[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 751 Introduced in Senate (IS)]

109th CONGRESS
  1st Session
                                 S. 751

    To require Federal agencies, and persons engaged in interstate 
  commerce, in possession of data containing personal information, to 
       disclose any unauthorized acquisition of such information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 11, 2005

Mrs. Feinstein introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
    To require Federal agencies, and persons engaged in interstate 
  commerce, in possession of data containing personal information, to 
       disclose any unauthorized acquisition of such information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Notification of Risk to Personal 
Data Act''.

SEC. 2. DEFINITIONS.

    In this Act, the following definitions shall apply:
            (1) Agency.--The term ``agency'' has the same meaning given 
        such term in section 551(1) of title 5, United States Code.
            (2) Breach of security of the system.--The term ``breach of 
        security of the system''--
                    (A) means the compromise of the security, 
                confidentiality, or integrity of data that results in, 
                or there is a reasonable basis to conclude has resulted 
                in, the unauthorized acquisition of personal 
                information maintained by the person or business; and
                    (B) does not include good faith acquisition of 
                personal information by an employee or agent of the 
                person or business for the purposes of the person or 
                business, if the personal information is not used or 
                subject to further unauthorized disclosure.
            (3) Person.--The term ``person'' has the same meaning given 
        such term in section 551(2) of title 5, United States Code.
            (4) Personal information.--The term ``personal 
        information'' means an individual's last name in combination 
        with any 1 or more of the following data elements:
                    (A) Social security number.
                    (B) Driver's license number or State identification 
                number.
                    (C) Account number or credit or debit card number, 
                or, if a security code, access code, or password is 
                required for access to an individual's account, the 
                account number or credit or debit card number, in 
                combination with the required code or password.
            (5) Substitute notice.--The term ``substitute notice'' 
        means--
                    (A) conspicuous posting of the notice on the 
                Internet site of the agency or person, if the agency or 
                person maintains a public Internet site; and
                    (B) notification to major print and broadcast 
                media, including major media in metropolitan and rural 
                areas where the individual whose personal information 
                was, or is reasonably believed to have been, acquired 
                resides. The notice to media shall include a toll-free 
                phone number where an individual can learn whether or 
                not that individual's personal data is included in the 
                security breach.

SEC. 3. DATABASE SECURITY.

    (a) Disclosure of Security Breach.--
            (1) In general.--Any agency, or person engaged in 
        interstate commerce, that owns, licenses, or collects data, 
        whether or not held in electronic form, containing personal 
        information shall, following the discovery of a breach of 
        security of the system maintained by the agency or person that 
        contains such data, or upon receipt of notice under paragraph 
        (2), notify any individual of the United States whose personal 
        information was, or is reasonably believed to have been, 
        acquired by an unauthorized person.
            (2) Notification of owner or licensee.--Any agency, or 
        person engaged in interstate commerce, in possession of data, 
        whether or not held in electronic form, containing personal 
        information that the agency does not own or license shall 
        notify the owner or licensee of the information if the personal 
        information was, or is reasonably believed to have been, 
        acquired by an unauthorized person through a breach of security 
        of the system containing such data.
            (3) Timeliness of notification.--
                    (A) In general.--All notifications required under 
                paragraph (1) or (2) shall be made without unreasonable 
                delay following--
                            (i) the discovery by the agency or person 
                        of a breach of security of the system;
                            (ii) any measures necessary to determine 
                        the scope of the breach, prevent further 
                        disclosures, and restore the reasonable 
                        integrity of the data system; and
                            (iii) receipt of written notice that a law 
                        enforcement agency has determined that the 
                        notification will no longer seriously impede 
                        its investigation, where notification is 
                        delayed as provided in paragraph (4).
                    (B) Burden of proof.--The agency or person required 
                to provide notification under this subsection shall 
                have the burden of demonstrating that all notifications 
                were made as required under this paragraph, including 
                evidence demonstrating the necessity of any delay.
            (4) Delay of notification authorized for law enforcement 
        purposes.--If a law enforcement agency determines that the 
        notification required under this subsection would seriously 
        impede a criminal investigation, such notification may be 
        delayed upon the written request of the law enforcement agency.
            (5) Exception for national security and law enforcement.--
                    (A) In general.--This subsection shall not apply to 
                an agency if the head of the agency certifies, in 
                writing, that notification of the breach as required by 
                this subsection reasonably could be expected to--
                            (i) cause damage to the national security; 
                        and
                            (ii) hinder a law enforcement investigation 
                        or the ability of the agency to conduct law 
                        enforcement investigations.
                    (B) Limits on certifications.--The head of an 
                agency may not execute a certification under 
                subparagraph (A) to--
                            (i) conceal violations of law, 
                        inefficiency, or administrative error;
                            (ii) prevent embarrassment to a person, 
                        organization, or agency; or
                            (iii) restrain competition.
                    (C) Notice.--In every case in which a head of an 
                agency issues a certification under subparagraph (A), a 
                copy of the certification, accompanied by a concise 
                description of the factual basis for the certification, 
                shall be immediately provided to the Congress.
            (6) Methods of notice.--An agency, or person engaged in 
        interstate commerce, shall be in compliance with this 
        subsection if it provides the individual with--
                    (A) written notification;
                    (B) e-mail notice, if the individual has consented 
                to receive such notice and the notice is consistent 
                with the provisions permitting electronic transmission 
                of notices under section 101 of the Electronic 
                Signatures in Global and National Commerce Act (15 
                U.S.C. 7001); or
                    (C) substitute notice, if--
                            (i) the agency or person demonstrates that 
                        the cost of providing direct notice would 
                        exceed $500,000;
                            (ii) the number of individuals to be 
                        notified exceeds 500,000; or
                            (iii) the agency or person does not have 
                        sufficient contact information for those to be 
                        notified.
            (7) Content of notification.--Regardless of the method by 
        which notice is provided to individuals under paragraphs (1) 
        and (2), such notice shall include--
                    (A) to the extent possible, a description of the 
                categories of information that was, or is reasonably 
                believed to have been, acquired by an unauthorized 
                person, including social security numbers, driver's 
                license or State identification numbers and financial 
                data;
                    (B) a toll-free number--
                            (i) that the individual may use to contact 
                        the agency or person, or the agent of the 
                        agency or person; and
                            (ii) from which the individual may learn--
                                    (I) what types of information the 
                                agency or person maintained about that 
                                individual or about individuals in 
                                general; and
                                    (II) whether or not the agency or 
                                person maintained information about 
                                that individual; and
                    (C) the toll-free contact telephone numbers and 
                addresses for the major credit reporting agencies.
            (8) Coordination of notification with credit reporting 
        agencies.--If an agency or person is required to provide 
        notification to more than 1,000 individuals under this 
        subsection, the agency or person shall also notify, without 
        unreasonable delay, all consumer reporting agencies that 
        compile and maintain files on consumers on a nationwide basis 
        (as defined in section 603(p) of the Fair Credit Reporting Act 
        (15 U.S.C. 1681a(p)) of the timing and distribution of the 
        notices.
    (b) Civil Remedies.--
            (1) Penalties.--Any agency, or person engaged in interstate 
        commerce, that violates subsection (a) shall be subject to a 
        fine of--
                    (A) not more than $1,000 per individual whose 
                personal information was, or is reasonably believed to 
                have been, acquired by an unauthorized person; or
                    (B) not more than $50,000 per day while the failure 
                to give notice under subsection (a) persists.
            (2) Equitable relief.--Any agency or person that violates, 
        proposes to violate, or has violated this section may be 
        enjoined from further violations by a court of competent 
        jurisdiction.
            (3) Other rights and remedies.--The rights and remedies 
        available under this subsection are cumulative and shall not 
        affect any other rights and remedies available under law.
    (c) Enforcement.--The Federal Trade Commission or other appropriate 
regulator is authorized to enforce compliance with this section, 
including the assessment of fines under subsection (b)(1).
    (d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting 
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence 
that the consumer has received notice that the consumer's personal 
financial information has or may have been compromised,'' after 
``identity theft report''.

SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that is prohibited under this Act, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a district court of the United States 
        of appropriate jurisdiction or any other court of competent 
        jurisdiction, including a State court, to--
                    (A) enjoin that practice;
                    (B) enforce compliance with this Act;
                    (C) obtain damages, restitution, or other 
                compensation on behalf of residents of the State; or
                    (D) obtain such other relief as the court may 
                consider to be appropriate.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this Act shall be construed to prevent an 
attorney general of a State from exercising the powers conferred on 
such attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (c) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 5. EFFECT ON STATE LAW.

    The provisions of this Act shall supersede any inconsistent 
provisions of law of any State or unit of local government with respect 
to the conduct required by the specific provisions of this Act.

SEC. 6. EFFECTIVE DATE.

    This Act shall take effect on the expiration of the date which is 6 
months after the date of enactment of this Act.