[Congressional Record Volume 150, Number 72 (Thursday, May 20, 2004)]
[Senate]
[Pages S6006-S6010]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. NELSON of Florida:
  S. 2472. A bill to require that notices to consumers of health and 
financial services include information on the outsourcing of sensitive 
personal information abroad, to require relevant Federal agencies to 
prescribe regulations to ensure the privacy and security of sensitive 
personal information outsourced abroad, to establish requirements for 
foreign call centers, and for other purposes; to the Committee on the 
Judiciary.
  Mr. NELSON of Florida. Mr. President, I rise today to express my deep 
concern about an issue that illustrates the continuing erosion of 
Americans' privacy rights. My concern is related to the practice of 
outsourcing. When U.S. companies outsource sensitive customer 
information for processing overseas, they may be outsourcing our 
privacy rights along with it.
  We all know that recently it has become popular for American 
companies to send internal paperwork to be done in other countries, by 
foreign companies.
  When a U.S. company allows a foreign company to process customer 
data, the foreign company may be given access to the most sensitive 
types of customer information. Our health records, bank account 
numbers, social security numbers, tax forms, and credit card numbers 
are now being
shipped abroad--without the knowledge of the customer and beyond the 
reach of U.S. privacy laws.
  This phenomenon means that consumers are almost powerless to stop 
foreign scam artists from misusing their sensitive information. What 
types of abuses can occur under this scenario?
  In one recent shocking example, a U.S. hospital hired a medical 
transcriber in Pakistan through a subcontractor to work with sensitive 
patient health information. Later, the foreign worker claimed that she 
had not been paid for her work.

   So, you know what she did? She threatened to post patients' medical 
records online unless she was paid. Luckily, she got her paycheck and 
doesn't seem to have posted anything online.
   But this situation shows us the potential for gross violations of 
consumer privacy. The U.S. hospital said that it never even knew that 
the foreign transcriber had been hired through a subcontractor and it 
therefore had never bound her contractually to follow any privacy or 
security standards.
   Another potential abuse of offshoring sensitive customer data is 
identity theft. The illegal theft of someone's identity is a profoundly 
disturbing and costly problem in this information age.
   Moreover, illegal misuse of sensitive information also can have 
national security implications. For example, data about some of our 
Nation's power grids allegedly has been outsourced to companies 
overseas. Imagine the harm that terrorists might do if they got hold of 
that type of confidential information.
   As our global economy expands at such a rapid pace, we simply cannot 
tolerate the outsourcing of Americans' privacy rights overseas. We need 
to be proactive on this potentially explosive issue. Make no mistake, 
the Pakistani transcriber incident is not the first or the last time 
that sensitive customer information becomes endangered in a foreign 
country. The time to act is now, instead of reacting only after our 
privacy rights are further eroded.
   In light of these circumstances, today I am introducing a bill--
along with Senator Feinstein--that begins to address these privacy and 
security concerns. The bill is called the INFO Act, which is short for 
The Increasing Notice of Foreign Outsourcing Act.
   The INFO Act is designed to help ensure that sensitive consumer 
information is protected and that U.S. companies can be held 
accountable for breakdowns in the security of customer information.
   Specifically, the INFO Act that we are introducing today would 
require the following things: First, U.S. companies in the health care 
industry and the financial industry must tell their customers that 
their sensitive health information and financial information is being 
processed by companies in foreign nations, where privacy safeguards may 
be less stringent.
   Second, U.S. companies in the health care industry and the financial 
industry must promise their customers that they are complying with U.S. 
privacy laws, which are designed to keep sensitive customer information 
secure even when it is outsourced.
   Third, U.S. companies in the health care industry and financial 
industry must make sure that each foreign company that is handling 
sensitive customer information has agreed by contract to meet U.S. 
privacy standards and to keep sensitive customer information secure.

  Fourth, U.S. companies may examine the business operations of the 
foreign company to make sure the foreign company is meeting privacy 
standards and is keeping sensitive customer information secure.
  Fifth, a foreign company must notify the U.S. company of any data 
security breach. The U.S. company must then notify the U.S. regulatory 
agency, which can then hold the U.S. company accountable for the 
actions of the foreign company.
  Finally, an employee of a foreign call center must tell a U.S. 
customer where the employee is located, if the U.S. customer asks for 
this information.
  I strongly believe that we need to act now, before the privacy issues 
raised by offshoring begin to explode.
  Let me emphasize that I see this bill as both pro-consumer and pro-
business. Consumers will be informed about how their sensitive 
information is handled and they can learn when security breaches occur. 
Additionally, foreign companies that handle customer data will be held 
accountable to the U.S. company that gives them their work. And U.S. 
companies will be upfront in informing their customers about offshoring 
sensitive data before customer backlash occurs.
  With this sort of system in place, we hopefully can reduce the 
chances of customer data being misused, and allow U.S. companies to 
play on a level playing field where all interested parties know the 
rules of the game.
  I have a history of trying to solve consumer issues in ways that are 
not needlessly burdensome to U.S. businesses. That is why my office, as 
well as Senator Feinstein's office, has met several times with industry 
representatives during the development of this bill.
  I was interested to find ways for businesses to protect consumer 
privacy rights without having to sharply raise prices or limit products 
and services. I believe that the INFO Act has achieved those goals.
  Consumer privacy has always been one of my top priorities. Now, as 
always, I look forward to working with all interested parties to 
resolve this consumer privacy issue in a timely and effective manner.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2472

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Increasing Notice of Foreign 
     Outsourcing Act''.

     SEC. 2. HEALTH PRIVACY.

       (a) Foreign-Based Business Associate.--In this section, the 
     term ``foreign-based business associate'' means a business 
     associate, as defined under the regulations promulgated 
     pursuant to section 264(c) of the Health Insurance 
     Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 
     note), whose operation is based outside the United States and 
     that receives protected health information and processes such 
     information outside the United States.
       (b) Notices.--
       (1) In general.--The Secretary of Health and Human Services 
     (referred to in this section as the ``Secretary'') shall 
     revise the regulations prescribed pursuant to section 264(c) 
     of the Health Insurance Portability and Accountability Act of 
     1996 (42 U.S.C. 1320d-2 note) to require a covered entity (as 
     defined under such regulations and referred to in this 
     section as a ``covered entity''), that outsources protected 
     health information (as defined under such regulations and 
     referred to in this section as ``protected health 
     information''), outside the United States to include in such 
     entity's notice of privacy protections the following:
       (A) The following information in simple language:
       (i) Notification that the covered entity outsources 
     protected health information to foreign-based business 
     associates.
       (ii) Any risks and consequences to the privacy and security 
     of protected health information that arise as a result of the 
     processing of such information outside the United States.
       (iii) Additional measures the covered entity is taking to 
     protect the protected health information outsourced for 
     processing outside the United States.
       (B) A certification that the covered entity has taken 
     reasonable steps to ensure that the handling of protected 
     health information will be done in compliance with applicable 
     laws in all instances where protected health information is 
     processed outside the United States, including the reasons 
     for the certification.
       (2) Effective date.--A covered entity shall be required to 
     include in such entity's notice of privacy protections the 
     information and certification described in paragraph (1) for 
     notices issued on or after the date on which the Secretary 
     prescribes regulations pursuant to this section or the date 
     that is 365 days after the date of enactment of this Act, 
     whichever date is earlier. Nothing in this subsection shall 
     be construed to require a covered entity to reissue notices 
     issued before the date on which the Secretary prescribes 
     regulations pursuant to this section or the date that is 365 
     days after the date of enactment of this Act, whichever date 
     is earlier, to include in such notices the information and 
     certification described in paragraph (1).
       (c) Rulemaking.--
       (1) In general.--
       (A) Regulatory authority.--The Secretary shall--
       (i) prescribe such regulations consistent with paragraph 
     (2) as may be necessary to carry out this section with 
     respect to foreign outsourcing; and
       (ii) determine the appropriate penalties to impose upon a 
     covered entity for a violation of a provision of this 
     subsection or subsection (b).
       (B) Procedures and deadlines.--The regulations described in 
     subparagraph (A) shall be prescribed in accordance with all 
     applicable legal requirements and shall be issued in final 
     form not later than 365 days after the date of enactment of 
     this Act.
       (2) Necessary regulations.--The Secretary shall prescribe 
     regulations--
       (A) requiring that a contract between a covered entity and 
     such entity's foreign-based business associate contain a 
     provision that provides such entity with the right to audit 
     such associate, as needed, to monitor performance under the 
     contract; and
       (B) requiring that foreign-based business associates and 
     subcontractors of covered entities be contractually bound by 
     Federal privacy standards and security safeguards.
       (d) Breach of Security.--
       (1) Breach of security of the system.--In this subsection, 
     the term ``breach of security of the system''--
       (A) means the compromise of the security, confidentiality, 
     or integrity of computerized data that results in, or there 
     is a reasonable basis to conclude has resulted in, the 
     unauthorized acquisition of and access to protected health 
     information maintained by the covered entity, foreign-based 
     business associate, or subcontractor; and
       (B) does not include good faith acquisition of protected 
     health information by an employee or agent of the covered 
     entity, foreign-based business associate, or subcontractor 
     for the purposes of the entity, associate, or subcontractor, 
     if the protected health information is not used or subject to 
     further unauthorized disclosure.
       (2) Database security.--
       (A) Covered entity.--A covered entity--
       (i) that owns or licenses electronic data containing 
     protected health information shall, following the discovery 
     of a breach of security of the system containing such data, 
     notify the Secretary of such breach; or
       (ii) that receives a notification under subparagraph (B) of 
     a breach, shall notify the Secretary of such breach.
       (B) Other parties.--
       (i) Third party.--The Secretary shall require that a 
     contract between a covered entity and such entity's foreign-
     based business associate contain a provision that if the 
     foreign-based business associate (or any subcontractor of 
     such associate) owns or licenses electronic data containing 
     protected health information that was provided to the 
     associate through the covered entity, the associate (or 
     subcontractor) shall, following the discovery of a breach of 
     security of the system containing such data--

       (I) notify the entity from which it received the protected 
     health information of such breach; and
       (II) provide a description to the entity from which it 
     received the protected health information of any corrective 
     actions taken to guard against future security breaches.

       (ii) Notification process.--Each entity that receives a 
     notification under clause (i) shall notify the entity from 
     which it received the protected health information of such 
     breach until the notification reaches the foreign-based 
     business associate who shall, in turn, notify the covered 
     entity of such breach.
       (C) Timeliness of notification.--All notifications required 
     under subparagraphs (A) and (B) shall be made as expediently 
     as possible and without unreasonable delay following--
       (i) the discovery of a breach of security of the system; 
     and
       (ii) any measures necessary to determine the scope of the 
     breach, prevent further disclosures, and restore the 
     reasonable integrity of the data system.
       (3) Effective date.--This subsection shall take effect on 
     the expiration of the date that is 365 days after the date of 
     enactment of this subsection.

     SEC. 3. FINANCIAL PRIVACY.

       (a) Foreign-Based Business.--Section 509 of the Gramm-
     Leach-Bliley Act (15 U.S.C. 6809) is amended by adding at the 
     end the following:
       ``(12) Foreign-based business.--The term `foreign-based 
     business' means a nonaffiliated third party whose operation 
     is based outside the United States and that receives 
     nonpublic personal information and processes such information 
     outside the United States.''.
       (b) Financial Notices.--
       (1) In general.--Section 503(b) of the Gramm-Leach-Bliley 
     Act (15 U.S.C. 6803(b)) is amended--
       (A) in paragraph (3), by striking ``and'' after the 
     semicolon;
       (B) in paragraph (4), by striking the period at the end and 
     inserting ``; and''; and
       (C) by adding at the end the following:
       ``(5) if the financial institution outsources nonpublic 
     personal information outside the United States--
       ``(A) information informing the consumer in simple 
     language--
       ``(i) that the financial institution outsources nonpublic 
     personal information to foreign-based businesses;
       ``(ii) of any risks and consequences to the privacy and 
     security of an individual's nonpublic personal information 
     that arise as a result of the processing of such information 
     outside the United States; and
       ``(iii) of the additional measures the financial 
     institution is taking to protect the nonpublic personal 
     information outsourced for processing outside the United 
     States; and
       ``(B) a certification that the financial institution has 
     taken reasonable steps to ensure that the handling of 
     nonpublic personal information will be done in compliance 
     with applicable laws in all instances where nonpublic 
     personal information is processed outside the United States, 
     including the reasons for the certification.''.
       (2) Effective date.--A financial institution shall include 
     in such institution's disclosure the information and 
     certification described in the amendment made by paragraph 
     (1)(C) for disclosures provided on or after the date on which 
     the regulatory agency that has jurisdiction over such 
     institution pursuant to section 505 of the Gramm-Leach-Bliley 
     Act (15 U.S.C. 6805) prescribes regulations pursuant to the 
     amendments made by this section or the date that is 365 days 
     after the date of enactment of this Act, whichever date is 
     earlier. Nothing in this subsection, or the amendments made 
     by this subsection, shall be construed to require a financial 
     institution to reissue disclosures provided before the date 
     on which the regulatory agency that has jurisdiction over 
     such institution pursuant to section 505 of the Gramm-Leach-
     Bliley Act (15 U.S.C. 6805) prescribes regulations pursuant 
     to the amendments made by this section or the date that is 
     365 days after the date of enactment of this Act, whichever 
     date is earlier, to include in such disclosures the 
     information and certification described in the amendment made 
     by paragraph (1)(C).
       (c) Rulemaking.--Section 504 of the Gramm-Leach-Bliley Act 
     (15 U.S.C. 6804) is amended by adding at the end the 
     following:
       ``(c) Rulemaking on Foreign Outsourcing.--
       ``(1) In general.--
       ``(A) Regulatory authority.--The Federal banking agencies, 
     the National Credit Union Administration, the Secretary of 
     the Treasury, the Securities and Exchange Commission, and the 
     Federal Trade Commission (referred to in this subsection as 
     the `regulatory agencies') shall--
       ``(i) prescribe such regulations consistent with paragraph 
     (2) as may be necessary to carry out this subtitle with 
     respect to foreign outsourcing, with respect to the financial 
     institutions subject to their jurisdiction under section 505; 
     and
       ``(ii) determine the appropriate penalties to impose upon 
     financial institutions for a violation of a provision of this 
     subsection.
       ``(B) Coordination, consistency, and comparability.--The 
     regulatory agencies shall consult and coordinate with each 
     other for the purposes of assuring, to the extent possible, 
     that the regulations prescribed by each such agency are 
     consistent and comparable with the regulations prescribed by 
     the other such agencies.
       ``(C) Procedures and deadlines.--The regulations described 
     in subparagraph (A) shall be prescribed in accordance with 
     all applicable legal requirements and shall be issued in 
     final form not later than 365 days after the date of 
     enactment of this subsection.
       ``(2) Necessary regulations.--The regulatory agencies shall 
     prescribe regulations--
       ``(A) requiring that a contract between a financial 
     institution and such institution's foreign-based business 
     contain a provision that provides such institution with the 
     right to audit such business, as needed, to monitor 
     performance under the contract; and
       ``(B) requiring that foreign-based businesses and 
     subcontractors of financial institutions be contractually 
     bound by Federal privacy standards and security 
     safeguards.''.
       (d) Breach of Security.--Section 502 of the Gramm-Leach-
     Bliley Act (15 U.S.C. 6802) is amended by adding at the end 
     the following:
       ``(f) Breach of Security.--
       ``(1) Breach of security of the system.--In this 
     subsection, the term `breach of security of the system'--
       ``(A) means the compromise of the security, 
     confidentiality, or integrity of computerized data that 
     results in, or there is a reasonable basis to conclude has 
     resulted in, the unauthorized acquisition of and access to 
     nonpublic personal information maintained by the financial 
     institution, foreign-based business, or subcontractor; and
       ``(B) does not include good faith acquisition of nonpublic 
     personal information by an employee or agent of the financial 
     institution, foreign-based business, or subcontractor for the 
     purposes of the institution, business, or subcontractor, if 
     the nonpublic personal information is not used or subject to 
     further unauthorized disclosure.
       ``(2) Database security.--
       ``(A) Financial institution.--A financial institution--
       ``(i) that owns or licenses electronic data containing 
     nonpublic personal information shall, following the discovery 
     of a breach of security of the system containing such data, 
     notify the entity under which the institution is subject to 
     jurisdiction under section 505 of such breach; or
       ``(ii) that receives a notification under subparagraph (B) 
     of a breach, shall notify the entity under which the 
     institution is subject to jurisdiction under section 505 of 
     such breach.
       ``(B) Other parties.--
       ``(i) In general.--The Federal banking agencies, the 
     National Credit Union Administration, the Secretary of the 
     Treasury, the Securities and Exchange Commission, and the 
     Federal Trade Commission shall require, with respect to the 
     financial institutions subject to their jurisdiction under 
     section 505, that a contract between a financial institution 
     and such institution's foreign-based business contain a 
     provision that if the foreign-based business (or any 
     subcontractor
     of such business) owns or licenses electronic data containing 
     nonpublic personal information that was provided to the 
     business through the financial institution, the business (or 
     subcontractor) shall, following the discovery of a breach of 
     security of the system containing such data--

       ``(I) notify the entity from which it received the 
     nonpublic personal information of such breach; and
       ``(II) provide a description to the entity from which it 
     received the nonpublic personal information of any corrective 
     actions taken to guard against future security breaches.

       ``(ii) Notification process.--Each entity that receives a 
     notification under clause (i) shall notify the entity from 
     which it received the nonpublic personal information of such 
     breach until the notification reaches the foreign-based 
     business who shall, in turn, notify the financial institution 
     of such breach.
       ``(C) Timeliness of notification.--All notifications 
     required under subparagraphs (A) and (B) shall be made as 
     expediently as possible and without unreasonable delay 
     following--
       ``(i) the discovery of a breach of security of the system; 
     and
       ``(ii) any measures necessary to determine the scope of the 
     breach, prevent further disclosures, and restore the 
     reasonable integrity of the data system.
       ``(3) Effective date.--This subsection shall take effect on 
     the expiration of the date that is 365 days after the date of 
     enactment of this subsection.''.

     SEC. 4. FOREIGN CALL CENTERS.

       (a) Foreign Call Center Defined.--In this section, the term 
     ``foreign call center'' means a foreign-based service 
     provider or a foreign-based subcontractor of such provider 
     that--
       (1) is unaffiliated with the entity that utilizes such 
     provider or subcontractor; and
       (2) provides customer-based service and sales or technical 
     assistance and expertise to individuals located in the United 
     States via the telephone, the Internet, or other 
     telecommunications and information technology.
       (b) Requirement.--A contract between a foreign call center 
     and an entity that utilizes such foreign call center to 
     initiate telephone calls to, or receive telephone calls from, 
     individuals shall include a requirement that each employee of 
     the foreign call center disclose the physical location of 
     such employee upon the request of such individual.
       (c) Certification Requirement.--An entity described in 
     subsection (b) shall submit an annual certification to the 
     Federal Trade Commission on whether or not the entity and its 
     subsidiaries, and the foreign call center employees and its 
     subsidiaries, have complied with subsection (b). Such annual 
     certifications shall be made available to the public.
       (d) Noncompliance.--An entity described in subsection (b) 
     or its subsidiaries that violates subsection (b) shall be 
     subject to such civil penalties as the Federal Trade 
     Commission prescribes under subsection (e).
       (e) Regulations.--Not later than 365 days after the date of 
     enactment of this Act, the Federal Trade Commission shall 
     prescribe such regulations as are necessary for effective 
     monitoring and compliance with this section. Such regulations 
     shall include appropriate civil penalties for noncompliance 
     with this section.

  Mrs. FEINSTEIN. Mr. President, I rise to introduce, along with my 
colleague, Senator Bill Nelson, the Increasing Notice of Foreign 
Outsourcing Act, or the INFO Act. This legislation will help safeguard 
Americans' most important and sensitive personal information when it is 
sent abroad for processing to countries that may have lax security and 
privacy standards.
  The bill will ensure that American companies notify consumers of a 
business's outsourcing practices. It will require American companies to 
certify the adequacy of their outsourcing protections. And it will 
require American companies to hold their foreign business partners 
accountable for protecting Americans' data.
  In order to protect the information of Americans that is now 
vulnerable abroad, this bill calls for the following key safeguards:
  First, the bill requires American health and financial companies to 
notify consumers when sending their information abroad, and to certify 
the safety of the overseas processing. We drafted provisions carefully 
to minimize the burden on businesses, so they will expand on privacy 
disclosures that companies already make under Federal law.
  Second, American companies processing health or financial data must 
include clauses in contracts with their foreign partners to allow 
audits of their foreign information processors and to enforce American 
privacy standards.
  Third, the bill creates a system to inform American companies and 
Federal regulators of any security breaches involving American health 
or financial information at facilities operated outside the United 
States.
  And fourth, the bill gives Americans the right to have workers at 
foreign call centers disclose where they are calling from.
  The bill also gives Federal agencies the power to enforce these 
provisions. It is important to emphasize that this bill is drafted to 
minimize the burdens on businesses, by expanding on existing privacy 
data and security laws.
  While many are concerned about how outsourcing abroad hurts American 
workers, outsourcing also poses risks to the security and privacy of 
American consumers' personal data. The recent wave of international 
outsourcing means that we are flooding the entire world with our most 
sensitive information.
  Once sent abroad, the information is at risk because our Federal laws 
do not apply to foreign companies operating overseas. Another reason is 
because many foreign countries have far weaker security laws than our 
own. For instance, India still has no laws to protect personal and 
private data. And still another reason is because it is extremely 
difficult for Americans to use foreign courts to sue foreign companies 
that misuse American data.
  These factors leave the most intimate details of the lives of 
uncountable Americans vulnerable to lax security and to malicious 
identity thieves.
  And there is even more at stake. Information outsourcing poses a 
direct risk to national security. We are painfully aware that some 
people want to steal the identity of individual Americans in order to 
evade our homeland defenses and harm us all.
  International information outsourcing has skyrocketed in recent 
years. Consider the following:
  Tax returns for about 200,000 Americans were prepared in India this 
year. To put this number in context, Indian workers processed only about 
1,000 U.S. tax returns 2 years ago. Tax returns have Americans' names, 
Social Security numbers, income, employers, addresses, and other 
details.
  The American Association of Medical Transcription estimates that 10 
percent of all medical transcription of doctors' notes is being done 
abroad.
  An executive from Trans Union, one of the major credit agencies in 
the United States, told The San Francisco Chronicle that:

       A hundred percent of our mail regarding customer disputes 
     is going to go to India at some point.

  If anyone doubts the risk that international outsourcing poses to 
Americans, consider these incidents:
  Recently, a low-paid transcriber in Pakistan was working as a 
subcontractor to the University of California Medical Center in San 
Francisco. That foreign worker threatened to post confidential patient 
information on the Internet unless the university coaxed her boss into 
paying some of her bills.
  Three weeks later, a strikingly similar incident occurred with a 
worker in Bangalore, India.
  In another incident, in Noida, India, an employee working at a call 
center used an American's credit card information to buy electronics 
equipment from Sony.
  Also in India, there is a burgeoning black market in personal 
identity information. According to one report, stolen names, addresses, 
phone numbers, the bank a person has an account with, and even bank 
account numbers are sold on the streets for mere pennies.
  These are just a few incidents. No one knows how many other times 
workers have done similar things. And that is a big part of the 
problem. It is not merely that Americans' identities are vulnerable 
when sent abroad. The problem is that American companies obscure how 
much outsourcing they do, and when they are doing it.
  For example, according to the San Jose Mercury News, a worker at a 
call center dealing with State benefits refused to identify his 
location. The supervisor, when she picked up the call, refused to say 
anything more than that she worked for Citicorp.
  In essence, the problem of obscurity is so bad that we can list only 
a few incidents reported by the media. How many security breaches have 
taken place? Have consumers been informed when their information is 
abroad and at risk? How much money has this cost consumers? We don't 
know.
  And so far, American regulatory agencies have been unable to say 
despite their oversight of these industries. And American companies 
have stayed mum. We need to break the silence.
  The fact is, our Government is simply not doing enough to protect 
consumers. Earlier this month I received a letter from John D. Hawke, 
Jr., who is the U.S. Comptroller of the Currency. He heads one of the 
agencies that regulates U.S. financial institutions and banks.
  Mr. Hawke wrote to me that the Office of the Comptroller of the 
Currency, known as the OCC, does not directly regulate foreign 
contractors that work for U.S. banks. Specifically, he wrote:

       [T]he OCC focuses its supervisory reviews regarding foreign 
     servicing relationships on whether the serviced banks have 
     adequate procedures in place. . . .

  That means the OCC is focusing on the American companies, not the 
foreign ones.
  I also learned from the OCC that it already suggests certain 
safeguards for American banks to use when they hire foreign information 
processors. The OCC asks U.S. banks to use contract provisions to make 
sure that foreign companies use secure methods to process data, and to 
let the U.S. companies audit the foreign companies.
  But the OCC only suggests that companies adopt these safeguards. The 
legislation we are introducing today would take safeguards like the 
OCC's a step further, and make them mandatory.
  Now is the time to act. We know that there are criminal syndicates, 
such as in Nigeria, that have fraudulently obtained bank information to 
steal untold fortunes. We can hardly imagine the damage such 
organizations can do with a vast new source of sensitive financial data 
from international information outsourcing.
  In short, this bill accomplishes four goals crucial to protecting 
Americans' sensitive data sent abroad. It requires companies to give 
notice that they send consumers' sensitive data abroad. It ensures that 
U.S. companies can audit their foreign partners, and impose U.S. 
privacy standards on them. It establishes a system to ensure that 
foreign and U.S. companies will report security breaches to the U.S. 
Government. And it allows American consumers to demand to know where 
foreign call centers are located.
  This bill helps to protect outsourced information while minimizing 
burdens on American businesses. I urge my colleagues to join us in this 
effort.