granted in paragraph 
        (1) shall not be exclusive of any existing authority held by 
        any other Federal agency.

SEC. 103. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED 
              TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR 
              ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.

    (a) Review and Amendment.--The United States Sentencing Commission, 
pursuant to its authority under section 994 of title 28, United States 
Code, and in accordance with this section, shall review and, if 
appropriate, amend the Federal sentencing guidelines (including its 
policy statements) applicable to persons convicted of using fraud to 
access, or misuse of, digitized or electronic personally identifiable 
information, including identity theft or any offense under--
            (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of 
        title 18, United States Code; and
            (2) any other relevant provision.
    (b) Requirements.--In carrying out the requirements of this 
section, the United States Sentencing Commission shall--
            (1) ensure that the Federal sentencing guidelines 
        (including its policy statements) reflect--
                    (A) the serious nature of the offenses and 
                penalties referred to in this Act;
                    (B) the growing incidences of theft and misuse of 
                digitized or electronic personally identifiable 
                information, including identity theft; and
                    (C) the need to deter, prevent, and punish such 
                offenses;
            (2) consider the extent to which the Federal sentencing 
        guidelines (including its policy statements) adequately address 
        violations of the sections amended by this Act to--
                    (A) sufficiently deter and punish such offenses; 
                and
                    (B) adequately reflect the enhanced penalties 
                established under this Act;
            (3) maintain reasonable consistency with other relevant 
        directives and sentencing guidelines;
            (4) account for any additional aggravating or mitigating 
        circumstances that might justify exceptions to the generally 
        applicable sentencing ranges;
            (5) consider whether to provide a sentencing enhancement 
        for those convicted of the offenses described in subsection 
        (a), if the conduct involves--
                    (A) the online sale of fraudulently obtained or 
                stolen personally identifiable information;
                    (B) the sale of fraudulently obtained or stolen 
                personally identifiable information to an individual 
                who is engaged in terrorist activity or aiding other 
                individuals engaged in terrorist activity; or
                    (C) the sale of fraudulently obtained or stolen 
                personally identifiable information to finance 
                terrorist activity or other criminal activities;
            (6) make any necessary conforming changes to the Federal 
        sentencing guidelines to ensure that such guidelines (including 
        its policy statements) as described in subsection (a) are 
        sufficiently stringent to deter, and adequately reflect crimes 
        related to fraudulent access to, or misuse of, personally 
        identifiable information; and
            (7) ensure that the Federal sentencing guidelines 
        adequately meet the purposes of sentencing under section 
        3553(a)(2) of title 18, United States Code.
    (c) Emergency Authority to Sentencing Commission.--The United 
States Sentencing Commission may, as soon as practicable, promulgate 
amendments under this section in accordance with procedures established 
in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 994 note) as 
though the authority under that Act had not expired.

                         TITLE II--DATA BROKERS

SEC. 201. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.

    (a) In General.--Data brokers engaging in interstate commerce are 
subject to the requirements of this title for any product or service 
offered to third parties that allows access or use of sensitive 
personally identifiable information.
    (b) Limitation.--Notwithstanding any other provision of this title, 
this section shall not apply to--
            (1) any product or service offered by a data broker 
        engaging in interstate commerce where such product or service 
        is currently subject to, and in compliance with, access and 
        accuracy protections similar to those under subsections (c) 
        through (f) of this section under the Fair Credit Reporting Act 
        (Public Law 91-508);
            (2) any data broker that is subject to regulation under the 
        Gramm-Leach-Bliley Act (Public Law 106-102);
            (3) any data broker currently subject to and in compliance 
        with the data security requirements for such entities under the 
        Health Insurance Portability and Accountability Act (Public Law 
        104-191), and its implementing regulations;
            (4) information in a personal electronic record that--
                    (A) the data broker has identified as inaccurate, 
                but maintains for the purpose of aiding the data broker 
                in preventing inaccurate information from entering an 
                individual's personal electronic record; and
                    (B) is not maintained primarily for the purpose of 
                transmitting or otherwise providing that information, 
                or assessments based on that information, to non-
                affiliated third parties; and
            (5) information concerning proprietary methodologies, 
        techniques, scores, or algorithms relating to fraud prevention 
        not normally provided to third parties in the ordinary course 
        of business.
    (c) Disclosures to Individuals.--
            (1) In general.--A data broker shall, upon the request of 
        an individual, disclose to such individual for a reasonable fee 
        all personal electronic records pertaining to that individual 
        maintained specifically for disclosure to third parties that 
        request information on that individual in the ordinary course 
        of business in the databases or systems of the data broker at 
        the time of such request.
            (2) Information on how to correct inaccuracies.--The 
        disclosures required under paragraph (1) shall also include 
        guidance to individuals on procedures for correcting 
        inaccuracies.
    (d) Accuracy Resolution Process.--
            (1) Information from a public record or licensor.--
                    (A) In general.--If an individual notifies a data 
                broker of a dispute as to the completeness or accuracy 
                of information disclosed to such individual under 
                subsection (c) that is derived from a public record 
                source or pursuant to a license agreement, such data 
                broker shall determine within 30 days whether the 
                information in its system accurately and completely 
                records the information available from the public 
                record source or licensor.
                    (B) Data broker actions.--If a data broker 
                determines under subparagraph (A) that the information 
                in its systems does not accurately and completely 
                record the information available from a public record 
                source or licensor, the data broker shall--
                            (i) correct any inaccuracies or 
                        incompleteness, and provide to such individual 
                        written notice of such changes; or
                            (ii) provide such individual with the 
                        contact information of the public record or 
                        licensor.
            (2) Information not from a public record source or 
        licensor.--If an individual notifies a data broker of a dispute 
        as to the completeness or accuracy of information not from a 
        public record or licensor that was disclosed to the individual 
        under subsection (c), the data broker shall, within 30 days of 
        receiving notice of such dispute--
                    (A) review and consider free of charge any 
                information submitted by such individual that is 
                relevant to the completeness or accuracy of the 
                disputed information; and
                    (B) correct any information found to be incomplete 
                or inaccurate and provide notice to such individual of 
                whether and what information was corrected, if any.
            (3) Extension of review period.--The 30-day period 
        described in paragraph (1) may be extended for not more than 30 
        additional days if a data broker receives information from the 
        individual during the initial 30-day period that is relevant to 
        the completeness or accuracy of any disputed information.
            (4) Notice identifying the data furnisher.--If the 
        completeness or accuracy of any information not from a public 
        record source or licensor that was disclosed to an individual 
        under subsection (c) is disputed by such individual, the data 
        broker shall provide, upon the request of such individual, the 
        contact information of any data furnisher that provided the 
        disputed information.
            (5) Determination that dispute is frivolous or 
        irrelevant.--
                    (A) In general.--Notwithstanding paragraphs (1) 
                through (3), a data broker may decline to investigate 
                or terminate a review of information disputed by an 
                individual under those paragraphs if the data broker 
                reasonably determines that the dispute by the 
                individual is frivolous or intended to perpetrate 
                fraud.
                    (B) Notice.--A data broker shall notify an 
                individual of a determination under subparagraph (A) 
                within a reasonable time by any means available to such 
                data broker.

SEC. 202. ENFORCEMENT.

    (a) Civil Penalties.--
            (1) Penalties.--Any data broker that violates the 
        provisions of section 201 shall be subject to civil penalties 
        of not more than $1,000 per violation per day while such 
        violations persist, up to a maximum of $250,000 per violation.
            (2) Intentional or willful violation.--A data broker that 
        intentionally or willfully violates the provisions of section 
        201 shall be subject to additional penalties in the amount of 
        $1,000 per violation per day, to a maximum of an additional 
        $250,000 per violation, while such violations persist.
            (3) Equitable relief.--A data broker engaged in interstate 
        commerce that violates this section may be enjoined from 
        further violations by a court of competent jurisdiction.
            (4) Other rights and remedies.--The rights and remedies 
        available under this subsection are cumulative and shall not 
        affect any other rights and remedies available under law.
    (b) Federal Trade Commission Authority.--Any data broker shall have 
the provisions of this title enforced against it by the Federal Trade 
Commission.
    (c) State Enforcement.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the acts or 
        practices of a data broker that violate this subtitle, the 
        State may bring a civil action on behalf of the residents of 
        that State in a district court of the United States of 
        appropriate jurisdiction, or any other court of competent 
        jurisdiction, to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this title; or
                    (C) obtain civil penalties of not more than $1,000 
                per violation per day while such violations persist, up 
                to a maximum of $250,000 per violation.
            (2) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Federal Trade Commission--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an attorney 
                general of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in 
                subparagraph (A) before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described under subparagraph (B), the attorney general 
                of a State shall provide the written notice and the 
                copy of the complaint to the Federal Trade Commission 
                as soon after the filing of the complaint as 
                practicable.
            (3) Federal trade commission authority.--Upon receiving 
        notice under paragraph (2), the Federal Trade Commission shall 
        have the right to--
                    (A) move to stay the action, pending the final 
                disposition of a pending Federal proceeding or action 
                as described in paragraph (4);
                    (B) intervene in an action brought under paragraph 
                (1); and
                    (C) file petitions for appeal.
            (4) Pending proceedings.--If the Federal Trade Commission 
        has instituted a proceeding or civil action for a violation of 
        this title, no attorney general of a State may, during the 
        pendency of such proceeding or civil action, bring an action 
        under this subsection against any defendant named in such civil 
        action for any violation that is alleged in that civil action.
            (5) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1), nothing in this title shall 
        be construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths and affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (6) Venue; service of process.--
                    (A) Venue.--Any action brought under this 
                subsection may be brought in the district court of the 
                United States that meets applicable requirements 
                relating to venue under section 1931 of title 28, 
                United States Code.
                    (B) Service of process.--In an action brought under 
                this subsection process may be served in any district 
                in which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
    (d) No Private Cause of Action.--Nothing in this title establishes 
a private cause of action against a data broker for violation of any 
provision of this title.
    (e) Implementation Time Line.--Not later than 1 year after the date 
of enactment of this Act, a business entity subject to the provisions 
of this title shall implement a data privacy and security program 
pursuant to this title.

SEC. 203. RELATION TO STATE LAWS.

    No requirement or prohibition may be imposed under the laws of any 
State with respect to any subject matter regulated under section 201, 
relating to individual access to, and correction of, personal 
electronic records held by data brokers.

SEC. 204. EFFECTIVE DATE.

    This title shall take effect 180 days after the date of enactment 
of this Act.

 TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

SEC. 301. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Purpose.--The purpose of this subtitle is to ensure standards 
for developing and implementing administrative, technical, and physical 
safeguards to protect the security of sensitive personally identifiable 
information.
    (b) In General.--A business entity engaging in interstate commerce 
that involves collecting, accessing, transmitting, using, storing, or 
disposing of sensitive personally identifiable information in 
electronic or digital form on 10,000 or more United States persons is 
subject to the requirements for a data privacy and security program 
under section 302 for protecting sensitive personally identifiable 
information.
    (c) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to:
            (1) Financial institutions.--Financial institutions--
                    (A) subject to the data security requirements and 
                implementing regulations under the Gramm-Leach-Bliley 
                Act (15 U.S.C. 6801 et seq.); and
                    (B) subject to--
                            (i) examinations for compliance with the 
                        requirements of this Act by a Federal 
                        Functional Regulator or State Insurance 
                        Authority (as those terms are defined in 
                        section 509 of the Gramm-Leach-Bliley Act (15 
                        U.S.C. 6809)); or
                            (ii) compliance with part 314 of title 16, 
                        Code of Federal Regulations.
            (2) HIPAA regulated entities.--
                    (A) Covered entities.--Covered entities subject to 
                the Health Insurance Portability and Accountability Act 
                of 1996 (42 U.S.C. 1301 et seq.), including the data 
                security requirements and implementing regulations of 
                that Act.
                    (B) Business entities.--A business entity shall be 
                deemed in compliance with the privacy and security 
                program requirements under section 302 if the business 
                entity is acting as a ``business associate'' as that 
                term is defined in the Health Insurance Portability and 
                Accountability Act of 1996 (42 U.S.C. 1301 et seq.) 
                and is in compliance with requirements imposed under 
                that Act and its implementing regulations.
    (d) Safe Harbors.--
            (1) In general.--A business entity shall be deemed in 
        compliance with the privacy and security program requirements 
        under section 302 if the business entity complies with or 
        provides protection equal to industry standards, as identified 
        by the Federal Trade Commission, that are applicable to the 
        type of sensitive personally identifiable information involved 
        in the ordinary course of business of such business entity.
            (2) Limitation.--Nothing in this subsection shall be 
        construed to permit, and nothing does permit, the Federal Trade 
        Commission to issue regulations requiring, or according greater 
        legal status to, the implementation of or application of a 
        specific technology or technological specifications for meeting 
        the requirements of this title.

SEC. 302. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Personal Data Privacy and Security Program.--A business entity 
subject to this subtitle shall comply with the following safeguards and 
any other administrative, technical, or physical safeguards identified 
by the Federal Trade Commission in a rulemaking process pursuant to 
section 553 of title 5, United States Code, for the protection of 
sensitive personally identifiable information:
            (1) Scope.--A business entity shall implement a 
        comprehensive personal data privacy and security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity of the business entity 
        and the nature and scope of its activities.
            (2) Design.--The personal data privacy and security program 
        shall be designed to--
                    (A) ensure the privacy, security, and 
                confidentiality of personal electronic records;
                    (B) protect against any anticipated vulnerabilities 
                to the privacy, security, or integrity of sensitive 
                personally identifying information; and
                    (C) protect against unauthorized access to or use of 
                sensitive personally identifying information that could 
                result in substantial harm or inconvenience to any 
                individual.
            (3) Risk assessment.--A business entity shall--
                    (A) identify reasonably foreseeable internal and 
                external vulnerabilities that could result in 
                unauthorized access, disclosure, use, or alteration of 
                sensitive personally identifiable information or 
                systems containing sensitive personally identifiable 
                information;
                    (B) assess the likelihood of and potential damage 
                from unauthorized access, disclosure, use, or 
                alteration of sensitive personally identifiable 
                information;
                    (C) assess the sufficiency of its policies, 
                technologies, and safeguards in place to control and 
                minimize risks from unauthorized access, disclosure, 
                use, or alteration of sensitive personally identifiable 
                information; and
                    (D) assess the vulnerability of sensitive 
                personally identifiable information during destruction 
                and disposal of such information, including through the 
                disposal or retirement of hardware.
            (4) Risk management and control.--Each business entity 
        shall--
                    (A) design its personal data privacy and security 
                program to control the risks identified under paragraph 
                (3); and
                    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, and scope of the activities of the business 
                entity that--
                            (i) control access to systems and 
                        facilities containing sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;
                            (ii) detect actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        disclosure, use, or alteration of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access;
                            (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption or other reasonable means (including 
                        as directed for disposal of records under 
                        section 628 of the Fair Credit Reporting Act 
                        (15 U.S.C. 1681w) and the implementing 
                        regulations of such Act as set forth in section 
                        682 of title 16, Code of Federal Regulations); 
                        and
                            (iv) ensure that sensitive personally 
                        identifiable information is properly destroyed 
                        and disposed of, including during the 
                        destruction of computers, diskettes, and other 
                        electronic media that contain sensitive 
                        personally identifiable information.
    (b) Training.--Each business entity subject to this subtitle shall 
take steps to ensure employee training and supervision for 
implementation of the data security program of the business entity.
    (c) Vulnerability Testing.--
            (1) In general.--Each business entity subject to this 
        subtitle shall take steps to ensure regular testing of key 
        controls, systems, and procedures of the personal data privacy 
        and security program to detect, prevent, and respond to attacks 
        or intrusions, or other system failures.
            (2) Frequency.--The frequency and nature of the tests 
        required under paragraph (1) shall be determined by the risk 
        assessment of the business entity under subsection (a)(3).
    (d) Relationship to Service Providers.--In the event a business 
entity subject to this subtitle engages service providers not subject 
to this subtitle, such business entity shall--
            (1) exercise appropriate due diligence in selecting those 
        service providers for responsibilities related to sensitive 
        personally identifiable information, and take reasonable steps 
        to select and retain service providers that are capable of 
        maintaining appropriate safeguards for the security, privacy, 
        and integrity of the sensitive personally identifiable 
        information at issue; and
            (2) require those service providers by contract to 
        implement and maintain appropriate measures designed to meet 
        the objectives and requirements governing entities subject to 
        section 301, this section, and subtitle B.
    (e) Periodic Assessment and Personal Data Privacy and Security 
Modernization.--Each business entity subject to this subtitle shall on 
a regular basis monitor, evaluate, and adjust, as appropriate, its data 
privacy and security program in light of any relevant changes in--
            (1) technology;
            (2) the sensitivity of personally identifiable information;
            (3) internal or external threats to personally identifiable 
        information; and
            (4) the changing business arrangements of the business 
        entity, such as--
                    (A) mergers and acquisitions;
                    (B) alliances and joint ventures;
                    (C) outsourcing arrangements;
                    (D) bankruptcy; and
                    (E) changes to sensitive personally identifiable 
                information systems.
    (f) Implementation Time Line.--Not later than 1 year after the date 
of enactment of this Act, a business entity subject to the provisions 
of this subtitle shall implement a data privacy and security program 
pursuant to this subtitle.

SEC. 303. ENFORCEMENT.

    (a) Civil Penalties.--
            (1) In general.--Any business entity that violates the 
        provisions of sections 301 or 302 shall be subject to civil 
        penalties of not more than $5,000 per violation per day while 
        such a violation exists, with a maximum of $500,000 per 
        violation.
            (2) Intentional or willful violation.--A business entity 
        that intentionally or willfully violates the provisions of 
        sections 301 or 302 shall be subject to additional penalties in 
        the amount of $5,000 per violation per day while such a 
        violation exists, with a maximum of an additional $500,000 per 
        violation.
            (3) Equitable relief.--A business entity engaged in 
        interstate commerce that violates this section may be enjoined 
        from further violations by a court of competent jurisdiction.
            (4) Other rights and remedies.--The rights and remedies 
        available under this section are cumulative and shall not 
        affect any other rights and remedies available under law.
    (b) Federal Trade Commission Authority.--Any data broker shall have 
the provisions of this title enforced against it by the Federal Trade 
Commission.
    (c) State Enforcement.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the acts or 
        practices of a data broker that violate this subtitle, the 
        State may bring a civil action on behalf of the residents of 
        that State in a district court of the United States of 
        appropriate jurisdiction, or any other court of competent 
        jurisdiction, to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this title; or
                    (C) obtain civil penalties of not more than $5,000 
                per violation per day while such violations persist, up 
                to a maximum of $500,000 per violation.
            (2) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the Attorney General of the State involved 
                shall provide to the Federal Trade Commission--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an Attorney 
                General of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in this 
                subparagraph before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described under subparagraph (B), the Attorney General 
                of a State shall provide the written notice and the 
                copy of the complaint to the Federal Trade Commission 
                as soon after the filing of the complaint as 
                practicable.
            (3) Federal trade commission authority.--Upon receiving 
        notice under paragraph (2), the Federal Trade Commission shall 
        have the right to--
                    (A) move to stay the action, pending the final 
                disposition of a pending Federal proceeding or action 
                as described in paragraph (4);
                    (B) intervene in an action brought under paragraph 
                (1); and
                    (C) file petitions for appeal.
            (4) Pending proceedings.--If the Federal Trade Commission 
        has instituted a proceeding or action for a violation of this 
        title or any regulations thereunder, no attorney general of a 
        State may, during the pendency of such proceeding or action, 
        bring an action under this subsection against any defendant 
        named in such criminal proceeding or civil action for any 
        violation that is alleged in that proceeding or action.
            (5) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1) nothing in this title shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths and affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (6) Venue; service of process.--
                    (A) Venue.--Any action brought under this 
                subsection may be brought in the district court of the 
                United States that meets applicable requirements 
                relating to venue under section 1391 of title 28, 
                United States Code.
                    (B) Service of process.--In an action brought under 
                this subsection process may be served in any district 
                in which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
    (d) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a business entity for 
violation of any provision of this subtitle.

SEC. 304. RELATION TO OTHER LAWS.

    (a) In General.--No State may require any business entity subject 
to this subtitle to comply with any requirements with respect to 
administrative, technical, and physical safeguards for the protection 
of sensitive personally identifying information.
    (b) Limitations.--Nothing in this subtitle shall be construed to 
modify, limit, or supersede the operation of the Gramm-Leach-Bliley Act 
or its implementing regulations, including those adopted or enforced by 
States.

                Subtitle B--Security Breach Notification

SEC. 321. NOTICE TO INDIVIDUALS.

    (a) In General.--Any agency, or business entity engaged in 
interstate commerce, that uses, accesses, transmits, stores, disposes 
of or collects sensitive personally identifiable information shall, 
following the discovery of a security breach of such information notify 
any resident of the United States whose sensitive personally 
identifiable information has been, or is reasonably believed to have 
been, accessed, or acquired.
    (b) Obligation of Owner or Licensee.--
            (1) Notice to owner or licensee.--Any agency, or business 
        entity engaged in interstate commerce, that uses, accesses, 
        transmits, stores, disposes of, or collects sensitive 
        personally identifiable information that the agency or business 
        entity does not own or license shall notify the owner or 
        licensee of the information following the discovery of a 
        security breach involving such information.
            (2) Notice by owner, licensee or other designated third 
        party.--Nothing in this subtitle shall prevent or abrogate an 
        agreement between an agency or business entity required to give 
        notice under this section and a designated third party, 
        including an owner or licensee of the sensitive personally 
        identifiable information subject to the security breach, to 
        provide the notifications required under subsection (a).
            (3) Business entity relieved from giving notice.--A 
        business entity obligated to give notice under subsection (a) 
        shall be relieved of such obligation if an owner or licensee of 
        the sensitive personally identifiable information subject to 
        the security breach, or other designated third party, provides 
        such notification.
    (c) Timeliness of Notification.--
            (1) In general.--All notifications required under this 
        section shall be made without unreasonable delay following the 
        discovery by the agency or business entity of a security 
        breach.
            (2) Reasonable delay.--Reasonable delay under this 
        subsection may include any time necessary to determine the 
        scope of the security breach, prevent further disclosures, and 
        restore the reasonable integrity of the data system and provide 
        notice to law enforcement when required.
            (3) Burden of proof.--The agency, business entity, owner, 
        or licensee required to provide notification under this section 
        shall have the burden of demonstrating that all notifications 
        were made as required under this subtitle, including evidence 
        demonstrating the necessity of any delay.
    (d) Delay of Notification Authorized for Law Enforcement 
Purposes.--
            (1) In general.--If a Federal law enforcement agency 
        determines that the notification required under this section 
        would impede a criminal investigation, such notification shall 
        be delayed upon written notice from such Federal law 
        enforcement agency to the agency or business entity that 
        experienced the breach.
            (2) Extended delay of notification.--If the notification 
        required under subsection (a) is delayed pursuant to paragraph 
        (1), an agency or business entity shall give notice 30 days 
        after the day such law enforcement delay was invoked unless a 
        Federal law enforcement agency provides written notification 
        that further delay is necessary.
            (3) Law enforcement immunity.--No cause of action shall lie 
        in any court against any law enforcement agency for acts 
        relating to the delay of notification for law enforcement 
        purposes under this Act.

SEC. 322. EXEMPTIONS.

    (a) Exemption for National Security and Law Enforcement.--
            (1) In general.--Section 321 shall not apply to an agency 
        if the agency certifies, in writing, that notification of the 
        security breach as required by section 321 reasonably could be 
        expected to--
                    (A) cause damage to the national security; or
                    (B) hinder a law enforcement investigation or the 
                ability of the agency to conduct law enforcement 
                investigations.
            (2) Limits on certifications.--An agency may not execute a 
        certification under paragraph (1) to--
                    (A) conceal violations of law, inefficiency, or 
                administrative error;
                    (B) prevent embarrassment to a business entity, 
                organization, or agency; or
                    (C) restrain competition.
            (3) Notice.--In every case in which an agency issues a 
        certification under paragraph (1), the certification, 
        accompanied by a description of the factual basis for the 
        certification, shall be immediately provided to the United 
        States Secret Service.
    (b) Safe Harbor.--An agency or business entity will be exempt from 
the notice requirements under section 321, if--
            (1) a risk assessment concludes that there is no 
        significant risk that the security breach has resulted in, or 
        will result in, harm to the individuals whose sensitive 
        personally identifiable information was subject to the security 
        breach;
            (2) without unreasonable delay, but not later than 45 days 
        after the discovery of a security breach, unless extended by 
        the United States Secret Service, the agency or business entity 
        notifies the United States Secret Service, in writing, of--
                    (A) the results of the risk assessment; and
                    (B) its decision to invoke the risk assessment 
                exemption; and
            (3) the United States Secret Service does not indicate, in 
        writing, within 10 days from receipt of the decision, that 
        notice should be given.
    (c) Financial Fraud Prevention Exemption.--
            (1) In general.--A business entity will be exempt from the 
        notice requirement under section 321 if the business entity 
        utilizes or participates in a security program that--
                    (A) is designed to block the use of the sensitive 
                personally identifiable information to initiate 
                unauthorized financial transactions before they are 
                charged to the account of the individual; and
                    (B) provides for notice to affected individuals 
                after a security breach that has resulted in fraud or 
                unauthorized transactions.
            (2) Limitation.--The exemption by this subsection does not 
        apply if the information subject to the security breach 
        includes sensitive personally identifiable information in 
        addition to the sensitive personally identifiable information 
        identified in section 3.

SEC. 323. METHODS OF NOTICE.

    An agency, or business entity shall be in compliance with section 
321 if it provides both:
            (1) Individual notice.--
                    (A) Written notification to the last known home 
                mailing address of the individual in the records of the 
                agency or business entity;
                    (B) Telephone notice to the individual personally; 
                or
                    (C) E-mail notice, if the individual has consented 
                to receive such notice and the notice is consistent 
                with the provisions permitting electronic transmission 
                of notices under section 101 of the Electronic 
                Signatures in Global and National Commerce Act (15 
                U.S.C. 7001).
            (2) Media notice.--Notice to major media outlets serving a 
        State or jurisdiction, if the number of residents of such State 
        whose sensitive personally identifiable information was, or is 
        reasonably believed to have been, acquired by an unauthorized 
        person exceeds 5,000.

SEC. 324. CONTENT OF NOTIFICATION.

    (a) In General.--Regardless of the method by which notice is 
provided to individuals under section 323, such notice shall include, 
to the extent possible--
            (1) a description of the categories of sensitive personally 
        identifiable information that was, or is reasonably believed to 
        have been, acquired by an unauthorized person;
            (2) a toll-free number--
                    (A) that the individual may use to contact the 
                agency or business entity, or the agent of the agency 
                or business entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                agency or business entity maintained about that 
                individual; and
            (3) the toll-free contact telephone numbers and addresses 
        for the major credit reporting agencies.
    (b) Additional Content.--Notwithstanding section 329, a State may 
require that a notice under subsection (a) shall also include 
information regarding victim protection assistance provided for by that 
State.

SEC. 325. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.

    If an agency or business entity is required to provide notification 
to more than 1,000 individuals under section 321(a), the agency or 
business entity shall also notify, without unreasonable delay, all 
consumer reporting agencies that compile and maintain files on 
consumers on a nationwide basis (as defined in section 603(p) of the 
Fair Credit Reporting Act (15 U.S.C. 1681a(p)) of the timing and 
distribution of the notices.

SEC. 326. NOTICE TO LAW ENFORCEMENT.

    (a) Secret Service.--Any business entity or agency shall give 
notice of a security breach to the United States Secret Service if--
            (1) the number of individuals whose sensitive personally 
        identifying information was, or is reasonably believed to have 
        been acquired by an unauthorized person exceeds 10,000;
            (2) the security breach involves a database, networked or 
        integrated databases, or other data system containing the 
        sensitive personally identifiable information of more than 
        1,000,000 individuals nationwide;
            (3) the security breach involves databases owned by the 
        Federal Government; or
            (4) the security breach involves primarily sensitive 
        personally identifiable information of employees and 
        contractors of the Federal Government involved in national 
        security or law enforcement.
    (b) Notice to Other Law Enforcement Agencies.--The United States 
Secret Service shall be responsible for notifying--
            (1) the Federal Bureau of Investigation, if the security 
        breach involves espionage, foreign counterintelligence, 
        information protected against unauthorized disclosure for 
        reasons of national defense or foreign relations, or Restricted 
        Data (as that term is defined in section 11y of the Atomic 
        Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses 
        affecting the duties of the United States Secret Service under 
        section 3056(a) of title 18, United States Code;
            (2) the United States Postal Inspection Service, if the 
        security breach involves mail fraud; and
            (3) the attorney general of each State affected by the 
        security breach.
    (c) 14-Day Rule.--The notices to Federal law enforcement and the 
attorney general of each State affected by a security breach required 
under this section shall be delivered as promptly as possible, but not 
later than 14 days after discovery of the events requiring notice.

SEC. 327. ENFORCEMENT.

    (a) Civil Actions by the Attorney General.--The Attorney General 
may bring a civil action in the appropriate United States district 
court against any business entity that engages in conduct constituting 
a violation of this subtitle and, upon proof of such conduct by a 
preponderance of the evidence, such business entity shall be subject to 
a civil penalty of not more than $1,000 per day per individual whose 
sensitive personally identifiable information was, or is reasonably 
believed to have been, accessed or acquired by an unauthorized person, 
up to a maximum of $50,000 per person.
    (b) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a business entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (c) Other Rights and Remedies.--The rights and remedies available 
under this subtitle are cumulative and shall not affect any other 
rights and remedies available under law.
    (d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting 
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence 
that the consumer has received notice that the consumer's financial 
information has or may have been compromised,'' after ``identity theft 
report''.

SEC. 328. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the engagement 
        of a business entity in a practice that is prohibited under 
        this subtitle, the State or the State or local law enforcement 
        agency on behalf of the residents of the agency's jurisdiction, 
        may bring a civil action on behalf of the residents of the 
        State or jurisdiction in a district court of the United States 
        of appropriate jurisdiction or any other court of competent 
        jurisdiction, including a State court, to--
                    (A) enjoin that practice;
                    (B) enforce compliance with this subtitle; or
                    (C) obtain civil penalties of not more than $1,000 
                per day per individual whose sensitive personally 
                identifiable information was, or is reasonably believed 
                to have been, accessed or acquired by an unauthorized 
                person, up to a maximum of $50,000 per day.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subtitle, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(2), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action;
            (2) initiate an action in the appropriate United States 
        district court under section 327 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(2); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General has instituted a 
proceeding or action for a violation of this subtitle or any 
regulations thereunder, no attorney general of a State may, during the 
pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle regarding notification shall 
be construed to prevent an attorney general of a State from exercising 
the powers conferred on such attorney general by the laws of that State 
to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.
    (f) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a business entity for 
violation of any provision of this subtitle.

SEC. 329. EFFECT ON FEDERAL AND STATE LAW.

    (a) In General.--The provisions of this subtitle shall supersede 
any other provision of Federal law or any provision of law of any State 
relating to notification of a security breach, except as provided in 
section 324(b).
    (b) Gramm-Leach-Bliley.--This subtitle shall not preclude any 
operation permitted under section 507 of the Gramm-Leach-Bliley Act (15 
U.S.C. 6807).

SEC. 330. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated such sums as may be 
necessary to cover the costs incurred by the United States Secret 
Service to carry out investigations and risk assessments of security 
breaches as required under this subtitle.

SEC. 331. REPORTING ON RISK ASSESSMENT EXEMPTIONS.

    The United States Secret Service shall report to Congress not later 
than 18 months after the date of enactment of this Act, and upon the 
request by Congress thereafter, on--
            (1) the number and nature of the security breaches 
        described in the notices filed by those business entities 
        invoking the risk assessment exemption under section 322(b) of 
        this Act and the response of the United States Secret Service 
        to such notices; and
            (2) the number and nature of security breaches subject to 
        the national security and law enforcement exemptions under 
        section 322(a) of this Act.

SEC. 332. EFFECTIVE DATE.

    This subtitle shall take effect on the expiration of the date which 
is 90 days after the date of enactment of this Act.

       TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

SEC. 401. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.

    (a) In General.--In considering contract awards totaling more than 
$500,000 and entered into after the date of enactment of this Act with 
data brokers, the Administrator of the General Services Administration 
shall evaluate--
            (1) the data privacy and security program of a data broker 
        to ensure the privacy and security of data containing 
        personally identifiable information, including whether such 
        program adequately addresses privacy and security threats 
        created by malicious software or code, or the use of peer-to-
        peer file sharing software;
            (2) the compliance of a data broker with such program;
            (3) the extent to which the databases and systems 
        containing personally identifiable information of a data broker 
        have been compromised by security breaches; and
            (4) the response by a data broker to such breaches, 
        including the efforts by such data broker to mitigate the 
        impact of such security breaches.
    (b) Compliance Safe Harbor.--The data privacy and security program 
of a data broker shall be deemed sufficient for the purposes of 
subsection (a), if the data broker complies with or provides protection 
equal to industry standards, as identified by the Federal Trade 
Commission, that are applicable to the type of personally identifiable 
information involved in the ordinary course of business of such data 
broker.
    (c) Penalties.--In awarding contracts with data brokers for 
products or services related to access, use, compilation, distribution, 
processing, analyzing, or evaluating personally identifiable 
information, the Administrator of the General Services Administration 
shall--
            (1) include monetary or other penalties--
                    (A) for failure to comply with subtitles A and B of 
                title IV of this Act; or
                    (B) if a contractor knows or has reason to know 
                that the personally identifiable information being 
                provided is inaccurate, and provides such inaccurate 
                information; and
            (2) require a data broker that engages service providers 
        not subject to subtitle A of title IV for responsibilities 
        related to sensitive personally identifiable information to--
                    (A) exercise appropriate due diligence in selecting 
                those service providers for responsibilities related to 
                personally identifiable information;
                    (B) take reasonable steps to select and retain 
                service providers that are capable of maintaining 
                appropriate safeguards for the security, privacy, and 
                integrity of the personally identifiable information at 
                issue; and
                    (C) require such service providers, by contract, to 
                implement and maintain appropriate measures designed to 
                meet the objectives and requirements in title IV.
    (d) Limitation.--The penalties under subsection (c) shall not apply 
to a data broker providing information that is accurately and 
completely recorded from a public record source or licensor.

SEC. 402. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF 
              CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.

    Section 3544(b) of title 44, United States Code, is amended--
            (1) in paragraph (7)(C)(iii), by striking ``and'' after the 
        semicolon;
            (2) in paragraph (8), by striking the period and inserting 
        ``; and''; and
            (3) by adding at the end the following:
            ``(9) procedures for evaluating and auditing the 
        information security practices of contractors or third party 
        business entities supporting the information systems or 
        operations of the agency involving personally identifiable 
        information (as that term is defined in section 3 of the 
        Personal Data Privacy and Security Act of 2005) and ensuring 
        remedial action to address any significant deficiencies.''.

SEC. 403. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL 
              INFORMATION SERVICES CONTAINING PERSONALLY IDENTIFIABLE 
              INFORMATION.

    (a) In General.--Section 208(b)(1) of the E-Government Act of 2002 
(44 U.S.C. 3501 note) is amended--
            (1) in subparagraph (A)(i), by striking ``or''; and
            (2) in subparagraph (A)(ii), by striking the period and 
        inserting ``; or''; and
            (3) by inserting after clause (ii) the following:
                            ``(iii) purchasing or subscribing for a fee 
                        to personally identifiable information from a 
                        data broker (as such terms are defined in 
                        section 3 of the Personal Data Privacy and 
                        Security Act of 2005).''.
    (b) Limitation.--Notwithstanding any other provision of law, 
commencing 1 year after the date of enactment of this Act, no Federal 
agency may enter into a contract with a data broker to access for a fee 
any database consisting primarily of personally identifiable 
information concerning United States persons (other than news reporting 
or telephone directories) unless the head of such department or 
agency--
            (1) completes a privacy impact assessment under section 208 
        of the E-Government Act of 2002 (44 U.S.C. 3501 note), which 
        shall, subject to the provision in that Act pertaining to 
        sensitive information, include a description of--
                    (A) such database;
                    (B) the name of the data broker from whom it is 
                obtained; and
                    (C) the amount of the contract for use;
            (2) adopts regulations that specify--
                    (A) the personnel permitted to access, analyze, or 
                otherwise use such databases;
                    (B) standards governing the access, analysis, or 
                use of such databases;
                    (C) any standards used to ensure that the 
                personally identifiable information accessed, analyzed, 
                or used is the minimum necessary to accomplish the 
                intended legitimate purpose of the Federal agency;
                    (D) standards limiting the retention and 
                redisclosure of personally identifiable information 
                obtained from such databases;
                    (E) procedures ensuring that such data meet 
                standards of accuracy, relevance, completeness, and 
                timeliness;
                    (F) the auditing and security measures to protect 
                against unauthorized access, analysis, use, or 
                modification of data in such databases;
                    (G) applicable mechanisms by which individuals may 
                secure timely redress for any adverse consequences 
                wrongly incurred due to the access, analysis, or use of 
                such databases;
                    (H) mechanisms, if any, for the enforcement and 
                independent oversight of existing or planned 
                procedures, policies, or guidelines; and
                    (I) an outline of enforcement mechanisms for 
                accountability to protect individuals and the public 
                against unlawful or illegitimate access or use of 
                databases; and
            (3) incorporates into the contract or other agreement 
        totaling more than $500,000, provisions--
                    (A) providing for penalties--
                            (i) for failure to comply with title IV of 
                        this Act; or
                            (ii) if the entity knows or has reason to 
                        know that the personally identifiable 
                        information being provided to the Federal 
                        department or agency is inaccurate, and 
                        provides such inaccurate information; and
                    (B) requiring a data broker that engages service 
                providers not subject to subtitle A of title IV for 
                responsibilities related to sensitive personally 
                identifiable information to--
                            (i) exercise appropriate due diligence in 
                        selecting those service providers for 
                        responsibilities related to personally 
                        identifiable information;
                            (ii) take reasonable steps to select and 
                        retain service providers that are capable of 
                        maintaining appropriate safeguards for the 
                        security, privacy, and integrity of the 
                        personally identifiable information at issue; 
                        and
                            (iii) require such service providers, by 
                        contract, to implement and maintain appropriate 
                        measures designed to meet the objectives and 
                        requirements in title IV.
    (c) Limitation on Penalties.--The penalties under subsection 
(b)(3)(A) shall not apply to a data broker providing information that 
is accurately and completely recorded from a public record source.
    (d) Study of Government Use.--
            (1) Scope of study.--Not later than 180 days after the date 
        of enactment of this Act, the Comptroller General of the United 
        States shall conduct a study and audit and prepare a report on 
        Federal agency use of data brokers or commercial databases 
        containing personally identifiable information, including the 
        impact on privacy and security, and the extent to which Federal 
        contracts include sufficient provisions to ensure privacy and 
        security protections, and penalties for failures in privacy and 
        security practices.
            (2) Report.--A copy of the report required under paragraph 
        (1) shall be submitted to Congress.

SEC. 404. IMPLEMENTATION OF CHIEF PRIVACY OFFICER REQUIREMENTS.

    (a) Designation of the Chief Privacy Officer.--Pursuant to the 
requirements under section 522 of the Transportation, Treasury, 
Independent Agencies, and General Government Appropriations Act, 2005 
(division H of Public Law 108-447; 118 Stat. 3199) that each agency 
designate a Chief Privacy Officer, the Department of Justice shall 
implement such requirements by designating a department-wide Chief 
Privacy Officer, whose primary role shall be to fulfill the duties and 
responsibilities of Chief Privacy Officer and who shall report directly 
to the Deputy Attorney General.
    (b) Duties and Responsibilities of Chief Privacy Officer.--In 
addition to the duties and responsibilities outlined under section 522 
of the Transportation, Treasury, Independent Agencies, and General 
Government Appropriations Act, 2005 (division H of Public Law 108-447; 
118 Stat. 3199), the Department of Justice Chief Privacy Officer 
shall--
            (1) oversee the Department of Justice's implementation of 
        the requirements under section 603 to conduct privacy impact 
        assessments of the use of commercial data containing personally 
        identifiable information by the Department; and
            (2) coordinate with the Privacy and Civil Liberties 
        Oversight Board, established in the Intelligence Reform and 
        Terrorism Prevention Act of 2004 (Public Law 108-458), in 
        implementing this section.