[Congressional Record Volume 149, Number 119 (Wednesday, September 3, 2003)]
[Senate]
[Pages S11034-S11038]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Ms. CANTWELL (for herself and Mr. Enzi):
  S. 1581. A bill to mitigate the harm to individuals through the 
Nation who have been victimized by identity theft, to prevent identity 
theft, and for other purposes; to the Committee on the Judiciary.
  Ms. CANTWELL. Mr. President, I rise today to re-introduce legislation 
critical to helping victims of identity theft. This legislation, the 
Identity Theft Victims Assistance Act, passed the Senate by unanimous 
consent in the 107th Congress, and I look forward to its passage again 
this Congress. Last year, the legislation had strong bipartisan 
support, as evidenced by the fact that Senator Mike Enzi is 
cosponsoring it again. The bill has broad support from law enforcement, 
consumers' groups, and privacy advocates. Last year, the National 
Center for the Victims of Crime, the Fraternal Order of Police, 
Consumers Union, Identity Theft Resource Center, U.S. Public Interest 
Group, Police Executive Forum, Privacy Rights Clearinghouse, and 
Amazon.com supported the bill. Twenty-two State Attorneys General 
signed a letter supporting the legislation.
  Identity theft is the fastest-growing crime in the country. The 
Federal Trade Commission found that complaints of identity theft 
increased 87 percent between 2001 and 2002, and over 161,000 complaints 
were received by the agency last year. A July 2003 study by Gartner 
Inc. found that there was a 79-percent increase in identity theft in

[[Page S11035]]

the past year alone. Identity theft now accounts for 43 percent of 
consumer fraud complaints and leads the list of consumer frauds. It is 
an insidious crime because it often occurs without the victim's 
knowledge, yet leaves scars on their credit records and reputations 
that can last for years, and cost thousands of dollars to repair.
  The Secret Service has estimated that consumers lose $745 million to 
the problem each year, and this number is clearly growing as the number 
of identity thefts increases. When a victim realizes that his or her 
identity was stolen it's just the beginning of their troubles. The FTC 
estimates that it costs the average victim $1,000 in long-distance 
phone calls, notary charges, mailing costs and lost wages to get his or 
her financial life back in order after an identity thief strikes. The 
Identity Theft Resource Center estimates that average identity theft 
victims spend 175 hours to clear their records.
  But the costs are not confined to consumers--identity theft hits 
businesses and the economy, too. Identity theft-related losses suffered 
by MasterCard and Visa jumped from $79.9 million in 1996 to $144.3 
million in 2000. One study estimates that by 2006 identity theft will 
cost the financial institution sector alone $8 billion per year.
  To take just one of many examples from my state, Jenni D'Avis of Mill 
Creek, Washington, had her Social Security number stolen when a thief 
took her mail and found the number listed on a letter from her 
community college. The criminal used the number to obtain a state 
identification card, and in turn used that to get credit. In just 23 
days, the thief ran up $100,000 in bad debt--all in Jenni's name. Once 
she became aware of the problem, she had to become a ``Nancy Drew,'' 
and track down information. Businesses were reluctant to give her the 
information she needed to determine the extent of the problem and clear 
her name and credit record. She is still repairing the damage.
  Sadly, Jenni's story is not unique. Victims of identity theft have 
difficulty restoring their credit and regaining control of their 
identity, in part, because they have no simple means to show creditors 
and credit reporting agencies that they are who they say they are. In 
order to prove fraud, a victim often needs copies of creditors records, 
such as applications and information, and records from the companies 
the identity thief did business with. Ironically, victims have 
difficulty obtaining these business records because the victim's 
personally identifying information does not match the information on 
file with the business.

  This bill fixes that problem. The Identify Theft Victims Assistance 
Act creates a standardized national process for a person to establish 
he or she is a victim of identity theft for purposes of tracing 
fraudulent credit transactions and obtaining the evidence to repair 
them. It requires the Federal Trade Commission to make available a 
simple certificate that, when notarized, provides certainty to 
businesses and financial institutions that the person is who they claim 
to be, is a victim of identity theft, and has filed claims with both 
local law enforcement and the FTC. With this document in hand, the 
victim can then obtain from businesses the records they need.
  The need for a national system is readily apparent, as identity theft 
is increasingly a crime that crosses State lines. One of the greatest 
challenges identity theft presents to law enforcement is that a stolen 
identity is used to create false identities in many different 
localities in different states. Although identity theft is a federal 
crime, most often, state and local law enforcement agencies are 
responsible for investigating and prosecuting the crimes. Yet law 
enforcement has yet to fully recognize the serious nature of the 
problem or to develop a coordinated investigative strategy. For 
example, in the case of Michael Calip of Centralia, Washington, 
identity thieves not only ran up $60,000 in debts, they also committed 
crimes using his name--trashing his credit record and creating a 
criminal record. Michael tracked the thieves to Wyoming, but had 
difficulty convincing local authorities there to pursue his case.
  My bill for the first time also permits a victim to designate the 
investigating agency, either local or State law enforcement or Federal 
investigators, to act as their agents in obtaining evidence of identity 
theft. This both eases the burden on the victim and aids police in 
investigating suspected identity theft rings. In addition it requires 
the existing Identity Theft Coordinating Committee to consult with 
State and local law enforcement agencies.
  Acquiring the evidence of the fraudulent use of identity currently 
can be an enormous and time-consuming problem for victims. The Identity 
Theft Victims Assistance Act makes this job easier by establishing that 
any business presented with the FTC certificate identifying the person 
as a victim of identity theft, together with a police report and a 
government issued photo ID must deliver copies of all the financial 
records that document the fraud to the victim within 20 days. This is a 
critically important change from current law because it guarantees that 
victims will be able to obtain the evidence they need while also 
providing businesses more certainty that they are not violating 
someone's privacy or providing sensitive information to the wrong 
parties. It also provides new liability protections for businesses that 
make a good faith effort to assist victims of identity theft.
  Of course, the greatest harm to consumers victimized by theft of 
their identity is often a bad credit rating or a poor credit score that 
results from fraudulent use of the consumer's identity. According to 
the FTC, it often takes about a year for people to discover someone is 
using personal information for fraudulent purposes, allowing 
significant damage to otherwise stellar credit records. Even after a 
consumer reports to a credit reporting agency that they have been 
victimized by identity theft, the consumer often can not get the 
reporting agencies to block reporting of activities that resulted from 
the identity theft.
  My bill again requires that presentation of the FTC certificate, 
police report and photo identification establish that the person is in 
fact a victim of identity theft and requires credit-reporting agencies 
to block information that appears on a victim's credit report as a 
result of the identity theft. It also changes current law that requires 
individuals to bring suit against a credit reporting agency within two 
years from the time the agency commits a violation of laws on fair 
reporting of credit. This makes little sense, since it may be years 
before a misrepresentation comes to the attention of a victim of 
identity theft. The bill requires that the statute of limitations begin 
ticking from the time when a consumer discovers or has reason to know 
that a misrepresentation by a credit reporting agency has occurred.
  The bill leaves in place State laws that are more stringent and 
provides that either Federal prosecutors or State Attorney Generals may 
enforce this law.
  Jenni and Michael's stories illustrate the unique problems victims of 
identity theft face. Although penalties exist for identity thieves, no 
remedies are available for their victims. The scope of the problem is 
made worse because it's too easy for a criminal to steal someone's 
identity and cause serious harm before the theft is even discovered. 
And when these criminals cross state lines, it can be even harder for 
victims to trace the problem and repair the damage. For these reasons, 
it's imperative that we pass federal legislation for the victims of 
identity theft.
  The government, creditors and credit reporting agencies have a shared 
responsibility to assist identity theft victims mitigate the harm that 
results from frauds perpetrated in the victim's name. We need to build 
up the law enforcement network, already started by the Federal Trade 
Commission and other federal agencies under the Identity Theft and 
Assumption Deterrence Act of 1998. We need to further improve law 
enforcement coordination, particularly between the various local and 
state jurisdictions combating identity theft and the associated crimes.
  We also need to provide better and timelier information to businesses 
so they can head off fraud before it happens. That is why my bill also 
expands the jurisdiction of the interagency coordinating committee 
established under the Internet False Identification Act of 2000. 
Currently, the coordination committee has the mandate to study

[[Page S11036]]

and report to Congress on federal investigation and enforcement of 
identity theft crimes. The Identity Theft Victims Assistance Act 
broadens the mandate for the coordinating committee to consider state 
and local enforcement of identity theft law and specifically requires 
the committee to examine and recommend what assistance the federal 
government can provide state and local law enforcement agencies to 
better coordinate in the battle against identity theft.
  There is no doubt about the scope of the problem: identity theft is 
already a major problem, and it's getting worse. We must provide 
victims with the tools they need to regain control of their lives. The 
Identity Theft Victims Assistance of 2003 will help victims of identity 
theft recover their identity and restore their good credit. I look 
forward to working with my colleagues to promptly enact this bill into 
law.
  I ask unanimous consent that the text of the legislation be printed 
in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1581

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Identity Theft Victims 
     Assistance Act of 2003''.

     SEC. 2. FINDINGS.

       Congress finds the following:
       (1) The crime of identity theft is the fastest growing 
     crime in the United States. According to a recent estimate, 
     7,000,000 Americans were victims of identity theft in the 
     past year, a 79 percent increase over previous estimates.
       (2) Stolen identities are often used to perpetuate crimes 
     in many cities and States, making it more difficult for 
     consumers to restore their respective identities.
       (3) Identity theft cost consumers more than $745,000,000 in 
     1998 and has increased dramatically in the last few years. It 
     has been estimated that identity theft victims within the 
     business community lose an average of $17,000.
       (4) Identity theft is ruinous to the good name and credit 
     of consumers whose identities are misappropriated, and 
     consumers may be denied otherwise deserved credit and may 
     have to spend enormous time, effort, and money to restore 
     their respective identities.
       (5) As of the date of enactment of this Act, a national 
     mechanism does not exist to assist identity theft victims to 
     obtain evidence of identity theft, restore their credit, and 
     regain control of their respective identities.
       (6) Consumers who are victims of identity theft need a 
     nationally standardized means of--
       (A) establishing their true identities and claims of 
     identity theft to all business entities, credit reporting 
     agencies, and Federal and State law enforcement agencies;
       (B) obtaining information documenting fraudulent 
     transactions from business entities;
       (C) reporting identity theft to consumer credit reporting 
     agencies.
       (7) Business entities, credit reporting agencies, and 
     government agencies have a shared responsibility to assist 
     victims of identity theft to mitigate the harm caused by any 
     fraud perpetrated in the name of the victims.

     SEC. 3. TREATMENT OF IDENTITY THEFT MITIGATION.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by adding after section 1028 the following:

     ``Sec. 1028A. Treatment of identity theft mitigation

       ``(a) Definitions.--As used in this section--
       ``(1) the term `business entity' means any corporation, 
     trust, partnership, sole proprietorship, or unincorporated 
     association, including any financial service provider, 
     financial information repository, creditor (as that term is 
     defined in section 103 of the Truth in Lending Act (15 U.S.C. 
     1602)), telecommunications, utilities, or other service 
     provider;
       ``(2) the term `consumer' means an individual;
       ``(3) the term `financial information' means information 
     identifiable as relating to an individual consumer that 
     concerns the amount and conditions of the assets, 
     liabilities, or credit of the consumer, including--
       ``(A) account numbers and balances;
       ``(B) nonpublic personal information, as that term is 
     defined in section 509 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6809); and
       ``(C) codes, passwords, social security numbers, tax 
     identification numbers, State identifier numbers issued by a 
     State department of licensing, and other information used for 
     the purpose of account access or transaction initiation;
       ``(4) the term `financial information repository' means a 
     person engaged in the business of providing services to 
     consumers who have a credit, deposit, trust, stock, or other 
     financial services account or relationship with that person;
       ``(5) the term `identity theft' means a violation of 
     section 1028 or any other similar provision of applicable 
     Federal or State law;
       ``(6) the term `means of identification' has the same 
     meaning given the term in section 1028;
       ``(7) the term `victim' means a consumer whose means of 
     identification or financial information has been used or 
     transferred (or has been alleged to have been used or 
     transferred) without the authority of that consumer with the 
     intent to commit, or with the intent to aid or abet, an 
     identity theft; and
       ``(8) the terms not defined in this section or otherwise 
     defined in section 3(s) of the Federal Deposit Insurance Act 
     (12 U.S.C. 1813(s)) shall have the meaning given to them in 
     section 1(b) of the International Banking Act of 1978 (12 
     U.S.C. 3101).
       ``(b) Information Available to Victims.--
       ``(1) In general.--A business entity that has provided 
     credit, provided, for consideration, products, goods, or 
     services, accepted payment, otherwise entered into a 
     commercial transaction for consideration with a person that 
     has made unauthorized use of the means of identification of 
     the victim, or possesses information relating to such 
     transaction, shall, not later than 20 days after the receipt 
     of a written request by the victim, meeting the requirements 
     of subsection (c), provide, without charge, a copy of all 
     application and business transaction information related to 
     the transaction being alleged as an identity theft to--
       ``(A) the victim;
       ``(B) any Federal, State, or local governing law 
     enforcement agency or officer specified by the victim in such 
     a request; or
       ``(C) any law enforcement agency investigating the identity 
     theft and authorized by the victim to take receipt of records 
     provided under this section.
       ``(2) Rule of construction.--
       ``(A) In general.--No provision of Federal or State law 
     (except a law involving the non-disclosure of information 
     related to a pending Federal criminal investigation) 
     prohibiting the disclosure of financial information by a 
     business entity to third parties shall be used to deny 
     disclosure of information to the victim under this section.
       ``(B) Limitation.--Except as provided in subparagraph (A), 
     nothing in this section permits a business entity to disclose 
     information that the business entity is otherwise prohibited 
     from disclosing under any other applicable provision of 
     Federal or State law.
       ``(c) Verification of Identity and Claim.--Unless a 
     business entity, at its discretion, is otherwise able to 
     verify the identity of a victim making a request under 
     subsection (b)(1), the victim shall provide to the business 
     entity--
       ``(1) as proof of positive identification, at the election 
     of the business entity--
       ``(A) the presentation of a government-issued 
     identification card;
       ``(B) personally identifying information of the same type 
     as was provided to the business entity by the unauthorized 
     person; or
       ``(C) personally identifying information that the business 
     entity typically requests from new applicants or for new 
     transactions at the time of the victim's request for 
     information; and
       ``(2) as proof of a claim of identity theft, at the 
     election of the business entity--
       ``(A) a copy of a police report evidencing the claim of the 
     victim of identity theft;
       ``(B) a properly completed copy of a standardized affidavit 
     of identity theft developed and made available by the Federal 
     Trade Commission; or
       ``(C) any properly completed affidavit of fact that is 
     acceptable to the business entity for that purpose.
       ``(d) Verification Standard.--Prior to releasing records 
     pursuant to subsection (b), a business entity shall take 
     reasonable steps to verify the identity of the alleged victim 
     requesting such records.
       ``(e) Limitation on Liability.--No business entity may be 
     held liable for a disclosure, made in good faith and 
     reasonable judgment pursuant to, and in compliance with, this 
     section, where such disclosure is made--
       ``(1) for the purpose of detection, investigation, or 
     prosecution of identity theft; or
       ``(2) to assist a victim in recovery of fines, restitution, 
     rehabilitation of the credit of the victim, or such other 
     relief as may be appropriate.
       ``(f) Authority To Decline To Provide Information.--A 
     business entity may decline to provide information under 
     subsection (b) if, in the exercise of good faith and 
     reasonable judgment, the business entity determines that--
       ``(1) this section does not require disclosure of the 
     information;
       ``(2) the request for the information is based on a 
     misrepresentation of fact by the victim relevant to the 
     request for information; or
       ``(3) the information requested is Internet navigational 
     data or similar information about a person's visit to a 
     website or online service.
       ``(g) No New Recordkeeping Obligation.--Nothing in this 
     section creates an obligation on the part of a business 
     entity to obtain, retain, or maintain information or records 
     that are not otherwise required to be obtained, retained, or 
     maintained in the ordinary course of its business or under 
     other applicable law.
       ``(h) Enforcement.--
       ``(1) Injunctive actions by the attorney general.--
       ``(A) In general.--Whenever it appears that a business 
     entity to which this section applies has engaged, is engaged, 
     or is about to engage, in any act or practice constituting a 
     violation of this section, the Attorney General of the United 
     States may bring

[[Page S11037]]

     a civil action in an appropriate district court of the United 
     States to--
       ``(i) enjoin such act or practice;
       ``(ii) enforce compliance with this section; and
       ``(iii) obtain such other equitable relief as the court 
     determines to be appropriate.
       ``(B) Other injunctive relief.--Upon a proper showing in 
     the action under subparagraph (A), the court shall grant a 
     permanent injunction or a temporary restraining order without 
     bond.
       ``(2) Administrative enforcement.--
       ``(A) Federal trade commission.--
       ``(i) In general.--Except to the extent that administrative 
     enforcement is specifically committed to another agency under 
     subparagraph (B), a violation of this section shall be deemed 
     an unfair or deceptive act or practice in violation of the 
     Federal Trade Commission Act (15 U.S.C. 41 et seq.), for 
     purposes of the exercise by the Federal Trade Commission of 
     its functions and powers under that Act.
       ``(ii) Available functions and powers.--All of the 
     functions and powers of the Federal Trade Commission under 
     the Federal Trade Commission Act are available to the 
     Commission to enforce compliance by any person with this 
     section.
       ``(B) Other federal agencies.--Compliance with any 
     requirements under this section may be enforced--
       ``(i) under section 8 of the Federal Deposit Insurance Act 
     (12 U.S.C. 1818)--

       ``(I) by the Office of the Comptroller of the Currency, 
     with respect to national banks, and Federal branches and 
     Federal agencies of foreign banks (except brokers, dealers, 
     persons providing insurance, investment companies, and 
     investment advisers);
       ``(II) by the Board of Governors of the Federal Reserve 
     System, with respect to member banks of the Federal Reserve 
     System (other than national banks), branches and agencies of 
     foreign banks (other than Federal branches, Federal agencies, 
     and insured State branches of foreign banks), commercial 
     lending companies owned or controlled by foreign banks, and 
     organizations operating under section 25 or 25A of the 
     Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et seq.);
       ``(III) by the Board of Directors of the Federal Deposit 
     Insurance Corporation, with respect to banks insured by the 
     Federal Deposit Insurance Corporation (other than members of 
     the Federal Reserve System), insured State branches of 
     foreign banks, and any subsidiaries of such entities (except 
     brokers, dealers, persons providing insurance, investment 
     companies, and investment advisers); and
       ``(IV) by the Director of the Office of Thrift Supervision, 
     with respect to savings associations, the deposits of which 
     are insured by the Federal Deposit Insurance Corporation, and 
     any subsidiaries of such savings associations (except 
     brokers, dealers, persons providing insurance, investment 
     companies, and investment advisers);

       ``(ii) by the Board of the National Credit Union 
     Administration, under the Federal Credit Union Act (12 U.S.C. 
     1751 et seq.), with respect to any federally insured credit 
     union, and any subsidiaries of such credit union;
       ``(iii) by the Securities and Exchange Commission, under 
     the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.), 
     with respect to any broker or dealer;
       ``(iv) by the Securities and Exchange Commission, under the 
     Investment Company Act of 1940 (15 U.S.C. 80a-1 et seq.), 
     with respect to investment companies;
       ``(v) by the Securities and Exchange Commission, under the 
     Investment Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.), 
     with respect to investment advisers registered with the 
     Commission under such Act;
       ``(vi) by the Secretary of Transportation, under subtitle 
     IV of title 49, with respect to all carriers subject to the 
     jurisdiction of the Surface Transportation Board;
       ``(vii) by the Secretary of Transportation, under part A of 
     subtitle VII of title 49, with respect to any air carrier or 
     any foreign air carrier subject to that part; and
       ``(viii) by the Secretary of Agriculture, under the Packers 
     and Stockyards Act, 1921 (7 U.S.C. 181 et seq.), except as 
     provided in section 406 of that Act (7 U.S.C. 226, 2271), 
     with respect to any activities subject to that Act.
       ``(C) Agency powers.--
       ``(i) In general.--A violation of any requirement imposed 
     under this section shall be deemed to be a violation of a 
     requirement imposed under any Act referred to under 
     subparagraph (B), for the purpose of the exercise by any 
     agency referred to under subparagraph (B) of its powers under 
     any such Act.
       ``(ii) Rule of construction.--Nothing in this section shall 
     be construed to prevent a Federal agency from exercising the 
     powers conferred upon such agency by Federal law to--

       ``(I) conduct investigations;
       ``(II) administer oaths or affirmations; or
       ``(III) compel the attendance of witnesses or the 
     production of documentary or other evidence.

       ``(3) Parens patriae authority.--
       ``(A) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been, or is threatened to be, 
     adversely affected by a violation of this section by any 
     business entity, the State, as parens patriae, may bring a 
     civil action on behalf of the residents of the State in a 
     district court of the United States of appropriate 
     jurisdiction to--
       ``(i) enjoin that practice;
       ``(ii) enforce compliance with this section;
       ``(iii) obtain damages--

       ``(I) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of the 
     State; and
       ``(II) punitive damages, if the violation is willful or 
     intentional; and

       ``(iv) obtain such other equitable relief as the court may 
     consider to be appropriate.
       ``(B) Notice.--Before filing an action under subparagraph 
     (A), the attorney general of the State involved shall, if 
     practicable, provide to the Attorney General of the United 
     States, and where applicable, to the appropriate Federal 
     agency with the authority to enforce this section under 
     paragraph (2)--
       ``(i) a written notice of the action; and
       ``(ii) a copy of the complaint for the action.
       ``(4) Intervention.--
       ``(A) In general.--On receiving notice of an action under 
     paragraph (3), the Attorney General of the United States, and 
     any Federal agency with authority to enforce this section 
     under paragraph (2), shall have the right to intervene in 
     that action.
       ``(B) Effect of intervention.--Any person or agency under 
     subparagraph (A) that intervenes in an action under paragraph 
     (2) shall have the right to be heard on all relevant matters 
     arising therein.
       ``(C) Service of process.--Upon the request of the Attorney 
     General of the United States or any Federal agency with the 
     authority to enforce this section under paragraph (2), the 
     attorney general of a State that has filed an action under 
     this section shall, pursuant to rule 4(d)(4) of the Federal 
     Rules of Civil Procedure, serve the Attorney General of the 
     United States or the head of such Federal agency, with a copy 
     of the complaint.
       ``(5) Construction.--For purposes of bringing any civil 
     action under this subsection, nothing in this section shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on such attorney general by 
     the laws of that State to--
       ``(A) conduct investigations;
       ``(B) administer oaths or affirmations; or
       ``(C) compel the attendance of witnesses or the production 
     of documentary and other evidence.
       ``(6) Limitation on state action while federal action is 
     pending.--In any case in which an action is instituted by or 
     on behalf of the Attorney General of the United States, or 
     appropriate Federal regulator authorized under paragraph (2), 
     for a violation of this section, no State may, during the 
     pendency of that action, institute an action under this 
     section against any defendant named in the complaint in that 
     action for such violation.
       ``(7) Venue; service of process.--
       ``(A) Venue.--Any action brought under this subsection may 
     be brought in the district court of the United States--
       ``(i) where the defendant resides;
       ``(ii) where the defendant is doing business; or
       ``(iii) that meets applicable requirements relating to 
     venue under section 1391 of title 28.
       ``(B) Service of process.--In an action brought under this 
     subsection, process may be served in any district in which 
     the defendant--
       ``(i) resides;
       ``(ii) is doing business; or
       ``(iii) may be found.
       ``(8) Affirmative defense.--In any civil action brought to 
     enforce this section, it is an affirmative defense (which the 
     defendant must establish by a preponderance of the evidence) 
     for a business entity to file an affidavit or answer stating 
     that--
       ``(A) the business entity has made a reasonably diligent 
     search of its available business records; and
       ``(B) the records requested under this section do not exist 
     or are not available.
       ``(9) No private right of action.--Nothing in this section 
     shall be construed to provide a private right of action or 
     claim for relief.''.
       (b) Clerical Amendment.--The table of sections at the 
     beginning of chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1028 
     the following new item:

``1028A. Treatment of identity theft mitigation.''.

     SEC. 4. AMENDMENTS TO THE FAIR CREDIT REPORTING ACT.

       (a) Consumer Reporting Agency Blocking of Information 
     Resulting From Identity Theft.--Section 611 of the Fair 
     Credit Reporting Act (15 U.S.C. 1681i) is amended by adding 
     at the end the following:
       ``(e) Block of Information Resulting From Identity Theft.--
       ``(1) Block.--Except as provided in paragraph (3) and not 
     later than 30 days after the date of receipt of proof of the 
     identity of a consumer and an official copy of a police 
     report evidencing the claim of the consumer of identity 
     theft, a consumer reporting agency shall block the reporting 
     of any information identified by the consumer in the file of 
     the consumer resulting from the identity theft, so that the 
     information cannot be reported.
       ``(2) Notification.--A consumer reporting agency shall 
     promptly notify the furnisher of information identified by 
     the consumer under paragraph (1)--
       ``(A) that the information may be a result of identity 
     theft;
       ``(B) that a police report has been filed;
       ``(C) that a block has been requested under this 
     subsection; and

[[Page S11038]]

       ``(D) of the effective date of the block.
       ``(3) Authority to decline or rescind.--
       ``(A) In general.--A consumer reporting agency may decline 
     to block, or may rescind any block, of consumer information 
     under this subsection if--
       ``(i) in the exercise of good faith and reasonable 
     judgment, the consumer reporting agency finds that--

       ``(I) the information was blocked due to a 
     misrepresentation of fact by the consumer relevant to the 
     request to block; or
       ``(II) the consumer knowingly obtained possession of goods, 
     services, or moneys as a result of the blocked transaction or 
     transactions, or the consumer should have known that the 
     consumer obtained possession of goods, services, or moneys as 
     a result of the blocked transaction or transactions; or

       ``(ii) the consumer agrees that the blocked information or 
     portions of the blocked information were blocked in error.
       ``(B) Notification to consumer.--If the block of 
     information is declined or rescinded under this paragraph, 
     the affected consumer shall be notified promptly, in the same 
     manner as consumers are notified of the reinsertion of 
     information under subsection (a)(5)(B).
       ``(C) Significance of block.--For purposes of this 
     paragraph, if a consumer reporting agency rescinds a block, 
     the presence of information in the file of a consumer prior 
     to the blocking of such information is not evidence of 
     whether the consumer knew or should have known that the 
     consumer obtained possession of any goods, services, or 
     monies as a result of the block.
       ``(4) Exceptions.--
       ``(A) Negative information data.--A consumer reporting 
     agency shall not be required to comply with this subsection 
     when such agency is issuing information for authorizations, 
     for the purpose of approving or processing negotiable 
     instruments, electronic funds transfers, or similar methods 
     of payment, based solely on negative information, including--
       ``(i) dishonored checks;
       ``(ii) accounts closed for cause;
       ``(iii) substantial overdrafts;
       ``(iv) abuse of automated teller machines; or
       ``(v) other information which indicates a risk of fraud 
     occurring.
       ``(B) Resellers.--
       ``(i) No reseller file.--The provisions of this subsection 
     do not apply to a consumer reporting agency if the consumer 
     reporting agency--

       ``(I) does not maintain a file on the consumer from which 
     consumer reports are produced;
       ``(II) is not, at the time of the request of the consumer 
     under paragraph (1), otherwise furnishing or reselling a 
     consumer report concerning the information identified by the 
     consumer; and
       ``(III) informs the consumer, by any means, that the 
     consumer may report the identity theft to the Federal Trade 
     Commission to obtain consumer information regarding identity 
     theft.

       ``(ii) Reseller with file.--The sole obligation of the 
     consumer reporting agency under this subsection, with regard 
     to any request of a consumer under this subsection, shall be 
     to block the consumer report maintained by the consumer 
     reporting agency from any subsequent use if--

       ``(I) the consumer, in accordance with the provisions of 
     paragraph (1), identifies, to a consumer reporting agency, 
     information in the file of the consumer that resulted from 
     identity theft;
       ``(II) the consumer reporting agency is acting as a 
     reseller of the identified information by assembling or 
     merging information about that consumer which is contained in 
     the database of not less than 1 other consumer reporting 
     agency; and
       ``(III) the consumer reporting agency does not store or 
     maintain a database of information obtained for resale from 
     which new consumer reports are produced.

       ``(iii) Notice.--In carrying out its obligation under 
     clause (ii), the consumer reporting agency shall provide a 
     notice to the consumer of the decision to block the file. 
     Such notice shall contain the name, address, and telephone 
     number of each consumer reporting agency from which the 
     consumer information was obtained for resale.''.
       (b) False Claims.--Section 1028 of title 18, United States 
     Code, is amended by adding at the end the following:
       ``(j) Any person who knowingly falsely claims to be a 
     victim of identity theft for the purpose of obtaining the 
     blocking of information by a consumer reporting agency under 
     section 611(e)(1) of the Fair Credit Reporting Act (15 U.S.C. 
     1681i(e)(1)) shall be fined under this title, imprisoned not 
     more than 3 years, or both.''.
       (c) Statute of Limitations.--Section 618 of the Fair Credit 
     Reporting Act (15 U.S.C. 1681p) is amended to read as 
     follows:

     ``SEC. 618. JURISDICTION OF COURTS; LIMITATION ON ACTIONS.

       ``(a) In General.--Except as provided in subsections (b) 
     and (c), an action to enforce any liability created under 
     this title may be brought in any appropriate United States 
     district court without regard to the amount in controversy, 
     or in any other court of competent jurisdiction, not later 
     than 2 years from the date of the defendant's violation of 
     any requirement under this title.
       ``(b) Willful Misrepresentation.--In any case in which the 
     defendant has materially and willfully misrepresented any 
     information required to be disclosed to an individual under 
     this title, and the information misrepresented is material to 
     the establishment of the liability of the defendant to that 
     individual under this title, an action to enforce a liability 
     created under this title may be brought at any time within 2 
     years after the date of discovery by the individual of the 
     misrepresentation.
       ``(c) Identity Theft.--An action to enforce a liability 
     created under this title may be brought not later than 4 
     years from the date of the defendant's violation if--
       ``(1) the plaintiff is the victim of an identity theft; or
       ``(2) the plaintiff--
       ``(A) has reasonable grounds to believe that the plaintiff 
     is the victim of an identity theft; and
       ``(B) has not materially and willfully misrepresented such 
     a claim.''.

     SEC. 5. COORDINATING COMMITTEE STUDY OF COORDINATION BETWEEN 
                   FEDERAL, STATE, AND LOCAL AUTHORITIES IN 
                   ENFORCING IDENTITY THEFT LAWS.

       (a) Membership; Term.--Section 2 of the Internet False 
     Identification Prevention Act of 2000 (18 U.S.C. 1028 note) 
     is amended--
       (1) in subsection (b), by striking ``and the Commissioner 
     of Immigration and Naturalization'' and inserting ``the 
     Commissioner of Immigration and Naturalization, the Chairman 
     of the Federal Trade Commission, the Postmaster General, and 
     the Commissioner of the United States Customs Service,''; and
       (2) in subsection (c), by striking ``2 years after the 
     effective date of this Act.'' and inserting ``on December 28, 
     2005.''.
       (b) Consultation.--Section 2 of the Internet False 
     Identification Prevention Act of 2000 (18 U.S.C. 1028 note) 
     is amended--
       (1) by redesignating subsection (d) as subsection (e); and
       (2) by inserting after subsection (c) the following:
       ``(d) Consultation.--In discharging its duties, the 
     coordinating committee shall consult with interested parties, 
     including State and local law enforcement agencies, State 
     attorneys general, representatives of business entities (as 
     that term is defined in section 4 of the Identity Theft 
     Victims Assistance Act of 2003), including telecommunications 
     and utility companies, and organizations representing 
     consumers.''.
       (c) Report Distribution and Contents.--Section 2(e) of the 
     Internet False Identification Prevention Act of 2000 (18 
     U.S.C. 1028 note) (as redesignated by subsection (b)) is 
     amended--
       (1) by striking paragraph (1) and inserting the following:
       ``(1) In general.--The Attorney General and the Secretary 
     of the Treasury, at the end of each year of the existence of 
     the coordinating committee, shall report on the activities of 
     the coordinating committee to--
       ``(A) the Committee on the Judiciary of the Senate;
       ``(B) the Committee on the Judiciary of the House of 
     Representatives;
       ``(C) the Committee on Banking, Housing, and Urban Affairs 
     of the Senate; and
       ``(D) the Committee on Financial Services of the House of 
     Representatives.'';
       (2) in subparagraph (E), by striking ``and'' at the end; 
     and
       (3) by striking subparagraph (F) and inserting the 
     following:
       ``(F) a comprehensive description of Federal assistance 
     provided to State and local law enforcement agencies to 
     address identity theft;
       ``(G) a comprehensive description of coordination 
     activities between Federal, State, and local law enforcement 
     agencies that address identity theft; and
       ``(H) recommendations in the discretion of the President, 
     if any, for legislative or administrative changes that 
     would--
       ``(i) facilitate more effective investigation and 
     prosecution of cases involving--

       ``(I) identity theft; and
       ``(II) the creation and distribution of false 
     identification documents;

       ``(ii) improve the effectiveness of Federal assistance to 
     State and local law enforcement agencies and coordination 
     between Federal, State, and local law enforcement agencies; 
     and
       ``(iii) simplify efforts by a person necessary to rectify 
     the harm that results from the theft of the identity of such 
     person.''.

                          ____________________