
	
II

109th CONGRESS
1st Session

S. 751

IN THE SENATE OF THE UNITED STATES

April 11, 2005

Mrs. Feinstein introduced the following bill; which was read twice and referred to the Committee on the Judiciary

A BILL

To require Federal agencies, and persons engaged in interstate commerce, in possession of data containing personal information, to disclose any unauthorized acquisition of such information.

1. Short title

This Act may be cited as the “Notification of Risk to Personal Data Act”.

2. Definitions

In this Act, the following definitions shall apply:

(1) Agency
    The term “agency” has the same meaning given such term in section 551(1) of title 5, United States Code.

(2) Breach of security of the system
    The term “breach of security of the system”—
    (A) means the compromise of the security, confidentiality, or integrity of data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of personal information maintained by the person or business; and
    (B) does not include good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business, if the personal information is not used or subject to further unauthorized disclosure.

(3) Person
    The term “person” has the same meaning given such term in section 551(2) of title 5, United States Code.

(4) Personal information
    The term “personal information” means an individual’s last name in combination with any 1 or more of the following data elements:
    (A) Social security number.
    (B) Driver’s license number or State identification number.
    (C) Account number or credit or debit card number, or, if a security code, access code, or password is required for access to an individual’s account, the account number or credit or debit card number, in combination with the required code or password.

(5) Substitute notice
    The term “substitute notice” means—
    (A) conspicuous posting of the notice on the Internet site of the agency or person, if the agency or person maintains a public Internet site; and
    (B) notification to major print and broadcast media, including major media in metropolitan and rural areas where the individual whose personal information was, or is reasonably believed to have been, acquired resides. The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual’s personal data is included in the security breach.

3. Database security

(a) Disclosure of security breach
    (1) In general
        Any agency, or person engaged in interstate commerce, that owns, licenses, or collects data, whether or not held in electronic form, containing personal information shall, following the discovery of a breach of security of the system maintained by the agency or person that contains such data, or upon receipt of notice under paragraph (2), notify any individual of the United States whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
    (2) Notification of owner or licensee
        Any agency, or person engaged in interstate commerce, in possession of data, whether or not held in electronic form, containing personal information that the agency does not own or license shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data.
    (3) Timeliness of notification
        (A) In general
            All notifications required under paragraph (1) or (2) shall be made without unreasonable delay following—
            (i) the discovery by the agency or person of a breach of security of the system;
            (ii) any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system; and
            (iii) receipt of written notice that a law enforcement agency has determined that the notification will no longer seriously impede its investigation, where notification is delayed as provided in paragraph (4).
        (B) Burden of proof
            The agency or person required to provide notification under this subsection shall have the burden of demonstrating that all notifications were made as required under this paragraph, including evidence demonstrating the necessity of any delay.
    (4) Delay of notification authorized for law enforcement purposes
        If a law enforcement agency determines that the notification required under this subsection would seriously impede a criminal investigation, such notification may be delayed upon the written request of the law enforcement agency.
    (5) Exception for national security and law enforcement
        (A) In general
            This subsection shall not apply to an agency if the head of the agency certifies, in writing, that notification of the breach as required by this subsection reasonably could be expected to—
            (i) cause damage to the national security; and
            (ii) hinder a law enforcement investigation or the ability of the agency to conduct law enforcement investigations.
        (B) Limits on certifications
            The head of an agency may not execute a certification under subparagraph (A) to—
            (i) conceal violations of law, inefficiency, or administrative error;
            (ii) prevent embarrassment to a person, organization, or agency; or
            (iii) restrain competition.
        (C) Notice
            In every case in which a head of an agency issues a certification under subparagraph (A), a copy of the certification, accompanied by a concise description of the factual basis for the certification, shall be immediately provided to the Congress.
    (6) Methods of notice
        An agency, or person engaged in interstate commerce, shall be in compliance with this subsection if it provides the individual with—
        (A) written notification;
        (B) e-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001); or
        (C) substitute notice, if—
            (i) the agency or person demonstrates that the cost of providing direct notice would exceed $500,000;
            (ii) the number of individuals to be notified exceeds 500,000; or
            (iii) the agency or person does not have sufficient contact information for those to be notified.
    (7) Content of notification
        Regardless of the method by which notice is provided to individuals under paragraphs (1) and (2), such notice shall include—
        (A) to the extent possible, a description of the categories of information that was, or is reasonably believed to have been, acquired by an unauthorized person, including social security numbers, driver’s license or State identification numbers and financial data;
        (B) a toll-free number—
            (i) that the individual may use to contact the agency or person, or the agent of the agency or person; and
            (ii) from which the individual may learn—
                (I) what types of information the agency or person maintained about that individual or about individuals in general; and
                (II) whether or not the agency or person maintained information about that individual; and
        (C) the toll-free contact telephone numbers and addresses for the major credit reporting agencies.
    (8) Coordination of notification with credit reporting agencies
        If an agency or person is required to provide notification to more than 1,000 individuals under this subsection, the agency or person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p))) of the timing and distribution of the notices.

(b) Civil remedies
    (1) Penalties
        Any agency, or person engaged in interstate commerce, that violates subsection (a) shall be subject to a fine of—
        (A) not more than $1,000 per individual whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person; or
        (B) not more than $50,000 per day while the failure to give notice under subsection (a) persists.
    (2) Equitable relief
        Any agency or person that violates, proposes to violate, or has violated this section may be enjoined from further violations by a court of competent jurisdiction.
    (3) Other rights and remedies
        The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.

(c) Enforcement
    The Federal Trade Commission or other appropriate regulator is authorized to enforce compliance with this section, including the assessment of fines under subsection (b)(1).

(d) Fraud alert
    Section 605A(b)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681c–1(b)(1)) is amended by inserting “, or evidence that the consumer has received notice that the consumer’s personal financial information has or may have been compromised,” after “identity theft report”.

4. Enforcement by State attorneys general

(a) In general
    (1) Civil actions
        In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that is prohibited under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction or any other court of competent jurisdiction, including a State court, to—
        (A) enjoin that practice;
        (B) enforce compliance with this Act;
        (C) obtain damages, restitution, or other compensation on behalf of residents of the State; or
        (D) obtain such other relief as the court may consider to be appropriate.
    (2) Notice
        (A) In general
            Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General of the United States—
            (i) written notice of the action; and
            (ii) a copy of the complaint for the action.
        (B) Exemption
            (i) In general
                Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.
            (ii) Notification
                In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the State attorney general files the action.

(b) Construction
    For purposes of bringing any civil action under subsection (a), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to—
    (1) conduct investigations;
    (2) administer oaths or affirmations; or
    (3) compel the attendance of witnesses or the production of documentary and other evidence.

(c) Venue; service of process
    (1) Venue
        Any action brought under subsection (a) may be brought in—
        (A) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or
        (B) another court of competent jurisdiction.
    (2) Service of process
        In an action brought under subsection (a), process may be served in any district in which the defendant—
        (A) is an inhabitant; or
        (B) may be found.

5. Effect on State law

The provisions of this Act shall supersede any inconsistent provisions of law of any State or unit of local government with respect to the conduct required by the specific provisions of this Act.

6. Effective date

This Act shall take effect on the expiration of the date which is 6 months after the date of enactment of this Act.
