[Congressional Record Volume 151, Number 124 (Thursday, September 29, 2005)]
[Senate]
[Pages S10725-S10734]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. SPECTER (for himself, Mr. Leahy, Mrs. Feinstein, and Mr. 
        Feingold):
  S. 1789. A bill to prevent and mitigate identity theft, to ensure 
privacy, to provide notice of security breaches, and to enhance criminal 
penalties, law enforcement assistance, and other protections against 
security breaches, fraudulent access, and misuse of personally 
identifiable information; to the Committee on the Judiciary.
  Mr. SPECTER. Mr. President, I ask unanimous consent that the text of 
the bill be printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1789

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Personal 
     Data Privacy and Security Act of 2005''.
       (b) Table of Contents.--The table of contents for this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Fraud and related criminal activity in connection with 
              unauthorized access to personally identifiable 
              information.
Sec. 102. Organized criminal activity in connection with unauthorized 
              access to personally identifiable information.
Sec. 103. Concealment of security breaches involving sensitive 
              personally identifiable information.
Sec. 104. Aggravated fraud in connection with computers.
Sec. 105. Review and amendment of Federal sentencing guidelines related 
              to fraudulent access to or misuse of digitized or 
              electronic personally identifiable information.

  TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING 
 CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF 
                  PERSONALLY IDENTIFIABLE INFORMATION

Sec. 201. Grants for State and local enforcement.
Sec. 202. Authorization of appropriations.

                        TITLE III--DATA BROKERS

Sec. 301. Transparency and accuracy of data collection.

Sec. 302. Enforcement.
Sec. 303. Relation to State laws.
Sec. 304. Effective date.

 TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

             Subtitle A--Data Privacy and Security Program

Sec. 401. Purpose and applicability of data privacy and security 
              program.
Sec. 402. Requirements for a personal data privacy and security 
              program.
Sec. 403. Enforcement.
Sec. 404. Relation to State laws.

                Subtitle B--Security Breach Notification

Sec. 421. Right to notice of security breach.
Sec. 422. Notice procedures.
Sec. 423. Content of notice.
Sec. 424. Risk assessment and fraud prevention notice exemptions.
Sec. 425. Victim protection assistance.
Sec. 426. Enforcement.
Sec. 427. Relation to State laws.
Sec. 428. Study on securing personally identifiable information in the 
              digital era.
Sec. 429. Reporting on risk assessment exemption.
Sec. 430. Authorization of appropriations.
Sec. 431. Reporting on risk assessment exemption.
Sec. 432. Effective date.

        TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

Sec. 501. General Services Administration review of contracts.
Sec. 502. Requirement to audit information security practices of 
              contractors and third party business entities.
Sec. 503. Privacy impact assessment of government use of commercial 
              information services containing personally identifiable 
              information.
Sec. 504. Implementation of Chief Privacy Officer requirements.

     SEC. 2. FINDINGS.

       Congress finds that--
       (1) databases of personally identifiable information are 
     increasingly prime targets of hackers, identity thieves, 
     rogue employees, and other criminals, including organized and 
     sophisticated criminal operations;
       (2) identity theft is a serious threat to the nation's 
     economic stability, homeland security, the development of e-
     commerce, and the privacy rights of Americans;
       (3) over 9,300,000 individuals were victims of identity 
     theft in America last year;
       (4) security breaches are a serious threat to consumer 
     confidence, homeland security, e-commerce, and economic 
     stability;
       (5) it is important for business entities that own, use, or 
     license personally identifiable information to adopt 
     reasonable procedures to ensure the security, privacy, and 
     confidentiality of that personally identifiable information;
       (6) individuals whose personal information has been 
     compromised or who have been victims of identity theft should 
     receive the necessary information and assistance to mitigate 
     their damages and to restore the integrity of their personal 
     information and identities;
       (7) data brokers have assumed a significant role in 
     providing identification, authentication, and screening 
     services, and related data collection and analyses for 
     commercial, nonprofit, and government operations;
       (8) data misuse and use of inaccurate data have the 
     potential to cause serious or irreparable harm to an 
     individual's livelihood, privacy, and liberty and undermine 
     efficient and effective business and government operations;
       (9) there is a need to ensure that data brokers conduct 
     their operations in a manner that prioritizes fairness, 
     transparency, accuracy, and respect for the privacy of 
     consumers;
       (10) government access to commercial data can potentially 
     improve safety, law enforcement, and national security; and
       (11) because government use of commercial data containing 
     personal information potentially affects individual privacy, 
     and law enforcement and national security operations, there 
     is a need for Congress to exercise oversight over government 
     use of commercial data.

     SEC. 3. DEFINITIONS.

       In this Act:
       (1) Agency.--The term ``agency'' has the same meaning given 
     such term in section 551 of title 5, United States Code.
       (2) Affiliate.--The term ``affiliate'' means persons 
     related by common ownership or by corporate control.
       (3) Business entity.--The term ``business entity'' means 
     any organization, corporation, trust, partnership, sole 
     proprietorship, unincorporated association, venture 
     established to make a profit, or nonprofit, and any 
     contractor, subcontractor, affiliate, or licensee thereof 
     engaged in interstate commerce.
       (4) Identity theft.--The term ``identity theft'' means a 
     violation of section 1028 of title 18, United States Code, or 
     any other similar provision of applicable State law.
       (5) Data broker.--The term ``data broker'' means a business 
     entity which for monetary fees, dues, or on a cooperative 
     nonprofit basis, currently or regularly engages, in whole or 
     in part, in the practice of collecting, transmitting, or 
     providing access to sensitive personally identifiable 
     information primarily for the purposes of providing such 
     information to nonaffiliated third parties on a nationwide 
     basis on more than 5,000 individuals who are not the 
     customers or employees of the business entity or affiliate.
       (6) Data furnisher.--The term ``data furnisher'' means any 
     agency, governmental entity, organization, corporation, 
     trust, partnership, sole proprietorship, unincorporated 
     association, venture established to make a profit, or 
     nonprofit, and any contractor, subcontractor, affiliate, or 
     licensee thereof, that serves as a source of information for 
     a data broker.
       (7) Personal electronic record.--The term ``personal 
     electronic record'' means data associated with an individual 
     contained in a database, networked or integrated databases, 
     or other data system that holds sensitive personally 
     identifiable information of that individual and is provided 
     to non-affiliated third parties.
       (8) Personally identifiable information.--The term 
     ``personally identifiable information'' means any 
     information, or compilation of information, in electronic or 
     digital form serving as a means of identification, as defined 
     by section 1028(d)(7) of title 18, United States Code.
       (9) Public record source.--The term ``public record 
     source'' means any agency, Federal court, or State court that 
     maintains personally identifiable information in records 
     available to the public.
       (10) Security breach.--
       (A) In general.--The term ``security breach'' means 
     compromise of the security, confidentiality, or integrity of 
     computerized data through misrepresentation or actions that 
     result in, or there is a reasonable basis to conclude has 
     resulted in, the unauthorized acquisition of and access to 
     sensitive personally identifiable information.
       (B) Exclusion.--The term ``security breach'' does not 
     include--
       (i) a good faith acquisition of sensitive personally 
     identifiable information by a business entity or agency, or 
     an employee or agent of a business entity or agency, if the 
     sensitive personally identifiable information is not subject 
     to further unauthorized disclosure; or
       (ii) the release of a public record not otherwise subject 
     to confidentiality or nondisclosure requirements.
       (11) Sensitive personally identifiable information.--The 
     term ``sensitive personally identifiable information'' means 
     any information or compilation of information, in electronic 
     or digital form that includes:
       (A) An individual's name in combination with any 1 of the 
     following data elements:
       (i) A non-truncated social security number, driver's 
     license number, passport number, or alien registration 
     number.
       (ii) Any 2 of the following:

       (I) Information that relates to--

       (aa) the past, present, or future physical or mental health 
     or condition of an individual;
       (bb) the provision of health care to an individual; or
       (cc) the past, present, or future payment for the provision 
     of health care to an individual.

       (II) Home address or telephone number.
       (III) Mother's maiden name, if identified as such.
       (IV) Month, day, and year of birth.

       (iii) Unique biometric data such as a finger print, voice 
     print, a retina or iris image, or any other unique physical 
     representation.
       (iv) A unique electronic identification number, user name, 
     or routing code in combination with the associated security 
     code, access code, or password.
       (v) Any other information regarding an individual 
     determined appropriate by the Federal Trade Commission.
       (B) A financial account number or credit or debit card 
     number in combination with the required security code, access 
     code, or password.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

     SEC. 101. FRAUD AND RELATED CRIMINAL ACTIVITY IN CONNECTION 
                   WITH UNAUTHORIZED ACCESS TO PERSONALLY 
                   IDENTIFIABLE INFORMATION.

       Section 1030(a)(2) of title 18, United States Code, is 
     amended--
       (1) in subparagraph (B), by striking ``or'' after the 
     semicolon;
       (2) in subparagraph (C), by inserting ``or'' after the 
     semicolon; and
       (3) by adding at the end the following:
       ``(D) information contained in the databases or systems of 
     a data broker, or in other personal electronic records, as 
     such terms are defined in section 3 of the Personal Data 
     Privacy and Security Act of 2005;''.

     SEC. 102. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH 
                   UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
                   INFORMATION.

       Section 1961(1) of title 18, United States Code, is amended 
     by inserting ``section 1030(a)(2)(D) (relating to fraud and 
     related activity in connection with unauthorized access to 
     personally identifiable information),'' before ``section 
     1084''.

     SEC. 103. CONCEALMENT OF SECURITY BREACHES INVOLVING 
                   SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by adding at the end the following:

     ``Sec. 1039. Concealment of security breaches involving 
       sensitive personally identifiable information

       ``(a) Whoever, having knowledge of a security breach and 
     the obligation to provide notice of such breach to 
     individuals under title IV of the Personal Data Privacy and 
     Security Act of 2005, and having not otherwise qualified for 
     an exemption from providing notice under section 422 of such 
     Act, intentionally and willfully conceals the fact of such 
     security breach which causes economic damages to 1 or more 
     persons, shall be fined under this title or imprisoned not 
     more than 5 years, or both.
       ``(b) For purposes of subsection (a), the term `person' 
     means any individual, corporation, company, association, 
     firm, partnership, society, or joint stock company.''.
       (b) Conforming and Technical Amendments.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by adding at the end the following:

``1039. Concealment of security breaches involving personally 
              identifiable information.''.

       (c) Enforcement Authority.--The United States Secret 
     Service shall have the authority to investigate offenses 
     under this section.

     SEC. 104. AGGRAVATED FRAUD IN CONNECTION WITH COMPUTERS.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by adding after section 1030 the following:

     ``Sec. 1030A. Aggravated fraud in connection with computers

       ``(a) In General.--Whoever, during and in relation to any 
     felony violation enumerated in subsection (c), knowingly 
     obtains, accesses, or transmits, without lawful authority, a 
     means of identification of another person may, in addition to 
     the punishment provided for such felony, be sentenced to a 
     term of imprisonment of up to 2 years.
       ``(b) Consecutive Sentences.--Notwithstanding any other 
     provision of law, should a court in its discretion impose an 
     additional sentence under subsection (a)--
       ``(1) no term of imprisonment imposed on a person under 
     this section shall run concurrently, except as provided in 
     paragraph (3), with any other term of imprisonment imposed on 
     such person under any other provision of law, including any 
     term of imprisonment imposed for the felony during which the 
     means of identification was obtained, accessed, or 
     transmitted;
       ``(2) in determining any term of imprisonment to be imposed 
     for the felony during which the means of identification was 
     obtained, accessed, or transmitted, a court shall not in any 
     way reduce the term to be imposed for such crime so as to 
     compensate for, or otherwise take into account, any separate 
     term of imprisonment imposed or to be imposed for a violation 
     of this section; and
       ``(3) a term of imprisonment imposed on a person for a 
     violation of this section may, in the discretion of the 
     court, run concurrently, in whole or in part, only with 
     another term of imprisonment that is imposed by the court at 
     the same time on that person for an additional violation of 
     this section.
       ``(c) Definition.--For purposes of this section, the term 
     `felony violation enumerated in subsection (c)' means any 
     offense that is a felony violation of paragraphs (2) through 
     (7) of section 1030(a).''.
       (b) Conforming and Technical Amendments.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by inserting after the item relating to section 1030 
     the following new item:

``1030A. Aggravated fraud in connection with computers.''.

     SEC. 105. REVIEW AND AMENDMENT OF FEDERAL SENTENCING 
                   GUIDELINES RELATED TO FRAUDULENT ACCESS TO OR 
                   MISUSE OF DIGITIZED OR ELECTRONIC PERSONALLY 
                   IDENTIFIABLE INFORMATION.

       (a) Review and Amendment.--Not later than 180 days after 
     the date of enactment of this Act, the United States 
     Sentencing Commission, pursuant to its authority under 
     section 994 of title 28, United States Code, and in 
     accordance with this section, shall review and, if 
     appropriate, amend the Federal sentencing guidelines 
     (including its policy statements) applicable to persons 
     convicted of using fraud to access, or misuse of, digitized 
     or electronic personally identifiable information, including 
     identity theft or any offense under--
       (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of 
     title 18, United States Code; or
       (2) any other relevant provision.
       (b) Requirements.--In carrying out the requirements of this 
     section, the United States Sentencing Commission shall--
       (1) ensure that the Federal sentencing guidelines 
     (including its policy statements) reflect--
       (A) the serious nature of the offenses and penalties 
     referred to in this Act;
       (B) the growing incidences of theft and misuse of digitized 
     or electronic personally identifiable information, including 
     identity theft; and
       (C) the need to deter, prevent, and punish such offenses;
       (2) consider the extent to which the Federal sentencing 
     guidelines (including its policy statements) adequately 
     address violations of the sections amended by this Act to--
       (A) sufficiently deter and punish such offenses; and
       (B) adequately reflect the enhanced penalties established 
     under this Act;
       (3) maintain reasonable consistency with other relevant 
     directives and sentencing guidelines;
       (4) account for any additional aggravating or mitigating 
     circumstances that might justify exceptions to the generally 
     applicable sentencing ranges;
       (5) consider whether to provide a sentencing enhancement 
     for those convicted of the offenses described in subsection 
     (a), if the conduct involves--
       (A) the online sale of fraudulently obtained or stolen 
     personally identifiable information;
       (B) the sale of fraudulently obtained or stolen personally 
     identifiable information to an individual who is engaged in 
     terrorist activity or aiding other individuals engaged in 
     terrorist activity; or
       (C) the sale of fraudulently obtained or stolen personally 
     identifiable information to finance terrorist activity or 
     other criminal activities;
       (6) make any necessary conforming changes to the Federal 
     sentencing guidelines to ensure that such guidelines 
     (including its policy statements) as described in subsection 
     (a) are sufficiently stringent to deter, and adequately 
     reflect crimes related to fraudulent access to, or misuse of, 
     personally identifiable information; and
       (7) ensure that the Federal sentencing guidelines 
     adequately meet the purposes of sentencing under section 
     3553(a)(2) of title 18, United States Code.
       (c) Emergency Authority to Sentencing Commission.--The 
     United States Sentencing Commission may, as soon as 
     practicable, promulgate amendments under this section in 
     accordance with procedures established in section 21(a) of 
     the Sentencing Act of 1987 (28 U.S.C. 994 note) as though the 
     authority under that Act had not expired.

  TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING 
 CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF 
                  PERSONALLY IDENTIFIABLE INFORMATION

     SEC. 201. GRANTS FOR STATE AND LOCAL ENFORCEMENT.

       (a) In General.--Subject to the availability of amounts 
     provided in advance in appropriations Acts, the Assistant 
     Attorney General for the Office of Justice Programs of the 
     Department of Justice may award a grant to a State to 
     establish and develop programs to increase and enhance 
     enforcement against crimes related to fraudulent, 
     unauthorized, or other criminal use of personally 
     identifiable information.
       (b) Application.--A State seeking a grant under subsection 
     (a) shall submit an application to the Assistant Attorney 
     General for the Office of Justice Programs of the Department 
     of Justice at such time, in such manner, and containing such 
     information as the Assistant Attorney General may require.
       (c) Use of Grant Amounts.--A grant awarded to a State under 
     subsection (a) shall be used by a State, in conjunction with 
     units of local government within that State, State and local 
     courts, other States, or combinations thereof, to establish 
     and develop programs to--
       (1) assist State and local law enforcement agencies in 
     enforcing State and local criminal laws relating to crimes 
     involving the fraudulent, unauthorized, or other criminal use 
     of personally identifiable information;
       (2) assist State and local law enforcement agencies in 
     educating the public to prevent and identify crimes involving 
     the fraudulent, unauthorized, or other criminal use of 
     personally identifiable information;
       (3) educate and train State and local law enforcement 
     officers and prosecutors to conduct investigations and 
     forensic analyses of evidence and prosecutions of crimes 
     involving the fraudulent, unauthorized, or other criminal use 
     of personally identifiable information;
       (4) assist State and local law enforcement officers and 
     prosecutors in acquiring computer and other equipment to 
     conduct investigations and forensic analysis of evidence of 
     crimes involving the fraudulent, unauthorized, or other 
     criminal use of personally identifiable information; and
       (5) facilitate and promote the sharing of Federal law 
     enforcement expertise and information about the 
     investigation, analysis, and prosecution of crimes involving 
     the fraudulent, unauthorized, or other criminal use of 
     personally identifiable information with State and local law 
     enforcement officers and prosecutors, including the use of 
     multi-jurisdictional task forces.
       (d) Assurances and Eligibility.--To be eligible to receive 
     a grant under subsection (a), a State shall provide 
     assurances to the Attorney General that the State--
       (1) has in effect laws that penalize crimes involving the 
     fraudulent, unauthorized, or other criminal use of personally 
     identifiable information, such as penal laws prohibiting--
       (A) fraudulent schemes executed to obtain personally 
     identifiable information;
       (B) schemes executed to sell or use fraudulently obtained 
     personally identifiable information; and
       (C) online sales of personally identifiable information 
     obtained fraudulently or by other illegal means;
       (2) will provide an assessment of the resource needs of the 
     State and units of local government within that State, 
     including criminal justice resources being devoted to the 
     investigation and enforcement of laws 
     related to crimes involving the fraudulent, unauthorized, or 
     other criminal use of personally identifiable information; 
     and
       (3) will develop a plan for coordinating the programs 
     funded under this section with other federally funded 
     technical assistance and training programs, including directly 
     funded local programs such as the Local Law Enforcement Block 
     Grant program (described under the heading ``Violent Crime 
     Reduction Programs, State and Local Law Enforcement 
     Assistance'' of the Departments of Commerce, Justice, and 
     State, the Judiciary, and Related Agencies Appropriations 
     Act, 1998 (Public Law 105-119)).
       (e) Matching Funds.--The Federal share of a grant received 
     under this section may not exceed 90 percent of the total 
     cost of a program or proposal funded under this section 
     unless the Attorney General waives, wholly or in part, the 
     requirements of this subsection.

     SEC. 202. AUTHORIZATION OF APPROPRIATIONS.

       (a) In General.--There is authorized to be appropriated to 
     carry out this title $25,000,000 for each of fiscal years 
     2006 through 2009.
       (b) Limitations.--Of the amount made available to carry out 
     this title in any fiscal year not more than 3 percent may be 
     used by the Attorney General for salaries and administrative 
     expenses.
       (c) Minimum Amount.--Unless all eligible applications 
     submitted by a State or units of local government within a 
     State for a grant under this title have been funded, the 
     State, together with grantees within the State (other than 
     Indian tribes), shall be allocated in each fiscal year under 
     this title not less than 0.75 percent of the total amount 
     appropriated in the fiscal year for grants pursuant to this 
     title, except that the United States Virgin Islands, American 
     Samoa, Guam, and the Northern Mariana Islands each shall be 
     allocated 0.25 percent.
       (d) Grants to Indian Tribes.--Notwithstanding any other 
     provision of this title, the Attorney General may use amounts 
     made available under this title to make grants to Indian 
     tribes for use in accordance with this title.

                        TITLE III--DATA BROKERS

     SEC. 301. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.

       (a) In General.--Data brokers engaging in interstate 
     commerce are subject to the requirements of this title for 
     any product or service offered to third parties that allows 
     access, use, compilation, distribution, processing, 
     analyzing, or evaluation of sensitive personally identifiable 
     information.
       (b) Limitation.--Notwithstanding any other paragraph of 
     this title, this section shall not apply to--
       (1) brokers engaging in interstate commerce for any offered 
     product or service currently subject to, and in compliance 
     with, access and accuracy protections similar to those under 
     subsections (c) through (f) of this section under the Fair 
     Credit Reporting Act (Public Law 91-508), or the Gramm-Leach-
     Bliley Act (Public Law 106-102);
       (2) data brokers engaging in interstate commerce for any 
     offered product or service currently in compliance with the 
     requirements for such entities under the Health Insurance 
     Portability and Accountability Act (Public Law 104-191), and 
     implementing regulations;
       (3) information in a personal electronic record held by a 
     data broker if--
       (A) the data broker maintains such information solely 
     pursuant to a license agreement with another business entity; 
     and
       (B) the business entity providing such information to the 
     data broker pursuant to a license agreement either complies 
     with the provisions of this section or qualifies for this 
     exemption; and
       (4) information in a personal record that--
       (A) the data broker has identified as inaccurate, but 
     maintains for the purpose of aiding the data broker in 
     preventing inaccurate information from entering an 
     individual's personal electronic record; and
       (B) is not maintained primarily for the purpose of 
     transmitting or otherwise providing that information, or 
     assessments based on that information, to non-affiliated 
     third parties.
       (c) Disclosures to Individuals.--
       (1) In general.--A data broker shall, upon the request of 
     an individual, clearly and accurately disclose to such 
     individual for a reasonable fee all personal electronic 
     records pertaining to that individual maintained for 
     disclosure to third parties in the ordinary course of 
     business in the databases or systems of the data broker at 
     the time of the request.
       (2) Information on how to correct inaccuracies.--The 
     disclosures required under paragraph (1) shall also include 
     guidance to individuals on the processes and procedures for 
     demonstrating and correcting any inaccuracies.
       (d) Creation of an Accuracy Resolution Process.--A data 
     broker shall develop and publish on its website timely and 
     fair processes and procedures for responding to claims of 
     inaccuracies, including procedures for correcting inaccurate 
     information in the personal electronic records it maintains 
     on individuals.
       (e) Accuracy Resolution Process.--
       (1) Information from a public record source.--
       (A) In general.--If an individual notifies a data broker of 
     a dispute as to the completeness or accuracy of information, 
     and the data broker determines that such information is 
     derived from a public record source, the data broker shall 
     determine within 30 days whether the information in its 
     system accurately and completely records the information 
     offered by the public record source.
       (B) Data broker actions.--If a data broker determines under 
     subparagraph (A) that the information in its systems--
       (i) does not accurately and completely record the 
     information offered by a public record source, the data 
     broker shall correct any inaccuracies or incompleteness, and 
     provide to such individual written notice of such changes; 
     and
       (ii) does accurately and completely record the information 
     offered by a public record source, the data broker shall--

       (I) provide such individual with the name, address, and 
     telephone contact information of the public record source; 
     and
       (II) notify such individual of the right to add for a 
     period of 90 days to the personal electronic record of the 
     individual maintained by the data broker notice of the 
     dispute under subsection (f).

       (2) Investigation of disputed information not from a public 
     record source.--If the completeness or accuracy of any 
     nonpublic record source disclosed to an individual under 
     subsection (c) is disputed by the individual and such 
     individual notifies the data broker directly of such dispute, 
     the data broker shall, before the end of the 30-day period 
     beginning on the date on which the data broker receives the 
     notice of the dispute--
       (A) investigate free of charge and record the current 
     status of the disputed information; or
       (B) delete the item from the individual's data file in 
     accordance with paragraph (8).
       (3) Extension of period to investigate.--Except as provided 
     in paragraph (4), the 30-day period described in paragraph 
     (1) may be extended for not more than 15 additional days if a 
     data broker receives information from the individual during 
     that 30-day period that is relevant to the investigation.
       (4) Limitations on extension of period to investigate.--
     Paragraph (3) shall not apply to any investigation in which, 
     during the 30-day period described in paragraph (1), the 
     information that is the subject of the investigation is found 
     to be inaccurate or incomplete or a data broker determines 
     that the information cannot be verified.
       (5) Notice identifying the data furnisher.--If the 
     completeness or accuracy of any information disclosed to an 
     individual under subsection (c) is disputed by the 
     individual, a data broker shall provide, upon the request of 
     the individual, the name, business address, and telephone 
     contact information of any data furnisher who provided an 
     item of information in dispute.
       (6) Determination that dispute is frivolous or 
     irrelevant.--
       (A) In general.--Notwithstanding paragraphs (1) through 
     (4), a data broker may decline to investigate or terminate an 
     investigation of information disputed by an individual under 
     those paragraphs if the data broker reasonably determines 
     that the dispute by the individual is frivolous or 
     irrelevant, including by reason of a failure by the 
     individual to provide sufficient information to investigate 
     the disputed information.
       (B) Notice.--Not later than 5 business days after making 
     any determination in accordance with subparagraph (A) that a 
     dispute is frivolous or irrelevant, a data broker shall 
     notify the individual of such determination by mail, or if 
     authorized by the individual, by any other means available to 
     the data broker.
       (C) Contents of notice.--A notice under subparagraph (B) 
     shall include--
       (i) the reasons for the determination under subparagraph 
     (A); and
       (ii) identification of any information required to 
     investigate the disputed information, which may consist of a 
     standardized form describing the general nature of such 
     information.
       (7) Consideration of individual information.--In conducting 
     any investigation with respect to disputed information in the 
     personal electronic record of any individual, a data broker 
     shall review and consider all relevant information submitted 
     by the individual in the period described in paragraph (2) 
     with respect to such disputed information.
       (8) Treatment of inaccurate or unverifiable information.--
       (A) In general.--If, after any review of public record 
     information under paragraph (1) or any investigation of any 
     information disputed by an individual under paragraphs (2) 
     through (4), an item of information is found to be inaccurate 
     or incomplete or cannot be verified, a data broker shall 
     promptly delete that item of information from the 
     individual's personal electronic record or modify that item 
     of information, as appropriate, based on the results of the 
     investigation.
       (B) Notice to individuals of reinsertion of previously 
     deleted information.--If any information that has been 
     deleted from an individual's personal electronic record 
     pursuant to subparagraph (A) is reinserted in the personal 
     electronic record of the individual, a data broker shall, not 
     later than 5 days after reinsertion, notify the individual of 
     the reinsertion and identify any data furnisher not 
     previously disclosed in writing, or if authorized by the 
     individual for that purpose, by any other means available to 
     the data broker, unless such notification has been previously 
     given under this subsection.
       (C) Notice of results of investigation of disputed 
     information from a nonpublic record source.--

[[Page S10729]]

       (i) In general.--Not later than 5 business days after the 
     completion of an investigation under paragraph (2), a data 
     broker shall provide written notice to an individual of the 
     results of the investigation, by mail or, if authorized by 
     the individual for that purpose, by other means available to 
     the data broker.
       (ii) Additional requirement.--Before the expiration of the 
     5-day period, as part of, or in addition to such notice, a 
     data broker shall, in writing, provide to an individual--

       (I) a statement that the investigation is completed;
       (II) a report that is based upon the personal electronic 
     record of such individual as that personal electronic record 
     is revised as a result of the investigation;
       (III) a notice that, if requested by the individual, a 
     description of the procedures used to determine the accuracy 
     and completeness of the information shall be provided to the 
     individual by the data broker, including the business name, 
     address, and telephone number of any data furnisher of 
     information contacted in connection with such information; 
     and
       (IV) a notice that the individual has the right to request 
     notifications under subsection (f).

       (D) Description of investigation procedures.--Not later 
     than 15 days after receiving a request from an individual for 
     a description referred to in subparagraph (C)(ii)(III), a 
     data broker shall provide to the individual such a 
     description.
       (E) Expedited dispute resolution.--If by no later than 3 
     business days after the date on which a data broker receives 
     notice of a dispute from an individual of information in the 
     personal electronic record of such individual in accordance 
     with paragraph (2), a data broker resolves such dispute in 
     accordance with subparagraph (A) by the deletion of the 
     disputed information, then the data broker shall not be 
     required to comply with subsections (e) and (f) with respect 
     to that dispute if the data broker provides to the 
     individual, by telephone or other means authorized by the 
     individual, prompt notice of the deletion.
       (f) Notice of Dispute.--
       (1) In general.--If the completeness or accuracy of any 
     information disclosed to an individual under subsection (c) 
     is disputed and unless there is a reasonable ground to 
     believe that such dispute is frivolous or irrelevant, an 
     individual may request that the data broker indicate notice 
     of the dispute for a period of--
       (A) 30 days for information from a nonpublic record source; 
     and
       (B) 90 days for information from a public record source.
       (2) Compliance.--A data broker shall be deemed in 
     compliance with the requirements under paragraph (1) by 
     either--
       (A) allowing the individual to file a brief statement 
     setting forth the nature of the dispute under paragraph (3); 
     or
       (B) using an alternative notice method that--
       (i) clearly flags the disputed information for third 
     parties accessing the information; and
       (ii) provides a means for third parties to obtain further 
     information regarding the nature of the dispute.
       (3) Contents of statement.--A data broker may limit 
     statements made under paragraph (2)(A) to not more than 100 
     words if it provides an individual with assistance in writing 
     a clear summary of the dispute or until the dispute is 
     resolved.
       (g) Additional Requirements.--The Federal Trade Commission 
     may exempt certain classes of data brokers from this title in 
     a rulemaking process pursuant to section 553 of title 5, 
     United States Code.

     SEC. 302. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) Penalties.--Any data broker that violates the 
     provisions of section 301 shall be subject to civil penalties 
     of not more than $1,000 per violation per day, with a maximum 
     of $15,000 per day, while such violations persist.
       (2) Intentional or willful violation.--A data broker that 
     intentionally or willfully violates the provisions of section 
     301 shall be subject to additional penalties in the amount of 
     $1,000 per violation per day, with a maximum of an additional 
     $15,000 per day, while such violations persist.
       (3) Equitable relief.--A data broker engaged in interstate 
     commerce that violates this section may be enjoined from 
     further violations by a court of competent jurisdiction.
       (4) Other rights and remedies.--The rights and remedies 
     available under this subsection are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Injunctive Actions by the Attorney General.--
       (1) In general.--Whenever it appears that a data broker to 
     which this title applies has engaged, is engaged, or is about 
     to engage, in any act or practice constituting a violation of 
     this title, the Attorney General may bring a civil action in 
     an appropriate district court of the United States to--
       (A) enjoin such act or practice;
       (B) enforce compliance with this title;
       (C) obtain damages--
       (i) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of a State; 
     and
       (ii) punitive damages, if the violation is willful or 
     intentional; and
       (D) obtain such other relief as the court determines to be 
     appropriate.
       (2) Other injunctive relief.--Upon a proper showing in the 
     action under paragraph (1), the court shall grant a permanent 
     injunction or a temporary restraining order without bond.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by an act or practice that violates this 
     title, the State may bring a civil action on behalf of the 
     residents of that State in a district court of the United 
     States of appropriate jurisdiction, or any other court of 
     competent jurisdiction, to--
       (A) enjoin that act or practice;
       (B) enforce compliance with this title;
       (C) obtain--
       (i) damages in the sum of actual damages, restitution, or 
     other compensation on behalf of affected residents of the 
     State; and
       (ii) punitive damages, if the violation is willful or 
     intentional; or
       (D) obtain such other legal and equitable relief as the 
     court may consider to be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under this 
     subsection, the attorney general of the State involved shall 
     provide to the Attorney General--
       (i) a written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exception.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a 
     State determines that it is not feasible to provide the 
     notice described in this subparagraph before the filing of 
     the action.
       (C) Notification when practicable.--In an action described 
     under subparagraph (B), the attorney general of a State shall 
     provide the written notice and the copy of the complaint to 
     the Attorney General as soon after the filing of the 
     complaint as practicable.
       (3) Attorney general authority.--Upon receiving notice 
     under paragraph (2), the Attorney General shall have the 
     right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (4);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (4) Pending proceedings.--If the Attorney General has 
     instituted a proceeding or action for a violation of this 
     title or any regulations thereunder, no attorney general of a 
     State may, during the pendency of such proceeding or action, 
     bring an action under this subsection against any defendant 
     named in such criminal proceeding or civil action for any 
     violation that is alleged in that proceeding or action.
       (5) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1), nothing in this title shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (A) conduct investigations;
       (B) administer oaths and affirmations; or
       (C) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1931 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection, process may be served in any district in which the 
     defendant--
       (i) is an inhabitant; or
       (ii) may be found.
       (d) No Private Cause of Action.--Nothing in this title 
     establishes a private cause of action against a data broker 
     for violation of any provision of this title.

     SEC. 303. RELATION TO STATE LAWS.

       No requirement or prohibition may be imposed under the laws 
     of any State with respect to any subject matter regulated 
     under section 301, relating to individual access to, and 
     correction of, personal electronic records held by data 
     brokers.

     SEC. 304. EFFECTIVE DATE.

       This title shall take effect 180 days after the date of 
     enactment of this Act and shall be implemented pursuant to a 
     State by State rollout schedule set by the Federal Trade 
     Commission, but in no case shall full implementation and 
     effect of this title occur later than 1 year and 180 days 
     after the date of enactment of this Act.

 TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

             Subtitle A--Data Privacy and Security Program

     SEC. 401. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Purpose.--The purpose of this subtitle is to ensure 
     standards for developing and implementing administrative, 
     technical, and physical safeguards to protect the privacy, 
     security, confidentiality, integrity, storage, and disposal 
     of sensitive personally identifiable information.
       (b) In General.--A business entity engaging in interstate 
     commerce that involves collecting, accessing, transmitting, 
     using, storing, or disposing of sensitive personally 
     identifiable information in electronic or digital form on 
     10,000 or more United States

[[Page S10730]]

     persons is subject to the requirements for a data privacy and 
     security program under section 402 for protecting sensitive 
     personally identifiable information.
       (c) Limitations.--Notwithstanding any other obligation 
     under this subtitle, this subtitle does not apply to--
       (1) financial institutions--
       (A) subject to the data security requirements and 
     implementing regulations under the Gramm-Leach-Bliley Act (15 
     U.S.C. 6801 et seq.); and
       (B) subject to--
       (i) examinations for compliance with the requirements of 
     this Act by 1 or more Federal or State functional regulators 
     (as defined in section 509 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6809)); or
       (ii) compliance with part 314 of title 16, Code of Federal 
     Regulations; or
       (2) ``covered entities'' subject to the Health Insurance 
     Portability and Accountability Act of 1996 (42 U.S.C. 1301 et 
     seq.), including the data security requirements and 
     implementing regulations of that Act.
       (d) Safe Harbor.--A business entity shall be deemed in 
     compliance with the privacy and security program requirements 
     under section 402 if the business entity complies with or 
     provides protection equal to industry standards, as 
     identified by the Federal Trade Commission, that are 
     applicable to the type of sensitive personally identifiable 
     information involved in the ordinary course of business of 
     such business entity.

     SEC. 402. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Personal Data Privacy and Security Program.--Unless 
     otherwise limited under section 401(c), a business entity 
     subject to this subtitle shall comply with the following 
     safeguards and any others identified by the Federal Trade 
     Commission in a rulemaking process pursuant to section 553 of 
     title 5, United States Code, to protect the privacy and 
     security of sensitive personally identifiable information:
       (1) Scope.--A business entity shall implement a 
     comprehensive personal data privacy and security program that 
     includes administrative, technical, and physical safeguards 
     appropriate to the size and complexity of the business entity 
     and the nature and scope of its activities.
       (2) Design.--The personal data privacy and security program 
     shall be designed to--
       (A) ensure the privacy, security, and confidentiality of 
     personal electronic records;
       (B) protect against any anticipated vulnerabilities to the 
     privacy, security, or integrity of personal electronic 
     records; and
       (C) protect against unauthorized access to or use of personal 
     electronic records that could result in substantial harm or 
     inconvenience to any individual.
       (3) Risk assessment.--A business entity shall--
       (A) identify reasonably foreseeable internal and external 
     vulnerabilities that could result in unauthorized access, 
     disclosure, use, or alteration of sensitive personally 
     identifiable information or systems containing sensitive 
     personally identifiable information;
       (B) assess the likelihood of and potential damage from 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information; and
       (C) assess the sufficiency of its policies, technologies, 
     and safeguards in place to control and minimize risks from 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information.
       (4) Risk management and control.--Each business entity 
     shall--
       (A) design its personal data privacy and security program 
     to control the risks identified under paragraph (3); and
       (B) adopt measures commensurate with the sensitivity of the 
     data as well as the size, complexity, and scope of the 
     activities of the business entity that--
       (i) control access to systems and facilities containing 
     sensitive personally identifiable information, including 
     controls to authenticate and permit access only to authorized 
     individuals;
       (ii) detect actual and attempted fraudulent, unlawful, or 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information, including by 
     employees and other individuals otherwise authorized to have 
     access; and
       (iii) protect sensitive personally identifiable information 
     during use, transmission, storage, and disposal by encryption 
     or other reasonable means (including as directed for disposal 
     of records under section 628 of the Fair Credit Reporting Act 
     (15 U.S.C. 1681w) and the implementing regulations of such 
     Act as set forth in section 682 of title 16, Code of Federal 
     Regulations).
       (b) Training.--Each business entity subject to this 
     subtitle shall take steps to ensure employee training and 
     supervision for implementation of the data security program 
     of the business entity.
       (c) Vulnerability Testing.--
       (1) In general.--Each business entity subject to this 
     subtitle shall take steps to ensure regular testing of key 
     controls, systems, and procedures of the personal data 
     privacy and security program to detect, prevent, and respond 
     to attacks or intrusions, or other system failures.
       (2) Frequency.--The frequency and nature of the tests 
     required under paragraph (1) shall be determined by the risk 
     assessment of the business entity under subsection (a)(3).
       (d) Relationship to Service Providers.--In the event a 
     business entity subject to this subtitle engages service 
     providers not subject to this subtitle, such business entity 
     shall--
       (1) exercise appropriate due diligence in selecting those 
     service providers for responsibilities related to sensitive 
     personally identifiable information, and take reasonable 
     steps to select and retain service providers that are capable 
     of maintaining appropriate safeguards for the security, 
     privacy, and integrity of the sensitive personally 
     identifiable information at issue; and
       (2) require those service providers by contract to 
     implement and maintain appropriate measures designed to meet 
     the objectives and requirements governing entities subject to 
     this section, section 401, and subtitle B.
       (e) Periodic Assessment and Personal Data Privacy and 
     Security Modernization.--Each business entity subject to this 
     subtitle shall on a regular basis monitor, evaluate, and 
     adjust, as appropriate, its data privacy and security program 
     in light of any relevant changes in--
       (1) technology;
       (2) the sensitivity of personally identifiable information;
       (3) internal or external threats to personally identifiable 
     information; and
       (4) the changing business arrangements of the business 
     entity, such as--
       (A) mergers and acquisitions;
       (B) alliances and joint ventures;
       (C) outsourcing arrangements;
       (D) bankruptcy; and
       (E) changes to sensitive personally identifiable 
     information systems.
       (f) Implementation Time Line.--Not later than 1 year after 
     the date of enactment of this Act, a business entity subject 
     to the provisions of this subtitle shall implement a data 
     privacy and security program pursuant to this subtitle.

     SEC. 403. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) In general.--Any business entity that violates the 
     provisions of sections 401 or 402 shall be subject to civil 
     penalties of not more than $5,000 per violation per day, with 
     a maximum of $35,000 per day, while such violations persist.
       (2) Intentional or willful violation.--A business entity 
     that intentionally or willfully violates the provisions of 
     sections 401 or 402 shall be subject to additional penalties 
     in the amount of $5,000 per violation per day, with a maximum 
     of an additional $35,000 per day, while such violations 
     persist.
       (3) Equitable relief.--A business entity engaged in 
     interstate commerce that violates this section may be 
     enjoined from further violations by a court of competent 
     jurisdiction.
       (4) Other rights and remedies.--The rights and remedies 
     available under this section are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Injunctive Actions by the Attorney General.--
       (1) In general.--Whenever it appears that a business entity 
     or agency to which this subtitle applies has engaged, is 
     engaged, or is about to engage, in any act or practice 
     constituting a violation of this subtitle, the Attorney 
     General may bring a civil action in an appropriate district 
     court of the United States to--
       (A) enjoin such act or practice;
       (B) enforce compliance with this subtitle; and
       (C) obtain damages--
       (i) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of a State; 
     and
       (ii) punitive damages, if the violation is willful or 
     intentional; and
       (D) obtain such other relief as the court determines to be 
     appropriate.
       (2) Other injunctive relief.--Upon a proper showing in the 
     action under paragraph (1), the court shall grant a permanent 
     injunction or a temporary restraining order without bond.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State has reason to believe that an interest of 
     the residents of that State has been or is threatened or 
     adversely affected by an act or practice that violates this 
     subtitle, the State may bring a civil action on behalf of the 
     residents of that State in a district court of the United 
     States of appropriate jurisdiction, or any other court of 
     competent jurisdiction, to--
       (A) enjoin that act or practice;
       (B) enforce compliance with this subtitle;
       (C) obtain--
       (i) damages in the sum of actual damages, restitution, or 
     other compensation on behalf of affected residents of the 
     State; and
       (ii) punitive damages, if the violation is willful or 
     intentional; or
       (D) obtain such other legal and equitable relief as the 
     court may consider to be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under this 
     subsection, the attorney general of the State involved shall 
     provide to the Attorney General--
       (i) a written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exception.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a

[[Page S10731]]

     State determines that it is not feasible to provide the 
     notice described in this subparagraph before the filing of 
     the action.
       (C) Notification when practicable.--In an action described 
     under subparagraph (B), the attorney general of a State shall 
     provide the written notice and the copy of the complaint to 
     the Attorney General as soon after the filing of the 
     complaint as practicable.
       (3) Attorney general authority.--Upon receiving notice 
     under paragraph (2), the Attorney General shall have the 
     right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (4);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (4) Pending proceedings.--If the Attorney General has 
     instituted a proceeding or action for a violation of this 
     title or any regulations thereunder, no attorney general of a 
     State may, during the pendency of such proceeding or action, 
     bring an action under this subsection against any defendant 
     named in such criminal proceeding or civil action for any 
     violation that is alleged in that proceeding or action.
       (5) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1), nothing in this title shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (A) conduct investigations;
       (B) administer oaths and affirmations; or
       (C) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1931 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection, process may be served in any district in which the 
     defendant--
       (i) is an inhabitant; or
       (ii) may be found.
       (d) No Private Cause of Action.--Nothing in this title 
     establishes a private cause of action against a business 
     entity for violation of any provision of this subtitle.

     SEC. 404. RELATION TO STATE LAWS.

       (a) In General.--No State may--
       (1) require an entity described in section 401(c) to comply 
     with this subtitle or any regulation promulgated thereunder; 
     and
       (2) require an entity in compliance with the safe harbor 
     established under section 401(d), to comply with any other 
     provision of this subtitle.
       (b) Effect of Subtitle A.--Except as provided in subsection 
     (a), this subtitle does not annul, alter, affect, or exempt 
     any person subject to the provisions of this subtitle from 
     complying with the laws of any State with respect to security 
     programs for sensitive personally identifiable information, 
     except to the extent that those laws are inconsistent with 
     any provisions of this subtitle, and then only to the extent 
     of such inconsistency.

                Subtitle B--Security Breach Notification

     SEC. 421. NOTICE TO INDIVIDUALS.

       (a) In General.--Any agency, or business entity engaged in 
     interstate commerce, that uses, accesses, transmits, stores, 
     disposes of or collects sensitive personally identifiable 
     information shall, following the discovery of a security 
     breach maintained by the agency or business entity that 
     contains such information, notify any resident of the United 
     States whose sensitive personally identifiable information 
     was subject to the security breach.
       (b) Obligation of Owner or Licensee.--
       (1) Notice to owner or licensee.--Any agency, or business 
     entity engaged in interstate commerce, that uses, accesses, 
     transmits, stores, disposes of, or collects sensitive 
     personally identifiable information that the agency or 
     business entity does not own or license shall notify the 
     owner or licensee of the information following the discovery 
     of a security breach containing such information.
       (2) Notice by owner, licensee or other designated third 
     party.--Nothing in this subtitle shall prevent or abrogate an 
     agreement between an agency or business entity required to 
     give notice under this section and a designated third party, 
     including an owner or licensee of the sensitive personally 
     identifiable information subject to the security breach, to 
     provide the notifications required under subsection (a).
       (3) Business entity relieved from giving notice.--A 
     business entity obligated to give notice under subsection (a) 
     shall be relieved of such obligation if an owner or licensee 
     of the sensitive personally identifiable information subject 
     to the security breach, or other designated third party, 
     provides such notification.
       (c) Timeliness of Notification.--
       (1) In general.--All notifications required under this 
     section shall be made without unreasonable delay following--
       (A) the discovery by the agency or business entity of a 
     security breach; and
       (B) any measures necessary to determine the scope of the 
     breach, prevent further disclosures, and restore the 
     reasonable integrity of the data system.
       (2) Burden of proof.--The agency, business entity, owner, 
     or licensee required to provide notification under this 
     section shall have the burden of demonstrating that all 
     notifications were made as required under this subtitle, 
     including evidence demonstrating the necessity of any delay.
       (d) Delay of Notification Authorized for Law Enforcement 
     Purposes.--
       (1) In general.--If a law enforcement agency determines 
     that the notification required under this section would 
     impede a criminal investigation, such notification may be 
     delayed upon the written request of the law enforcement 
     agency.
       (2) Extended delay of notification.--If the notification 
     required under subsection (a) is delayed pursuant to 
     paragraph (1), an agency or business entity shall give notice 
     30 days after the day such law enforcement delay was invoked 
     unless a law enforcement agency provides written notification 
     that further delay is necessary.

     SEC. 422. EXEMPTIONS.

       (a) Exemption for National Security and Law Enforcement.--
       (1) In general.--Section 421 shall not apply to an agency 
     if the head of the agency certifies, in writing, that 
     notification of the security breach as required by section 
     421 reasonably could be expected to--
       (A) cause damage to the national security; or
       (B) hinder a law enforcement investigation or the ability 
     of the agency to conduct law enforcement investigations.
       (2) Limits on certifications.--The head of an agency may 
     not execute a certification under paragraph (1) to--
       (A) conceal violations of law, inefficiency, or 
     administrative error;
       (B) prevent embarrassment to a business entity, 
     organization, or agency; or
       (C) restrain competition.
       (3) Notice.--In every case in which a head of an agency 
     issues a certification under paragraph (1), the 
     certification, accompanied by a concise description of the 
     factual basis for the certification, shall be immediately 
     provided to the Congress.
       (b) Risk Assessment Exemption.--An agency or business 
     entity will be exempt from the notice requirements under 
     section 421, if--
       (1) a risk assessment concludes that there is no 
     significant risk that the security breach has resulted in, or 
     will result in, harm to the individuals whose sensitive 
     personally identifiable information was subject to the 
     security breach;
       (2) without unreasonable delay, but not later than 45 days 
     after the discovery of a security breach, unless extended by 
     the United States Secret Service, the business entity 
     notifies the United States Secret Service, in writing, of--
       (A) the results of the risk assessment;
       (B) its decision to invoke the risk assessment exemption; 
     and
       (3) the United States Secret Service does not indicate, in 
     writing, within 10 days from receipt of the decision, that 
     notice should be given.
       (c) Financial Fraud Prevention Exemption.--
       (1) In general.--A business entity will be exempt from the 
     notice requirement under section 421 if the business entity 
     utilizes or participates in a security program that--
       (A) is designed to block the use of the sensitive 
     personally identifiable information to initiate unauthorized 
     financial transactions before they are charged to the account 
     of the individual; and
       (B) provides for notice after a security breach that has 
     resulted in fraud or unauthorized transactions.
       (2) Limitation.--The exemption by this subsection does not 
     apply if the information subject to the security breach 
     includes, in addition to an account number, sensitive 
     personally identifiable information.

     SEC. 423. METHODS OF NOTICE.

       An agency, or business entity shall be in compliance with 
     section 421 if it provides:
       (1) Individual notice.--
       (A) Written notification to the last known home mailing 
     address of the individual in the records of the agency or 
     business entity; or
       (B) E-mail notice, if the individual has consented to 
     receive such notice and the notice is consistent with the 
     provisions permitting electronic transmission of notices 
     under section 101 of the Electronic Signatures in Global and 
     National Commerce Act (15 U.S.C. 7001).
       (2) Media notice.--If more than 5,000 residents of a State 
     or jurisdiction are impacted, notice to major media outlets 
     serving that State or jurisdiction.

     SEC. 424. CONTENT OF NOTIFICATION.

       (a) In General.--Regardless of the method by which notice 
     is provided to individuals under section 423, such notice 
     shall include, to the extent possible--
       (1) a description of the categories of sensitive personally 
     identifiable information that was, or is reasonably believed 
     to have been, acquired by an unauthorized person;
       (2) a toll-free number--
       (A) that the individual may use to contact the agency or 
     business entity, or the agent of the agency or business 
     entity; and
       (B) from which the individual may learn--
       (i) what types of sensitive personally identifiable 
     information the agency or business entity maintained about 
     that individual or about individuals in general; and
       (ii) whether or not the agency or business entity 
     maintained sensitive personally identifiable information 
     about that individual; and

[[Page S10732]]

       (3) the toll-free contact telephone numbers and addresses 
     for the major credit reporting agencies.
       (b) Additional Content.--Notwithstanding section 429, a 
     State may require that a notice under subsection (a) shall 
     also include information regarding victim protection 
     assistance provided for by that State.

     SEC. 425. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING 
                   AGENCIES.

       If an agency or business entity is required to provide 
     notification to more than 1,000 individuals under section 
     421(a), the agency or business entity shall also notify, 
     without unreasonable delay, all consumer reporting agencies 
     that compile and maintain files on consumers on a nationwide 
     basis (as defined in section 603(p) of the Fair Credit 
     Reporting Act (15 U.S.C. 1681a(p))) of the timing and 
     distribution of the notices.

     SEC. 426. NOTICE TO LAW ENFORCEMENT.

       (a) Secret Service.--Any business entity or agency required 
     to give notice under section 421 shall also give notice to 
     the United States Secret Service if the security breach 
     impacts--
       (1) more than 10,000 individuals nationwide;
       (2) a database, networked or integrated databases, or other 
     data system associated with the sensitive personally 
     identifiable information on more than 1,000,000 individuals 
     nationwide;
       (3) databases owned by the Federal Government; or
       (4) primarily sensitive personally identifiable information 
     of employees and contractors of the Federal Government 
     involved in national security or law enforcement.
       (b) Notice to Other Law Enforcement Agencies.--The United 
     States Secret Service shall be responsible for notifying--
       (1)(A) the Federal Bureau of Investigation, if the security 
     breach involves espionage, foreign counterintelligence, 
     information protected against unauthorized disclosure for 
     reasons of national defense or foreign relations, or 
     Restricted Data (as that term is defined in section 11y of 
     the Atomic Energy Act of 1954 (42 U.S.C. 2014(y))), except for 
     offenses affecting the duties of the United States Secret 
     Service under section 3056(a) of title 18, United States 
     Code; and
       (B) the United States Postal Inspection Service, if the 
     security breach involves mail fraud; and
       (2) the attorney general of each State affected by the 
     security breach.
       (c) 30-Day Rule.--The notices to Federal law enforcement 
     and the attorney general of each State affected by a security 
     breach required under this section shall be delivered without 
     unreasonable delay, but not later than 30 days after 
     discovery of the events requiring notice.

     SEC. 427. CIVIL REMEDIES.

       (a) Penalties.--Any agency, or business entity engaged in 
     interstate commerce, that violates this subtitle shall be 
     subject to a fine of--
       (1) not more than $1,000 per individual per day whose 
     sensitive personally identifiable information was, or is 
     reasonably believed to have been, acquired by an unauthorized 
     person; or
       (2) not more than $50,000 per day while the failure to give 
     notice under this subtitle persists.
       (b) Equitable Relief.--Any agency or business entity that 
     violates, proposes to violate, or has violated this subtitle 
     may be enjoined from further violations by a court of 
     competent jurisdiction.
       (c) Other Rights and Remedies.--The rights and remedies 
     available under this subtitle are cumulative and shall not 
     affect any other rights and remedies available under law.
       (d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit 
     Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended by 
     inserting ``, or evidence that the consumer has received 
     notice that the consumer's financial information has or may 
     have been compromised,'' after ``identity theft report''.
       (e) Injunctive Actions by the Attorney General.--Whenever 
     it appears that a business entity or agency to which this 
     subtitle applies has engaged, is engaged, or is about to 
     engage, in any act or practice constituting a violation of 
     this subtitle, the Attorney General may bring a civil action 
     in an appropriate district court of the United States to--
       (1) enjoin such act or practice;
       (2) enforce compliance with this subtitle;
       (3) obtain damages--
       (A) in the sum of actual damages, restitution, and other 
     compensation on behalf of the affected residents of a State; 
     and
       (B) punitive damages, if the violation is willful or 
     intentional; and
       (4) obtain such other relief as the court determines to be 
     appropriate.

     SEC. 428. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State, or any State or local law enforcement 
     agency authorized by the State attorney general or by State 
     statute to prosecute violations of consumer protection law, 
     has reason to believe that an interest of the residents of 
     that State has been or is threatened or adversely affected by 
     the engagement of any agency or business entity in a practice 
     that is prohibited under this subtitle, the State, as parens 
     patriae on behalf of the residents of the State, or the State 
     or local law enforcement agency on behalf of the residents of 
     the agency's jurisdiction, may bring a civil action on behalf 
     of the residents of the State or jurisdiction in a district 
     court of the United States of appropriate jurisdiction or any 
     other court of competent jurisdiction, including a State 
     court, to--
       (A) enjoin that practice;
       (B) enforce compliance with this subtitle;
       (C) obtain damages, restitution, or other compensation on 
     behalf of residents of the State; or
       (D) obtain such other relief as the court may consider to 
     be appropriate.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Attorney General of the United States--
       (i) written notice of the action; and
       (ii) a copy of the complaint for the action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subtitle, if the State attorney general 
     determines that it is not feasible to provide the notice 
     described in such subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Attorney General at the time the 
     State attorney general files the action.
       (b) Federal Proceedings.--Upon receiving notice under 
     subsection (a)(2), the Attorney General shall have the right 
     to--
       (1) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action;
       (2) intervene in an action brought under subsection (a)(2); 
     and
       (3) file petitions for appeal.
       (c) Pending Proceedings.--If the Attorney General has 
     instituted a proceeding or action for a violation of this 
     subtitle or any regulations thereunder, no attorney general 
     of a State may, during the pendency of such proceeding or 
     action, bring an action under this subtitle against any 
     defendant named in such criminal proceeding or civil action 
     for any violation that is alleged in that proceeding or 
     action.
       (d) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this subtitle 
     regarding notification shall be construed to prevent an 
     attorney general of a State from exercising the powers 
     conferred on such attorney general by the laws of that State 
     to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in--
       (A) the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code; or
       (B) another court of competent jurisdiction.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.
       (f) No Private Cause of Action.--Nothing in this subtitle 
     establishes a private cause of action against a data broker 
     for violation of any provision of this subtitle.

     SEC. 429. EFFECT ON FEDERAL AND STATE LAW.

       The provisions of this subtitle shall supersede any other 
     provision of Federal law or any provision of law of any State 
     relating to notification of a security breach, except as 
     provided in section 424(b).

     SEC. 430. AUTHORIZATION OF APPROPRIATIONS.

       There are authorized to be appropriated such sums as may be 
     necessary to cover the costs incurred by the United States 
     Secret Service to carry out investigations and risk 
     assessments of security breaches as required under this 
     subtitle.

     SEC. 431. REPORTING ON RISK ASSESSMENT EXEMPTION.

       The United States Secret Service shall report to Congress 
     not later than 18 months after the date of enactment of this 
     Act, and upon the request by Congress thereafter, on the 
     number and nature of the security breaches described in the 
     notices filed by those business entities invoking the risk 
     assessment exemption under section 422(b) and the response of 
     the United States Secret Service to those notices.

     SEC. 432. EFFECTIVE DATE.

       This subtitle shall take effect on the expiration of the 
     date which is 90 days after the date of enactment of this 
     Act.

        TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

     SEC. 501. GENERAL SERVICES ADMINISTRATION REVIEW OF 
                   CONTRACTS.

       (a) In General.--In considering contract awards totaling 
     more than $500,000 and entered into after the date of 
     enactment of this Act with data brokers, the Administrator of 
     the General Services Administration shall evaluate--
       (1) the data privacy and security program of a data broker 
     to ensure the privacy and security of data containing 
     personally identifiable information, including whether such 
     program adequately addresses privacy and security threats 
     created by malicious software or code, or the use of peer-to-
     peer file sharing software;
       (2) the compliance of a data broker with such program;

[[Page S10733]]

       (3) the extent to which the databases and systems 
     containing personally identifiable information of a data 
     broker have been compromised by security breaches; and
       (4) the response by a data broker to such breaches, 
     including the efforts by such data broker to mitigate the 
     impact of such breaches.
       (b) Compliance Safe Harbor.--The data privacy and security 
     program of a data broker shall be deemed sufficient for the 
     purposes of subsection (a), if the data broker complies with 
     or provides protection equal to industry standards, as 
     identified by the Federal Trade Commission, that are 
     applicable to the type of personally identifiable information 
     involved in the ordinary course of business of such data 
     broker.
       (c) Penalties.--In awarding contracts with data brokers for 
     products or services related to access, use, compilation, 
     distribution, processing, analyzing, or evaluating personally 
     identifiable information, the Administrator of the General 
     Services Administration shall--
       (1) include monetary or other penalties--
       (A) for failure to comply with subtitles A and B of title 
     IV of this Act; or
       (B) if a contractor knows or has reason to know that the 
     personally identifiable information being provided is 
     inaccurate, and provides such inaccurate information; and
       (2) require a data broker that engages service providers 
     not subject to subtitle A of title IV for responsibilities 
     related to sensitive personally identifiable information to--
       (A) exercise appropriate due diligence in selecting those 
     service providers for responsibilities related to personally 
     identifiable information;
       (B) take reasonable steps to select and retain service 
     providers that are capable of maintaining appropriate 
     safeguards for the security, privacy, and integrity of the 
     personally identifiable information at issue; and
       (C) require such service providers, by contract, to 
     implement and maintain appropriate measures designed to meet 
     the objectives and requirements in title IV.
       (d) Limitation.--The penalties under subsection (c) shall 
     not apply to a data broker providing information that is 
     accurately and completely recorded from a public record 
     source.

     SEC. 502. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES 
                   OF CONTRACTORS AND THIRD PARTY BUSINESS 
                   ENTITIES.

       Section 3544(b) of title 44, United States Code, is 
     amended--
       (1) in paragraph (7)(C)(iii), by striking ``and'' after the 
     semicolon;
       (2) in paragraph (8), by striking the period and inserting 
     ``; and''; and
       (3) by adding at the end the following:
       ``(9) procedures for evaluating and auditing the 
     information security practices of contractors or third party 
     business entities supporting the information systems or 
     operations of the agency involving personally identifiable 
     information (as that term is defined in section 3 of the 
     Personal Data Privacy and Security Act of 2005) and ensuring 
     remedial action to address any significant deficiencies.''.

     SEC. 503. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF 
                   COMMERCIAL INFORMATION SERVICES CONTAINING 
                   PERSONALLY IDENTIFIABLE INFORMATION.

       (a) In General.--Section 208(b)(1) of the E-Government Act 
     of 2002 (44 U.S.C. 3501 note) is amended--
       (1) in subparagraph (A)(i), by striking ``or''; and
       (2) in subparagraph (A)(ii), by striking the period and 
     inserting ``; or''; and
       (3) by inserting after clause (ii) the following:
       ``(iii) purchasing or subscribing for a fee to personally 
     identifiable information from a data broker (as such terms 
     are defined in section 3 of the Personal Data Privacy and 
     Security Act of 2005).''.
       (b) Limitation.--Notwithstanding any other provision of 
     law, commencing 1 year after the date of enactment of this 
     Act, no Federal department or agency may enter into a 
     contract with a data broker to access for a fee any database 
     consisting primarily of personally identifiable information 
     concerning United States persons (other than news reporting 
     or telephone directories) unless the head of such department 
     or agency--
       (1) completes a privacy impact assessment under section 208 
     of the E-Government Act of 2002 (44 U.S.C. 3501 note), which 
     shall, subject to the provision in that Act pertaining to 
     sensitive information, include a description of--
       (A) such database;
       (B) the name of the data broker from whom it is obtained; 
     and
       (C) the amount of the contract for use;
       (2) adopts regulations that specify--
       (A) the personnel permitted to access, analyze, or 
     otherwise use such databases;
       (B) standards governing the access, analysis, or use of 
     such databases;
       (C) any standards used to ensure that the personally 
     identifiable information accessed, analyzed, or used is the 
     minimum necessary to accomplish the intended legitimate 
     purpose of the Federal department or agency;
       (D) standards limiting the retention and redisclosure of 
     personally identifiable information obtained from such 
     databases;
       (E) procedures ensuring that such data meet standards of 
     accuracy, relevance, completeness, and timeliness;
       (F) the auditing and security measures to protect against 
     unauthorized access, analysis, use, or modification of data 
     in such databases;
       (G) applicable mechanisms by which individuals may secure 
     timely redress for any adverse consequences wrongly incurred 
     due to the access, analysis, or use of such databases;
       (H) mechanisms, if any, for the enforcement and independent 
     oversight of existing or planned procedures, policies, or 
     guidelines; and
       (I) an outline of enforcement mechanisms for accountability 
     to protect individuals and the public against unlawful or 
     illegitimate access or use of databases; and
       (3) incorporates into the contract or other agreement 
     totaling more than $500,000, provisions--
       (A) providing for penalties--
       (i) for failure to comply with title IV of this Act; or
       (ii) if the entity knows or has reason to know that the 
     personally identifiable information being provided to the 
     Federal department or agency is inaccurate, and provides such 
     inaccurate information; and
       (B) requiring a data broker that engages service providers 
     not subject to subtitle A of title IV for responsibilities 
     related to sensitive personally identifiable information to--
       (i) exercise appropriate due diligence in selecting those 
     service providers for responsibilities related to personally 
     identifiable information;
       (ii) take reasonable steps to select and retain service 
     providers that are capable of maintaining appropriate 
     safeguards for the security, privacy, and integrity of the 
     personally identifiable information at issue; and
       (iii) require such service providers, by contract, to 
     implement and maintain appropriate measures designed to meet 
     the objectives and requirements in title IV.
       (c) Limitation on Penalties.--The penalties under paragraph 
     (3)(A) shall not apply to a data broker providing information 
     that is accurately and completely recorded from a public 
     record source.
       (d) Individual Screening Programs.--
       (1) In general.--Notwithstanding any other provision of 
     law, commencing one year after the date of enactment of this 
     Act, no Federal department or agency may use commercial 
     databases or contract with a data broker to implement an 
     individual screening program unless such program is--
       (A) congressionally authorized; and
       (B) subject to regulations developed by notice and comment 
     that--
       (i) establish a procedure to enable individuals, who suffer 
     an adverse consequence because the screening system 
     determined that they might pose a security threat, to appeal 
     such determination and correct information contained in the 
     system;
       (ii) ensure that Federal and commercial databases that will 
     be used to establish the identity of individuals or otherwise 
     make assessments of individuals under the system will not 
     produce a large number of false positives or unjustified 
     adverse consequences;
       (iii) ensure the efficacy and accuracy of all of the search 
     tools that will be used and ensure that the department or 
     agency can make an accurate predictive assessment of those 
     who may constitute a threat;
       (iv) establish an internal oversight board to oversee and 
     monitor the manner in which the system is being implemented;
       (v) establish sufficient operational safeguards to reduce 
     the opportunities for abuse;
       (vi) implement substantial security measures to protect the 
     system from unauthorized access;
       (vii) adopt policies establishing the effective oversight 
     of the use and operation of the system; and
       (viii) ensure that there are no specific privacy concerns 
     with the technological architecture of the system; and
       (C) coordinated with the Terrorist Screening Center or any 
     such successor organization.
       (2) Definition.--As used in this subsection, the term 
     ``individual screening program''--
       (A) means a system that relies on personally identifiable 
     information from commercial databases to--
       (i) evaluate all or most individuals seeking to exercise a 
     particular right or privilege under Federal law; and
       (ii) determine whether such individuals are on a terrorist 
     watch list or otherwise pose a security threat; and
       (B) does not include any program or system to grant 
     security clearances.
       (e) Study of Government Use.--
       (1) Scope of study.--Not later than 180 days after the date 
     of enactment of this Act, the Comptroller General of the 
     United States shall conduct a study and audit and prepare a 
     report on Federal agency use of data brokers or commercial 
     databases containing personally identifiable information, 
     including the impact on privacy and security, and the extent 
     to which Federal contracts include sufficient provisions to 
     ensure privacy and security protections, and penalties for 
     failures in privacy and security practices.
       (2) Report.--A copy of the report required under paragraph 
     (1) shall be submitted to Congress.

     SEC. 504. IMPLEMENTATION OF CHIEF PRIVACY OFFICER 
                   REQUIREMENTS.

       (a) Designation of the Chief Privacy Officer.--Pursuant to 
     the requirements under section 522 of the Transportation, 
     Treasury,
     Independent Agencies, and General Government Appropriations 
     Act, 2005 (Division H of Public Law 108-447; 118 Stat. 3199) 
     that each agency designate a Chief Privacy Officer, the 
     Department of Justice shall implement such requirements by 
     designating a department-wide Chief Privacy Officer, whose 
     primary role shall be to fulfill the duties and 
     responsibilities of Chief Privacy Officer and who shall 
     report directly to the Deputy Attorney General.
       (b) Duties and Responsibilities of Chief Privacy Officer.--
     In addition to the duties and responsibilities outlined under 
     section 522 of the Transportation, Treasury, Independent 
     Agencies, and General Government Appropriations Act, 2005 
     (Division H of Public Law 108-447; 118 Stat. 3199), the 
     Department of Justice Chief Privacy Officer shall--
       (1) oversee the Department of Justice's implementation of 
     the requirements under section 503 to conduct privacy impact 
     assessments of the use of commercial data containing 
     personally identifiable information by the Department;
       (2) promote the use of law enforcement technologies that 
     sustain privacy protections, and assure that the 
     implementation of such technologies relating to the use, 
     collection, and disclosure of personally identifiable 
     information preserve the privacy and security of such 
     information; and
       (3) coordinate with the Privacy and Civil Liberties 
     Oversight Board, established in the Intelligence Reform and 
     Terrorism Prevention Act of 2004 (Public Law 108-458), in 
     implementing paragraphs (1) and (2) of this subsection.
  Mr. LEAHY. Mr. President, today we reintroduce the Specter-Leahy 
Personal Data Privacy and Security Act of 2005.
  Earlier this year, Senator Specter and I introduced a comprehensive 
bill to bring urgently needed reforms to protect Americans' privacy and 
to secure their personal data. Chairman Specter has shown great 
leadership on this issue, and I appreciate his dedication to solving 
these challenging problems through his willingness to work together to 
enhance this legislation as we have deemed appropriate. Since initial 
introduction of our bill, we have worked with Senator Feinstein and 
other members of the Judiciary Committee to address areas of concern 
and to perfect the bill. We have also worked closely with a wide 
variety of stakeholders and experts in these issues, which has also 
improved the bill.
  I especially thank Senator Feinstein for her dedication and resolve 
to address these difficult data security and privacy concerns. I 
commend her input and leadership, and I am pleased that she is joining 
as an original cosponsor of this revised bill. I also thank Senator 
Feingold for his commitment to ensuring that the government also acts 
responsibly in its use of our personal information and appreciate his 
support as an original cosponsor. This is a good bill--carefully 
calibrated to help remedy the problems we set out to address--and I 
look forward to continuing our efforts to pass effective legislation.
  We have teamed together and applied our collective wisdom to sort 
through these issues with care and precision. We took the time needed 
to develop well-balanced, focused legislation that provides strong 
protections where necessary, and that offers strong penalties and 
consequences as disincentives for those who fail to protect Americans' 
most personal information.
  Reforms like these are long overdue. As we look toward the end of the 
year, these necessary reforms should be included in our domestic 
priorities so that we can achieve some positive changes in areas that 
affect the everyday lives of Americans.
  First, our bill requires data brokers to let people know what 
sensitive personal information they have about them, and to allow 
people to correct inaccurate information. These principles have 
precedent from the credit report context, and we have adapted them in a 
way that makes sense for the data brokering industry. This is a simple 
matter of fairness.
  Second, we would require companies that have databases with sensitive 
personal information on Americans to establish and implement data 
privacy and security programs. In the digital age, any company that 
wants to be trusted by the public must earn that trust by vigilantly 
protecting the databases they use and maintain which contain Americans' 
private data. They also have a responsibility in the next link in the 
security chain, to make sure that contractors hired to process data are 
adequately vetted to keep the personal information in these databases 
secure. This is increasingly important as Americans' personal 
information more and more is outsourced for processing overseas and 
beyond U.S. laws.

  Third, our bill requires notice when sensitive personal information 
has been compromised. The American people have a right to know when 
they are at risk because of corporate failures to protect their data, 
or when a criminal has infiltrated data systems. The notice rules in 
our bill were carefully crafted to ensure that the trigger for notice 
is tied to ``significant risk of harm'' with appropriate checks and 
balances, in order to make sure that companies do not underreport. We 
also recognize important fraud prevention techniques that already 
exist. But our priority has been to make sure that victims have 
critical information as a roadmap that offers the assistance necessary 
to protect themselves, their families and their financial well-being.
  Finally, our bill addresses the government's use of personal data. We 
are living in a world in which our government increasingly is turning 
to the private sector to get personal data the government could not 
legally collect on its own without oversight and appropriate 
protections. This bill would place privacy and security front and 
center in evaluating whether data brokers can be trusted with 
government contracts that involve sensitive information about the 
American people. It would require contract reviews that include these 
considerations, audits to ensure good practice, and contract penalties 
for failure to protect data privacy and security.
  This legislation meets other key goals. It provides tough monetary 
and criminal penalties for compromising personal data or failing to 
provide necessary protections. This creates an incentive for companies 
to protect personal information, especially when there is no commercial 
relationship between individuals and companies using their data. We 
also would authorize an additional $100 million over four years to help 
state law enforcement agencies fight misuse of personal information.
  This is a solid bill--a comprehensive bill--that not only deals with 
the need to provide Americans notice when they have already been hurt, 
but that also deals with the underlying problem of lax security and 
lack of accountability in dealing with the public's most personal and 
private information.
  I commend Senator Specter for his leadership on this emerging 
problem. Senator Feinstein and Senator Feingold have long recognized 
the importance of data privacy and security, and I appreciate their 
support in this effort and on this bill. Other members on the Commerce 
Committee, such as Senator Nelson and Senator Cantwell, and on the 
Banking Committee, have also taken great strides in these areas as 
well, and we look forward to working closely with them to pass 
legislation this year.
                                 ______