[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[S. 1208 Introduced in Senate (IS)]

  1st Session
                                S. 1208

   To provide additional security and privacy protection for social 
                       security account numbers.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 25, 2007

  Mr. Dorgan introduced the following bill; which was read twice and 
                  referred to the Committee on Finance

_______________________________________________________________________

                                 A BILL


 
   To provide additional security and privacy protection for social 
                       security account numbers.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Social Security Account Number 
Protection Act''.

SEC. 2. SOCIAL SECURITY NUMBER PROTECTION.

    (a) Prohibition of Unnecessary Solicitation of Social Security 
Numbers.--
            (1) In General.--Unless there is a specific use of a social 
        security account number for which no other identifier 
        reasonably can be used, a covered entity may not solicit a 
        social security account number from an individual except for 
        the following purposes:
                    (A) For use in an identification, verification, 
                accuracy, or identity proofing process.
                    (B) For any purpose permitted under the Fair Credit 
                Reporting Act (15 U.S.C. 1681 et seq.) or the Gramm-
                Leach-Bliley Act (15 U.S.C. 6802(e)).
                    (C) To comply with the requirement of Federal, 
                State, or local law.
            (2) Exceptions.--Paragraph (1) does not apply to the 
        solicitation of a social security account number--
                    (A) for the purpose of obtaining a consumer report 
                for any purpose permitted under the Fair Credit 
                Reporting Act (15 U.S.C. 1681 et seq.),
                    (B) by a consumer reporting agency for the purpose 
                of authenticating or obtaining appropriate proof of a 
                consumer's identity, as required under that Act;
                    (C) for any purpose permitted under section 502(e) 
                of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(e)); or
                    (D) to the extent necessary for verifying the 
                accuracy of information submitted by an individual to a 
                covered entity, its agents, contractors, or employees 
                or for the purpose of authenticating or obtaining 
                appropriate proof of an individual's identity;
                    (E) to identity or locate missing or abducted 
                children, witnesses, criminals, fugitives, parties to 
                lawsuits, parents delinquent in child support payments, 
                organ and bone marrow donors, pension fund 
                beneficiaries, and missing heirs;
                    (F) to the extent necessary to prevent, detect, or 
                investigate fraud, unauthorized transactions, or other 
                financial liability or to facilitate the enforcement of 
                an obligation of, or collection of a debt from, a 
                consumer, provided that the person selling, providing, 
                displaying, or obtaining the social security account 
                number does not do so for marketing purposes.
    (b) Prohibition of the Display of Social Security Numbers on 
Employee Identification Cards, etc.--
            (1) D23/In general.--A covered entity may not display an 
        individual's security account number (or any derivative of such 
        number) on any card or tag that is commonly provided to 
        employees (or to their family members), faculty, staff, or 
        students for purposes of identification.
            (2) Driver's licenses.--A State may not display the social 
        security account number of an individual on driver's licenses 
        issued by that State.
    (c) Prohibition of Prisoner Access to Social Security Numbers.--
            (1) In general.--Section 205(c)(2)(C) of the Social 
        Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at 
        the end the following:
                            ``(x) No executive, legislative, or 
                        judicial agency or instrumentality of the 
                        Federal Government or of a State or political 
                        subdivision thereof (or person acting as an 
                        agent of such an agency or instrumentality) may 
                        employ, or enter into a contract for the use or 
                        employment of, prisoners in any capacity that 
                        would allow such prisoners access to the social 
                        security account numbers of other individuals. 
                        For purposes of this clause, the term 
                        `prisoner' means an individual who is confined 
                        in a jail, prison, or other penal institution 
                        or correctional facility, serving community 
                        service as a term of probation or parole, or 
                        serving a sentence through a work-furlough 
                        program.''.
            (2) Treatment of current arrangements.--In the case of--
                    (A) prisoners employed as described in clause (x) 
                of section 205(c)(2)(C) of the Social Security Act (42 
                U.S.C. 405(c)(2)(C)), as added by paragraph (1), on the 
                date of enactment of this Act; and
                    (B) contracts described in such clause in effect on 
                such date,
        the amendment made by paragraph (1) shall take effect 90 days 
        after the date of enactment of this Act.
    (d) Prohibition of Sale and Display of Social Security Numbers to 
the General Public.--
            (1) In general.--Except as provided in paragraph (2), it 
        shall be unlawful for any person--
                    (A) to sell, purchase, or provide a social security 
                account number, to the general public or display to the 
                general public social security account numbers; or
                    (B) to obtain or use any individual's social 
                security account number for the purpose of locating or 
                identifying such individual with the intent to 
                physically injure or harm such individual or using the 
                identity of such individual for any illegal purpose.
            (2) Exceptions.--Notwithstanding paragraph (1), and subject 
        to paragraph (4), a social security account number may be sold, 
        provided, displayed, or obtained by any person--
                    (A) to the extent necessary for law enforcement or 
                national security purposes;
                    (B) to the extent necessary for public health 
                purposes;
                    (C) to the extent necessary in emergency situations 
                to protect the health or safety of 1 or more 
                individuals;
                    (D) to the extent that the sale or display is 
                required, authorized, or permitted under any law of the 
                United States or of any State (or political subdivision 
                thereof);
                    (E) for any purposes allowed under the Fair Credit 
                Reporting Act (15 U.S.C. 1681 et seq.) or the Gramm-
                Leach-Bliley Act (15 U.S.C. 6802(e));
                    (F) to the extent necessary for verifying the 
                accuracy of information submitted by an individual to a 
                covered entity, its agents, contractors, or employees 
                or for the purpose of authenticating or obtaining 
                appropriate proof of the individual's identity;
                    (G) to the extent necessary to identify or locate 
                missing or abducted children, witnesses to an ongoing 
                or potential civil or criminal lawsuit, criminals, 
                criminal suspects, parties to lawsuits, parents 
                delinquent in child support payments, organ and bone 
                marrow donors, pension fund beneficiaries, missing 
                heirs, and for similar legal, medical, or family 
                related purposes, if the person selling, providing, 
                displaying, or obtaining the social security account 
                number does not do so for marketing purposes;
                    (H) to the extent necessary to prevent, detect, or 
                investigate fraud, unauthorized transactions, or other 
                financial liability or to facilitate the enforcement of 
                an obligation of, or collection of a debt from, a 
                consumer, if the person selling, providing, displaying, 
                or obtaining the social security account number does 
                not do so for marketing purposes;
                    (I) to the extent the transmission of the number is 
                incidental to, and in the course of, the sale, lease, 
                franchising, or merger of all, or a portion of, a 
                business; or
                    (J) to the extent necessary for research (other 
                than market research) conducted by an agency or 
                instrumentality of the United States or of a State or 
                political subdivision thereof (or an agent of such an 
                agency or instrumentality) for the purpose of advancing 
                the public good, on the condition that the researcher 
                provides adequate assurances that--
                            (i) the social security account numbers 
                        will not be used to harass, target, or publicly 
                        reveal information concerning any identifiable 
                        individuals;
                            (ii) information about identifiable 
                        individuals obtained from the research will not 
                        be used to make decisions that directly affect 
                        the rights, benefits, or privileges of specific 
                        individuals; and
                            (iii) the researcher has in place 
                        appropriate safeguards to protect the privacy 
                        and confidentiality of any information about 
                        identifiable individuals, including procedures 
                        to ensure that the social security account 
                        numbers will be encrypted or otherwise 
                        appropriately secured from unauthorized 
                        disclosure; or
                    (K) to the extent that the transmission of the 
                social security account number is incidental to the 
                sale or provision of a document lawfully obtained 
                from--
                            (i) the Federal Government or a State or 
                        local government, that the document has been 
                        made available to the general public; or
                            (ii) the document has been made available 
                        to the general public via widely distributed 
                        media.
            (3) Limitation.--Paragraph (2)(K) does not apply to 
        information obtained from publicly available sources or from 
        Federal, State, or local government records if that information 
        is combined with information obtained from non-public sources.
            (4) Consensual sale.--Notwithstanding paragraph (1), a 
        social security account number assigned to an individual may be 
        sold, provided, or displayed to the general public by any 
        person to the extent consistent with such individual's 
        voluntary and affirmative written consent to the sale, 
        provision, or display of the social security account number 
        only if--
                    (A) the terms of the consent and the right to 
                refuse consent are presented to the individual in a 
                clear, conspicuous, and understandable manner;
                    (B) the individual is placed under no obligation to 
                provide consent to any such sale or display; and
                    (C) the terms of the consent authorize the 
                individual to limit the sale, provision, or display to 
                purposes directly associated with the transaction with 
                respect to which the consent is sought.

SEC. 3. ENFORCEMENT.

    (a) Enforcement by Commission.--Except as provided in subsection 
(c), this Act shall be enforced by the Commission.
    (b) Violation is Unfair or Deceptive Act or Practice.--The 
violation of any provision of this Act shall be treated as an unfair or 
deceptive act or practice proscribed under a rule issued under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).
    (c) Enforcement by Certain Other Agencies.--Compliance with this 
Act shall be enforced exclusively under--
            (1) section 8 of the Federal Deposit Insurance Act (12 
        U.S.C. 1818), in the case of--
                    (A) national banks, and Federal branches and 
                Federal agencies of foreign banks by the Office of the 
                Comptroller of the Currency;
                    (B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, organizations operating under section 25 
                or 25A of the Federal Reserve Act (12 U.S.C. 601 and 
                611) by the Board of Governors of the Federal Reserve 
                System;
                    (C) banks insured by the Federal Deposit Insurance 
                Corporation (other than members of the Federal Reserve 
                System), insured State branches of foreign banks by the 
                Board of Directors of the Federal Deposit Insurance 
                Corporation; and
                    (D) savings associations the deposits of which are 
                insured by the Federal Deposit Insurance Corporation by 
                the Director of the Office of Thrift Supervision;
            (2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
        by the Board of the National Credit Union Administration Board 
        with respect to any Federal credit union;
            (3) the Securities and Exchange Act of 1934 (15 U.S.C. 78a 
        et seq.) by the Securities and Exchange Commission with respect 
        to--
                    (A) a broker or dealer subject to that Act;
                    (B) an investment company subject to the Investment 
                Company Act of 1940 (15 U.S.C. 80a-1 et seq.); and
                    (C) an investment advisor subject to the Investment 
                Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.); and
            (4) State insurance law, in the case of any person engaged 
        in providing insurance, by the applicable State insurance 
        authority of the State in which the person is domiciled.
    (d) Exercise of Certain Powers.--For the purpose of the exercise by 
any agency referred to in subsection (c) of its powers under any Act 
referred to in that subsection, a violation of this Act is deemed to be 
a violation of a requirement imposed under that Act. In addition to its 
powers under any provision of law specifically referred to in 
subsection (c), each of the agencies referred to in that subsection may 
exercise, for the purpose of enforcing compliance with any requirement 
imposed under this Act, any other authority conferred on it by law.
    (e) Other Authority Not Affected.--Nothing in this Act shall be 
construed to limit or affect in any way the Commission's authority to 
bring enforcement actions or take any other measure under the Federal 
Trade Commission Act (15 U.S.C. 41 et seq.) or any other provision of 
law.
    (f) Compliance With Gramm-Leach-Bliley Act.--
            (1) Notice.--Any covered entity that is subject to the 
        Gramm-Leach-Bliley Act (15 U.S.C. 6801 et. seq.), and gives 
        notice in compliance with the notification requirements 
        established for such covered entities under title V of that Act 
        is deemed to be in compliance with section 3 of this Act.
            (2) Safeguards.--Any covered entity that is subject to the 
        Gramm-Leach-Bliley Act (15 U.S.C. 6801 et. seq.), and fulfills 
        the information protection requirements established for such 
        entities under title V of the Act and under section 607(a) of 
        the Fair Credit Reporting Act (15 U.S.C. 1681e(a)) to protect 
        sensitive personal information shall be deemed to be in 
        compliance with section 2 of this Act.

SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--Except as provided in section 3(c), a State, as 
parens patriae, may bring a civil action on behalf of its residents in 
an appropriate state or district court of the United States to enforce 
the provisions of this Act, to obtain damages, restitution, or other 
compensation on behalf of such residents, or to obtain such further and 
other relief as the court may deem appropriate, whenever the attorney 
general of the State has reason to believe that the interests of the 
residents of the State have been or are being threatened or adversely 
affected by a covered entity that violates this Act or a regulation 
under this Act.
    (b) Notice.--The State shall serve written notice to the Commission 
(or other appropriate Federal regulator under section 3) of any civil 
action under subsection (a) at least 60 days prior to initiating such 
civil action. The notice shall include a copy of the complaint to be 
filed to initiate such civil action, except that if it is not feasible 
for the State to provide such prior notice, the State shall provide 
such notice immediately upon instituting such civil action.
    (c) Authority To Intervene.--Upon receiving the notice required by 
subsection (b), the Commission (or other appropriate Federal regulator 
under section 8) may intervene in such civil action and upon 
intervening--
            (1) be heard on all matters arising in such civil action; 
        and
            (2) file petitions for appeal of a decision in such civil 
        action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this section shall prevent the attorney 
general of a State from exercising the powers conferred on the attorney 
general by the laws of such State to conduct investigations or to 
administer oaths or affirmations or to compel the attendance of 
witnesses or the production of documentary and other evidence.
    (e) Venue; Service of Process.--I