[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 500 Introduced in Senate (IS)]







109th CONGRESS
  1st Session
                                 S. 500

  To regulate information brokers and protect individual rights with 
            respect to personally identifiable information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 3, 2005

  Mr. Nelson of Florida introduced the following bill; which was read 
     twice and referred to the Committee on Commerce, Science, and 
                             Transportation

_______________________________________________________________________

                                 A BILL


 
  To regulate information brokers and protect individual rights with 
            respect to personally identifiable information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Information Protection and Security 
Act''.

SEC. 2. CONGRESSIONAL FINDINGS; PURPOSE.

    (a) Findings.--Congress finds the following:
            (1) Entities commonly known as ``information brokers'' have 
        created up to several billion personal records on individuals.
            (2) Information made available by information brokers is 
        used in the determination of opportunities for credit, 
        employment, housing, insurance, means of travel, and other 
        commercial decisions, and must therefore be as accurate, 
        transparent to the individual, and secure as possible. 
        Inaccurate information pertaining to an individual that is made 
        available by an information broker may significantly interfere 
        with the individual's economic opportunities. For these 
        reasons, there is a vital need to ensure that information 
        brokers exercise their important responsibilities with 
        fairness, impartiality, accuracy, and respect for individuals' 
        rights to privacy and security, and that information brokers 
        properly safeguard individuals' personally identifiable 
        information.
            (3) In 2004, an identity theft operation improperly gained 
        access to hundreds of thousands of individual profiles 
        maintained by one large information broker. Many of these 
        individuals have and will become victims of identity theft. The 
        full extent of this incident will not be known for years.
            (4) Identity thieves illegally exploit information 
        technology to take advantage of innocent individuals. Identity 
        thieves typically steal individuals' names, addresses, 
        telephone numbers, social security numbers, bank account 
        information, and personal financial and medical data. Due to 
        identity thieves misusing this personal information, some 
        individuals are denied jobs, faced with debts that are not 
        their own, and arrested for crimes they did not commit.
            (5) According to the Federal Trade Commission, 10,000,000 
        Americans were affected by identity theft in 2004, and the 
        problem is growing worse. Identity theft is now the most common 
        fraud perpetrated on individuals. In 2004, identity theft 
        accounted for 39 percent of consumer fraud complaints filed 
        with the Federal Trade Commission.
            (6) According to a survey cited by the Federal Trade 
        Commission, identity theft cost the United States 
        $52,600,000,000 in 2004. Both individuals and businesses bear 
        this heavy financial burden.
            (7) The increasing power of computers and information 
        technology has greatly magnified the risk to individual privacy 
        that can occur from any collection, maintenance, use, or 
        dissemination of personally identifiable information, as well 
        as the number of individuals who can be harmed.
            (8) There is a clear difference between a compilation of 
        personally identifiable information and the compilation's 
        component parts. Even for information contained in public 
        records, items of data that appear in widely scattered sources 
        are different from the collection and assembly of that 
        information into databases, reports, or profiles. The interest 
        in maintaining the privacy and security of such databases has 
        always been, and will continue to be, very high.
            (9) In order to protect the privacy and security of 
        individuals whose personally identifiable information resides 
        in systems maintained by information brokers, it is necessary 
        and proper for Congress to regulate the collection, 
        maintenance, use, and dissemination of such information by 
        information brokers by adopting a framework of fair information 
        principles. It is the policy of Congress that information 
        brokers have an affirmative and continuing obligation to 
        protect the privacy and security of an individual's personally 
        identifiable information.
    (b) Purposes.--The purposes of this Act are--
            (1) to regulate the narrow category of business entities 
        commonly known as ``information brokers'', but not to extend 
        the regulations to businesses other than information broker 
        businesses, or to weaken or alter the protections provided by 
        other applicable laws;
            (2) to protect individual rights in relation to information 
        brokers; and
            (3) to ensure that information brokers compete fairly in 
        the processing and sale of personally identifiable information.

SEC. 3. REGULATION BY FEDERAL TRADE COMMISSION.

    (a) Regulations.--
            (1) In general.--Not later than 6 months after the date of 
        enactment of this Act, the Federal Trade Commission (in this 
        Act referred to as ``the Commission'') shall promulgate 
        regulations with respect to the conduct of information brokers 
        and the protection of personally identifiable information held 
        by such brokers.
            (2) Content of regulations.--The regulations promulgated 
        under paragraph (1) shall include rules--
                    (A) requiring that procedures for the collection 
                and maintenance of data guarantee maximum possible 
                accuracy of personally identifiable information held by 
                any information broker;
                    (B) allowing an individual the right to obtain 
                disclosure of all personally identifiable information 
                pertaining to the individual held by an information 
                broker, and to be informed of the identity of each 
                entity that procured any personally identifiable 
                information from the broker;
                    (C) allowing individuals the right to request and 
                receive prompt correction of errors in personally 
                identifiable information held by information brokers;
                    (D) requiring information brokers to safeguard and 
                protect the confidentiality of personally identifiable 
                information, appropriate to the nature and type of 
                information involved;
                    (E) requiring information brokers to authenticate 
                users before allowing access to personally identifiable 
                information, and requiring that each use of personal 
                information is employed only for a lawful purpose;
                    (F) requiring procedures to be established to 
                prevent and detect fraudulent, unlawful, or 
                unauthorized access, use, or disclosure of personally 
                identifiable information held by an information broker, 
                and to mitigate any potential harm to individuals from 
                threats to the privacy or security of such information;
                    (G) requiring information brokers to establish and 
                maintain procedures that track users' access to 
                personally identifiable information held by the broker, 
                and the lawful purpose for which each access was made; 
                and
                    (H) prohibiting information brokers from engaging 
                in activities that fail to comply with the Commission's 
                regulations.
    (b) Definitions.--In this section:
            (1) Information broker.--
                    (A) In general.--The term ``information broker'' 
                means a commercial entity whose business is to collect, 
                assemble, or maintain personally identifiable 
                information for the sale or transmission of such 
                information or the provision of access to such 
                information to any third party, whether such 
                collection, assembly, or maintenance of personally 
                identifiable information is performed by the 
                information broker directly, or by contract or 
                subcontract with any other entity.
                    (B) Exemptions.--The Commission, in promulgating 
                regulations under subsection (a), may exempt any 
                commercial entity from such regulations, in whole or in 
                part, if the Commission determines that granting such 
                an exemption is in the public interest, consistent with 
                the purposes of this Act, and if the entity's 
                collection, assembly, and maintenance of personally 
                identifiable information is only incidental to the 
                entity's primary business.
            (2) Personally identifiable information.--The term 
        ``personally identifiable information'' means any personal 
        information, as determined by the Commission, which may be used 
        to identify a person or cause harm to such person.

SEC. 4. ENFORCEMENT.

    (a) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        a regulation promulgated under section 2 shall be treated as a 
        violation of a regulation under section 18(a)(1)(B) of the 
        Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding 
        unfair or deceptive acts or practices.
            (2) Powers of commission.--The Commission shall enforce the 
        regulations promulgated under section 2 in the same manner, by 
        the same means, and with the same jurisdiction, powers, and 
        duties as though all applicable terms and provisions of the 
        Federal Trade Commission Act (15 U.S.C. 41 et seq.) were 
        incorporated into and made a part of this Act. Any person who 
        violates such regulations shall be subject to the penalties and 
        entitled to the privileges and immunities provided in that Act. 
        Nothing in this Act shall be construed to limit the authority 
        of the Commission under any other provision of law.
    (b) Actions by States.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by an act or practice that violates any 
        regulation of the Commission promulgated under section 2, the 
        State may bring a civil action on behalf of the residents of 
        the State in a district court of the United States of 
        appropriate jurisdiction, or any other court of competent 
        jurisdiction, to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with the regulation;
                    (C) obtain damages, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other legal and equitable relief as 
                the court may consider to be appropriate.
            (2) Notice.--Before filing an action under this subsection, 
        the attorney general of the State involved shall provide to the 
        Commission and to the Attorney General a written notice of that 
        action and a copy of the complaint for that action. If the 
        State attorney general determines that it is not feasible to 
        provide the notice described in this subparagraph before the 
        filing of the action, the State attorney general shall provide 
        the written notice and the copy of the complaint to the 
        Commission and to the Attorney General as soon after the filing 
        of the complaint as practicable.
            (3) Commission and attorney general authority.--On 
        receiving notice under paragraph (2), the Commission and the 
        Attorney General each shall have the right--
                    (A) to move to stay the action, pending the final 
                disposition of a pending Federal matter as described in 
                paragraph (4);
                    (B) to intervene in an action under paragraph (1); 
                and
                    (C) to file petitions for appeal.
            (4) Pending criminal proceedings.--If the Attorney General 
        has instituted a criminal proceeding or the Commission has 
        instituted a civil action for a violation of this Act or any 
        regulations thereunder, no State may, during the pendency of 
        such proceeding or action, bring an action under this 
        subsection against any defendant named in the criminal 
        proceeding or civil action for any violation that is alleged in 
        that proceeding or action.
            (5) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1), nothing in this Act shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to conduct investigations, administer oaths 
        and affirmations, or compel the attendance of witnesses or the 
        production of documentary and other evidence.
    (c) Private Right of Action.--
            (1) In general.--Any individual injured by an act in 
        violation of the regulations promulgated under section 2, if 
        otherwise permitted by the laws or rules of the court of a 
        State, bring in an appropriate court of that State--
                    (A) an action to enjoin such violation;
                    (B) an action to recover for actual monetary loss 
                from such a violation, or to receive up to $1000 in 
                damages for each such violation, whichever is greater; 
                or
                    (C) both such actions.
            (2) Limitation.--An action may be commenced under this 
        subsection within 2 years after the date on which the alleged 
        violation occurred, except that where a defendant has 
        materially and willfully misrepresented or disclosed any 
        information under this Act or the regulations promulgated 
        pursuant to this Act and the information so misrepresented or 
        disclosed is material to the establishment of the defendant's 
        liability under this Act or such regulations, the action may be 
        brought by the individual under paragraph (1) at any time 
        within 3 years after discovery by the individual of the 
        misrepresentation or disclosure.
            (3) Nonexclusive remedy.--The remedy provided under this 
        subsection shall be in addition to any other remedies available 
        to the individual.

SEC. 5. RELATION TO OTHER LAWS.

    (a) Fair Credit Reporting Act.--Nothing in this Act or the 
regulations promulgated under this Act shall be construed to modify, 
limit or supersede the operation of the Fair Credit Reporting Act. A 
person or entity subject to the Fair Credit Reporting Act shall comply 
with that Act as well as with this Act and the regulations promulgated 
under this Act. To the extent that there is any conflict between the 
Fair Credit Reporting Act and this Act or such regulations, the Act 
that affords an individual greater protection shall apply. Multiple 
requirements with respect to the same information, transaction, or 
individual shall not be considered a conflict.
    (b) State Laws.--This Act and the regulations promulgated under 
this Act shall not be construed as superseding, altering, or affecting 
any statute, regulation, order, or interpretation in effect in any 
State, except to the extent that such statute, regulation, order, or 
interpretation is inconsistent with the provisions of this Act or the 
regulations promulgated under this Act, and then only to the extent of 
the inconsistency. For purposes of this section, a State statute, 
regulation, order, or interpretation shall not be considered 
inconsistent with the provisions of this Act or the regulations 
promulgated under this Act if the protection such statute, regulation, 
order, or interpretation affords any person is greater than the 
protection under this Act or the regulations promulgated under this 
Act.

SEC. 6. REPORT.

    Not later than 12 months after the issuance of the regulations 
required by section 2, the Commission shall transmit to Congress a 
report on the information brokerage industry and its impact on the 
privacy of personally identifiable information. Such report shall 
describe the regulations promulgated pursuant to this Act, compliance 
with such regulations by the information brokerage industry, and any 
recommendations by the Commission for additional measures (including 
any necessary legislation) to ensure the privacy of personally 
identifiable information.