[Congressional Record Volume 149, Number 96 (Thursday, June 26, 2003)]
[Senate]
[Pages S8738-S8740]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mrs. FEINSTEIN:
  S 1350. A bill to require Federal agencies, and persons engaged in 
interstate commerce, in possession of electronic data containing 
personal information, to disclose any unauthorized acquisition of such 
information; to the Committee on the Judiciary.
  Mrs. FEINSTEIN. Mr. President, I rise to introduce the Notification 
of Risk to Personal Data Act of 2003. This legislation will require 
that individuals be notified when their most sensitive personal 
information is stolen from a corporate or government database.
  Specifically, the bill would require government or private entities 
to notify individuals if a data breach has compromised their Social 
Security number, driver's license number, credit card number, debit 
card number, or financial account numbers.
  In most cases, if authorities know that someone is a victim of a 
crime, the victim is notified. But that isn't the case if an 
individual's most sensitive personal information is stolen from an 
electronic database.
  Unfortunately, data breaches are becoming all too common. Consider 
the following incidents which have compromised the records of hundreds 
of thousands of Americans.
  On April 5, 2002, a hacker broke into the electronic records of 
Steven P. Teale Data Center, the payroll facility for California State 
employees. The hacker compromised files containing the first initials, 
middle initials, and last names, Social Security numbers, and payroll 
deduction information of approximately 265,000 people. Despite the 
breathtaking potential harm of the crime, the breach was not publicly 
acknowledged and State employees were not made aware of their 
vulnerability to identity theft until May 24, 2002--17 days later.
  On December 14, 2002, TriWest Health Care Alliance, a company that 
provides health care coverage for military personnel and their 
families, was burglarized at its Phoenix, AZ offices. Thieves broke 
into a management suite and stole laptop computers and computer hard 
drives containing the names, addresses, telephone numbers, birth dates 
and Social Security numbers of 562,000 military service members, 
dependents and retirees, as well as medical claims records for people 
on active duty in the Persian Gulf.
  In February 2003, a hacker gained access to 10 million Visa, 
MasterCard, American Express Card and Discover Card numbers from the 
databases of a credit processor, DPI Merchant Services of Omaha, NE. 
Company officials maintained that the intruder did not obtain any 
personal information for these card numbers such as the account 
holder's name, address, telephone number or Social Security number. 
However, at least one bank canceled and replaced 8,800 cards when it 
found out about the security breach.
  And in March of this year, a University of Texas student was charged 
with hacking into the university's computer system and stealing 55,000 
Social Security numbers.
  These are just some examples of the types of breaches that are 
occurring today. Except for California, which has a notification law 
going into effect in July, no State or Federal law requires companies 
or agencies to tell individuals of the misappropriation of their 
personal data.
  I strongly believe Americans should be notified if a hacker gets 
access to their most personal data. This is both a matter of principle 
and a practical measure to curb identity theft.
  Let me take a moment to describe the proposed legislation.
  The Notification of Risk to Personal Data Act will set a national 
standard for notification of consumers when a data breach occurs.
  Specifically, the legislation requires a business or government 
entity to notify an individual when there is a reasonable basis to 
conclude that a hacker or other criminal has obtained unencrypted 
personal data maintained by the entity.
  Personal data is defined by the bill as an individual's Social 
Security number, State identification number, driver's license number, 
financial account number, or credit card number.
  The legislation's notification scheme minimizes the burdens on 
companies or agencies that must report a data breach.
  In general, notice would have to be provided to each person whose 
data was compromised in writing or through e-mail. But there are 
important exceptions.
  First, companies that have developed their own reasonable 
notification policies are given a safe harbor under the
bill and are exempted from its notification requirements.
  Second, encrypted data is exempted.
  Third, where it is too expensive or impractical (e.g., contact 
address information is incomplete) to notify every individual who is 
harmed, the bill allows entities to send out an alternative form of 
notice called ``substitute notice.'' Substitute notice includes posting 
notice on a website or notifying major media.
  Substitute notice would be triggered if any of the following factors 
exist: 1. the agency or person demonstrates that the cost of providing 
direct notice would exceed $250,000; 2. the affected class of subject 
persons to be notified exceeds 500,000; or 3. the agency or person does 
not have sufficient contact information to notify people whose 
information is at risk.
  The bill has a tough, but fair enforcement regime. Entities that fail 
to comply with the bill will be subject to fines by the Federal Trade 
Commission of $5,000 per violation or up to $25,000 per day while the 
violation persists. State Attorneys General can also file suit to 
enforce the statute.
  Additionally, the bill would allow California's new law to remain in 
effect, but preempt conflicting State laws. It is my understanding that 
legislators in a number of States are developing bills modeled after 
the California law. Reportedly, some of these bills have requirements 
that are inconsistent with the California legislation. It is not fair 
to put companies in a situation that forces them to comply with 
database notification laws of 50 different States.
  I strongly believe individuals have a right to be notified when their 
most sensitive information is compromised--because it is truly their 
information. Ask the ordinary person on the street if he or she would 
like to know if a criminal had illegally gained access to their 
personal information from a database--the answer will be a resounding 
yes.
  Enabling consumers to be notified in a timely manner of security 
breaches involving their personal data will help combat the growing 
scourge of identity theft. According to the Identity Theft Resources 
Center, a typical identity theft victim takes six to 12 months to 
discover that a fraud has been perpetrated against them.
  As Linda Foley, Executive Director of the Identity Theft Resources 
Center puts it: ``Identity theft is a crime of opportunity and time is 
essential at every junction. Every minute that passes after the breach 
until detection and notification increases the damage done to the 
consumer victim, the commercial entities, and law enforcement's ability 
to track and catch the criminals. It takes less than a minute to fill 
out a credit application and to start an action that could permanently 
affect the victim's life. Multiply that times hundreds of minutes, 
hundreds of opportunities to use or sell the information stolen and you 
just begin to understand the enormity of the problem that the lack of 
notification can cause.''
  If individuals are informed of the theft of their Social Security 
numbers or other sensitive information, they can take immediate 
preventative action.
  They can place a fraud alert on their credit report to prevent crooks 
from obtaining credit cards in their name; they can monitor their 
credit reports to see if unauthorized activity has occurred; they can 
cancel any affected financial or consumer or utility accounts; they can 
change their phone numbers if necessary.
  I look forward to working with my colleagues to pass this vitally 
needed legislation. This bill will give ordinary Americans more control 
and confidence about the safety of their personal information. 
Americans will have the security of knowing that should a breach occur, 
they will be notified and be able to take protective action.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1350

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Notification of Risk to 
     Personal Data Act''.

     SEC. 2. DEFINITIONS.

       In this Act, the following definitions shall apply:
       (1) Agency.--The term ``agency'' has the same meaning given 
     such term in section 551(1) of title 5, United States Code.
       (2) Breach of security of the system.--The term ``breach of 
     security of the system''--
       (A) means the compromise of the security, confidentiality, 
     or integrity of computerized data that results in, or there 
     is a reasonable basis to conclude has resulted in, the 
     unauthorized acquisition of and access to personal 
     information maintained by the person or business; and
       (B) does not include good faith acquisition of personal 
     information by an employee or agent of the person or business 
     for the purposes of the person or business, if the personal 
     information is not used or subject to further unauthorized 
     disclosure.
       (3) Person.--The term ``person'' has the same meaning given 
     such term in section 551(2) of title 5, United States Code.
       (4) Personal information.--The term ``personal 
     information'' means an individual's last name in combination 
     with any 1 or more of the following data elements, when 
     either the name or the data elements are not encrypted:
       (A) Social security number.
       (B) Driver's license number or State identification number.
       (C) Account number, credit or debit card number, in 
     combination with any required security code, access code, or 
     password that would permit access to an individual's 
     financial account.
       (5) Substitute notice.--The term ``substitute notice'' 
     means--
       (A) e-mail notice, if the agency or person has an e-mail 
     address for the subject persons;
       (B) conspicuous posting of the notice on the Internet site 
     of the agency or person, if the agency or person maintains an 
     Internet site; or
       (C) notification to major media.

     SEC. 3. DATABASE SECURITY.

       (a) Disclosure of Security Breach.--
       (1) In general.--Any agency, or person engaged in 
     interstate commerce, that owns or licenses electronic data 
     containing personal information shall, following the 
     discovery of a breach of security of the system containing 
     such data, notify any resident of the United States whose 
     unencrypted personal information was, or is reasonably 
     believed to have been, acquired by an unauthorized person.
       (2) Notification of owner or licensee.--Any agency, or 
     person engaged in interstate commerce, in possession of 
     electronic data containing personal information that the 
     agency does not own or license shall notify the owner or 
     licensee of the information if the personal information was, 
     or is reasonably believed to have been, acquired by an 
     unauthorized person through a breach of security of the 
     system containing such data.
       (3) Timeliness of notification.--Except as provided in 
     paragraph (4), all notifications required under paragraph (1) 
     or (2) shall be made as expediently as possible and without 
     unreasonable delay following--
       (A) the discovery by the agency or person of a breach of 
     security of the system; and
       (B) any measures necessary to determine the scope of the 
     breach, prevent further disclosures, and restore the 
     reasonable integrity of the data system.
       (4) Delay of notification authorized for law enforcement 
     purposes.--If a law enforcement agency determines that the 
     notification required under this subsection would impede a 
     criminal investigation, such notification may be delayed 
     until such law enforcement agency determines that the 
     notification will no longer compromise such investigation.
       (5) Methods of notice.--An agency, or person engaged in 
     interstate commerce, shall be in compliance with this 
     subsection if it provides the resident, owner, or licensee, 
     as appropriate, with--
       (A) written notification;
       (B) e-mail notice, if the person or business has an e-mail 
     address for the subject person; or
       (C) substitute notice, if--
       (i) the agency or person demonstrates that the cost of 
     providing direct notice would exceed $250,000;
       (ii) the affected class of subject persons to be notified 
     exceeds 500,000; or
       (iii) the agency or person does not have sufficient contact 
     information for those to be notified.
       (6) Alternative notification procedures.--Notwithstanding 
     any other obligation under this subsection, an agency, or 
     person engaged in interstate commerce, shall be deemed to be 
     in compliance with this subsection if the agency or person--
       (A) maintains its own reasonable notification procedures as 
     part of an information security policy for the treatment of 
     personal information; and
       (B) notifies subject persons in accordance with its 
     information security policy in the event of a breach of 
     security of the system.
       (7) Reasonable notification procedures.--As used in 
     paragraph (6), with respect to a breach of security of the 
     system involving personal information described in section 
     2(4)(C), the term ``reasonable notification procedures'' 
     means procedures that--
       (A) use a security program reasonably designed to block 
     unauthorized transactions before they are charged to the 
     customer's account;
       (B) provide for notice to be given by the owner or licensee 
     of the database, or another party acting on behalf of such 
     owner or licensee, after the security program indicates that 
     the breach of security of the system has resulted in fraud or 
     unauthorized transactions, but does not necessarily require 
     notice in other circumstances; and
       (C) are subject to examination for compliance with the 
     requirements of this Act by 1 or more Federal functional 
     regulators (as defined in section 509 of the Gramm-Leach-
     Bliley Act (15 U.S.C. 6809)), with respect to the operation 
     of the security program and the notification procedures.
       (b) Civil Remedies.--
       (1) Penalties.--Any agency, or person engaged in interstate 
     commerce, that violates this section shall be subject to a 
     fine of not more than $5,000 per violation, to a maximum of 
     $25,000 per day while such violations persist.
       (2) Equitable relief.--Any person engaged in interstate 
     commerce that violates, proposes to violate, or has violated 
     this section may be enjoined from further violations by a 
     court of competent jurisdiction.
       (3) Other rights and remedies.--The rights and remedies 
     available under this subsection are cumulative and shall not 
     affect any other rights and remedies available under law.
       (c) Enforcement.--The Federal Trade Commission is 
     authorized to enforce compliance with this section, including 
     the assessment of fines under subsection (b)(1).

     SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by the engagement of any person in a 
     practice that is prohibited under this Act, the State, as 
     parens patriae, may bring a civil action on behalf of the 
     residents of the State in a district court of the United 
     States of appropriate jurisdiction to--
       (A) enjoin that practice;
       (B) enforce compliance with this Act;
       (C) obtain damages, restitution, or other compensation on 
     behalf of residents of the State; or
       (D) obtain such other relief as the court may consider to 
     be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Attorney General--
       (i) written notice of the action; and
       (ii) a copy of the complaint for the action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the State attorney general 
     determines that it is not feasible to provide the notice 
     described in such subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Attorney General at the time the 
     State attorney general files the action.
       (b) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this Act shall be 
     construed to prevent an attorney general of a State from 
     exercising the powers conferred on such attorney general by 
     the laws of that State to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (c) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.

     SEC. 5. EFFECT ON STATE LAW.

       The provisions of this Act shall supersede any inconsistent 
     provisions of law of any State or unit of local government 
     relating to the notification of any resident of the United 
     States of any breach of security of an electronic database 
     containing such resident's personal information (as defined 
     in this Act), except as provided under sections 1798.82 and 
     1798.29 of the California Civil Code.

     SEC. 6. EFFECTIVE DATE.

       This Act shall take effect on the expiration of the date 
     which is 6 months after the date of enactment of this Act.