[Congressional Bills 111th Congress]
[From the U.S. Government Publishing Office]
[S. 1490 Reported in Senate (RS)]

                                                       Calendar No. 208
111th CONGRESS
  1st Session
                                S. 1490

 To prevent and mitigate identity theft, to ensure privacy, to provide 
  notice of security breaches, and to enhance criminal penalties, law 
    enforcement assistance, and other protections against security 
  breaches, fraudulent access, and misuse of personally identifiable 
                              information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 22, 2009

   Mr. Leahy (for himself, Mr. Brown, Mr. Feingold, Mr. Schumer, Mr. 
  Specter, Mr. Cardin, and Mr. Hatch) introduced the following bill; 
  which was read twice and referred to the Committee on the Judiciary

                            November 5, 2009

                 Reported by Mr. Leahy, with amendments
  [Omit the part struck through and insert the part printed in italic]

_______________________________________________________________________

                                 A BILL


 
 To prevent and mitigate identity theft, to ensure privacy, to provide 
  notice of security breaches, and to enhance criminal penalties, law 
    enforcement assistance, and other protections against security 
  breaches, fraudulent access, and misuse of personally identifiable 
                              information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Personal Data 
Privacy and Security Act of 2009''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Organized criminal activity in connection with unauthorized 
                            access to personally identifiable 
                            information.
Sec. 102. Concealment of security breaches involving sensitive 
                            personally identifiable information.
Sec. 103. Review and amendment of Federal sentencing guidelines related 
                            to fraudulent access to or misuse of 
                            digitized or electronic personally 
                            identifiable information.
Sec. 104. Effects of identity theft on bankruptcy proceedings.
                         TITLE II--DATA BROKERS

Sec. 201. Transparency and accuracy of data collection.
Sec. 202. Enforcement.
Sec. 203. Relation to State laws.
Sec. 204. Effective date.
 TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

Sec. 301. Purpose and applicability of data privacy and security 
                            program.
Sec. 302. Requirements for a personal data privacy and security 
                            program.
Sec. 303. Enforcement.
Sec. 304. Relation to other laws.
                Subtitle B--Security Breach Notification

Sec. 311. Notice to individuals.
Sec. 312. Exemptions.
Sec. 313. Methods of notice.
Sec. 314. Content of notification.
Sec. 315. Coordination of notification with credit reporting agencies.
Sec. 316. Notice to law enforcement.
Sec. 317. Enforcement.
Sec. 318. Enforcement by State attorneys general.
Sec. 319. Effect on Federal and State law.
Sec. 320. Authorization of appropriations.
Sec. 321. Reporting on risk assessment exemptions.
Sec. 322. Effective date.
       <DELETED>Subtitle C--Office of Federal Identity Protection

<DELETED>Sec. 331. Office of Federal Identity Protection.
   <DELETED>TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

<DELETED>Sec. 401. General services administration review of contracts.
<DELETED>Sec. 402. Requirement to audit information security practices 
                            of contractors and third party business 
                            entities.
<DELETED>Sec. 403. Privacy impact assessment of government use of 
                            commercial information services containing 
                            personally identifiable information.
<DELETED>Sec. 404. Implementation of chief privacy officer 
                            requirements.

</DELETED>SEC. 2. FINDINGS.

    Congress finds that--
            (1) databases of personally identifiable information are 
        increasingly prime targets of hackers, identity thieves, rogue 
        employees, and other criminals, including organized and 
        sophisticated criminal operations;
            (2) identity theft is a serious threat to the Nation's 
        economic stability, homeland security, the development of e-
        commerce, and the privacy rights of Americans;
            (3) over 9,300,000 individuals were victims of identity 
        theft in America last year;
            (4) security breaches are a serious threat to consumer 
        confidence, homeland security, e-commerce, and economic 
        stability;
            (5) it is important for business entities that own, use, or 
        license personally identifiable information to adopt reasonable 
        procedures to ensure the security, privacy, and confidentiality 
        of that personally identifiable information;
            (6) individuals whose personal information has been 
        compromised or who have been victims of identity theft should 
        receive the necessary information and assistance to mitigate 
        their damages and to restore the integrity of their personal 
        information and identities;
            (7) data brokers have assumed a significant role in 
        providing identification, authentication, and screening 
        services, and related data collection and analyses for 
        commercial, nonprofit, and government operations;
            (8) data misuse and use of inaccurate data have the 
        potential to cause serious or irreparable harm to an 
        individual's livelihood, privacy, and liberty and undermine 
        efficient and effective business and government operations;
            (9) there is a need to ensure that data brokers conduct 
        their operations in a manner that prioritizes fairness, 
        transparency, accuracy, and respect for the privacy of 
        consumers;
            (10) government access to commercial data can potentially 
        improve safety, law enforcement, and national security; and
            (11) because government use of commercial data containing 
        personal information potentially affects individual privacy, 
        and law enforcement and national security operations, there is 
        a need for Congress to exercise oversight over government use 
        of commercial data.

SEC. 3. DEFINITIONS.

    In this Act, the following definitions shall apply:
            (1) Agency.--The term ``agency'' has the same meaning given 
        such term in section 551 of title 5, United States Code.
            (2) Affiliate.--The term ``affiliate'' means persons 
        related by common ownership or by corporate control.
            (3) Business entity.--The term ``business entity'' means 
        any organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or venture 
        established to make a profit, or nonprofit.
            (4) Identity theft.--The term ``identity theft'' means a 
        violation of section 1028 of title 18, United States Code.
            (5) Data broker.--The term ``data broker'' means a business 
        entity which for monetary fees or dues regularly engages in the 
        practice of collecting, transmitting, or providing access to 
        sensitive personally identifiable information on more than 
        5,000 individuals who are not the customers or employees of 
        that business entity or affiliate primarily for the purposes of 
        providing such information to nonaffiliated third parties on an 
        interstate basis.
            (6) Data furnisher.--The term ``data furnisher'' means any 
        agency, organization, corporation, trust, partnership, sole 
        proprietorship, unincorporated association, or nonprofit that 
        serves as a source of information for a data broker.
            (7) Encryption.--The term ``encryption''--
                    (A) means the protection of data in electronic 
                form, in storage or in transit, using an encryption 
                technology that has been adopted by <DELETED>an 
                established</DELETED>a widely accepted standards 
                setting body or, has been widely accepted as an 
                effective industry practice which renders such data 
                indecipherable in the absence of associated 
                cryptographic keys necessary to enable decryption of 
                such data; and
                    (B) includes appropriate management and safeguards 
                of such cryptographic keys so as to protect the 
                integrity of the encryption.
            (8) Personal electronic record.--
                    (A) In general.--The term ``personal electronic 
                record'' means data associated with an individual 
                contained in a database, networked or integrated 
                databases, or other data system that is provided to 
                nonaffiliated third parties and includes sensitive 
                personally identifiable information about that 
                individual.
                    (B) Exclusions.--The term ``personal electronic 
                record'' does not include--
                            (i) any data related to an individual's 
                        past purchases of consumer goods; or
                            (ii) any proprietary assessment or 
                        evaluation of an individual or any proprietary 
                        assessment or evaluation of information about 
                        an individual.
            (9) Personally identifiable information.--The term 
        ``personally identifiable information'' means any information, 
        or compilation of information, in electronic or digital form 
        serving as a means of identification, as defined by section 
        1028(d)(7) of title 18, United State Code.
            (10) Public record source.--The term ``public record 
        source'' means the Congress, any agency, any State or local 
        government agency, the government of the District of Columbia 
        and governments of the territories or possessions of the United 
        States, and Federal, State or local courts, courts martial and 
        military commissions, that maintain personally identifiable 
        information in records available to the public.
            (11) Security breach.--
                    (A) In general.--The term ``security breach'' means 
                compromise of the security, confidentiality, or 
                integrity of computerized data through 
                misrepresentation or actions that result in, or there 
                is a reasonable basis to conclude has resulted in, 
                acquisition of or access to sensitive personally 
                identifiable information that is unauthorized or in 
                excess of authorization and which present a significant 
                risk of harm or fraud to any individual.
                    (B) Exclusion.--The term ``security breach'' does 
                not include--
                            (i) a good faith acquisition of sensitive 
                        personally identifiable information by a 
                        business entity or agency, or an employee or 
                        agent of a business entity or agency, if the 
                        sensitive personally identifiable information 
                        is not subject to further unauthorized 
                        disclosure; or
                            (ii) the release of a public record not 
                        otherwise subject to confidentiality or 
                        nondisclosure requirements.
            (12) Sensitive personally identifiable information.--The 
        term ``sensitive personally identifiable information'' means 
        any information or compilation of information, in electronic or 
        digital form that includes--
                    (A) an individual's first and last name or first 
                initial and last name in combination with any 1 of the 
                following data elements:
                            (i) A non-truncated social security number, 
                        driver's license number, passport number, or 
                        alien registration number.
                            (ii) Any 2 of the following:
                                    (I) Home address or telephone 
                                number.
                                    (II) Mother's maiden name, if 
                                identified as such.
                                    (III) Month, day, and year of 
                                birth.
                            (iii) Unique biometric data such as a 
                        finger print, voice print, a retina or iris 
                        image, or any other unique physical 
                        representation.
                            (iv) A unique account identifier, 
                        electronic identification number, user name, or 
                        routing code in combination with any associated 
                        security code, access code, or password that is 
                        required for an individual to obtain money, 
                        goods, services, or any other thing of value; 
                        or
                    (B) a financial account number or credit or debit 
                card number in combination with any security code, 
                access code, or password that is required for an 
                individual to obtain credit, withdraw funds, or engage 
                in a financial transaction.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED 
              ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.

    Section 1961(1) of title 18, United States Code, is amended by 
inserting ``section 1030(a)(2)(D) (relating to fraud and related 
activity in connection with unauthorized access to sensitive personally 
identifiable information as defined in the Personal Data Privacy and 
Security Act of 2009,'' before ``section 1084''.

SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE 
              PERSONALLY IDENTIFIABLE INFORMATION.

    (a) In General.--Chapter 47 of title 18, United States Code, is 
amended by adding at the end the following:
``Sec. 1041. Concealment of security breaches involving sensitive 
              personally identifiable information
    ``(a) Whoever, having knowledge of a security breach and of the 
obligation to provide notice of such breach to individuals under title 
III of the Personal Data Privacy and Security Act of 2009, and having 
not otherwise qualified for an exemption from providing notice under 
section 312 of such Act, intentionally and willfully conceals the fact 
of such security breach and which breach causes economic damage to 1 or 
more persons, shall be fined under this title or imprisoned not more 
than 5 years, or both.
    ``(b) For purposes of subsection (a), the term `person' has the 
same meaning as in section 1030(e)(12) of title 18, United States Code.
    ``(c) Any person seeking an exemption under section 312(b) of the 
Personal Data Privacy and Security Act of 2009 shall be immune from 
prosecution under this section if the United States Secret Service does 
not indicate, in writing, that such notice be given under section 
312(b)(3) of such Act.''.
    (b) Conforming and Technical Amendments.--The table of sections for 
chapter 47 of title 18, United States Code, is amended by adding at the 
end the following:

``1041. Concealment of security breaches involving personally 
                            identifiable information.''.
    (c) Enforcement Authority.--
            (1) In general.--The United States Secret Service shall 
        have the authority to investigate offenses under this section.
            (2) Nonexclusivity.--The authority granted in paragraph (1) 
        shall not be exclusive of any existing authority held by any 
        other Federal agency.

SEC. 103. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED 
              TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR 
              ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.

    (a) Review and Amendment.--The United States Sentencing Commission, 
pursuant to its authority under section 994 of title 28, United States 
Code, and in accordance with this section, shall review and, if 
appropriate, amend the Federal sentencing guidelines (including its 
policy statements) applicable to persons convicted of using fraud to 
access, or misuse of, digitized or electronic personally identifiable 
information, including identity theft or any offense under--
            (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of 
        title 18, United States Code; and
            (2) any other relevant provision.
    (b) Requirements.--In carrying out the requirements of this 
section, the United States Sentencing Commission shall--
            (1) ensure that the Federal sentencing guidelines 
        (including its policy statements) reflect--
                    (A) the serious nature of the offenses and 
                penalties referred to in this Act;
                    (B) the growing incidences of theft and misuse of 
                digitized or electronic personally identifiable 
                information, including identity theft; and
                    (C) the need to deter, prevent, and punish such 
                offenses;
            (2) consider the extent to which the Federal sentencing 
        guidelines (including its policy statements) adequately address 
        violations of the sections amended by this Act to--
                    (A) sufficiently deter and punish such offenses; 
                and
                    (B) adequately reflect the enhanced penalties 
                established under this Act;
            (3) maintain reasonable consistency with other relevant 
        directives and sentencing guidelines;
            (4) account for any additional aggravating or mitigating 
        circumstances that might justify exceptions to the generally 
        applicable sentencing ranges;
            (5) consider whether to provide a sentencing enhancement 
        for those convicted of the offenses described in subsection 
        (a), if the conduct involves--
                    (A) the online sale of fraudulently obtained or 
                stolen personally identifiable information;
                    (B) the sale of fraudulently obtained or stolen 
                personally identifiable information to an individual 
                who is engaged in terrorist activity or aiding other 
                individuals engaged in terrorist activity; or
                    (C) the sale of fraudulently obtained or stolen 
                personally identifiable information to finance 
                terrorist activity or other criminal activities;
            (6) make any necessary conforming changes to the Federal 
        sentencing guidelines to ensure that such guidelines (including 
        its policy statements) as described in subsection (a) are 
        sufficiently stringent to deter, and adequately reflect crimes 
        related to fraudulent access to, or misuse of, personally 
        identifiable information; and
            (7) ensure that the Federal sentencing guidelines 
        adequately meet the purposes of sentencing under section 
        3553(a)(2) of title 18, United States Code.
    (c) Emergency Authority to Sentencing Commission.--The United 
States Sentencing Commission may, as soon as practicable, promulgate 
amendments under this section in accordance with procedures established 
in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 994 note) as 
though the authority under that Act had not expired.

SEC. 104. EFFECTS OF IDENTITY THEFT ON BANKRUPTCY PROCEEDINGS.

    (a) Definitions.--Section 101 of title 11, United States Code, is 
amended--
            (1) by redesignating paragraph (27B) as paragraph (27D); 
        and
            (2) by inserting after paragraph (27A) the following:
            ``(27) The term `identity theft' means a fraud committed or 
        attempted using the personally identifiable information of 
        another person.
            ``(28) The term `identity theft victim' means a debtor who, 
        as a result of an identify theft in any consecutive 12-month 
        period during the 3-year period before the date on which a 
        petition is filed under this title, had claims asserted against 
        such debtor in excess of the least of--
                    ``(A) $20,000;
                    ``(B) 50 percent of all claims asserted against 
                such debtor; or
                    ``(C) 25 percent of the debtor's gross income for 
                such 12-month period.''.
    (b) Prohibition.--Section 707(b) of title 11, United States Code, 
is amended by adding at the end the following:
    ``(8) No judge, United States trustee (or bankruptcy administrator, 
if any), trustee, or other party in interest may file a motion under 
paragraph (2) if the debtor is an identity theft victim.''.

                         TITLE II--DATA BROKERS

SEC. 201. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.

    (a) In General.--Data brokers engaging in interstate commerce are 
subject to the requirements of this title for any product or service 
offered to third parties that allows access or use of sensitive 
personally identifiable information.
    (b) Limitation.--Notwithstanding any other provision of this title, 
this section shall not apply to--
            (1) any product or service offered by a data broker 
        engaging in interstate commerce where such product or service 
        is currently subject to, and in compliance with, access and 
        accuracy protections similar to those under subsections (c) 
        through <DELETED>(f)</DELETED>(e) of this section under the 
        Fair Credit Reporting Act (Public Law 91-508);
            (2) any data broker that is subject to regulation under the 
        Gramm-Leach-Bliley Act (Public Law 106-102);
            (3) any data broker currently subject to and in compliance 
        with the data security requirements for such entities under the 
        Health Insurance Portability and Accountability Act (Public Law 
        104-191), and its implementing regulations;
            (4) information in a personal electronic record that--
                    (A) the data broker has identified as inaccurate, 
                but maintains for the purpose of aiding the data broker 
                in preventing inaccurate information from entering an 
                individual's personal electronic record; and
                    (B) is not maintained primarily for the purpose of 
                transmitting or otherwise providing that information, 
                or assessments based on that information, to 
                nonaffiliated third parties; <DELETED>and
        </DELETED>    (5) information concerning proprietary 
        methodologies, techniques, scores, or algorithms relating to 
        fraud prevention not normally provided to third parties in the 
        ordinary course of business<DELETED>.</DELETED> ; and
            (6) information that is used for legitimate governmental or 
        fraud prevention purposes that would be compromised by 
        disclosure to the individual. 
    (c) Disclosures to Individuals.--
            (1) In general.--A data broker shall, upon the request of 
        an individual, disclose to such individual for a reasonable fee 
        all personal electronic records pertaining to that individual 
        maintained specifically for disclosure to third parties that 
        request information on that individual in the ordinary course 
        of business in the databases or systems of the data broker at 
        the time of such request.
            (2) Information on how to correct inaccuracies.--The 
        disclosures required under paragraph (1) shall also include 
        guidance to individuals on procedures for correcting 
        inaccuracies.
    (d) Disclosure to Individuals of Adverse Actions Taken by Third 
Parties.--
            (1) In general.--In addition to any other rights 
        established under this Act, if a person takes any adverse 
        action with respect to any individual that is based, in whole 
        or in part, on any information contained in a personal 
        electronic record that is maintained, updated, or otherwise 
        owned or possessed by a data broker, such person, at no cost to 
        the affected individual, shall provide--
                    (A) written or electronic notice of the adverse 
                action to the individual;
                    (B) to the individual, in writing or 
                electronically, the name, address, and telephone number 
                of the data broker that furnished the information to 
                the person;
                    (C) a copy of the information such person obtained 
                from the data broker; and
                    (D) information to the individual on the procedures 
                for correcting any inaccuracies in such information.
            (2) Accepted methods of notice.--A person shall be in 
        compliance with the notice requirements under paragraph (1) if 
        such person provides written or electronic notice in the same 
        manner and using the same methods as are required under section 
        313(1) of this Act.
    (e) Accuracy Resolution Process.--
            (1) Information from a public record or licensor.--
                    (A) In general.--If an individual notifies a data 
                broker of a dispute as to the completeness or accuracy 
                of information disclosed to such individual under 
                subsection (c) that is obtained from a public record 
                source or a license agreement, such data broker shall 
                determine within 30 days whether the information in its 
                system accurately and completely records the 
                information available from the licensor or public 
                record source.
                    (B) Data broker actions.--If a data broker 
                determines under subparagraph (A) that the information 
                in its systems does not accurately and completely 
                record the information available from a public record 
                source or licensor, the data broker shall--
                            (i) correct any inaccuracies or 
                        incompleteness, and provide to such individual 
                        written notice of such changes; and
                            (ii) provide such individual with the 
                        contact information of the public record or 
                        licensor.
            (2) Information not from a public record source or 
        licensor.--If an individual notifies a data broker of a dispute 
        as to the completeness or accuracy of information not from a 
        public record or licensor that was disclosed to the individual 
        under subsection (c), the data broker shall, within 30 days of 
        receiving notice of such dispute--
                    (A) review and consider free of charge any 
                information submitted by such individual that is 
                relevant to the completeness or accuracy of the 
                disputed information; and
                    (B) correct any information found to be incomplete 
                or inaccurate and provide notice to such individual of 
                whether and what information was corrected, if any.
            (3) Extension of review period.--The 30-day period 
        described in paragraph (1) may be extended for not more than 30 
        additional days if a data broker receives information from the 
        individual during the initial 30-day period that is relevant to 
        the completeness or accuracy of any disputed information.
            (4) Notice identifying the data furnisher.--If the 
        completeness or accuracy of any information not from a public 
        record source or licensor that was disclosed to an individual 
        under subsection (c) is disputed by such individual, the data 
        broker shall provide, upon the request of such individual, the 
        contact information of any data furnisher that provided the 
        disputed information.
            (5) Determination that dispute is frivolous or 
        irrelevant.--
                    (A) In general.--Notwithstanding paragraphs (1) 
                through (3), a data broker may decline to investigate 
                or terminate a review of information disputed by an 
                individual under those paragraphs if the data broker 
                reasonably determines that the dispute by the 
                individual is frivolous or intended to perpetrate 
                fraud.
                    (B) Notice.--A data broker shall notify an 
                individual of a determination under subparagraph (A) 
                within a reasonable time by any means available to such 
                data broker.

SEC. 202. ENFORCEMENT.

    (a) Civil Penalties.--
            (1) Penalties.--Any data broker that violates the 
        provisions of section 201 shall be subject to civil penalties 
        of not more than $1,000 per violation per day while such 
        violations persist, up to a maximum of $250,000 per violation.
            (2) Intentional or willful violation.--A data broker that 
        intentionally or willfully violates the provisions of section 
        201 shall be subject to additional penalties in the amount of 
        $1,000 per violation per day, to a maximum of an additional 
        $250,000 per violation, while such violations persist.
            (3) Equitable relief.--A data broker engaged in interstate 
        commerce that violates this section may be enjoined from 
        further violations by a court of competent jurisdiction.
            (4) Other rights and remedies.--The rights and remedies 
        available under this subsection are cumulative and shall not 
        affect any other rights and remedies available under law.
    (b) Federal Trade Commission Authority.--Any data broker shall have 
the provisions of this title enforced against it by the Federal Trade 
Commission.
    (c) State Enforcement.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the acts or 
        practices of a data broker that violate this title, the State 
        may bring a civil action on behalf of the residents of that 
        State in a district court of the United States of appropriate 
        jurisdiction, or any other court of competent jurisdiction, 
        to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this title; or
                    (C) obtain civil penalties of not more than $1,000 
                per violation per day while such violations persist, up 
                to a maximum of $250,000 per violation.
            (2) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Federal Trade Commission--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an attorney 
                general of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in 
                subparagraph (A) before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described under subparagraph (B), the attorney general 
                of a State shall provide the written notice and the 
                copy of the complaint to the Federal Trade Commission 
                as soon after the filing of the complaint as 
                practicable.
            (3) Federal trade commission authority.--Upon receiving 
        notice under paragraph (2), the Federal Trade Commission shall 
        have the right to--
                    (A) move to stay the action, pending the final 
                disposition of a pending Federal proceeding or action 
                as described in paragraph (4);
                    (B) intervene in an action brought under paragraph 
                (1); and
                    (C) file petitions for appeal.
            (4) Pending proceedings.--If the Federal Trade Commission 
        has instituted a proceeding or civil action for a violation of 
        this title, no attorney general of a State may, during the 
        pendency of such proceeding or civil action, bring an action 
        under this subsection against any defendant named in such civil 
        action for any violation that is alleged in that civil action.
            (5) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1), nothing in this title shall 
        be construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths and affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (6) Venue; service of process.--
                    (A) Venue.--Any action brought under this 
                subsection may be brought in the district court of the 
                United States that meets applicable requirements 
                relating to venue under section 1391 of title 28, 
                United States Code.
                    (B) Service of process.--In an action brought under 
                this subsection, process may be served in any district 
                in which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
    (d) No Private Cause of Action.--Nothing in this title establishes 
a private cause of action against a data broker for violation of any 
provision of this title.

SEC. 203. RELATION TO STATE LAWS.

    No requirement or prohibition may be imposed under the laws of any 
State with respect to any subject matter regulated under section 201, 
relating to individual access to, and correction of, personal 
electronic records held by data brokers.

SEC. 204. EFFECTIVE DATE.

    This title shall take effect 180 days after the date of enactment 
of this Act.

 TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

SEC. 301. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Purpose.--The purpose of this subtitle is to ensure standards 
for developing and implementing administrative, technical, and physical 
safeguards to protect the security of sensitive personally identifiable 
information.
    (b) In General.--A business entity engaging in interstate commerce 
that involves collecting, accessing, transmitting, using, storing, or 
disposing of sensitive personally identifiable information in 
electronic or digital form on 10,000 or more United States persons is 
subject to the requirements for a data privacy and security program 
under section 302 for protecting sensitive personally identifiable 
information.
    (c) Limitations.--Notwithstanding any other obligation under this 
subtitle, this subtitle does not apply to:
            (1) Financial institutions.--Financial institutions--
                    (A) subject to the data security requirements and 
                implementing regulations under the Gramm-Leach-Bliley 
                Act (15 U.S.C. 6801 et seq.); and
                    (B) subject to--
                            (i) examinations for compliance with the 
                        requirements of this Act by a Federal 
                        Functional Regulator or State Insurance 
                        Authority (as those terms are defined in 
                        section 509 of the Gramm-Leach-Bliley Act (15 
                        U.S.C. 6809)); or
                            (ii) compliance with part 314 of title 16, 
                        Code of Federal Regulations.
            (2) HIPPA regulated entities.--
                    (A) Covered entities.--Covered entities subject to 
                the Health Insurance Portability and Accountability Act 
                of 1996 (42 U.S.C. 1301 et seq.), including the data 
                security requirements and implementing regulations of 
                that Act.
                    (B) Business entities.--A business entity shall be 
                deemed in compliance with the privacy and security 
                program requirements under section 302 if the business 
                entity is acting as a ``business associate'' as that 
                term is defined in the Health Insurance Portability and 
                Accountability Act of 1996 (42 U.S.C. 1301 et seq.) and 
                is in compliance with requirements imposed under that 
                Act and its implementing regulations.
            (3) Public records.--Public records not otherwise subject 
        to a confidentiality or nondisclosure requirement, or 
        information obtained from a news report or periodical.
    (d) Safe Harbors.--
            (1) In general.--A business entity shall be deemed in 
        compliance with the privacy and security program requirements 
        under section 302 if the business entity complies with or 
        provides protection equal to industry standards or widely 
        accepted as an effective industry practice, as identified by 
        the Federal Trade Commission, that are applicable to the type 
        of sensitive personally identifiable information involved in 
        the ordinary course of business of such business entity.
            (2) Limitation.--Nothing in this subsection shall be 
        construed to permit, and nothing does permit, the Federal Trade 
        Commission to issue regulations requiring, or according greater 
        legal status to, the implementation of or application of a 
        specific technology or technological specifications for meeting 
        the requirements of this title.

SEC. 302. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY 
              PROGRAM.

    (a) Personal Data Privacy and Security Program.--A business entity 
subject to this subtitle shall comply with the following safeguards and 
any other administrative, technical, or physical safeguards identified 
by the Federal Trade Commission in a rulemaking process pursuant to 
section 553 of title 5, United States Code, for the protection of 
sensitive personally identifiable information:
            (1) Scope.--A business entity shall implement a 
        comprehensive personal data privacy and security program that 
        includes administrative, technical, and physical safeguards 
        appropriate to the size and complexity of the business entity 
        and the nature and scope of its activities.
            (2) Design.--The personal data privacy and security program 
        shall be designed to--
                    (A) ensure the privacy, security, and 
                confidentiality of sensitive personally identifying 
                information;
                    (B) protect against any anticipated vulnerabilities 
                to the privacy, security, or integrity of sensitive 
                personally identifying information; and
                    (C) protect against unauthorized access to use of 
                sensitive personally identifying information that could 
                <DELETED>result in substantial harm or inconvenience to 
                any individual</DELETED>create a significant risk of 
                harm or fraud to any individual.
            (3) Risk assessment.--A business entity shall--
                    (A) identify reasonably foreseeable internal and 
                external vulnerabilities that could result in 
                unauthorized access, disclosure, use, or alteration of 
                sensitive personally identifiable information or 
                systems containing sensitive personally identifiable 
                information;
                    (B) assess the likelihood of and potential damage 
                from unauthorized access, disclosure, use, or 
                alteration of sensitive personally identifiable 
                information;
                    (C) assess the sufficiency of its policies, 
                technologies, and safeguards in place to control and 
                minimize risks from unauthorized access, disclosure, 
                use, or alteration of sensitive personally identifiable 
                information; and
                    (D) assess the vulnerability of sensitive 
                personally identifiable information during destruction 
                and disposal of such information, including through the 
                disposal or retirement of hardware.
            (4) Risk management and control.--Each business entity 
        shall--
                    (A) design its personal data privacy and security 
                program to control the risks identified under paragraph 
                (3); and
                    (B) adopt measures commensurate with the 
                sensitivity of the data as well as the size, 
                complexity, and scope of the activities of the business 
                entity that--
                            (i) control access to systems and 
                        facilities containing sensitive personally 
                        identifiable information, including controls to 
                        authenticate and permit access only to 
                        authorized individuals;
                            (ii) detect actual and attempted 
                        fraudulent, unlawful, or unauthorized access, 
                        disclosure, use, or alteration of sensitive 
                        personally identifiable information, including 
                        by employees and other individuals otherwise 
                        authorized to have access;
                            (iii) protect sensitive personally 
                        identifiable information during use, 
                        transmission, storage, and disposal by 
                        encryption, redaction, or access controls that 
                        are widely accepted as an effective industry 
                        practice or industry standard, or other 
                        reasonable means (including as directed for 
                        disposal of records under section 628 of the 
                        Fair Credit Reporting Act (15 U.S.C. 1681w) and 
                        the implementing regulations of such Act as set 
                        forth in section 682 of title 16, Code of 
                        Federal Regulations);
                            (iv) ensure that sensitive personally 
                        identifiable information is properly destroyed 
                        and disposed of, including during the 
                        destruction of computers, diskettes, and other 
                        electronic media that contain sensitive 
                        personally identifiable information;
                            (v) trace access to records containing 
                        sensitive personally identifiable information 
                        so that the business entity can determine who 
                        accessed or acquired such sensitive personally 
                        identifiable information pertaining to specific 
                        individuals; and
                            (vi) ensure that no third party or customer 
                        of the business entity is authorized to access 
                        or acquire sensitive personally identifiable 
                        information without the business entity first 
                        performing sufficient due diligence to 
                        ascertain, with reasonable certainty, that such 
                        information is being sought for a valid legal 
                        purpose.
    (b) Training.--Each business entity subject to this subtitle shall 
take steps to ensure employee training and supervision for 
implementation of the data security program of the business entity.
    (c) Vulnerability Testing.--
            (1) In general.--Each business entity subject to this 
        subtitle shall take steps to ensure regular testing of key 
        controls, systems, and procedures of the personal data privacy 
        and security program to detect, prevent, and respond to attacks 
        or intrusions, or other system failures.
            (2) Frequency.--The frequency and nature of the tests 
        required under paragraph (1) shall be determined by the risk 
        assessment of the business entity under subsection (a)(3).
    (d) Relationship to Service Providers.--In the event a business 
entity subject to this subtitle engages service providers not subject 
to this subtitle, such business entity shall--
            (1) exercise appropriate due diligence in selecting those 
        service providers for responsibilities related to sensitive 
        personally identifiable information, and take reasonable steps 
        to select and retain service providers that are capable of 
        maintaining appropriate safeguards for the security, privacy, 
        and integrity of the sensitive personally identifiable 
        information at issue; and
            (2) require those service providers by contract to 
        implement and maintain appropriate measures designed to meet 
        the objectives and requirements governing entities subject to 
        section 301, this section, and subtitle B.
    (e) Periodic Assessment and Personal Data Privacy and Security 
Modernization.--Each business entity subject to this subtitle shall on 
a regular basis monitor, evaluate, and adjust, as appropriate its data 
privacy and security program in light of any relevant changes in--
            (1) technology;
            (2) the sensitivity of personally identifiable information;
            (3) internal or external threats to personally identifiable 
        information; and
            (4) the changing business arrangements of the business 
        entity, such as--
                    (A) mergers and acquisitions;
                    (B) alliances and joint ventures;
                    (C) outsourcing arrangements;
                    (D) bankruptcy; and
                    (E) changes to sensitive personally identifiable 
                information systems.
    (f) Implementation Timeline.--Not later than 1 year after the date 
of enactment of this Act, a business entity subject to the provisions 
of this subtitle shall implement a data privacy and security program 
pursuant to this subtitle.

SEC. 303. ENFORCEMENT.

    (a) Civil Penalties.--
            (1) In general.--Any business entity that violates the 
        provisions of sections 301 or 302 shall be subject to civil 
        penalties of not more than $5,000 per violation per day while 
        such a violation exists, with a maximum of $500,000 per 
        violation.
            (2) Intentional or willful violation.--A business entity 
        that intentionally or willfully violates the provisions of 
        sections 301 or 302 shall be subject to additional penalties in 
        the amount of $5,000 per violation per day while such a 
        violation exists, with a maximum of an additional $500,000 per 
        violation.
            (3) Equitable relief.--A business entity engaged in 
        interstate commerce that violates this section may be enjoined 
        from further violations by a court of competent jurisdiction.
            (4) Other rights and remedies.--The rights and remedies 
        available under this section are cumulative and shall not 
        affect any other rights and remedies available under law.
    (b) Federal Trade Commission Authority.--Any <DELETED>data 
broker</DELETED>business entity shall have the provisions of this 
subtitle enforced against it by the Federal Trade Commission.
    (c) State Enforcement.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the acts or 
        practices of a <DELETED>data broker</DELETED>business entity 
        that violate this subtitle, the State may bring a civil action 
        on behalf of the residents of that State in a district court of 
        the United States of appropriate jurisdiction, or any other 
        court of competent jurisdiction, to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with this subtitle; or
                    (C) obtain civil penalties of not more than $5,000 
                per violation per day while such violations persist, up 
                to a maximum of $500,000 per violation.
            (2) Notice.--
                    (A) In general.--Before filing an action under this 
                subsection, the attorney general of the State involved 
                shall provide to the Federal Trade Commission--
                            (i) a written notice of that action; and
                            (ii) a copy of the complaint for that 
                        action.
                    (B) Exception.--Subparagraph (A) shall not apply 
                with respect to the filing of an action by an attorney 
                general of a State under this subsection, if the 
                attorney general of a State determines that it is not 
                feasible to provide the notice described in this 
                subparagraph before the filing of the action.
                    (C) Notification when practicable.--In an action 
                described under subparagraph (B), the attorney general 
                of a State shall provide the written notice and the 
                copy of the complaint to the Federal Trade Commission 
                as soon after the filing of the complaint as 
                practicable.
            (3) Federal trade commission authority.--Upon receiving 
        notice under paragraph (2), the Federal Trade Commission shall 
        have the right to--
                    (A) move to stay the action, pending the final 
                disposition of a pending Federal proceeding or action 
                as described in paragraph (4);
                    (B) intervene in an action brought under paragraph 
                (1); and
                    (C) file petitions for appeal.
            (4) Pending proceedings.--If the Federal Trade Commission 
        has instituted a proceeding or action for a violation of this 
        subtitle or any regulations thereunder, no attorney general of 
        a State may, during the pendency of such proceeding or action, 
        bring an action under this subsection against any defendant 
        named in such criminal proceeding or civil action for any 
        violation that is alleged in that proceeding or action.
            (5) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1) nothing in this subtitle shall 
        be construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths and affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (6) Venue; service of process.--
                    (A) Venue.--Any action brought under this 
                subsection may be brought in the district court of the 
                United States that meets applicable requirements 
                relating to venue under section 1391 of title 28, 
                United States Code.
                    (B) Service of process.--In an action brought under 
                this subsection, process may be served in any district 
                in which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
    (d) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a business entity for 
violation of any provision of this subtitle.

SEC. 304. RELATION TO OTHER LAWS.

    (a) In General.--No State may require any business entity subject 
to this subtitle to comply with any requirements with respect to 
administrative, technical, and physical safeguards for the protection 
of sensitive personally identifying information.
    (b) Limitations.--Nothing in this subtitle shall be construed to 
modify, limit, or supersede the operation of the Gramm-Leach-Bliley Act 
or its implementing regulations, including those adopted or enforced by 
States.

                Subtitle B--Security Breach Notification

SEC. 311. NOTICE TO INDIVIDUALS.

    (a) In General.--Any agency, or business entity engaged in 
interstate commerce, that uses, accesses, transmits, stores, disposes 
of or collects sensitive personally identifiable information shall, 
following the discovery of a security breach of such information, 
notify any resident of the United States whose sensitive personally 
identifiable information has been, or is reasonably believed to have 
been, accessed, or acquired.
    (b) Obligation of Owner or Licensee.--
            (1) Notice to owner or licensee.--Any agency, or business 
        entity engaged in interstate commerce, that uses, accesses, 
        transmits, stores, disposes of, or collects sensitive 
        personally identifiable information that the agency or business 
        entity does not own or license shall notify the owner or 
        licensee of the information following the discovery of a 
        security breach involving such information.
            (2) Notice by owner, licensee or other designated third 
        party.--Nothing in this subtitle shall prevent or abrogate an 
        agreement between an agency or business entity required to give 
        notice under this section and a designated third party, 
        including an owner or licensee of the sensitive personally 
        identifiable information subject to the security breach, to 
        provide the notifications required under subsection (a).
            (3) Business entity relieved from giving notice.--A 
        business entity obligated to give notice under subsection (a) 
        shall be relieved of such obligation if an owner or licensee of 
        the sensitive personally identifiable information subject to 
        the security breach, or other designated third party, provides 
        such notification.
    (c) Timeliness of Notification.--
            (1) In general.--All notifications required under this 
        section shall be made without unreasonable delay following the 
        discovery by the agency or business entity of a security 
        breach.
            (2) Reasonable delay.--Reasonable delay under this 
        subsection may include any time necessary to determine the 
        scope of the security breach, prevent further disclosures, and 
        restore the reasonable integrity of the data system and provide 
        notice to law enforcement when required.
            (3) Burden of proof.--The agency, business entity, owner, 
        or licensee required to provide notification under this section 
        shall have the burden of demonstrating that all notifications 
        were made as required under this subtitle, including evidence 
        demonstrating the reasons for any delay.
    (d) Delay of Notification Authorized for Law Enforcement 
Purposes.--
            (1) In general.--If a Federal law enforcement agency 
        determines that the notification required under this section 
        would impede a criminal investigation, such notification shall 
        be delayed upon written notice from such Federal law 
        enforcement agency to the agency or business entity that 
        experienced the breach.
            (2) Extended delay of notification.--If the notification 
        required under subsection (a) is delayed pursuant to paragraph 
        (1), an agency or business entity shall give notice 30 days 
        after the day such law enforcement delay was invoked unless a 
        Federal law enforcement agency provides written notification 
        that further delay is necessary.
            (3) Law enforcement immunity.--No cause of action shall lie 
        in any court against any law enforcement agency for acts 
        relating to the delay of notification for law enforcement 
        purposes under this subtitle.

SEC. 312. EXEMPTIONS.

    (a) Exemption for National Security and Law Enforcement.--
            (1) In general.--Section 311 shall not apply to an agency 
        or business entity if the agency or business entity certifies, 
        in writing, that notification of the security breach as 
        required by section 311 reasonably could be expected to--
                    (A) cause damage to the national security; or
                    (B) hinder a law enforcement investigation or the 
                ability of the agency to conduct law enforcement 
                investigations.
            (2) Limits on certifications.--An agency or business entity 
        may not execute a certification under paragraph (1) to--
                    (A) conceal violations of law, inefficiency, or 
                administrative error;
                    (B) prevent embarrassment to a business entity, 
                organization, or agency; or
                    (C) restrain competition.
            (3) Notice.--In every case in which an agency or business 
        agency issues a certification under paragraph (1), the 
        certification, accompanied by a description of the factual 
        basis for the certification, shall be immediately provided to 
        the United States Secret Service.
            (4) Secret service review of certifications.--
                    (A) In general.--The United States Secret Service 
                may review a certification provided by an agency under 
                paragraph (3), and shall review a certification 
                provided by a business entity under paragraph (3), to 
                determine whether an exemption under paragraph (1) is 
                merited. Such review shall be completed not later than 
                10 business days after the date of receipt of the 
                certification, except as provided in paragraph (5)(C).
                    (B) Notice.--Upon completing a review under 
                subparagraph (A) the United States Secret Service shall 
                immediately notify the agency or business entity, in 
                writing, of its determination of whether an exemption 
                under paragraph (1) is merited.
                    (C) Exemption.--The exemption under paragraph (1) 
                shall not apply if the United States Secret Service 
                determines under this paragraph that the exemption is 
                not merited.
            (5) Additional authority of the secret service.--
                    (A) In general.--In determining under paragraph (4) 
                whether an exemption under paragraph (1) is merited, 
                the United States Secret Service may request additional 
                information from the agency or business entity 
                regarding the basis for the claimed exemption, if such 
                additional information is necessary to determine 
                whether the exemption is merited.
                    (B) Required compliance.--Any agency or business 
                entity that receives a request for additional 
                information under subparagraph (A) shall cooperate with 
                any such request.
                    (C) Timing.--If the United States Secret Service 
                requests additional information under subparagraph (A), 
                the United States Secret Service shall notify the 
                agency or business entity not later than 10 business 
                days after the date of receipt of the additional 
                information whether an exemption under paragraph (1) is 
                merited.
    (b) Safe Harbor.--An agency or business entity will be exempt from 
the notice requirements under section 311, if--
            (1) a risk assessment concludes that--
                    (A) there is no significant risk that a security 
                breach has resulted in, or will result in, harm to the 
                individuals whose sensitive personally identifiable 
                information was subject to the security breach, with 
                the encryption of such information establishing a 
                presumption that no significant risk exists; or
                    (B) there is no significant risk that a security 
                breach has resulted in, or will result in, harm to the 
                individuals whose sensitive personally identifiable 
                information was subject to the security breach, with 
                the rendering of such sensitive personally identifiable 
                information indecipherable through the use of best 
                practices or methods, such as redaction, access 
                controls, or other such mechanisms, which are widely 
                accepted as an effective industry practice, or an 
                effective industry standard, establishing a presumption 
                that no significant risk exists;
            (2) without unreasonable delay, but not later than 45 days 
        after the discovery of a security breach, unless extended by 
        the United States Secret Service, the agency or business entity 
        notifies the United States Secret Service, in writing, of--
                    (A) the results of the risk assessment; and
                    (B) its decision to invoke the risk assessment 
                exemption; and
            (3) the United States Secret Service does not indicate, in 
        writing, within 10 business days from receipt of the decision, 
        that notice should be given.
    (c) Financial Fraud Prevention Exemption.--
            (1) In general.--A business entity will be exempt from the 
        notice requirement under section 311 if the business entity 
        utilizes or participates in a security program that--
                    (A) is designed to block the use of the sensitive 
                personally identifiable information to initiate 
                unauthorized financial transactions before they are 
                charged to the account of the individual; and
                    (B) provides for notice to affected individuals 
                after a security breach that has resulted in fraud or 
                unauthorized transactions.
            (2) Limitation.--The exemption by this subsection does not 
        apply if--
                    (A) the information subject to the security breach 
                includes sensitive personally identifiable information, 
                other than a credit card or credit card security code, 
                of any type of the sensitive personally identifiable 
                information identified in section 3; or
                    (B) the security breach includes both the 
                individual's credit card number and the individual's 
                first and last name.

SEC. 313. METHODS OF NOTICE.

    An agency or business entity shall be in compliance with section 
311 if it provides both:
            (1) Individual notice.--Notice to individuals by 1 of the 
        following means:
                    (A) Written notification to the last known home 
                mailing address of the individual in the records of the 
                agency or business entity.
                    (B) Telephone notice to the individual personally.
                    (C) E-mail notice, if the individual has consented 
                to receive such notice and the notice is consistent 
                with the provisions permitting electronic transmission 
                of notices under section 101 of the Electronic 
                Signatures in Global and National Commerce Act (15 
                U.S.C. 7001).
            (2) Media notice.--Notice to major media outlets serving a 
        State or jurisdiction, if the number of residents of such State 
        whose sensitive personally identifiable information was, or is 
        reasonably believed to have been, accessed or acquired by an 
        unauthorized person exceeds 5,000.

SEC. 314. CONTENT OF NOTIFICATION.

    (a) In General.--Regardless of the method by which notice is 
provided to individuals under section 313, such notice shall include, 
to the extent possible--
            (1) a description of the categories of sensitive personally 
        identifiable information that was, or is reasonably believed to 
        have been, accessed or acquired by an unauthorized person;
            (2) a toll-free number--
                    (A) that the individual may use to contact the 
                agency or business entity, or the agent of the agency 
                or business entity; and
                    (B) from which the individual may learn what types 
                of sensitive personally identifiable information the 
                agency or business entity maintained about that 
                individual; and
            (3) the toll-free contact telephone numbers and addresses 
        for the major credit reporting agencies.
    (b) Additional Content.--Notwithstanding section 319, a State may 
require that a notice under subsection (a) shall also include 
information regarding victim protection assistance provided for by that 
State.

SEC. 315. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.

    If an agency or business entity is required to provide notification 
to more than 5,000 individuals under section 311(a), the agency or 
business entity shall also notify all consumer reporting agencies that 
compile and maintain files on consumers on a nationwide basis (as 
defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 
1681a(p)) of the timing and distribution of the notices. Such notice 
shall be given to the consumer credit reporting agencies without 
unreasonable delay and, if it will not delay notice to the affected 
individuals, prior to the distribution of notices to the affected 
individuals.

SEC. 316. NOTICE TO LAW ENFORCEMENT.

    (a) Secret Service.--Any business entity or agency shall notify the 
United States Secret Service of the fact that a security breach has 
occurred if--
            (1) the number of individuals whose sensitive personally 
        identifying information was, or is reasonably believed to have 
        been accessed or acquired by an unauthorized person exceeds 
        10,000;
            (2) the security breach involves a database, networked or 
        integrated databases, or other data system containing the 
        sensitive personally identifiable information of more than 
        1,000,000 individuals nationwide;
            (3) the security breach involves databases owned by the 
        Federal Government; or
            (4) the security breach involves primarily sensitive 
        personally identifiable information of individuals known to the 
        agency or business entity to be employees and contractors of 
        the Federal Government involved in national security or law 
        enforcement.
    (b) Notice to Other Law Enforcement Agencies.--The United States 
Secret Service shall be responsible for notifying--
            (1) the Federal Bureau of Investigation, if the security 
        breach involves espionage, foreign counterintelligence, 
        information protected against unauthorized disclosure for 
        reasons of national defense or foreign relations, or Restricted 
        Data (as that term is defined in section 11y of the Atomic 
        Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses 
        affecting the duties of the United States Secret Service under 
        section 3056(a) of title 18, United States Code;
            (2) the United States Postal Inspection Service, if the 
        security breach involves mail fraud; and
            (3) the attorney general of each State affected by the 
        security breach.
    (c) Timing of Notices.--The notices required under this section 
shall be delivered as follows:
            (1) Notice under subsection (a) shall be delivered as 
        promptly as possible, but not later than 14 days after 
        discovery of the events requiring notice.
            (2) Notice under subsection (b) shall be delivered not 
        later than 14 days after the Service receives notice of a 
        security breach from an agency or business entity.

SEC. 317. ENFORCEMENT.

    (a) Civil Actions by the Attorney General.--The Attorney General 
may bring a civil action in the appropriate United States district 
court against any business entity that engages in conduct constituting 
a violation of this subtitle and, upon proof of such conduct by a 
preponderance of the evidence, such business entity shall be subject to 
a civil penalty of not more than $1,000 per day per individual whose 
sensitive personally identifiable information was, or is reasonably 
believed to have been, accessed or acquired by an unauthorized person, 
up to a maximum of $1,000,000 per violation, unless such conduct is 
found to be willful or intentional.
    (b) Injunctive Actions by the Attorney General.--
            (1) In general.--If it appears that a business entity has 
        engaged, or is engaged, in any act or practice constituting a 
        violation of this subtitle, the Attorney General may petition 
        an appropriate district court of the United States for an 
        order--
                    (A) enjoining such act or practice; or
                    (B) enforcing compliance with this subtitle.
            (2) Issuance of order.--A court may issue an order under 
        paragraph (1), if the court finds that the conduct in question 
        constitutes a violation of this subtitle.
    (c) Other Rights and Remedies.--The rights and remedies available 
under this subtitle are cumulative and shall not affect any other 
rights and remedies available under law.
    (d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting 
Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence 
that the consumer has received notice that the consumer's financial 
information has or may have been compromised,'' after ``identity theft 
report''.

SEC. 318. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) In General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State statute to 
        prosecute violations of consumer protection law, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the engagement 
        of a business entity in a practice that is prohibited under 
        this subtitle, the State or the State or local law enforcement 
        agency on behalf of the residents of the agency's jurisdiction, 
        may bring a civil action on behalf of the residents of the 
        State or jurisdiction in a district court of the United States 
        of appropriate jurisdiction or any other court of competent 
        jurisdiction, including a State court, to--
                    (A) enjoin that practice;
                    (B) enforce compliance with this subtitle; or
                    (C) civil penalties of not more than $1,000 per day 
                per individual whose sensitive personally identifiable 
                information was, or is reasonably believed to have 
                been, accessed or acquired by an unauthorized person, 
                up to a maximum of $1,000,000 per violation, unless 
                such conduct is found to be willful or intentional.
            (2) Notice.--
                    (A) In general.--Before filing an action under 
                paragraph (1), the attorney general of the State 
                involved shall provide to the Attorney General of the 
                United States--
                            (i) written notice of the action; and
                            (ii) a copy of the complaint for the 
                        action.
                    (B) Exemption.--
                            (i) In general.--Subparagraph (A) shall not 
                        apply with respect to the filing of an action 
                        by an attorney general of a State under this 
                        subtitle, if the State attorney general 
                        determines that it is not feasible to provide 
                        the notice described in such subparagraph 
                        before the filing of the action.
                            (ii) Notification.--In an action described 
                        in clause (i), the attorney general of a State 
                        shall provide notice and a copy of the 
                        complaint to the Attorney General at the time 
                        the State attorney general files the action.
    (b) Federal Proceedings.--Upon receiving notice under subsection 
(a)(2), the Attorney General shall have the right to--
            (1) move to stay the action, pending the final disposition 
        of a pending Federal proceeding or action;
            (2) initiate an action in the appropriate United States 
        district court under section 317 and move to consolidate all 
        pending actions, including State actions, in such court;
            (3) intervene in an action brought under subsection (a)(2); 
        and
            (4) file petitions for appeal.
    (c) Pending Proceedings.--If the Attorney General has instituted a 
proceeding or action for a violation of this subtitle or any 
regulations thereunder, no attorney general of a State may, during the 
pendency of such proceeding or action, bring an action under this 
subtitle against any defendant named in such criminal proceeding or 
civil action for any violation that is alleged in that proceeding or 
action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this subtitle regarding notification shall 
be construed to prevent an attorney general of a State from exercising 
the powers conferred on such attorney general by the laws of that State 
to--
            (1) conduct investigations;
            (2) administer oaths or affirmations; or
            (3) compel the attendance of witnesses or the production of 
        documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under subsection (a) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        subsection (a), process may be served in any district in which 
        the defendant--
                    (A) is an inhabitant; or
                    (B) may be found.
    (f) No Private Cause of Action.--Nothing in this subtitle 
establishes a private cause of action against a business entity for 
violation of any provision of this subtitle.

SEC. 319. EFFECT ON FEDERAL AND STATE LAW.

    The provisions of this subtitle shall supersede any other provision 
of Federal law or any provision of law of any State relating to 
notification by a business entity engaged in interstate commerce or an 
agency of a security breach, except as provided in section 314(b).

SEC. 320. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated such sums as may be 
necessary to cover the costs incurred by the United States Secret 
Service to carry out investigations and risk assessments of security 
breaches as required under this subtitle.

SEC. 321. REPORTING ON RISK ASSESSMENT EXEMPTIONS.

    The United States Secret Service shall report to Congress not later 
than 18 months after the date of enactment of this Act, and upon the 
request by Congress thereafter, on--
            (1) the number and nature of the security breaches 
        described in the notices filed by those business entities 
        invoking the risk assessment exemption under section 312(b) and 
        the response of the United States Secret Service to such 
        notices; and
            (2) the number and nature of security breaches subject to 
        the national security and law enforcement exemptions under 
        section 312(a), provided that such report may not disclose the 
        contents of any risk assessment provided to the United States 
        Secret Service pursuant to this subtitle.

SEC. 322. EFFECTIVE DATE.

    This subtitle shall take effect on the expiration of the date which 
is 90 days after the date of enactment of this Act.

  <DELETED>Subtitle C--Office of Federal Identity Protection</DELETED>

<DELETED>SEC. 331. OFFICE OF FEDERAL IDENTITY PROTECTION.</DELETED>

<DELETED>    (a) Establishment.--There is established in the Federal 
Trade Commission an Office of Federal Identity Protection.</DELETED>
<DELETED>    (b) Duties.--The Office of Federal Identity Protection 
shall be responsible for assisting each consumer with--</DELETED>
        <DELETED>    (1) addressing the consequences of the theft or 
        compromise of the personally identifiable information of that 
        consumer;</DELETED>
        <DELETED>    (2) accessing remedies provided under Federal law 
        and providing information about remedies available under State 
        law;</DELETED>
        <DELETED>    (3) restoring the accuracy of--</DELETED>
                <DELETED>    (A) the personally identifiable 
                information of that consumer; and</DELETED>
                <DELETED>    (B) records containing the personally 
                identifiable information of that consumer that were 
                stolen or compromised; and</DELETED>
        <DELETED>    (4) retrieving any stolen or compromised 
        personally identifiable information of that consumer.</DELETED>
<DELETED>    (c) Activities.--In order to perform the duties required 
under subsection (b), the Office of Federal Identity Protection shall 
carry out the following activities:</DELETED>
        <DELETED>    (1) Establish a website, easily and conspicuously 
        accessible from ftc.gov, dedicated to assisting consumers with 
        the retrieval of the stolen or compromised personally 
        identifiable information of the consumer.</DELETED>
        <DELETED>    (2) Maintain a toll-free phone number to help 
        answer questions concerning identity theft from 
        consumers.</DELETED>
        <DELETED>    (3) Establish online and offline consumer-service 
        teams to assist consumers seeking the retrieval of the 
        personally identifiable information of the consumer.</DELETED>
        <DELETED>    (4) Provide guidance and information to service 
        organizations or pro bono legal services programs that offer 
        individualized assistance or counseling to victims of identity 
        theft.</DELETED>
        <DELETED>    (5) Establish a reasonable standard for 
        determining when an individual becomes a victim of identity 
        theft.</DELETED>
        <DELETED>    (6) Issue certifications to individuals who, under 
        the standard described in paragraph (5), are identity theft 
        victims.</DELETED>
        <DELETED>    (7) Permit an individual to use the Office of 
        Federal Identity Protection certification--</DELETED>
                <DELETED>    (A) in all Federal, State, and local 
                jurisdictions, in lieu of a police report or any other 
                document required by State or local law, as a 
                prerequisite to accessing business records of 
                transactions done by someone claiming to be the 
                individual; and</DELETED>
                <DELETED>    (B) to establish the eligibility of that 
                individual for--</DELETED>
                        <DELETED>    (i) the fraud alert protections 
                        under section 605A of the Fair Credit Reporting 
                        Act (15 U.S.C. 1681c-1); and</DELETED>
                        <DELETED>    (ii) the reporting protections 
                        under section 605B(a) of the Fair Credit 
                        Reporting Act (15 U.S.C. 1681c-2(a)).</DELETED>
        <DELETED>    (8) Coordinate, as the Office determines 
        necessary, with the designated Chief Privacy Officer of each 
        Federal agency, or any other designated senior official in such 
        agency in charge of privacy, in order to meet the duties of 
        assisting consumers as required under subsection (b).</DELETED>
        <DELETED>    (9) In addition to the requirements in paragraphs 
        (1) through (7), the Federal Trade Commission shall promulgate 
        regulations that enable the Office of Federal Identity 
        Protection to help consumers restore their stolen or otherwise 
        compromised personally identifiable information quickly and 
        inexpensively.</DELETED>
<DELETED>    (d) Authorization of Appropriations.--There are authorized 
to be appropriated for the Office of Federal Identity Protection such 
sums as are necessary for fiscal year 2010 and each of the 4 succeeding 
fiscal years.</DELETED>

       TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

SEC. 401. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.

    (a) In General.--In considering contract awards totaling more than 
$500,000 and entered into after the date of enactment of this Act with 
data brokers, the Administrator of the General Services Administration 
shall evaluate--
            (1) the data privacy and security program of a data broker 
        to ensure the privacy and security of data containing 
        personally identifiable information, including whether such 
        program adequately addresses privacy and security threats 
        created by malicious software or code, or the use of peer-to-
        peer file sharing software;
            (2) the compliance of a data broker with such program;
            (3) the extent to which the databases and systems 
        containing personally identifiable information of a data broker 
        have been compromised by security breaches; and
            (4) the response by a data broker to such breaches, 
        including the efforts by such data broker to mitigate the 
        impact of such security breaches.
    (b) Compliance Safe Harbor.--The data privacy and security program 
of a data broker shall be deemed sufficient for the purposes of 
subsection (a), if the data broker complies with or provides protection 
equal to industry standards, as identified by the Federal Trade 
Commission, that are applicable to the type of personally identifiable 
information involved in the ordinary course of business of such data 
broker.
    (c) Penalties.--In awarding contracts with data brokers for 
products or services related to access, use, compilation, distribution, 
processing, analyzing, or evaluating personally identifiable 
information, the Administrator of the General Services Administration 
shall--
            (1) include monetary or other penalties--
                    (A) for failure to comply with subtitles A and B of 
                title III; or
                    (B) if a contractor knows or has reason to know 
                that the personally identifiable information being 
                provided is inaccurate, and provides such inaccurate 
                information; and
            (2) require a data broker that engages service providers 
        not subject to subtitle A of title III for responsibilities 
        related to sensitive personally identifiable information to--
                    (A) exercise appropriate due diligence in selecting 
                those service providers for responsibilities related to 
                personally identifiable information;
                    (B) take reasonable steps to select and retain 
                service providers that are capable of maintaining 
                appropriate safeguards for the security, privacy, and 
                integrity of the personally identifiable information at 
                issue; and
                    (C) require such service providers, by contract, to 
                implement and maintain appropriate measures designed to 
                meet the objectives and requirements in title III.
    (d) Limitation.--The penalties under subsection (c) shall not apply 
to a data broker providing information that is accurately and 
completely recorded from a public record source or licensor.

SEC. 402. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF 
              CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.

    Section 3544(b) of title 44, United States Code, is amended--
            (1) in paragraph (7)(C)(iii), by striking ``and'' after the 
        semicolon;
            (2) in paragraph (8), by striking the period and inserting 
        ``; and''; and
            (3) by adding at the end the following:
            ``(9) procedures for evaluating and auditing the 
        information security practices of contractors or third party 
        business entities supporting the information systems or 
        operations of the agency involving personally identifiable 
        information (as that term is defined in section 3 of the 
        Personal Data Privacy and Security Act of 2009) and ensuring 
        remedial action to address any significant deficiencies.''.

SEC. 403. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL 
              INFORMATION SERVICES CONTAINING PERSONALLY IDENTIFIABLE 
              INFORMATION.

    (a) In General.--Section 208(b)(1) of the E-Government Act of 2002 
(44 U.S.C. 3501 note) is amended--
            (1) in subparagraph (A)(i), by striking ``or''; and
            (2) in subparagraph (A)(ii), by striking the period and 
        inserting ``; or''; and
            (3) by inserting after clause (ii) the following:
                            ``(iii) purchasing or subscribing for a fee 
                        to personally identifiable information from a 
                        data broker (as such terms are defined in 
                        section 3 of the Personal Data Privacy and 
                        Security Act of 2009).''.
    (b) Limitation.--Notwithstanding any other provision of law, 
commencing 1 year after the date of enactment of this Act, no Federal 
agency may enter into a contract with a data broker to access for a fee 
any database consisting primarily of personally identifiable 
information concerning United States persons (other than news reporting 
or telephone directories) unless the head of such department or 
agency--
            (1) completes a privacy impact assessment under section 208 
        of the E-Government Act of 2002 (44 U.S.C. 3501 note), which 
        shall subject to the provision in that Act pertaining to 
        sensitive information, include a description of--
                    (A) such database;
                    (B) the name of the data broker from whom it is 
                obtained; and
                    (C) the amount of the contract for use;
            (2) adopts regulations that specify--
                    (A) the personnel permitted to access, analyze, or 
                otherwise use such databases;
                    (B) standards governing the access, analysis, or 
                use of such databases;
                    (C) any standards used to ensure that the 
                personally identifiable information accessed, analyzed, 
                or used is the minimum necessary to accomplish the 
                intended legitimate purpose of the Federal agency;
                    (D) standards limiting the retention and 
                redisclosure of personally identifiable information 
                obtained from such databases;
                    (E) procedures ensuring that such data meet 
                standards of accuracy, relevance, completeness, and 
                timeliness;
                    (F) the auditing and security measures to protect 
                against unauthorized access, analysis, use, or 
                modification of data in such databases;
                    (G) applicable mechanisms by which individuals may 
                secure timely redress for any adverse consequences 
                wrongly incurred due to the access, analysis, or use of 
                such databases;
                    (H) mechanisms, if any, for the enforcement and 
                independent oversight of existing or planned 
                procedures, policies, or guidelines; and
                    (I) an outline of enforcement mechanisms for 
                accountability to protect individuals and the public 
                against unlawful or illegitimate access or use of 
                databases; and
            (3) incorporates into the contract or other agreement 
        totaling more than $500,000, provisions--
                    (A) providing for penalties--
                            (i) for failure to comply with title III of 
                        this Act; or
                            (ii) if the entity knows or has reason to 
                        know that the personally identifiable 
                        information being provided to the Federal 
                        department or agency is inaccurate, and 
                        provides such inaccurate information; and
                    (B) requiring a data broker that engages service 
                providers not subject to subtitle A of title III for 
                responsibilities related to sensitive personally 
                identifiable information to--
                            (i) exercise appropriate due diligence in 
                        selecting those service providers for 
                        responsibilities related to personally 
                        identifiable information;
                            (ii) take reasonable steps to select and 
                        retain service providers that are capable of 
                        maintaining appropriate safeguards for the 
                        security, privacy, and integrity of the 
                        personally identifiable information at issue; 
                        and
                            (iii) require such service providers, by 
                        contract, to implement and maintain appropriate 
                        measures designed to meet the objectives and 
                        requirements in title III.
    (c) Limitation on Penalties.--The penalties under subsection 
(b)(3)(A) shall not apply to a data broker providing information that 
is accurately and completely recorded from a public record source.
    (d) Study of Government Use.--
            (1) Scope of study.--Not later than 180 days after the date 
        of enactment of this Act, the Comptroller General of the United 
        States shall conduct a study and audit and prepare a report on 
        Federal agency actions to address the recommendations in the 
        Government Accountability Office's April 2006 report on agency 
        adherence to key privacy principles in using data brokers or 
        commercial databases containing personally identifiable 
        information.
            (2) Report.--A copy of the report required under paragraph 
        (1) shall be submitted to Congress.

SEC. 404. IMPLEMENTATION OF CHIEF PRIVACY OFFICER REQUIREMENTS.

    (a) Designation of the Chief Privacy Officer.--Pursuant to the 
requirements under section 522 of the Transportation, Treasury, 
Independent Agencies, and General Government Appropriations Act, 2005 
(division H of Public Law 108-447; 118 Stat. 3199) that each agency 
designate a Chief Privacy Officer, the Department of Justice shall 
implement such requirements by designating a department-wide Chief 
Privacy Officer, whose primary role shall be to fulfill the duties and 
responsibilities of Chief Privacy Officer and who shall report directly 
to the Deputy Attorney General.
    (b) Duties and Responsibilities of Chief Privacy Officer.--In 
addition to the duties and responsibilities outlined under section 522 
of the Transportation, Treasury, Independent Agencies, and General 
Government Appropriations Act, 2005 (division H of Public Law 108-447; 
118 Stat. 3199), the Department of Justice Chief Privacy Officer 
shall--
            (1) oversee the Department of Justice's implementation of 
        the requirements under section 403 to conduct privacy impact 
        assessments of the use of commercial data containing personally 
        identifiable information by the Department; and
            (2) coordinate with the Privacy and Civil Liberties 
        Oversight Board, established in the Intelligence Reform and 
        Terrorism Prevention Act of 2004 (Public Law 108-458), in 
        implementing this section.
                                                       Calendar No. 208

111th CONGRESS

  1st Session

                                S. 1490

_______________________________________________________________________

                                 A BILL

 To prevent and mitigate identity theft, to ensure privacy, to provide 
  notice of security breaches, and to enhance criminal penalties, law 
    enforcement assistance, and other protections against security 
  breaches, fraudulent access, and misuse of personally identifiable 
                              information.

_______________________________________________________________________

                            November 5, 2009

                        Reported with amendments