[Congressional Record Volume 151, Number 89 (Wednesday, June 29, 2005)]
[Senate]
[Pages S7620-S7632]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. SPECTER (for himself and Mr. Leahy):
  S. 1332. A bill to prevent and mitigate identity theft; to ensure 
privacy; and to enhance criminal penalties, law enforcement assistance, 
and other protections against security breaches, fraudulent access, and 
misuse of personally identifiable information; read the first time.
  Mr. SPECTER. Mr. President, I rise today to introduce S. 1332, the 
Personal Data Privacy and Security Act of 2005.
  Not too long ago, our personal information--our Social Security 
numbers, our date of birth, our mothers' maiden names, where we live--all 
remained relatively private. Where we live, and what we paid for our 
house, and whether we had a mortgage might have been publicly 
available, but finding that information out would require a trip to
the local recorder's office. Our privacy was preserved by the sheer 
difficulty of obtaining the information. This privacy--the ability to 
be left alone--has been a cherished value throughout American history.
  As our day-to-day transactions have become electronic, more and more 
of our personal data has been stored, transmitted and accessed 
electronically. Almost all of us have benefited from this change. 
Because our personal information is available electronically, we can 
purchase goods and services over the phone or on the internet. We can 
obtain a mortgage or rent an apartment in a matter of hours. We can 
apply for a credit card while we wait at the store and purchase things 
on-line. The availability of such information also helps law 
enforcement agencies conduct investigations and catch criminals. The 
information has also been used to do good. In one instance, Associated 
Press journalists matched Social Security numbers obtained from data 
brokers to Mississippi prison data exposing eight school teachers who 
failed to report that they had been convicted of sex offenses or drug 
crimes.
  However, as Justice Warren prophetically wrote in the 1963 case, 
Lopez v. United States--a case balancing the privacy interests of an 
individual with the law enforcement needs of the government--``The 
fantastic advances in the field of electronic communication constitute 
a great danger to the privacy of the individual.'' In electronic form, 
our personal information is both more valuable and more vulnerable. As 
we have all witnessed in recent months, electronic data is more 
vulnerable because it can be accessed from afar and can be stolen in a 
split second. The problem first became apparent when data brokers, 
companies that buy and sell our personal data, announced that they had 
experienced large-scale breaches involving the personal data of 
hundreds of thousands of Americans. In February, ChoicePoint, one of 
the Nation's largest collectors of consumer information, notified over 
145,000 Americans of a system security breach. In March, LexisNexis 
announced that unauthorized persons posing as legitimate customers 
obtained the personal data of over 300,000 Americans.
  It soon became apparent that the problem extended beyond data 
brokers. In April, Carnegie Mellon University notified 19,000 students, 
alumni, faculty and staff that their personal data may have been 
compromised. In May, a data storage company lost information on 600,000 
current and former employees of Time Warner. In recent days, MasterCard 
announced 40 million credit card numbers belonging to U.S. consumers 
were accessed by a computer hacker--the largest breach yet.
  Even government agencies have not been immune. Personal data 
including Social Security numbers on nearly 6,000 current and former 
Federal Deposit Insurance Corporation employees was stolen early last 
year, some of which has been used for fraudulent purposes.
  Electronic personal data is more valuable because identity thieves 
can steal large volumes and use it before anyone knows. For the last 5 
years, identity theft has topped the FTC's list of consumer complaints. 
From 2002 to 2004, the number of complaints rose 52 percent, to 
246,570. Put another way, that's once every 2 minutes. But this is only 
the tip of the iceberg. Not all consumers report identity theft to the 
FTC. Not all victims report identity theft to their local police. Sixty 
percent of those who did file a report with the FTC did not call their 
local police department. It stands to reason that many did not call the 
FTC.
  A recent study by the Better Business Bureau concluded that 9.3 
million Americans were victims of identity fraud in 2004, and that each 
victim lost approximately $5,800. Ultimately, nearly 20 percent of 
Americans will become victims of identity theft. Worse, according to 
the study, it took victims an average of 28 hours on the phone with 
creditors and credit bureaus to clear their names. I use the term 
``clear'' loosely, because in many cases the damage caused by identity 
theft is irreversible. Victims will have fraud alerts on their credit 
reports for years to come, making it more difficult to open new 
accounts or make major purchases. Some will be erroneously contacted by 
collection agencies.
  Individuals whose personal information is not stolen also suffer. 
Businesses lose nearly $50 billion a year from identity thieves posing 
as customers. These losses translate into increased prices for every 
consumer.
  In some cases, the availability of electronic personal data can lead 
to tragedy. In 1999, a former high school classmate of Amy Lynn Boyer 
obtained her former work address and Social Security number from an on-line 
data broker. By calling her home and posing as the former 
employer, he convinced Amy's mom to give him Amy's work address. He 
then drove to Boyer's workplace and fatally shot her.
  In an effort to protect the privacy and security of our electronic 
personal information, and prevent future tragedies, small and large, my 
colleague Senator Leahy and I are introducing the Personal Data Privacy 
and Security Act of 2005. First, this legislation goes after identity 
thieves by increasing penalties for crimes involving electronic 
personal data. For example, it increases penalties for computer fraud 
when such fraud involves personal data. It also goes after those who 
intentionally expose Americans to identity theft by punishing those who 
intentionally conceal a security breach that involves personal data.
  The bill also empowers Americans to look after the privacy of their 
own data. The bill will allow individuals to obtain access to any 
personal information held by data brokers. For individuals who believe 
their information is wrong, data brokers must provide them with 
guidance on how to correct their information.
  The legislation also puts the burden on those that store, transmit and 
access electronic personal data. It will require the companies, 
government agencies, and universities that keep significant amounts of 
personal data to assess the vulnerability of their systems and to adopt 
policies that will address those vulnerabilities. Some entities will 
choose to encrypt the personal data that they store and transmit. 
Others will pick a means more appropriate to their size and the 
sensitivity of their data.
  Of course, these provisions do not apply to data held by health care 
providers and financial institutions that is already regulated by other 
federal laws. This legislation fills in gaps left by other federal 
laws. It has become clear that many entities other than health care 
providers and financial institutions have large amounts of personal 
information. This legislation would require such entities to adequately 
protect their electronic data.
  Such measures will not always be enough. As I've already noted, the 
nature of electronic data makes it vulnerable even when those who hold 
it take reasonable steps to protect it. Currently, no federal law 
requires those who maintain our sensitive personal data to notify 
affected individuals when such data is lost or exposed. This 
legislation would require those who maintain such data to notify 
affected individuals as well as law enforcement. As everyone knows, 
knowledge is power. Once individuals learn that their personal 
information is exposed, they can take steps to protect themselves. And, 
the company, school or agency that experienced the breach must help. 
They must provide individuals whose data was lost with a monthly credit 
report and they must provide information on the identity theft victim 
assistance available to them. For large breaches, the media must be 
notified. Media reports over the past few months have made Americans 
far more aware of the problem of security breaches. Hopefully, we can 
continue to raise awareness by requiring data holders to continue the 
practice of making public announcements regarding large breaches. 
Notice will also give law enforcement a head start in the effort to 
prevent harm to individuals as a result of a breach.
  One of the most critical pieces of information that can be lost is 
one's Social Security number. We can all think of instances when we've 
been asked for our Social Security number to verify our identities--
utilities, doctors, schools--I could go on. In itself, this is not 
harmful. Problems arise, however, when the Social Security number gets 
passed along to others without the person's knowledge or permission. 
The legislation would prohibit companies from buying, selling or 
displaying a Social Security number without consent
from the individual whose number it is. The bill also would prevent 
companies from requiring individuals to give their Social Security 
number in order to obtain goods or services. Finally, it would bar 
government agencies from posting public records that contain Social 
Security numbers on the internet. This legislation would not prevent 
the use of Social Security numbers altogether. We recognize that would 
not be practical. It would, however, protect the value of Social 
Security numbers by preventing their proliferation.
  Finally, this legislation will protect the privacy of all Americans 
by providing a check on the government's use of databases maintained by 
data brokers. As I've already noted, federal law enforcement uses 
electronic personal data maintained by data brokers to track criminals 
and criminal activity. Correctly used, these databases can be very 
useful tools in the fight against crime. However, there should be some 
check on their use. In addition, the legislation aims at making sure 
the government's use of such data is secure. It will require audits to 
ensure that data brokers are keeping law enforcement inquiries private.
  This bill represents a comprehensive effort to protect the privacy 
and security of electronic personal data. Our lives have all been made 
easier because our personal information is readily available to those 
who have a legitimate need for it. This legislation aims to keep such 
information out of the hands of those who have no legitimate need for 
it. I urge my colleagues to join me in supporting this important 
legislation. I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1332

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Personal 
     Data Privacy and Security Act of 2005''.
       (b) Table of Contents.--The table of contents for this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Fraud and related criminal activity in connection with 
              unauthorized access to personally identifiable 
              information.
Sec. 102. Organized criminal activity in connection with unauthorized 
              access to personally identifiable information.
Sec. 103. Concealment of security breaches involving personally 
              identifiable information.
Sec. 104. Aggravated fraud in connection with computers.
Sec. 105. Review and amendment of Federal sentencing guidelines related 
              to fraudulent access to or misuse of digitized or 
              electronic personally identifiable information.

  TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING 
 CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF 
                  PERSONALLY IDENTIFIABLE INFORMATION

Sec. 201. Grants for State and local enforcement.
Sec. 202. Authorization of appropriations.

                        TITLE III--DATA BROKERS

Sec. 301. Transparency and accuracy of data collection.
Sec. 302. Enforcement.
Sec. 303. Relation to State laws.
Sec. 304. Effective date.

 TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

             Subtitle A--Data Privacy and Security Program

Sec. 401. Purpose and applicability of data privacy and security 
              program.
Sec. 402. Requirements for a personal data privacy and security 
              program.
Sec. 403. Enforcement.
Sec. 404. Relation to State laws.

                Subtitle B--Security Breach Notification

Sec. 421. Right to notice of security breach.
Sec. 422. Notice procedures.
Sec. 423. Content of notice.
Sec. 424. Risk assessment and fraud prevention notice exemptions.
Sec. 425. Victim protection assistance.
Sec. 426. Enforcement.
Sec. 427. Relation to State laws.
Sec. 428. Study on securing personally identifiable information in the 
              digital era.
Sec. 429. Authorization of appropriations.
Sec. 430. Effective date.

             TITLE V--PROTECTION OF SOCIAL SECURITY NUMBERS

Sec. 501. Social Security number protection.
Sec. 502. Limits on personal disclosure of social security numbers for 
              commercial transactions and accounts.
Sec. 503. Public records.
Sec. 504. Treatment of social security numbers on government checks and 
              prohibition of inmate access.
Sec. 505. Study and report.
Sec. 506. Enforcement.
Sec. 507. Relation to State laws.

       TITLE VI--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

Sec. 601. General Services Administration review of contracts.
Sec. 602. Requirement to audit information security practices of 
              contractors and third party business entities.
Sec. 603. Privacy impact assessment of government use of commercial 
              information services containing personally identifiable 
              information.
Sec. 604. Implementation of Chief Privacy Officer requirements.

     SEC. 2. FINDINGS.

       Congress finds that--
       (1) databases of personally identifiable information are 
     increasingly prime targets of hackers, identity thieves, 
     rogue employees, and other criminals, including organized and 
     sophisticated criminal operations;
       (2) identity theft is a serious threat to the nation's 
     economic stability, homeland security, the development of e-
     commerce, and the privacy rights of Americans;
       (3) over 9,300,000 individuals were victims of identity 
     theft in America last year;
       (4) security breaches are a serious threat to consumer 
     confidence, homeland security, e-commerce, and economic 
     stability;
       (5) it is important for business entities that own, use, or 
     license personally identifiable information to adopt 
     reasonable procedures to ensure the security, privacy, and 
     confidentiality of that personally identifiable information;
       (6) individuals whose personal information has been 
     compromised or who have been victims of identity theft should 
     receive the necessary information and assistance to mitigate 
     their damages and to restore the integrity of their personal 
     information and identities;
       (7) data brokers have assumed a significant role in 
     providing identification, authentication, and screening 
     services, and related data collection and analyses for 
     commercial, nonprofit, and government operations;
       (8) data misuse and use of inaccurate data have the 
     potential to cause serious or irreparable harm to an 
     individual's livelihood, privacy, and liberty and undermine 
     efficient and effective business and government operations;
       (9) there is a need to insure that data brokers conduct 
     their operations in a manner that prioritizes fairness, 
     transparency, accuracy, and respect for the privacy of 
     consumers;
       (10) government access to commercial data can potentially 
     improve safety, law enforcement, and national security; and
       (11) because government misuse of commercial data endangers 
     privacy, security, and liberty, there is a need for Congress 
     to exercise oversight over government use of commercial data.

     SEC. 3. DEFINITIONS.

       In this Act:
       (1) Agency.--The term ``agency'' has the same meaning given 
     such term in section 551 of title 5, United States Code.
       (2) Affiliate.--The term ``affiliate'' means persons 
     related by common ownership or affiliated by corporate 
     control.
       (3) Business entity.--The term ``business entity'' means 
     any organization, corporation, trust, partnership, sole 
     proprietorship, unincorporated association, venture 
     established to make a profit, or nonprofit, and any 
     contractor, subcontractor, affiliate, or licensee thereof 
     engaged in interstate commerce.
       (4) Identity theft.--The term ``identity theft'' means a 
     violation of section 1028 of title 18, United States Code, or 
     any other similar provision of applicable State law.
       (5) Data broker.--The term ``data broker'' means a business 
     entity which for monetary fees, dues, or on a cooperative 
     nonprofit basis, regularly engages, in whole or in part, in 
     the practice of collecting, transmitting, or otherwise 
     providing personally identifiable information on a nationwide 
     basis on more than 5,000 individuals who are not the 
     customers or employees of the business entity or affiliate.
       (6) Data furnisher.--The term ``data furnisher'' means any 
     agency, governmental entity, organization, corporation, 
     trust, partnership, sole proprietorship, unincorporated 
     association, venture established to make a profit, or 
     nonprofit, and any contractor, subcontractor, affiliate, or 
     licensee thereof, that serves as a source of information for 
     a data broker.
       (7) Personal electronic record.--The term ``personal 
     electronic record'' means the
     compilation of personally identifiable information of an 
     individual (including information associated with that 
     personally identifiable information) in a database, networked 
     or integrated databases, or other data system.
       (8) Personally identifiable information.--The term 
     ``personally identifiable information'' means any 
     information, or compilation of information, in electronic or 
     digital form serving as a means of identification, as defined 
     by section 1028(d)(7) of title 18, United States Code.
       (9) Public record.--The term ``public record'' means any 
     item, collection, or grouping of information about an 
     individual that is maintained by an agency, including--
       (A) education, financial transactions, medical history, and 
     criminal or employment history containing the name of an 
     individual; and
       (B) the identifying number, symbol, or other identifying 
     particular assigned to an individual, such as--
       (i) a fingerprint;
       (ii) a voice print; or
       (iii) a photograph.
       (10) Security breach.--
       (A) In general.--The term ``security breach'' means 
     compromise of the security, confidentiality, or integrity of 
     computerized data through misrepresentation or actions that 
     result in, or there is a reasonable basis to conclude has 
     resulted in, the unauthorized acquisition of and access to 
     sensitive personally identifiable information.
       (B) Exclusion.--The term ``security breach'' does not 
     include a good faith acquisition of sensitive personally 
     identifiable information if the sensitive personally 
     identifiable information is not subject to further 
     unauthorized disclosure.
       (11) Sensitive personally identifiable information.--The 
     term ``sensitive personally identifiable information'' means 
     any name or number used in conjunction with any other 
     information to identify a specific individual, including 
     any--
       (A) name, social security number, date of birth, official 
     State or government issued driver's license or identification 
     number, alien registration number, government passport 
     number, employer or taxpayer identification number;
       (B) unique biometric data, such as--
       (i) a fingerprint;
       (ii) a voice print;
       (iii) a retina or iris image; or
       (iv) any other unique physical representation;
       (C) unique electronic identification number, address, or 
     routing code; or
       (D) telecommunication identifying information or access 
     device (as defined in section 1029(e) of title 18, United 
     States Code).

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

     SEC. 101. FRAUD AND RELATED CRIMINAL ACTIVITY IN CONNECTION 
                   WITH UNAUTHORIZED ACCESS TO PERSONALLY 
                   IDENTIFIABLE INFORMATION.

       Section 1030(a)(2) of title 18, United States Code, is 
     amended--
       (1) in subparagraph (B), by striking ``or'' after the 
     semicolon;
       (2) in subparagraph (C), by inserting ``or'' after the 
     semicolon; and
       (3) by adding at the end the following:
       ``(D) information contained in the databases or systems of 
     a data broker, or in other personal electronic records, as 
     such terms are defined in section 3 of the Personal Data 
     Privacy and Security Act of 2005;''.

     SEC. 102. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH 
                   UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
                   INFORMATION.

       Section 1961(1) of title 18, United States Code, is amended 
     by inserting ``section 1030(a)(2)(D) (relating to fraud and 
     related activity in connection with unauthorized access to 
     personally identifiable information),'' before ``section 
     1084''.

     SEC. 103. CONCEALMENT OF SECURITY BREACHES INVOLVING 
                   PERSONALLY IDENTIFIABLE INFORMATION.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by adding at the end the following:

     ``Sec. 1039. Concealment of security breaches involving 
       personally identifiable information

       ``Whoever, having knowledge of a security breach requiring 
     notice to individuals under title IV of the Personal Data 
     Privacy and Security Act of 2005, intentionally and willfully 
     conceals the fact of, or information related to, such 
     security breach, shall be fined under this title or 
     imprisoned not more than 5 years, or both.''.
       (b) Conforming and Technical Amendments.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by adding at the end the following:

``1039. Concealment of security breaches involving personally 
              identifiable information.''.

     SEC. 104. AGGRAVATED FRAUD IN CONNECTION WITH COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by adding after section 1030 the following:

     ``Sec. 1030A. Aggravated fraud in connection with computers

       ``(a) In General.--Whoever, during and in relation to any 
     felony violation enumerated in subsection (c), knowingly 
     obtains, accesses, or transmits, without lawful authority, a 
     means of identification of another person may, in addition to 
     the punishment provided for such felony, be sentenced to a 
     term of imprisonment of up to 2 years.
       ``(b) Consecutive Sentences.--Notwithstanding any other 
     provision of law, should a court in its discretion impose an 
     additional sentence under subsection (a)--
       ``(1) no term of imprisonment imposed on a person under 
     this section shall run concurrently, except as provided in 
     paragraph (3), with any other term of imprisonment imposed on 
     such person under any other provision of law, including any 
     term of imprisonment imposed for the felony during which the 
     means of identification was obtained, accessed, or 
     transmitted;
       ``(2) in determining any term of imprisonment to be imposed 
     for the felony during which the means of identification was 
     obtained, accessed, or transmitted, a court shall not in any 
     way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(3) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section.
       ``(c) Definition.--For purposes of this section, the term 
     `felony violation enumerated in subsection (c)' means any 
     offense that is a felony violation of paragraphs (2) through 
     (7) of section 1030(a).''.
       (b) Conforming and Technical Amendments.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following new item:

``1030A. Aggravated fraud in connection with computers.''.

     SEC. 105. REVIEW AND AMENDMENT OF FEDERAL SENTENCING 
                   GUIDELINES RELATED TO FRAUDULENT ACCESS TO OR 
                   MISUSE OF DIGITIZED OR ELECTRONIC PERSONALLY 
                   IDENTIFIABLE INFORMATION.

       (a) Review and Amendment.--Not later than 180 days after 
     the date of enactment of this Act, the United States 
     Sentencing Commission, pursuant to its authority under 
     section 994 of title 28, United States Code, and in 
     accordance with this section, shall review and, if 
     appropriate, amend the Federal sentencing guidelines 
     (including its policy statements) applicable to persons 
     convicted of using fraud to access, or misuse of, digitized 
     or electronic personally identifiable information, including 
     identity theft or any offense under--
       (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of 
     title 18, United States Code; or
       (2) any other relevant provision.
       (b) Requirements.--In carrying out the requirements of this 
     section, the United States Sentencing Commission shall--
       (1) ensure that the Federal sentencing guidelines 
     (including its policy statements) reflect--
       (A) the serious nature of the offenses and penalties 
     referred to in this Act;
       (B) the growing incidences of theft and misuse of digitized 
     or electronic personally identifiable information, including 
     identity theft; and
       (C) the need to deter, prevent, and punish such offenses;
       (2) consider the extent to which the Federal sentencing 
     guidelines (including its policy statements) adequately 
     address violations of the sections amended by this Act to--
       (A) sufficiently deter and punish such offenses; and
       (B) adequately reflect the enhanced penalties established 
     under this Act;
       (3) maintain reasonable consistency with other relevant 
     directives and sentencing guidelines;
       (4) account for any additional aggravating or mitigating 
     circumstances that might justify exceptions to the generally 
     applicable sentencing ranges;
       (5) consider whether to provide a sentencing enhancement 
     for those convicted of the offenses described in subsection 
     (a), if the conduct involves--
       (A) the online sale of fraudulently obtained or stolen 
     personally identifiable information;
       (B) the sale of fraudulently obtained or stolen personally 
     identifiable information to an individual who is engaged in 
     terrorist activity or aiding other individuals engaged in 
     terrorist activity; or
       (C) the sale of fraudulently obtained or stolen personally 
     identifiable information to finance terrorist activity or 
     other criminal activities;
       (6) make any necessary conforming changes to the Federal 
     sentencing guidelines to ensure that such guidelines 
     (including its policy statements) as described in subsection 
     (a) are sufficiently stringent to deter, and adequately 
     reflect crimes related to fraudulent access to, or misuse of, 
     personally identifiable information; and
       (7) ensure that the Federal sentencing guidelines 
     adequately meet the purposes of sentencing under section 
     3553(a)(2) of title 18, United States Code.
       (c) Emergency Authority to Sentencing Commission.--The 
     United States Sentencing Commission may, as soon as 
     practicable, promulgate amendments under this section in 
     accordance with procedures established in section 21(a) of 
     the Sentencing Act of 1987 (28
     U.S.C. 994 note) as though the authority under that Act had 
     not expired.

  TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING 
 CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF 
                  PERSONALLY IDENTIFIABLE INFORMATION

     SEC. 201. GRANTS FOR STATE AND LOCAL ENFORCEMENT.

       (a) In General.--Subject to the availability of amounts 
     provided in advance in appropriations Acts, the Assistant 
     Attorney General for the Office of Justice Programs of the 
     Department of Justice may award a grant to a State to 
     establish and develop programs to increase and enhance 
     enforcement against crimes related to fraudulent, 
     unauthorized, or other criminal use of personally 
     identifiable information.
       (b) Application.--A State seeking a grant under subsection 
     (a) shall submit an application to the Assistant Attorney 
     General for the Office of Justice Programs of the Department 
     of Justice at such time, in such manner, and containing such 
     information as the Assistant Attorney General may require.
       (c) Use of Grant Amounts.--A grant awarded to a State under 
     subsection (a) shall be used by a State, in conjunction with 
     units of local government within that State, State and local 
     courts, other States, or combinations thereof, to establish 
     and develop programs to--
       (1) assist State and local law enforcement agencies in 
     enforcing State and local criminal laws relating to crimes 
     involving the fraudulent, unauthorized, or other criminal use 
     of personally identifiable information;
       (2) assist State and local law enforcement agencies in 
     educating the public to prevent and identify crimes involving 
     the fraudulent, unauthorized, or other criminal use of 
     personally identifiable information;
       (3) educate and train State and local law enforcement 
     officers and prosecutors to conduct investigations and 
     forensic analyses of evidence and prosecutions of crimes 
     involving the fraudulent, unauthorized, or other criminal use 
     of personally identifiable information;
       (4) assist State and local law enforcement officers and 
     prosecutors in acquiring computer and other equipment to 
     conduct investigations and forensic analysis of evidence of 
     crimes involving the fraudulent, unauthorized, or other 
     criminal use of personally identifiable information; and
       (5) facilitate and promote the sharing of Federal law 
     enforcement expertise and information about the 
     investigation, analysis, and prosecution of crimes involving 
     the fraudulent, unauthorized, or other criminal use of 
     personally identifiable information with State and local law 
     enforcement officers and prosecutors, including the use of 
     multi-jurisdictional task forces.
       (d) Assurances and Eligibility.--To be eligible to receive 
     a grant under subsection (a), a State shall provide 
     assurances to the Attorney General that the State--
       (1) has in effect laws that penalize crimes involving the 
     fraudulent, unauthorized, or other criminal use of personally 
     identifiable information, such as penal laws prohibiting--
       (A) fraudulent schemes executed to obtain personally 
     identifiable information;
       (B) schemes executed to sell or use fraudulently obtained 
     personally identifiable information; and
       (C) online sales of personally identifiable information 
     obtained fraudulently or by other illegal means;
       (2) will provide an assessment of the resource needs of the 
     State and units of local government within that State, 
     including criminal justice resources being devoted to the 
     investigation and enforcement of laws related to crimes 
     involving the fraudulent, unauthorized, or other criminal use 
     of personally identifiable information; and
       (3) will develop a plan for coordinating the programs 
     funded under this section with other federally funded 
     technical assistance and training programs, including directly 
     funded local programs such as the Local Law Enforcement Block 
     Grant program (described under the heading ``Violent Crime 
     Reduction Programs, State and Local Law Enforcement 
     Assistance'' of the Departments of Commerce, Justice, and 
     State, the Judiciary, and Related Agencies Appropriations 
     Act, 1998 (Public Law 105-119)).
       (e) Matching Funds.--The Federal share of a grant received 
     under this section may not exceed 90 percent of the total 
     cost of a program or proposal funded under this section 
     unless the Attorney General waives, wholly or in part, the 
     requirements of this subsection.

     SEC. 202. AUTHORIZATION OF APPROPRIATIONS.

       (a) In General.--There is authorized to be appropriated to 
     carry out this title $25,000,000 for each of fiscal years 
     2006 through 2009.
       (b) Limitations.--Of the amount made available to carry out 
     this title in any fiscal year not more than 3 percent may be 
     used by the Attorney General for salaries and administrative 
     expenses.
       (c) Minimum Amount.--Unless all eligible applications 
     submitted by a State or units of local government within a 
     State for a grant under this title have been funded, the 
     State, together with grantees within the State (other than 
     Indian tribes), shall be allocated in each fiscal year under 
     this title not less than 0.75 percent of the total amount 
     appropriated in the fiscal year for grants pursuant to this 
     title, except that the United States Virgin Islands, American 
     Samoa, Guam, and the Northern Mariana Islands each shall be 
     allocated 0.25 percent.
       (d) Grants to Indian Tribes.--Notwithstanding any other 
     provision of this title, the Attorney General may use amounts 
     made available under this title to make grants to Indian 
     tribes for use in accordance with this title.

                        TITLE III--DATA BROKERS

     SEC. 301. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.

       (a) In General.--Data brokers engaging in interstate 
     commerce are subject to the requirements of this title for 
     any product or service offered to third parties that 
     allows access, use, compilation, distribution, processing, 
     analyzing, or evaluating personally identifiable information, 
     unless that product or service is currently subject to 
     similar protections under subsections (b) and (g) of this 
     section, the Fair Credit Reporting Act (Public Law 91-508), 
     or the Gramm-Leach-Bliley Act (Public Law 106-102), and 
     implementing regulations.
       (b) Disclosures to Individuals.--
       (1) In general.--A data broker shall, upon the request of 
     an individual, clearly and accurately disclose to such 
     individual for a reasonable fee all personal electronic 
     records pertaining to that individual maintained for 
     disclosure to third parties in the databases or systems of 
     the data broker at the time of the request.
       (2) Information on how to correct inaccuracies.--The 
     disclosures required under paragraph (1) shall also include 
     guidance to individuals on the processes and procedures for 
     demonstrating and correcting any inaccuracies.
       (c) Creation of an Accuracy Resolution Process.--A data 
     broker shall develop and publish on its website timely and 
     fair processes and procedures for responding to claims of 
     inaccuracies, including procedures for correcting inaccurate 
     information in the personal electronic records it maintains 
     on individuals.
       (d) Accuracy Resolution Process.--
       (1) Public record information.--
       (A) In general.--If an individual notifies a data broker of 
     a dispute as to the completeness or accuracy of information, 
     and the data broker determines that such information is 
     derived from a public record source, the data broker shall 
     determine within 30 days whether the information in its 
     system accurately and completely records the information 
     offered by the public record source.
       (B) Data broker actions.--If a data broker determines under 
     subparagraph (A) that the information in its systems--
       (i) does not accurately and completely record the 
     information offered by a public record source, the data 
     broker shall correct any inaccuracies or incompleteness, and 
     provide to such individual written notice of such changes; 
     and
       (ii) does accurately and completely record the information 
     offered by a public record source, the data broker shall--

       (I) provide such individual with the name, address, and 
     telephone contact information of the public record source; 
     and
       (II) notify such individual of the right to add to the 
     personal electronic record of the individual maintained by 
     the data broker a statement disputing the accuracy or 
     completeness of the information for a period of 90 days under 
     subsection (e).

       (2) Investigation of disputed non-public record 
     information.--If the completeness or accuracy of any non-
     public record information disclosed to an individual under 
     subsection (b) is disputed by the individual and such 
     individual notifies the data broker directly of such dispute, 
     the data broker shall, before the end of the 30-day period 
     beginning on the date on which the data broker receives the 
     notice of the dispute--
       (A) investigate free of charge and record the current 
     status of the disputed information; or
       (B) delete the item from the individual's data file in 
     accordance with paragraph (8).
       (3) Extension of period to investigate.--Except as provided 
     in paragraph (4), the 30-day period described in paragraph 
     (1) may be extended for not more than 15 additional days if a 
     data broker receives information from the individual during 
     that 30-day period that is relevant to the investigation.
       (4) Limitations on extension of period to investigate.--
     Paragraph (3) shall not apply to any investigation in which, 
     during the 30-day period described in paragraph (1), the 
     information that is the subject of the investigation is found 
     to be inaccurate or incomplete or a data broker determines 
     that the information cannot be verified.
       (5) Notice identifying the data furnisher.--If the 
     completeness or accuracy of any information disclosed to an 
     individual under subsection (b) is disputed by the 
     individual, a data broker shall provide upon the request of 
     the individual, the name, business address, and telephone 
     contact information of any data furnisher who provided an 
     item of information in dispute.
       (6) Determination that dispute is frivolous or 
     irrelevant.--
       (A) In general.--Notwithstanding paragraphs (1) through 
     (4), a data broker may decline to investigate or terminate an 
     investigation of information disputed by an individual under 
     those paragraphs if the data broker reasonably determines 
     that the dispute by the individual is frivolous or 
     irrelevant, including by reason of a failure by the 
     individual to provide sufficient information to investigate 
     the disputed information.

[[Page S7625]]

       (B) Notice.--Not later than 5 business days after making 
     any determination in accordance with subparagraph (A) that a 
     dispute is frivolous or irrelevant, a data broker shall 
     notify the individual of such determination by mail, or if 
     authorized by the individual, by any other means available to 
     the data broker.
       (C) Contents of notice.--A notice under subparagraph (B) 
     shall include--
       (i) the reasons for the determination under subparagraph 
     (A); and
       (ii) identification of any information required to 
     investigate the disputed information, which may consist of a 
     standardized form describing the general nature of such 
     information.
       (7) Consideration of individual information.--In conducting 
     any investigation with respect to disputed information in the 
     personal electronic record of any individual, a data broker 
     shall review and consider all relevant information submitted 
     by the individual in the period described in paragraph (2) 
     with respect to such disputed information.
       (8) Treatment of inaccurate or unverifiable information.--
       (A) In general.--If, after any review of public record 
     information under paragraph (1) or any investigation of any 
     information disputed by an individual under paragraphs (2) 
     through (4), an item of information is found to be inaccurate 
     or incomplete or cannot be verified, a data broker shall 
     promptly delete that item of information from the 
     individual's personal electronic record or modify that item 
     of information, as appropriate, based on the results of the 
     investigation.
       (B) Notice to individuals of reinsertion of previously 
     deleted information.--If any information that has been 
     deleted from an individual's personal electronic record 
     pursuant to subparagraph (A) is reinserted in the personal 
     electronic record of the individual, a data broker shall, not 
     later than 5 days after reinsertion, notify the individual of 
     the reinsertion and identify any data furnisher not 
     previously disclosed in writing, or if authorized by the 
     individual for that purpose, by any other means available to 
     the data broker, unless such notification has been previously 
     given under this subsection.
       (C) Notice of results of investigation of disputed non-
     public record.--
       (i) In general.--Not later than 5 business days after the 
     completion of an investigation under paragraph (2), a data 
     broker shall provide written notice to an individual of the 
     results of the investigation, by mail or, if authorized by 
     the individual for that purpose, by other means available to 
     the data broker.
       (ii) Additional requirement.--Before the expiration of the 
     5-day period, as part of, or in addition to such notice, a 
     data broker shall, in writing, provide to an individual--

       (I) a statement that the investigation is completed;
       (II) a report that is based upon the personal electronic 
     record of such individual as that personal electronic record 
     is revised as a result of the investigation;
       (III) a notice that, if requested by the individual, a 
     description of the procedures used to determine the accuracy 
     and completeness of the information shall be provided to the 
     individual by the data broker, including the business name, 
     address, and telephone number of any data furnisher of 
     information contacted in connection with such information; 
     and
       (IV) a notice that the individual has the right to request 
     notifications under subsection (g).

       (D) Description of investigation procedures.--Not later 
     than 15 days after receiving a request from an individual for 
     a description referred to in subparagraph (C)(ii)(III), a 
     data broker shall provide to the individual such a 
     description.
       (E) Expedited dispute resolution.--If by no later than 3 
     business days after the date on which a data broker receives 
     notice of a dispute from an individual of information in the 
     personal electronic record of such individual in accordance 
     with paragraph (2), a data broker resolves such dispute in 
     accordance with subparagraph (A) by the deletion of the 
     disputed information, then the data broker shall not be 
     required to comply with subsections (e) and (f) with respect 
     to that dispute if the data broker provides--
       (i) to the individual, by telephone, prompt notice of the 
     deletion; and
       (ii) to the individual a right to request that the data 
     broker furnish notifications under subsection (g).
       (e) Statement of Dispute.--
       (1) In general.--If the completeness or accuracy of any 
     information disclosed to an individual under subsection (b) 
     is disputed, an individual may file a brief statement setting 
     forth the nature of the dispute.
       (2) Contents of statement.--A data broker may limit the 
     statements made pursuant to paragraph (1) to not more than 
     100 words if it provides an individual with assistance in 
     writing a clear summary of the dispute or until the dispute 
     is resolved, whichever is earlier.
       (f) Notification of Dispute in Subsequent Reports.--
     Whenever a statement of a dispute is filed under subsection 
     (e), unless there are reasonable grounds to believe that it 
     is frivolous or irrelevant, a data broker shall, in any 
     subsequent report, product, or service containing the 
     information in question, clearly note that it is disputed by 
     an individual and provide either the statement of such 
     individual or a clear and accurate codification or summary 
     thereof for a period of 90 days after the data broker first 
     posts the statement of dispute.
       (g) Notification of Deletion of Disputed Information.--
     Following any deletion of information which is found to be 
     inaccurate or whose accuracy can no longer be verified, a 
     data broker shall, at the request of an individual, furnish 
     notification that the item has been deleted or the statement, 
     codification, or summary pursuant to subsection (e) or (f) to 
     any user or customer of the products or services of the data 
     broker who has within 90 days received a report with the 
     deleted or disputed information or has electronically 
     accessed the deleted or disputed information.

     SEC. 302. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) Penalties.--Any data broker that violates the 
     provisions of section 301 shall be subject to civil penalties 
     of not more than $1,000 per violation per day, with a maximum 
     of $15,000 per day, while such violations persist.
       (2) Intentional or willful violation.--A data broker that 
     intentionally or willfully violates the provisions of section 
     301 shall be subject to additional penalties in the amount of 
     $1,000 per violation per day, with a maximum of an additional 
     $15,000 per day, while such violations persist.
       (3) Equitable relief.--A data broker engaged in interstate 
     commerce that violates this section may be enjoined from 
     further violations by a court of competent jurisdiction.
       (4) Other rights and remedies.--The rights and remedies 
     available under this subsection are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Injunctive Actions by the Attorney General.--
       (1) In general.--Whenever it appears that a data broker to 
     which this title applies has engaged, is engaged, or is about 
     to engage, in any act or practice constituting a violation of 
     this title, the Attorney General may bring a civil action in 
     an appropriate district court of the United States to--
       (A) enjoin such act or practice;
       (B) enforce compliance with this title;
       (C) obtain damages--
       (i) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of a State; 
     and
       (ii) punitive damages, if the violation is willful or 
     intentional; and
       (D) obtain such other relief as the court determines to be 
     appropriate.
       (2) Other injunctive relief.--Upon a proper showing in the 
     action under paragraph (1), the court shall grant a permanent 
     injunction or a temporary restraining order without bond.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by an act or practice that violates this 
     title, the State may bring a civil action on behalf of the 
     residents of that State in a district court of the United 
     States of appropriate jurisdiction, or any other court of 
     competent jurisdiction, to--
       (A) enjoin that act or practice;
       (B) enforce compliance with this title;
       (C) obtain--
       (i) damages in the sum of actual damages, restitution, or 
     other compensation on behalf of affected residents of the 
     State; and
       (ii) punitive damages, if the violation is willful or 
     intentional; or
       (D) obtain such other legal and equitable relief as the 
     court may consider to be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under this 
     subsection, the attorney general of the State involved shall 
     provide to the Attorney General--
       (i) a written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exception.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a 
     State determines that it is not feasible to provide the 
     notice described in this subparagraph before the filing of 
     the action.
       (C) Notification when practicable.--In an action described 
     under subparagraph (B), the attorney general of a State shall 
     provide the written notice and the copy of the complaint to 
     the Attorney General as soon after the filing of the 
     complaint as practicable.
       (3) Attorney general authority.--Upon receiving notice 
     under paragraph (2), the Attorney General shall have the 
     right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (4);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (4) Pending proceedings.--If the Attorney General has 
     instituted a proceeding or action for a violation of this Act 
     or any regulations thereunder, no attorney general of a State 
     may, during the pendency of such proceeding or action, bring 
     an action under this subsection against any defendant named 
     in such criminal proceeding or civil action for any violation 
     that is alleged in that proceeding or action.
       (5) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1), nothing in this Act shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--

[[Page S7626]]

       (A) conduct investigations;
       (B) administer oaths and affirmations; or
       (C) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1931 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection, process may be served in any district in which the 
     defendant--
       (i) is an inhabitant; or
       (ii) may be found.

     SEC. 303. RELATION TO STATE LAWS.

       (a) In General.--Except as provided in subsection (b), this 
     title does not annul, alter, affect, or exempt any person 
     subject to the provisions of this title from complying with 
     the laws of any State with respect to the access, use, 
     compilation, distribution, processing, analysis, and 
     evaluation of any personally identifiable information by data 
     brokers, except to the extent that those laws are 
     inconsistent with any provisions of this title, and then only 
     to the extent of such inconsistency.
       (b) Exceptions.--No requirement or prohibition may be 
     imposed under the laws of any State with respect to any 
     subject matter regulated under section 301, relating to 
     individual access to, and correction of, personal electronic 
     records.

     SEC. 304. EFFECTIVE DATE.

       This title shall take effect 180 days after the date of 
     enactment of this Act.

 TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

             Subtitle A--Data Privacy and Security Program

     SEC. 401. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Purpose.--The purpose of this subtitle is to ensure 
     standards for developing and implementing administrative, 
     technical, and physical safeguards to protect the privacy, 
     security, confidentiality, integrity, storage, and disposal 
     of personally identifiable information.
       (b) In General.--A business entity engaging in interstate 
     commerce that involves collecting, accessing, transmitting, 
     using, storing, or disposing of personally identifiable 
     information in electronic or digital form on 10,000 or more 
     United States persons is subject to the requirements for a 
     data privacy and security program under section 402 for 
     protecting personally identifiable information.
       (c) Limitations.--Notwithstanding any other obligation 
     under this subtitle, this subtitle does not apply to--
       (1) financial institutions subject to--
       (A) the data security requirements and implementing 
     regulations under the Gramm-Leach-Bliley Act (15 U.S.C. 6801 
     et seq.); and
       (B) examinations for compliance with the requirements of 
     this Act by 1 or more Federal functional regulators (as 
     defined in section 509 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6809)); or
       (2) ``covered entities'' subject to the Health Insurance 
     Portability and Accountability Act of 1996 (42 U.S.C. 1301 et 
     seq.), including the data security requirements and 
     implementing regulations of that Act.

     SEC. 402. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Personal Data Privacy and Security Program.--Unless 
     otherwise limited under section 401(c), a business entity 
     subject to this subtitle shall comply with the following 
     safeguards to protect the privacy and security of personally 
     identifiable information:
       (1) Scope.--A business entity shall implement a 
     comprehensive personal data privacy and security program, 
     written in 1 or more readily accessible parts, that includes 
     administrative, technical, and physical safeguards 
     appropriate to the size and complexity of the business entity 
     and the nature and scope of its activities.
       (2) Design.--The personal data privacy and security program 
     shall be designed to--
       (A) ensure the privacy, security, and confidentiality of 
     personal electronic records;
       (B) protect against any anticipated vulnerabilities to the 
     privacy, security, or integrity of personal electronic 
     records; and
       (C) protect against unauthorized access to or use of personal 
     electronic records that could result in substantial harm or 
     inconvenience to any individual.
       (3) Risk assessment.--A business entity shall--
       (A) identify reasonably foreseeable internal and external 
     vulnerabilities that could result in unauthorized access, 
     disclosure, use, or alteration of personally identifiable 
     information or systems containing personally identifiable 
     information;
       (B) assess the likelihood of and potential damage from 
     unauthorized access, disclosure, use, or alteration of 
     personally identifiable information; and
       (C) assess the sufficiency of its policies, technologies, 
     and safeguards in place to control and minimize risks from 
     unauthorized access, disclosure, use, or alteration of 
     personally identifiable information.
       (4) Risk management and control.--Each business entity 
     shall--
       (A) design its personal data privacy and security program 
     to control the risks identified under paragraph (3); and
       (B) adopt measures commensurate with the sensitivity of the 
     data as well as the size, complexity, and scope of the 
     activities of the business entity that--
       (i) control access to systems and facilities containing 
     personally identifiable information, including controls to 
     authenticate and permit access only to authorized 
     individuals;
       (ii) detect actual and attempted fraudulent, unlawful, or 
     unauthorized access, disclosure, use, or alteration of 
     personally identifiable information, including by employees 
     and other individuals otherwise authorized to have access; 
     and
       (iii) protect personally identifiable information during 
     use, transmission, storage, and disposal by encryption or 
     other reasonable means (including as directed for disposal of 
     records under section 628 of the Fair Credit Reporting Act 
     (15 U.S.C. 1681w) and the implementing regulations of such 
     Act as set forth in section 682 of title 16, Code of Federal 
     Regulations).
       (5) Accountability.--Each business entity required to 
     establish a data security program under section 401 shall 
     publish on its website or make otherwise available the terms 
     of such program to the extent that such terms do not reveal 
     information that would compromise data security or privacy.
       (b) Training.--Each business entity subject to this 
     subtitle shall take steps to ensure employee training and 
     supervision for implementation of the data security program 
     of the business entity.
       (c) Vulnerability Testing.--
       (1) In general.--Each business entity subject to this 
     subtitle shall take steps to ensure regular testing of key 
     controls, systems, and procedures of the personal data 
     privacy and security program to detect, prevent, and respond 
     to attacks or intrusions, or other system failures.
       (2) Frequency.--The frequency and nature of the tests 
     required under paragraph (1) shall be determined by the risk 
     assessment of the business entity under subsection (a)(3).
       (d) Relationship to Service Providers.--In the event a 
     business entity subject to this subtitle engages service 
     providers not subject to this subtitle, such business entity 
     shall--
       (1) exercise appropriate due diligence in selecting those 
     service providers for responsibilities related to personally 
     identifiable information, and take reasonable steps to select 
     and retain service providers that are capable of maintaining 
     appropriate safeguards for the security, privacy, and 
     integrity of the personally identifiable information at 
     issue; and
       (2) require those service providers by contract to 
     implement and maintain appropriate measures designed to meet 
     the objectives and requirements governing entities subject to 
     this section, section 401, and subtitle B.
       (e) Periodic Assessment and Personal Data Privacy and 
     Security Modernization.--Each business entity subject to this 
     subtitle shall on a regular basis monitor, evaluate, and 
     adjust, as appropriate, its data privacy and security program 
     in light of any relevant changes in--
       (1) technology;
       (2) the sensitivity of personally identifiable information;
       (3) internal or external threats to personally identifiable 
     information; and
       (4) the changing business arrangements of the business 
     entity, such as--
       (A) mergers and acquisitions;
       (B) alliances and joint ventures;
       (C) outsourcing arrangements;
       (D) bankruptcy; and
       (E) changes to personally identifiable information systems.
       (f) Implementation Time Line.--Not later than 1 year after 
     the date of enactment of this Act, a business entity subject 
     to the provisions of this subtitle shall implement a data 
     privacy and security program pursuant to this subtitle.

     SEC. 403. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) In general.--Any business entity that violates the 
     provisions of sections 401 or 402 shall be subject to civil 
     penalties of not more than $5,000 per violation per day, with 
     a maximum of $35,000 per day, while such violations persist.
       (2) Intentional or willful violation.--A business entity 
     that intentionally or willfully violates the provisions of 
     sections 401 or 402 shall be subject to additional penalties 
     in the amount of $5,000 per violation per day, with a maximum 
     of an additional $35,000 per day, while such violations 
     persist.
       (3) Equitable relief.--A business entity engaged in 
     interstate commerce that violates this section may be 
     enjoined from further violations by a court of competent 
     jurisdiction.
       (4) Other rights and remedies.--The rights and remedies 
     available under this section are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Injunctive Actions by the Attorney General.--
       (1) In general.--Whenever it appears that a business entity 
     or agency to which this subtitle applies has engaged, is 
     engaged, or is about to engage, in any act or practice 
     constituting a violation of this subtitle, the Attorney 
     General may bring a civil action in an appropriate district 
     court of the United States to--
       (A) enjoin such act or practice;

[[Page S7627]]

       (B) enforce compliance with this subtitle; and
       (C) obtain damages--
       (i) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of a State; 
     and
       (ii) punitive damages, if the violation is willful or 
     intentional; and
       (D) obtain such other relief as the court determines to be 
     appropriate.
       (2) Other injunctive relief.--Upon a proper showing in the 
     action under paragraph (1), the court shall grant a permanent 
     injunction or a temporary restraining order without bond.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by an act or practice that violates this 
     subtitle, the State may bring a civil action on behalf of the 
     residents of that State in a district court of the United 
     States of appropriate jurisdiction, or any other court of 
     competent jurisdiction, to--
       (A) enjoin that act or practice;
       (B) enforce compliance with this subtitle;
       (C) obtain--
       (i) damages in the sum of actual damages, restitution, or 
     other compensation on behalf of affected residents of the 
     State; and
       (ii) punitive damages, if the violation is willful or 
     intentional; or
       (D) obtain such other legal and equitable relief as the 
     court may consider to be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under this 
     subsection, the attorney general of the State involved shall 
     provide to the Attorney General--
       (i) a written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exception.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a 
     State determines that it is not feasible to provide the 
     notice described in this subparagraph before the filing of 
     the action.
       (C) Notification when practicable.--In an action described 
     under subparagraph (B), the attorney general of a State shall 
     provide the written notice and the copy of the complaint to 
     the Attorney General as soon after the filing of the 
     complaint as practicable.
       (3) Attorney general authority.--Upon receiving notice 
     under paragraph (2), the Attorney General shall have the 
     right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (4);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (4) Pending proceedings.--If the Attorney General has 
     instituted a proceeding or action for a violation of this Act 
     or any regulations thereunder, no attorney general of a State 
     may, during the pendency of such proceeding or action, bring 
     an action under this subsection against any defendant named 
     in such criminal proceeding or civil action for any violation 
     that is alleged in that proceeding or action.
       (5) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1) nothing in this Act shall be 
     construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (A) conduct investigations;
       (B) administer oaths and affirmations; or
       (C) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1931 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection process may be served in any district in which the 
     defendant--
       (i) is an inhabitant; or
       (ii) may be found.

     SEC. 404. RELATION TO STATE LAWS.

       (a) In General.--Except as provided in subsection (b), this 
     title does not annul, alter, affect, or exempt any person 
     subject to the provisions of this title from complying with 
     the laws of any State with respect to security programs for 
     personally identifiable information, except to the extent 
     that those laws are inconsistent with any provisions of this 
     title, and then only to the extent of such inconsistency.
       (b) Exceptions.--No requirement or prohibition may be 
     imposed under the laws of any State with respect to any 
     subject matter regulated under section 401(c), relating to 
     entities exempted from compliance with subtitle A.

                Subtitle B--Security Breach Notification

     SEC. 421. RIGHT TO NOTICE OF SECURITY BREACH.

       (a) In General.--Unless delayed under section 422(d) or 
     exempted under section 424, any business entity or agency 
     engaged in interstate commerce that involves collecting, 
     accessing, using, transmitting, storing, or disposing of 
     personally identifiable information shall notify, following 
     the discovery of a security breach of its systems or 
     databases in its possession or direct control when such 
     security breach impacts sensitive personally identifiable 
     information--
       (1) if the security breach impacts more than 10,000 
     individuals nationwide, impacts a database, networked or 
     integrated databases, or other data system associated with 
     more than 1,000,000 individuals nationwide, impacts databases 
     owned or used by the Federal Government, or involves 
     sensitive personally identifiable information of employees 
     and contractors of the Federal Government--
       (A) the United States Secret Service, which shall be 
     responsible for notifying--
       (i) the Federal Bureau of Investigation, if the security 
     breach involves espionage, foreign counterintelligence, 
     information protected against unauthorized disclosure for 
     reasons of national defense or foreign relations, or 
     Restricted Data (as that term is defined in section 11y of 
     the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for 
     offenses affecting the duties of the United States Secret 
     Service under section 3056(a) of title 18, United States 
     Code; and
       (ii) the United States Postal Inspection Service, if the 
     security breach involves mail fraud; and
       (B) the attorney general of each State affected by the 
     security breach;
       (2) each consumer reporting agency described in section 
     603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a), 
     pursuant to subsection (b); and
       (3) any resident of the United States whose sensitive 
     personally identifiable information was subject to the 
     security breach, pursuant to sections 422 and 423, but in the 
     event a business entity or agency is unable to identify the 
     specific residents of the United States whose sensitive 
     personally identifiable information was impacted by a 
     security breach, the business entity or agency shall consult 
     with the United States Secret Service to determine the scope 
     of individuals who there is a reasonable basis to conclude 
     have been impacted by such breach and should receive notice.
       (b) Consumer Reporting Agencies.--Any business entity or 
     agency obligated to provide notice of a security breach to 
     more than 1,000 residents of the United States under 
     subsection (a)(3) shall inform consumer reporting agencies of 
     the fact and scope of such notices for the purpose of 
     facilitating and managing potential increases in consumer 
     inquiries and mitigating identity theft or other negative 
     consequences of the breach.

     SEC. 422. NOTICE PROCEDURES.

       (a) Timeliness of Notice.--
       (1) In general.--Except as provided in subsection (c), all 
     notices required under section 421 shall be issued 
     expeditiously and without unreasonable delay after discovery 
     of the events requiring notice.
       (2) 14-day rule.--The notices to Federal law enforcement 
     and the attorney general of each State affected by a security 
     breach required under section 421(a) shall be delivered not 
     later than 14 days after discovery of the events requiring 
     notice.
       (3) Required disclosure.--In complying with the notices 
     required under section 421, a business entity or agency shall 
     expeditiously and without unreasonable delay take reasonable 
     measures which are necessary to--
       (A) determine the scope and assess the impact of a breach 
     under section 421; and
       (B) restore the reasonable integrity of the data system.
       (b) Method.--Any business entity or agency obligated to 
     provide notice under section 421 shall be in compliance with 
     that section if they provide notice as follows:
       (1) Written notification.--By written notification to the 
     last known home address of the individual whose sensitive 
     personally identifiable information was breached, or if 
     unknown, notification via telephone call to the last known 
     home telephone number.
       (2) Internet posting.--If more than 1,000 residents of the 
     United States require notice under section 421 and if the 
     business entity or agency maintains an Internet site, 
     conspicuous posting of the notice on the Internet site of the 
     business entity or agency.
       (3) Media notice.--If more than 5,000 residents of a State 
     or jurisdiction are impacted, notice to major media outlets 
     serving that State or jurisdiction.
       (c) Delay of Notification for Law Enforcement Purposes.--
       (1) In general.--If Federal law enforcement or the attorney 
     general of a State determines that the notices required under 
     section 421(a) would impede a criminal investigation, such 
     notices may be delayed until such law enforcement agency 
     determines that the notices will no longer compromise such 
     investigation.
       (2) Extended delay of notification for law enforcement 
     purposes.--If a business entity or agency has delayed the 
     notices required under paragraphs (2) and (3) of section 
     421(a) as described in paragraph (1), the business entity or 
     agency shall give notice 30 days after the day such law 
     enforcement delay was invoked unless Federal law enforcement 
     provides written notification that further delay is 
     necessary.

     SEC. 423. CONTENT OF NOTICE.

       (a) In General.--A business entity or agency obligated to 
     provide notice to residents of the United States under 
     section 421(a)(3) shall clearly and concisely detail the 
     nature of the sensitive personally identifiable information 
     impacted by the security breach.
       (b) Content of Notice.--A notice under subsection (a) shall 
     include--
       (1) the availability of victim protection assistance 
     pursuant to section 425;
       (2) guidance on how to request that a fraud alert be placed 
     in the file of the individual

[[Page S7628]]

     maintained by consumer reporting agencies, pursuant to 
     section 605A of the Fair Credit Reporting Act (15 U.S.C. 
     1681c-1) and the implications of such actions;
       (3) the availability of a summary of rights for identity 
     theft victims from consumer reporting agencies, pursuant to 
     section 609 of the Fair Credit Reporting Act (15 U.S.C. 
     1681g);
       (4) if applicable, notice that the State where an 
     individual resides has a statute that provides the individual 
     the right to place a security freeze on their credit report; 
     and
       (5) if applicable, notice that consumer reporting agencies 
     have been notified of the security breach.
       (c) Marketing Not Allowed in Notice.--A notice under 
     subsection (a) may not include--
       (1) marketing information;
       (2) sales offers; or
       (3) any solicitation regarding the collection of additional 
     personally identifiable information from an individual.

     SEC. 424. RISK ASSESSMENT AND FRAUD PREVENTION NOTICE 
                   EXEMPTIONS.

       (a) Risk Assessment Exemption.--A business entity will be 
     exempt from the notice requirements under paragraphs (2) and 
     (3) of section 421(a), if a risk assessment conducted in 
     consultation with Federal law enforcement and the attorney 
     general of each State affected by a security breach concludes 
     that there is a de minimis risk of harm to the individuals 
     whose sensitive personally identifiable information was at 
     issue in the security breach.
       (b) Fraud Prevention Exemption.--A business entity will be 
     exempt from the notice requirement under section 421(a) if--
       (1) the nature of the sensitive personally identifiable 
     information subject to the security breach cannot be used to 
     facilitate transactions or facilitate identity theft to 
     further transactions with another business entity that is not 
     the business entity subject to the security breach 
     notification requirements of section 421;
       (2) the business entity utilizes a security program 
     reasonably designed to block the use of the sensitive 
     personally identifiable information to initiate unauthorized 
     transactions before they are charged to the account of the 
     individual; and
       (3) the business entity has a policy in place to provide 
     notice and provides such notice after a breach of the 
     security of the system has resulted in fraud or unauthorized 
     transactions, but does not necessarily require notice in 
     other circumstances.

     SEC. 425. VICTIM PROTECTION ASSISTANCE.

       Any business entity or agency obligated to provide notice 
     to residents of the United States under section 421(a)(3) 
     shall offer to those same residents to cover the cost of--
       (1) monthly access to a credit report for a period of 1 
     year from the date of notice provided under section 
     421(a)(3); and
       (2) credit-monitoring services for up to 1 year from the 
     date of notice provided under section 421(a)(3).

     SEC. 426. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) In general.--Any business entity that violates the 
     provisions of sections 421 through 425 shall be subject to 
     civil penalties of not more than $5,000 per violation per 
     day, with a maximum of $55,000 per day, while such violations 
     persist.
       (2) Intentional or willful violation.--A business entity 
     that intentionally or willfully violates the provisions of 
     sections 421 through 425 shall be subject to additional 
     penalties in the amount of $5,000 per violation per day, with 
     a maximum of an additional $55,000 per day, while such 
     violations persist.
       (3) Equitable relief.--A business entity engaged in 
     interstate commerce that violates this section may be 
     enjoined from further violations by a court of competent 
     jurisdiction.
       (4) Other rights and remedies.--The rights and remedies 
     available under this section are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Injunctive Actions by the Attorney General.--
       (1) In general.--Whenever it appears that a business entity 
     or agency to which this subtitle applies has engaged, is 
     engaged, or is about to engage, in any act or practice 
     constituting a violation of this subtitle, the Attorney 
     General may bring a civil action in an appropriate district 
     court of the United States to--
       (A) enjoin such act or practice;
       (B) enforce compliance with this subtitle; and
       (C) obtain damages--
       (i) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of a State; 
     and
       (ii) punitive damages, if the violation is willful or 
     intentional; and
       (D) obtain such other relief as the court determines to be 
     appropriate.
       (2) Other injunctive relief.--Upon a proper showing in the 
     action under paragraph (1), the court shall grant a permanent 
     injunction or a temporary restraining order without bond.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been, or is threatened to be, 
     adversely affected by a violation of this subtitle, the 
     State, as parens patriae, may bring a civil action on behalf 
     of the residents of that State in a district court of the 
     United States of appropriate jurisdiction, or any other court 
     of competent jurisdiction, to--
       (A) enjoin that practice;
       (B) enforce compliance with this subtitle;
       (C) obtain damages--
       (i) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of that 
     State; and
       (ii) punitive damages, if the violation is willful or 
     intentional; and
       (D) obtain such other equitable relief as the court may 
     consider to be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Attorney General--
       (i) written notice of the action; and
       (ii) a copy of the complaint for the action.
       (B) Exception.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a 
     State determines that it is not feasible to provide the 
     notice described in such subparagraph before the filing of 
     the action.
       (ii) Notification when practicable.--In an action described 
     in clause (i), the attorney general of a State shall provide 
     notice and a copy of the complaint to the Attorney General at 
     the time the attorney general of a State files the action.
       (3) Attorney general authority.--Upon receiving notice 
     under paragraph (2), the Attorney General shall have the 
     right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (4);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (4) Pending proceedings.--If the Attorney General has 
     instituted a proceeding or action for a violation of this Act 
     or any regulations thereunder, no attorney general of a State 
     may, during the pendency of such proceeding or action, bring 
     an action under this subsection against any defendant named 
     in such criminal proceeding or civil action for any violation 
     that is alleged in that proceeding or action.
       (5) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1), nothing in this subsection 
     shall be construed to prevent an attorney general of a State 
     from exercising the powers conferred on such attorney general 
     by the laws of that State to--
       (A) conduct investigations;
       (B) administer oaths or affirmations; or
       (C) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection process may be served in any district in which the 
     defendant--
       (i) is an inhabitant; or
       (ii) may be found.

     SEC. 427. RELATION TO STATE LAWS.

       (a) In General.--Except as provided in subsection (b), this 
     title does not annul, alter, affect, or exempt any person 
     subject to the provisions of this title from complying with 
     the laws of any State with respect to protecting consumers 
     from the risk of theft or misuse of personally identifiable 
     information, except to the extent that those laws are 
     inconsistent with any provisions of this title, and then only 
     to the extent of such inconsistency.
       (b) Exceptions.--No requirement or prohibition may be 
     imposed under the laws of any State with respect to any 
     subject matter regulated under--
       (1) section 3(9), relating to the definition of ``security 
     breach'';
       (2) paragraphs (1)(A), (2), and (3) of subsection (a), and 
     subsection (b) of section 421, relating to the right to 
     notice of security breach;
       (3) section 422, relating to notice procedures;
       (4) section 423, relating to notice content, except that 
     nothing in this section shall prevent a State from requiring 
     notice of additional victim protection assistance by that 
     State; and
       (5) section 424, relating to risk assessment and fraud 
     prevention notice exemptions.

     SEC. 428. STUDY ON SECURING PERSONALLY IDENTIFIABLE 
                   INFORMATION IN THE DIGITAL ERA.

       (a) Requirement for Study.--Not later than 120 days after 
     the date of enactment of this Act, the Department of Justice 
     shall enter into a contract with the National Research 
     Council of the National Academies to conduct a study on 
     securing personally identifiable information in the digital 
     era.
       (b) Matters to Be Assessed in Review.--The study required 
     under subsection (a) shall include--
       (1) threats to the public posed by the unauthorized or 
     improper disclosure of personally identifiable information, 
     including threats to--
       (A) law enforcement;
       (B) homeland security;
       (C) individual citizens; and
       (D) commerce;
       (2) an assessment of the benefits and costs of currently 
     available strategies for securing

[[Page S7629]]

     personally identifiable information based on--
       (A) technology;
       (B) legislation;
       (C) regulation; or
       (D) public education;
       (3) research needed to develop additional strategies;
       (4) recommendations for congressional or other policy 
     actions to further minimize vulnerabilities to the threats 
     described in paragraph (1); and
       (5) other relevant issues that in the discretion of the 
     National Research Council warrant examination.
       (c) Time Line for Study and Requirement for Report.--Not 
     later than the end of the 18-month period beginning upon 
     completion of the performance of the contract described in 
     subsection (a), the National Research Council shall conduct 
     the study and report its findings, conclusions, and 
     recommendations to Congress.
       (d) Federal Department and Agency Compliance.--Federal 
     departments and agencies shall comply with requests made by 
     the National Science Foundation, National Research Council, 
     and National Academies for information that is necessary to 
     assist in preparing the report required by subsection (c).
       (e) Authorization of Appropriations.--Of the amounts 
     authorized to be appropriated to the Department of Justice 
     for Department-wide activities, $850,000 shall be made 
     available to carry out the provisions of this section for 
     fiscal year 2006.

     SEC. 429. AUTHORIZATION OF APPROPRIATIONS.

       There is authorized to be appropriated such sums as may be 
     necessary to cover the costs incurred by the United States 
     Secret Service to carry out investigations and risk 
     assessments of security breaches as required under this 
     subtitle.

     SEC. 430. EFFECTIVE DATE.

       This subtitle shall take effect 90 days after the date of 
     enactment of this Act.

             TITLE V--PROTECTION OF SOCIAL SECURITY NUMBERS

     SEC. 501. SOCIAL SECURITY NUMBER PROTECTION.

       (a) In General.--No person may--
       (1) display any individual's social security number to a 
     third party without the voluntary and affirmatively expressed 
     consent of such individual; or
       (2) sell or purchase any social security number of an 
     individual without the voluntary and affirmatively expressed 
     consent of such individual.
       (b) Prerequisites for Consent.--To obtain the consent of an 
     individual under paragraphs (1) or (2) of subsection (a), the 
     person displaying, selling, or attempting to sell, 
     purchasing, or attempting to purchase the social security 
     number of such individual shall--
       (1) inform such individual of the general purpose for which 
     the social security number will be used, the types of persons 
     to whom the social security number may be available, and the 
     scope of transactions permitted by the consent; and
       (2) obtain the affirmatively expressed consent 
     (electronically or in writing) of such individual.
       (c) Harvested Social Security Numbers.--Subsection (a) 
     shall apply to any public record of a Federal agency that 
     contains social security numbers extracted from other public 
     records for the purpose of displaying or selling such numbers 
     to the general public.
       (d) Exceptions.--Nothing in this section shall be construed 
     to prohibit or limit the display, sale, or purchase of a 
     social security number--
       (1) as required, authorized, or excepted under Federal law;
       (2) to the extent necessary for a public health purpose, 
     including the protection of the health or safety of an 
     individual in an emergency situation;
       (3) to the extent necessary for a national security 
     purpose;
       (4) to the extent necessary for a law enforcement purpose, 
     including the investigation of fraud and the enforcement of a 
     child support obligation;
       (5) to the extent necessary for research conducted for the 
     purpose of advancing public knowledge, on the condition that 
     the researcher provides adequate assurances that--
       (A) the social security numbers will not be used to harass, 
     target, or publicly reveal information concerning any 
     individual;
       (B) information about individuals obtained from the 
     research will not be used to make decisions that directly 
     affect the rights, benefits, or privileges of specific 
     individuals; and
       (C) the researcher has in place appropriate safeguards to 
     protect the privacy and confidentiality of any information 
     about individuals;
       (6) if such a number is required to be submitted as part of 
     the process for applying for any type of Federal, State, or 
     local government benefit or program;
       (7) when the transmission of the number is incidental to, 
     and in the course of, the sale, lease, franchising, or merger 
     of all or a portion of a business; or
       (8) to the extent only the last 4 digits of a social 
     security number are displayed.

     SEC. 502. LIMITS ON PERSONAL DISCLOSURE OF SOCIAL SECURITY 
                   NUMBERS FOR COMMERCIAL TRANSACTIONS AND 
                   ACCOUNTS.

       (a) In General.--Part A of title XI of the Social Security 
     Act (42 U.S.C. 1301 et seq.) is amended by adding the 
     following:

     ``SEC. 1150A. LIMITS ON PERSONAL DISCLOSURE OF SOCIAL 
                   SECURITY NUMBERS FOR COMMERCIAL TRANSACTIONS 
                   AND ACCOUNTS.

       ``(a) Account Numbers.--
       ``(1) In general.--A business entity may not--
       ``(A) require an individual to use the social security 
     number of such individual as an account number or account 
     identifier when purchasing a commercial good or service; or
       ``(B) deny an individual goods or services for refusing to 
     accept the use of the social security number of such 
     individual as an account number or account identifier.
       ``(2) Existing account exception.--Paragraph (1) shall not 
     apply to any account number or account identifier established 
     prior to the date of enactment of this Act.
       ``(b) Social Security Number Prerequisites for Goods and 
     Services.--A business entity may not require an individual to 
     provide the social security number of such individual when 
     purchasing a commercial good or service or deny an individual 
     goods or services for refusing to provide that number except 
     for any purpose relating to--
       ``(1) obtaining a consumer report for any purpose permitted 
     under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
       ``(2) a background check of the individual conducted by a 
     landlord, lessor, employer, or voluntary service agency;
       ``(3) law enforcement; or
       ``(4) a Federal, State, or local law requirement.
       ``(c) Application of Civil Money Penalties.--A violation of 
     this section shall be deemed to be a violation of section 
     1129(a).
       ``(d) Application of Criminal Penalties.--A violation of 
     this section shall be deemed to be a violation of section 
     208(a)(8).''.

     SEC. 503. PUBLIC RECORDS.

       (a) In General.--Except as provided in paragraph (2), 
     paragraphs (a) and (b) of section 501 shall apply to all 
     public records posted on the Internet or provided in an 
     electronic medium by, or on behalf of, a Federal agency.
       (b) Exceptions.--
       (1) Truncation and prior displays.--Section 501(a) shall 
     not apply to--
       (A) a public record which displays only the last 4 digits 
     of the social security number of an individual; and
       (B) any record or a category of public records first posted 
     on the Internet or provided in an electronic medium by, or on 
     behalf of, a Federal agency prior to the date of enactment of 
     this Act.
       (2) Law enforcement.--Nothing in this subsection shall be 
     construed to prevent an entity acting pursuant to a police 
     investigation or regulatory power of a domestic governmental 
     unit from accessing the full social security number of an 
     individual.

     SEC. 504. TREATMENT OF SOCIAL SECURITY NUMBERS ON GOVERNMENT 
                   CHECKS AND PROHIBITION OF INMATE ACCESS.

       (a) Prohibition of Use of Social Security Numbers on Checks 
     Issued for Payment by Governmental Entities.--
       (1) In general.--Section 205(c)(2)(C) of the Social 
     Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at 
     the end the following:
       ``(x) No Federal, State, or local agency may display the 
     social security account number of any individual, or any 
     derivative of such number, on any check issued for any 
     payment by the Federal, State, or local agency.''.
       (2) Effective date.--The amendment made under paragraph (1) 
     shall apply with respect to checks issued after the date that 
     is 3 years after the date of enactment of this Act.
       (b) Prohibition on Inmate Access to Social Security 
     Numbers.--
       (1) In general.--Section 205(c)(2)(C) of the Social 
     Security Act (42 U.S.C. 405(c)(2)(C)), as amended by 
     subsection (b), is further amended by adding at the end the 
     following:
       ``(xi)(I) No Federal, State, or local agency may employ, or 
     enter into a contract for the use or employment of, prisoners 
     in any capacity that would allow such prisoners access to the 
     social security account numbers of other individuals.
       ``(II) For purposes of this clause, the term `prisoner' 
     means an individual confined in a jail, prison, or other 
     penal institution or correctional facility pursuant to 
     conviction of such individual of a criminal offense.''.
       (2) Effective date.--The amendment made under paragraph (1) 
     shall apply with respect to employment of prisoners, or entry 
     into contract with prisoners, after the date that is 1 year 
     after the date of enactment of this Act.

     SEC. 505. STUDY AND REPORT.

       (a) By the Comptroller General.--The Comptroller General of 
     the United States (in this section referred to as the 
     ``Comptroller General'') shall conduct a study and prepare a 
     report on--
       (1) all of the uses of social security numbers permitted, 
     required, authorized, or excepted under any Federal law; and
       (2) the uses of social security numbers in Federal, State, 
     and local public records.
       (b) Content of Report.--The report required under 
     subsection (a) shall--
       (1) identify users of social security numbers under Federal 
     law;
       (2) include a detailed description of the uses allowed as 
     of the date of enactment of this Act;
       (3) describe the impact of such uses on privacy and data 
     security;

[[Page S7630]]

       (4) evaluate whether such uses should be continued or 
     discontinued by appropriate legislative action;
       (5) examine whether States are complying with prohibitions 
     on the display and use of social security numbers--
       (A) under the Privacy Act of 1974 (5 U.S.C. 552a et seq.); 
     and
       (B) the Driver's Privacy Protection Act of 1994 (18 U.S.C. 
     2721 et seq.);
       (6) include a review of the uses of social security numbers 
     in Federal, State, or local public records;
       (7) include a review of the manner in which public records 
     are stored (with separate reviews for both paper records and 
     electronic records);
       (8) include a review of the advantages, utility, and 
     disadvantages of public records that contain social security 
     numbers, including--
       (A) impact on law enforcement;
       (B) threats to homeland security; and
       (C) impact on personal privacy and security;
       (9) include an assessment of the costs and benefits to 
     State and local governments of truncating, redacting, or 
     removing social security numbers from public records, 
     including a review of current technologies and procedures for 
     truncating, redacting, or removing social security numbers 
     from public records (with separate assessments for both paper 
     and electronic records);
       (10) include an assessment of the benefits and costs to 
     businesses, non-profit organizations, and the general public 
     of requiring truncation, redaction, or removal of social 
     security numbers on public records (with separate assessments 
     for both paper and electronic records);
       (11) include an assessment of Federal and State 
     requirements to truncate social security numbers, and issue 
     recommendations on--
       (A) how to harmonize those requirements; and
       (B) whether to further extend truncation requirements, 
     taking into consideration the impact on accuracy and use;
       (12) include recommendations regarding whether subsection 
     (a) should apply to any record or category of public records 
     first posted on the Internet or provided in an electronic 
     medium by, or on behalf of, a Federal agency prior to the 
     date of enactment of this Act; and
       (13) include such recommendations for legislation based on 
     criteria the Comptroller General determines to be 
     appropriate.
       (c) Required Consultation.--In developing the report 
     required under this subsection, the Comptroller General shall 
     consult with--
       (1) the Administrative Office of the United States Courts;
       (2) the Conference of State Court Administrators;
       (3) the Department of Justice;
       (4) the Department of Homeland Security;
       (5) the Social Security Administration;
       (6) State and local governments that store, maintain, or 
     disseminate public records; and
       (7) other stakeholders, including members of the private 
     sector who routinely use public records that contain social 
     security numbers.
       (d) Timing of Report.--Not later than 1 year after the date 
     of enactment of this Act, the Comptroller General shall 
     report to Congress its findings under this section.

     SEC. 506. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) In general.--Any person that violates the provisions of 
     sections 501 or 502 shall be subject to civil penalties of 
     not more than $5,000 per violation per day, with a maximum of 
     $35,000 per day, while such violations persist.
       (2) Intentional or willful violation.--Any person who 
     intentionally or willfully violates the provisions of 
     sections 501 or 502 shall be subject to additional penalties 
     in the amount of $5,000 per violation per day, with a maximum 
     of an additional $35,000 per day, while such violations 
     persist.
       (3) Equitable relief.--Any person who engages in interstate 
     commerce that violates this section may be enjoined from 
     further violations by a court of competent jurisdiction.
       (4) Other rights and remedies.--The rights and remedies 
     available under this section are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Injunctive Actions by the Attorney General.--
       (1) In general.--Whenever it appears that a person to which 
     this title applies has engaged, is engaged, or is about to 
     engage, in any act or practice constituting a violation of 
     this title, the Attorney General may bring a civil action in 
     an appropriate district court of the United States to--
       (A) enjoin such act or practice;
       (B) enforce compliance with this title; and
       (C) obtain damages--
       (i) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of a State; 
     and
       (ii) punitive damages, if the violation is willful or 
     intentional; and
       (D) obtain such other relief as the court determines to be 
     appropriate.
       (2) Other injunctive relief.--Upon a proper showing in the 
     action under paragraph (1), the court shall grant a permanent 
     injunction or a temporary restraining order without bond.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by an act or practice that violates this 
     section, the State may bring a civil action on behalf of the 
     residents of that State in a district court of the United 
     States of appropriate jurisdiction, or any other court of 
     competent jurisdiction, to--
       (A) enjoin that act or practice;
       (B) enforce compliance with this Act;
       (C) obtain damages, restitution, or other compensation on 
     behalf of residents of that State; or
       (D) obtain such other legal and equitable relief as the 
     court may consider to be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under this 
     subsection, the attorney general of the State involved shall 
     provide to the Attorney General--
       (i) a written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exception.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a 
     State determines that it is not feasible to provide the 
     notice described in this subparagraph before the filing of 
     the action.
       (C) Notification when practicable.--In an action described 
     under subparagraph (B), the attorney general of a State shall 
     provide the written notice and the copy of the complaint to 
     the Attorney General as soon after the filing of the 
     complaint as practicable.
       (3) Attorney general authority.--Upon receiving notice 
     under paragraph (2), the Attorney General shall have the 
     right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (4);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (4) Pending proceedings.--If the Attorney General has 
     instituted a proceeding or action for a violation of this Act 
     or any regulations thereunder, no attorney general of a State 
     may, during the pendency of such proceeding or action, bring 
     an action under this subsection against any defendant named 
     in such criminal proceeding or civil action for any violation 
     that is alleged in that proceeding or action.
       (5) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1), nothing in this Act shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (A) conduct investigations;
       (B) administer oaths and affirmations; or
       (C) compel the attendance of witnesses or the production 
     of documentary and other evidence.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection process may be served in any district in which the 
     defendant--
       (i) is an inhabitant; or
       (ii) may be found.

     SEC. 507. RELATION TO STATE LAWS.

       (a) In General.--Except as provided in subsection (b), this 
     title does not annul, alter, affect, or exempt any person 
     subject to the provisions of this title from complying with 
     the laws of any State with respect to protecting and securing 
     social security numbers, except to the extent that those laws 
     are inconsistent with any provisions of this title, and then 
     only to the extent of such inconsistency.
       (b) Exceptions.--No requirement or prohibition may be 
     imposed under the laws of any State with respect to any 
     subject matter regulated under--
       (1) section 501(b), relating to prerequisites for consent 
     for the display, sale, or purchase of social security 
     numbers;
       (2) section 501(c), relating to harvesting of social 
     security numbers; and
       (3) section 504, relating to treatment of social security 
     numbers on government checks and prohibition of inmate 
     access.

       TITLE VI--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

     SEC. 601. GENERAL SERVICES ADMINISTRATION REVIEW OF 
                   CONTRACTS.

       (a) In General.--In considering contract awards entered 
     into after the date of enactment of this Act, the 
     Administrator of the General Services Administration shall 
     evaluate--
       (1) the program of a contractor to ensure the privacy and 
     security of data containing personally identifiable 
     information;
       (2) the compliance of a contractor with such program;
       (3) the extent to which the databases and systems 
     containing personally identifiable information of a 
     contractor have been compromised by security breaches; and
       (4) the response by a contractor to such breaches, 
     including the efforts of a contractor to mitigate the impact 
     of such breaches.
       (b) Penalties.--In awarding contracts for products or 
     services related to access, use, compilation, distribution, 
     processing, analyzing, or evaluating personally identifiable 
     information, the Administrator of the General Services 
     Administration shall include the following:

[[Page S7631]]

       (1) Monetary or other penalties--
       (A) for failure to comply with subtitles A and B of title 
     IV of this Act;
       (B) if a contractor knows or has reason to know that the 
     personally identifiable information being provided is 
     inaccurate, and provides such inaccurate information; or
       (C) if a contractor is notified by an individual that the 
     personally identifiable information being provided is 
     inaccurate and it is in fact inaccurate.
       (2) Accuracy update requirements that obligate a contractor 
     to provide notice to the Federal department or agency of any 
     changes or corrections to the personally identifiable 
     information provided under the contract.

     SEC. 602. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES 
                   OF CONTRACTORS AND THIRD PARTY BUSINESS 
                   ENTITIES.

       Section 3544(b) of title 44, United States Code, is 
     amended--
       (1) in paragraph (7)(C)(iii), by striking ``and'' after the 
     semicolon;
       (2) in paragraph (8), by striking the period and inserting 
     ``; and''; and
       (3) by adding at the end the following:
       ``(9) procedures for evaluating and auditing the 
     information security practices of contractors or third party 
     business entities supporting the information systems or 
     operations of the agency involving personally identifiable 
     information, and ensuring remedial action to address any 
     significant deficiencies.''.

     SEC. 603. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF 
                   COMMERCIAL INFORMATION SERVICES CONTAINING 
                   PERSONALLY IDENTIFIABLE INFORMATION.

       (a) In General.--Section 208(b)(1) of the E-Government Act 
     of 2002 (44 U.S.C. 3501 note) is amended--
       (1) in subparagraph (A)(i), by striking ``or''; and
       (2) in subparagraph (A)(ii), by striking the period and 
     inserting ``; or''; and
       (3) by inserting after clause (ii) the following:
       ``(iii) purchasing or subscribing for a fee to personally 
     identifiable information from a commercial entity (other than 
     news reporting or telephone directories).''.
       (b) Limitation.--Notwithstanding any other provision of 
     law, commencing 60 days after the date of enactment of this 
     Act, no Federal department or agency may procure or access 
     any commercially available database consisting primarily of 
     personally identifiable information concerning United States 
     persons (other than news reporting or telephone directories) 
     unless the head of such department or agency--
       (1) completes a privacy impact assessment under section 208 
     of the E-Government Act of 2002 (44 U.S.C. 3501 note), which 
     shall include a description of--
       (A) such database;
       (B) the name of the commercial entity from whom it is 
     obtained; and
       (C) the amount of the contract for use;
       (2) adopts regulations that specify--
       (A) the personnel permitted to access, analyze, or 
     otherwise use such databases;
       (B) standards governing the access, analysis, or use of such 
     databases;
       (C) any standards used to ensure that the personally 
     identifiable information accessed, analyzed, or used is the 
     minimum necessary to accomplish the intended legitimate 
     purpose of the Federal department or agency;
       (D) standards limiting the retention and redisclosure of 
     personally identifiable information obtained from such 
     databases;
       (E) procedures ensuring that such data meet standards of 
     accuracy, relevance, completeness, and timeliness;
       (F) the auditing and security measures to protect against 
     unauthorized access, analysis, use, or modification of data 
     in such databases;
       (G) applicable mechanisms by which individuals may secure 
     timely redress for any adverse consequences wrongly incurred 
     due to the access, analysis, or use of such databases;
       (H) mechanisms, if any, for the enforcement and independent 
     oversight of existing or planned procedures, policies, or 
     guidelines; and
       (I) an outline of enforcement mechanisms for accountability 
     to protect individuals and the public against unlawful or 
     illegitimate access or use of databases; and
       (3) incorporates into the contract or other agreement with 
     the commercial entity, provisions--
       (A) providing for penalties--
       (i) if the entity knows or has reason to know that the 
     personally identifiable information being provided to the 
     Federal department or agency is inaccurate, and provides such 
     inaccurate information; or
       (ii) if the entity is notified by an individual that the 
     personally identifiable information being provided to the 
     Federal department or agency is inaccurate and it is in fact 
     inaccurate; and
       (B) requiring commercial entities to inform Federal 
     departments or agencies to which they sell, disclose, or 
     provide access to personally identifiable information of any 
     changes or corrections to the personally identifiable 
     information.
       (c) Individual Screening Programs.--Notwithstanding any 
     other provision of law, commencing 60 days after the date of 
     enactment of this Act, no Federal department or agency may 
     use commercial databases to implement an individual screening 
     program unless such program is--
       (1) congressionally authorized; and
       (2) subject to regulations developed by notice and comment 
     that--
       (A) establish a procedure to enable individuals, who suffer 
     an adverse consequence because the screening system 
     determined that they might pose a security threat, to appeal 
     such determination and correct information contained in the 
     system;
       (B) ensure that Federal and commercial databases that will 
     be used to establish the identity of individuals or otherwise 
     make assessments of individuals under the system will not 
     produce a large number of false positives or unjustified 
     adverse consequences;
       (C) ensure the efficacy and accuracy of all of the search 
     tools that will be used and ensure that the department or 
     agency can make an accurate predictive assessment of those 
     who may constitute a threat;
       (D) establish an internal oversight board to oversee and 
     monitor the manner in which the system is being implemented;
       (E) establish sufficient operational safeguards to reduce 
     the opportunities for abuse;
       (F) implement substantial security measures to protect the 
     system from unauthorized access;
       (G) adopt policies establishing the effective oversight of 
     the use and operation of the system; and
       (H) ensure that there are no specific privacy concerns with 
     the technological architecture of the system.
       (d) Study of Government Use.--
       (1) Scope of study.--Not later than 180 days after the date 
     of enactment of this Act, the Comptroller General of the 
     United States shall conduct a study and audit and prepare a 
     report on Federal agency use of commercial databases, 
     including the impact on privacy and security, and the extent 
     to which Federal contracts include sufficient provisions to 
     ensure privacy and security protections, and penalties for 
     failures in privacy and security practices.
       (2) Report.--A copy of the report required under paragraph 
     (1) shall be submitted to Congress.

     SEC. 604. IMPLEMENTATION OF CHIEF PRIVACY OFFICER 
                   REQUIREMENTS.

       (a) Designation of the Chief Privacy Officer.--Pursuant to 
     the requirements under section 522 of the Transportation, 
     Treasury, Independent Agencies, and General Government 
     Appropriations Act, 2005 (Division H of Public Law 108-447; 
     118 Stat. 3199) that each agency designate a Chief Privacy 
     Officer, the Department of Justice shall implement such 
     requirements by designating a department-wide Chief Privacy 
     Officer, whose primary role shall be to fulfill the duties 
     and responsibilities of Chief Privacy Officer and who shall 
     report directly to the Deputy Attorney General.
       (b) Duties and Responsibilities of Chief Privacy Officer.--
     In addition to the duties and responsibilities outlined under 
     section 522 of the Transportation, Treasury, Independent 
     Agencies, and General Government Appropriations Act, 2005 
     (Division H of Public Law 108-447; 118 Stat. 3199), the 
     Department of Justice Chief Privacy Officer shall--
       (1) oversee the Department of Justice's implementation of 
     the requirements under section 603 to conduct privacy impact 
     assessments of the use of commercial data containing 
     personally identifiable information by the Department;
       (2) promote the use of law enforcement technologies that 
     sustain, rather than erode, privacy protections, and assure 
     that the implementation of such technologies relating to the 
     use, collection, and disclosure of personally identifiable 
     information preserve the privacy and security of such 
     information; and
       (3) coordinate with the Privacy and Civil Liberties 
     Oversight Board, established in the Intelligence Reform and 
     Terrorism Prevention Act of 2004 (Public Law 108-458), in 
     implementing paragraphs (1) and (2) of this subsection.
  Mr. LEAHY. Mr. President, today we introduce the Specter-Leahy 
Personal Data Privacy and Security Act of 2005. Reforms are urgently 
needed to protect Americans' privacy and to secure their personal data. 
There have been steady waves of security breaches over the past 6 
months, with the latest involving a database containing 40 million 
credit card numbers at a company that most Americans never knew 
existed.
  These security breaches are a window on a broader, more challenging 
trend. Advanced technologies have improved our lives and can help make 
us safer. Private data about Americans has become a hot commodity. This 
personal and financial information about each of us suddenly is a 
treasure trove, valuable and vulnerable, but our privacy and security 
laws have not kept pace. The reality is that in the digital era, a 
robust market has developed for collecting and selling personal 
information. Today, all types of corporate and governmental entities 
routinely traffic in billions of digitized personal records about 
Americans.
  The data broker market has exploded in size to meet this demand. 
Insecure databases are now low-hanging fruit for hackers looking to 
steal identities and commit fraud. We are seeing a rise

[[Page S7632]]

in organized rings that target personal data to sell in online, virtual 
bazaars.
  In this information-saturated age, the use of personal data has 
significant consequences for every American. People have lost jobs, 
mortgages and control over their credit and identities because personal 
information has been mishandled or listed incorrectly. This trend 
raises new threats to our personal security as well as to our privacy. 
In one disturbing case, a stalker purchased the Social Security number 
of a woman with whom he was obsessed, and used that information to track 
her down. He killed her, and then shot himself.
  Americans everywhere are wondering, ``Why do all these companies have 
my personal information? What are they doing with it? Why aren't they 
protecting it better?'' And they are right to wonder. It is time for 
Congress to catch up with the data market and to show the American 
people that we are aware of these threats and will protect the privacy 
and security of their personal information.
  Chairman Specter and I have worked closely together over many months 
to craft comprehensive legislation to fix key vulnerabilities in our 
information economy. We thought through these issues carefully and took 
the time needed to develop well-balanced, focused legislation that 
provides strong protections where necessary. We also provide tough 
penalties and consequences for failing to protect Americans' most 
personal information. Reforms like these are long overdue. This issue 
and our legislation deserve to become a key part of this year's 
domestic agenda so that we can achieve some positive changes in areas 
that affect the everyday lives of Americans.
  First, our bill requires data brokers to let people know what 
information they have about them, and to allow people to correct 
inaccurate information. These principles have precedent from the credit 
report context, and we have adapted them in a way that makes sense for 
the data brokering industry. It's a simple matter of fairness.
  Second, we would require companies that have databases with personal 
information on Americans to establish and implement data privacy and 
security programs. Any company that wants to be trusted by the public 
in this day and age must vigilantly protect databases housing 
Americans' private data. They also have a responsibility in the next 
link in the security chain, to make sure that contractors hired to 
process data are on the up-and-up and secure. This is critical as 
Americans' personal information is increasingly processed overseas.
  Third, our bill requires notice when sensitive personal information 
has been compromised. The American people have a right to know when 
they are at risk because of corporate failures to protect their data, 
or when a criminal has infiltrated data systems. The notice rules in 
our bill were crafted carefully to ensure that the trigger for notice 
is tied to risk and to recognize important fraud prevention techniques 
that already exist. But our priority was making sure that victims have 
that critical information as a roadmap providing the assistance 
necessary to protect themselves, their families and their financial 
well-being.
  Fourth, our bill provides tough new protections for Social Security 
numbers, which are the keys to unlocking so much of our financial and 
personal lives. The use of Social Security numbers has expanded well 
beyond the intended purposes. Some uses provide important benefits, but 
others have made Americans vulnerable. Social Security numbers are for 
sale online for small fees. Earlier this year, it was reported that a 
payroll and benefits company put the Social Security numbers of 1,000 
workers on postcards--on postcards--brazenly visible for anyone to see. 
Worse still, those postcards described in detail how those Social 
Security numbers could be used to access employee benefits online. This 
is unacceptable, and this bill would make that kind of disregard and 
sloppiness illegal.
  Finally, our bill addresses the government's use of personal data. We 
are living in a world where the government is increasingly looking to 
the private sector to get personal data that it could not legally 
collect on its own without oversight and appropriate protections. So 
ingrained has the data broker-government partnership become that a 
ChoicePoint executive stated, ``We do act as an intelligence agency, 
gathering data, applying analytics.'' While these relationships can 
help protect us, there must be oversight and appropriate protections.
  The recent decision to award ChoicePoint an IRS contract highlights 
this tension. It is especially galling right now to be rewarding firms 
that have been so careless with the public's confidential information. 
The dust has not yet settled and the investigations are incomplete on 
ChoicePoint's lax security practices. We should at least take a pause 
before rewarding such missteps with even more government contracts. 
This bill would place privacy and security front and center in 
evaluating whether data brokers can be trusted with government 
contracts that involve sensitive information about the American people. 
It would require contract reviews that include these considerations, 
audits to ensure good practice, and contract penalties for failure to 
protect data privacy and security.

  The Specter-Leahy legislation meets other key goals. It provides 
tough monetary and criminal penalties for compromising personal data or 
failing to provide necessary protections. This creates an incentive for 
companies to protect personal information, especially when there is no 
commercial relationship between individuals and companies using their 
data.
  Our legislation also carefully balances the need for Federal 
uniformity and State leadership. States are often on the forefront of 
protecting privacy and spurring change. The California security breach 
law has been an important lesson. My State of Vermont was among the 
first--if not the first--to require individual consent before sharing 
financial information with third parties, and to require a person or 
business to obtain consent from individuals before reviewing their 
credit reports. The role of States is important, and our bill 
identifies areas that require uniformity while leaving the States free 
to act elsewhere as they see fit. We also would authorize an additional 
$100 million over 4 years to help state law enforcement fight misuse of 
personal information.
  This is a solid bill--a comprehensive bill--that not only deals with 
providing Americans notice when they have already been hurt, but also 
deals with the underlying problem of lax security and lack of 
accountability in dealing with their most personal and private 
information.
  I commend Senator Specter for his leadership on this emerging 
problem. A number of us have been working on these issues--Senator 
Feinstein, Senator Nelson, Senator Cantwell and Senator Schumer, among 
others. I appreciate and recognize their hard work and look forward to 
making progress together. I am pleased to work closely with Senator 
Specter on this and believe that we have a bill that significantly 
advances the ball in protecting Americans.
  I ask unanimous consent that a copy of the bill be printed in the 
Record.
                                 ______