II

109th CONGRESS
2d Session

S. 3713

IN THE SENATE OF THE UNITED STATES

July 21, 2006

Mrs. Clinton introduced the following bill; which was read twice and referred to the Committee on the Judiciary

A BILL

To protect privacy rights associated with electronic and commercial transactions.
	
	
1. Short title

This Act may be cited as the “Privacy Rights and OversighT for Electronic and Commercial Transactions Act of 2006” or the “PROTECT Act”.
2. Private right of action

(a) Compromised data

(1) In general. It shall be unlawful for any for profit entity that stores, processes, or otherwise handles the personal data of an individual to compromise the personal, nonpublic information of that individual through theft, loss, data breach or other malfeasance.

(2) Liability. An entity that violates this subsection shall—
(A) be liable to the injured individual for $1,000; and
(B) have a net liability arising from any individual data breach, theft, or loss event of not to exceed 1 percent of annual revenues for the entity.

(b) Identity theft

(1) In general. It shall be unlawful for any for profit entity to issue credit or an account for services to an unauthorized individual or make an inaccurate change to a credit report as a result of identity theft.

(2) Liability. An entity that violates this subsection shall—
(A) be liable for $5,000 to the injured individual for each instance of unauthorized use; and
(B) have a net liability for identity thefts resulting from a specific data breach event of not to exceed 5 percent of annual revenues for the entity.

(c) Small business exception. A small business as defined by the standards of the Small Business Administration shall be exempt from this section, although nothing in this section shall prohibit private rights of action against any entity for data loss or identity theft.

(d) Collective action. A collective action may be brought under this section pursuant to the procedures provided in section 16(b) of the Fair Labor Standards Act of 1938.
3. Opt-in for certain types of information

Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended by adding at the end the following:

“(f) Opt in requirement for certain information

“(1) Limitation. Notwithstanding subsection (b), a financial institution may not disclose usage data relating to a consumer to a nonaffiliated third party, unless—
“(A) such financial institution clearly and conspicuously requests authority from the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, to disclose such information to such third party; and
“(B) the consumer affirmatively authorizes such disclosure, in writing.

“(2) Definition. As used in this subsection, the term ‘usage data’ means any information relating to purchase history records or any listing of items and services purchased by the consumer to whom the information relates.”.
4. Chief Privacy Officer within the Office of Management and Budget

(a) Definitions. In this section—
(1) the term “agency” has the meaning given under section 551(1) of title 5, United States Code; and
(2) the term “system of records” has the meaning given under section 552a(5) of title 5, United States Code.

(b) Designation of Chief Privacy Officer. The President shall designate a senior officer within the Office of Management and Budget as the Chief Privacy Officer, who shall have primary responsibility for privacy policy throughout all agencies.

(c) Responsibilities. The Chief Privacy Officer shall—
(1) ensure that the technologies procured and use of technologies by agencies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personally identifiable information;
(2) ensure that agency officers have the authority to enforce rules and regulations relating to the collection, processing, and storage of personally identifiable information within, between, and among agencies;
(3) ensure that personally identifiable information contained in each system of records is handled in full compliance with fair information practices required under section 552a of title 5, United States Code (commonly referred to as the “Privacy Act”);
(4) evaluate legislative and regulatory proposals involving collection, use, and disclosure of personally identifiable information by agencies;
(5) exercise responsibility under the direction of the Director of the Office of Management and Budget with respect to privacy impact assessment rules, regulations, and oversight under section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note); and
(6) submit an annual report to the Congress containing an analysis of each agency of Federal activities that affect privacy, including complaints of privacy violations, implementation of section 552a of title 5, United States Code (commonly referred to as the “Privacy Act”), internal controls, and other matters.

(d) Agency reports to the Chief Privacy Officer. The head of each agency and the Chief Privacy Officer of each agency established under section 522 of the Consolidated Appropriations Act, 2005 (relating to Chief Privacy Officers) (5 U.S.C. 552a note; Public Law 108–447; 118 Stat. 3268) shall—
(1) provide to the Chief Privacy Officer established under this section such information as the Chief Privacy Officer considers necessary for the completion of the annual reports under subsection (c)(6); and
(2) submit annual reports to the Chief Privacy Officer established under this section that include—
(A) an assessment of agency policies and protocols relating to data security; and
(B) a description of the actions that are being taken to ensure protection against—
(i) threats and hazards to data security; and
(ii) unauthorized access or use of data.

(e) Notifications on breaches of personally identifiable information

(1) Notification to individual
(A) In general. If a system of records maintained by an agency is breached and data with personally identifiable information is accessed or disclosed without authorization as a result of that breach, the agency shall provide timely notification to each individual affected by that breach.
(B) Exception. An agency may delay notification under subparagraph (A) on the basis of national security.

(2) Notification to major credit reporting services
(A) In general. If an individual receives notification of a breach under paragraph (1), the individual may request the agency to provide notification of the breach to all major credit reporting services.
(B) Notification. Upon the receipt of a request under subparagraph (A), the agency shall provide notification of the breach to all major credit reporting services.

(3) No cost to individual. Notification under paragraph (1) or (2) shall be at no cost to any individual.
5. Rulemaking relating to disclosures

Section 504 of the Gramm-Leach-Bliley Act (15 U.S.C. 6804) is amended by adding at the end the following:

“(c) Disclosure regulations. The Federal Trade Commission and each of the Federal functional regulators shall, promptly upon the date of enactment of this subsection, issue final rules applicable to financial institutions subject to their authority to require standard, clear, easy to understand disclosures of what specific information could be shared under this title, the types of third parties with which such information could be shared, and when consumers are given opt out opportunities.”.
6. Annual disclosures to consumers

Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended by adding at the end the following:

“(c) Annual disclosures. In addition to the disclosures required under subsection (a), upon written request of a consumer, each financial institution shall provide free of charge to the consumer, up to once each year, a copy of all information maintained by the financial institution relating to the consumer, including any consolidated profile.”.
7. Automatic free annual credit reports

Section 612(a) of the Fair Credit Reporting Act (15 U.S.C. 1681j(a)) is amended by striking “period upon request of the consumer and” and inserting “period,”.
8. Notice of security breaches

(a) Notice to persons affected. Each Federal agency, and each business entity, whether a nonprofit or for profit concern, shall promptly notify each person who may be a victim of identity theft due to a security breach involving the agency or entity, including the theft or potential theft of, or other inappropriate access to, identifying information relating to that person that is collected or maintained by the agency or business entity.

(b) Notice to consumer reporting agencies. Each Federal agency and business entity described in subsection (a) shall promptly notify each consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) of a security breach described in subsection (a), including the names of all persons affected or potentially affected thereby.

(c) Regulations. The Federal Trade Commission shall issue regulations to carry out the provisions of this section.
9. Security freeze on credit reports

Section 605B of the Fair Credit Reporting Act (15 U.S.C. 1681c–2) is amended to read as follows:

“605B. Security freeze on release of information

“(a) In general

“(1) Consumer placement of a security freeze on individual credit files. A consumer may place a security freeze on his or her file by making a request to a consumer reporting agency in writing, by telephone, or through a secure electronic connection made available by the consumer reporting agency.

“(2) Consumer disclosure. If a consumer requests a security freeze under this section, the consumer reporting agency shall disclose to the consumer the process of placing and removing the security freeze and explain to the consumer the potential consequences of the security freeze. A consumer reporting agency may not imply or inform a consumer that the placement or presence of a security freeze on the file of the consumer may negatively affect the consumer's credit score.

“(b) Effect of security freeze

“(1) Release of information blocked. If a security freeze is in place on the file of a consumer, a consumer reporting agency may not release information relating to that file for consumer credit purposes to a third party without prior express authorization from the consumer.

“(2) Information provided to third parties. Paragraph (1) does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the file of a consumer. If a third party requests access to the file of a consumer on which a security freeze is in place in connection with an application for credit, the third party may treat the application as incomplete.

“(3) Consumer credit score not affected. The placement of a security freeze on a consumer file may not be taken into account for any purpose in determining the credit score of the consumer to whom the account relates.

“(c) Removal; temporary suspension

“(1) In general. Except as provided in paragraph (4), a security freeze under this section shall remain in place until the consumer requests that the security freeze be removed. A consumer may remove a security freeze on his or her credit file by making a request to a consumer reporting agency in writing, by telephone, or through a secure electronic connection made available by the consumer reporting agency.

“(2) Conditions. A consumer reporting agency may remove a security freeze placed on the file of a consumer only—
“(A) upon request of the consumer, pursuant to paragraph (1); or
“(B) if the agency determines that the credit file of the consumer was frozen due to a material misrepresentation of fact by the consumer.

“(3) Notification to consumer. If a consumer reporting agency intends to remove a security freeze on the file of a consumer pursuant to paragraph (2)(B), the consumer reporting agency shall notify the consumer in writing prior to removing the security freeze.

“(4) Temporary suspension. A consumer may have a security freeze on his or her credit file temporarily suspended by making a request to a consumer reporting agency in writing or by telephone and specifying beginning and ending dates for the period during which the security freeze is not to apply to that file.

“(d) Response times; notification of other entities

“(1) In general. A consumer reporting agency shall—
“(A) place a security freeze on the file of a consumer under subsection (a) not later than 5 business days after receiving a request from the consumer under subsection (a)(1); and
“(B) remove or temporarily suspend a security freeze not later than 3 business days after receiving a request for removal or temporary suspension from the consumer under subsection (c).

“(2) Notification to other agencies. If the consumer so requests in writing or by telephone, a consumer reporting agency shall notify all other consumer reporting agencies described in section 603(p)(1) not later than 3 days after placing, removing, or temporarily suspending a security freeze on the file of the consumer under subsection (a), (c)(2)(A), or (c)(4), respectively.

“(3) Implementation by other covered entities. A consumer reporting agency that is notified of a request under paragraph (2) to place, remove, or temporarily suspend a security freeze on the file of a consumer shall—
“(A) request proper identification from the consumer, in accordance with subsection (f), not later than 3 business days after receiving the notification; and
“(B) place, remove, or temporarily suspend the security freeze on that credit report not later than 3 business days after receiving proper identification.

“(e) Confirmation. Except as provided in subsection (c)(3), whenever a consumer reporting agency places, removes, or temporarily suspends a security freeze on the file of a consumer at the request of that consumer under subsection (a) or (c), respectively, it shall send a written confirmation thereof to the consumer not later than 10 business days after placing, removing, or temporarily suspending the security freeze on the file. This subsection does not apply to the placement, removal, or temporary suspension of a security freeze by a consumer reporting agency because of a notification received under subsection (d)(2).

“(f) Identification required. A consumer reporting agency may not place, remove, or temporarily suspend a security freeze on the file of a consumer or otherwise provide a credit report or score in accordance with this section at the request of the consumer, unless the consumer provides proper identification (within the meaning of section 610(a)(1) and the regulations thereunder).

“(g) Exceptions. This section does not apply to the use of a consumer credit report by any of the following:
“(1) A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument.
“(2) Any Federal, State, or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, subpoena, or other compulsory process.
“(3) A child support agency or its agents or assigns acting pursuant to subtitle D of title IV of the Social Security Act (42 U.S.C. et seq.) or similar State law.
“(4) The Department of Health and Human Services, a similar State agency, or the agents or assigns of the Federal or State agency acting to investigate Medicare or Medicaid fraud.
“(5) The Internal Revenue Service or a State or municipal taxing authority, or a State department of motor vehicles, or any of the agents or assigns of these Federal, State, or municipal agencies acting to investigate or collect delinquent taxes, or unpaid court orders, or to fulfill any of their other statutory responsibilities.
“(6) The use of consumer credit information for the purposes of prescreening as provided in this title.
“(7) Any person or entity administering a credit file monitoring subscription to which the consumer has subscribed.
“(8) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report or credit score, upon the request of the consumer and upon provision of appropriate identification in accordance with subsection (f).

“(h) Fees

“(1) In general. Except as provided in paragraph (2), a consumer reporting agency may charge a reasonable fee, as determined by the Commission by rule, promulgated in accordance with section 553 of title 5, United States Code, for placing, removing, or temporarily suspending a security freeze on the file of a consumer under this section.

“(2) Exception for identification theft victims. A consumer reporting agency may not charge a fee for placing, removing, or temporarily suspending a security freeze on the file of a consumer, if—
“(A) the consumer is a victim of identity theft;
“(B) the consumer requests the security freeze in writing;
“(C) the consumer has filed a police report with respect to the theft, or an identity theft report (as defined in section 603(q)(4)), not later than 90 days after the date on which the theft occurred or was discovered by the consumer;
“(D) the consumer provides a copy of the police report to the consumer reporting agency; and
“(E) the consumer—
“(i) has been notified by any entity that personally identifiable information handled by that entity has been compromised or breached; and
“(ii) notifies the consumer reporting agency of such compromise or breach.

“(i) Limitation on information changes in frozen files

“(1) In general. If a security freeze is in place on the file of a consumer, a consumer reporting agency may not change any of the following official information in that file without sending a written confirmation of the change to the consumer, not later than 30 days after the change is made:
“(A) Name.
“(B) Date of birth.
“(C) Social Security number.
“(D) Address.

“(2) Confirmation. Paragraph (1) does not require written confirmation for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.

“(j) Certain entity exemptions

“(1) Aggregators and other agencies. The provisions of subsections (a) through (i) do not apply to a consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the data base of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a permanent data base of credit information from which new consumer credit reports are produced.

“(2) Other exempted entities. The following entities are not required to place a security freeze on the file of a consumer under this section:
“(A) A check services or fraud prevention services company which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments.
“(B) A deposit account information service company which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.

“(k) State preemption. This section shall preempt any provision of State or local law, regulation, or rule that requires consumer reporting agencies to comply with the request of a consumer to place, remove, or temporarily suspend a prohibition on the release by a consumer reporting agency of information from its files on that consumer, but only if it is determined by the Commission that this section will provide materially stronger consumer protections than those afforded to consumers under otherwise applicable State or local law.”.
10. Safeguarding Americans from exporting identification data

(a) Definitions. As used in this section:

(1) Business enterprise. The term “business enterprise” means—
(A) any organization, association, or venture established to make a profit;
(B) any health care business;
(C) any private, nonprofit organization; or
(D) any contractor, subcontractor, or potential subcontractor of an entity described in subparagraph (A), (B), or (C).

(2) Health care business. The term “health care business” means any business enterprise or private, nonprofit organization that collects or retains personally identifiable information about consumers in relation to medical care, including—
(A) hospitals;
(B) health maintenance organizations;
(C) medical partnerships;
(D) emergency medical transportation companies;
(E) medical transcription companies;
(F) banks that collect or process medical billing information; and
(G) subcontractors, or potential subcontractors, of the entities described in subparagraphs (A) through (F).

(3) Personally identifiable information. The term “personally identifiable information” includes information such as—
(A) name;
(B) postal address;
(C) financial information;
(D) medical records;
(E) date of birth;
(F) phone number;
(G) e-mail address;
(H) social security number;
(I) mother's maiden name;
(J) password;
(K) State identification information; and
(L) driver's license number.

(b) Transmission of information

(1) Prohibition. A business enterprise may not disclose personally identifiable information regarding a resident of the United States to any foreign branch, affiliate, subcontractor, or unaffiliated third party located in a foreign country unless—
(A) the business enterprise provides the notice of privacy protections described in sections 502 and 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802 and 6803) or required by the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), as appropriate;
(B) the business enterprise complies with the safeguards described in section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), as appropriate;
(C) the consumer is given the opportunity, before the time that such information is initially disclosed, to object to the disclosure of such information to such foreign branch, affiliate, subcontractor, or unaffiliated third party; and
(D) the consumer is given an explanation of how the consumer can exercise the nondisclosure option described in subparagraph (C).

(2) Health care businesses. A health care business may not terminate an existing relationship with a consumer of health care services to prevent the consumer from objecting to the disclosure under paragraph (1)(C).

(3) Effect on business relationship
(A) Nondiscrimination. A business enterprise may not discriminate against or deny an otherwise qualified consumer a financial product or a health care service because the consumer has objected to the disclosure under paragraph (1)(C).
(B) Products and services. A business enterprise shall not be required to offer or provide a product or service through affiliated entities or jointly with nonaffiliated business enterprises.
(C) Incentives and discounts. Nothing in this subsection is intended to prohibit a business enterprise from offering incentives or discounts to elicit a specific response to the notice required under paragraph (1).

(4) Liability
(A) In general. A business enterprise that knowingly and directly transfers personally identifiable information to a foreign branch, affiliate, subcontractor, or unaffiliated third party shall be liable to any person suffering damages resulting from the improper storage, duplication, sharing, or other misuse of such information by the transferee.
(B) Civil action. An injured party under subparagraph (A) may sue in law or in equity in any court of competent jurisdiction to recover the damages sustained as a result of a violation of this subsection.

(5) Rulemaking. The Chairman of the Federal Trade Commission shall promulgate regulations through which the Chairman may enforce the provisions of this subsection and impose a civil penalty for a violation of this section.

(c) Privacy for consumers of health services. The Secretary of Health and Human Services shall revise the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note) to require a covered entity (as defined by such regulations) that outsources protected health information (as defined by such regulations) outside the United States to include in such entity’s notice of privacy protections—
(1) notification that the covered entity outsources protected health information to business associates (as defined by such regulations) for processing outside the United States;
(2) a description of the privacy laws of the country to which the protected health information will be sent;
(3) any additional risks and consequences to the privacy and security of protected health information that arise as a result of the processing of such information in a foreign country;
(4) additional measures the covered entity is taking to protect the protected health information outsourced for processing outside the United States;
(5) notification that the protected health information will not be outsourced outside the United States if the consumer objects; and
(6) a certification that—
(A) the covered entity has taken reasonable steps to identify the locations where protected health information is outsourced by such business associates;
(B) attests to the privacy and security of the protected health information outsourced for processing outside the United States; and
(C) states the reasons for the determination by the covered entity that the privacy and security of such information is maintained.

(d) Privacy for consumers of financial services. Section 503(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)) is amended—
(1) in paragraph (3), by striking “and” after the semicolon;
(2) in paragraph (4), by striking the period at the end and inserting “; and”; and
(3) by adding at the end the following:

“(5) if the financial institution outsources nonpublic personal information outside the United States—
“(A) information informing the consumer in simple language—
“(i) that the financial institution outsources nonpublic personal information to entities for processing outside the United States;
“(ii) of the privacy laws of the country to which nonpublic personal information will be sent;
“(iii) of any additional risks and consequences to the privacy and security of an individual’s nonpublic personal information that arise as a result of the processing of such information in a foreign country; and
“(iv) of the additional measures the financial institution is taking to protect the nonpublic personal information outsourced for processing outside the United States; and
“(B) a certification that—
“(i) the financial institution has taken reasonable steps to identify the locations where nonpublic personal information is outsourced by such entities;
“(ii) attests to the privacy and security of the nonpublic personal information outsourced for processing outside the United States; and
“(iii) states the reasons for the determination by the institution that the privacy and security of such information is maintained.”.

(e) Effective date. This section shall take effect on the expiration of the date which is 90 days after the date of enactment of this Act.
11. Telephone and communications records

(a) In general. Not later than 120 days after the date of enactment of this Act, the Federal Trade Commission, the Federal Communications Commission, and the Attorney General shall establish a Center for Telecommunications Records Privacy (referred to in this section as the “Center”), which shall consist of the appropriate designees of each agency and which shall be established by a memorandum of understanding among the agencies.

(b) Responsibilities. The Center shall—
(1) be charged with evaluating the current rules, regulations and law regarding the unauthorized disclosure, access, and sharing of telephone and telephony technology call records and identify gaps in coverage and enforcement regarding the unauthorized disclosure, sharing, or sale of telephone and communications records; and
(2) on an annual basis—
(A) provide an assessment of the frequency and scope of the unauthorized and criminal disclosure of telecommunications records and provide an evaluation of the effectiveness of enacted laws and regulations;
(B) identify new telecommunications technologies not covered by current law or regulation; and
(C) make recommendations to Congress regarding other legislative or regulatory steps that can be taken to address emerging issues.
					12.Federal Trade
			 Commission rules for data processors and rules for Federal agencies
			(a)In
			 generalThe Federal Trade Commission shall issue new rules for
			 Federal agencies responsible for working with data processors to ensure the
			 security and confidentiality of nonpublic personal information to—
				(1)protect against
			 any anticipated threats or hazards to the security or integrity of such
			 information;
				(2)protect against
			 unauthorized access to or use of such information which could result in
			 substantial harm or inconvenience to a customer or the relevant financial
			 institution; and
				(3)protect against
			 the illegal or unauthorized collection of personally identifiable information
			 by data processors.
				(b)DefinitionIn
			 this section, the term data processor means any entity the
			 business of which in whole or in part is the handling, processing, compilation,
			 exchange, transmittal, or other management or processing of the nonpublic
			 personal information of consumers by agreement on behalf of another
			 institution.
			(c)ReportEach
			 Federal agency covered by this section shall submit annual reports to the Chief
			 Privacy Officer established under section 4, which shall include an assessment
			 of agency policies and protocols dealing with data security and what steps are
			 being taken to ensure against threats and hazards to that security and
			 protecting against unauthorized access or use of data.
			13.Medical
			 records
			(a)Application of
			 penalties to certain employeesSection 1177 of the Social
			 Security Act (42 U.S.C. 1320d–6) is amended by adding at the end the
			 following:
				
					(c)Clarification
				of applicationThe provisions of subsection (a) shall apply to
				individuals who knowingly use, obtain, or disclose individually identifiable
				health information or a unique health identifier regardless of the manner in
				which such individuals obtain such information or the relation of the
				individual to the entity that maintains the information involved. The preceding
				sentence shall apply to individuals who illegally hack into computer systems to
				obtain
				data.
			(b)Expanding the
			 scope of the HIPAA privacy rule
				(1)In
			 generalThe Secretary of Health and Human Services shall modify
			 the regulations promulgated under section 264(c) of the Health Insurance
			 Portability and Accountability Act (42 U.S.C. 1320dd–2 note) to broaden the
			 scope of who is considered to be a covered entity to include those entities and
			 individuals that disclose health information to other entities in the course of
			 their commercial activities and not in relation to the provision of healthcare
			 services.
				(2)TimingThe
			 Secretary of Health and Human Services shall—
					(A)not later than 12
			 months after the date of enactment of this Act, promulgate a proposed rule for
			 the modifications described in paragraph (1); and
					(B)not later than 24
			 months after the date of enactment of this Act, promulgate a final rule for the
			 modifications described in paragraph (1).
					(3)Reinstatement
			 of certain consent provisionsNotwithstanding any other provision
			 of law, the provisions of section 164–506(b) of title 45, Code of Federal
			 Regulations, as in effect on April 14, 2001 and modified in 2002, relating to
			 the consent to use and disclose certain information for treatment, payment, or
			 health care operations, shall be deemed to be reinstated and implemented
			 accordingly.
				(c)Reporting
			 requirementsThe Secretary of Health and Human Services shall
			 develop a procedure for the reporting to the Secretary, by individuals or
			 entities receiving assistance from the Department of Health and Human Services,
			 of any unlawful disclosures of identifiable health information in violation of
			 section 1176 or 1177 of the Social Security Act (42 U.S.C. 12320d–5; 1320d–6)
			 or the regulations promulgated under section 264(c) of the Health Insurance
			 Portability and Accountability Act (42 U.S.C. 1320dd–2 note) by such
			 individuals or entities. In developing such procedure, the Secretary
			 shall—
				(1)take into
			 consideration the notification procedures used by other public or private
			 sector entities, including the TRICARE program; and
				(2)provide for the
			 appropriate notification, by individuals or entities receiving assistance from
			 the Department of Health and Human Services, to individuals whose identifiable
			 health information has been disclosed in violation of such section 1176 or 1177
			 or such regulations by such individuals or entities.
				(d)Investigation
			 of complaintsWith respect to a report of an unlawful disclosure
			 of health information under subsection (c), the Secretary of Health and Human
			 Services shall investigate such disclosure using the complaint process
			 contained in subpart C of part 160 of title 45, Code of Federal Regulations (as
			 in effect on the date of enactment of this Act), except that for purposes of
			 the review process contained in section 160.308 of such subpart, the Secretary
			 shall establish a schedule of routine compliance reviews of covered entities
			 (as such term is used for purposes of such section).