

	

		II

		109th CONGRESS

		1st Session

		S. 500

		IN THE SENATE OF THE UNITED STATES

		

			March 3, 2005

			Mr. Nelson of Florida introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

		

		A BILL

		To regulate information brokers and protect individual rights with respect to personally identifiable information.

	

	

		1. Short title. This Act may be cited as the Information Protection and Security Act.

		2. Congressional findings; purpose

			(a) Findings. Congress finds the following:

				(1) Entities commonly known as information brokers have created up to several billion personal records on individuals.

				(2) Information made available by information brokers is used in the determination of opportunities for credit, employment, housing, insurance, means of travel, and other commercial decisions, and must therefore be as accurate, transparent to the individual, and secure as possible. Inaccurate information pertaining to an individual that is made available by an information broker may significantly interfere with the individual’s economic opportunities. For these reasons, there is a vital need to ensure that information brokers exercise their important responsibilities with fairness, impartiality, accuracy, and respect for individuals’ rights to privacy and security, and that information brokers properly safeguard individuals’ personally identifiable information.

				(3) In 2004, an identity theft operation improperly gained access to hundreds of thousands of individual profiles maintained by one large information broker. Many of these individuals have and will become victims of identity theft. The full extent of this incident will not be known for years.

				(4) Identity thieves illegally exploit information technology to take advantage of innocent individuals. Identity thieves typically steal individuals’ names, addresses, telephone numbers, social security numbers, bank account information, and personal financial and medical data. Due to identity thieves misusing this personal information, some individuals are denied jobs, faced with debts that are not their own, and arrested for crimes they did not commit.

				(5) According to the Federal Trade Commission, 10,000,000 Americans were affected by identity theft in 2004, and the problem is growing worse. Identity theft is now the most common fraud perpetrated on individuals. In 2004, identity theft accounted for 39 percent of consumer fraud complaints filed with the Federal Trade Commission.

				(6) According to a survey cited by the Federal Trade Commission, identity theft cost the United States $52,600,000,000 in 2004. Both individuals and businesses bear this heavy financial burden.

				(7) The increasing power of computers and information technology has greatly magnified the risk to individual privacy that can occur from any collection, maintenance, use, or dissemination of personally identifiable information, as well as the number of individuals who can be harmed.

				(8) There is a clear difference between a compilation of personally identifiable information and the compilation’s component parts. Even for information contained in public records, items of data that appear in widely scattered sources are different from the collection and assembly of that information into databases, reports, or profiles. The interest in maintaining the privacy and security of such databases has always been, and will continue to be, very high.

				(9) In order to protect the privacy and security of individuals whose personally identifiable information resides in systems maintained by information brokers, it is necessary and proper for Congress to regulate the collection, maintenance, use, and dissemination of such information by information brokers by adopting a framework of fair information principles. It is the policy of Congress that information brokers have an affirmative and continuing obligation to protect the privacy and security of an individual’s personally identifiable information.

			(b) Purposes. The purposes of this Act are—

				(1) to regulate the narrow category of business entities commonly known as information brokers, but not to extend the regulations to businesses other than information broker businesses, or to weaken or alter the protections provided by other applicable laws;

				(2) to protect individual rights in relation to information brokers; and

				(3) to ensure that information brokers compete fairly in the processing and sale of personally identifiable information.

		3. Regulation by Federal Trade Commission

			(a) Regulations

				(1) In general. Not later than 6 months after the date of enactment of this Act, the Federal Trade Commission (in this Act referred to as the Commission) shall promulgate regulations with respect to the conduct of information brokers and the protection of personally identifiable information held by such brokers.

				(2) Content of regulations. The regulations promulgated under paragraph (1) shall include rules—

					(A) requiring that procedures for the collection and maintenance of data guarantee maximum possible accuracy of personally identifiable information held by any information broker;

					(B) allowing an individual the right to obtain disclosure of all personally identifiable information pertaining to the individual held by an information broker, and to be informed of the identity of each entity that procured any personally identifiable information from the broker;

					(C) allowing individuals the right to request and receive prompt correction of errors in personally identifiable information held by information brokers;

					(D) requiring information brokers to safeguard and protect the confidentiality of personally identifiable information, appropriate to the nature and type of information involved;

					(E) requiring information brokers to authenticate users before allowing access to personally identifiable information, and requiring that each use of personal information is employed only for a lawful purpose;

					(F) requiring procedures to be established to prevent and detect fraudulent, unlawful, or unauthorized access, use, or disclosure of personally identifiable information held by an information broker, and to mitigate any potential harm to individuals from threats to the privacy or security of such information;

					(G) requiring information brokers to establish and maintain procedures that track users’ access to personally identifiable information held by the broker, and the lawful purpose for which each access was made; and

					(H) prohibiting information brokers from engaging in activities that fail to comply with the Commission’s regulations.

			(b) Definitions. In this section:

				(1) Information broker

					(A) In general. The term information broker means a commercial entity whose business is to collect, assemble, or maintain personally identifiable information for the sale or transmission of such information or the provision of access to such information to any third party, whether such collection, assembly, or maintenance of personally identifiable information is performed by the information broker directly, or by contract or subcontract with any other entity.

					(B) Exemptions. The Commission, in promulgating regulations under subsection (a), may exempt any commercial entity from such regulations, in whole or in part, if the Commission determines that granting such an exemption is in the public interest, consistent with the purposes of this Act, and if the entity’s collection, assembly, and maintenance of personally identifiable information is only incidental to the entity’s primary business.

				(2) Personally identifiable information. The term personally identifiable information means any personal information, as determined by the Commission, which may be used to identify a person or cause harm to such person.

		4. Enforcement

			(a) Enforcement by Federal Trade Commission

				(1) Unfair or deceptive acts or practices. A violation of a regulation promulgated under section 2 shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

				(2) Powers of Commission. The Commission shall enforce the regulations promulgated under section 2 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act. Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.

			(b) Actions by States

				(1) Civil actions. In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates any regulation of the Commission promulgated under section 2, the State may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to—

					(A) enjoin that act or practice;

					(B) enforce compliance with the regulation;

					(C) obtain damages, restitution, or other compensation on behalf of residents of the State; or

					(D) obtain such other legal and equitable relief as the court may consider to be appropriate.

				(2) Notice. Before filing an action under this subsection, the attorney general of the State involved shall provide to the Commission and to the Attorney General a written notice of that action and a copy of the complaint for that action. If the State attorney general determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action, the State attorney general shall provide the written notice and the copy of the complaint to the Commission and to the Attorney General as soon after the filing of the complaint as practicable.

				(3) Commission and Attorney General authority. On receiving notice under paragraph (2), the Commission and the Attorney General each shall have the right—

					(A) to move to stay the action, pending the final disposition of a pending Federal matter as described in paragraph (4);

					(B) to intervene in an action under paragraph (1); and

					(C) to file petitions for appeal.

				(4) Pending criminal proceedings. If the Attorney General has instituted a criminal proceeding or the Commission has instituted a civil action for a violation of this Act or any regulations thereunder, no State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in the criminal proceeding or civil action for any violation that is alleged in that proceeding or action.

				(5) Rule of construction. For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence.

			(c) Private right of action

				(1) In general. Any individual injured by an act in violation of the regulations promulgated under section 2, if otherwise permitted by the laws or rules of the court of a State, bring in an appropriate court of that State—

					(A) an action to enjoin such violation;

					(B) an action to recover for actual monetary loss from such a violation, or to receive up to $1000 in damages for each such violation, whichever is greater; or

					(C) both such actions.

				(2) Limitation. An action may be commenced under this subsection within 2 years after the date on which the alleged violation occurred, except that where a defendant has materially and willfully misrepresented or disclosed any information under this Act or the regulations promulgated pursuant to this Act and the information so misrepresented or disclosed is material to the establishment of the defendant’s liability under this Act or such regulations, the action may be brought by the individual under paragraph (1) at any time within 3 years after discovery by the individual of the misrepresentation or disclosure.

				(3) Nonexclusive remedy. The remedy provided under this subsection shall be in addition to any other remedies available to the individual.

		5. Relation to other laws

			(a) Fair Credit Reporting Act. Nothing in this Act or the regulations promulgated under this Act shall be construed to modify, limit or supersede the operation of the Fair Credit Reporting Act. A person or entity subject to the Fair Credit Reporting Act shall comply with that Act as well as with this Act and the regulations promulgated under this Act. To the extent that there is any conflict between the Fair Credit Reporting Act and this Act or such regulations, the Act that affords an individual greater protection shall apply. Multiple requirements with respect to the same information, transaction, or individual shall not be considered a conflict.

			(b) State laws. This Act and the regulations promulgated under this Act shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this Act or the regulations promulgated under this Act, and then only to the extent of the inconsistency. For purposes of this section, a State statute, regulation, order, or interpretation shall not be considered inconsistent with the provisions of this Act or the regulations promulgated under this Act if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection under this Act or the regulations promulgated under this Act.

		6. Report. Not later than 12 months after the issuance of the regulations required by section 2, the Commission shall transmit to Congress a report on the information brokerage industry and its impact on the privacy of personally identifiable information. Such report shall describe the regulations promulgated pursuant to this Act, compliance with such regulations by the information brokerage industry, and any recommendations by the Commission for additional measures (including any necessary legislation) to ensure the privacy of personally identifiable information.

		

