II
110th CONGRESS
1st Session
S. 1202
IN THE SENATE OF THE UNITED STATES

April 24, 2007
Mr. Sessions introduced the following bill; which was read twice and referred to the Committee on the Judiciary

A BILL
To require agencies and persons in possession of computerized data containing sensitive personal information to disclose security breaches where such breach poses a significant risk of identity theft.

1. Short title

This Act may be cited as the "Personal Data Protection Act of 2007".

2. Definitions

In this Act:
  (1) Agency. The term "agency"—
    (A) has the meaning given that term in section 551(1) of title 5, United States Code; and
    (B) includes any authority of a State or political subdivision.
  (2) Breach of security of the system. The term "breach of security of the system"—
    (A) means the compromise of the security of computerized data containing sensitive personal information that establishes a reasonable basis to conclude that a significant risk of identity theft to an individual exists; and
    (B) does not include the compromise of the security of computerized data, if the agency or person concludes, after conducting a reasonable investigation, that there is not a significant risk of identity theft to an individual, including a situation in which—
      (i) sensitive personal information is acquired in good faith by an employee or agent of the agency or person and the information is not subject to further unauthorized disclosure;
      (ii) an investigation by an appropriate law enforcement agency, government agency, or official determines that there is not a significant risk of identity theft; or
      (iii) the agency or person maintains or participates in a security program reasonably designed to block unauthorized transactions before they are charged to an individual’s account and the security program does not indicate that the compromise of sensitive personal information has resulted in fraud or unauthorized transactions.
  (3) Functional regulator. The term "functional regulator" means—
    (A) the Office of the Comptroller of the Currency with respect to national banks, and Federal branches, Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers);
    (B) the Board of Governors of the Federal Reserve System with respect to member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 and 611), bank and financial holding companies, and any nonbank subsidiaries or affiliates of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers);
    (C) the Board of Directors of the Federal Deposit Insurance Corporation with respect to banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers);
    (D) the Director of the Office of Thrift Supervision with respect to savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, savings and loan holding companies, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers);
    (E) the National Credit Union Administration Board with respect to any Federal credit union and any subsidiaries of such an entity;
    (F) the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to part A of subtitle VII of title 49, United States Code;
    (G) the Secretary of Agriculture with respect to any activities subject to the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226 and 227));
    (H) the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association;
    (I) the Securities and Exchange Commission with respect to any broker or dealer, investment company or investment adviser;
    (J) the applicable State insurance authority of the State in which the person is domiciled with respect to any person engaged in providing insurance;
    (K) the Federal Communications Commission with respect to any entity subject to the jurisdiction of the Commission; and
    (L) the Federal Trade Commission with respect to any other financial institution or other person that is not subject to the jurisdiction of any agency or authority under subparagraphs (A) through (K).
  (4) Identity theft. The term "identity theft" means a fraud committed using the sensitive personal information of another individual with the intent to commit, or to aid or abet any unlawful activity that constitutes a violation of section 1028 of title 18, United States Code, and that results in economic loss to that individual.
  (5) Person. The term "person" has the meaning given that term in section 551(2) of title 5, United States Code.
  (6) Personal information. The term "personal information" means personally identifiable information about a specific individual.
  (7) Redacted. The term "redacted" means truncated so that not more than the last 4 digits of the social security number, driver’s license number, State identification card number, or account number are accessible as part of the data.
  (8) Sensitive personal information.
    (A) In general. The term "sensitive personal information" means an individual’s first name (or first initial) and last name in combination with any 1 or more of the following data elements that relate to that individual (when the data elements are not encrypted, redacted, or secured by any other method rendering that element unreadable or unusable):
      (i) An individual’s social security number.
      (ii) An individual’s driver’s license number or equivalent State identification number.
      (iii) An individual’s financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
    (B) Exclusions. The term "sensitive personal information" does not include—
      (i) any list, description, or other grouping of individuals (and publicly available information pertaining to them) that is derived without using any sensitive personal information; or
      (ii) any information regardless of its source that is lawfully made available to the general public in Federal, State, or local government records.

3. Database security

  (a) In general. Any agency or person that owns or licenses computerized data containing sensitive personal information shall develop, implement, and maintain reasonable security and notification procedures and practices appropriate to the size and nature of the agency or person and the nature of the information to ensure the security and confidentiality of the personal information and protect it against any unauthorized access, destruction, use, modification or disclosure.
  (b) Disclosure of security breach.
    (1) Notification of individual.
      (A) In general. If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a reasonable investigation, or notification under paragraph (2), that a significant risk of identity theft exists as a result of a breach of security of the system of such agency or person containing such data, the agency or person shall notify any individual whose sensitive personal information was compromised.
      (B) Delay of notification. If a Federal law enforcement agency of either appropriate domestic or foreign jurisdiction determines that the notification required under this subsection would impede a criminal or civil investigation, such notification may be delayed until such Federal law enforcement agency determines that the notification will no longer compromise such investigation.
    (2) Notification of owner or licensor.
      (A) In general. Any agency or person in possession of computerized data containing sensitive personal information that the agency or person does not own or license shall notify and cooperate with the owner or licensor of the information upon the discovery of a breach of security of the system of such agency or person as expediently as possible and without unreasonable delay.
      (B) Agreements to notify individuals permissible.
        (i) In general. Any agency or person in possession of sensitive personal information on behalf of the owner or licensor of such information may enter an agreement with the owner or licensor regarding which person or entity will provide any notice required under this subsection to an individual whose sensitive personal information was compromised.
        (ii) Single notice. This subsection shall not be construed to require more than a single notice to any individual for each breach of security of the system relating to that individual.
        (iii) No agreement. If an agency or person in possession of sensitive personal information on behalf of the owner or licensor of such information does not have an agreement described in clause (i) in effect on the date of a breach of security of the system of that agency or person, the agency or person that owns or licenses computerized data containing sensitive personal information shall provide any notice required under this subsection.
    (3) Timeliness of notification.
      (A) In general. All notifications required under paragraph (1) shall be made as expediently as possible and without unreasonable delay following—
        (i) the discovery and reasonable investigation by the agency or person of a breach of security of the system; and
        (ii) measures the agency or person takes that are necessary to determine the scope of the breach, prevent further breaches, determine whether there is a reasonable basis to conclude that a significant risk of identity theft to an individual exists, restore the reasonable integrity of the data system, and comply with applicable requirements of other laws and regulations.
      (B) Expeditious notice. Any measures described in subparagraph (A)(ii) shall be undertaken as expediently as possible and without unreasonable delay. Such measures shall not be undertaken for the purpose of causing delay of notification.
    (4) Methods of notice. An agency or person required to give notice under paragraph (1) shall be in compliance with this subsection if it provides—
      (A) written notification to a mailing address for the subject individual;
      (B) telephonic notification to a telephone number for the subject individual;
      (C) e-mail notice to an e-mail address for the subject individual; or
      (D) conspicuous posting of the notice on the Internet site of the agency or person, if the agency or person maintains an Internet site, or notification to major media, if—
        (i) the agency or person demonstrates that the cost of providing direct notice under subparagraphs (A) through (C) of this subsection would exceed $250,000;
        (ii) the affected class of subject individuals to be notified exceeds 500,000; or
        (iii) the agency or person does not have sufficient contact information for those to be notified.
    (5) Contents of notice. Notice under this subsection shall—
      (A) be given in a clear and conspicuous manner;
      (B) describe the breach of security of the system in general terms and the type of sensitive personal information involved; and
      (C) include a toll-free telephone number or website that individuals can use for further information and assistance.
    (6) Duty to coordinate with consumer reporting agencies. Before any agency or person provides notice to more than 1,000 individuals at any time, or provides notice pursuant to paragraph (4)(D), that sensitive personal information on the individuals was, or may reasonably be expected to have been, the subject of a breach of security of the system, the agency or person shall, without unreasonable delay—
      (A) notify any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis (as that term is defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p))) of the timing, content, and distribution of the notice, including—
        (i) the number of individuals to whom the notice will be given; or
        (ii) the type of notice provided under paragraph (4)(D); and
      (B) conform the notice to individuals to be delivered by such agency or person to accurately reflect, to the extent given in such notice—
        (i) the method of contact reasonably specified by each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis that such individuals are to use with respect to the particular notice; and
        (ii) the responsibilities of a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) and any other applicable law.
    (7) Safe harbors.
      (A) Data security. Notwithstanding any other obligation under this section, a person that is in compliance with data security requirements under the laws, rules, regulations, guidance, or guidelines established or enforced by the functional regulator for that person shall be deemed to be in compliance with subsection (a).
      (B) Breach notification. Notwithstanding any other obligation under this section, a person that is in compliance with breach notification procedures under the laws, rules, regulations, guidance, or guidelines established or enforced by the functional regulator for that person shall be deemed to be in compliance with subsection (b).
    (8) Relation to other provisions. Nothing in this Act shall be construed to modify, limit or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the Gramm-Leach-Bliley Act (Public Law 106–102; 113 Stat. 1338), or any other applicable provision of Federal law.
  (c) Civil remedies.
    (1) Penalties.
      (A) In general. Except as provided under subparagraph (B), any agency or person that fails to give notice in accordance with paragraphs (1) through (4) of subsection (b) shall be subject to—
        (i) a fine in an amount not to exceed $250,000 per breach of security of the system; or
        (ii) in the case of a violation of subsection (a), such actual damages as may be proven.
      (B) Affirmative defense. An agency or person shall have an affirmative defense to a fine under this paragraph if the breach of security of the system—
        (i) was not a result of the negligence of such agency or person; and
        (ii) was the result of a fraud or other crime committed by a third party.
    (2) Equitable relief. Any person that violates, proposes to violate, or has violated this section may be enjoined from further violations by a court of competent jurisdiction.
    (3) Other rights and remedies. The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.
  (d) Enforcement.
    (1) In general. The functional regulator is authorized to enforce compliance with this section, including the assessment of fines under subsection (c)(1).
    (2) Civil actions. No private right of action or class action shall be brought under this Act. No person other than the attorney general of a State may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.

4. Enforcement by State attorneys general

  (a) In general.
    (1) Civil actions. In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that is prohibited under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a United States district court of appropriate jurisdiction to—
      (A) enjoin that practice;
      (B) enforce compliance with this Act; or
      (C) obtain damages, restitution, or other compensation on behalf of residents of the State under the conditions and up to the monetary limits set forth in section 3(c)(1).
    (2) Notice.
      (A) In general. Before filing an action under paragraph (1), the attorney general of the State shall provide the Attorney General of the United States and the functional regulator—
        (i) written notice of the action; and
        (ii) a copy of the complaint for the action.
      (B) Exemption.
        (i) In general. Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.
        (ii) Notification. In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the functional regulator and the Attorney General at the time the State attorney general files the action.
      (C) United States Attorney General priority. After having been notified, as provided in subparagraph (A), the Attorney General shall have the right—
        (i) to file a civil action, subject to monetary limits equal to those set forth in section 3(c)(1);
        (ii) to intervene in the action; and
        (iii) upon so intervening—
          (I) to be heard on all matters arising therein;
          (II) to remove the action to the appropriate United States district court; and
          (III) to file petitions for appeal.
      (D) Preemption.
        (i) Action by Department of Justice. If the Attorney General institutes a civil action or intervenes in an action under this subsection, the functional regulator, a State attorney general, or an official or agency of a State may not bring an action under this section for any violation of this Act alleged in the complaint.
        (ii) Action by functional regulator. If the functional regulator institutes a civil action or intervenes under section 3(d)(1) to enforce compliance with section 3, a State attorney general or official or agency of a State may not bring an action under this section for any violation of this Act alleged in the complaint.
  (b) Limitations on State actions.
    (1) Violation of injunction required. A State may not bring an action against a person under subsection (a)(1)(C) unless—
      (A) the person has been enjoined from committing the violation, in an action brought by the State under subsection (a)(1)(A); and
      (B) the person has violated the injunction.
    (2) Limitation on damages recoverable. In an action under subsection (a)(1)(C), a State may not recover any damages incurred before the date of the violation of an injunction on which the action is based.
  (c) Construction. For purposes of a civil action under subsection (a), nothing in this Act shall be construed to prevent the attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to—
    (1) conduct investigations;
    (2) administer oaths or affirmations; or
    (3) compel the attendance of witnesses or the production of documentary and other evidence.
  (d) Venue; service of process.
    (1) Venue. Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
    (2) Service of process. In an action brought under subsection (a), process may be served in any district in which the defendant—
      (A) is an inhabitant; or
      (B) may be found.

5. Effect on State law

The provisions of this Act shall supersede any law, rule, or regulation of any State or unit of local government that relates in any way to electronic information security standards or the notification of any resident of the United States of any breach of security pertaining to any collection of personal information about such resident.

6. Effective date

This Act shall take effect on the expiration of the date which is 180 days after the date of enactment of this Act.