[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[S. 1178 Reported in Senate (RS)]

                                                       Calendar No. 520
110th CONGRESS
  1st Session
                                S. 1178

                          [Report No. 110-235]

   To strengthen data protection and safeguards, require data breach 
           notification, and further prevent identity theft.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 20, 2007

  Mr. Inouye (for himself, Mr. Stevens, Mr. Pryor, Mr. Smith, and Mr. 
Nelson of Florida) introduced the following bill; which was read twice 
 and referred to the Committee on Commerce, Science, and Transportation

                            December 5, 2007

                Reported by Mr. Inouye, with amendments
  [Omit the part struck through and insert the part printed in italic]

_______________________________________________________________________

                                 A BILL


 
   To strengthen data protection and safeguards, require data breach 
           notification, and further prevent identity theft.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Identity Theft 
Prevention Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Protection of sensitive personal information.
Sec. 3. Notification of security breach risk.
Sec. 4. Security freeze.
Sec. 5. Information security and consumer privacy advisory committee.
Sec. 6. Related crime study.
Sec. 7. Prohibition on technology mandates.
Sec. 8. Enforcement.
Sec. 9. Enforcement by State attorneys general.
Sec. 10. Preemption of State law.
<DELETED>Sec. 11. Definitions.</DELETED>
<DELETED>Sec. 12. Authorization of appropriations.</DELETED>
<DELETED>Sec. 13. Effective dates.</DELETED>
Sec. 11. Social Security number protection.
Sec. 12. Protection of information at Federal agencies.
Sec. 13. Definitions.
Sec. 14. Authorization of appropriations.
Sec. 15. Effective dates.

SEC. 2. PROTECTION OF SENSITIVE PERSONAL INFORMATION.

    (a) In General.--A covered entity shall develop, implement, 
maintain, and enforce a written program for the security of sensitive 
personal information the entity collects, maintains, sells, transfers, 
or disposes of, containing administrative, technical, and physical 
safeguards--
            (1) to ensure the security and confidentiality of such 
        data;
            (2) to protect against any anticipated threats or hazards 
        to the security or integrity of such data; and
            (3) to protect against unauthorized access to, or use of, 
        such data that could result in substantial harm to any 
        individual.
    (b) Compliance With FTC Standards Required.--A covered entity that 
is in full compliance with the requirements of the Commission's rules 
on Standards for Safeguarding Customer Information and Disposal of 
Consumer Report Information and Records is deemed to be in compliance 
with the requirements of subsection (a).
    (c) Regulations.--Not later than 1 year after the date of enactment 
of this Act, the Commission shall promulgate regulations, in accordance 
with section 553 of title 5, United States Code, that require 
procedures for authenticating the credentials of any third party to 
which sensitive personal information is to be transferred or sold by a 
covered entity.

SEC. 3. NOTIFICATION OF SECURITY BREACH RISK.

    (a) Security Breaches Affecting 1,000 or More Individuals.--
            (1) In general.--If a covered entity discovers a breach of 
        security that affects 1,000 or more individuals, then, 
        <DELETED>before conducting the notification required by 
        subsection (c), </DELETED>within 5 business days after the 
        discovery of the breach of security, it shall--
                    (A) report the breach to the Commission (or other 
                appropriate Federal regulator under section 8); and
                    (B) notify all consumer reporting agencies 
                described in section 603(p)(1) of the Fair Credit 
                Reporting Act (15 U.S.C. 1681a(p)(1)) of the breach.
            (2) FTC Website Publication.--Whenever the Commission 
        receives a report under paragraph (1)(A), after the 
        notification required by subsection (c) has begun, it shall 
        post a report of the breach of security on its website without 
        disclosing any sensitive personal information pertaining to the 
        individuals affected (including their names).
            (3) Contents of report.--The report described in paragraph 
        (2) shall include--
                    (A) the number of individuals impacted by the 
                breach of security; and
                    (B) confirmation that the covered entity has taken 
                action to comply with the requirements of subsection 
                (c).
    (b) Security Breaches Affecting Fewer Than 1,000 Individuals.--
            (1) In general.--If a covered entity discovers a breach of 
        security that affects the sensitive personal information of 
        fewer than <DELETED>1,000 </DELETED>1,000, but more than 50, 
        individuals and determines that the breach of security does not 
        create a reasonable risk of identity theft, it shall report the 
        breach to the Commission (or other appropriate Federal 
        regulator under section 8).
            (2) Report contents.--The report shall contain the number 
        of individuals affected and the type of information that was 
        exposed because of the breach of security.
            (3) Limitation on commission response.--With respect to a 
        report under paragraph (1) received by the Commission, the 
        Commission may not--
                    (A) disclose any sensitive personal information 
                relating to the individuals (including their names); or
                    (B) publish such a report on its website.
        <DELETED>    (4) Determination of reasonable risk of identity 
        theft.--</DELETED>
                <DELETED>    (A) In general.--If a covered entity 
                cannot make a determination as to whether the breach of 
                security creates a reasonable risk of identity theft, 
                it may request guidance from the Commission in writing 
                as to a suggested course of action that may be required 
                under this Act.</DELETED>
                <DELETED>    (B) Time and manner of response.--The 
                Commission shall respond to a request from a covered 
                entity under subparagraph (A) in writing within 5 
                business days after the date on which it receives the 
                request.</DELETED>
    (c) Notification of Consumers.--
            (1) In general.--A covered entity shall use due diligence 
        to investigate any suspected breach of security affecting 
        sensitive personal information maintained by that covered 
        entity. If, after the exercise of such due diligence, the 
        covered entity discovers a breach of security and determines 
        that the breach of security creates a reasonable risk of 
        identity theft, the covered entity shall notify each such 
        individual. In determining whether a reasonable risk of 
        identity theft exists, a covered entity shall consider such 
        factors as whether--
                    (A) data containing sensitive personal information 
                is usable or could be made usable by an unauthorized 
                third party; and
                    (B) the data is in the possession and control of an 
                unauthorized third party.
            (2) Direct relationship with consumer required.--
        <DELETED>The </DELETED>Where the breach involves a situation in 
        which an entity has a direct relationship with consumers, the 
        notice required by paragraph (1) must be provided by the entity 
        which has a direct relationship with the parties whose 
        information was subject to the breach. Unless there is an 
        agreement to the contrary, the entity providing the notice 
        shall be compensated for the cost of the notice required by the 
        covered entity subject to the breach of security.
            (3) Determination of reasonable risk of identity theft.--
                    (A) In general.--If a covered entity cannot make a 
                determination as to whether the breach of security 
                creates a reasonable risk of identity theft, it may 
                request guidance from the Commission or relevant 
                enforcement agency in writing as to a suggested course 
                of action that may be required under this Act.
                    (B) Time and manner of response.--The Commission or 
                relevant enforcement agency shall respond to a request 
                from a covered entity under subparagraph (A) in writing 
                within 5 business days after the date on which it 
                receives the request.
    (d) Methods of Notification; Notice Content.--
            (1) In general.--A covered entity shall provide notice 
        pursuant to subsection (c) by--
                    (A) written notice;
                <DELETED>    (B) electronic notice, if such notice is 
                consistent with the provisions of the Electronic 
                Signatures in Global and National Commerce Act (15 
                U.S.C. 7001 et seq.); or</DELETED>
                    (B) electronic notice, if the primary method used 
                by the covered entity to communicate with the 
                individual is by electronic means, or the individual 
                has consented to receive such notice and the notice is 
                consistent with the provisions of the Electronic 
                Signatures in Global and National Commerce Act (15 
                U.S.C. 7001 et seq.); or
                    (C) substitute notice, if the covered entity does 
                not have sufficient contact information for the 
                individuals to be notified, consisting of--
                            (i) notice by electronic mail when the 
                        covered entity has an electronic mail address 
                        for affected individuals;
                            (ii) conspicuous posting of the security 
                        breach on the Internet website of the covered 
                        entity for a reasonable period, if the covered 
                        entity maintains a website (except that the 
                        information posted may not disclose any 
                        sensitive personal information pertaining to 
                        the affected individuals (including their 
                        names)); and
                            (iii) notification to major statewide media 
                        of the breach of security.
            (2) Content of notice.--The notice required under 
        paragraphs (1)(A) and (B) shall consist of--
                    (A) the name of the individual whose information 
                was the subject of the breach of security;
                    (B) the name of the covered entity that was the 
                subject of the breach of security;
                    (C) a description of the categories of sensitive 
                personal information of the individual that were the 
                subject of the breach of security;
                    (D) the date of discovery of such breach of 
                security; and
                    (E) the toll-free numbers necessary to contact--
                            (i) each covered entity that was the 
                        subject of the breach of security;
                            (ii) each nationwide credit reporting 
                        agency; and
                            (iii) the Commission.
    (e) Timing of Notification.--
            (1) In general.--Except as provided in paragraph (2), 
        notice required by subsection (c) shall be given--
                    (A) in a manner that is consistent with any 
                measures necessary to determine the scope of the breach 
                and restore the security and integrity of the data 
                system; and
                    (B) in the most expeditious manner practicable, but 
                not later than 25 business days after the date on which 
                the breach of security was discovered by the covered 
                entity.
            (2) Law enforcement and national or homeland security 
        related delays.--Notwithstanding paragraph (1), the giving of 
        notice as required by that paragraph may be delayed for a 
        reasonable period of time if--
                    (A) a Federal or State law enforcement agency 
                determines that the timely giving of notice under 
                subsections (a) and (c), as required by paragraph (1), 
                would materially impede a civil or criminal 
                investigation; or
                    (B) a Federal national security or homeland 
                security agency determines that such timely giving of 
                notice would threaten national or homeland security.
    (f) Certain Service Providers.--Section 2 and subsections (a), (b), 
and (c) of this section do not apply to electronic communication of a 
third party stored by a cable operator, information service, or 
telecommunications carrier in the network of such operator, service or 
carrier in the course of transferring or transmitting such 
communication. Any term used in this subsection that is defined in the 
Communications Act of 1934 (47 U.S.C. 151 et seq.) has the meaning 
given it in that Act.

SEC. 4. SECURITY FREEZE.

    (a) In General.--
            (1) Emplacement.--A consumer may place a security freeze on 
        the consumer's credit report by making a request to a consumer 
        credit reporting agency in writing, by telephone, or through a 
        secure electronic connection if such a connection is made 
        available by the consumer credit reporting agency.
            (2) Consumer disclosure.--If a consumer requests a security 
        freeze, the consumer credit reporting agency shall disclose to 
        the consumer the process of placing and removing the security 
        freeze. A consumer credit reporting agency may not imply or 
        inform a consumer that the placement or presence of a security 
        freeze on the consumer's credit report may negatively affect 
        the consumer's credit score.
    (b) Effect of Security Freeze.--
            (1) Release of information blocked.--If a security freeze 
        is in place on a consumer's credit report, a consumer credit 
        reporting agency may not release the credit report for consumer 
        credit review purposes to a third party without prior express 
        authorization from the consumer.
            (2) Information provided to third parties.--Paragraph (1) 
        does not prevent a consumer credit reporting agency from 
        advising a third party that a security freeze is in effect with 
        respect to the consumer's credit report. If a third party, in 
        connection with a request for information in any circumstance 
        under which a consumer credit reporting agency may furnish a 
        consumer report under section 604(a) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681b), requests access to a consumer 
        credit report on which a security freeze is in place, the third 
        party may treat any application associated with the request as 
        incomplete.
            (3) Consumer credit score not affected.--The placement of a 
        security freeze on a credit report may not be taken into 
        account for any purpose in determining the credit score of the 
        consumer to whom the account relates.
    (c) Removal; Temporary Suspension.--
            (1) In general.--Except as provided in paragraphs (2)(B) 
        and (4), a security freeze shall remain in place until the 
        consumer requests that the security freeze be removed. A 
        consumer may remove a security freeze on the consumer's credit 
        report by making a request to a consumer credit reporting 
        agency in writing, by telephone, or through a secure electronic 
        connection made available by the consumer credit reporting 
        agency.
            (2) Conditions.--A consumer credit reporting agency may 
        remove a security freeze placed on a consumer's credit report 
        only--
                    (A) upon the consumer's request, pursuant to 
                paragraph (1); or
                    (B) if the agency determines that the consumer's 
                credit report was frozen due to a material 
                misrepresentation of fact by the consumer.
            (3) Notification to consumer.--If a consumer credit 
        reporting agency intends to remove a freeze upon a consumer's 
        credit report pursuant to paragraph <DELETED>(2)(B) or (4), 
        </DELETED>2(B) the consumer credit reporting agency shall 
        notify the consumer in writing prior to removing the freeze on 
        the consumer's credit report.
            (4) Temporary suspension.--A consumer may have a security 
        freeze on the consumer's credit report temporarily suspended by 
        making a request to a consumer credit reporting agency in 
        <DELETED>writing </DELETED>writing, by telephone, or through a 
        secure electronic connection made available by the consumer 
        credit reporting agency and--
                    (A) specifying beginning and ending dates for the 
                period during which the security freeze is not to apply 
                to that consumer's credit report; or
                    (B) specifying a specific third party to which 
                access to the credit report may be granted 
                notwithstanding the freeze.
    (d) Response Times; Notification of Other Entities.--
            (1) In general.--A consumer credit reporting agency shall--
                    (A) place a security freeze on a consumer's credit 
                report under subsection (a) no later than 3 business 
                days after receiving a request from the consumer under 
                subsection (a)(1);
                    (B) remove a security freeze within 3 business days 
                after receiving a request for removal from the consumer 
                under subsection (c); and
                    (C) temporarily suspend a security freeze within 1 
                business day after receiving a request under subsection 
                (c)(4).
            (2) Notification of other covered entities.--If the 
        consumer requests in writing, by telephone, or by secure 
        electronic connection to a consumer credit reporting agency 
        described in section 603(p) of the Fair Credit Reporting Act 
        (15 U.S.C. 1681a(p)) that other covered entities be notified of 
        the request, the consumer credit reporting agency shall notify 
        all other consumer credit reporting agencies described in 
        section <DELETED>603(p)(1) </DELETED>603(p) of the Fair Credit 
        Reporting Act (15 U.S.C. <DELETED>1681a(p)(1)) 
        </DELETED>1681a(p)) of the request within 1 day of receiving 
        the request.
            (3) Implementation by other covered entities.--A consumer 
        credit reporting agency described in section 603(p) of the Fair 
        Credit Reporting Act (15 U.S.C. 1681a(p)) that is notified of a 
        request under paragraph (2) to place, remove, or temporarily 
        suspend a security freeze on a consumer's credit report shall--
                    (A) ensure the validity of the request, including 
                verifying the identity of the requesting consumer, 
                within 3 business days after receiving the 
                notification; and
                    (B) place, remove, or temporarily suspend the 
                security freeze on that credit report within 3 business 
                days after validating the request, including verifying 
                the identity of the requesting consumer and securing 
                the fee under subsection (h)(1), if applicable.
    (e) Confirmation.--Except as provided in subsection (c)(3), 
whenever a consumer credit reporting agency places, removes, or 
temporarily suspends a security freeze on a consumer's credit report at 
the request of that consumer under subsection (a) or (c), respectively, 
it shall send a written confirmation thereof to the consumer within 10 
business days after placing, removing, or temporarily suspending the 
security freeze on the credit report. This subsection does not apply to 
the placement, removal, or temporary suspension of a security freeze by 
a consumer credit reporting agency because of a notification received 
under subsection (d)(2).
    (f) ID Required.--A consumer credit reporting agency may not place, 
remove, or temporarily suspend a security freeze on a consumer's credit 
report at the consumer's request unless the consumer provides proper 
identification (within the meaning of section 610(a)(1) of the Fair 
Credit Reporting Act (15 U.S.C. 1681(h)(a)(1)) and the regulations 
thereunder.
    (g) Exceptions.--This section does not apply to the use of a 
consumer credit report by any of the following:
            (1) A person or entity, or a subsidiary, affiliate, or 
        agent of that person or entity, or an assignee of a financial 
        obligation owing by the consumer to that person or entity, or a 
        prospective assignee of a financial obligation owing by the 
        consumer to that person or entity in conjunction with the 
        proposed purchase of the financial obligation, with which the 
        consumer has or had prior to assignment an account or contract, 
        including a demand deposit account, or to whom the consumer 
        issued a negotiable instrument, for the purposes of reviewing 
        the account or collecting the financial obligation owing for 
        the account, contract, or negotiable instrument.
            (2) Any Federal, State or local agency, law enforcement 
        agency, trial court, or private collection agency acting 
        pursuant to a court order, warrant, subpoena, or other 
        compulsory process.
            (3) A child support agency or its agents or assigns acting 
        pursuant to subtitle D of title IV of the Social Security Act 
        (42 U.S.C. et seq.) or similar State law.
            (4) The Department of Health and Human Services, a similar 
        State agency, or the agents or assigns of the Federal or State 
        agency acting to investigate medicare or medicaid fraud.
            (5) The Internal Revenue Service or a State or municipal 
        taxing authority, or a State department of motor vehicles, or 
        any of the agents or assigns of these Federal, State, or 
        municipal agencies acting to investigate or collect delinquent 
        taxes or unpaid court orders or to fulfill any of their other 
        statutory responsibilities.
            (6) Any person or entity administering a credit file 
        monitoring subscription to which the consumer has subscribed.
            (7) Any person or entity for the purpose of providing a 
        consumer with a copy of the consumer's credit report or credit 
        score upon the consumer's request.
            (8) Except when access is restricted to a specific third 
        party during a temporary suspension of a security freeze under 
        subsection (c)(4)(B), any person who seeks access during the 
        time period that a security freeze is temporarily suspended for 
        the purpose of facilitating the extension of credit or another 
        permissible use.
    (h) Fees.--
            (1) In general.--Except as provided in paragraph (2), a 
        consumer credit reporting agency may charge a fee, not in 
        excess of $10, for placing a security freeze on a consumer's 
        credit report. A consumer reporting agency may not charge a 
        consumer for up to 2 requests per year per credit reporting 
        agency for temporary suspension of a security freeze. If the 
        consumer requests more than 2 temporary suspensions of a 
        security freeze from a credit reporting agency within a year, 
        then that consumer credit reporting agency may charge the 
        consumer a fee for each such additional request, but that 
        consumer credit reporting agency may not charge in excess of $5 
        per request. A consumer credit reporting agency may not charge 
        a consumer for removing a security freeze.
            (2) Fees prohibited.--
                    (A) ID theft victims.--A consumer credit reporting 
                agency may not charge a fee for placing, removing, or 
                temporarily suspending a security freeze on a 
                consumer's credit report if--
                            (i) the consumer is a victim of identity 
                        theft;
                            (ii) the consumer requests the security 
                        freeze in writing;
                            (iii) the consumer has filed a police 
                        report with respect to the theft, or an 
                        identity theft report (as defined in section 
                        603(q)(4) of the Fair Credit Reporting Act (15 
                        U.S.C. 1681a(q)(4))), within 180 days after the 
                        theft occurred or was discovered by the 
                        consumer; and
                            (iv) the consumer provides a copy of the 
                        report to the credit reporting agency.
                    (B) Categorical classes.--A consumer credit 
                reporting agency may not charge a fee for placing, 
                removing, or temporarily suspending a credit freeze on 
                a consumer's credit report if the consumer requesting 
                it--
                            (i) has attained the age of 65 years;
                            (ii) is on active duty or in the ready 
                        reserve component of an armed force of the 
                        United States; or
                            (iii) is the spouse of an individual 
                        described in clause (ii).
    (i) Limitation on Information Changes in Frozen Reports.--
            (1) In general.--If a security freeze is in place on a 
        consumer's credit report, a consumer credit reporting agency 
        may not change any of the following official information in 
        that credit report without sending a written confirmation of 
        the change to the consumer within 30 days after the change is 
        made:
                    (A) Name.
                    (B) Date of birth.
                    (C) Social security account number.
                    (D) Address.
            (2) Confirmation.--Paragraph (1) does not require written 
        confirmation for technical modifications of a consumer's 
        official information, including name and street abbreviations, 
        complete spellings, or transposition of numbers or letters. In 
        the case of an address change, the written confirmation shall 
        be sent to both the new address and to the former address.
    (j) Certain Entity Exemptions.--
            (1) Resellers and other agencies.--
                    (A) In general.--Except as provided in subparagraph 
                (B), the provisions of this Act do not apply to a 
                consumer credit reporting agency that acts only as a 
                reseller of credit information by assembling and 
                merging information contained in the data base of 
                another consumer credit reporting agency or multiple 
                consumer credit reporting agencies, and does not 
                maintain a permanent data base of credit information 
                from which new consumer credit reports are produced.
                    (B) Reseller to honor freezes placed by consumer 
                reporting agencies.--Section 4(b), and, to the extent 
                applicable, <DELETED>section 8 </DELETED>sections 8 and 
                9 of this Act apply to a consumer credit reporting 
                agency described in subparagraph (A).
            (2) Other exempted entities.--The following entities are 
        not required to place a security freeze in a credit report:
                    (A) A check services or fraud prevention services 
                company, which issues reports on incidents of fraud or 
                authorizations for the purpose of approving or 
                processing negotiable instruments, electronic funds 
                transfers, or similar methods of payments.
                    (B) A deposit account information service company, 
                which issues reports regarding account closures due to 
                fraud, substantial overdrafts, ATM abuse, or similar 
                negative information regarding a consumer, to inquiring 
                banks or other financial institutions for use only in 
                reviewing a consumer request for a deposit account at 
                the inquiring bank or financial institution.

SEC. 5. INFORMATION SECURITY AND CONSUMER PRIVACY ADVISORY COMMITTEE.

    (a) Establishment.--Not later than 90 days after the date of 
enactment of this Act, the Chairman of the Commission shall establish 
the Information Security and Consumer Privacy Advisory Committee.
    (b) Membership.--The Advisory Committee shall consist of 5 members 
appointed by the Chairman after appropriate consultations with relevant 
interested <DELETED>parties. </DELETED>parties, including 
representatives of the small business community. Of the 5 members, the 
Advisory Committee shall contain at least 1 member from each of the 
following groups:
            (1) A non-profit consumer advocacy group.
            (2) A business organization that collects personally 
        identifiable information.
            (3) A state Attorney General's office.
    (c) Chairperson.--The Advisory Committee members shall elect 1 
member to serve as chairperson of the Advisory Committee.
    (d) Functions.--The Advisory Committee shall collect, review, 
disseminate, and advise on <DELETED>best practices </DELETED>guidance 
for covered entities to protect sensitive personal information stored 
and transferred.
    (e) Report.--Not later than 12 months after the date on which the 
Advisory Committee is established under subsection (a) and annually 
thereafter, the Advisory Committee shall submit to Congress a report on 
its findings.
    (f) No Termination.--Section 14(a)(2) of the Federal Advisory 
Committee Act (5 U.S.C. App 14(a)(2)) shall not apply to the Advisory 
Committee.

SEC. 6. RELATED CRIME STUDY.

    (a) In General.--The Federal Trade Commission, in conjunction with 
the Department of Justice and other Federal agencies, shall undertake a 
study of--
            (1) the correlation between methamphetamine use and 
        identity theft crimes;
            (2) the needs of law enforcement to address methamphetamine 
        crimes related to identity theft, including production, 
        trafficking, and the purchase of precursor chemicals; and
            (3) the Federal Government's role in addressing and 
        deterring identity theft crimes.
    (b) Report.--Not later than <DELETED>18 months </DELETED>9 months 
after the date of enactment of this Act, the Commission shall submit a 
report of its findings and recommendations to the Congress that 
includes--
            (1) a detailed analysis of the correlation between 
        methamphetamine use and identity theft crimes;
            (2) the needs of law enforcement to address methamphetamine 
        crimes related to identity theft including production, 
        trafficking, and the purchase of precursor chemicals related to 
        methamphetamine;
            (3) the Federal Government's role in addressing and 
        deterring identity theft crimes; and
            (4) specific recommendations for means of reducing and 
        preventing crimes involving methamphetamine and identity theft, 
        including recommendations for best practices for local law 
        enforcement agencies.

SEC. 7. PROHIBITION ON TECHNOLOGY MANDATES.

    Nothing in this Act shall be construed to permit the Commission to 
issue regulations that require or impose a specific technology, 
product, <DELETED>technological standards, or solution. </DELETED>or 
technological standards.

SEC. 8. ENFORCEMENT.

    (a) Enforcement by Commission.--Except as provided in subsection 
(c), this Act shall be enforced by the Commission.
    (b) Violation Is Unfair or Deceptive Act or Practice.--The 
violation of any provision of this Act shall be treated as an unfair or 
deceptive act or practice proscribed under a rule issued under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (c) Enforcement by Certain Other Agencies.--Compliance with this 
Act shall be enforced exclusively under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks, <DELETED>and any 
                subsidiaries of such entities (except brokers, dealers, 
                persons providing insurance, investment companies, and 
                investment advisers), </DELETED>by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, organizations operating under section 25 
                or 25A of the Federal Reserve Act (12 U.S.C. 601 and 
                611), <DELETED>and bank holding companies and their 
                nonbank subsidiaries or affiliates (except brokers, 
                dealers, persons providing insurance, investment 
                companies and investment advisers), </DELETED>by the 
                Board of Governors of the Federal Reserve System;
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System), insured State branches of foreign banks, 
                <DELETED>and any subsidiaries of such entities (except 
                brokers, dealers, persons providing insurance, 
                investment companies and investment advisers), 
                </DELETED>by the Board of Directors of the Federal 
                Deposit Insurance Corporation; and
                    (D) savings associations the deposits of which are 
                insured by the Federal Deposit Insurance Corporation, 
                <DELETED>and any subsidiaries of such savings 
                associations (except brokers, dealers, persons 
                providing insurance, investment companies and 
                investment advisers), </DELETED>by the Director of the 
                Office of Thrift Supervision;
            (2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the Board of the National Credit Union Administration Board 
        with respect to any Federal credit <DELETED>union and any 
        subsidiaries of such a credit </DELETED>union;
            (3) the Securities and Exchange Act of 1934 (15 U.S.C. 78a 
        et seq.) by the Securities and Exchange Commission with respect 
        to--
                    (A) a broker or dealer subject to that Act;
                    (B) an investment company subject to the Investment 
                Company Act of 1940 (15 U.S.C. 80a-1 et seq.); and
                    (C) an investment advisor subject to the Investment 
                Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.); and
            (4) State insurance law, in the case of any person engaged 
        in providing insurance, by the applicable State insurance 
        authority of the State in which the person is domiciled.
    (d) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (c) of its powers under any Act 
referred to in that subsection, a violation of this Act is deemed to be 
a violation of a requirement imposed under that Act. In addition to its 
powers under any provision of law specifically referred to in 
subsection (c), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under this Act, any other authority conferred on it by law.
    (e) Other Authority Not Affected.--Nothing in this Act shall be 
construed to limit or affect in any way the Commission's authority to 
bring enforcement actions or take any other measure under the Federal 
Trade Commission Act (15 U.S.C. 41 et seq.) or any other provision of 
law.
    (f) Compliance With Gramm-Leach-Bliley Act.--
            (1) Notice.--Any covered entity that is subject to the 
        Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), and gives 
        notice in compliance with the notification requirements 
        established for such covered entities under title V of that Act 
        is deemed to be in compliance with section 3 of this Act.
            (2) Safeguards.--Any covered entity that is subject to the 
        Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), and fulfills 
        the information protection requirements established for such 
        entities under title V of the Act and under section 607(a) of 
        the Fair Credit Reporting Act (15 U.S.C. 1681e(a)) to protect 
        sensitive personal information shall be deemed to be in 
        compliance with section 2 of this Act.

SEC. 9. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--Except as provided in section 8(c), a State, as 
parens patriae, may bring a civil action on behalf of its residents in 
an appropriate state or district court of the United States to enforce 
the provisions of this Act, to obtain damages, restitution, or other 
compensation on behalf of such residents, or to obtain such further and 
other relief as the court may deem appropriate, whenever the attorney 
general of the State has reason to believe that the interests of the 
residents of the State have been or are being threatened or adversely 
affected by a covered entity that violates this Act or a regulation 
under this Act.
    (b) Notice.--The State shall serve written notice to the Commission 
(or other appropriate Federal regulator under section 8) of any civil 
action under subsection (a) at least 60 days prior to initiating such 
civil action. The notice shall include a copy of the complaint to be 
filed to initiate such civil action, except that if it is not feasible 
for the State to provide such prior notice, the State shall provide 
such notice immediately upon instituting such civil action.
    (c) Authority To Intervene.--Upon receiving the notice required by 
subsection (b), the Commission (or other appropriate Federal regulator 
under section 8) may intervene in such civil action and upon 
intervening--
            (1) be heard on all matters arising in such civil action; 
        and
            (2) file petitions for appeal of a decision in such civil 
        action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this section shall prevent the attorney 
general of a State from exercising the powers conferred on the attorney 
general by the laws of such State to conduct investigations or to 
administer oaths or affirmations or to compel the attendance of 
witnesses or the production of documentary and other evidence.
    (e) Venue; Service of Process.--In a civil action brought under 
subsection (a)--
            (1) the venue shall be a judicial district in which--
                    (A) the covered entity operates; or
                    (B) the covered entity was authorized to do 
                business;
            (2) process may be served without regard to the territorial 
        limits of the district or of the State in which the civil 
        action is instituted; and
            (3) a person who participated with a covered entity in an 
        alleged violation that is being litigated in the civil action 
        may be joined in the civil action without regard to the 
        residence of the person.
    (f) Limitation on State Action While Federal Action Is Pending.--If 
the Commission (or other appropriate Federal agency under section 8) 
has instituted a civil action or an administrative action for violation 
of this Act, no State attorney general, or official or agency of a 
State, may bring an action under this subsection during the pendency of 
that action against any defendant named in the complaint of the 
Commission or the other agency for any violation of this Act alleged in 
the complaint.
    (g) Recovery of Reasonable Costs and Fees.--If the attorney general 
of the State prevails in any civil action under subsection (a), it can 
recover reasonable costs and attorney fees from the covered entity.

SEC. 10. PREEMPTION OF STATE LAW.

    (a) Notice.--This Act preempts any State or local law, regulation, 
or rule that requires a covered entity to notify individuals of 
breaches of security pertaining to them.
    (b) Information Security Programs.--This Act preempts any State or 
local law, regulation, or rule that requires a covered entity to 
develop, implement, maintain, or enforce information security programs 
to which this Act applies.
    (c) Security Freeze.--
            (1) In general.--This Act shall not be construed as 
        superseding, altering, or affecting any statute, regulation, 
        order, or interpretation in effect in any State with regards to 
        consumer credit reporting agencies compliance with a consumer's 
        request to place, remove, or temporarily suspend the 
        prohibition on the release by a credit reporting agency of 
        information from its files on that consumer, except to the 
        extent that such statute, regulation, order, or interpretation 
        is inconsistent with the provisions of this Act, and then only 
        to the extent of the inconsistency.
            (2) Greater protection under state law.--For purposes of 
        this section, a State statute, regulation, order, or 
        interpretation is not inconsistent with the provisions of this 
        subtitle if the protection <DELETED>of </DELETED>afforded by 
        such statute, regulation, order, or interpretation 
        <DELETED>affords </DELETED>any person is greater than the 
        protection provided under this Act in regards to credit 
        reporting agencies compliance with a consumer's request to 
        place, remove, or temporarily suspend the prohibition on the 
        release by a consumer credit reporting agency of information 
        from its files on that consumer.
    (d) Social Security Account Numbers.--Section 11 of this Act, and 
the amendments made by that section, preempt any State or local law, 
regulation, or rule prohibiting or limiting the collection, 
solicitation, sale, provision, or display of social security account 
numbers of the types described in section 11.
    <DELETED>(d) </DELETED>(e) Limitation of Preemption.--Federal 
preemption under this Act shall only apply to matters expressly 
described in subsection <DELETED>(a) or (b) </DELETED>(a), (b), or (d) 
of this section, and shall have no effect on other State or local laws, 
regulations, or rules over covered entities.

SEC. 11. SOCIAL SECURITY NUMBER PROTECTION.

    (a) Prohibition of Unnecessary Solicitation of Social Security 
Numbers.--
            (1) In General.--Unless there is a specific use of a social 
        security account number for which no other identifier 
        reasonably can be used, a covered entity may not solicit a 
        social security account number from an individual except for 
        the following purposes:
                    (A) For use in an identification, verification, 
                accuracy, or identity proofing process.
                    (B) For any purpose permitted under the Fair Credit 
                Reporting Act (15 U.S.C. 1681 et seq.) or the Gramm-
                Leach-Bliley Act (15 U.S.C. 6802(e)).
                    (C) To comply with the requirement of Federal, 
                State, or local law.
            (2) Exceptions.--Paragraph (1) does not apply to the 
        solicitation of a social security account number--
                    (A) for the purpose of obtaining a consumer report 
                for any purpose permitted under the Fair Credit 
                Reporting Act (15 U.S.C. 1681 et seq.),
                    (B) by a consumer reporting agency for the purpose 
                of authenticating or obtaining appropriate proof of a 
                consumer's identity, as required under that Act;
                    (C) for any purpose permitted under section 502(e) 
                of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(e)); or
                    (D) to the extent necessary for verifying the 
                accuracy of information submitted by an individual to a 
                covered entity, its agents, contractors, or employees 
                or for the purpose of authenticating or obtaining 
                appropriate proof of an individual's identity;
                    (E) to identify or locate missing or abducted 
                children, witnesses, criminals, fugitives, parties to 
                lawsuits, parents delinquent in child support payments, 
                organ and bone marrow donors, pension fund 
                beneficiaries, and missing heirs;
                    (F) to the extent necessary to prevent, detect, or 
                investigate fraud, unauthorized transactions, or other 
                financial liability or to facilitate the enforcement of 
                an obligation of, or collection of a debt from, a 
                consumer, provided that the person selling, providing, 
                displaying, or obtaining the social security account 
                number does not do so for marketing purposes.
    (b) Prohibition of the Display of Social Security Numbers on 
Employee Identification Cards, Etc.--
            (1) In general.--A covered entity may not display an 
        individual's security account number (or any derivative of such 
        number) on any card or tag that is commonly provided to 
        employees (or to their family members), faculty, staff, or 
        students for purposes of identification.
            (2) Driver's licenses.--A State may not display the social 
        security account number of an individual on driver's licenses 
        issued by that State.
    (c) Prohibition of Prisoner Access to Social Security Numbers.--
            (1) In general.--Section 205(c)(2)(C) of the Social 
        Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at 
        the end the following:
                            ``(x) No executive, legislative, or 
                        judicial agency or instrumentality of the 
                        Federal Government or of a State or political 
                        subdivision thereof (or person acting as an 
                        agent of such an agency or instrumentality) may 
                        employ, or enter into a contract for the use or 
                        employment of, prisoners in any capacity that 
                        would allow such prisoners access to the social 
                        security account numbers of other individuals. 
                        For purposes of this clause, the term 
                        `prisoner' means an individual who is confined 
                        in a jail, prison, or other penal institution 
                        or correctional facility, serving community 
                        service as a term of probation or parole, or 
                        serving a sentence through a work-furlough 
                        program.''.
            (2) Treatment of current arrangements.--In the case of--
                    (A) prisoners employed as described in clause (x) 
                of section 205(c)(2)(C) of the Social Security Act (42 
                U.S.C. 405(c)(2)(C)), as added by paragraph (1), on the 
                date of enactment of this Act; and
                    (B) contracts described in such clause in effect on 
                such date,
        the amendment made by paragraph (1) shall take effect 90 days 
        after the date of enactment of this Act.
    (d) Prohibition of Sale and Display of Social Security Numbers to 
the General Public.--
            (1) In general.--Except as provided in paragraph (2), it 
        shall be unlawful for any person--
                    (A) to sell, purchase, or provide a social security 
                account number, to the general public or display to the 
                general public social security account numbers; or
                    (B) to obtain or use any individual's social 
                security account number for the purpose of locating or 
                identifying such individual with the intent to 
                physically injure or harm such individual or using the 
                identity of such individual for any illegal purpose.
            (2) Exceptions.--Notwithstanding paragraph (1), and subject 
        to paragraph (3), a social security account number may be sold, 
        provided, displayed, or obtained by any person--
                    (A) to the extent necessary for law enforcement or 
                national security purposes;
                    (B) to the extent necessary for public health 
                purposes;
                    (C) to the extent necessary in emergency situations 
                to protect the health or safety of 1 or more 
                individuals;
                    (D) to the extent that the sale or display is 
                required, authorized, or permitted under any law of the 
                United States or of any State, county, or municipality;
                    (E) for any purposes allowed under the Fair Credit 
                Reporting Act (15 U.S.C. 1681 et seq.) or the Gramm-
                Leach-Bliley Act (15 U.S.C. 6802(e));
                    (F) to the extent necessary for verifying the 
                accuracy of information submitted by an individual to a 
                covered entity, its agents, contractors, or employees 
                or for the purpose of authenticating or obtaining 
                appropriate proof of the individual's identity;
                    (G) to the extent necessary to identify or locate 
                missing or abducted children, witnesses to an ongoing 
                or potential civil or criminal lawsuit, criminals, 
                criminal suspects, parties to lawsuits, parents 
                delinquent in child support payments, organ and bone 
                marrow donors, pension fund beneficiaries, missing 
                heirs, and for similar legal, medical, or family 
                related purposes, if the person selling, providing, 
                displaying, or obtaining the social security account 
                number does not do so for marketing purposes;
                    (H) to the extent necessary to prevent, detect, or 
                investigate fraud, unauthorized transactions, or other 
                financial liability or to facilitate the enforcement of 
                an obligation of, or collection of a debt from, a 
                consumer, if the person selling, providing, displaying, 
                or obtaining the social security account number does 
                not do so for marketing purposes;
                    (I) to the extent the transmission of the number is 
                incidental to, and in the course of, the sale, lease, 
                franchising, or merger of all, or a portion of, a 
                business; or
                    (J) to the extent necessary for research (other 
                than market research) conducted by an agency or 
                instrumentality of the United States or of a State or 
                political subdivision thereof (or an agent of such an 
                agency or instrumentality) for the purpose of advancing 
                the public good, on the condition that the researcher 
                provides adequate assurances that--
                            (i) the social security account numbers 
                        will not be used to harass, target, or publicly 
                        reveal information concerning any identifiable 
                        individuals;
                            (ii) information about identifiable 
                        individuals obtained from the research will not 
                        be used to make decisions that directly affect 
                        the rights, benefits, or privileges of specific 
                        individuals; and
                            (iii) the researcher has in place 
                        appropriate safeguards to protect the privacy 
                        and confidentiality of any information about 
                        identifiable individuals, including procedures 
                        to ensure that the social security account 
                        numbers will be encrypted or otherwise 
                        appropriately secured from unauthorized 
                        disclosure; or
                    (K) to the extent that the transmission of the 
                social security account number is incidental to the 
                sale or provision of a document lawfully obtained 
                from--
                            (i) the Federal Government or a State or 
                        local government, that the document has been 
                        made available to the general public; or
                            (ii) the document has been made available 
                        to the general public via widely distributed 
                        media.
            (2) Limitation.--Paragraph (1)(K) does not apply to 
        information obtained from publicly available sources or from 
        Federal, State, or local government records if that information 
        is combined with information obtained from non-public sources.
            (3) Consensual sale.--Notwithstanding paragraph (1), a 
        social security account number assigned to an individual may be 
        sold, provided, or displayed to the general public by any 
        person to the extent consistent with such individual's 
        voluntary and affirmative written consent to the sale, 
        provision, or display of the social security account number 
        only if--
                    (A) the terms of the consent and the right to 
                refuse consent are presented to the individual in a 
                clear, conspicuous, and understandable manner;
                    (B) the individual is placed under no obligation to 
                provide consent to any such sale or display; and
                    (C) the terms of the consent authorize the 
                individual to limit the sale, provision, or display to 
                purposes directly associated with the transaction with 
                respect to which the consent is sought.

SEC. 12. PROTECTION OF INFORMATION AT FEDERAL AGENCIES.

    (a) Data Security Standards.--Each agency shall develop, implement, 
maintain, and enforce a written program for the security of sensitive 
personal information the agency collects, maintains, sells, transfers, 
or disposes of, containing administrative, technical and physical 
safeguards--
            (1) to insure the security and confidentiality of such 
        data;
            (2) to protect against any anticipated threats or hazards 
        to the security of such data; and
            (3) to protect against unauthorized access to, or use of, 
        such data that could result in substantial harm to any 
        individual misuse of such information, which could result in 
        substantial harm or inconvenience to a consumer.
    (b) Security Breach Notification Standards.--Each agency shall use 
due diligence to investigate any suspected breach of security affecting 
sensitive personal information maintained by the agency. If, after the 
exercise of such due diligence, the agency discovers a breach and 
determines that the breach of security creates a reasonable risk of 
identity theft, the agency shall notify each such individual as 
prescribed in section 3(d) and (e).
    (c) Agency.--The term `agency' has the same meaning given such term 
in section 551(1) of title 5, United States Code.
    (d) Enforcement.--The Inspector General of each Federal agency will 
be responsible for enforcing the provisions of this Act in accordance 
with the Inspector General Act.

<DELETED>SEC. 11. DEFINITIONS.</DELETED>

SEC. 13. DEFINITIONS.

    In this Act:
            (1) Breach of security.--The term ``breach of security'' 
        means unauthorized access to and acquisition of data in any 
        form or format containing sensitive personal information that 
        compromises the security or confidentiality of such 
        information.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Consumer credit reporting agency.--The term ``consumer 
        credit reporting agency'' means any person which, for monetary 
        fees, dues, or on a cooperative nonprofit basis, regularly 
        engages in whole or in part in the practice of assembling or 
        evaluating consumer credit information or other information on 
        consumers for the purpose of furnishing credit reports to third 
        parties, and which uses any means or facility of interstate 
        commerce for the purpose of preparing or furnishing credit 
        reports.
            (4) Covered entity.--The term ``covered entity'' means a 
        sole proprietorship, partnership, corporation, trust, estate, 
        cooperative, association, or other commercial entity, and any 
        charitable, educational, or nonprofit organization, that 
        acquires, maintains, or utilizes sensitive personal 
        information.
            (5) Credit report.--The term ``credit report'' means a 
        consumer report, as defined in section 603(d) of the Federal 
        Fair Credit Reporting Act (15 U.S.C. 1681a(p)), as well as any 
        associated credit score that is used or expected to be used or 
        collected in whole or in part for the purpose of serving as a 
        factor in establishing a consumer's eligibility for credit for 
        personal, family or household purposes.
            (6) Identity theft.--The term ``identity theft'' means the 
        unauthorized acquisition, purchase, sale, or use by any person 
        of an individual's sensitive personal information that--
                    (A) violates section 1028 of title 18, United 
                States Code, or any provision of State law in pari 
                materia; or
                    (B) results in harm to the individual whose 
                sensitive personal information was used.
            (7) Reasonable risk of identity theft.--The term 
        ``reasonable risk of identity theft'' means that the 
        preponderance of the evidence available to the covered entity 
        that has experienced a breach of security establishes that 
        identity theft for 1 or more individuals from the breach of 
        security is foreseeable.
            (8) Reviewing the account.--The term ``reviewing the 
        account'' includes activities related to account maintenance, 
        monitoring, credit line increases, and account upgrades and 
        enhancements.
            (9) Sensitive personal information.--
                    (A) In general.--Except as provided in 
                subparagraphs (B), (C), and (D), the term ``sensitive 
                personal information'' means an individual's name, 
                address, or telephone number combined with 1 or more of 
                the following data elements related to that individual:
                            (i) Social security account number or an 
                        employer identification number that is the same 
                        as or is derived from the social security 
                        account number of that individual.
                            (ii) Financial account number, or credit 
                        card or debit card number of such individual, 
                        combined with any required security code, 
                        access code, or password that would permit 
                        access to such individual's <DELETED>account. 
                        </DELETED>account number or card number.
                            (iii) State driver's license identification 
                        number or State resident identification number.
                    (B) Password accounts.--<DELETED>An </DELETED>The 
                term ``sensitive personal information'' also includes 
                an account identifier combined with a password, PIN, or 
                security code to access the account, for any consumer 
                account from which any of the following can occur 
                without further authentication after login:
                            (i) A financial transaction.
                            (ii) A purchase of goods or services.
                            (iii) A charge to a payment card or 
                        account.
                            (iv) A charge to a credit card or account.
                            (v) Access to the account that reveals 
                        sufficient information to engage in any 
                        activity described in clause (i), (ii), (iii), 
                        or (iv).
                    (C) FTC modifications.--The Commission may, through 
                a rulemaking proceeding in accordance with section 553 
                of title 5, United States Code, designate other 
                identifying information that may be used to effectuate 
                identity theft as sensitive personal information for 
                purposes of this Act and limit or exclude any 
                information described in subparagraph (A) from the 
                definition of sensitive personal information for 
                purposes of this Act.
                    (D) Exception.--The term ``sensitive personal 
                information'' does not include information that is 
                obtained from--
                            (i) Federal, State, or local governments 
                        that has been made available to the general 
                        public; or
                            (ii) widely distributed media.
                The exception provided by this subparagraph does not 
                apply if the information obtained from Federal, State, 
                or local government records or widely distributed media 
                is combined with information obtained from non-public 
                sources.
                <DELETED>    (E) Public records.--Nothing in this Act 
                prohibits a covered entity from obtaining, aggregating, 
                or using sensitive personal information it lawfully 
                obtains from public records in a manner that does not 
                violate this Act.</DELETED>
                    (E) Burden of proof.--In an enforcement action 
                brought pursuant to section 8 or 9 of this Act, the 
                covered entity shall have the burden of demonstrating 
                that it has obtained the information from a source 
                permitted as an exception in this paragraph.
            (11) Social security account number.--The term ``social 
        security account number'' means a social security account 
        number that contains more than 5 digits of the full 9-digit 
        number assigned by the Social Security Administration but does 
        not include social security account numbers to the extent that 
        they are included in a publicly available information source, 
        such as news reports, books, periodicals, or directories or 
        Federal, State, or local government records.

<DELETED>SEC. 12. AUTHORIZATION OF APPROPRIATIONS.</DELETED>

SEC. 14. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to the Commission 
$2,000,000 for each of fiscal years 2007 through 2011 to carry out this 
Act.

<DELETED>SEC. 13. EFFECTIVE DATES.</DELETED>

SEC. 15. EFFECTIVE DATES.

    (a) In General.--Except as provided in subsections (b) and (c), the 
provisions of this Act take effect upon its enactment.
    (b) Implementation of Security Program.--A covered entity shall 
implement the program required by section 2(a) within 6 months after 
the date of enactment of this Act.
    (c) Provisions Requiring Rulemaking.--The Commission shall initiate 
1 or more rulemaking proceedings under sections 2(c), 3, and 4 
(including a rulemaking proceeding to determine what constitutes proper 
identification within the meaning of section 610(a)(1) of the Fair 
Credit Reporting Act (15 U.S.C. 1681(h)(a)(1))) within 45 days after 
the date of enactment of this Act. The Commission shall promulgate all 
final rules pursuant to those rulemaking proceedings within 1 year 
after the date of enactment of this Act. The provisions of sections 
2(c), 3, and 4 shall take effect on the same date 6 months after the 
date on which the Commission promulgates the last final rule under the 
proceeding or proceedings commenced under the preceding sentence.
    (d) Preemption.--Section 10 shall take effect at the same time as 
sections 2(c), 3, and 4 take effect.