[Congressional Record Volume 143, Number 45 (Wednesday, April 16, 1997)]
[Senate]
[Pages S3292-S3294]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mrs. FEINSTEIN (for herself and Mr. Grassley):
  S. 600. A bill to protect the privacy of the individual with respect 
to the social security number and other personal information, and for 
other purposes; to the Committee on Finance.


              THE PERSONAL INFORMATION PRIVACY ACT OF 1997

  Mrs. FEINSTEIN. Mr. President, today, along with my distinguished 
colleague, Senator Charles Grassley, I am introducing the Personal 
Information Privacy Act of 1997. This legislation limits the 
accessibility and unauthorized commercial use of social security 
numbers, unlisted telephone numbers, and certain other types of 
sensitive personal information.
  In November, the news media reported that companies were distributing 
social security numbers along with other private information in their 
online personal locator or look-up services.
  In fact, I found that my own social security number was accessible to 
users of the Internet. My staff retrieved it in less than 3 minutes. I 
have the printout in my files.
  Some of the larger and more visible companies have now discontinued 
the practice of displaying social security numbers directly on the 
computer screens of Internet users. Other enterprises have failed to 
modify their practices. One problem thwarting efforts to protect our 
citizens' privacy is that there are thousands of information providers 
on the Internet and elsewhere in the electronic arena--it is impossible 
to get a comprehensive picture of who is doing what, and where.
  But one fact is clear, distributing social security numbers on the 
Internet is only the tip of the iceberg.
  Too many firms profit from renting and selling social security 
numbers, unlisted telephone numbers, and other forms of sensitive 
personal information. List compilers and list brokers use records of 
consumer purchases and other transactions--including medical 
purchases--along with financial, demographic, and other data to create 
increasingly detailed profiles of individuals.
  The growth of interactive communications has generated an explosive 
growth in information about our interests, our activities, and our 
illnesses--about the personal choices we make when we order products, 
inquire about services, participate in workshops, and visit sites on 
the Net.

  A Newsday article titled ``Your Life as an Open Book'' recently 
reported that an individual's call to a toll free number to learn the 
daily pollen count resulted in a disclosure to a pharmaceutical company 
that the caller was likely to have an interest in pollen remedies.
  It is true that knowledge about personal interests, circumstances, 
and activities can help companies tailor their products to individual 
needs and target their marketing efforts. But there need to be 
limitations.
  Prior to the widespread use of computers, individual records were 
stored on paper in Government file cabinets at scattered locations 
around the country. These records were difficult to obtain. Now, with 
networked computers, multiple sets of records can be merged or matched 
with one another, creating highly detailed portraits of our interests, 
our allergies, food preferences, musical tastes, levels of wealth, 
gender, ethnicity, homes, and neighborhoods. These records can be 
disseminated around the world in seconds.
  What is the result? In addition to receiving floods of unwanted mail 
solicitations, people are losing control over their own identities. We 
don't know where this information is going, or how it is being used. We 
don't know how much is out there, and who is getting it. Our private 
lives are becoming commodities with tremendous value in the 
marketplace, yet we, the owners of the information, often do not derive 
the benefits. Information about us can be used to our detriment.
  As an example, the widespread availability of Social Security numbers 
and other personal information has led to an exponential growth in 
identity theft, whereby criminals are able to assume the identities of 
others to gain access to charge accounts and bank accounts, to obtain 
the personal records of others, and to steal Government benefits.
  In 1992, Joe Gutierrez, a retired Air Force chief master sergeant in 
California became a victim of identity theft when a man used his Social 
Security number to open 20 fraudulent accounts. To this day, Mr. 
Gutierrez has been hounded by creditors and their collection agencies. 
``It is pure hell,'' he said in an interview with the San Diego Union 
Tribune. ``They have called me a cheat, a deadbeat, a bum. They have 
questioned my character, my integrity, and my upbringing.''
  As an additional problem, the unauthorized distribution of personal 
information can lead to public safety concerns, including stalking of 
battered spouses, celebrities, and other citizens.
  There are very few laws to protect personal privacy in the United 
States. The Privacy Act of 1974 is limited, and applies only to the use 
of personal information by the Government.

[[Page S3293]]

  With minor exceptions, the collection and use of personal information 
by the private sector is virtually unregulated. In other words, private 
companies have nearly unlimited authority to compile and sell 
information about individuals. As technology becomes more 
sophisticated, the ability to collect, synthesize and distribute 
personal information is growing exponentially.
  The Personal Information Privacy Act of 1997 will help cut off the 
dissemination of Social Security numbers, unlisted telephone numbers, 
and other personal information at the source.
  First, the bill amends the Fair Credit Reporting Act to ensure the 
confidentiality of personal information in the credit headers 
accompanying credit reports. Credit headers contain personal 
identification information which serves to link individuals to their 
credit reports.
  Currently, credit bureaus routinely sell and rent credit header 
information to mailing list brokers and marketing companies. This is 
not the use for which this information was intended.
  The bill we are introducing today would prevent credit bureaus from 
disseminating Social Security numbers, unlisted telephone numbers, 
dates of birth, past addresses, and mothers' maiden names. This is 
important because this kind of information is subject to serious 
abuse--to open fraudulent charge accounts, to manipulate bank accounts, 
and to gain access to the personal records of others.
  An exception is provided for information that citizens have chosen to 
list in their local phone directories. This means that phone numbers 
and addresses may be released if they already are available in phone 
directories.
  As a second means of limiting the circulation of Social Security 
numbers, the bill restricts the dissemination of Social Security 
numbers by State departments of motor vehicles. Specifically, the bill 
amends certain exemptions to the Driver's Protection Act of 1994.

  The legislation would prohibit State departments of motor vehicles 
from disseminating Social Security numbers for bulk distribution for 
surveys, marketing, or solicitations.
  The bill requires uses of Social Security numbers by State 
Departments of Motor Vehicles to be consistent with the uses authorized 
by the Social Security Act and by other statutes explicitly authorizing 
their use.
  In addition to the above measures which will limit the accessibility 
of Social Security numbers, the Personal Information Privacy Act of 
1997 penalizes the unauthorized commercial use of Social Security 
numbers.
  Specifically, the bill amends the Social Security Act to prohibit the 
commercial use of a Social Security number in the absence of the 
owner's written consent. Exceptions are provided for uses authorized by 
the Social Security Act, the Privacy Act of 1974, and other statutes 
specifically authorizing such use.
  I believe this bill represents a major step in protecting the privacy 
of our citizens, and I urge my colleagues to support it. I ask 
unanimous consent that the text of the bill be included in the Record 
following our remarks.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                 S. 600

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Personal Information Privacy 
     Act of 1997''.

     SEC. 2. CONFIDENTIAL TREATMENT OF CREDIT HEADER INFORMATION.

       Section 603(d) of the Fair Credit Reporting Act (15 U.S.C. 
     1681a(d)) is amended by inserting after the first sentence 
     the following: ``The term also includes any other identifying 
     information of the consumer, except the name, address, and 
     telephone number of the consumer if listed in a residential 
     telephone directory available in the locality of the 
     consumer.''.

     SEC. 3. PROTECTING PRIVACY BY PROHIBITING USE OF THE SOCIAL 
                   SECURITY NUMBER FOR COMMERCIAL PURPOSES WITHOUT 
                   CONSENT.

       (a) In General.--Part A of title XI of the Social Security 
     Act (42 U.S.C. 1301 et seq.) is amended by adding at the end 
     the following:


 ``prohibition of certain misuses of the social security account number

       ``Sec. 1146. (a) Prohibition of Commercial Acquisition or 
     Distribution.--No person may buy, sell, offer for sale, take 
     or give in exchange, or pledge or give in pledge any 
     information for the purpose, in whole or in part, of 
     conveying by means of such information any individual's 
     social security account number, or any derivative of such 
     number, without the written consent of such individual.
       ``(b) Prohibition of Use as Personal Identification 
     Number.--No person may utilize any individual's social 
     security account number, or any derivative of such number, 
     for purposes of identification of such individual without the 
     written consent of such individual.
       ``(c) Prerequisites for Consent.--In order for consent to 
     exist under subsection (a) or (b), the person engaged in, or 
     seeking to engage in, an activity described in such 
     subsection shall--
       ``(1) inform the individual of all the purposes for which 
     the number will be utilized and the persons to whom the 
     number will be known; and
       ``(2) obtain affirmatively expressed consent in writing.
       ``(d) Exceptions.--Nothing in this section shall be 
     construed to prohibit any use of social security account 
     numbers permitted or required under section 205(c)(2) of this 
     Act, section 7(a)(2) of the Privacy Act of 1974 (5 U.S.C. 
     552a note; 88 Stat. 1909), or section 6109(d) of the Internal 
     Revenue Code of 1986.
       ``(e) Civil Action in United States District Court; 
     Damages; Attorneys Fees and Costs; Nonexclusive Nature of 
     Remedy.--
       ``(1) In general.--Any individual aggrieved by any act of 
     any person in violation of this section may bring a civil 
     action in a United States district court to recover--
       ``(A) such preliminary and equitable relief as the court 
     determines to be appropriate; and
       ``(B) the greater of--
       ``(i) actual damages; and
       ``(ii) liquidated damages of $25,000 or, in the case of a 
     violation that was willful and resulted in profit or monetary 
     gain, $50,000.
       ``(2) Attorney's fees and costs.--In the case of a civil 
     action brought under paragraph (1) in which the aggrieved 
     individual has substantially prevailed, the court may assess 
     against the respondent a reasonable attorney's fee and other 
     litigation costs and expenses (including expert fees) 
     reasonably incurred.
       ``(3) Statute of limitations.--No action may be commenced 
     under this subsection more than 3 years after the date on 
     which the violation was or should reasonably have been 
     discovered by the aggrieved individual.
       ``(4) Nonexclusive remedy.--The remedy provided under this 
     subsection shall be in addition to any other lawful remedy 
     available to the individual.
       ``(f) Civil Money Penalties.--
       ``(1) In general.--Any person who the Commissioner of 
     Social Security determines has violated this section shall be 
     subject, in addition to any other penalties that may be 
     prescribed by law, to--
       ``(A) a civil money penalty of not more than $25,000 for 
     each such violation, and
       ``(B) a civil money penalty of not more than $500,000, if 
     violations have occurred with such frequency as to constitute 
     a general business practice.
       ``(2) Determination of violations.--Any violation committed 
     contemporaneously with respect to the social security account 
     numbers of 2 or more individuals by means of mail, 
     telecommunication, or otherwise shall be treated as a 
     separate violation with respect to each such individual.
       ``(3) Enforcement procedures.--The provisions of section 
     1128A (other than subsections (a), (b), (f), (h), (i), (j), 
     and (m), and the first sentence of subsection (c)) and the 
     provisions of subsections (d) and (e) of section 205 shall 
     apply to civil money penalties under this subsection in the 
     same manner as such provisions apply to a penalty or 
     proceeding under section 1128A(a), except that, for purposes 
     of this paragraph, any reference in section 1128A to the 
     Secretary shall be deemed a reference to the Commissioner of 
     Social Security.
       ``(g) Regulation by States.--Nothing in this section shall 
     be construed to prohibit any State authority from enacting or 
     enforcing laws consistent with this section for the 
     protection of privacy.''.
       (b) Effective Date.--The amendment made by this section 
     applies with respect to violations occurring on and after the 
     date which is 2 years after the date of enactment of this 
     Act.

      SEC. 4. RESTRICTION ON USE OF SOCIAL SECURITY NUMBERS BY 
                   STATE DEPARTMENTS OF MOTOR VEHICLES.

       (a) Restriction on Governmental Use.--Section 2721(b)(1) of 
     title 18, United States Code, is amended by striking ``its 
     functions.'' and inserting ``its functions, but in the case 
     of social security numbers, only to the extent permitted or 
     required under section 205(c)(2) of the Social Security Act 
     (42 U.S.C. 405(c)(2)), section 7(a)(2) of the Privacy Act of 
     1974 (5 U.S.C. 552a note, 88 Stat. 1909), section 6109(d) of 
     the Internal Revenue Code of 1986, or any other provision of 
     law specifically identifying such use.''.
       (b) Prohibition of Use by Marketing Companies.--Section 
     2721(b)(12) of title 18, United States Code, is amended by 
     striking ``For'' and inserting ``Except in the case of social 
     security numbers, for''.

  Mr. GRASSLEY. Mr. President, I rise today to join my colleague, Mrs. 
Feinstein, in introducing important legislation. This legislation, the 
Personal Information Privacy Act of 1997, is a

[[Page S3294]]

solid first step toward keeping our personal information from being 
misused.
  In this amazing time of technology explosion, new challenges face our 
society. New technology makes information more readily available for 
many uses. This information helps the college student write a better 
term paper, it helps businesses function more effectively, and it helps 
professionals to stay better informed of developments in their fields. 
The technology that provides this ready access to infinite information 
also helps friends and families communicate across continents, 
increases the feasibility of working from a home office, and provides 
many other advantages.
  However, with these advantages come added risk. Dissemination of 
information is generally good, but dissemination of all information is 
not good. Technology can help people with bad intentions find their 
victims. It can also give people access to personal information that we 
would rather they not have. With minimal information and a few 
keystrokes, virtually anyone could have your lifetime credit history 
and personal wages downloaded to their computer. For this reason, it is 
important that we work to make sure some personal information stays out 
of the hands of people we have never met, whose intentions we don't 
know.
  One of the most important functions of lawmaking is to make sure that 
law keeps up with society, and in this case, technology. The bill that 
Senator Feinstein and I are introducing today is a solid first step. I 
will soon be introducing additional legislation affecting the Internet 
because I believe it is important that we talk about issues related to 
new technologies; that we exchange ideas. And at the end of the day, we 
must preserve the confidentiality of personal information and the 
safety of individuals.

                          ____________________