[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 3713 Introduced in Senate (IS)]
109th CONGRESS
  2d Session
                                S. 3713

  To protect privacy rights associated with electronic and commercial 
                             transactions.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 21, 2006

 Mrs. Clinton introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


  To protect privacy rights associated with electronic and commercial 
                             transactions.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Privacy Rights and OversighT for 
Electronic and Commercial Transactions Act of 2006'' or the ``PROTECT 
Act''.

SEC. 2. PRIVATE RIGHT OF ACTION.

    (a) Compromised Data.--
            (1) In general.--It shall be unlawful for any for profit 
        entity that stores, processes, or otherwise handles the 
        personal data of an individual to compromise the personal, 
        nonpublic information of that individual through theft, loss, 
        data breach or other malfeasance.
            (2) Liability.--An entity that violates this subsection 
        shall--
                    (A) be liable to the injured individual for $1,000; 
                and
                    (B) have a net liability arising from any 
                individual data breach, theft, or loss event of not to 
                exceed 1 percent of annual revenues for the entity.
    (b) Identity Theft.--
            (1) In general.--It shall be unlawful for any for profit 
        entity to issue credit or an account for services to an 
        unauthorized individual or make an inaccurate change to a 
        credit report as a result of identity theft.
            (2) Liability.--An entity that violates this subsection 
        shall--
                    (A) be liable for $5,000 to the injured individual 
                for each instance of unauthorized use; and
                    (B) have a net liability for identity thefts 
                resulting from a specific data breach event of not to 
                exceed 5 percent of annual revenues for the entity.
    (c) Small Business Exception.--A small business as defined by the 
standards of the Small Business Administration shall be exempt from 
this section although nothing in this section shall prohibit private 
rights of action against any entity for data loss or identity theft.
    (d) Collective Action.--A collective action may be brought under 
this section pursuant to the procedures provided in section 16(b) of 
the Fair Labor Standards Act of 1938.

SEC. 3. OPT-IN FOR CERTAIN TYPES OF INFORMATION.

    Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is 
amended by adding at the end the following:
    ``(f) Opt in Requirement for Certain Information.--
            ``(1) Limitation.--Notwithstanding subsection (b), a 
        financial institution may not disclose usage data relating to a 
        consumer to a nonaffiliated third party, unless--
                    ``(A) such financial institution clearly and 
                conspicuously requests authority from the consumer, in 
                writing or in electronic form or other form permitted 
                by the regulations prescribed under section 504 to 
                disclose such information to such third party; and
                    ``(B) the consumer affirmatively authorizes such 
                disclosure, in writing.
            ``(2) Definition.--As used in this subsection, the term 
        `usage data', means any information relating to purchase 
        history records or any listing of items and services purchased 
        by the consumer to whom the information relates.''.

SEC. 4. CHIEF PRIVACY OFFICER WITHIN THE OFFICE OF MANAGEMENT AND 
              BUDGET.

    (a) Definitions.--In this section--
            (1) the term ``agency'' has the meaning given under section 
        551(1) of title 5, United States Code; and
            (2) the term ``system of records'' has the meaning given 
        under section 552a(5) of title 5, United States Code.
    (b) Designation of Chief Privacy Officer.--The President shall 
designate a senior officer within the Office of Management and Budget 
as the Chief Privacy Officer, who shall have primary responsibility for 
privacy policy throughout all agencies.
    (c) Responsibilities.--The Chief Privacy Officer shall--
            (1) ensure that the technologies procured and use of 
        technologies by agencies sustain, and do not erode, privacy 
        protections relating to the use, collection, and disclosure of 
        personally identifiable information;
            (2) ensure that agency officers have the authority to 
        enforce rules and regulations relating to the collection, 
        processing, and storage of personally identifiable information 
        within, between, and among agencies;
            (3) ensure that personally identifiable information 
        contained in each system of records is handled in full 
        compliance with fair information practices required under 
        section 552a of title 5, United States Code, (commonly referred 
        to as the ``Privacy Act'');
            (4) evaluate legislative and regulatory proposals involving 
        collection, use, and disclosure of personally identifiable 
        information by agencies;
            (5) exercise responsibility under the direction of the 
        Director of the Office of Management and Budget with respect to 
        privacy impact assessment rules, regulations, and oversight 
        under section 208 of the E-Government Act of 2002 (44 U.S.C. 
        3501 note); and
            (6) submit an annual report to the Congress containing an 
        analysis of each agency of Federal activities that affect 
        privacy, including complaints of privacy violations, 
        implementation of section 552a of title 5, United States Code, 
        (commonly referred to as the ``Privacy Act''), internal 
        controls, and other matters.
    (d) Agency Reports to the Chief Privacy Officer.--The head of each 
agency and the Chief Privacy Officer of each agency established under 
section 522 of the Consolidated Appropriations Act, 2005 (relating to 
Chief Privacy Officers) (5 U.S.C. 552a note; Public Law 108-447; 118 
Stat. 3268) shall--
            (1) provide to the Chief Privacy Officer established under 
        this section such information as the Chief Privacy Officer 
        considers necessary for the completion of the annual reports 
        under subsection (c)(6); and
            (2) submit annual reports to the Chief Privacy Officer 
        established under this section that include--
                    (A) an assessment of agency policies and protocols 
                relating to data security; and
                    (B) a description of the actions that are being 
                taken to ensure protection against--
                            (i) threats and hazards to data security; 
                        and
                            (ii) unauthorized access or use of data.
    (e) Notifications on Breaches of Personally Identifiable 
Information.--
            (1) Notification to individual.--
                    (A) In general.--If a system of records maintained 
                by an agency is breached and data with personally 
                identifiable information is accessed or disclosed 
                without authorization as a result of that breach, the 
                agency shall provide timely notification to each 
                individual affected by that breach.
                    (B) Exception.--An agency may delay notification 
                under subparagraph (A) on the basis of national 
                security.
            (2) Notification to major credit reporting services.--
                    (A) In general.--If an individual receives 
                notification of a breach under paragraph (1), the 
                individual may request the agency to provide 
                notification of the breach to all major credit 
                reporting services.
                    (B) Notification.--Upon the receipt of a request 
                under subparagraph (A), the agency shall provide 
                notification of the breach to all major credit 
                reporting services.
            (3) No cost to individual.--Notification under paragraphs 
        (1) or (2) shall be at no cost to any individual.

SEC. 5. RULEMAKING RELATING TO DISCLOSURES.

    Section 504 of the Gramm-Leach-Bliley Act (15 U.S.C. 6804) is 
amended by adding at the end the following:
    ``(c) Disclosure Regulations.--The Federal Trade Commission and 
each of the Federal functional regulators shall, promptly upon the date 
of enactment of this subsection, issue final rules applicable to 
financial institutions subject to their authority to require standard, 
clear, easy to understand disclosures of what specific information 
could be shared under this title, the types of third parties with which 
such information could be shared, and when consumers are given opt out 
opportunities.''.

SEC. 6. ANNUAL DISCLOSURES TO CONSUMERS.

    Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is 
amended by adding at the end the following:
    ``(c) Annual Disclosures.--In addition to the disclosures required 
under subsection (a), upon written request of a consumer, each 
financial institution shall provide free of charge to the consumer up 
to once each year, a copy of all information maintained by the 
financial institution relating to the consumer, including any 
consolidated profile.''.

SEC. 7. AUTOMATIC FREE ANNUAL CREDIT REPORTS.

    Section 612(a) of the Fair Credit Reporting Act (15 U.S.C. 
1681j(a)) is amended by striking ``period upon request of the consumer 
and'' and inserting ``period,''.

SEC. 8. NOTICE OF SECURITY BREACHES.

    (a) Notice to Persons Affected.--Each Federal agency, and each 
business entity, whether a nonprofit or for profit concern, shall 
promptly notify each person who may be a victim of identity theft due 
to a security breach involving the agency or entity, including the 
theft or potential theft of or other inappropriate access to 
identifying information relating to that person that is collected or 
maintained by the agency or business entity.
    (b) Notice to Consumer Reporting Agencies.--Each Federal agency and 
business entity described in subsection (a) shall promptly notify each 
consumer reporting agency described in section 603(p) of the Fair 
Credit Reporting Act (15 U.S.C. 1681a(p)) of a security breach 
described in subsection (a), including the names of all persons 
affected or potentially affected thereby.
    (c) Regulations.--The Federal Trade Commission shall issue 
regulations to carry out the provisions of this section.

SEC. 9. SECURITY FREEZE ON CREDIT REPORTS.

    Section 605B of the Fair Credit Reporting Act (15 U.S.C. 1681c-2) 
is amended to read as follows:

``SEC. 605B. SECURITY FREEZE ON RELEASE OF INFORMATION.

    ``(a) In General.--
            ``(1) Consumer placement of a security freeze on individual 
        credit files.--A consumer may place a security freeze on his or 
        her file by making a request to a consumer reporting agency in 
        writing, by telephone, or through a secure electronic 
        connection made available by the consumer reporting agency.
            ``(2) Consumer disclosure.--If a consumer requests a 
        security freeze under this section, the consumer reporting 
        agency shall disclose to the consumer the process of placing 
        and removing the security freeze and explain to the consumer 
        the potential consequences of the security freeze. A consumer 
        reporting agency may not imply or inform a consumer that the 
        placement or presence of a security freeze on the file of the 
        consumer may negatively affect the consumer's credit score.
    ``(b) Effect of Security Freeze.--
            ``(1) Release of information blocked.--If a security freeze 
        is in place on the file of a consumer, a consumer reporting 
        agency may not release information relating to that file for 
        consumer credit purposes to a third party without prior express 
        authorization from the consumer.
            ``(2) Information provided to third parties.--Paragraph (1) 
        does not prevent a consumer reporting agency from advising a 
        third party that a security freeze is in effect with respect to 
        the file of a consumer. If a third party requests access to the 
        file of a consumer on which a security freeze is in place in 
        connection with an application for credit, the third party may 
        treat the application as incomplete.
            ``(3) Consumer credit score not affected.--The placement of 
        a security freeze on a consumer file may not be taken into 
        account for any purpose in determining the credit score of the 
        consumer to whom the account relates.
    ``(c) Removal; Temporary Suspension.--
            ``(1) In general.--Except as provided in paragraph (4), a 
        security freeze under this section shall remain in place until 
        the consumer requests that the security freeze be removed. A 
        consumer may remove a security freeze on his or her credit file 
        by making a request to a consumer reporting agency in writing, 
        by telephone, or through a secure electronic connection made 
        available by the consumer reporting agency.
            ``(2) Conditions.--A consumer reporting agency may remove a 
        security freeze placed on the file of a consumer only--
                    ``(A) upon request of the consumer, pursuant to 
                paragraph (1); or
                    ``(B) if the agency determines that the credit file 
                of the consumer was frozen due to a material 
                misrepresentation of fact by the consumer.
            ``(3) Notification to consumer.--If a consumer reporting 
        agency intends to remove a security freeze on the file of a 
        consumer pursuant to paragraph (2)(B), the consumer reporting 
        agency shall notify the consumer in writing prior to removing 
        the security freeze.
            ``(4) Temporary suspension.--A consumer may have a security 
        freeze on his or her credit file temporarily suspended by 
        making a request to a consumer reporting agency in writing or 
        by telephone and specifying beginning and ending dates for the 
        period during which the security freeze is not to apply to that 
        file.
    ``(d) Response Times; Notification of Other Entities.--
            ``(1) In general.--A consumer reporting agency shall--
                    ``(A) place a security freeze on the file of a 
                consumer under subsection (a) not later than 5 business 
                days after receiving a request from the consumer under 
                subsection (a)(1); and
                    ``(B) remove or temporarily suspend a security 
                freeze not later than 3 business days after receiving a 
                request for removal or temporary suspension from the 
                consumer under subsection (c).
            ``(2) Notification to other agencies.--If the consumer so 
        requests in writing or by telephone, a consumer reporting 
        agency shall notify all other consumer reporting agencies 
        described in section 603(p)(1) not later than 3 days after 
        placing, removing, or temporarily suspending a security freeze 
        on the file of the consumer under subsection (a), (c)(2)(A), or 
        (c)(4), respectively.
            ``(3) Implementation by other covered entities.--A consumer 
        reporting agency that is notified of a request under paragraph 
        (2) to place, remove, or temporarily suspend a security freeze 
        on the file of a consumer shall--
                    ``(A) request proper identification from the 
                consumer, in accordance with subsection (f), not later 
                than 3 business days after receiving the notification; 
                and
                    ``(B) place, remove, or temporarily suspend the 
                security freeze on that credit report not later than 3 
                business days after receiving proper identification.
    ``(e) Confirmation.--Except as provided in subsection (c)(3), 
whenever a consumer reporting agency places, removes, or temporarily 
suspends a security freeze on the file of a consumer at the request of 
that consumer under subsection (a) or (c), respectively, it shall send 
a written confirmation thereof to the consumer not later than 10 
business days after placing, removing, or temporarily suspending the 
security freeze on the file. This subsection does not apply to the 
placement, removal, or temporary suspension of a security freeze by a 
consumer reporting agency because of a notification received under 
subsection (d)(2).
    ``(f) Identification Required.--A consumer reporting agency may not 
place, remove, or temporarily suspend a security freeze on the file of 
a consumer or otherwise provide a credit report or score in accordance 
with this section at the request of the consumer, unless the consumer 
provides proper identification (within the meaning of section 610(a)(1) 
and the regulations thereunder).
    ``(g) Exceptions.--This section does not apply to the use of a 
consumer credit report by any of the following:
            ``(1) A person or entity, or a subsidiary, affiliate, or 
        agent of that person or entity, or an assignee of a financial 
        obligation owing by the consumer to that person or entity, or a 
        prospective assignee of a financial obligation owing by the 
        consumer to that person or entity in conjunction with the 
        proposed purchase of the financial obligation, with which the 
        consumer has or had prior to assignment an account or contract, 
        including a demand deposit account, or to whom the consumer 
        issued a negotiable instrument, for the purposes of reviewing 
        the account or collecting the financial obligation owing for 
        the account, contract, or negotiable instrument.
            ``(2) Any Federal, State, or local agency, law enforcement 
        agency, trial court, or private collection agency acting 
        pursuant to a court order, warrant, subpoena, or other 
        compulsory process.
            ``(3) A child support agency or its agents or assigns 
        acting pursuant to subtitle D of title IV of the Social 
        Security Act (42 U.S.C. et seq.) or similar State law.
            ``(4) The Department of Health and Human Services, a 
        similar State agency, or the agents or assigns of the Federal 
        or State agency acting to investigate Medicare or Medicaid 
        fraud.
            ``(5) The Internal Revenue Service or a State or municipal 
        taxing authority, or a State department of motor vehicles, or 
        any of the agents or assigns of these Federal, State, or 
        municipal agencies acting to investigate or collect delinquent 
        taxes, or unpaid court orders, or to fulfill any of their other 
        statutory responsibilities.
            ``(6) The use of consumer credit information for the 
        purposes of prescreening as provided in this title.
            ``(7) Any person or entity administering a credit file 
        monitoring subscription to which the consumer has subscribed.
            ``(8) Any person or entity for the purpose of providing a 
        consumer with a copy of his or her credit report or credit 
        score, upon the request of the consumer and upon provision of 
        appropriate identification in accordance with subsection (f).
    ``(h) Fees.--
            ``(1) In general.--Except as provided in paragraph (2), a 
        consumer reporting agency may charge a reasonable fee, as 
        determined by the Commission by rule, promulgated in accordance 
        with section 553 of title 5, United States Code, for placing, 
        removing, or temporarily suspending a security freeze on the 
        file of a consumer under this section.
            ``(2) Exception for identification theft victims.--A 
        consumer reporting agency may not charge a fee for placing, 
        removing, or temporarily suspending a security freeze on the 
        file of a consumer, if--
                    ``(A) the consumer is a victim of identity theft;
                    ``(B) the consumer requests the security freeze in 
                writing;
                    ``(C) the consumer has filed a police report with 
                respect to the theft, or an identity theft report (as 
                defined in section 603(q)(4)), not later than 90 days 
                after the date on which the theft occurred or was 
                discovered by the consumer;
                    ``(D) the consumer provides a copy of the police 
                report to the consumer reporting agency; and
                    ``(E) the consumer--
                            ``(i) has been notified by any entity that 
                        personally identifiable information handled by 
                        that entity has been compromised or breached; 
                        and
                            ``(ii) notifies the consumer reporting 
                        agency of such compromise or breach.
    ``(i) Limitation on Information Changes in Frozen Files.--
            ``(1) In general.--If a security freeze is in place on the 
        file of a consumer, a consumer reporting agency may not change 
        any of the following official information in that file without 
        sending a written confirmation of the change to the consumer, 
        not later than 30 days after the change is made:
                    ``(A) Name.
                    ``(B) Date of birth.
                    ``(C) Social Security number.
                    ``(D) Address.
            ``(2) Confirmation.--Paragraph (1) does not require written 
        confirmation for technical modifications of a consumer's 
        official information, including name and street abbreviations, 
        complete spellings, or transposition of numbers or letters. In 
        the case of an address change, the written confirmation shall 
        be sent to both the new address and to the former address.
    ``(j) Certain Entity Exemptions.--
            ``(1) Aggregators and other agencies.--The provisions of 
        subsections (a) through (i) do not apply to a consumer 
        reporting agency that acts only as a reseller of credit 
        information by assembling and merging information contained in 
        the data base of another consumer reporting agency or multiple 
        consumer reporting agencies, and does not maintain a permanent 
        data base of credit information from which new consumer credit 
        reports are produced.
            ``(2) Other exempted entities.--The following entities are 
        not required to place a security freeze on the file of a 
        consumer under this section:
                    ``(A) A check services or fraud prevention services 
                company which issues reports on incidents of fraud or 
                authorizations for the purpose of approving or 
                processing negotiable instruments, electronic funds 
                transfers, or similar methods of payments.
                    ``(B) A deposit account information service company 
                which issues reports regarding account closures due to 
                fraud, substantial overdrafts, ATM abuse, or similar 
                negative information regarding a consumer, to inquiring 
                banks or other financial institutions for use only in 
                reviewing a consumer request for a deposit account at 
                the inquiring bank or financial institution.
    ``(k) State Preemption.--This section shall preempt any provision 
of State or local law, regulation, or rule that requires consumer 
reporting agencies to comply with the request of a consumer to place, 
remove, or temporarily suspend a prohibition on the release by a 
consumer reporting agency of information from its files on that 
consumer, but only if it is determined by the Commission that this 
section will provide materially stronger consumer protections than 
those afforded to consumers under otherwise applicable State or local 
law.''.

SEC. 10. SAFEGUARDING AMERICANS FROM EXPORTING IDENTIFICATION DATA.

    (a) Definitions.--As used in this section:
            (1) Business enterprise.--The term ``business enterprise'' 
        means--
                    (A) any organization, association, or venture 
                established to make a profit;
                    (B) any health care business;
                    (C) any private, nonprofit organization; or
                    (D) any contractor, subcontractor, or potential 
                subcontractor of an entity described in subparagraph 
                (A), (B), or (C).
            (2) Health care business.--The term ``health care 
        business'' means any business enterprise or private, nonprofit 
        organization that collects or retains personally identifiable 
        information about consumers in relation to medical care, 
        including--
                    (A) hospitals;
                    (B) health maintenance organizations;
                    (C) medical partnerships;
                    (D) emergency medical transportation companies;
                    (E) medical transcription companies;
                    (F) banks that collect or process medical billing 
                information; and
                    (G) subcontractors, or potential subcontractors, of 
                the entities described in subparagraphs (A) through 
                (F).
            (3) Personally identifiable information.--The term 
        ``personally identifiable information'' includes information 
        such as--
                    (A) name;
                    (B) postal address;
                    (C) financial information;
                    (D) medical records;
                    (E) date of birth;
                    (F) phone number;
                    (G) e-mail address;
                    (H) social security number;
                    (I) mother's maiden name;
                    (J) password;
                    (K) State identification information; and
                    (L) driver's license number.
    (b) Transmission of Information.--
            (1) Prohibition.--A business enterprise may not disclose 
        personally identifiable information regarding a resident of the 
        United States to any foreign branch, affiliate, subcontractor, 
        or unaffiliated third party located in a foreign country 
        unless--
                    (A) the business enterprise provides the notice of 
                privacy protections described in sections 502 and 503 
                of the Gramm-Leach-Bliley Act (15 U.S.C. 6802 and 6803) 
                or required by the regulations promulgated pursuant to 
                section 264(c) of the Health Insurance Portability and 
                Accountability Act of 1996 (42 U.S.C. 1320d-2 note), as 
                appropriate;
                    (B) the business enterprise complies with the 
                safeguards described in section 501(b) of the Gramm-
                Leach-Bliley Act (15 U.S.C. 6801(b)), as appropriate;
                    (C) the consumer is given the opportunity, before 
                the time that such information is initially disclosed, 
                to object to the disclosure of such information to such 
                foreign branch, affiliate, subcontractor, or 
                unaffiliated third party; and
                    (D) the consumer is given an explanation of how the 
                consumer can exercise the nondisclosure option 
                described in subparagraph (C).
            (2) Health care businesses.--A health care business may not 
        terminate an existing relationship with a consumer of health 
        care services to avoid the consumer from objecting to the 
        disclosure under paragraph (1)(C).
            (3) Effect on business relationship.--
                    (A) Nondiscrimination.--A business enterprise may 
                not discriminate against or deny an otherwise qualified 
                consumer a financial product or a health care service 
                because the consumer has objected to the disclosure 
                under paragraph (1)(C).
                    (B) Products and services.--A business enterprise 
                shall not be required to offer or provide a product or 
                service through affiliated entities or jointly with 
                nonaffiliated business enterprises.
                    (C) Incentives and discounts.--Nothing in this 
                subsection is intended to prohibit a business 
                enterprise from offering incentives or discounts to 
                elicit a specific response to the notice required under 
                paragraph (1).
            (4) Liability.--
                    (A) In general.--A business enterprise that 
                knowingly and directly transfers personally 
                identifiable information to a foreign branch, 
                affiliate, subcontractor, or unaffiliated third party 
                shall be liable to any person suffering damages 
                resulting from the improper storage, duplication, 
                sharing, or other misuse of such information by the 
                transferee.
                    (B) Civil action.--An injured party under 
                subparagraph (A) may sue in law or in equity in any 
                court of competent jurisdiction to recover the damages 
                sustained as a result of a violation of this 
                subsection.
            (5) Rulemaking.--The Chairman of the Federal Trade 
        Commission shall promulgate regulations through which the 
        Chairman may enforce the provisions of this subsection and 
        impose a civil penalty for a violation of this section.
    (c) Privacy for Consumers of Health Services.--The Secretary of 
Health and Human Services shall revise the regulations promulgated 
pursuant to section 264(c) of the Health Insurance Portability and 
Accountability Act of 1996 (42 U.S.C. 1320d-2 note) to require a 
covered entity (as defined by such regulations) that outsources 
protected health information (as defined by such regulations) outside 
the United States to include in such entity's notice of privacy 
protections--
            (1) notification that the covered entity outsources 
        protected health information to business associates (as defined 
        by such regulations) for processing outside the United States;
            (2) a description of the privacy laws of the country to 
        which the protected health information will be sent;
            (3) any additional risks and consequences to the privacy 
        and security of protected health information that arise as a 
        result of the processing of such information in a foreign 
        country;
            (4) additional measures the covered entity is taking to 
        protect the protected health information outsourced for 
        processing outside the United States;
            (5) notification that the protected health information will 
        not be outsourced outside the United States if the consumer 
        objects; and
            (6) a certification that--
                    (A) the covered entity has taken reasonable steps 
                to identify the locations where protected health 
                information is outsourced by such business associates;
                    (B) attests to the privacy and security of the 
                protected health information outsourced for processing 
                outside the United States; and
                    (C) states the reasons for the determination by the 
                covered entity that the privacy and security of such 
                information is maintained.
    (d) Privacy for Consumers of Financial Services.--Section 503(b) of 
the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)) is amended--
            (1) in paragraph (3), by striking ``and'' after the 
        semicolon;
            (2) in paragraph (4), by striking the period at the end and 
        inserting ``; and''; and
            (3) by adding at the end the following:
            ``(5) if the financial institution outsources nonpublic 
        personal information outside the United States--
                    ``(A) information informing the consumer in simple 
                language--
                            ``(i) that the financial institution 
                        outsources nonpublic personal information to 
                        entities for processing outside the United 
                        States;
                            ``(ii) of the privacy laws of the country 
                        to which nonpublic personal information will be 
                        sent;
                            ``(iii) of any additional risks and 
                        consequences to the privacy and security of an 
                        individual's nonpublic personal information 
                        that arise as a result of the processing of 
                        such information in a foreign country; and
                            ``(iv) of the additional measures the 
                        financial institution is taking to protect the 
                        nonpublic personal information outsourced for 
                        processing outside the United States; and
                    ``(B) a certification that--
                            ``(i) the financial institution has taken 
                        reasonable steps to identify the locations 
                        where nonpublic personal information is 
                        outsourced by such entities;
                            ``(ii) attests to the privacy and security 
                        of the nonpublic personal information 
                        outsourced for processing outside the United 
                        States; and
                            ``(iii) states the reasons for the 
                        determination by the institution that the 
                        privacy and security of such information is 
                        maintained.''.
    (e) Effective Date.--This section shall take effect on the 
expiration of the date which is 90 days after the date of enactment of 
this Act.

SEC. 11. TELEPHONE AND COMMUNICATIONS RECORDS.

    (a) In General.--Not later than 120 days after the date of 
enactment of this Act, the Federal Trade Commission, the Federal 
Communications Commission and the Attorney General shall establish a 
Center for Telecommunications Records Privacy (referred to in this 
section as the ``Center'') which shall consist of the appropriate 
designees of each agency which shall be established by a memorandum of 
understanding among the agencies.
    (b) Responsibilities.--The Center shall--
            (1) be charged with evaluating the current rules, 
        regulations and law regarding the unauthorized disclosure, 
        access, and sharing of telephone and telephony technology call 
        records and identify gaps in coverage and enforcement regarding 
        the unauthorized disclosure, sharing, or sale of telephone and 
        communications records; and
            (2) on an annual basis--
                    (A) provide an assessment of the frequency and 
                scope of the unauthorized and criminal disclosure of 
                telecommunications records and provide an evaluation of 
                the effectiveness of enacted laws and regulations;
                    (B) identify new telecommunications technologies 
                not covered by current law or regulation; and
                    (C) make recommendations to Congress regarding 
                other legislative or regulatory steps that can be taken 
                to address emerging issues.

SEC. 12. FEDERAL TRADE COMMISSION RULES FOR DATA PROCESSORS AND RULES 
              FOR FEDERAL AGENCIES.

    (a) In General.--The Federal Trade Commission shall issue new rules 
for Federal agencies responsible for working with data processors to 
ensure the security and confidentiality of nonpublic personal 
information to--
            (1) protect against any anticipated threats or hazards to 
        the security or integrity of such information;
            (2) protect against unauthorized access to or use of such 
        information which could result in substantial harm or 
        inconvenience to a customer or the relevant financial 
        institution; and
            (3) protect against the illegal or unauthorized collection 
        of personally identifiable information by data processors.
    (b) Definition.--In this section, the term ``data processor'' means 
any entity the business of which in whole or in part is the handling, 
processing, compilation, exchange, transmittal, or other management or 
processing of the nonpublic personal information of consumers by 
agreement on behalf of another institution.
    (c) Report.--Each Federal agency covered by this section shall 
submit annual reports to the Chief Privacy Officer established under 
section 4, which shall include an assessment of agency policies and 
protocols dealing with data security and what steps are being taken to 
ensure against threats and hazards to that security and protecting 
against unauthorized access or use of data.

SEC. 13. MEDICAL RECORDS.

    (a) Application of Penalties to Certain Employees.--Section 1177 of 
the Social Security Act (42 U.S.C. 1320d-6) is amended by adding at the 
end the following:
    ``(c) Clarification of Application.--The provisions of subsection 
(a) shall apply to individuals who knowingly use, obtain, or disclose 
individually identifiable health information or a unique health 
identifier regardless of the manner in which such individuals obtain 
such information or the relation of the individual to the entity that 
maintains the information involved. The preceding sentence shall apply 
to individuals who illegally hack into computer systems to obtain 
data.''.
    (b) Expanding the Scope of the HIPAA Privacy Rule.--
            (1) In general.--The Secretary of Health and Human Services 
        shall modify the regulations promulgated under section 264(c) 
        of the Health Insurance Portability and Accountability Act (42 
        U.S.C. 1320dd-2 note) to broaden the scope of who is considered 
        to be a covered entity to include those entities and 
        individuals that disclose health information to other entities 
        in the course of their commercial activities and not in 
        relation to the provision of healthcare services.
            (2) Timing.--The Secretary of Health and Human Services 
        shall--
                    (A) not later than 12 months after the date of 
                enactment of this Act, promulgate a proposed rule for 
                the modifications described in paragraph (1); and
                    (B) not later than 24 months after the date of 
                enactment of this Act, promulgate a final rule for the 
                modifications described in paragraph (1).
            (3) Reinstatement of certain consent provisions.--
        Notwithstanding any other provision of law, the provisions of 
        section 164-506(b) of title 45, Code of Federal Regulations, as 
        in effect on April 14, 2001 and modified in 2002, relating to 
        the consent to use and disclose certain information for 
        treatment, payment, or health care operations, shall be deemed 
        to be reinstated and implemented accordingly.
    (c) Reporting Requirements.--The Secretary of Health and Human 
Services shall develop a procedure for the reporting to the Secretary, 
by individuals or entities receiving assistance from the Department of 
Health and Human Services, of any unlawful disclosures of identifiable 
health information in violation of section 1176 or 1177 of the Social 
Security Act (42 U.S.C. 12320d-5; 1320d-6) or the regulations 
promulgated under section 264(c) of the Health Insurance Portability 
and Accountability Act (42 U.S.C. 1320dd-2 note) by such individuals or 
entities. In developing such procedure, the Secretary shall--
            (1) take into consideration the notification procedures 
        used by other public or private sector entities, including the 
        TRICARE program; and
            (2) provide for the appropriate notification, by 
        individuals or entities receiving assistance from the 
        Department of Health and Human Services, to individuals whose 
        identifiable health information has been disclosed in violation 
        of such section 1176 or 1177 or such regulations by such 
        individuals or entities.
    (d) Investigation of Complaints.--With respect to a report of an 
unlawful disclosure of health information under subsection (c), the 
Secretary of Health and Human Services shall investigate such 
disclosure using the complaint process contained in subpart C of part 
160 of title 45, Code of Federal Regulations (as in effect on the date 
of enactment of this Act), except that for purposes of the review 
process contained in section 160.308 of such subpart, the Secretary 
shall establish a schedule of routine compliance reviews of covered 
entities (as such term is used for purposes of such section).