
	
II
Calendar No. 168
110th CONGRESS
1st Session
S. 495
[Report No. 110–70]
IN THE SENATE OF THE UNITED STATES

February 6, 2007
Mr. Leahy (for himself, Mr. Specter, Mr. Feingold, Mr. Schumer, Mr. Sanders, Mr. Brown, and Mr. Cardin) introduced the following bill; which was read twice and referred to the Committee on the Judiciary

May 23, 2007
Reported by Mr. Leahy, with amendments
Omit the part struck through and insert the part printed in italic

A BILL
To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
	
1. Short title; table of contents
(a) Short title. This Act may be cited as the Personal Data Privacy and Security Act of 2007.
(b) Table of contents. The table of contents of this Act is as follows:
				
Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
TITLE I—Enhancing punishment for identity theft and other violations of data privacy and security
Sec. 101. Organized criminal activity in connection with unauthorized access to personally identifiable information.
Sec. 102. Concealment of security breaches involving sensitive personally identifiable information.
Sec. 103. Review and amendment of Federal sentencing guidelines related to fraudulent access to or misuse of digitized or electronic personally identifiable information.
Sec. 104. Effects of identity theft on bankruptcy proceedings.
TITLE II—Data brokers
Sec. 201. Transparency and accuracy of data collection.
Sec. 202. Enforcement.
Sec. 203. Relation to state laws.
Sec. 204. Effective date.
TITLE III—Privacy and security of personally identifiable information
Subtitle A—A data privacy and security program
Sec. 301. Purpose and applicability of data privacy and security program.
Sec. 302. Requirements for a personal data privacy and security program.
Sec. 303. Enforcement.
Sec. 304. Relation to other laws.
Subtitle B—Security breach notification
Sec. 311. Notice to individuals.
Sec. 312. Exemptions.
Sec. 313. Methods of notice.
Sec. 314. Content of notification.
Sec. 315. Coordination of notification with credit reporting agencies.
Sec. 316. Notice to law enforcement.
Sec. 317. Enforcement.
Sec. 318. Enforcement by State attorneys general.
Sec. 319. Effect on Federal and State law.
Sec. 320. Authorization of appropriations.
Sec. 321. Reporting on risk assessment exemptions.
Sec. 322. Effective date.
Subtitle C—Office of Federal Identity Protection
Sec. 331. Office of Federal Identity Protection.
TITLE IV—Government access to and use of commercial data
Sec. 401. General services administration review of contracts.
Sec. 402. Requirement to audit information security practices of contractors and third party business entities.
Sec. 403. Privacy impact assessment of government use of commercial information services containing personally identifiable information.
Sec. 404. Implementation of chief privacy officer requirements.
				
2. Findings
Congress finds that—
(1) databases of personally identifiable information are increasingly prime targets of hackers, identity thieves, rogue employees, and other criminals, including organized and sophisticated criminal operations;
(2) identity theft is a serious threat to the nation’s economic stability, homeland security, the development of e-commerce, and the privacy rights of Americans;
(3) over 9,300,000 individuals were victims of identity theft in America last year;
(4) security breaches are a serious threat to consumer confidence, homeland security, e-commerce, and economic stability;
(5) it is important for business entities that own, use, or license personally identifiable information to adopt reasonable procedures to ensure the security, privacy, and confidentiality of that personally identifiable information;
(6) individuals whose personal information has been compromised or who have been victims of identity theft should receive the necessary information and assistance to mitigate their damages and to restore the integrity of their personal information and identities;
(7) data brokers have assumed a significant role in providing identification, authentication, and screening services, and related data collection and analyses for commercial, nonprofit, and government operations;
(8) data misuse and use of inaccurate data have the potential to cause serious or irreparable harm to an individual’s livelihood, privacy, and liberty and undermine efficient and effective business and government operations;
(9) there is a need to ensure that data brokers conduct their operations in a manner that prioritizes fairness, transparency, accuracy, and respect for the privacy of consumers;
(10) government access to commercial data can potentially improve safety, law enforcement, and national security; and
(11) because government use of commercial data containing personal information potentially affects individual privacy, and law enforcement and national security operations, there is a need for Congress to exercise oversight over government use of commercial data.
3. Definitions
In this Act:
(1) Agency. The term agency has the same meaning given such term in section 551 of title 5, United States Code.
(2) Affiliate. The term affiliate means persons related by common ownership or by corporate control.
(3) Business entity. The term business entity means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture established to make a profit, or nonprofit, and any contractor, subcontractor, affiliate, or licensee thereof engaged in interstate commerce.
(4) Identity theft. The term identity theft means a violation of section 1028 of title 18, United States Code.
(5) Data broker. The term data broker means a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.
(6) Data furnisher. The term data furnisher means any agency, organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or nonprofit that serves as a source of information for a data broker.
(7) Encryption. The term encryption—
(A) means the protection of data in electronic form, in storage or in transit, using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
(B) includes appropriate management and safeguards of such cryptographic keys so as to protect the integrity of the encryption.
(8) Personal electronic record
(A) In general. The term personal electronic record means data associated with an individual contained in a database, networked or integrated databases, or other data system that is provided to non-affiliated third parties and includes sensitive personally identifiable information about that individual.
(B) Exclusions. The term personal electronic record does not include—
(i) any data related to an individual’s past purchases of consumer goods; or
(ii) any proprietary assessment or evaluation of an individual or any proprietary assessment or evaluation of information about an individual.
(9) Personally identifiable information. The term personally identifiable information means any information, or compilation of information, in electronic or digital form serving as a means of identification, as defined by section 1028(d)(7) of title 18, United States Code.
(10) Public record source. The term public record source means the Congress, any agency, any State or local government agency, the government of the District of Columbia and governments of the territories or possessions of the United States, and Federal, State or local courts, courts martial and military commissions, that maintain personally identifiable information in records available to the public.
(11) Security breach
(A) In general. The term security breach means compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, acquisition of or access to sensitive personally identifiable information that is unauthorized or in excess of authorization.
(B) Exclusion. The term security breach does not include—
(i) a good faith acquisition of sensitive personally identifiable information by a business entity or agency, or an employee or agent of a business entity or agency, if the sensitive personally identifiable information is not subject to further unauthorized disclosure; or
(ii) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements.
(12) Sensitive personally identifiable information. The term sensitive personally identifiable information means any information or compilation of information, in electronic or digital form that includes—
(A) an individual's first and last name or first initial and last name in combination with any 1 of the following data elements:
(i) A non-truncated social security number, driver's license number, passport number, or alien registration number.
(ii) Any 2 of the following:
(I) Home address or telephone number.
(II) Mother's maiden name, if identified as such.
(III) Month, day, and year of birth.
(iii) Unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation.
(iv) A unique account identifier, electronic identification number, user name, or routing code in combination with any associated security code, access code, or password that is required for an individual to obtain money, goods, services, or any other thing of value; or
(B) a financial account number or credit or debit card number in combination with any security code, access code or password that is required for an individual to obtain credit, withdraw funds, or engage in a financial transaction.
TITLE I—Enhancing punishment for identity theft and other violations of data privacy and security
101. Organized criminal activity in connection with unauthorized access to personally identifiable information
Section 1961(1) of title 18, United States Code, is amended by inserting section 1030(a)(2)(D) (relating to fraud and related activity in connection with unauthorized access to sensitive personally identifiable information as defined in the Personal Data Privacy and Security Act of 2007, before section 1084.
102. Concealment of security breaches involving sensitive personally identifiable information
(a) In general. Chapter 47 of title 18, United States Code, is amended by adding at the end the following:
1040. Concealment of security breaches involving sensitive personally identifiable information
(a) Whoever, having knowledge of a security breach and of the obligation to provide notice of such breach to individuals under title III of the Personal Data Privacy and Security Act of 2007, and having not otherwise qualified for an exemption from providing notice under section 312 of such Act, intentionally and willfully conceals the fact of such security breach and which breach causes economic damage to 1 or more persons, shall be fined under this title or imprisoned not more than 5 years, or both.
(b) For purposes of subsection (a), the term person has the same meaning as in section 1030(e)(12) of title 18, United States Code.
(c) Any person seeking an exemption under section 312(b) of the Personal Data Privacy and Security Act of 2007 shall be immune from prosecution under this section if the United States Secret Service does not indicate, in writing, that such notice be given under section 312(b)(3) of such Act.
(b) Conforming and technical amendments. The table of sections for chapter 47 of title 18, United States Code, is amended by adding at the end the following:
1040. Concealment of security breaches involving personally identifiable information.
(c) Enforcement authority
(1) In general. The United States Secret Service shall have the authority to investigate offenses under this section.
(2) Non-exclusivity. The authority granted in paragraph (1) shall not be exclusive of any existing authority held by any other Federal agency.
103. Review and amendment of Federal sentencing guidelines related to fraudulent access to or misuse of digitized or electronic personally identifiable information
(a) Review and amendment. The United States Sentencing Commission, pursuant to its authority under section 994 of title 28, United States Code, and in accordance with this section, shall review and, if appropriate, amend the Federal sentencing guidelines (including its policy statements) applicable to persons convicted of using fraud to access, or misuse of, digitized or electronic personally identifiable information, including identity theft or any offense under—
(1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of title 18, United States Code; and
(2) any other relevant provision.
(b) Requirements. In carrying out the requirements of this section, the United States Sentencing Commission shall—
(1) ensure that the Federal sentencing guidelines (including its policy statements) reflect—
(A) the serious nature of the offenses and penalties referred to in this Act;
(B) the growing incidences of theft and misuse of digitized or electronic personally identifiable information, including identity theft; and
(C) the need to deter, prevent, and punish such offenses;
(2) consider the extent to which the Federal sentencing guidelines (including its policy statements) adequately address violations of the sections amended by this Act to—
(A) sufficiently deter and punish such offenses; and
(B) adequately reflect the enhanced penalties established under this Act;
(3) maintain reasonable consistency with other relevant directives and sentencing guidelines;
(4) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;
(5) consider whether to provide a sentencing enhancement for those convicted of the offenses described in subsection (a), if the conduct involves—
(A) the online sale of fraudulently obtained or stolen personally identifiable information;
(B) the sale of fraudulently obtained or stolen personally identifiable information to an individual who is engaged in terrorist activity or aiding other individuals engaged in terrorist activity; or
(C) the sale of fraudulently obtained or stolen personally identifiable information to finance terrorist activity or other criminal activities;
(6) make any necessary conforming changes to the Federal sentencing guidelines to ensure that such guidelines (including its policy statements) as described in subsection (a) are sufficiently stringent to deter, and adequately reflect crimes related to fraudulent access to, or misuse of, personally identifiable information; and
(7) ensure that the Federal sentencing guidelines adequately meet the purposes of sentencing under section 3553(a)(2) of title 18, United States Code.
(c) Emergency authority to sentencing commission. The United States Sentencing Commission may, as soon as practicable, promulgate amendments under this section in accordance with procedures established in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 994 note) as though the authority under that Act had not expired.
104. Effects of identity theft on bankruptcy proceedings
(a) Definitions. Section 101 of title 11, United States Code, is amended—
(1) by redesignating paragraph (27B) as paragraph (27D); and
(2) by inserting after paragraph (27A) the following:
(27B) identity theft means a fraud committed or attempted using the personally identifiable information of another person;
(27C) identity theft victim means a debtor who, as a result of an identity theft in any consecutive 12-month period during the 3-year period before the date on which a petition is filed under this title, had claims asserted against such debtor in excess of the least of—
(A) $20,000;
(B) 50 percent of all claims asserted against such debtor; or
(C) 25 percent of the debtor's gross income for such 12-month period.
(b) Prohibition. Section 707(b) of title 11, United States Code, is amended by adding at the end the following:
(8) No judge, United States trustee (or bankruptcy administrator, if any), trustee, or other party in interest may file a motion under paragraph (2) if the debtor is an identity theft victim.
TITLE II—Data brokers
201. Transparency and accuracy of data collection
(a) In general. Data brokers engaging in interstate commerce are subject to the requirements of this title for any product or service offered to third parties that allows access or use of sensitive personally identifiable information.
(b) Limitation. Notwithstanding any other provision of this title, this section shall not apply to—
(1) any product or service offered by a data broker engaging in interstate commerce where such product or service is currently subject to, and in compliance with, access and accuracy protections similar to those under subsections (c) through (f) of this section under the Fair Credit Reporting Act (Public Law 91–508);
(2) any data broker that is subject to regulation under the Gramm-Leach-Bliley Act (Public Law 106–102);
(3) any data broker currently subject to and in compliance with the data security requirements for such entities under the Health Insurance Portability and Accountability Act (Public Law 104–191), and its implementing regulations;
(4) information in a personal electronic record that—
(A) the data broker has identified as inaccurate, but maintains for the purpose of aiding the data broker in preventing inaccurate information from entering an individual's personal electronic record; and
(B) is not maintained primarily for the purpose of transmitting or otherwise providing that information, or assessments based on that information, to non-affiliated third parties; and
(5) information concerning proprietary methodologies, techniques, scores, or algorithms relating to fraud prevention not normally provided to third parties in the ordinary course of business.
(c) Disclosures to individuals
(1) In general. A data broker shall, upon the request of an individual, disclose to such individual for a reasonable fee all personal electronic records pertaining to that individual maintained specifically for disclosure to third parties that request information on that individual in the ordinary course of business in the databases or systems of the data broker at the time of such request.
(2) Information on how to correct inaccuracies. The disclosures required under paragraph (1) shall also include guidance to individuals on procedures for correcting inaccuracies.
(d) Disclosure to individuals of adverse actions taken by third parties
(1) In general. In addition to any other rights established under this Act, if a person takes any adverse action with respect to any individual that is based, in whole or in part, on any information contained in a personal electronic record that is maintained, updated, or otherwise owned or possessed by a data broker, such person, at no cost to the affected individual, shall provide—
(A) written or electronic notice of the adverse action to the individual;
(B) to the individual, in writing or electronically, the name, address, and telephone number of the data broker that furnished the information to the person;
(C) a copy of the information such person obtained from the data broker; and
(D) information to the individual on the procedures for correcting any inaccuracies in such information.
(2) Accepted methods of notice. A person shall be in compliance with the notice requirements under paragraph (1) if such person provides written or electronic notice in the same manner and using the same methods as are required under section 313(1) of this Act.
(e) Accuracy resolution process
(1) Information from a public record or licensor
(A) In general. If an individual notifies a data broker of a dispute as to the completeness or accuracy of information disclosed to such individual under subsection (c) that is obtained from a public record source or a license agreement, such data broker shall determine within 30 days whether the information in its system accurately and completely records the information available from the licensor or public record source.
(B) Data broker actions. If a data broker determines under subparagraph (A) that the information in its systems does not accurately and completely record the information available from a public record source or licensor, the data broker shall—
(i) correct any inaccuracies or incompleteness, and provide to such individual written notice of such changes; and
(ii) provide such individual with the contact information of the public record or licensor.
(2) Information not from a public record source or licensor. If an individual notifies a data broker of a dispute as to the completeness or accuracy of information not from a public record or licensor that was disclosed to the individual under subsection (c), the data broker shall, within 30 days of receiving notice of such dispute—
(A) review and consider free of charge any information submitted by such individual that is relevant to the completeness or accuracy of the disputed information; and
(B) correct any information found to be incomplete or inaccurate and provide notice to such individual of whether and what information was corrected, if any.
(3) Extension of review period. The 30-day period described in paragraph (1) may be extended for not more than 30 additional days if a data broker receives information from the individual during the initial 30-day period that is relevant to the completeness or accuracy of any disputed information.
(4) Notice identifying the data furnisher. If the completeness or accuracy of any information not from a public record source or licensor that was disclosed to an individual under subsection (c) is disputed by such individual, the data broker shall provide, upon the request of such individual, the contact information of any data furnisher that provided the disputed information.
(5) Determination that dispute is frivolous or irrelevant
(A) In general. Notwithstanding paragraphs (1) through (3), a data broker may decline to investigate or terminate a review of information disputed by an individual under those paragraphs if the data broker reasonably determines that the dispute by the individual is frivolous or intended to perpetrate fraud.
(B) Notice. A data broker shall notify an individual of a determination under subparagraph (A) within a reasonable time by any means available to such data broker.
202. Enforcement
(a) Civil penalties
(1) Penalties. Any data broker that violates the provisions of section 201 shall be subject to civil penalties of not more than $1,000 per violation per day while such violations persist, up to a maximum of $250,000 per violation.
(2) Intentional or willful violation. A data broker that intentionally or willfully violates the provisions of section 201 shall be subject to additional penalties in the amount of $1,000 per violation per day, to a maximum of an additional $250,000 per violation, while such violations persist.
(3) Equitable relief. A data broker engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.
(4) Other rights and remedies. The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.
(b) Federal trade commission authority. Any data broker shall have the provisions of this title enforced against it by the Federal Trade Commission.
(c) State enforcement
(1) Civil actions. In any case in which the attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the acts or practices of a data broker that violate this title, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to—
(A) enjoin that act or practice;
(B) enforce compliance with this title; or
(C) obtain civil penalties of not more than $1,000 per violation per day while such violations persist, up to a maximum of $250,000 per violation.
(2) Notice
(A) In general. Before filing an action under this subsection, the attorney general of the State involved shall provide to the Federal Trade Commission—
(i) a written notice of that action; and
(ii) a copy of the complaint for that action.
(B) Exception. Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in subparagraph (A) before the filing of the action.
(C) Notification when practicable. In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Federal Trade Commission as soon after the filing of the complaint as practicable.
(3) Federal trade commission authority. Upon receiving notice under paragraph (2), the Federal Trade Commission shall have the right to—
(A) move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);
(B) intervene in an action brought under paragraph (1); and
(C) file petitions for appeal.
(4) Pending proceedings. If the Federal Trade Commission has instituted a proceeding or civil action for a violation of this title, no attorney general of a State may, during the pendency of such proceeding or civil action, bring an action under this subsection against any defendant named in such civil action for any violation that is alleged in that civil action.
(5) Rule of construction. For purposes of bringing any civil action under paragraph (1), nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—
(A) conduct investigations;
(B) administer oaths and affirmations; or
(C) compel the attendance of witnesses or the production of documentary and other evidence.
(6) Venue; service of process
(A) Venue. Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.
(B) Service of process. In an action brought under this subsection process may be served in any district in which the defendant—
(i) is an inhabitant; or
(ii) may be found.
(d) No private cause of action. Nothing in this title establishes a private cause of action against a data broker for violation of any provision of this title.
203. Relation to state laws
No requirement or prohibition may be imposed under the laws of any State with respect to any subject matter regulated under section 201, relating to individual access to, and correction of, personal electronic records held by data brokers.
204. Effective date
This title shall take effect 180 days after the date of enactment of this Act.
			IIIPrivacy and
			 security of personally identifiable information 
			AA
			 data privacy and security program
				301.Purpose and
			 applicability of data privacy and security program
					(a)PurposeThe
			 purpose of this subtitle is to ensure standards for developing and implementing
			 administrative, technical, and physical safeguards to protect the security of
			 sensitive personally identifiable information.
					(b)In
			 generalA business entity engaging in interstate commerce that
			 involves collecting, accessing, transmitting, using, storing, or disposing of
			 sensitive personally identifiable information in electronic or digital form on
			 10,000 or more United States persons is subject to the requirements for a data
			 privacy and security program under section 302 for protecting sensitive
			 personally identifiable information.
					(c)LimitationsNotwithstanding
			 any other obligation under this subtitle, this subtitle does not apply
			 to:
						(1)Financial
			 institutionsFinancial institutions—
							(A)subject to the
			 data security requirements and implementing regulations under the
			 Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); and
							(B)subject
			 to—
								(i)examinations for
			 compliance with the requirements of this Act by a Federal Functional Regulator
			 or State Insurance Authority (as those terms are defined in section 509 of the
			 Gramm-Leach-Bliley Act (15 U.S.C. 6809)); or
								(ii)compliance with
			 part 314 of title 16, Code of Federal Regulations.
							(2)HIPAA regulated
			 entities
							(A)Covered
			 entitiesCovered entities subject to the Health Insurance
			 Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), including
			 the data security requirements and implementing regulations of that Act.
							(B)Business
			 entitiesA business entity shall be deemed in compliance with the
			 privacy and security program requirements under section 302 if the business
			 entity is acting as a business associate as that term is defined
			 in the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C.
			 1301 et seq.) and is in compliance with requirements imposed under that Act and
			 its implementing regulations.
							(3)Public
			 recordsPublic records not otherwise subject to a confidentiality
			 or nondisclosure requirement, or information obtained from a news report or
			 periodical.
						(d)Safe
			 harbors
						(1)In
			 generalA business entity shall be deemed in compliance with the
			 privacy and security program requirements under section 302 if the business
			 entity complies with or provides protection equal to industry standards, as
			 identified by the Federal Trade Commission, that are applicable to the type of
			 sensitive personally identifiable information involved in the ordinary course
			 of business of such business entity.
						(2)LimitationNothing
			 in this subsection shall be construed to permit, and nothing does permit, the
			 Federal Trade Commission to issue regulations requiring, or according greater
			 legal status to, the implementation of or application of a specific technology
			 or technological specifications for meeting the requirements of this
			 title.
						302.Requirements
			 for a personal data privacy and security program
					(a)Personal data
			 privacy and security programA business entity subject to this
			 subtitle shall comply with the following safeguards and any other
			 administrative, technical, or physical safeguards identified by the Federal
			 Trade Commission in a rulemaking process pursuant to section 553 of title 5,
			 United States Code, for the protection of sensitive personally identifiable
			 information:
						(1)ScopeA
			 business entity shall implement a comprehensive personal data privacy and
			 security program that includes administrative, technical, and physical
			 safeguards appropriate to the size and complexity of the business entity and
			 the nature and scope of its activities.
						(2)DesignThe
			 personal data privacy and security program shall be designed to—
							(A)ensure the
			 privacy, security, and confidentiality of sensitive personally identifying
			 information;
							(B)protect against
			 any anticipated vulnerabilities to the privacy, security, or integrity of
			 sensitive personally identifying information; and
							(C)protect against
			 unauthorized access to use of sensitive personally identifying information that
			 could result in substantial harm or inconvenience to any individual.
							(3)Risk
			 assessmentA business entity shall—
							(A)identify
			 reasonably foreseeable internal and external vulnerabilities that could result
			 in unauthorized access, disclosure, use, or alteration of sensitive personally
			 identifiable information or systems containing sensitive personally
			 identifiable information;
							(B)assess the
			 likelihood of and potential damage from unauthorized access, disclosure, use,
			 or alteration of sensitive personally identifiable information;
							(C)assess the
			 sufficiency of its policies, technologies, and safeguards in place to control
			 and minimize risks from unauthorized access, disclosure, use, or alteration of
			 sensitive personally identifiable information; and
							(D)assess the
			 vulnerability of sensitive personally identifiable information during
			 destruction and disposal of such information, including through the disposal or
			 retirement of hardware.
							(4)Risk management
			 and controlEach business entity shall—
							(A)design its
			 personal data privacy and security program to control the risks identified
			 under paragraph (3); and
							(B)adopt measures
			 commensurate with the sensitivity of the data as well as the size, complexity,
			 and scope of the activities of the business entity that—
								(i)control access to
			 systems and facilities containing sensitive personally identifiable
			 information, including controls to authenticate and permit access only to
			 authorized individuals;
								(ii)detect actual
			 and attempted fraudulent, unlawful, or unauthorized access, disclosure, use, or
			 alteration of sensitive personally identifiable information, including by
			 employees and other individuals otherwise authorized to have access;
								(iii)protect
			 sensitive personally identifiable information during use, transmission,
			 storage, and disposal by encryption, redaction, or access controls that are widely
			 accepted as an effective industry practice or industry standard,
			 or other reasonable means (including as directed for disposal of
			 records under section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w)
			 and the implementing regulations of such Act as set forth in section 682 of
			 title 16, Code of Federal Regulations);
			 and
								(iv)ensure that
			 sensitive personally identifiable information is properly destroyed and
			 disposed of, including during the destruction of computers, diskettes, and
			 other electronic media that contain sensitive personally identifiable
			 information.; and
								(v)trace access to records
			 containing sensitive personally identifiable information so that the business
			 entity can determine who accessed or acquired such sensitive personally
			 identifiable information pertaining to specific individuals; and
								(vi)ensure that no third
			 party or customer of the business entity is authorized to access or acquire
			 sensitive personally identifiable information without the business entity first
			 performing sufficient due diligence to ascertain, with reasonable certainty,
			 that such information is being sought for a valid legal purpose.
			 
								(b)TrainingEach
			 business entity subject to this subtitle shall take steps to ensure employee
			 training and supervision for implementation of the data security program of the
			 business entity.
					(c)Vulnerability
			 testing
						(1)In
			 generalEach business entity subject to this subtitle shall take
			 steps to ensure regular testing of key controls, systems, and procedures of the
			 personal data privacy and security program to detect, prevent, and respond to
			 attacks or intrusions, or other system failures.
						(2)FrequencyThe
			 frequency and nature of the tests required under paragraph (1) shall be
			 determined by the risk assessment of the business entity under subsection
			 (a)(3).
						(d)Relationship to
			 service providersIn the event a business entity subject to this
			 subtitle engages service providers not subject to this subtitle, such business
			 entity shall—
						(1)exercise
			 appropriate due diligence in selecting those service providers for
			 responsibilities related to sensitive personally identifiable information, and
			 take reasonable steps to select and retain service providers that are capable
			 of maintaining appropriate safeguards for the security, privacy, and integrity
			 of the sensitive personally identifiable information at issue; and
						(2)require those
			 service providers by contract to implement and maintain appropriate measures
			 designed to meet the objectives and requirements governing entities subject to
			 section 301, this section, and subtitle B.
						(e)Periodic
			 assessment and personal data privacy and security
			 modernizationEach business entity subject to this subtitle shall
			 on a regular basis monitor, evaluate, and adjust, as appropriate its data
			 privacy and security program in light of any relevant changes in—
						(1)technology;
						(2)the sensitivity
			 of personally identifiable information;
						(3)internal or
			 external threats to personally identifiable information; and
						(4)the changing
			 business arrangements of the business entity, such as—
							(A)mergers and
			 acquisitions;
							(B)alliances and
			 joint ventures;
							(C)outsourcing
			 arrangements;
							(D)bankruptcy;
			 and
							(E)changes to
			 sensitive personally identifiable information systems.
							(f)Implementation
			 time lineNot later than 1 year after the date of enactment of
			 this Act, a business entity subject to the provisions of this subtitle shall
			 implement a data privacy and security program pursuant to this subtitle.
					303.Enforcement
					(a)Civil
			 penalties
						(1)In
			 generalAny business entity that violates the provisions of
			 sections 301 or 302 shall be subject to civil penalties of not more than $5,000
			 per violation per day while such a violation exists, with a maximum of $500,000
			 per violation.
						(2)Intentional or
			 willful violationA business entity that intentionally or
			 willfully violates the provisions of sections 301 or 302 shall be subject to
			 additional penalties in the amount of $5,000 per violation per day while such a
			 violation exists, with a maximum of an additional $500,000 per
			 violation.
						(3)Equitable
			 reliefA business entity engaged in interstate commerce that
			 violates this section may be enjoined from further violations by a court of
			 competent jurisdiction.
						(4)Other rights
			 and remediesThe rights and remedies available under this section
			 are cumulative and shall not affect any other rights and remedies available
			 under law.
						(b)Federal trade
			 commission authorityAny data broker shall have the provisions of
			 this subtitle enforced against it by the Federal Trade Commission.
					(c)State
			 enforcement
						(1)Civil
			 actionsIn any case in which the attorney general of a State or
			 any State or local law enforcement agency authorized by the State attorney
			 general or by State statute to prosecute violations of consumer protection law,
			 has reason to believe that an interest of the residents of that State has been
			 or is threatened or adversely affected by the acts or practices of a data
			 broker that violate this subtitle, the State may bring a civil action on behalf
			 of the residents of that State in a district court of the United States of
			 appropriate jurisdiction, or any other court of competent jurisdiction,
			 to—
							(A)enjoin that act
			 or practice;
							(B)enforce
			 compliance with this subtitle; or
							(C)obtain civil
			 penalties of not more than $5,000 per violation per day while such violations
			 persist, up to a maximum of $500,000 per violation.
							(2)Notice
							(A)In
			 generalBefore filing an action under this subsection, the
			 attorney general of the State involved shall provide to the Federal Trade
			 Commission—
								(i)a
			 written notice of that action; and
								(ii)a
			 copy of the complaint for that action.
								(B)ExceptionSubparagraph
			 (A) shall not apply with respect to the filing of an action by an attorney
			 general of a State under this subsection, if the attorney general of a State
			 determines that it is not feasible to provide the notice described in this
			 subparagraph before the filing of the action.
							(C)Notification
			 when practicableIn an action described under subparagraph (B),
			 the attorney general of a State shall provide the written notice and the copy
			 of the complaint to the Federal Trade Commission as soon after the filing of
			 the complaint as practicable.
							(3)Federal trade
			 commission authorityUpon receiving notice under paragraph (2),
			 the Federal Trade Commission shall have the right to—
							(A)move to stay the
			 action, pending the final disposition of a pending Federal proceeding or action
			 as described in paragraph (4);
							(B)intervene in an
			 action brought under paragraph (1); and
							(C)file petitions
			 for appeal.
							(4)Pending
			 proceedingsIf the Federal Trade Commission has instituted a
			 proceeding or action for a violation of this subtitle or any regulations
			 thereunder, no attorney general of a State may, during the pendency of such
			 proceeding or action, bring an action under this subsection against any
			 defendant named in such criminal proceeding or civil action for any violation
			 that is alleged in that proceeding or action.
						(5)Rule of
			 constructionFor purposes of bringing any civil action under
			 paragraph (1) nothing in this subtitle shall be construed to prevent an
			 attorney general of a State from exercising the powers conferred on the
			 attorney general by the laws of that State to—
							(A)conduct
			 investigations;
							(B)administer oaths
			 and affirmations; or
							(C)compel the
			 attendance of witnesses or the production of documentary and other
			 evidence.
							(6)Venue; service
			 of process
							(A)VenueAny
			 action brought under this subsection may be brought in the district court of
			 the United States that meets applicable requirements relating to venue under
			 section 1391 of title 28, United States Code.
							(B)Service of
			 processIn an action brought under this subsection process may be
			 served in any district in which the defendant—
								(i)is
			 an inhabitant; or
								(ii)may be
			 found.
								(d)No private
			 cause of actionNothing in this subtitle establishes a private
			 cause of action against a business entity for violation of any provision of
			 this subtitle.
					304.Relation to
			 other laws
					(a)In
			 generalNo State may require any business entity subject to this
			 subtitle to comply with any requirements with respect to administrative,
			 technical, and physical safeguards for the protection of sensitive personally
			 identifying information.
					(b)LimitationsNothing
			 in this subtitle shall be construed to modify, limit, or supersede the
			 operation of the Gramm-Leach-Bliley Act or its implementing regulations,
			 including those adopted or enforced by States.
					BSecurity breach
			 notification
				311.Notice to
			 individuals
					(a)In
			 generalAny agency, or business entity engaged in interstate
			 commerce, that uses, accesses, transmits, stores, disposes of or collects
			 sensitive personally identifiable information shall, following the discovery of
			 a security breach of the
			 systems or databases of such agency or business
			 entityof such
			 information, notify any resident of the United States whose
			 sensitive personally identifiable information has been, or is reasonably
			 believed to have been, accessed, or acquired.
					(b)Obligation of
			 owner or licensee
						(1)Notice to owner
			 or licenseeAny agency, or business entity engaged in interstate
			 commerce, that uses, accesses, transmits, stores, disposes of, or collects
			 sensitive personally identifiable information that the agency or business
			 entity does not own or license shall notify the owner or licensee of the
			 information following the discovery of a security breach involving such
			 information.
						(2)Notice by
			 owner, licensee or other designated third partyNothing in this
			 subtitle shall prevent or abrogate an agreement between an agency or business
			 entity required to give notice under this section and a designated third party,
			 including an owner or licensee of the sensitive personally identifiable
			 information subject to the security breach, to provide the notifications
			 required under subsection (a).
						(3)Business entity
			 relieved from giving noticeA business entity obligated to give
			 notice under subsection (a) shall be relieved of such obligation if an owner or
			 licensee of the sensitive personally identifiable information subject to the
			 security breach, or other designated third party, provides such
			 notification.
						(c)Timeliness of
			 notification
						(1)In
			 generalAll notifications required under this section shall be
			 made without unreasonable delay following the discovery by the agency or
			 business entity of a security breach.
						(2)Reasonable
			 delayReasonable delay under this subsection may include any time
			 necessary to determine the scope of the security breach, prevent further
			 disclosures, and restore the reasonable integrity of the data system and
			 provide notice to law enforcement when required.
						(3)Burden of
			 proofThe agency, business entity, owner, or licensee required to
			 provide notification under this section shall have the burden of demonstrating
			 that all notifications were made as required under this subtitle, including
			 evidence demonstrating the reasons for any delay.
						(d)Delay of
			 notification authorized for law enforcement purposes
						(1)In
			 generalIf a Federal law enforcement agency determines that the
			 notification required under this section would impede a criminal investigation,
			 such notification shall be delayed upon written notice from such Federal law
			 enforcement agency to the agency or business entity that experienced the
			 breach.
						(2)Extended delay
			 of notificationIf the notification required under subsection (a)
			 is delayed pursuant to paragraph (1), an agency or business entity shall give
			 notice 30 days after the day such law enforcement delay was invoked unless a
			 Federal law enforcement agency provides written notification that further delay
			 is necessary.
						(3)Law enforcement
			 immunityNo cause of action shall lie in any court against any
			 law enforcement agency for acts relating to the delay of notification for law
			 enforcement purposes under this subtitle.
						312.Exemptions
					(a)Exemption for
			 national security and law enforcement
						(1)In
			 generalSection 311 shall not apply to an agency or business
			 entity if the agency or business entity certifies, in writing, that
			 notification of the security breach as required by section 311 reasonably could
			 be expected to—
							(A)cause damage to
			 the national security; or
							(B)hinder a law
			 enforcement investigation or the ability of the agency to conduct law
			 enforcement investigations.
							(2)Limits on
			 certificationsAn agency
			 or business entity
			 may not execute a certification under paragraph (1) to—
							(A)conceal
			 violations of law, inefficiency, or administrative error;
							(B)prevent
			 embarrassment to a business entity, organization, or agency; or
							(C)restrain
			 competition.
							(3)NoticeIn
			 every case in which an agency or
			 business entity issues a certification under paragraph (1), the
			 certification, accompanied by a description of the factual basis for the
			 certification, shall be immediately provided to the United States Secret
			 Service.
						(4)Secret service review
			 of certifications
							(A)In
			 generalThe United States Secret Service may review a
			 certification provided by an agency under paragraph (3), and shall review a
			 certification provided by a business entity under paragraph (3), to determine
			 whether an exemption under paragraph (1) is merited. Such review shall be
			 completed not later than 10 business days after the date of receipt of the
			 certification, except as provided in paragraph (5)(C).
							(B)NoticeUpon
			 completing a review under subparagraph (A) the United States Secret Service
			 shall immediately notify the agency or business entity, in writing, of its
			 determination of whether an exemption under paragraph (1) is merited.
							(C)ExemptionThe
			 exemption under paragraph (1) shall not apply if the United States Secret
			 Service determines under this paragraph that the exemption is not
			 merited.
							(5)Additional authority of
			 the secret service
							(A)In
			 generalIn determining under paragraph (4) whether an exemption
			 under paragraph (1) is merited, the United States Secret Service may request
			 additional information from the agency or business entity regarding the basis
			 for the claimed exemption, if such additional information is necessary to
			 determine whether the exemption is merited.
							(B)Required
			 complianceAny agency or business entity that receives a request
			 for additional information under subparagraph (A) shall cooperate with any such
			 request.
							(C)TimingIf
			 the United States Secret Service requests additional information under
			 subparagraph (A), the United States Secret Service shall notify the agency or
			 business entity not later than 10 business days after the date of receipt of
			 the additional information whether an exemption under paragraph (1) is
			 merited.
							(b)Safe
			 harborAn agency or business entity will be exempt from the
			 notice requirements under section 311, if—
						(1)a risk assessment
			 concludes that there is no significant risk that the security breach has
			 resulted in, or will result in, harm to the individuals whose sensitive
			 personally identifiable information was subject to the security breach;
						(1)a risk assessment
			 concludes that—
							(A)there is no significant
			 risk that a security breach has resulted in, or will result in, harm to the
			 individuals whose sensitive personally identifiable information was subject to
			 the security breach, with the encryption of such information establishing a
			 presumption that no significant risk exists; or
							(B)there is no significant
			 risk that a security breach has resulted in, or will result in, harm to the
			 individuals whose sensitive personally identifiable information was subject to
			 the security breach, with the rendering of such sensitive personally
			 identifiable information indecipherable through the use of best practices or
			 methods, such as redaction, access controls, or other such mechanisms, which
			 are widely accepted as an effective industry practice, or an effective industry
			 standard, establishing a presumption that no significant risk exists;
							(2)without
			 unreasonable delay, but not later than 45 days after the discovery of a
			 security breach, unless extended by the United States Secret Service, the
			 agency or business entity notifies the United States Secret Service, in
			 writing, of—
							(A)the results of
			 the risk assessment; and
							(B)its decision to
			 invoke the risk assessment exemption; and
							(3)the United States
			 Secret Service does not indicate, in writing, within 10
			 business days from
			 receipt of the decision, that notice should be given.
						(c)Financial fraud
			 prevention exemption
						(1)In
			 generalA business entity will be exempt from the notice
			 requirement under section 311 if the business entity utilizes or participates
			 in a security program that—
							(A)is designed to
			 block the use of the sensitive personally identifiable information to initiate
			 unauthorized financial transactions before they are charged to the account of
			 the individual; and
							(B)provides for
			 notice to affected individuals after a security breach that has resulted in
			 fraud or unauthorized transactions.
							(2)LimitationThe
			 exemption by this subsection does not apply
			 if the information
			 subject to the security breach includes sensitive personally identifiable
			 information in addition to the sensitive personally identifiable information
			 identified in section 3if—
							(A)the information subject
			 to the security breach includes sensitive personally identifiable information,
			 other than a credit card or credit card security code, of any type of the
			 sensitive personally identifiable information identified in section 3;
			 or
							(B)the security breach includes both the
			 individual's credit card number and the individual’s first and last name.
			 
							313.Methods of
			 noticeAn agency, or business
			 entity shall be in compliance with section 311 if it provides both:
					(1)Individual
			 notice
						(A)Written
			 notification to the last known home mailing address of the individual in the
			 records of the agency or business entity;
						(B)Telephone notice
			 to the individual personally; or
						(C)Electronic notice, if the primary method
			 used by the agency or business entity to communicate with the individual is by
			 electronic means, orE-mail notice, if the individual
			 has consented to receive such notice and the notice is consistent with the
			 provisions permitting electronic transmission of notices under section 101 of
			 the Electronic Signatures in Global and National Commerce Act (15 U.S.C.
			 7001).
						(2)Media
			 noticeNotice to major media outlets serving a State or
			 jurisdiction, if the number of residents of such State whose sensitive
			 personally identifiable information was, or is reasonably believed to have
			 been, acquired by an unauthorized person exceeds 5,000.
					314.Content of
			 notification
					(a)In
			 generalRegardless of the method by which notice is provided to
			 individuals under section 313, such notice shall include, to the extent
			 possible—
						(1)a description of
			 the categories of sensitive personally identifiable information that was, or is
			 reasonably believed to have been, acquired by an unauthorized person;
						(2)a toll-free
			 number or, if the
			 primary method used by the agency or business entity to communicate with the
			 individual is by electronic means, an electronic mail
			 address—
							(A)that the
			 individual may use to contact the agency or business entity, or the agent of
			 the agency or business entity; and
							(B)from which the
			 individual may learn what types of sensitive personally identifiable
			 information the agency or business entity maintained about that individual;
			 and
							(3)the toll-free
			 contact telephone numbers and addresses for the major credit reporting
			 agencies.
						(b)Additional
			 contentNotwithstanding section 319, a State may require that a
			 notice under subsection (a) shall also include information regarding victim
			 protection assistance provided for by that State.
					315.Coordination
			 of notification with credit reporting agenciesIf an agency or business entity is required
			 to provide notification to more than
			 1,000
			 individuals5,000
			 individuals under section 311(a), the agency or business entity
			 shall also notify,
			 without unreasonable delay, all consumer reporting agencies
			 that compile and maintain files on consumers on a nationwide basis (as defined
			 in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) of the
			 timing and distribution of the notices.
			 Such notice shall be given to the
			 consumer credit reporting agencies without unreasonable delay and, if it will
			 not delay notice to the affected individuals, prior to the distribution of
			 notices to the affected individuals.
				316.Notice to law
			 enforcement
					(a)Secret
			 serviceAny business entity or agency shall
			 give notice of a
			 security breach to the United States Secret
			 Servicenotify
			 the United States Secret Service of the fact that a security breach has
			 occurred if—
						(1)the number of
			 individuals whose sensitive personally identifying information was, or is
			 reasonably believed to have been acquired by an unauthorized person exceeds
			 10,000;
						(2)the security
			 breach involves a database, networked or integrated databases, or other data
			 system containing the sensitive personally identifiable information of more
			 than 1,000,000 individuals nationwide;
						(3)the security
			 breach involves databases owned by the Federal Government; or
						(4)the security
			 breach involves primarily sensitive personally identifiable information of
			 individuals known to the agency or business entity to be employees and
			 contractors of the Federal Government involved in national security or law
			 enforcement.
						(b)Notice to other
			 law enforcement agenciesThe United States Secret Service shall
			 be responsible for notifying—
						(1)the Federal
			 Bureau of Investigation, if the security breach involves espionage, foreign
			 counterintelligence, information protected against unauthorized disclosure for
			 reasons of national defense or foreign relations, or Restricted Data (as that
			 term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C.
			 2014(y)), except for offenses affecting the duties of the United States Secret
			 Service under section 3056(a) of title 18, United States Code;
						(2)the United States
			 Postal Inspection Service, if the security breach involves mail fraud;
			 and
						(3)the attorney
			 general of each State affected by the security breach.
						(c)14-Day
			 ruleThe notices to Federal law enforcement and the attorney
			 general of each State affected by a security breach required under this section
			 shall be delivered as promptly as possible, but not later than 14 days after
			 discovery of the events requiring notice.
					(c)Timing of
			 noticesThe notices required under this section shall be
			 delivered as follows:
						(1)Notice under subsection
			 (a) shall be delivered as promptly as possible, but not later than 14 days
			 after discovery of the events requiring notice.
						(2)Notice under subsection
			 (b) shall be delivered not later than 14 days after the Service receives notice
			 of a security breach from an agency or business entity.
						317.Enforcement
					(a)Civil actions
			 by the Attorney GeneralThe Attorney General may bring a civil
			 action in the appropriate United States district court against any business
			 entity that engages in conduct constituting a violation of this subtitle and,
			 upon proof of such conduct by a preponderance of the evidence, such business
			 entity shall be subject to a civil penalty of not more than $1,000 per day per
			 individual whose sensitive personally identifiable information was, or is
			 reasonably believed to have been, accessed or acquired by an unauthorized
			 person, up to a maximum of $1,000,000 per violation, unless such conduct is
			 found to be willful or intentional.
					(b)Injunctive
			 actions by the Attorney General
						(1)In
			 generalIf it appears that a business entity has engaged, or is
			 engaged, in any act or practice constituting a violation of this subtitle, the
			 Attorney General may petition an appropriate district court of the United
			 States for an order—
							(A)enjoining such
			 act or practice; or
							(B)enforcing
			 compliance with this subtitle.
							(2)Issuance of
			 orderA court may issue an order under paragraph (1), if the
			 court finds that the conduct in question constitutes a violation of this
			 subtitle.
						(c)Other rights
			 and remediesThe rights and remedies available under this
			 subtitle are cumulative and shall not affect any other rights and remedies
			 available under law.
					(d)Fraud
			 alertSection 605A(b)(1) of the Fair Credit Reporting Act (15
			 U.S.C. 1681c–1(b)(1)) is amended by inserting ", or evidence that the
			 consumer has received notice that the consumer's financial information has or
			 may have been compromised," after "identity theft
			 report".
					318. Enforcement by State attorneys general
					(a) In general
						(1) Civil actions. In any case in which the attorney general of a State or
			 any State or local law enforcement agency authorized by the State attorney
			 general or by State statute to prosecute violations of consumer protection law,
			 has reason to believe that an interest of the residents of that State has been
			 or is threatened or adversely affected by the engagement of a business entity
			 in a practice that is prohibited under this subtitle, the State or the State or
			 local law enforcement agency on behalf of the residents of the agency’s
			 jurisdiction, may bring a civil action on behalf of the residents of the State
			 or jurisdiction in a district court of the United States of appropriate
			 jurisdiction or any other court of competent jurisdiction, including a State
			 court, to—
							(A)enjoin that
			 practice;
							(B)enforce
			 compliance with this subtitle; or
							(C)civil penalties
			 of not more than $1,000 per day per individual whose sensitive personally
			 identifiable information was, or is reasonably believed to have been, accessed
			 or acquired by an unauthorized person, up to a maximum of $1,000,000 per
			 violation, unless such conduct is found to be willful or intentional.
							(2)Notice
							(A) In general. Before filing an action under paragraph (1), the attorney
			 general of the State involved shall provide to the Attorney General of the
			 United States—
								(i)written notice of
			 the action; and
								(ii)a
			 copy of the complaint for the action.
								(B)Exemption
								(i) In general. Subparagraph (A) shall not apply with respect to the
			 filing of an action by an attorney general of a State under this subtitle, if
			 the State attorney general determines that it is not feasible to provide the
			 notice described in such subparagraph before the filing of the action.
								(ii) Notification. In
			 an action described in clause (i), the attorney general of a State shall
			 provide notice and a copy of the complaint to the Attorney General at the time
			 the State attorney general files the action.
								(b) Federal proceedings. Upon receiving notice under subsection (a)(2), the
			 Attorney General shall have the right to—
						(1)move to stay the
			 action, pending the final disposition of a pending Federal proceeding or
			 action;
						(2)initiate an
			 action in the appropriate United States district court under section 317 and
			 move to consolidate all pending actions, including State actions, in such
			 court;
						(3)intervene in an
			 action brought under subsection (a)(2); and
						(4)file petitions
			 for appeal.
						(c) Pending proceedings. If the Attorney General has instituted a proceeding
			 or action for a violation of this subtitle or any regulations thereunder, no
			 attorney general of a State may, during the pendency of such proceeding or
			 action, bring an action under this subtitle against any defendant named in such
			 criminal proceeding or civil action for any violation that is alleged in that
			 proceeding or action.
					(d) Construction. For
			 purposes of bringing any civil action under subsection (a), nothing in this
			 subtitle regarding notification shall be construed to prevent an attorney
			 general of a State from exercising the powers conferred on such attorney
			 general by the laws of that State to—
						(1)conduct
			 investigations;
						(2)administer oaths
			 or affirmations; or
						(3)compel the
			 attendance of witnesses or the production of documentary and other
			 evidence.
						(e) Venue; service of process
						(1) Venue. Any
			 action brought under subsection (a) may be brought in—
							(A)the district
			 court of the United States that meets applicable requirements relating to venue
			 under section 1391 of title 28, United States Code; or
							(B)another court of
			 competent jurisdiction.
							(2) Service of process. In an action brought under subsection (a), process may be
			 served in any district in which the defendant—
							(A)is an inhabitant;
			 or
							(B)may be
			 found.
							(f) No private cause of action. Nothing in this subtitle establishes a private
			 cause of action against a business entity for violation of any provision of
			 this subtitle.
					319. Effect on Federal and State law. The
			 provisions of this subtitle shall supersede any other provision of Federal law
			 or any provision of law of any State relating to notification
			 by a business entity engaged in
			 interstate commerce or an agency of a security breach, except as
			 provided in section 314(b).
				320. Authorization of appropriations. There are
			 authorized to be appropriated such sums as may be necessary to cover the costs
			 incurred by the United States Secret Service to carry out investigations and
			 risk assessments of security breaches as required under this subtitle.
				321. Reporting on risk assessment exemptions. The
			 United States Secret Service shall report to Congress not later than 18 months
			 after the date of enactment of this Act, and upon the request by Congress
			 thereafter, on—
					(1)the number and
			 nature of the security breaches described in the notices filed by those
			 business entities invoking the risk assessment exemption under section 312(b)
			 and the response of the United States Secret Service to such notices;
			 and
					(2)the number and
			 nature of security breaches subject to the national security and law
			 enforcement exemptions under section 312(a), provided that such report may not
			 disclose the contents of any risk assessment provided to the United States
			 Secret Service pursuant to this subtitle.
					322. Effective date. This subtitle shall take
			 effect on the expiration of the date which is 90 days after the date of
			 enactment of this Act.
				Subtitle C. Office of Federal Identity Protection
				331. Office of Federal Identity Protection
					(a) Establishment. There is established in the Federal Trade
			 Commission an Office of Federal Identity Protection.
					(b) Duties. The
			 Office of Federal Identity Protection shall be responsible for assisting each
			 consumer with—
						(1)addressing the
			 consequences of the theft or compromise of the personally identifiable
			 information of that consumer;
						(2)accessing remedies
			 provided under Federal law and providing information about remedies available
			 under State law;
						(3)restoring the accuracy
			 of—
							(A)the personally
			 identifiable information of that consumer; and
							(B)records containing the
			 personally identifiable information of that consumer that were stolen or
			 compromised; and
							(4)retrieving any stolen or
			 compromised personally identifiable information of that consumer.
						(c) Activities. In order to perform the duties required
			 under subsection (b), the Office of Federal Identity Protection shall carry out
			 the following activities:
						(1)Establish a website, easily and
			 conspicuously accessible from ftc.gov, dedicated to assisting consumers with
			 the retrieval of the stolen or compromised personally identifiable information
			 of the consumer.
						(2)Maintain a toll-free phone number to help
			 answer questions concerning identity theft from consumers.
						(3)Establish online and offline
			 consumer-service teams to assist consumers seeking the retrieval of the
			 personally identifiable information of the consumer.
						(4)Provide guidance and
			 information to service organizations or pro bono legal services programs that
			 offer individualized assistance or counseling to victims of identity
			 theft.
						(5)Establish a reasonable standard for
			 determining when an individual becomes a victim of identity theft.
						(6)Issue certifications to individuals who,
			 under the standard described in paragraph (5), are identity theft
			 victims.
						(7)Permit an individual to use the Office of
			 Federal Identity Protection certification—
							(A)in all Federal, State, and local
			 jurisdictions, in lieu of a police report or any other document required by
			 State or local law, as a prerequisite to accessing business records of
			 transactions done by someone claiming to be the individual; and
							(B)to establish the
			 eligibility of that individual for—
								(i)the fraud alert
			 protections under section 605A of the Fair Credit Reporting Act (15 U.S.C.
			 1681c–1); and
								(ii)the reporting
			 protections under section 605B(a) of the Fair Credit Reporting Act (15 U.S.C.
			 1681c–2(a)).
								(8)Coordinate, as the Office
			 determines necessary, with the designated Chief Privacy Officer of each Federal
			 agency, or any other designated senior official in such agency in charge of
			 privacy, in order to meet the duties of assisting consumers as required under
			 subsection (b).
						(9)In addition to the requirements in
			 paragraphs (1) through (7), the Federal Trade Commission shall promulgate
			 regulations that enable the Office of Federal Identity Protection to help
			 consumers restore their stolen or otherwise compromised personally identifiable
			 information quickly and inexpensively.
						(d) Authorization of appropriations. There are
			 authorized to be appropriated for the Office of Federal Identity Protection
			 such sums as are necessary for fiscal year 2008 and each of the 4 succeeding
			 fiscal years.
					Title IV. Government access to and use of commercial data
			401. General Services Administration review of contracts
				(a) In general. In considering contract awards totaling more than
			 $500,000 and entered into after the date of enactment of this Act with data
			 brokers, the Administrator of the General Services Administration shall
			 evaluate—
					(1)the data privacy
			 and security program of a data broker to ensure the privacy and security of
			 data containing personally identifiable information, including whether such
			 program adequately addresses privacy and security threats created by malicious
			 software or code, or the use of peer-to-peer file sharing software;
					(2)the compliance of
			 a data broker with such program;
					(3)the extent to
			 which the databases and systems containing personally identifiable information
			 of a data broker have been compromised by security breaches; and
					(4)the response by a
			 data broker to such breaches, including the efforts by such data broker to
			 mitigate the impact of such security breaches.
					(b) Compliance safe harbor. The data privacy and security program of a data broker
			 shall be deemed sufficient for the purposes of subsection (a), if the data
			 broker complies with or provides protection equal to industry standards, as
			 identified by the Federal Trade Commission, that are applicable to the type of
			 personally identifiable information involved in the ordinary course of business
			 of such data broker.
				(c) Penalties. In
			 awarding contracts with data brokers for products or services related to
			 access, use, compilation, distribution, processing, analyzing, or evaluating
			 personally identifiable information, the Administrator of the General Services
			 Administration shall—
					(1)include monetary
			 or other penalties—
						(A)for failure to
			 comply with subtitles A and B of title III; or
						(B)if a contractor
			 knows or has reason to know that the personally identifiable information being
			 provided is inaccurate, and provides such inaccurate information; and
						(2)require a data
			 broker that engages service providers not subject to subtitle A of title III
			 for responsibilities related to sensitive personally identifiable information
			 to—
						(A)exercise
			 appropriate due diligence in selecting those service providers for
			 responsibilities related to personally identifiable information;
						(B)take reasonable
			 steps to select and retain service providers that are capable of maintaining
			 appropriate safeguards for the security, privacy, and integrity of the
			 personally identifiable information at issue; and
						(C)require such
			 service providers, by contract, to implement and maintain appropriate measures
			 designed to meet the objectives and requirements in title III.
						(d) Limitation. The
			 penalties under subsection (c) shall not apply to a data broker providing
			 information that is accurately and completely recorded from a public record
			 source or licensor.
				402. Requirement to audit information security practices of contractors and third party business
			 entities. Section 3544(b) of
			 title 44, United States Code, is amended—
				(1) in paragraph (7)(C)(iii), by striking “and” after the semicolon;
				(2) in paragraph (8), by striking the period and inserting “; and”; and
				(3) by adding at the end the following:
						“(9) procedures for evaluating and auditing the information security practices of contractors or
				third party business entities supporting the information systems or operations
				of the agency involving personally identifiable information (as that term is
				defined in section 3 of the Personal Data
				Privacy and Security Act of 2007) and ensuring remedial action to
				address any significant
				deficiencies.”.
				403. Privacy impact assessment of government use of commercial information services containing
			 personally identifiable information
				(a) In general. Section 208(b)(1) of the E-Government Act of 2002 (44
			 U.S.C. 3501 note) is amended—
					(1) in subparagraph (A)(i), by striking “or”; and
					(2) in subparagraph (A)(ii), by striking the period and inserting “; or”; and
					(3) by inserting after clause (ii) the following:
							“(iii) purchasing or subscribing for a fee to personally identifiable information from a data broker
				(as such terms are defined in section 3 of the
				Personal Data Privacy and Security Act of
				2007).”.
					(b) Limitation. Notwithstanding
			 any other provision of law, commencing 1 year after the date of enactment of
			 this Act, no Federal agency may enter into a contract with a data broker to
			 access for a fee any database consisting primarily of personally identifiable
			 information concerning United States persons (other than news reporting or
			 telephone directories) unless the head of such department or agency—
					(1)completes a
			 privacy impact assessment under section 208 of the E-Government Act of 2002 (44
			 U.S.C. 3501 note), which shall, subject to the provision in that Act pertaining
			 to sensitive information, include a description of—
						(A)such
			 database;
						(B)the name of the
			 data broker from whom it is obtained; and
						(C)the amount of the
			 contract for use;
						(2)adopts
			 regulations that specify—
						(A)the personnel
			 permitted to access, analyze, or otherwise use such databases;
						(B)standards
			 governing the access, analysis, or use of such databases;
						(C)any standards
			 used to ensure that the personally identifiable information accessed, analyzed,
			 or used is the minimum necessary to accomplish the intended legitimate purpose
			 of the Federal agency;
						(D)standards
			 limiting the retention and redisclosure of personally identifiable information
			 obtained from such databases;
						(E)procedures
			 ensuring that such data meet standards of accuracy, relevance, completeness,
			 and timeliness;
						(F)the auditing and
			 security measures to protect against unauthorized access, analysis, use, or
			 modification of data in such databases;
						(G)applicable
			 mechanisms by which individuals may secure timely redress for any adverse
			 consequences wrongly incurred due to the access, analysis, or use of such
			 databases;
						(H)mechanisms, if
			 any, for the enforcement and independent oversight of existing or planned
			 procedures, policies, or guidelines; and
						(I)an outline of
			 enforcement mechanisms for accountability to protect individuals and the public
			 against unlawful or illegitimate access or use of databases; and
						(3)incorporates into
			 the contract or other agreement totaling more than $500,000, provisions—
						(A)providing for
			 penalties—
							(i)for
			 failure to comply with title III of this Act; or
							(ii)if
			 the entity knows or has reason to know that the personally identifiable
			 information being provided to the Federal department or agency is inaccurate,
			 and provides such inaccurate information; and
							(B)requiring a data
			 broker that engages service providers not subject to subtitle A of title III
			 for responsibilities related to sensitive personally identifiable information
			 to—
							(i)exercise
			 appropriate due diligence in selecting those service providers for
			 responsibilities related to personally identifiable information;
							(ii)take reasonable
			 steps to select and retain service providers that are capable of maintaining
			 appropriate safeguards for the security, privacy, and integrity of the
			 personally identifiable information at issue; and
							(iii)require such
			 service providers, by contract, to implement and maintain appropriate measures
			 designed to meet the objectives and requirements in title III.
							(c) Limitation on penalties. The penalties under subsection (b)(3)(A) shall not
			 apply to a data broker providing information that is accurately and completely
			 recorded from a public record source.
				(d) Study of government use
					(1) Scope of study. Not later than 180 days after the date of enactment of this
			 Act, the Comptroller General of the United States shall conduct a study and
			 audit and prepare a report on Federal agency use of data brokers or commercial
			 databases containing personally identifiable information, including the impact
			 on privacy and security, and the extent to which Federal contracts include
			 sufficient provisions to ensure privacy and security protections, and penalties
			 for failures in privacy and security practices.
					(2) Report. A
			 copy of the report required under paragraph (1) shall be submitted to
			 Congress.
					(d) Study of government use
					(1) Scope of study. Not later than 180 days after the date of enactment of this
			 Act, the Comptroller General of the United States shall conduct a study and
			 audit and prepare a report on Federal agency actions to address the
			 recommendations in the Government Accountability Office's April 2006 report on
			 agency adherence to key privacy principles in using data brokers or commercial
			 databases containing personally identifiable information.
					(2) Report. A
			 copy of the report required under paragraph (1) shall be submitted to
			 Congress.
					404. Implementation of chief privacy officer requirements
				(a) Designation of the chief privacy officer. Pursuant to the requirements under
			 section 522 of the Transportation, Treasury, Independent Agencies, and General
			 Government Appropriations Act, 2005 (division H of Public Law 108–447; 118
			 Stat. 3199) that each agency designate a Chief Privacy Officer, the Department
			 of Justice shall implement such requirements by designating a department-wide
			 Chief Privacy Officer, whose primary role shall be to fulfill the duties and
			 responsibilities of Chief Privacy Officer and who shall report directly to the
			 Deputy Attorney General.
				(b) Duties and responsibilities of chief privacy officer. In addition to the
			 duties and responsibilities outlined under section 522 of the Transportation,
			 Treasury, Independent Agencies, and General Government Appropriations Act, 2005
			 (division H of Public Law 108–447; 118 Stat. 3199), the Department of Justice
			 Chief Privacy Officer shall—
					(1)oversee the
			 Department of Justice’s implementation of the requirements under section 403 to
			 conduct privacy impact assessments of the use of commercial data containing
			 personally identifiable information by the Department; and
					(2)coordinate with
			 the Privacy and Civil Liberties Oversight Board, established in the
			 Intelligence Reform and Terrorism Prevention Act of 2004 (Public Law 108–458),
			 in implementing this section.
		May 23, 2007
		Reported with amendments