[Congressional Record Volume 151, Number 76 (Thursday, June 9, 2005)]
[Senate]
[Pages S6318-S6320]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. CORZINE:
  S. 1216. A bill to require financial institutions and financial 
service providers to notify customers of the unauthorized use of 
personal financial information, and for other purposes; to the 
Committee on Banking, Housing, and Urban Affairs.
  Mr. CORZINE. Mr. President, identity theft is a serious and growing 
concern facing our Nation's consumers. According to the Federal Trade 
Commission, nearly 10 million Americans were the victims of identity 
theft in 2003, three times the number of victims just 3 years earlier. 
Research shows that there are more than 13 identity thefts every 
minute.
  According to the Identity Theft Resource Center, identity theft 
victims spend on average nearly 600 hours recovering from the crime. 
Additional research indicates the costs of lost wages and income as a 
result of the crime can soar as high as $16,000 per incident. No one 
wants to suffer this kind of hardship.
  Events this week have further served to highlight how serious the 
problem has become. The announcement by Citigroup that a box of 
computer tapes containing information on 3.9 million customers was lost 
by United Parcel Service in my own State of New Jersey while in transit 
to a credit reporting agency is the latest in a line of recent, high 
profile incidents. In fact, I myself was a victim of a similar recent 
loss of computer tapes by Bank of America.
  In both of these cases, Citigroup and Bank of America acted 
responsibly and notified possible victims in a prompt and timely manner. 
But this is not always the case.

[[Page S6319]]

  At the very least, consumers deserve to be made aware when their 
personal information has been compromised. Right now, they must hope 
that the laws of a few individual States, such as California, apply to 
their case, or that victimized institutions will act responsibly on 
their own.
  The legislation I am introducing today, the Financial Privacy Breach 
Notification Act of 2005, would protect consumers by requiring prompt 
notification by any financial institution or affiliated data broker in 
all cases, subject, of course, to the concerns of law enforcement 
agencies. It would also require automatic inclusion of fraud alerts in 
victims' credit files to minimize the damage done.
  Notification by itself won't solve everything, but it is an important 
first step that requires immediate attention. I intend to introduce 
more comprehensive legislation in the very near future to further 
protect consumers against the growing threat of identity theft, but 
requiring notification in a uniform fashion is an important and 
urgently needed first step.
  It is imperative that we take action to combat the growing threat of 
identity theft. This crime harms individuals and families, and drags 
down our economy in the form of lost productivity and capital. We can 
do more and we must do more.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1216

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Financial Privacy Breach 
     Notification Act of 2005''.

     SEC. 2. TIMELY NOTIFICATION OF UNAUTHORIZED ACCESS TO 
                   PERSONAL FINANCIAL INFORMATION.

       Subtitle B of title V of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6821 et seq.) is amended--
       (1) by redesignating sections 526 and 527 as sections 528 
     and 529, respectively; and
       (2) by inserting after section 525 the following:

     ``SEC. 526. NOTIFICATION TO CUSTOMERS OF UNAUTHORIZED ACCESS 
                   TO PERSONAL FINANCIAL INFORMATION.

       ``(a) Definitions.--In this section:
       ``(1) Breach.--The term `breach'--
       ``(A) means the unauthorized acquisition, or loss, of 
     computerized data or paper records which compromises the 
     security, confidentiality, or integrity of personal financial 
     information maintained by or on behalf of a financial 
     institution; and
       ``(B) does not include a good faith acquisition of personal 
     financial information by an employee or agent of a financial 
     institution for a business purpose of the institution, if the 
     personal financial information is not subject to further 
     unauthorized disclosure.
       ``(2) Personal financial information.--The term `personal 
     financial information' means the last name of an individual 
     in combination with any 1 or more of the following data 
     elements, when either the name or the data elements are not 
     encrypted:
       ``(A) Social security number.
       ``(B) Driver's license number or State identification 
     number.
       ``(C) Account number, credit or debit card number, in 
     combination with any required security code, access code, or 
     password that would permit access to the financial account of 
     an individual.
       ``(b) Notification to Customers Relating to Unauthorized 
     Access of Personal Financial Information.--
       ``(1) Financial institution requirement.--In any case in 
     which there has been a breach of personal financial 
     information at a financial institution, or such a breach is 
     reasonably believed to have occurred, the financial 
     institution shall promptly notify--
       ``(A) each customer affected by the violation or suspected 
     violation;
       ``(B) each consumer reporting agency described in section 
     603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a); 
     and
       ``(C) appropriate law enforcement agencies, in any case in 
     which the financial institution has reason to believe that 
     the breach or suspected breach affects a large number of 
     customers, including as described in subsection (e)(1)(C), 
     subject to regulations of the Federal Trade Commission.
       ``(2) Other entities.--For purposes of paragraph (1), any 
     person that maintains personal financial information for or 
     on behalf of a financial institution shall promptly notify 
     the financial institution of any case in which such customer 
     information has been, or is reasonably believed to have been, 
     breached.
       ``(c) Timeliness of Notification.--Notification required by 
     this section shall be made--
       ``(1) promptly and without unreasonable delay, upon 
     discovery of the breach or suspected breach; and
       ``(2) consistent with--
       ``(A) the legitimate needs of law enforcement, as provided 
     in subsection (d); and
       ``(B) any measures necessary to determine the scope of the 
     breach or restore the reasonable integrity of the information 
     security system of the financial institution.
       ``(d) Delays for Law Enforcement Purposes.--Notification 
     required by this section may be delayed if a law enforcement 
     agency determines that the notification would impede a 
     criminal investigation, and in any such case, notification 
     shall be made promptly after the law enforcement agency 
     determines that it would not compromise the investigation.
       ``(e) Form of Notice.--Notification required by this 
     section may be provided--
       ``(1) to a customer--
       ``(A) in written notification;
       ``(B) in electronic form, if the notice provided is 
     consistent with the provisions regarding electronic records 
     and signatures set forth in section 101 of the Electronic 
     Signatures in Global and National Commerce Act (15 U.S.C. 
     7001);
       ``(C) if the Federal Trade Commission determines that the 
     number of all customers affected by, or the cost of providing 
     notifications relating to, a single breach or suspected 
     breach would make other forms of notification prohibitive, or 
     in any case in which the financial institution certifies in 
     writing to the Federal Trade Commission that it does not have 
     sufficient customer contact information to comply with other 
     forms of notification, in the form of--
       ``(i) an e-mail notice, if the financial institution has 
     access to an e-mail address for the affected customer that it 
     has reason to believe is accurate;
       ``(ii) a conspicuous posting on the Internet website of the 
     financial institution, if the financial institution maintains 
     such a website; or
       ``(iii) notification through the media that a breach of 
     personal financial information has occurred or is suspected 
     that compromises the security, confidentiality, or integrity 
     of customer information of the financial institution; or
       ``(D) in such other form as the Federal Trade Commission 
     may by rule prescribe; and
       ``(2) to consumer reporting agencies and law enforcement 
     agencies (where appropriate), in such form as the Federal 
     Trade Commission may prescribe, by rule.
       ``(f) Content of Notification.--Each notification to a 
     customer under subsection (b) shall include--
       ``(1) a statement that--
       ``(A) credit reporting agencies have been notified of the 
     relevant breach or suspected breach; and
       ``(B) the credit report and file of the customer will 
     contain a fraud alert to make creditors aware of the breach 
     or suspected breach, and to inform creditors that the express 
     authorization of the customer is required for any new 
     issuance or extension of credit (in accordance with section 
     605(g) of the Fair Credit Reporting Act); and
       ``(2) such other information as the Federal Trade 
     Commission determines is appropriate.
       ``(g) Compliance.--Notwithstanding subsection (e), a 
     financial institution shall be deemed to be in compliance 
     with this section, if--
       ``(1) the financial institution has established a 
     comprehensive information security program that is consistent 
     with the standards prescribed by the appropriate regulatory 
     body under section 501(b);
       ``(2) the financial institution notifies affected customers 
     and consumer reporting agencies in accordance with its own 
     internal information security policies in the event of a 
     breach or suspected breach of personal financial information; 
     and
       ``(3) such internal security policies incorporate 
     notification procedures that are consistent with the 
     requirements of this section and the rules of the Federal 
     Trade Commission under this section.
       ``(h) Civil Penalties.--
       ``(1) Damages.--Any customer injured by a violation of this 
     section may institute a civil action to recover damages 
     arising from that violation.
       ``(2) Injunctions.--Actions of a financial institution in 
     violation or potential violation of this section may be 
     enjoined.
       ``(3) Cumulative effect.--The rights and remedies available 
     under this section are in addition to any other rights and 
     remedies available under applicable law.
       ``(i) Rules of Construction.--
       ``(1) In general.--Compliance with this section by a 
     financial institution shall not be construed to be a 
     violation of any provision of subtitle (A), or any other 
     provision of Federal or State law prohibiting the disclosure 
     of financial information to third parties.
       ``(2) Limitation.--Except as specifically provided in this 
     section, nothing in this section requires or authorizes a 
     financial institution to disclose information that it is 
     otherwise prohibited from disclosing under subtitle A or any 
     other provision of Federal or State law.
       ``(j) Enforcement.--The Federal Trade Commission is 
     authorized to enforce compliance with this section, including 
     the assessment of fines for violations of subsection 
     (b)(1).''.

[[Page S6320]]

     SEC. 3. EFFECTIVE DATE.

       This Act shall take effect on the expiration of the date 
     which is 6 months after the date of enactment of this Act.