[Congressional Record Volume 149, Number 116 (Thursday, July 31, 2003)]
[Senate]
[Pages S10661-S10665]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Ms. CANTWELL (for herself and Mr. Enzi):
  S. 1533. A bill to prevent the crime of identity theft, mitigate the 
harm to individuals throughout the Nation who have been victimized by 
identity theft, and for other purposes; to the Committee on the 
Judiciary.
  Ms. CANTWELL. Mr. President, I rise today to re-introduce legislation 
critical to helping victims of identity theft. This legislation, the 
Identity Theft Victims Assistance Act, passed the Senate by unanimous 
consent in the 107th Congress, and I look forward to its passage again 
this Congress. Last year, the legislation had strong bipartisan 
support, as evidenced by the fact that Senator Mike Enzi is 
cosponsoring it again. The bill has broad support from law enforcement, 
consumers' groups, and privacy advocates. Last year, the National 
Center for the Victims of Crime, the Fraternal Order of Police, 
Consumers Union, Identity Theft Resource Center, U.S. Public Interest 
Group, Police Executive Forum, Privacy Rights Clearinghouse, and 
Amazon.com supported the bill. Twenty-two state Attorneys General 
signed a letter supporting the legislation.
  Identity theft is the fastest-growing crime in the country. The 
Federal Trade Commission found that complaints of identity theft 
increased 87 percent between 2001 and 2002, and over 161,000 complaints 
were received by the agency last year. A July 2003 study by Gartner 
Inc. found that there was a 79 percent increase in identity theft in 
the past year alone. Identity theft now accounts for 43 percent of 
consumer fraud complaints and leads the list of consumer frauds. It is 
an insidious crime because it often occurs without the victim's 
knowledge, yet leaves scars on their credit records and reputations 
that can last for years, and cost thousands of dollars to repair.
  The Secret Service has estimated that consumers lose $745 million to 
the problem each year, and this number is clearly growing as the number 
of identity thefts increases. When a victim realizes that his or her 
identity was stolen it's just the beginning of their troubles. The FTC 
estimates that it costs the average victim $1,000 in long-distance 
phone calls, notary charges, mailing costs and lost wages to get his or 
her financial life back in order after an identity thief strikes. The 
Identity Theft Resources Center estimates that average identity theft 
victims spend 175 hours to clear their records.
  But the costs are not confined to consumers--identity theft hits 
businesses and the economy, too. Identity theft-related losses suffered 
by MasterCard and Visa jumped from $79.9 million in 1996 to $144.3 
million in 2000. One study estimates that by 2006 identity theft will 
cost the financial institution sector alone $8 billion per year.
  To take just one of many examples from my state, Jenni D'Avis of Mill 
Creek, Washington, had her Social Security number stolen when a thief 
took her mail and found the number listed on a letter from her 
community college. The criminal used the number to obtain a state 
identification card, and in turn used that to get credit. In just 23 
days, the thief ran up $100,000 in bad debt--all in Jenni's name. Once 
she became aware of the problem, she had to become a ``Nancy Drew,'' 
and track down information. Businesses were reluctant to give her the 
information she needed to determine the extent of the problem and clear 
her name and credit record. She is still repairing the damage.
  Sadly, Jenni's story is not unique. Victims of identity theft have 
difficulty restoring their credit and regaining control of their 
identity, in part, because they have no simple means to show creditors 
and credit reporting agencies that they are who they say they are. In 
order to prove fraud, a victim often needs copies of creditors records, 
such as applications and information, and records from the companies 
the identity thief did business with. Ironically, victims have 
difficulty obtaining these business records because the victim's 
personal identifying information does not match the information on file 
with the business.
  This bill fixes that problem. The Identity Theft Victims Assistance 
Act creates a standardized national process for a person to establish 
he or she is a victim of identity theft for purposes of tracing 
fraudulent credit transactions and obtaining the evidence to repair 
them. It requires the Federal Trade Commission to make available a 
simple certificate that, when notarized, provides certainty to 
businesses and financial institutions that the person is who they claim 
to be, is a victim of identity theft, and has filed claims with both 
local law enforcement and the FTC. With this document in hand, the 
victim can then obtain from businesses the records they need.
  The need for a national system is readily apparent, as identity theft 
is increasingly a crime that crosses state lines. One of the greatest 
challenges identity theft presents to law enforcement is that a stolen 
identity is used to create false identities in many different 
localities in different states. Although identity theft is a federal 
crime, most often, state and local law enforcement agencies are 
responsible for investigating and prosecuting the crimes. Yet law 
enforcement has yet to fully recognize the serious nature of the 
problem or to develop a coordinated investigative strategy. For 
example, in the case of Michael Calip of Centralia, Washington, 
identity thieves not only ran up $60,000 in debts, they also committed 
crimes using his name--trashing his credit record and creating a 
criminal record. Michael tracked the thieves to Wyoming, but had 
difficulty convincing local authorities there to pursue his case.
  My bill for the first time also permits a victim to designate the 
investigating agency, either local or state law enforcement or federal 
investigators, to act as their agents in obtaining evidence of identity 
theft. This both eases the burden on the victim and aids police in 
investigating suspected identity theft rings. In addition it requires 
the existing Identity Theft Coordinating Committee to consult with 
state and local law enforcement agencies.
  Acquiring the evidence of the fraudulent use of identity currently 
can be an enormous and time-consuming problem for victims. The Identity 
Theft Victims Assistance Act makes this job easier by establishing that 
any business presented with the FTC certificate identifying the person 
as a victim of identity theft, together with a police report and a 
government issued photo ID must deliver copies of all the financial 
records that document the fraud to the victim within 20 days. This is a 
critically important change from current law because it guarantees that 
victims will be able to obtain the evidence they need while also 
providing businesses more certainty that they are not violating 
someone's privacy or providing sensitive information to the wrong 
parties. It also provides new liability protections for businesses that 
make a good faith effort to assist victims of identity theft.
  Of course, the greatest harm to consumers victimized by theft of 
their identity is often a bad credit rating or a poor credit score that 
results from fraudulent use of the consumer's identity. According to 
the FTC, it often takes about a year for people to discover someone is 
using personal information for fraudulent purposes, allowing 
significant damage to otherwise stellar credit records. Even after a 
consumer reports to a credit reporting agency that they have been 
victimized by identity theft, the consumer often can not get the 
reporting agencies to block reporting of activities that resulted from 
the identity theft.

[[Page S10662]]

  My bill again requires that presentation of the FTC certificate, 
police report and photo identification establish that the person is in 
fact a victim of identity theft and requires credit-reporting agencies 
to block information that appears on a victim's credit report as a 
result of the identity theft. It also changes current law that requires 
individuals to bring suit against a credit reporting agency within two 
years from the time the agency commits a violation of laws on fair 
reporting of credit. This makes little sense, since it may be years 
before a misrepresentation comes to the attention of a victim of 
identity theft. The bill requires that the statute of limitations begin 
ticking from the time when a consumer discovers or has reason to know 
that a misrepresentation by a credit reporting agency has occurred.
  The bill leaves in place state laws that are more stringent and 
provides that either federal prosecutors or State Attorneys General may 
enforce this law.
  Jenni and Michael's stories illustrate the unique problems victims of 
identity theft face. Although penalties exist for identity thieves, no 
remedies are available for their victims. The scope of the problem is 
made worse because it's too easy for a criminal to steal someone's 
identity and cause serious harm before the theft is even discovered. 
And when these criminals cross state lines, it can be even harder for 
victims to trace the problem and repair the damage. For these reasons, 
it's imperative that we pass federal legislation for the victims of 
identity theft.
  The government, creditors and credit reporting agencies have a shared 
responsibility to assist identity theft victims mitigate the harm that 
results from frauds perpetrated in the victim's name. We need to build 
up the law enforcement network, already started by the Federal Trade 
Commission and other federal agencies under the Identity Theft and 
Assumption Deterrence Act of 1998. We need to further improve law 
enforcement coordination, particularly between the various local and 
state jurisdictions combating identity theft and the associated crimes.
  We also need to provide better and timelier information to businesses 
so they can head off fraud before it happens. That is why my bill also 
expands the jurisdiction of the interagency coordinating committee 
established under the Internet False Identification Act of 2000. 
Currently, the coordination committee has the mandate to study and 
report to Congress on federal investigation and enforcement of identity 
theft crimes. The Identity Theft Victims Assistance Act broadens the 
mandate for the coordinating committee to consider state and local 
enforcement of identity theft law and specifically requires the 
committee to examine and recommend what assistance the federal 
government can provide state and local law enforcement agencies to 
better coordinate in the battle against identity theft.
  Mr. President, there is no doubt about the scope of the problem: 
identity theft is already a major problem, and it's getting worse. We 
must provide victims with the tools they need to regain control of 
their lives. The Identity Theft Victims Assistance of 2003 will help 
victims of identity theft recover their identity and restore their good 
credit. I look forward to working with my colleagues to promptly enact 
this bill into law.
  I ask unanimous consent that the text of the legislation be printed 
in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1533

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Identity Theft Victims 
     Assistance Act of 2003''.

     SEC. 2. FINDINGS.

       Congress finds the following:
       (1) The crime of identity theft is the fastest growing 
     crime in the United States. According to a recent estimate, 
     7,000,000 Americans were victims of identity theft in the 
     past year, a 79 percent increase over previous estimates.
       (2) Stolen identities are often used to perpetuate crimes 
     in many cities and States, making it more difficult for 
     consumers to restore their respective identities.
       (3) Identity theft cost consumers more than $745,000,000 in 
     1998 and has increased dramatically in the last few years. 
     The credit card industry alone lost an estimated $144.3 
     million in 2000.
       (4) Identity theft is ruinous to the good name and credit 
     of consumers whose identities are misappropriated, and 
     consumers may be denied otherwise deserved credit and may 
     have to spend enormous time, effort, and money to restore 
     their respective identities.
       (5) Victims are often required to contact numerous Federal, 
     State, and local law enforcement agencies and creditors over 
     many years as each event of fraud arises.
       (6) As of the date of enactment of this Act, a national 
     mechanism does not exist to assist identity theft victims to 
     obtain evidence of identity theft, restore their credit, and 
     regain control of their respective identities.
       (7) Victims of identity theft need a nationally 
     standardized means of--
       (A) establishing their true identities and claims of 
     identity theft to all business entities, credit reporting 
     agencies, and Federal and State law enforcement agencies;
       (B) obtaining information documenting fraudulent 
     transactions from business entities;
       (C) reporting identity theft to consumer credit reporting 
     agencies.
       (8) One of the greatest law enforcement challenges posed by 
     identity theft is that stolen identities are often used to 
     perpetrate crimes in many different localities in different 
     States, and although identity theft is a Federal crime, most 
     often, State and local law enforcement agencies are 
     responsible for investigating and prosecuting the crimes.
       (9) Law enforcement, business entities, credit reporting 
     agencies, and government agencies have a shared 
     responsibility to assist victims of identity theft to 
     mitigate the harm caused by any fraud perpetrated in the name 
     of the victims.

     SEC. 3. TREATMENT OF IDENTITY THEFT MITIGATION.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by adding after section 1028 the following:

     ``Sec. 1028A. Treatment of identity theft mitigation

       ``(a) Definitions.--As used in this section--
       ``(1) the term `business entity' means any corporation, 
     trust, partnership, sole proprietorship, or unincorporated 
     association, including any financial service provider, 
     financial information repository, creditor (as that term is 
     defined in section 103 of the Truth in Lending Act (15 U.S.C. 
     1602)), telecommunications, utilities, or other service 
     provider;
       ``(2) the term `consumer' means an individual;
       ``(3) the term `financial information' means information 
     identifiable as relating to an individual consumer that 
     concerns the amount and conditions of the assets, 
     liabilities, or credit of the consumer, including--
       ``(A) account numbers and balances;
       ``(B) nonpublic personal information, as that term is 
     defined in section 509 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6809); and
       ``(C) codes, passwords, social security numbers, tax 
     identification numbers, State identifier numbers issued by a 
     State department of licensing, and other information used for 
     the purpose of account access or transaction initiation;
       ``(4) the term `financial information repository' means a 
     person engaged in the business of providing services to 
     consumers who have a credit, deposit, trust, stock, or other 
     financial services account or relationship with that person;
       ``(5) the term `identity theft' means a violation of 
     section 1028 or any other similar provision of applicable 
     Federal or State law;
       ``(6) the term `means of identification' has the same 
     meaning given the term in section 1028;
       ``(7) the term `victim' means a consumer whose means of 
     identification or financial information has been used or 
     transferred (or has been alleged to have been used or 
     transferred) without the authority of that consumer with the 
     intent to commit, or with the intent to aid or abet, an 
     identity theft; and
       ``(8) the terms not defined in this section or otherwise 
     defined in section 3(s) of the Federal Deposit Insurance Act 
     (12 U.S.C. 1813(s)) shall have the meaning given to them in 
     section 1(b) of the International Banking Act of 1978 (12 
     U.S.C. 3101).
       ``(b) Information Available to Victims.--
       ``(1) In general.--A business entity that possesses 
     information relating to an alleged identity theft, or that 
     has entered into a transaction, provided credit, provided, 
     for consideration, products, goods, or services, accepted 
     payment, otherwise entered into a commercial transaction for 
     consideration with a person that has made unauthorized use of 
     the means of identification of the victim, or possesses 
     information relating to such transaction, shall, not later 
     than 20 days after the receipt of a written request by the 
     victim, meeting the requirements of subsection (c), provide, 
     without charge, a copy of all application and business 
     transaction information related to the transaction being 
     alleged as an identity theft to--
       ``(A) the victim;
       ``(B) any Federal, State, or local governing law 
     enforcement agency or officer specified by the victim in such 
     a request; or
       ``(C) any law enforcement agency investigating the identity 
     theft and authorized by the victim to take receipt of records 
     provided under this section.
       ``(2) Rule of construction.--

[[Page S10663]]

       ``(A) In general.--No provision of Federal or State law 
     prohibiting the disclosure of financial information by a 
     business entity to third parties shall be used to deny 
     disclosure of information to the victim under this section.
       ``(B) Limitation.--Except as provided in subparagraph (A), 
     nothing in this section permits a business entity to disclose 
     information that the business entity is otherwise prohibited 
     from disclosing under any other applicable provision of 
     Federal or State law.
       ``(c) Verification of Identity and Claim.--Unless a 
     business entity, at its discretion, is otherwise able to 
     verify the identity of a victim making a request under 
     subsection (b)(1), the victim shall provide to the business 
     entity--
       ``(1) as proof of positive identification, at the election 
     of the business entity--
       ``(A) the presentation of a government-issued 
     identification card;
       ``(B) if providing proof by mail, a copy of a government-
     issued identification card; or
       ``(C) upon the request of the person seeking business 
     records, the business entity may inform the requesting person 
     of the categories of identifying information that the 
     unauthorized person provided the business entity as 
     personally identifying information, and may require the 
     requesting person to provide identifying information in those 
     categories; and
       ``(2) as proof of a claim of identity theft, at the 
     election of the business entity--
       ``(A) a copy of a police report evidencing the claim of the 
     victim of identity theft;
       ``(B) a properly completed copy of a standardized affidavit 
     of identity theft developed and made available by the Federal 
     Trade Commission; or
       ``(C) any properly completed affidavit of fact that is 
     acceptable to the business entity for that purpose.
       ``(d) Limitation on Liability.--No business entity may be 
     held liable for a disclosure, made in good faith and 
     reasonable judgment, to provide information under this 
     section with respect to an individual in connection with an 
     identity theft to other business entities, law enforcement 
     authorities, victims, or any person alleging to be a victim, 
     if--
       ``(1) the business entity complies with subsection (c); and
       ``(2) such disclosure was made--
       ``(A) for the purpose of detection, investigation, or 
     prosecution of identity theft; or
       ``(B) to assist a victim in recovery of fines, restitution, 
     rehabilitation of the credit of the victim, or such other 
     relief as may be appropriate.
       ``(e) Authority To Decline To Provide Information.--A 
     business entity may decline to provide information under 
     subsection (b) if, in the exercise of good faith and 
     reasonable judgment, the business entity determines that--
       ``(1) this section does not require disclosure of the 
     information;
       ``(2) the request for the information is based on a 
     misrepresentation of fact by the victim relevant to the 
     request for information; or
       ``(3) the information requested is Internet navigational 
     data or similar information about a person's visit to a 
     website or online service.
       ``(f) No New Recordkeeping Obligation.--Nothing in this 
     section creates an obligation on the part of a business 
     entity to obtain, retain, or maintain information or records 
     that are not otherwise required to be obtained, retained, or 
     maintained in the ordinary course of its business or under 
     other applicable law.
       ``(g) Affirmative Defense.--In any civil action brought to 
     enforce this section, it is an affirmative defense (which the 
     defendant must establish by a preponderance of the evidence) 
     for a business entity to file an affidavit or answer stating 
     that--
       ``(1) the business entity has made a reasonable diligent 
     search of its available business records; and
       ``(2) the records requested under this section do not exist 
     or are not available.
       ``(h) No Private Right of Action.--Nothing in this section 
     shall be construed to provide a private right of action or 
     claim for relief.
       ``(i) Enforcement.--
       ``(1) Injunctive actions by the attorney general.--
       ``(A) In general.--Whenever it appears that a business 
     entity to which this section applies has engaged, is engaged, 
     or is about to engage, in any act or practice constituting a 
     violation of this section, the Attorney General of the United 
     States may bring a civil action in an appropriate district 
     court of the United States to--
       ``(i) enjoin such act or practice;
       ``(ii) enforce compliance with this section; and
       ``(iii) obtain such other equitable relief as the court 
     determines to be appropriate.
       ``(B) Other injunctive relief.--Upon a proper showing in 
     the action under subparagraph (A), the court shall grant a 
     permanent injunction or a temporary restraining order without 
     bond.
       ``(2) Administrative enforcement.--
       ``(A) Federal trade commission.--
       ``(i) In general.--Except to the extent that administrative 
     enforcement is specifically committed to another agency under 
     subparagraph (B), a violation of this section shall be deemed 
     an unfair or deceptive act or practice in violation of the 
     Federal Trade Commission Act (15 U.S.C. 41 et seq.), for 
     purposes of the exercise by the Federal Trade Commission of 
     its functions and powers under that Act.
       ``(ii) Available functions and powers.--All of the 
     functions and powers of the Federal Trade Commission under 
     the Federal Trade Commission Act are available to the 
     Commission to enforce compliance by any person with this 
     section.
       ``(B) Other federal agencies.--Compliance with any 
     requirements under this section may be enforced--
       ``(i) under section 8 of the Federal Deposit Insurance Act 
     (12 U.S.C. 1818)--

       ``(I) by the Office of the Comptroller of the Currency, 
     with respect to national banks, and Federal branches and 
     Federal agencies of foreign banks (except brokers, dealers, 
     persons providing insurance, investment companies, and 
     investment advisers);
       ``(II) by the Board of Governors of the Federal Reserve 
     System, with respect to member banks of the Federal Reserve 
     System (other than national banks), branches and agencies of 
     foreign banks (other than Federal branches, Federal agencies, 
     and insured State branches of foreign banks), commercial 
     lending companies owned or controlled by foreign banks, and 
     organizations operating under section 25 or 25A of the 
     Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et seq.);
       ``(III) by the Board of Directors of the Federal Deposit 
     Insurance Corporation, with respect to banks insured by the 
     Federal Deposit Insurance Corporation (other than members of 
     the Federal Reserve System), insured State branches of 
     foreign banks, and any subsidiaries of such entities (except 
     brokers, dealers, persons providing insurance, investment 
     companies, and investment advisers); and
       ``(IV) by the Director of the Office of Thrift Supervision, 
     with respect to savings associations, the deposits of which 
     are insured by the Federal Deposit Insurance Corporation, and 
     any subsidiaries of such savings associations (except 
     brokers, dealers, persons providing insurance, investment 
     companies, and investment advisers);

       ``(ii) by the Board of the National Credit Union 
     Administration, under the Federal Credit Union Act (12 U.S.C. 
     1751 et seq.), with respect to any federally insured credit 
     union, and any subsidiaries of such credit union;
       ``(iii) by the Securities and Exchange Commission, under 
     the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.), 
     with respect to any broker or dealer;
       ``(iv) by the Securities and Exchange Commission, under the 
     Investment Company Act of 1940 (15 U.S.C. 80a-1 et seq.), 
     with respect to investment companies;
       ``(v) by the Securities and Exchange Commission, under the 
     Investment Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.), 
     with respect to investment advisers registered with the 
     Commission under such Act;
       ``(vi) by the Secretary of Transportation, under subtitle 
     IV of title 49, with respect to all carriers subject to the 
     jurisdiction of the Surface Transportation Board;
       ``(vii) by the Secretary of Transportation, under part A of 
     subtitle VII of title 49, with respect to any air carrier or 
     any foreign air carrier subject to that part; and
       ``(viii) by the Secretary of Agriculture, under the Packers 
     and Stockyards Act, 1921 (7 U.S.C. 181 et seq.), except as 
     provided in section 406 of that Act (7 U.S.C. 226, 2271), 
     with respect to any activities subject to that Act.
       ``(C) Agency powers.--
       ``(i) In general.--A violation of any requirement imposed 
     under this section shall be deemed to be a violation of a 
     requirement imposed under any Act referred to under 
     subparagraph (B), for the purpose of the exercise by any 
     agency referred to under subparagraph (B) of its powers under 
     any such Act.
       ``(ii) Rule of construction.--Nothing in this section shall 
     be construed to prevent a Federal agency from exercising the 
     powers conferred upon such agency by Federal law to--

       ``(I) conduct investigations;
       ``(II) administer oaths or affirmations; or
       ``(III) compel the attendance of witnesses or the 
     production of documentary or other evidence.

       ``(3) Parens patriae authority.--
       ``(A) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been, or is threatened to be, 
     adversely affected by a violation of this section by any 
     business entity, the State, as parens patriae, may bring a 
     civil action on behalf of the residents of the State in a 
     district court of the United States of appropriate 
     jurisdiction to--
       ``(i) enjoin that practice;
       ``(ii) enforce compliance with this section;
       ``(iii) obtain damages--

       ``(I) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of the 
     State; and
       ``(II) punitive damages, if the violation is willful or 
     intentional; and

       ``(iv) obtain such other equitable relief as the court may 
     consider to be appropriate.
       ``(B) Notice.--Before filing an action under subparagraph 
     (A), the attorney general of the State involved shall, if 
     practicable, provide to the Attorney General of the United 
     States, and where applicable, to the appropriate Federal 
     agency with the authority to enforce this section under 
     paragraph (2)--
       ``(i) a written notice of the action; and
       ``(ii) a copy of the complaint for the action.
       ``(4) Intervention.--
       ``(A) In general.--On receiving notice of an action under 
     paragraph (3), the Attorney

[[Page S10664]]

     General of the United States, and any Federal agency with 
     authority to enforce this section under paragraph (2), shall 
     have the right to intervene in that action.
       ``(B) Effect of intervention.--Any person or agency under 
     subparagraph (A) that intervenes in an action under paragraph 
     (2) shall have the right to be heard on all relevant matters 
     arising therein.
       ``(C) Service of process.--Upon the request of the Attorney 
     General of the United States or any Federal agency with the 
     authority to enforce this section under paragraph (2), the 
     attorney general of a State that has filed an action under 
     this section shall, pursuant to rule 4(d)(4) of the Federal 
     Rules of Civil Procedure, serve the Attorney General of the 
     United States or the head of such Federal agency, with a copy 
     of the complaint.
       ``(5) Construction.--For purposes of bringing any civil 
     action under this subsection, nothing in this section shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on such attorney general by 
     the laws of that State to--
       ``(A) conduct investigations;
       ``(B) administer oaths or affirmations; or
       ``(C) compel the attendance of witnesses or the production 
     of documentary and other evidence.
       ``(6) Limitation on state action while federal action is 
     pending.--In any case in which an action is instituted by or 
     on behalf of the Attorney General of the United States, or 
     appropriate Federal regulator authorized under paragraph (2), 
     for a violation of this section, no State may, during the 
     pendency of that action, institute an action under this 
     section against any defendant named in the complaint in that 
     action for such violation.
       ``(7) Venue; service of process.--
       ``(A) Venue.--Any action brought under this subsection may 
     be brought in the district court of the United States--
       ``(i) where the defendant resides;
       ``(ii) where the defendant is doing business; or
       ``(iii) that meets applicable requirements relating to 
     venue under section 1391 of title 28.
       ``(B) Service of process.--In an action brought under this 
     subsection, process may be served in any district in which 
     the defendant--
       ``(i) resides;
       ``(ii) is doing business; or
       ``(iii) may be found.''.
       (b) Clerical Amendment.--The table of sections at the 
     beginning of chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1028 
     the following new item:

``1028A. Treatment of identity theft mitigation.''.

     SEC. 4. AMENDMENTS TO THE FAIR CREDIT REPORTING ACT.

       (a) Consumer Reporting Agency Blocking of Information 
     Resulting From Identity Theft.--Section 611 of the Fair 
     Credit Reporting Act (15 U.S.C. 1681i) is amended by adding 
     at the end the following:
       ``(e) Block of Information Resulting From Identity Theft.--
       ``(1) Block.--Except as provided in paragraphs (4) and (5) 
     and not later than 30 days after the date of receipt of--
       ``(A) proof of the identity of a consumer; and
       ``(B) an official copy of a police report evidencing the 
     claim of the consumer of identity theft,

     a consumer reporting agency shall block the reporting of any 
     information identified by the consumer in the file of the 
     consumer resulting from the identity theft, so that the 
     information cannot be reported.
       ``(2) Reinvestigation.--A consumer reporting agency shall 
     reinvestigate any information that a consumer has requested 
     to be blocked under paragraph (1) in accordance with the 
     requirements of subsections (a) through (d).
       ``(3) Notification.--A consumer reporting agency shall, 
     within the time period specified in subsection (a)(2)(A)--
       ``(A) provide the furnisher of the information identified 
     by the consumer under paragraph (1) with the information 
     described in subsection (a)(2); and
       ``(B) notify the furnisher--
       ``(i) that the information may be a result of identity 
     theft;
       ``(ii) that a police report has been filed;
       ``(iii) that a block has been requested under this 
     subsection; and
       ``(iv) of the effective date of the block.
       ``(4) Authority to decline or rescind.--
       ``(A) In general.--A consumer reporting agency may at any 
     time decline to block, or may rescind any block, of consumer 
     information under this subsection if--
       ``(i) in the exercise of good faith and reasonable 
     judgment, the consumer reporting agency finds that--

       ``(I) the block was issued, or the request for a block was 
     made, based on a misrepresentation of fact by the consumer 
     relevant to the request to block; or
       ``(II) the consumer knowingly obtained possession of goods, 
     services, or money as a result of a transaction for which a 
     block has been requested, or the consumer should have known 
     that the consumer obtained possession of goods, services, or 
     money as a result of a transaction for which a block has been 
     requested; or

       ``(ii) the consumer agrees that the blocked information or 
     portions of the blocked information were blocked in error.
       ``(B) Notification to consumer.--If the block of 
     information is declined or rescinded under this paragraph, 
     the affected consumer shall be notified, in the same manner 
     and within the same time period as consumers are notified of 
     the reinsertion of information under subsection (a)(5)(B).
       ``(C) Significance of block.--For purposes of this 
     paragraph, if a consumer reporting agency rescinds a block, 
     the presence of information in the file of a consumer prior 
     to the blocking of such information is not evidence of 
     whether the consumer knew or should have known that the 
     consumer obtained possession of any goods, services, or 
     monies as a result of the transaction that was blocked.
       ``(5) Exception.--A consumer reporting agency shall not be 
     required to comply with this subsection when such agency is 
     issuing information for authorizations, for the purpose of 
     approving or processing negotiable instruments, electronic 
     funds transfers, or similar methods of payment, based solely 
     on negative information, including--
       ``(A) dishonored checks;
       ``(B) accounts closed for cause;
       ``(C) substantial overdrafts;
       ``(D) abuse of automated teller machines; or
       ``(E) other information which indicates a risk of fraud 
     occurring.''.
       (b) False Claims.--Section 1028 of title 18, United States 
     Code, is amended by adding at the end the following:
       ``(j) Any person who knowingly falsely claims to be a 
     victim of identity theft for the purpose of obtaining the 
     blocking of information by a consumer reporting agency under 
     section 611(e)(1) of the Fair Credit Reporting Act (15 U.S.C. 
     1681i(e)(1)) shall be fined under this title, imprisoned not 
     more than 3 years, or both.''.
       (c) Statute of Limitations.--
       (1) In general.--Section 618 of the Fair Credit Reporting 
     Act (15 U.S.C. 1681p) is amended to read as follows:

     ``SEC. 618. JURISDICTION OF COURTS; LIMITATION ON ACTIONS.

       ``(a) In General.--Except as provided in subsections (b) 
     and (c), an action to enforce any liability created under 
     this title may be brought in any appropriate United States 
     district court without regard to the amount in controversy, 
     or in any other court of competent jurisdiction, not later 
     than 2 years from the date of the defendant's violation of 
     any requirement under this title.
       ``(b) Willful Misrepresentation.--In any case in which the 
     defendant has materially and willfully misrepresented any 
     information required to be disclosed to an individual under 
     this title, and the information misrepresented is material to 
     the establishment of the liability of the defendant to that 
     individual under this title, an action to enforce a liability 
     created under this title may be brought at any time within 2 
     years after the date of discovery by the individual of the 
     misrepresentation.
       ``(c) Identity Theft.--An action to enforce a liability 
     created under this title may be brought not later than 5 
     years from the date of the defendant's violation if--
       ``(1) the plaintiff is the victim of an identity theft; or
       ``(2) the plaintiff--
       ``(A) has reasonable grounds to believe that the plaintiff 
     is the victim of an identity theft; and
       ``(B) has not materially and willfully misrepresented such 
     a claim.''.
       (2) Effective date.--The amendments made by this subsection 
     shall take effect 2 years from the date of enactment of this 
     Act.

     SEC. 5. COORDINATING COMMITTEE STUDY OF COORDINATION BETWEEN 
                   FEDERAL, STATE, AND LOCAL AUTHORITIES IN 
                   ENFORCING IDENTITY THEFT LAWS.

       (a) Membership; Term.--Section 2 of the Internet False 
     Identification Prevention Act of 2000 (18 U.S.C. 1028 note) 
     is amended--
       (1) in subsection (b), by striking ``and the Commissioner 
     of Immigration and Naturalization'' and inserting ``the 
     Commissioner of Immigration and Naturalization, the Chairman 
     of the Federal Trade Commission, the Postmaster General, and 
     the Commissioner of the United States Customs Service,''; and
       (2) in subsection (c), by striking ``2 years after the 
     effective date of this Act.'' and inserting ``on December 28, 
     2005.''.
       (b) Consultation.--Section 2 of the Internet False 
     Identification Prevention Act of 2000 (18 U.S.C. 1028 note) 
     is amended--
       (1) by redesignating subsection (d) as subsection (e); and
       (2) by inserting after subsection (c) the following:
       ``(d) Consultation.--In discharging its duties, the 
     coordinating committee shall consult with interested parties, 
     including State and local law enforcement agencies, State 
     attorneys general, representatives of business entities (as 
     that term is defined in section 4 of the Identity Theft 
     Victims Assistance Act of 2003), including telecommunications 
     and utility companies, and organizations representing 
     consumers.''.
       (c) Report Distribution and Contents.--Section 2(e) of the 
     Internet False Identification Prevention Act of 2000 (18 
     U.S.C. 1028 note) (as redesignated by subsection (b)) is 
     amended--
       (1) by striking paragraph (1) and inserting the following:
       ``(1) In general.--The Attorney General and the Secretary 
     of the Treasury, at the end of each year of the existence of 
     the coordinating committee, shall report on the activities of 
     the coordinating committee to--

[[Page S10665]]

       ``(A) the Committee on the Judiciary of the Senate;
       ``(B) the Committee on the Judiciary of the House of 
     Representatives;
       ``(C) the Committee on Banking, Housing, and Urban Affairs 
     of the Senate; and
       ``(D) the Committee on Financial Services of the House of 
     Representatives.'';
       (2) in subparagraph (E), by striking ``and'' at the end; 
     and
       (3) by striking subparagraph (F) and inserting the 
     following:
       ``(F) a comprehensive description of Federal assistance 
     provided to State and local law enforcement agencies to 
     address identity theft;
       ``(G) a comprehensive description of coordination 
     activities between Federal, State, and local law enforcement 
     agencies that address identity theft; and
       ``(H) recommendations in the discretion of the President, 
     if any, for legislative or administrative changes that 
     would--
       ``(i) facilitate more effective investigation and 
     prosecution of cases involving--

       ``(I) identity theft; and
       ``(II) the creation and distribution of false 
     identification documents;

       ``(ii) improve the effectiveness of Federal assistance to 
     State and local law enforcement agencies and coordination 
     between Federal, State, and local law enforcement agencies; 
     and
       ``(iii) simplify efforts by a person necessary to rectify 
     the harm that results from the theft of the identity of such 
     person.''.

  Mr. ENZI. Mr. President, every morning, from the time we wake up to 
the time we turn out the lights and go to sleep, we all spend a good 
portion of our day in cyberspace. Probably without thinking, each time 
we head out to the internet, we broadcast some very specific 
information about our lives as we use our computers for email. Each 
time we use our cell phones we rely on a sense of privacy about the 
information we convey, which may not be present. And, when we use hand 
held devices to send quick messages back and forth to friends, 
coworkers and family we assume no one else is listening or receiving 
our information, which often includes social security numbers, family 
names and even credit card and pin numbers.
  Cyberspace is a high tech criminal's dream and it has helped 
contribute to the fastest growing crime in America--identity theft.
  Simply put, identity theft is the ability to impersonate someone else 
and steal their credit, their money and even their identity for their 
own use.
  Although the use of high-tech devices has certainly contributed to 
the proliferation of identity theft, many individuals have been 
victimized by simple criminals who have carefully picked through trash 
cans and mailboxes to find old receipts and social security numbers. 
Regardless of the medium through which the information is collected, 
identity theft is the result of criminals who have learned how to 
manipulate a growing network of information--some public, some 
private--and then use that data to their own advantage.
  The problem with identity theft is that it is not confined to one 
state. It affects Americans from every walk of life from coast to 
coast. Some Americans may discover that someone else has been using 
their social security number to obtain fraudulent employment, while 
others learn that people have been using fraudulent identification 
cards to obtain lines of credit and then leaving innocent victims to 
deal with the bills they left behind.
  People from small States like Wyoming are not immune to this new 
crime wave. Although there are only 493,000 people in Wyoming, we have 
the same rate of identity theft per capita as is present anywhere else 
in the United States. That is why we have to approach this issue from 
every angle, taking a systemic approach that includes prevention, 
enforcement and assistance to victims of identity theft.
  Today, we will take the first step with victim's assistance for this 
crime. I believe we have to provide some real options for our 
constituents who are trying to recover from the trauma that identity 
theft has caused in their lives. That is why my colleague from 
Washington and I are introducing legislation that will make it easier 
for victims to get the information they need to begin reversing the 
damage and lasting effects of this crime. Our bill, the Identity Theft 
Victim's Assistance Act of 2003, is very similar to a bill we offered 
last year that passed the Senate unanimously in November. I expect and 
hope for the same result this year since this is a growing problem and 
the need for action on this issue grows more urgent with each passing 
day.
  Our bill includes key provisions that would allow victims to work 
with businesses to obtain information related to cases of identity 
theft and then contact credit reporting agencies to block false 
information on credit reports. In drafting this legislation we worked 
with all of the stakeholders to ensure a balance between the needs of 
consumers and the needs of small businesses, banks and other credit 
agencies.
  The reintroduction of this bill is timely given the recent hearings 
in the Senate Banking and Commerce Committees and recent action by both 
the House and Administration.
  Earlier this month, the House Financial Services Subcommittee 
reported a bill called the Fair and Accurate Credit Transactions Act. 
Also known as the FACT Act, the bill includes a provision nearly 
identical to Section 4 of our bill. Section 4 of our bill requires 
consumer credit reporting agencies to block information that appears on 
a victim's credit report as a result of identity theft, provided the 
victim did not knowingly obtain goods, services or money as a result of 
the blocked transaction.
  Our provision, which amends the Fair Credit Reporting Act, was also 
addressed in a recent hearing before the Senate Banking Committee. On 
July 10, the Chairman of the Federal Trade Commission testified that 
``blocking would mitigate the harm to consumers' credit record that can 
result from identity theft'' and recommended that this practice be 
codified.
  I am also encouraged by similar recommendations from the Treasury 
Department that would require credit reporting agencies to cease 
reporting allegedly fraudulent account information on consumer reports 
when the consumer submits a police report or similar document, unless 
there is a reason to believe the report is false.
  Providing consumers with the tools necessary to recover from identity 
theft is the first step in providing real relief to the hundreds of 
thousands of individuals whose lives have already been turned upside 
down by identity theft. I urge my colleagues to work with me as we move 
forward on this important issue and make progress on the 
reauthorization of critical legislation like the Fair Credit Reporting 
Act. We must take action this year before the crime of identity theft 
hurts the hundreds of thousands of working people and families who are 
expected to become victims this year.
                                 ______