[Congressional Record Volume 147, Number 26 (Thursday, March 1, 2001)]
[Senate]
[Pages S1788-S1789]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. NELSON of Florida:
  S. 450. A bill to amend the Gramm-Leach-Bliley Act to provide for 
enhanced protection of nonpublic personal information, including health 
information, and for other purposes; to the Committee on Banking, 
Housing, and Urban Affairs.
  S. 451. A bill to establish civil and criminal penalties for the sale 
or purchase of a social security number; to the Committee on Finance.
  Mr. NELSON of Florida. Mr. President, I rise today to express my 
grave concern about the administration's decision that apparently 
favors the interests of big insurance companies over the health privacy 
rights of Americans.
  I was dismayed to learn on Tuesday that the Secretary of Health and 
Human Services prevented new medical privacy rules from coming into 
effect. In essence, these rules would have prevented doctors and 
insurers from sharing private medical information about their patients.
  The delay ostensibly is to allow further discussion. But it makes no 
sense. The rules have been debated in Washington for nearly 10 years. 
The Secretary's decision was unfortunate. There are no acceptable 
excuses for their delay. Consumers deserve to have their personally 
identifiable information protected from prying eyes.
  I promised the people of my State in the course of the last 6 to 8 
months of the discussion in the course of the campaign that I would 
make protecting their privacy one of my top priorities, because too 
often these days, personally identifiable medical and financial 
information is being shared, bought, or sold, and it is being done 
without the consent of the consumer. This practice must stop. It is our 
job to pass legislation that will stop it.
  Today, I am going to be introducing two bills that begin to address 
aspects of the privacy crisis. Both bills build upon the undeniable 
principle that information gathered for one purpose should never be 
disclosed, made available, or otherwise used for another purpose 
without the consumer's consent.
  Clearly, we should be able to share information with our doctor that 
we don't want revealed to other people, particularly an employer or a 
money lender. I am going to work hard to try to pass these privacy 
protections for every American.
  The first bill prohibits banks and financial institutions from 
selling or sharing private customer information. I strongly believe 
that financial institutions should not be allowed to pass along 
confidential customer, financial, or medical information to affiliates, 
business partners, or others who wish to turn a profit from an 
individual's personal data.
  I have a little bit of background in this because 6 years ago, when I 
had the privilege of being the elected insurance commissioner of the 
State of Florida, there was a case in front of the U.S. Supreme Court 
entitled Barnett Banks v. Bill Nelson, in my capacity as insurance 
commissioner. The issue was on a technical question of a 1916 Federal 
law as to whether or not banks could sell insurance. The Court ruled, 
on the basis of that law, that it pertained to the business of 
insurance, the upshot of which was that banks could sell insurance. In 
our argument, we noted that if that occurred, there was always the 
possibility that you had to protect against coercion and protect 
against privacy rights being invaded.
  As a result of that unanimous Supreme Court decision, Congress then, 
in 1999, enacted the Financial Services Modernization Act. In the 11th 
hour of the closing of the session in October, the promise was made 
that, if you can pass this bill now, we will come back next year--the 
year 2000--and enact the privacy protections. That promise was not 
fulfilled in the year 2000.

  For under the present condition of the law, there is a gaping 
loophole on privacy protection. In an era of mergers, under the new 
law, banks can now join with insurance companies and then evaluate the 
medical information of their affiliates' policyholders before deciding 
whether or not to issue a loan.
  What my legislation will do is require the express written consent of 
the consumer before any personally identifiable medical information can 
be shared or sold, and the express consent of the consumer before any 
personally identifiable financial information can be shared or sold.
  For the consumer, privacy should always be the assumption. To prevent 
coercion, this legislation I am introducing prohibits banks and 
financial companies from denying service to customers who refuse to 
consent to the sale of their personally identifiable financial and 
medical information. To make sure financial institutions take this law 
seriously, under the legislation, officers of the company can incur 
personal liability for failing to comply.
  This is a serious problem: the invasion of our privacy under the 
current condition of the law. It demands a serious remedy. I am going 
to be encouraging all of our colleagues to join with me and fulfill the 
promise that the Congress made in 1999 in the enactment of the 
Financial Services Modernization Act by plugging this gaping loophole 
where there is no privacy protection.
  There is a second bill that I am introducing today. It makes the 
selling or purchasing of an individual's Social Security number a 
Federal crime. Social Security numbers are often the key to unlocking 
vast stores of personal information, both in the private sector and the 
Federal Government. If there is any personal identification number, it 
is the Social Security number. We look all around us and we see that 
identity theft has grown at an alarming rate during the past decade--in 
many cases, through the Social Security number abuse.
  My goodness, we have heard of credit cards being established in 
somebody else's name by the theft of their Social Security number and 
running up huge bills. We have heard these stories over and over, and 
even the confusion caused by identity theft, where crimes are reported 
to be attributed to an individual who does not have anything to do with 
it.
  When a Social Security number falls into the wrong hands, tremendous 
financial and personal damage can be incurred. To tackle this terrible 
problem, this legislation that I am introducing today establishes 
criminal and monetary penalties. The bill creates both prison terms and 
fines of up to $100,000 for buying or selling Social Security numbers.
  I hope in this field of privacy protection that the Senate is going 
to ultimately fulfill the promise that it made 2 years ago and move 
quickly in this session to protect the privacy of our American 
citizens.
  I ask unanimous consent that the text of both bills be printed in the 
Record.
  There being no objection, the bills were ordered to be printed in the 
Record, as follows:

                                 S. 450

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Financial Institution 
     Privacy Protection Act of 2001''.

     SEC. 2. PROTECTION OF PRIVATE HEALTH INFORMATION.

       Section 509(4) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6809(4)) is amended by adding at the end the following:
       ``(D) The term `nonpublic personal information' includes 
     health information, defined as any information, including 
     genetic information, demographic information, and tissue 
     samples collected from an individual, whether oral or 
     recorded in any form or medium--
       ``(i) that is created or received by a health care 
     provider, health researcher, health plan, health oversight 
     agency, public health authority, employer, health or life 
     insurer, school or university; and
       ``(ii) that--
       ``(I) relates to the past, present, or future physical or 
     mental health or condition of an individual (including 
     individual cells and their components), the provision of 
     health care to an individual, or the past, present, or future 
     payment for the provision of health care to an individual; 
     and
       ``(II) that identifies an individual, or with respect to 
     which there is a reasonable basis to believe that the 
     information can be used to identify an individual.''.

     SEC. 3. OPT-IN FOR SHARING OF INFORMATION.

       Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) 
     is amended--
       (1) in subsection (a)--
       (A) by inserting ``any affiliate or'' before ``a 
     nonaffiliated'';
       (B) by striking ``unless such'' and inserting the 
     following: ``unless--
       ``(1) the institution provides''; and
       (C) by striking the period at the end and inserting the 
     following: ``; and
       ``(2) the consumer to whom the information pertains--
       ``(A) has affirmatively consented (in writing, in the case 
     of health information, as defined in section 509(4)(D)), in 
     accordance with rules prescribed under section 504, to the 
     disclosure of such information; and
       ``(B) has not withdrawn such consent.''; and
       (2) by striking subsection (b) and inserting the following:
       ``(b) Denial of Service Prohibited.--A financial 
     institution may not deny a financial product or a financial 
     service to any consumer based on the refusal by the consumer 
     to grant the consent required by this section.''.

     SEC. 4. COMPLIANCE OFFICERS.

       Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) 
     is amended by adding at the end the following:
       ``(c) Compliance Officers.--Each financial institution 
     shall designate a privacy compliance officer, who shall be 
     responsible for ensuring compliance by the institution with 
     the requirements of this title and the privacy policies of 
     the institution.''.

     SEC. 5. LIABILITY.

       Section 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6805) 
     is amended by adding at the end the following:
       ``(e) Civil Penalties.--The Attorney General of the United 
     States may bring a civil action in the appropriate district 
     court of the United States against any financial institution 
     that engages in conduct constituting a violation of this 
     title, and, upon proof of such violation--
       ``(1) the financial institution shall be subject to a civil 
     penalty of not more than $100,000 for each such violation; 
     and
       ``(2) the officers and directors of the financial 
     institution shall be subject to, and shall be personally 
     liable for, a civil penalty of not more than $10,000 for each 
     such violation.''.
                                  ____


                                 S. 451

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Social Security Number 
     Protection Act of 2001''.

     SEC. 2. PROHIBITION OF THE SALE OR PURCHASE OF A SOCIAL 
                   SECURITY NUMBER.

       (a) Definitions.--In this section:
       (1) Purchase.--The term ``purchase'' means providing 
     directly or indirectly, anything of value in exchange for a 
     social security number.
       (2) Sale.--The term ``sale'' means obtaining, directly or 
     indirectly, anything of value in exchange for a social 
     security number.
       (3) Social security number.--The term ``social security 
     number'' has the meaning given that term in section 208(c) of 
     the Social Security Act (42 U.S.C. 408(c)), and includes a 
     social security account number (as defined in such section) 
     and any identifying portion or derivative of such a number.
       (b) Prohibition of the Sale or Purchase of a Social 
     Security Number.--No person may sell or purchase a social 
     security number.
       (c) Civil Money Penalties.--
       (1) In general.--Any person who the Attorney General 
     determines has violated subsection (b) shall be subject, in 
     addition to any other penalties that may be prescribed by 
     law, to a civil money penalty of not more than--
       (A) in the case of an individual, $10,000 for each such 
     violation; and
       (B) in the case of any other person, $100,000 for each such 
     violation.
       (2) Enforcement procedures.--The provisions of section 
     1128A of the Social Security Act (42 U.S.C. 1320a-7a) (other 
     than subsections (a), (b), (f), (h), (i), (j), and (m), and 
     the first sentence of subsection (c)), and the provisions of 
     subsections (d) and (e) of section 205 of the Social Security 
     Act (42 U.S.C. 405), shall apply to a civil money penalty 
     imposed under this subsection in the same manner as such 
     provisions apply, respectively, to a penalty or proceeding 
     under section 1128A(a) of that Act or to a hearing, 
     investigation, or other proceeding authorized or directed 
     under title II of that Act, except that, for purposes of this 
     paragraph, any reference in section 1128A of that Act to 
     ``the Secretary'' and any reference in section 205 of that 
     Act to ``the Commissioner of Social Security'' shall be 
     deemed to be a reference to the ``Attorney General''.
       (d) Criminal Sanctions.--Section 208(a) of the Social 
     Security Act (42 U.S.C. 408(a)) is amended--
       (1) in paragraph (8), by inserting ``or'' after the 
     semicolon; and
       (2) by inserting after paragraph (8) the following new 
     paragraph:
       ``(9) knowingly and willfully sells or purchases (as such 
     terms are defined in section 2(a) of the Social Security 
     Number Protection Act of 2001) a social security number (as 
     defined in subsection (c));''.