[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[S. 1202 Introduced in Senate (IS)]

110th CONGRESS
  1st Session
                                S. 1202

  To require agencies and persons in possession of computerized data 
    containing sensitive personal information, to disclose security 
 breaches where such breach poses a significant risk of identity theft.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 24, 2007

 Mr. Sessions introduced the following bill; which was read twice and 
               referred to the Committee on the Judiciary

_______________________________________________________________________

                                 A BILL


 
  To require agencies and persons in possession of computerized data 
    containing sensitive personal information, to disclose security 
 breaches where such breach poses a significant risk of identity theft.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Personal Data Protection Act of 
2007''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency''--
                    (A) has the meaning given that term in section 
                551(1) of title 5, United States Code; and
                    (B) includes any authority of a State or political 
                subdivision.
            (2) Breach of security of the system.--The term ``breach of 
        security of the system''--
                    (A) means the compromise of the security of 
                computerized data containing sensitive personal 
                information that establishes a reasonable basis to 
                conclude that a significant risk of identity theft to 
                an individual exists; and
                    (B) does not include the compromise of the security 
                of computerized data, if the agency or person 
                concludes, after conducting a reasonable investigation, 
                that there is not a significant risk of identity theft 
                to an individual, including a situation in which--
                            (i) sensitive personal information is 
                        acquired in good faith by an employee or agent 
                        of the agency or person and the information is 
                        not subject to further unauthorized disclosure;
                            (ii) an investigation by an appropriate law 
                        enforcement agency, government agency, or 
                        official determines that there is not a 
                        significant risk of identity theft; or
                            (iii) the agency or person maintains or 
                        participates in a security program reasonably 
                        designed to block unauthorized transactions 
                        before they are charged to an individual's 
                        account and the security program does not 
                        indicate that the compromise of sensitive 
                        personal information has resulted in fraud or 
                        unauthorized transactions.
            (3) Functional regulator.--The term ``functional 
        regulator'' means--
                    (A) the Office of the Comptroller of the Currency 
                with respect to national banks, and Federal branches, 
                Federal agencies of foreign banks, and any subsidiaries 
                of such entities (except brokers, dealers, persons 
                providing insurance, investment companies, and 
                investment advisers);
                    (B) the Board of Governors of the Federal Reserve 
                System with respect to member banks of the Federal 
                Reserve System (other than national banks), branches 
                and agencies of foreign banks (other than Federal 
                branches, Federal agencies, and insured State branches 
                of foreign banks), commercial lending companies owned 
                or controlled by foreign banks, organizations operating 
                under section 25 or 25A of the Federal Reserve Act (12 
                U.S.C. 601 and 611), bank and financial holding 
                companies, and any nonbank subsidiaries or affiliates 
                of such entities (except brokers, dealers, persons 
                providing insurance, investment companies, and 
                investment advisers);
                    (C) the Board of Directors of the Federal Deposit 
                Insurance Corporation with respect to banks insured by 
                the Federal Deposit Insurance Corporation (other than 
                members of the Federal Reserve System), insured State 
                branches of foreign banks, and any subsidiaries of such 
                entities (except brokers, dealers, persons providing 
                insurance, investment companies, and investment 
                advisers);
                    (D) the Director of the Office of Thrift 
                Supervision with respect to savings association the 
                deposits of which are insured by the Federal Deposit 
                Insurance Corporation, savings and loan holding 
                companies, and any subsidiaries of such entities 
                (except brokers, dealers, persons providing insurance, 
                investment companies, and investment advisers);
                    (E) the National Credit Union Administration Board 
                with respect to any Federal credit union and any 
                subsidiaries of such an entity;
                    (F) the Secretary of Transportation with respect to 
                any air carrier or foreign air carrier subject to part 
                A of subtitle VII of title 49, United States Code;
                    (G) the Secretary of Agriculture with respect to 
                any activities subject to the Packers and Stockyards 
                Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in 
                section 406 of that Act (7 U.S.C. 226 and 227));
                    (H) the Farm Credit Administration with respect to 
                any Federal land bank, Federal land bank association, 
                Federal intermediate credit bank, or production credit 
                association;
                    (I) the Securities and Exchange Commission with 
                respect to any broker or dealer, investment company or 
                investment adviser;
                    (J) the applicable State insurance authority of the 
                State in which the person is domiciled with respect to 
                any person engaged in providing insurance;
                    (K) the Federal Communications Commission with 
                respect to any entity subject to the jurisdiction of 
                the Commission; and
                    (L) the Federal Trade Commission with respect to 
                any other financial institution or other person that is 
                not subject to the jurisdiction of any agency or 
                authority under subparagraphs (A) through (K).
            (4) Identity theft.--The term ``identity theft'' means a 
        fraud committed using the sensitive personal information of 
        another individual with the intent to commit, or to aid or abet 
        any unlawful activity that constitutes a violation of section 
        1028 of title 18, United States Code, and that results in 
        economic loss to that individual.
            (5) Person.--The term ``person'' has the meaning given that 
        term in section 551(2) of title 5, United States Code.
            (6) Personal information.--The term ``personal 
        information'' means personally identifiable information about a 
        specific individual.
            (7) Redacted.--The term ``redacted'' means truncated so 
        that not more than the last 4 digits of the social security 
        number, driver's license number, State identification card 
        number, or account number are accessible as part of the data.
            (8) Sensitive personal information.--
                    (A) In general.--The term ``sensitive personal 
                information'' means an individual's first name (or 
                first initial) and last name in combination with any 1 
                or more of the following data elements that relate to 
                that individual (when the data elements are not 
                encrypted, redacted, or secured by any other method 
                rendering that element unreadable or unusable):
                            (i) An individual's social security number.
                            (ii) An individual's driver's license 
                        number or equivalent State identification 
                        number.
                            (iii) An individual's financial account 
                        number, or credit or debit card number, in 
                        combination with any required security code, 
                        access code, or password that would permit 
                        access to an individual's financial account.
                    (B) Exclusions.--The term ``sensitive personal 
                information'' does not include--
                            (i) any list, description, or other 
                        grouping of individuals (and publicly available 
                        information pertaining to them) that is derived 
                        without using any sensitive personal 
                        information; or
                            (ii) any information regardless of its 
                        source that is lawfully made available to the 
                        general public in Federal, State, or local 
                        government records.

SEC. 3. DATABASE SECURITY.

    (a) In General.--Any agency or person that owns or licenses 
computerized data containing sensitive personal information shall 
develop, implement, and maintain reasonable security and notification 
procedures and practices appropriate to the size and nature of the 
agency or person and the nature of the information to ensure the 
security and confidentiality of the personal information and protect it 
against any unauthorized access, destruction, use, modification or 
disclosure.
    (b) Disclosure of Security Breach.--
            (1) Notification of individual.--
                    (A) In general.--If an agency or person that owns 
                or licenses computerized data containing sensitive 
                personal information, determines, after discovery and a 
                reasonable investigation, or notification under 
                paragraph (2), that a significant risk of identity 
                theft exists as a result of a breach of security of the 
                system of such agency or person containing such data, 
                the agency or person shall notify any individual whose 
                sensitive personal information was compromised.
                    (B) Delay of notification.--If a Federal law 
                enforcement agency of either appropriate domestic or 
                foreign jurisdiction determines that the notification 
                required under this subsection would impede a criminal 
                or civil investigation, such notification may be 
                delayed until such Federal law enforcement agency 
                determines that the notification will no longer 
                compromise such investigation.
            (2) Notification of owner or licensor.--
                    (A) In general.--Any agency or person in possession 
                of computerized data containing sensitive personal 
                information that the agency or person does not own or 
                license shall notify and cooperate with the owner or 
                licensor of the information upon the discovery of a 
                breach of security of the system of such agency or 
                person as expediently as possible and without 
                unreasonable delay.
                    (B) Agreements to notify individuals permissible.--
                            (i) In general.--Any agency or person in 
                        possession of sensitive personal information on 
                        behalf of the owner or licensor of such 
                        information may enter an agreement with the 
                        owner or licensor regarding which person or 
                        entity will provide any notice required under 
                        this subsection to an individual whose 
                        sensitive personal information was compromised.
                            (ii) Single notice.--This subsection shall 
                        not be construed to require more than a single 
                        notice to any individual for each breach of 
                        security of the system relating to that 
                        individual.
                            (iii) No agreement.--If an agency or person 
                        in possession of sensitive personal information 
                        on behalf of the owner or licensor of such 
                        information does not have an agreement 
                        described in clause (i) in effect on the date 
                        of a breach of security of the system of that 
                        agency or person, the agency or person that 
                        owns or licenses computerized data containing 
                        sensitive personal information shall provide 
                        any notice required under this subsection.
            (3) Timeliness of notification.--
                    (A) In general.--All notifications required under 
                paragraph (1) shall be made as expediently as possible 
                and without unreasonable delay following--
                            (i) the discovery and reasonable 
                        investigation by the agency or person of a 
                        breach of security of the system; and
                            (ii) measures the agency or person takes 
                        that are necessary to determine the scope of 
                        the breach, prevent further breaches, determine 
                        whether there is a reasonable basis to conclude 
                        that a significant risk of identity theft to an 
                        individual exists, restore the reasonable 
                        integrity of the data system, and comply with 
                        applicable requirements of other laws and 
                        regulations.
                    (B) Expeditious notice.--Any measures described in 
                subparagraph (A)(ii) shall be undertaken as expediently 
                as possible and without unreasonable delay. Such 
                measures shall not be undertaken for the purpose of 
                causing delay of notification.
            (4) Methods of notice.--An agency or person required to 
        give notice under paragraph (1) shall be in compliance with 
        this subsection if it provides--
                    (A) written notification to a mailing address for 
                the subject individual;
                    (B) telephonic notification to a telephone number 
                for the subject individual;
                    (C) e-mail notice to an e-mail address for the 
                subject individual; or
                    (D) conspicuous posting of the notice on the 
                Internet site of the agency or person, if the agency or 
                person maintains an Internet site, or notification to 
                major media, if--
                            (i) the agency or person demonstrates that 
                        the cost of providing direct notice under 
                        subparagraphs (A) through (C) of this 
                        subsection would exceed $250,000;
                            (ii) the affected class of subject 
                        individuals to be notified exceeds 500,000; or
                            (iii) the agency or person does not have 
                        sufficient contact information for those to be 
                        notified.
            (5) Contents of notice.--Notice under this subsection 
        shall--
                    (A) be given in a clear and conspicuous manner;
                    (B) describe the breach of security of the system 
                in general terms and the type of sensitive personal 
                information involved; and
                    (C) include a toll-free telephone number or website 
                that individuals can use for further information and 
                assistance.
            (6) Duty to coordinate with consumer reporting agencies.--
        Before any agency or person provides notice to more than 1,000 
        individuals at any time, or provides notice pursuant to 
        paragraph (4)(D), that sensitive personal information on the 
        individuals was, or may reasonably be expected to have been, 
        the subject of a breach of security of the system, the agency 
        or person shall, without unreasonable delay--
                    (A) notify any consumer reporting agency that 
                compiles and maintains files on consumers on a 
                nationwide basis (as that term is defined in section 
                603(p) of the Fair Credit Reporting Act (15 U.S.C. 
                1681a(p))) of the timing, content, and distribution of 
                the notice, including--
                            (i) the number of individuals to whom the 
                        notice will be given; or
                            (ii) the type of notice provided under 
                        paragraph (4)(D); and
                    (B) conform the notice to individuals to be 
                delivered by such agency or person to accurately 
                reflect, to the extent given in such notice--
                            (i) the method of contact reasonably 
                        specified by each consumer reporting agency 
                        that compiles and maintains files on consumers 
                        on a nationwide basis that such individuals are 
                        to use with respect to the particular notice; 
                        and
                            (ii) the responsibilities of a consumer 
                        reporting agency that compiles and maintains 
                        files on consumers on a nationwide basis under 
                        the Fair Credit Reporting Act (15 U.S.C. 1681 
                        et seq.) and any other applicable law.
            (7) Safe harbors.--
                    (A) Data security.--Notwithstanding any other 
                obligation under this section, a person that is in 
                compliance with data security requirements under the 
                laws, rules, regulations, guidance, or guidelines 
                established or enforced by the functional regulator for 
                that person shall be deemed to be in compliance with 
                subsection (a).
                    (B) Breach notification.--Notwithstanding any other 
                obligation under this section, a person that is in 
                compliance with breach notification procedures under 
                the laws, rules, regulations, guidance, or guidelines 
                established or enforced by the functional regulator for 
                that person shall be deemed to be in compliance with 
                subsection (b).
            (8) Relation to other provisions.--Nothing in this Act 
        shall be construed to modify, limit or supersede the operation 
        of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the 
        Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338), or 
        any other applicable provision of Federal law.
    (c) Civil Remedies.--
            (1) Penalties.--
                    (A) In general.--Except as provided under 
                subparagraph (B), any agency or person that fails to 
                give notice in accordance with paragraph (1) through 
                (4) of subsection (b) shall be subject to--
                            (i) a fine in an amount not to exceed 
                        $250,000 per breach of security of the system; 
                        or
                            (ii) in the case of a violation of 
                        subsection (a), such actual damages as may be 
                        proven.
                    (B) Affirmative defense.--An agency or person shall 
                have an affirmative defense to a fine under this 
                paragraph if the breach of security of the system--
                            (i) was not a result of the negligence of 
                        such agency or person; and
                            (ii) was the result of a fraud or other 
                        crime committed by a third party.
            (2) Equitable relief.--Any person that violates, proposes 
        to violate, or has violated this section may be enjoined from 
        further violations by a court of competent jurisdiction.
            (3) Other rights and remedies.--The rights and remedies 
        available under this subsection are cumulative and shall not 
        affect any other rights and remedies available under law.
    (d) Enforcement.--
            (1) In general.--The functional regulator is authorized to 
        enforce compliance with this section, including the assessment 
        of fines under subsection (c)(1).
            (2) Civil actions.--No private right of action or class 
        action shall be brought under this Act. No person other than 
        the attorney general of a State may bring a civil action under 
        the law of any State if such action is premised in whole or in 
        part upon the defendant violating any provision of this Act.

SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State has reason to believe that an interest of 
        the residents of that State has been or is threatened or 
        adversely affected by the engagement of any person in a 
        practice that is prohibited under this Act, the State, as 
        parens patriae, may bring a civil action on behalf of the 
        residents of the State in a United States district court of 
        appropriate jurisdiction to--
                    (A) enjoin that practice;
                    (B) enforce compliance with this Act; or
                    (C) obtain damage, restitution, or other 
                compensation on behalf of residents of the State under 
                the conditions and up to the monetary limits set forth 
                in section 3(c)(1).
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State shall 
                provide the Attorney General of the United States and 
                the functional regulator--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subsection, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the functional regulator and the 
                        Attorney General at the time the State attorney 
                        general files the action.
                    (C) United states attorney general priority.--After 
                having been notified, as provided in subparagraph (A), 
                the Attorney General shall have the right--
                            (i) to file a civil action, subject to 
                        monetary limits equal to those set forth in 
                        section 3(c)(1);
                            (ii) to intervene in the action; and
                            (iii) upon so intervening--
                                    (I) to be heard on all matters 
                                arising therein;
                                    (II) to remove the action to the 
                                appropriate United States district 
                                court; and
                                    (III) to file petitions for appeal.
                    (D) Preemption.--
                            (i) Action by department of justice.--If 
                        the Attorney General institutes a civil action 
                        or intervenes in an action under this 
                        subsection, the functional regulator, a State 
                        attorney general, or an official or agency of a 
                        State may not bring an action under this 
                        section for any violation of this Act alleged 
                        in the complaint.
                            (ii) Action by functional regulator.--If 
                        the functional regulator institutes a civil 
                        action or intervenes under section 3(d)(1) to 
                        enforce compliance with section 3, a State 
                        attorney general or official or agency of a 
                        State, may not bring an action under this 
                        section for any violation of this Act alleged 
                        in the complaint.
    (b) Limitations on State Actions.--
            (1) Violation of injunction required.--A State may not 
        bring an action against a person under subsection (a)(1)(C) 
        unless--
                    (A) the person has been enjoined from committing 
                the violation, in an action brought by the State under 
                subsection (a)(1)(A); and
                    (B) the person has violated the injunction.
            (2) Limitation on damages recoverable.--In an action under 
        subsection (a)(1)(C), a State may not recover any damages 
        incurred before the date of the violation of an injunction on 
        which the action is based.
    (c) Construction.--For purposes of a civil action under subsection 
(a), nothing in this Act shall be construed to prevent the attorney 
general of a State from exercising the powers conferred on such 
attorney general by the laws of that State to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (d) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.

SEC. 5. EFFECT ON STATE LAW.

    The provisions of this Act shall supersede any law, rule, or 
regulation of any State or unit of local government that relates in any 
way to electronic information security standards or the notification of 
any resident of the United States of any breach of security pertaining 
to any collection of personal information about such resident.

SEC. 6. EFFECTIVE DATE.

    This Act shall take effect on the expiration of the date which is 
180 days after the date of enactment of this Act.