[Congressional Record Volume 153, Number 22 (Tuesday, February 6, 2007)]
[Senate]
[Pages S1628-S1638]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself, Mr. Specter, Mr. Feingold, Mr. 
        Schumer, and Mr. Sanders):
  S. 495. A bill to prevent and mitigate identity theft, to ensure 
privacy, to provide notice of security breaches, and to enhance 
criminal penalties, law enforcement assistance, and other protections 
against security breaches, fraudulent access, and misuse of personally 
identifiable information; to the Committee on the Judiciary.
  Mr. LEAHY. Mr. President, today I am pleased to join Senator Specter 
in reintroducing the Leahy-Specter Personal Data Privacy and Security 
Act. This is a comprehensive data privacy package aimed at better 
protecting Americans' privacy. Senator Specter has been a valuable 
partner on this, and I also thank Majority Leader Reid for his 
leadership and commitment to enacting data privacy legislation this 
year.
  When Senator Specter and I introduced this bill in 2005, we had high 
hopes of bringing urgently needed data privacy reforms to the American 
people. The Judiciary Committee reported this bill favorably in 
November of 2005, but with the last Congress, it simply sat on the 
calendar. The leadership would not bring it forward.
  The irony is while they refused to bring it forward, the problems of 
data breaches remained a persistent and pernicious threat to Americans' 
privacy. Yesterday we learned that the Department of Veterans Affairs 
has lost a portable hard drive containing the sensitive personal 
information on as many as 48,000 veterans. I can imagine what the 
veterans in my State feel about that. I can imagine what the veterans 
in Montana feel about that.
  Last week, there was a major data breach involving a State computer 
server in my home State of Vermont. It jeopardized the financial data 
of at least 69,000 Vermonters whose personal financial information had 
been stored on the computer used by the Vermont Agency of Human 
Services. Can you imagine 69,000 people, in a State of barely over 
600,000 people?
  This is not unique to Vermont. Last month, mega-retailer TJX disclosed 
that it suffered a major computer breach involving credit and debit card 
purchases involving possibly hundreds of thousands of American 
consumers. And, even as disturbing as that is, while they knew about 
the breach in mid-December, none of those customers were told about it 
until a month later. It is as if a thief had gone to each one of their 
houses and stolen their data.
  Of course, all of this comes on the heels of the theft of the 
personal data of 26.5 million of our veterans and active-duty personnel 
at the VA last year. Think about this: You are a man or a woman serving 
your country in Afghanistan or Iraq, and this information is stolen--
with data about where you live and what family members are left at home 
while you are overseas. How do you think that makes you feel?
  According to the Privacy Rights Clearinghouse, more than 100 million 
records containing sensitive personal information have been involved in 
data security breaches since 2005. We need strong Federal data privacy 
and security laws to protect Americans' personal data, and to address 
the ills of lax data security.
  Our bill requires that data brokers let consumers know what sensitive 
personal information they have about them and to allow individuals to 
correct this. It is a simple matter of fairness. There is a clear 
precedent for our approach in the credit reporting context. Our bill 
also requires that companies who have databases with sensitive personal 
information about Americans establish and implement data privacy and 
security programs. In the information age, any company that wants to be 
trusted by the public must earn that trust by vigilantly protecting the 
databases that they use and maintain. In addition, our bill requires 
notice when sensitive personal information has been compromised. The 
American people need to know when they may be exposed to a data breach. 
Whether it is a government agency or a private company, if they lose 
your sensitive information, your Social Security number, your address, 
or anything about you,
you have a right to know. If they are holding that information about 
you, and they lose it, you have the right to know it has been lost.
  We also have tough criminal penalties for anyone who would 
intentionally or willfully conceal the fact that a data breach has 
occurred when that breach causes economic damage to consumers.
  Then finally, we address the important issue of the Government's use 
of personal data. This would require Federal agencies to notify 
affected individuals when Government data breaches occur.
  We should never have to worry about our Government having this 
information on us and losing it, but certainly in the last 2 or 3 
years, we have seen so many millions of files that have been lost or 
put in jeopardy. We live in a world in which our Government also is 
increasingly turning to the private sector to get personal data that 
they, in some instances, couldn't legally get on their own. To address 
this, our bill puts protecting Americans' privacy first and foremost: 
Government data has to be protected and we have to know if the 
Government falls down on the job.
  This is a comprehensive bill. It not only deals with the need to 
provide Americans notice when they have been victims of a data breach, 
it also deals with the underlying problems of lack of security and lack 
of accountability to prevent data breaches from occurring in the first 
place.
  Today, Americans live in a world where their most sensitive personal 
information can be accessed and sold to the highest bidder with a few 
keystrokes on their computer. Our privacy laws greatly lag behind both 
the capabilities of our technology and the cunning of identity thieves. 
This legislation closes that gap. I commend the leadership for being 
willing to bring up our data privacy bill. I wish that the leadership 
in the last Congress had brought this bill up last year. But, I am glad 
that the new leadership will do so this year.
  For the sake of all Americans, I urge all Senators to support this 
legislation and to act now to pass comprehensive data privacy and 
security legislation.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                 S. 495

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Personal 
     Data Privacy and Security Act of 2007''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

Sec. 101. Organized criminal activity in connection with unauthorized 
              access to personally identifiable information.
Sec. 102. Concealment of security breaches involving sensitive 
              personally identifiable information.
Sec. 103. Review and amendment of Federal sentencing guidelines related 
              to fraudulent access to or misuse of digitized or 
              electronic personally identifiable information.

                         TITLE II--DATA BROKERS

Sec. 201. Transparency and accuracy of data collection.
Sec. 202. Enforcement.
Sec. 203. Relation to State laws.
Sec. 204. Effective date.

 TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

Sec. 301. Purpose and applicability of data privacy and security 
              program.
Sec. 302. Requirements for a personal data privacy and security 
              program.
Sec. 303. Enforcement.
Sec. 304. Relation to other laws.

                Subtitle B--Security Breach Notification

Sec. 311. Notice to individuals.
Sec. 312. Exemptions.
Sec. 313. Methods of notice.
Sec. 314. Content of notification.
Sec. 315. Coordination of notification with credit reporting agencies.
Sec. 316. Notice to law enforcement.
Sec. 317. Enforcement.
Sec. 318. Enforcement by State attorneys general.
Sec. 319. Effect on Federal and State law.
Sec. 320. Authorization of appropriations.
Sec. 321. Reporting on risk assessment exemptions.
Sec. 322. Effective date.

       TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

Sec. 401. General Services Administration review of contracts.
Sec. 402. Requirement to audit information security practices of 
              contractors and third party business entities.
Sec. 403. Privacy impact assessment of government use of commercial 
              information services containing personally identifiable 
              information.
Sec. 404. Implementation of chief privacy officer requirements.

     SEC. 2. FINDINGS.

       Congress finds that--
       (1) databases of personally identifiable information are 
     increasingly prime targets of hackers, identity thieves, 
     rogue employees, and other criminals, including organized and 
     sophisticated criminal operations;
       (2) identity theft is a serious threat to the nation's 
     economic stability, homeland security, the development of e-
     commerce, and the privacy rights of Americans;
       (3) over 9,300,000 individuals were victims of identity 
     theft in America last year;
       (4) security breaches are a serious threat to consumer 
     confidence, homeland security, e-commerce, and economic 
     stability;
       (5) it is important for business entities that own, use, or 
     license personally identifiable information to adopt 
     reasonable procedures to ensure the security, privacy, and 
     confidentiality of that personally identifiable information;
       (6) individuals whose personal information has been 
     compromised or who have been victims of identity theft should 
     receive the necessary information and assistance to mitigate 
     their damages and to restore the integrity of their personal 
     information and identities;
       (7) data brokers have assumed a significant role in 
     providing identification, authentication, and screening 
     services, and related data collection and analyses for 
     commercial, nonprofit, and government operations;
       (8) data misuse and use of inaccurate data have the 
     potential to cause serious or irreparable harm to an 
     individual's livelihood, privacy, and liberty and undermine 
     efficient and effective business and government operations;
       (9) there is a need to insure that data brokers conduct 
     their operations in a manner that prioritizes fairness, 
     transparency, accuracy, and respect for the privacy of 
     consumers;
       (10) government access to commercial data can potentially 
     improve safety, law enforcement, and national security; and
       (11) because government use of commercial data containing 
     personal information potentially affects individual privacy, 
     and law enforcement and national security operations, there 
     is a need for Congress to exercise oversight over government 
     use of commercial data.

     SEC. 3. DEFINITIONS.

       In this Act:
       (1) Agency.--The term ``agency'' has the same meaning given 
     such term in section 551 of title 5, United States Code.
       (2) Affiliate.--The term ``affiliate'' means persons 
     related by common ownership or by corporate control.
       (3) Business entity.--The term ``business entity'' means 
     any organization, corporation, trust, partnership, sole 
     proprietorship, unincorporated association, venture 
     established to make a profit, or nonprofit, and any 
     contractor, subcontractor, affiliate, or licensee thereof 
     engaged in interstate commerce.
       (4) Identity theft.--The term ``identity theft'' means a 
     violation of section 1028 of title 18, United States Code.
       (5) Data broker.--The term ``data broker'' means a business 
     entity which for monetary fees or dues regularly engages in 
     the practice of collecting, transmitting, or providing access 
     to sensitive personally identifiable information on more than 
     5,000 individuals who are not the customers or employees of 
     that business entity or affiliate primarily for the purposes 
     of providing such information to nonaffiliated third parties 
     on an interstate basis.
       (6) Data furnisher.--The term ``data furnisher'' means any 
     agency, organization, corporation, trust, partnership, sole 
     proprietorship, unincorporated association, or nonprofit that 
     serves as a source of information for a data broker.
       (7) Personal electronic record.--
       (A) In general.--The term ``personal electronic record'' 
     means data associated with an individual contained in a 
     database, networked or integrated databases, or other data 
     system that holds sensitive personally identifiable 
     information of that individual and is provided to 
     nonaffiliated third parties.
       (B) Exclusions.--The term ``personal electronic record'' 
     does not include--
       (i) any data related to an individual's past purchases of 
     consumer goods; or
       (ii) any proprietary assessment or evaluation of an 
     individual or any proprietary assessment or evaluation of 
     information about an individual.
       (8) Personally identifiable information.--The term 
     ``personally identifiable information'' means any 
     information, or compilation of information, in electronic or 
     digital form serving as a means of identification, as defined 
     by section 1028(d)(7) of title 18, United States Code.
       (9) Public record source.--The term ``public record 
     source'' means the Congress, any agency, any State or local 
     government agency, the government of the District of Columbia 
     and governments of the territories or possessions of the 
     United States, and Federal, State or local courts, courts 
     martial and military commissions, that maintain personally 
     identifiable information in records available to the public.
       (10) Security breach.--
       (A) In general.--The term ``security breach'' means 
     compromise of the security, confidentiality, or integrity of 
     computerized data through misrepresentation or actions that 
     result in, or there is a reasonable basis to conclude has 
     resulted in, acquisition of or access to sensitive personally 
     identifiable information that is unauthorized or in excess of 
     authorization.
       (B) Exclusion.--The term ``security breach'' does not 
     include--
       (i) a good faith acquisition of sensitive personally 
     identifiable information by a business entity or agency, or 
     an employee or agent of a business entity or agency, if the 
     sensitive personally identifiable information is not subject 
     to further unauthorized disclosure; or
       (ii) the release of a public record, or information derived 
     from a single public record, not otherwise subject to 
     confidentiality or nondisclosure requirement, or information 
     obtained from a news report or periodical.
       (11) Sensitive personally identifiable information.--The 
     term ``sensitive personally identifiable information'' means 
     any information or compilation of information, in electronic 
     or digital form that includes--
       (A) an individual's first and last name or first initial 
     and last name in combination with any 1 of the following data 
     elements:
       (i) A non-truncated social security number, driver's 
     license number, passport number, or alien registration 
     number.
       (ii) Any 2 of the following:

       (I) Home address or telephone number.
       (II) Mother's maiden name, if identified as such.
       (III) Month, day, and year of birth.

       (iii) Unique biometric data such as a finger print, voice 
     print, a retina or iris image, or any other unique physical 
     representation.
       (iv) A unique account identifier, electronic identification 
     number, user name, or routing code in combination with any 
     associated security code, access code, or password that is 
     required for an individual to obtain money, goods, services, 
     or any other thing of value; or
       (B) a financial account number or credit or debit card 
     number in combination with any security code, access code or 
     password that is required for an individual to obtain credit, 
     withdraw funds, or engage in a financial transaction.
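The definition in paragraph (11) above, worked as an added illustration (this is not part of the bill or the Record): a Python checker that applies each prong of the definition, including the "non-truncated" requirement in (A)(i) and the "any 2 of" rule in (A)(ii), so that a breach responder can scope which exposed records fall within it. The record field names, the ISO date format for (A)(ii)(III) and the social security number pattern are assumptions made for the example.

```python
"""Checker for "sensitive personally identifiable information" as defined in
section 3(11) of S. 495 (Personal Data Privacy and Security Act of 2007).

Illustration added to the Record text; not part of the bill. A record is a
dict of field name -> value; the field names below are assumptions."""
import re

# Assumed field names (not from the bill).
GOV_ID_FIELDS = ("drivers_license", "passport", "alien_registration")
BIOMETRIC_FIELDS = ("fingerprint", "voiceprint", "retina_image", "iris_image")
ACCOUNT_ID_FIELDS = ("account_identifier", "electronic_id", "user_name", "routing_code")
SECRET_FIELDS = ("security_code", "access_code", "password")
FINANCIAL_FIELDS = ("financial_account_number", "credit_card_number", "debit_card_number")

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")   # assumed: nine digits = non-truncated
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")      # assumed: month, day AND year present


def present(record, key):
    value = record.get(key)
    return value is not None and str(value).strip() != ""


def has_name(record):
    # (A): first and last name, or first initial and last name.
    return present(record, "last_name") and (
        present(record, "first_name") or present(record, "first_initial"))


def has_non_truncated_government_id(record):
    # (A)(i): a masked SSN such as "***-**-6789" is truncated and does not count.
    if present(record, "ssn") and SSN_RE.match(str(record["ssn"])):
        return True
    return any(present(record, k) for k in GOV_ID_FIELDS)


def count_pair_elements(record):
    # (A)(ii): (I) address OR phone is ONE element; (II) maiden name; (III) full DOB.
    n = 0
    if present(record, "home_address") or present(record, "home_phone"):
        n += 1
    if present(record, "mothers_maiden_name"):
        n += 1
    if present(record, "date_of_birth") and DOB_RE.match(str(record["date_of_birth"])):
        n += 1
    return n


def has_secret(record):
    return any(present(record, k) for k in SECRET_FIELDS)


def sensitive_pii_reasons(record):
    """Return the prongs of section 3(11) the record satisfies (empty if none)."""
    reasons = []
    if has_name(record):
        if has_non_truncated_government_id(record):
            reasons.append("(A)(i) name + government identifier")
        if count_pair_elements(record) >= 2:
            reasons.append("(A)(ii) name + any 2 of address/phone, maiden name, DOB")
        if any(present(record, k) for k in BIOMETRIC_FIELDS):
            reasons.append("(A)(iii) name + biometric")
        if any(present(record, k) for k in ACCOUNT_ID_FIELDS) and has_secret(record):
            reasons.append("(A)(iv) name + account identifier + secret")
    # (B) needs no name: a card or account number plus a code or password suffices.
    if any(present(record, k) for k in FINANCIAL_FIELDS) and has_secret(record):
        reasons.append("(B) financial/card number + secret")
    return reasons


def is_sensitive_pii(record):
    return bool(sensitive_pii_reasons(record))


def records_requiring_review(records):
    """Breach-scoping helper: indices of records that contain sensitive PII."""
    return [i for i, r in enumerate(records) if is_sensitive_pii(r)]


# Constructed sample records (fictional data), one per case worth checking.
SAMPLE_RECORDS = [
    {"first_name": "Ada", "last_name": "Example", "ssn": "123-45-6789"},      # (A)(i)
    {"first_name": "Ada", "last_name": "Example", "ssn": "***-**-6789"},      # truncated: no
    {"first_initial": "B", "last_name": "Example",
     "home_address": "1 Main St", "date_of_birth": "1970-01-02"},             # (A)(ii)
    {"first_name": "C", "last_name": "Example",
     "home_address": "1 Main St", "home_phone": "555-0100"},                  # only 1 element
    {"credit_card_number": "4111111111111111", "security_code": "123"},      # (B), no name
    {"first_name": "D", "last_name": "Example", "user_name": "dexample"},     # no secret
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, sensitive_pii_reasons(rec) or "not sensitive PII under sec. 3(11)")
```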

 TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS 
                      OF DATA PRIVACY AND SECURITY

     SEC. 101. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH 
                   UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE 
                   INFORMATION.

       Section 1961(1) of title 18, United States Code, is amended 
     by inserting ``section 1030(a)(2)(D) (relating to fraud and 
     related activity in connection with unauthorized access to 
     sensitive personally identifiable information as defined in 
     the Personal Data Privacy and Security Act of 2007,'' before 
     ``section 1084''.

     SEC. 102. CONCEALMENT OF SECURITY BREACHES INVOLVING 
                   SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.

       (a) In General.--Chapter 47 of title 18, United States 
     Code, is amended by adding at the end the following:

     ``Sec. 1040. Concealment of security breaches involving 
       sensitive personally identifiable information

       ``(a) Whoever, having knowledge of a security breach and of 
     the obligation to provide notice of such breach to 
     individuals under title III of the Personal Data Privacy and 
     Security Act of 2007, and having not otherwise qualified for 
     an exemption from providing notice under section 312 of such 
     Act, intentionally and willfully conceals the fact of such 
     security breach and which breach causes economic damage to 1 
     or more persons, shall be fined under this title or 
     imprisoned not more than 5 years, or both.
       ``(b) For purposes of subsection (a), the term `person' has 
     the same meaning as in section 1030(e)(12) of title 18, 
     United States Code.
       ``(c) Any person seeking an exemption under section 312(b) 
     of the Personal Data Privacy and Security Act of 2007 shall 
     be immune from prosecution under this section if the United 
     States Secret Service does not indicate, in writing, that 
     such notice be given under section 312(b)(3) of such Act''.
       (b) Conforming and Technical Amendments.--The table of 
     sections for chapter 47 of title 18, United States Code, is 
     amended by adding at the end the following:

``1040. Concealment of security breaches involving personally 
              identifiable information.''.
       (c) Enforcement Authority.--
       (1) In general.--The United States Secret Service shall 
     have the authority to investigate offenses under this 
     section.
       (2) Non-exclusivity.--The authority granted in paragraph 
     (1) shall not be exclusive of any existing authority held by 
     any other Federal agency.

     SEC. 103. REVIEW AND AMENDMENT OF FEDERAL SENTENCING 
                   GUIDELINES RELATED TO FRAUDULENT ACCESS TO OR 
                   MISUSE OF DIGITIZED OR ELECTRONIC PERSONALLY 
                   IDENTIFIABLE INFORMATION.

       (a) Review and Amendment.--The United States Sentencing 
     Commission, pursuant to its authority under section 994 of 
     title 28, United States Code, and in accordance with this 
     section, shall review and, if appropriate, amend the Federal 
     sentencing guidelines (including its policy statements) 
     applicable to persons convicted of using fraud to access, or 
     misuse of, digitized or electronic personally identifiable 
     information, including identity theft or any offense under--
       (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of 
     title 18, United States Code; and
       (2) any other relevant provision.
       (b) Requirements.--In carrying out the requirements of this 
     section, the United States Sentencing Commission shall--
       (1) ensure that the Federal sentencing guidelines 
     (including its policy statements) reflect--
       (A) the serious nature of the offenses and penalties 
     referred to in this Act;
       (B) the growing incidences of theft and misuse of digitized 
     or electronic personally identifiable information, including 
     identity theft; and
       (C) the need to deter, prevent, and punish such offenses;
       (2) consider the extent to which the Federal sentencing 
     guidelines (including its policy statements) adequately 
     address violations of the sections amended by this Act to--
       (A) sufficiently deter and punish such offenses; and
       (B) adequately reflect the enhanced penalties established 
     under this Act;
       (3) maintain reasonable consistency with other relevant 
     directives and sentencing guidelines;
       (4) account for any additional aggravating or mitigating 
     circumstances that might justify exceptions to the generally 
     applicable sentencing ranges;
       (5) consider whether to provide a sentencing enhancement 
     for those convicted of the offenses described in subsection 
     (a), if the conduct involves--
       (A) the online sale of fraudulently obtained or stolen 
     personally identifiable information;
       (B) the sale of fraudulently obtained or stolen personally 
     identifiable information to an individual who is engaged in 
     terrorist activity or aiding other individuals engaged in 
     terrorist activity; or
       (C) the sale of fraudulently obtained or stolen personally 
     identifiable information to finance terrorist activity or 
     other criminal activities;
       (6) make any necessary conforming changes to the Federal 
     sentencing guidelines to ensure that such guidelines 
     (including its policy statements) as described in subsection 
     (a) are sufficiently stringent to deter, and adequately 
     reflect crimes related to fraudulent access to, or misuse of, 
     personally identifiable information; and
       (7) ensure that the Federal sentencing guidelines 
     adequately meet the purposes of sentencing under section 
     3553(a)(2) of title 18, United States Code.
       (c) Emergency Authority to Sentencing Commission.--The 
     United States Sentencing Commission may, as soon as 
     practicable, promulgate amendments under this section in 
     accordance with procedures established in section 21(a) of 
     the Sentencing Act of 1987 (28 U.S.C. 994 note) as though the 
     authority under that Act had not expired.

                         TITLE II--DATA BROKERS

     SEC. 201. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.

       (a) In General.--Data brokers engaging in interstate 
     commerce are subject to the requirements of this title for 
     any product or service offered to third parties that allows 
     access or use of sensitive personally identifiable 
     information.
       (b) Limitation.--Notwithstanding any other provision of 
     this title, this section shall not apply to--
       (1) any product or service offered by a data broker 
     engaging in interstate commerce where such product or service 
     is currently subject to, and in compliance with, access and 
     accuracy protections similar to those under subsections (c) 
     through (f) of this section under the Fair Credit Reporting 
     Act (Public Law 91-508);
       (2) any data broker that is subject to regulation under the 
     Gramm-Leach-Bliley Act (Public Law 106-102);
       (3) any data broker currently subject to and in compliance 
     with the data security requirements for such entities under 
     the Health Insurance Portability and Accountability Act 
     (Public Law 104-191), and its implementing regulations;
       (4) information in a personal electronic record that--
       (A) the data broker has identified as inaccurate, but 
     maintains for the purpose of aiding the data broker in 
     preventing inaccurate information from entering an 
     individual's personal electronic record; and
       (B) is not maintained primarily for the purpose of 
     transmitting or otherwise providing that information, or 
     assessments based on that information, to non-affiliated 
     third parties; and
       (5) information concerning proprietary methodologies, 
     techniques, scores, or algorithms relating to fraud 
     prevention not normally provided to third parties in the 
     ordinary course of business.
       (c) Disclosures to Individuals.--
       (1) In general.--A data broker shall, upon the request of 
     an individual, disclose to such individual for a reasonable 
     fee all personal electronic records pertaining to that 
     individual maintained specifically for disclosure to third 
     parties that request information on that individual in the 
     ordinary course of business in the databases or systems of 
     the data broker at the time of such request.
       (2) Information on how to correct inaccuracies.--The 
     disclosures required under paragraph (1) shall also include 
     guidance to individuals on procedures for correcting 
     inaccuracies.
       (d) Accuracy Resolution Process.--
       (1) Information from a public record or licensor.--
       (A) In general.--If an individual notifies a data broker of 
     a dispute as to the completeness or accuracy of information 
     disclosed to such individual under subsection (c) that is 
     obtained from a public record source or a license agreement, 
     such data broker shall determine within 30 days whether the 
     information in its system accurately and completely records 
     the information available from the public record source or 
     licensor.
       (B) Data broker actions.--If a data broker determines under 
     subparagraph (A) that the information in its systems does not 
     accurately and completely record the information available 
     from a public record source or licensor, the data broker 
     shall--
       (i) correct any inaccuracies or incompleteness, and provide 
     to such individual written notice of such changes; and
       (ii) provide such individual with the contact information 
     of the public record or licensor.
       (2) Information not from a public record source or 
     licensor.--If an individual notifies a data broker of a 
     dispute as to the completeness or accuracy of information not 
     from a public record or licensor that was disclosed to the 
     individual under subsection (c), the data broker shall, 
     within 30 days of receiving notice of such dispute--
       (A) review and consider free of charge any information 
     submitted by such individual that is relevant to the 
     completeness or accuracy of the disputed information; and
       (B) correct any information found to be incomplete or 
     inaccurate and provide notice to such individual of whether 
     and what information was corrected, if any.
       (3) Extension of review period.--The 30-day period 
     described in paragraph (1) may be extended for not more than 
     30 additional days if a data broker receives information from 
     the individual during the initial 30-day period that is 
     relevant to the completeness or accuracy of any disputed 
     information.
       (4) Notice identifying the data furnisher.--If the 
     completeness or accuracy of any information not from a public 
     record source or licensor that was disclosed to an individual 
     under subsection (c) is disputed by such individual, the data 
     broker shall provide, upon the request of such individual, 
     the contact information of any data furnisher that provided 
     the disputed information.
       (5) Determination that dispute is frivolous or 
     irrelevant.--
       (A) In general.--Notwithstanding paragraphs (1) through 
     (3), a data broker may decline to investigate or terminate a 
     review of information disputed by an individual under those 
     paragraphs if the data broker reasonably determines that the 
     dispute by the individual is frivolous or intended to 
     perpetrate fraud.
       (B) Notice.--A data broker shall notify an individual of a 
     determination under subparagraph (A) within a reasonable time 
     by any means available to such data broker.

     SEC. 202. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) Penalties.--Any data broker that violates the 
     provisions of section 201 shall be subject to civil penalties 
     of not more than $1,000 per violation per day while such 
     violations persist, up to a maximum of $250,000 per 
     violation.
       (2) Intentional or willful violation.--A data broker that 
     intentionally or willfully violates the provisions of section 
     201 shall be subject to additional penalties in the amount of 
     $1,000 per violation per day, to a maximum of an additional 
     $250,000 per violation, while such violations persist.
       (3) Equitable relief.--A data broker engaged in interstate 
     commerce that violates this section may be enjoined from 
     further violations by a court of competent jurisdiction.
       (4) Other rights and remedies.--The rights and remedies 
     available under this subsection are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Federal Trade Commission Authority.--Any data broker 
     shall have the provisions of this title enforced against it 
     by the Federal Trade Commission.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State or any State or local law enforcement 
     agency authorized by the State attorney general or by State 
     statute to prosecute violations of consumer protection law, 
     has reason to believe that an interest of the residents of 
     that State has been or is threatened or adversely affected by 
     the acts or practices of a data broker that violate this 
     title, the State may bring a civil action on behalf of the 
     residents of that State in a district court of the United 
     States of appropriate jurisdiction, or any other court of 
     competent jurisdiction, to--
       (A) enjoin that act or practice;
       (B) enforce compliance with this title; or
       (C) obtain civil penalties of not more than $1,000 per 
     violation per day while such violations persist, up to a 
     maximum of $250,000 per violation.
       (2) Notice.--
       (A) In general.--Before filing an action under this 
     subsection, the attorney general of the State involved shall 
     provide to the Federal Trade Commission--
       (i) a written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exception.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a 
     State determines that it is not feasible to provide the 
     notice described in subparagraph (A) before the filing of the 
     action.
       (C) Notification when practicable.--In an action described 
     under subparagraph (B), the attorney general of a State shall 
     provide the written notice and the copy of the complaint to 
     the Federal Trade Commission as soon after the filing of the 
     complaint as practicable.
       (3) Federal trade commission authority.--Upon receiving 
     notice under paragraph (2), the Federal Trade Commission 
     shall have the right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (4);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (4) Pending proceedings.--If the Federal Trade Commission 
     has instituted a proceeding or civil action for a violation 
     of this title, no attorney general of a State may, during the 
     pendency of such proceeding or civil action, bring an action 
     under this subsection against any defendant named in such 
     civil action for any violation that is alleged in that civil 
     action.
       (5) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1), nothing in this title shall 
     be construed to prevent an attorney general of a State from 
     exercising the powers conferred on the attorney general by 
     the laws of that State to--
       (A) conduct investigations;
       (B) administer oaths and affirmations; or
       (C) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection process may be served in any district in which the 
     defendant--
       (i) is an inhabitant; or
       (ii) may be found.
       (d) No Private Cause of Action.--Nothing in this title 
     establishes a private cause of action against a data broker 
     for violation of any provision of this title.

     SEC. 203. RELATION TO STATE LAWS.

       No requirement or prohibition may be imposed under the laws 
     of any State with respect to any subject matter regulated 
     under section 201, relating to individual access to, and 
     correction of, personal electronic records held by data 
     brokers.

     SEC. 204. EFFECTIVE DATE.

       This title shall take effect 180 days after the date of 
     enactment of this Act.

 TITLE III--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

            Subtitle A--A Data Privacy and Security Program

     SEC. 301. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Purpose.--The purpose of this subtitle is to ensure 
     standards for developing and implementing administrative, 
     technical, and physical safeguards to protect the security of 
     sensitive personally identifiable information.
       (b) In General.--A business entity engaging in interstate 
     commerce that involves collecting, accessing, transmitting, 
     using, storing, or disposing of sensitive personally 
     identifiable information in electronic or digital form on 
     10,000 or more United States persons is subject to the 
     requirements for a data privacy and security program under 
     section 302 for protecting sensitive personally identifiable 
     information.
       (c) Limitations.--Notwithstanding any other obligation 
     under this subtitle, this subtitle does not apply to:
       (1) Financial institutions.--Financial institutions--
       (A) subject to the data security requirements and 
     implementing regulations under the Gramm-Leach-Bliley Act (15 
     U.S.C. 6801 et seq.); and
       (B) subject to--
       (i) examinations for compliance with the requirements of 
     this Act by a Federal Functional Regulator or State Insurance 
     Authority (as those terms are defined in section 509 of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6809)); or
       (ii) compliance with part 314 of title 16, Code of Federal 
     Regulations.
        (2) HIPAA regulated entities.--
       (A) Covered entities.--Covered entities subject to the 
     Health Insurance Portability and Accountability Act of 1996 
     (42 U.S.C. 1301 et seq.), including the data security 
     requirements and implementing regulations of that Act.
       (B) Business entities.--A business entity shall be deemed 
     in compliance with the privacy and security program 
     requirements under section 302 if the business entity is 
     acting as a ``business associate'' as that term is defined in 
     the Health Insurance Portability and Accountability Act of 
      1996 (42 U.S.C. 1301 et seq.) and is in compliance with 
     requirements imposed under that Act and its implementing 
     regulations.
       (3) Public records.--Public records not otherwise subject 
     to a confidentiality or nondisclosure requirement, or 
     information obtained from a news report or periodical.
       (d) Safe Harbors.--
       (1) In general.--A business entity shall be deemed in 
     compliance with the privacy and security program requirements 
     under section 302 if the business entity complies with or 
     provides protection equal to industry standards, as 
     identified by the Federal Trade Commission, that are 
     applicable to the type of sensitive personally identifiable 
     information involved in the ordinary course of business of 
     such business entity.
       (2) Limitation.--Nothing in this subsection shall be 
     construed to permit, and nothing does permit, the Federal 
     Trade Commission to issue regulations requiring, or according 
     greater legal status to, the implementation of or application 
     of a specific technology or technological specifications for 
     meeting the requirements of this title.

     SEC. 302. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND 
                   SECURITY PROGRAM.

       (a) Personal Data Privacy and Security Program.--A business 
     entity subject to this subtitle shall comply with the 
     following safeguards and any other administrative, technical, 
     or physical safeguards identified by the Federal Trade 
     Commission in a rulemaking process pursuant to section 553 of 
     title 5, United States Code, for the protection of sensitive 
     personally identifiable information:
       (1) Scope.--A business entity shall implement a 
     comprehensive personal data privacy and security program that 
     includes administrative, technical, and physical safeguards 
     appropriate to the size and complexity of the business entity 
     and the nature and scope of its activities.
       (2) Design.--The personal data privacy and security program 
     shall be designed to--
       (A) ensure the privacy, security, and confidentiality of 
     sensitive personally identifying information;
       (B) protect against any anticipated vulnerabilities to the 
     privacy, security, or integrity of sensitive personally 
     identifying information; and
        (C) protect against unauthorized access to or use of sensitive 
     personally identifying information that could result in 
     substantial harm or inconvenience to any individual.
       (3) Risk assessment.--A business entity shall--
       (A) identify reasonably foreseeable internal and external 
     vulnerabilities that could result in unauthorized access, 
     disclosure, use, or alteration of sensitive personally 
     identifiable information or systems containing sensitive 
     personally identifiable information;
       (B) assess the likelihood of and potential damage from 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information;
       (C) assess the sufficiency of its policies, technologies, 
     and safeguards in place to control and minimize risks from 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information; and
       (D) assess the vulnerability of sensitive personally 
     identifiable information during destruction and disposal of 
     such information, including through the disposal or 
     retirement of hardware.
       (4) Risk management and control.--Each business entity 
     shall--
       (A) design its personal data privacy and security program 
     to control the risks identified under paragraph (3); and
       (B) adopt measures commensurate with the sensitivity of the 
     data as well as the size, complexity, and scope of the 
     activities of the business entity that--
       (i) control access to systems and facilities containing 
     sensitive personally identifiable information, including 
     controls to authenticate and permit access only to authorized 
     individuals;
       (ii) detect actual and attempted fraudulent, unlawful, or 
     unauthorized access, disclosure, use, or alteration of 
     sensitive personally identifiable information, including by 
     employees and other individuals otherwise authorized to have 
     access;
       (iii) protect sensitive personally identifiable information 
     during use, transmission, storage, and disposal by encryption 
     or other reasonable means (including as directed for disposal 
     of records under section 628 of the Fair Credit Reporting Act 
     (15 U.S.C. 1681w) and the implementing regulations of such 
     Act as set forth in section 682 of title 16, Code of Federal 
     Regulations); and
       (iv) ensure that sensitive personally identifiable 
     information is properly destroyed and disposed of, including 
     during the destruction of computers, diskettes, and other 
     electronic media that contain sensitive personally 
     identifiable information.
       (b) Training.--Each business entity subject to this 
     subtitle shall take steps to ensure employee training and 
     supervision for implementation of the data security program 
     of the business entity.
       (c) Vulnerability Testing.--
       (1) In general.--Each business entity subject to this 
     subtitle shall take steps to ensure regular testing of key 
     controls, systems, and procedures of the personal data 
     privacy and security program to detect, prevent, and respond 
     to attacks or intrusions, or other system failures.
       (2) Frequency.--The frequency and nature of the tests 
     required under paragraph (1) shall be determined by the risk 
     assessment of the business entity under subsection (a)(3).
       (d) Relationship to Service Providers.--In the event a 
     business entity subject to this subtitle engages service 
     providers not subject to this subtitle, such business entity 
     shall--
       (1) exercise appropriate due diligence in selecting those 
     service providers for responsibilities related to sensitive 
     personally identifiable information, and take reasonable 
     steps to select and retain service providers that are capable 
     of maintaining appropriate safeguards for the security, 
     privacy, and integrity of the sensitive personally 
     identifiable information at issue; and
       (2) require those service providers by contract to 
     implement and maintain appropriate measures designed to meet 
     the objectives and requirements governing entities subject to 
     section 301, this section, and subtitle B.
       (e) Periodic Assessment and Personal Data Privacy and 
     Security Modernization.--Each business entity subject to this 
     subtitle shall on a regular basis monitor, evaluate, and 
      adjust, as appropriate, its data privacy and security program 
     in light of any relevant changes in--
       (1) technology;
       (2) the sensitivity of personally identifiable information;
       (3) internal or external threats to personally identifiable 
     information; and
       (4) the changing business arrangements of the business 
     entity, such as--
       (A) mergers and acquisitions;
       (B) alliances and joint ventures;
       (C) outsourcing arrangements;
       (D) bankruptcy; and
       (E) changes to sensitive personally identifiable 
     information systems.
       (f) Implementation Time Line.--Not later than 1 year after 
     the date of enactment of this Act, a business entity subject 
     to the provisions of this subtitle shall implement a data 
     privacy and security program pursuant to this subtitle.

     SEC. 303. ENFORCEMENT.

       (a) Civil Penalties.--
       (1) In general.--Any business entity that violates the 
     provisions of sections 301 or 302 shall be subject to civil 
     penalties of not more than $5,000 per violation per day while 
     such a violation exists, with a maximum of $500,000 per 
     violation.
       (2) Intentional or willful violation.--A business entity 
     that intentionally or willfully violates the provisions of 
     sections 301 or 302 shall be subject to additional penalties 
     in the amount of $5,000 per violation per day while such a 
     violation exists, with a maximum of an additional $500,000 
     per violation.
       (3) Equitable relief.--A business entity engaged in 
     interstate commerce that violates this section may be 
     enjoined from further violations by a court of competent 
     jurisdiction.
       (4) Other rights and remedies.--The rights and remedies 
     available under this section are cumulative and shall not 
     affect any other rights and remedies available under law.
       (b) Federal Trade Commission Authority.--Any data broker 
     shall have the provisions of this subtitle enforced against 
     it by the Federal Trade Commission.
       (c) State Enforcement.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State or any State or local law enforcement 
     agency authorized by the State attorney general or by State 
     statute to prosecute violations of consumer protection law, 
     has reason to believe that an interest of the residents of 
     that State has been or is threatened or adversely affected by 
     the acts or practices of a data broker that violate this 
     subtitle, the State may bring a civil action on behalf of the 
     residents of that State in a district court of the United 
     States of appropriate jurisdiction, or any other court of 
     competent jurisdiction, to--
       (A) enjoin that act or practice;
       (B) enforce compliance with this subtitle; or
       (C) obtain civil penalties of not more than $5,000 per 
     violation per day while such violations persist, up to a 
     maximum of $500,000 per violation.
       (2) Notice.--
       (A) In general.--Before filing an action under this 
     subsection, the attorney general of the State involved shall 
     provide to the Federal Trade Commission--
       (i) a written notice of that action; and
       (ii) a copy of the complaint for that action.
       (B) Exception.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subsection, if the attorney general of a 
     State determines that it is not feasible to provide the 
     notice described in this subparagraph before the filing of 
     the action.
       (C) Notification when practicable.--In an action described 
     under subparagraph (B), the attorney general of a State shall 
     provide the
     written notice and the copy of the complaint to the Federal 
     Trade Commission as soon after the filing of the complaint as 
     practicable.
       (3) Federal trade commission authority.--Upon receiving 
     notice under paragraph (2), the Federal Trade Commission 
     shall have the right to--
       (A) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action as described in 
     paragraph (4);
       (B) intervene in an action brought under paragraph (1); and
       (C) file petitions for appeal.
       (4) Pending proceedings.--If the Federal Trade Commission 
     has instituted a proceeding or action for a violation of this 
     subtitle or any regulations thereunder, no attorney general 
     of a State may, during the pendency of such proceeding or 
     action, bring an action under this subsection against any 
     defendant named in such criminal proceeding or civil action 
     for any violation that is alleged in that proceeding or 
     action.
       (5) Rule of construction.--For purposes of bringing any 
     civil action under paragraph (1) nothing in this subtitle 
     shall be construed to prevent an attorney general of a State 
     from exercising the powers conferred on the attorney general 
     by the laws of that State to--
       (A) conduct investigations;
       (B) administer oaths and affirmations; or
       (C) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (6) Venue; service of process.--
       (A) Venue.--Any action brought under this subsection may be 
     brought in the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (B) Service of process.--In an action brought under this 
     subsection process may be served in any district in which the 
     defendant--
       (i) is an inhabitant; or
       (ii) may be found.
       (d) No Private Cause of Action.--Nothing in this subtitle 
     establishes a private cause of action against a business 
     entity for violation of any provision of this subtitle.

     SEC. 304. RELATION TO OTHER LAWS.

       (a) In General.--No State may require any business entity 
     subject to this subtitle to comply with any requirements with 
     respect to administrative, technical, and physical safeguards 
     for the protection of sensitive personally identifying 
     information.
       (b) Limitations.--Nothing in this subtitle shall be 
     construed to modify, limit, or supersede the operation of the 
     Gramm-Leach-Bliley Act or its implementing regulations, 
     including those adopted or enforced by States.

                Subtitle B--Security Breach Notification

     SEC. 311. NOTICE TO INDIVIDUALS.

       (a) In General.--Any agency, or business entity engaged in 
     interstate commerce, that uses, accesses, transmits, stores, 
      disposes of, or collects sensitive personally identifiable 
      information shall, following the discovery of a security 
      breach of the systems or databases of such agency or business 
      entity, notify any resident of the United States whose 
     sensitive personally identifiable information has been, or is 
     reasonably believed to have been, accessed, or acquired.
       (b) Obligation of Owner or Licensee.--
       (1) Notice to owner or licensee.--Any agency, or business 
     entity engaged in interstate commerce, that uses, accesses, 
     transmits, stores, disposes of, or collects sensitive 
     personally identifiable information that the agency or 
     business entity does not own or license shall notify the 
     owner or licensee of the information following the discovery 
     of a security breach involving such information.
       (2) Notice by owner, licensee or other designated third 
     party.--Nothing in this subtitle shall prevent or abrogate an 
     agreement between an agency or business entity required to 
     give notice under this section and a designated third party, 
     including an owner or licensee of the sensitive personally 
     identifiable information subject to the security breach, to 
     provide the notifications required under subsection (a).
       (3) Business entity relieved from giving notice.--A 
     business entity obligated to give notice under subsection (a) 
     shall be relieved of such obligation if an owner or licensee 
     of the sensitive personally identifiable information subject 
     to the security breach, or other designated third party, 
     provides such notification.
       (c) Timeliness of Notification.--
       (1) In general.--All notifications required under this 
     section shall be made without unreasonable delay following 
     the discovery by the agency or business entity of a security 
     breach.
       (2) Reasonable delay.--Reasonable delay under this 
     subsection may include any time necessary to determine the 
     scope of the security breach, prevent further disclosures, 
     and restore the reasonable integrity of the data system and 
     provide notice to law enforcement when required.
       (3) Burden of proof.--The agency, business entity, owner, 
     or licensee required to provide notification under this 
     section shall have the burden of demonstrating that all 
     notifications were made as required under this subtitle, 
     including evidence demonstrating the reasons for any delay.
       (d) Delay of Notification Authorized for Law Enforcement 
     Purposes.--
       (1) In general.--If a Federal law enforcement agency 
     determines that the notification required under this section 
     would impede a criminal investigation, such notification 
     shall be delayed upon written notice from such Federal law 
     enforcement agency to the agency or business entity that 
     experienced the breach.
       (2) Extended delay of notification.--If the notification 
     required under subsection (a) is delayed pursuant to 
     paragraph (1), an agency or business entity shall give notice 
     30 days after the day such law enforcement delay was invoked 
     unless a Federal law enforcement agency provides written 
     notification that further delay is necessary.
       (3) Law enforcement immunity.--No cause of action shall lie 
     in any court against any law enforcement agency for acts 
     relating to the delay of notification for law enforcement 
     purposes under this subtitle.

     SEC. 312. EXEMPTIONS.

       (a) Exemption for National Security and Law Enforcement.--
       (1) In general.--Section 311 shall not apply to an agency 
     or business entity if the agency or business entity 
     certifies, in writing, that notification of the security 
     breach as required by section 311 reasonably could be 
     expected to--
       (A) cause damage to the national security; or
       (B) hinder a law enforcement investigation or the ability 
     of the agency to conduct law enforcement investigations.
       (2) Limits on certifications.--An agency may not execute a 
     certification under paragraph (1) to--
       (A) conceal violations of law, inefficiency, or 
     administrative error;
       (B) prevent embarrassment to a business entity, 
     organization, or agency; or
       (C) restrain competition.
       (3) Notice.--In every case in which an agency issues a 
     certification under paragraph (1), the certification, 
     accompanied by a description of the factual basis for the 
     certification, shall be immediately provided to the United 
     States Secret Service.
       (b) Safe Harbor.--An agency or business entity will be 
     exempt from the notice requirements under section 311, if--
       (1) a risk assessment concludes that there is no 
     significant risk that the security breach has resulted in, or 
     will result in, harm to the individuals whose sensitive 
     personally identifiable information was subject to the 
     security breach;
       (2) without unreasonable delay, but not later than 45 days 
     after the discovery of a security breach, unless extended by 
     the United States Secret Service, the agency or business 
     entity notifies the United States Secret Service, in writing, 
     of--
       (A) the results of the risk assessment; and
       (B) its decision to invoke the risk assessment exemption; 
     and
       (3) the United States Secret Service does not indicate, in 
     writing, within 10 days from receipt of the decision, that 
     notice should be given.
       (c) Financial Fraud Prevention Exemption.--
       (1) In general.--A business entity will be exempt from the 
     notice requirement under section 311 if the business entity 
     utilizes or participates in a security program that--
       (A) is designed to block the use of the sensitive 
     personally identifiable information to initiate unauthorized 
     financial transactions before they are charged to the account 
     of the individual; and
       (B) provides for notice to affected individuals after a 
     security breach that has resulted in fraud or unauthorized 
     transactions.
       (2) Limitation.--The exemption by this subsection does not 
     apply if the information subject to the security breach 
     includes sensitive personally identifiable information in 
     addition to the sensitive personally identifiable information 
     identified in section 3.

     SEC. 313. METHODS OF NOTICE.

       An agency, or business entity shall be in compliance with 
     section 311 if it provides both:
       (1) Individual notice.--
       (A) Written notification to the last known home mailing 
     address of the individual in the records of the agency or 
     business entity;
       (B) Telephone notice to the individual personally; or
       (C) Electronic notice, if the primary method used by the 
     agency or business entity to communicate with the individual 
     is by electronic means, or the individual has consented to 
     receive such notice and the notice is consistent with the 
     provisions permitting electronic transmission of notices 
     under section 101 of the Electronic Signatures in Global and 
     National Commerce Act (15 U.S.C. 7001).
       (2) Media notice.--Notice to major media outlets serving a 
     State or jurisdiction, if the number of residents of such 
     State whose sensitive personally identifiable information 
     was, or is reasonably believed to have been, acquired by an 
     unauthorized person exceeds 5,000.

     SEC. 314. CONTENT OF NOTIFICATION.

       (a) In General.--Regardless of the method by which notice 
     is provided to individuals under section 313, such notice 
     shall include, to the extent possible--
       (1) a description of the categories of sensitive personally 
     identifiable information that was, or is reasonably believed 
     to have been, acquired by an unauthorized person;
       (2) a toll-free number or, if the primary method used by 
     the agency or business entity to communicate with the 
     individual is by electronic means, an electronic mail 
     address--
       (A) that the individual may use to contact the agency or 
     business entity, or the agent of the agency or business 
     entity; and
       (B) from which the individual may learn what types of 
     sensitive personally identifiable information the agency or 
     business entity maintained about that individual; and
       (3) the toll-free contact telephone numbers and addresses 
     for the major credit reporting agencies.
       (b) Additional Content.--Notwithstanding section 319, a 
     State may require that a notice under subsection (a) shall 
     also include information regarding victim protection 
     assistance provided for by that State.

     SEC. 315. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING 
                   AGENCIES.

       If an agency or business entity is required to provide 
     notification to more than 1,000 individuals under section 
     311(a), the agency or business entity shall also notify, 
     without unreasonable delay, all consumer reporting agencies 
     that compile and maintain files on consumers on a nationwide 
     basis (as defined in section 603(p) of the Fair Credit 
      Reporting Act (15 U.S.C. 1681a(p))) of the timing and 
     distribution of the notices.

     SEC. 316. NOTICE TO LAW ENFORCEMENT.

       (a) Secret Service.--Any business entity or agency shall 
     give notice of a security breach to the United States Secret 
     Service if--
       (1) the number of individuals whose sensitive personally 
      identifying information was, or is reasonably believed to 
      have been, acquired by an unauthorized person exceeds 10,000;
       (2) the security breach involves a database, networked or 
     integrated databases, or other data system containing the 
     sensitive personally identifiable information of more than 
     1,000,000 individuals nationwide;
       (3) the security breach involves databases owned by the 
     Federal Government; or
       (4) the security breach involves primarily sensitive 
     personally identifiable information of individuals known to 
     the agency or business entity to be employees and contractors 
     of the Federal Government involved in national security or 
     law enforcement.
       (b) Notice to Other Law Enforcement Agencies.--The United 
     States Secret Service shall be responsible for notifying--
       (1) the Federal Bureau of Investigation, if the security 
     breach involves espionage, foreign counterintelligence, 
     information protected against unauthorized disclosure for 
     reasons of national defense or foreign relations, or 
     Restricted Data (as that term is defined in section 11y of 
      the Atomic Energy Act of 1954 (42 U.S.C. 2014(y))), except for 
     offenses affecting the duties of the United States Secret 
     Service under section 3056(a) of title 18, United States 
     Code;
       (2) the United States Postal Inspection Service, if the 
     security breach involves mail fraud; and
       (3) the attorney general of each State affected by the 
     security breach.
       (c) 14-Day Rule.--The notices to Federal law enforcement 
     and the attorney general of each State affected by a security 
     breach required under this section shall be delivered as 
     promptly as possible, but not later than 14 days after 
     discovery of the events requiring notice.

     SEC. 317. ENFORCEMENT.

       (a) Civil Actions by the Attorney General.--The Attorney 
     General may bring a civil action in the appropriate United 
     States district court against any business entity that 
     engages in conduct constituting a violation of this subtitle 
     and, upon proof of such conduct by a preponderance of the 
     evidence, such business entity shall be subject to a civil 
     penalty of not more than $1,000 per day per individual whose 
     sensitive personally identifiable information was, or is 
     reasonably believed to have been, accessed or acquired by an 
     unauthorized person, up to a maximum of $1,000,000 per 
     violation, unless such conduct is found to be willful or 
     intentional.
       (b) Injunctive Actions by the Attorney General.--
       (1) In general.--If it appears that a business entity has 
     engaged, or is engaged, in any act or practice constituting a 
     violation of this subtitle, the Attorney General may petition 
     an appropriate district court of the United States for an 
     order--
       (A) enjoining such act or practice; or
       (B) enforcing compliance with this subtitle.
       (2) Issuance of order.--A court may issue an order under 
     paragraph (1), if the court finds that the conduct in 
     question constitutes a violation of this subtitle.
       (c) Other Rights and Remedies.--The rights and remedies 
     available under this subtitle are cumulative and shall not 
     affect any other rights and remedies available under law.
       (d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit 
     Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended by 
     inserting ``, or evidence that the consumer has received 
     notice that the consumer's financial information has or may 
     have been compromised,'' after ``identity theft report''.

     SEC. 318. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State or any State or local law enforcement 
     agency authorized by the State attorney general or by State 
     statute to prosecute violations of consumer protection law, 
     has reason to believe that an interest of the residents of 
     that State has been or is threatened or adversely affected by 
     the engagement of a business entity in a practice that is 
     prohibited under this subtitle, the State or the State or 
     local law enforcement agency on behalf of the residents of 
     the agency's jurisdiction, may bring a civil action on behalf 
     of the residents of the State or jurisdiction in a district 
     court of the United States of appropriate jurisdiction or any 
     other court of competent jurisdiction, including a State 
     court, to--
       (A) enjoin that practice;
       (B) enforce compliance with this subtitle; or
       (C) civil penalties of not more than $1,000 per day per 
     individual whose sensitive personally identifiable 
     information was, or is reasonably believed to have been, 
     accessed or acquired by an unauthorized person, up to a 
     maximum of $1,000,000 per violation, unless such conduct is 
     found to be willful or intentional.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Attorney General of the United States--
       (i) written notice of the action; and
       (ii) a copy of the complaint for the action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this subtitle, if the State attorney general 
     determines that it is not feasible to provide the notice 
     described in such subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Attorney General at the time the 
     State attorney general files the action.
       (b) Federal Proceedings.--Upon receiving notice under 
     subsection (a)(2), the Attorney General shall have the right 
     to--
       (1) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action;
       (2) initiate an action in the appropriate United States 
     district court under section 317 and move to consolidate all 
     pending actions, including State actions, in such court;
       (3) intervene in an action brought under subsection (a)(2); 
     and
       (4) file petitions for appeal.
       (c) Pending Proceedings.--If the Attorney General has 
     instituted a proceeding or action for a violation of this 
     subtitle or any regulations thereunder, no attorney general 
     of a State may, during the pendency of such proceeding or 
     action, bring an action under this subtitle against any 
     defendant named in such criminal proceeding or civil action 
     for any violation that is alleged in that proceeding or 
     action.
       (d) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this subtitle 
     regarding notification shall be construed to prevent an 
     attorney general of a State from exercising the powers 
     conferred on such attorney general by the laws of that State 
     to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in--
       (A) the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code; or
       (B) another court of competent jurisdiction.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.
       (f) No Private Cause of Action.--Nothing in this subtitle 
     establishes a private cause of action against a business 
     entity for violation of any provision of this subtitle.

     SEC. 319. EFFECT ON FEDERAL AND STATE LAW.

       The provisions of this subtitle shall supersede any other 
     provision of Federal law or any provision of law of any State 
     relating to notification of a security breach, except as 
     provided in section 314(b).

     SEC. 320. AUTHORIZATION OF APPROPRIATIONS.

       There are authorized to be appropriated such sums as may be 
     necessary to cover the costs incurred by the United States 
     Secret Service to carry out investigations and risk 
     assessments of security breaches as required under this 
     subtitle.

     SEC. 321. REPORTING ON RISK ASSESSMENT EXEMPTIONS.

       The United States Secret Service shall report to Congress 
     not later than 18 months after the date of enactment of this 
     Act, and upon the request by Congress thereafter, on--
       (1) the number and nature of the security breaches 
     described in the notices filed by those business entities 
     invoking the risk assessment exemption under section 312(b) 
     and the response of the United States Secret Service to such 
     notices; and
       (2) the number and nature of security breaches subject to 
     the national security and law enforcement exemptions under 
     section 312(a), provided that such report may not disclose 
     the contents of any risk assessment provided to the United 
     States Secret Service pursuant to this subtitle.

     SEC. 322. EFFECTIVE DATE.

       This subtitle shall take effect on the expiration of the 
     date which is 90 days after the date of enactment of this 
     Act.

[[Page S1635]]

       TITLE IV--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

     SEC. 401. GENERAL SERVICES ADMINISTRATION REVIEW OF 
                   CONTRACTS.

       (a) In General.--In considering contract awards totaling 
     more than $500,000 and entered into after the date of 
     enactment of this Act with data brokers, the Administrator of 
     the General Services Administration shall evaluate--
       (1) the data privacy and security program of a data broker 
     to ensure the privacy and security of data containing 
     personally identifiable information, including whether such 
     program adequately addresses privacy and security threats 
     created by malicious software or code, or the use of peer-to-
     peer file sharing software;
       (2) the compliance of a data broker with such program;
       (3) the extent to which the databases and systems 
     containing personally identifiable information of a data 
     broker have been compromised by security breaches; and
       (4) the response by a data broker to such breaches, 
     including the efforts by such data broker to mitigate the 
     impact of such security breaches.
       (b) Compliance Safe Harbor.--The data privacy and security 
     program of a data broker shall be deemed sufficient for the 
     purposes of subsection (a), if the data broker complies with 
     or provides protection equal to industry standards, as 
     identified by the Federal Trade Commission, that are 
     applicable to the type of personally identifiable information 
     involved in the ordinary course of business of such data 
     broker.
       (c) Penalties.--In awarding contracts with data brokers for 
     products or services related to access, use, compilation, 
     distribution, processing, analyzing, or evaluating personally 
     identifiable information, the Administrator of the General 
     Services Administration shall--
       (1) include monetary or other penalties--
       (A) for failure to comply with subtitles A and B of title 
     III; or
       (B) if a contractor knows or has reason to know that the 
     personally identifiable information being provided is 
     inaccurate, and provides such inaccurate information; and
       (2) require a data broker that engages service providers 
     not subject to subtitle A of title III for responsibilities 
     related to sensitive personally identifiable information to--
       (A) exercise appropriate due diligence in selecting those 
     service providers for responsibilities related to personally 
     identifiable information;
       (B) take reasonable steps to select and retain service 
     providers that are capable of maintaining appropriate 
     safeguards for the security, privacy, and integrity of the 
     personally identifiable information at issue; and
       (C) require such service providers, by contract, to 
     implement and maintain appropriate measures designed to meet 
     the objectives and requirements in title III.
       (d) Limitation.--The penalties under subsection (c) shall 
     not apply to a data broker providing information that is 
     accurately and completely recorded from a public record 
     source or licensor.

     SEC. 402. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES 
                   OF CONTRACTORS AND THIRD PARTY BUSINESS 
                   ENTITIES.

       Section 3544(b) of title 44, United States Code, is 
     amended--
       (1) in paragraph (7)(C)(iii), by striking ``and'' after the 
     semicolon;
       (2) in paragraph (8), by striking the period and inserting 
     ``; and''; and
       (3) by adding at the end the following:
       ``(9) procedures for evaluating and auditing the 
     information security practices of contractors or third party 
     business entities supporting the information systems or 
     operations of the agency involving personally identifiable 
     information (as that term is defined in section 3 of the 
     Personal Data Privacy and Security Act of 2007) and ensuring 
     remedial action to address any significant deficiencies.''.

     SEC. 403. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF 
                   COMMERCIAL INFORMATION SERVICES CONTAINING 
                   PERSONALLY IDENTIFIABLE INFORMATION.

       (a) In General.--Section 208(b)(1) of the E-Government Act 
     of 2002 (44 U.S.C. 3501 note) is amended--
       (1) in subparagraph (A)(i), by striking ``or''; and
       (2) in subparagraph (A)(ii), by striking the period and 
     inserting ``; or''; and
       (3) by inserting after clause (ii) the following:
       ``(iii) purchasing or subscribing for a fee to personally 
     identifiable information from a data broker (as such terms 
     are defined in section 3 of the Personal Data Privacy and 
     Security Act of 2007).''.
       (b) Limitation.--Notwithstanding any other provision of 
     law, commencing 1 year after the date of enactment of this 
     Act, no Federal agency may enter into a contract with a data 
     broker to access for a fee any database consisting primarily 
     of personally identifiable information concerning United 
     States persons (other than news reporting or telephone 
     directories) unless the head of such department or agency--
       (1) completes a privacy impact assessment under section 208 
     of the E-Government Act of 2002 (44 U.S.C. 3501 note), which 
      shall, subject to the provision in that Act pertaining to 
     sensitive information, include a description of--
       (A) such database;
       (B) the name of the data broker from whom it is obtained; 
     and
       (C) the amount of the contract for use;
       (2) adopts regulations that specify--
       (A) the personnel permitted to access, analyze, or 
     otherwise use such databases;
       (B) standards governing the access, analysis, or use of 
     such databases;
       (C) any standards used to ensure that the personally 
     identifiable information accessed, analyzed, or used is the 
     minimum necessary to accomplish the intended legitimate 
     purpose of the Federal agency;
       (D) standards limiting the retention and redisclosure of 
     personally identifiable information obtained from such 
     databases;
       (E) procedures ensuring that such data meet standards of 
     accuracy, relevance, completeness, and timeliness;
       (F) the auditing and security measures to protect against 
     unauthorized access, analysis, use, or modification of data 
     in such databases;
       (G) applicable mechanisms by which individuals may secure 
     timely redress for any adverse consequences wrongly incurred 
     due to the access, analysis, or use of such databases;
       (H) mechanisms, if any, for the enforcement and independent 
     oversight of existing or planned procedures, policies, or 
     guidelines; and
       (I) an outline of enforcement mechanisms for accountability 
     to protect individuals and the public against unlawful or 
     illegitimate access or use of databases; and
       (3) incorporates into the contract or other agreement 
     totaling more than $500,000, provisions--
       (A) providing for penalties--
       (i) for failure to comply with title III of this Act; or
       (ii) if the entity knows or has reason to know that the 
     personally identifiable information being provided to the 
     Federal department or agency is inaccurate, and provides such 
     inaccurate information; and
       (B) requiring a data broker that engages service providers 
     not subject to subtitle A of title III for responsibilities 
     related to sensitive personally identifiable information to--
       (i) exercise appropriate due diligence in selecting those 
     service providers for responsibilities related to personally 
     identifiable information;
       (ii) take reasonable steps to select and retain service 
     providers that are capable of maintaining appropriate 
     safeguards for the security, privacy, and integrity of the 
     personally identifiable information at issue; and
       (iii) require such service providers, by contract, to 
     implement and maintain appropriate measures designed to meet 
     the objectives and requirements in title III.
       (c) Limitation on Penalties.--The penalties under 
     subsection (b)(3)(A) shall not apply to a data broker 
     providing information that is accurately and completely 
     recorded from a public record source.
       (d) Study of Government Use.--
       (1) Scope of study.--Not later than 180 days after the date 
     of enactment of this Act, the Comptroller General of the 
     United States shall conduct a study and audit and prepare a 
     report on Federal agency use of data brokers or commercial 
     databases containing personally identifiable information, 
     including the impact on privacy and security, and the extent 
     to which Federal contracts include sufficient provisions to 
     ensure privacy and security protections, and penalties for 
     failures in privacy and security practices.
       (2) Report.--A copy of the report required under paragraph 
     (1) shall be submitted to Congress.

     SEC. 404. IMPLEMENTATION OF CHIEF PRIVACY OFFICER 
                   REQUIREMENTS.

       (a) Designation of the Chief Privacy Officer.--Pursuant to 
     the requirements under section 522 of the Transportation, 
     Treasury, Independent Agencies, and General Government 
     Appropriations Act, 2005 (division H of Public Law 108-447; 
     118 Stat. 3199) that each agency designate a Chief Privacy 
     Officer, the Department of Justice shall implement such 
     requirements by designating a department-wide Chief Privacy 
     Officer, whose primary role shall be to fulfill the duties 
     and responsibilities of Chief Privacy Officer and who shall 
     report directly to the Deputy Attorney General.
       (b) Duties and Responsibilities of Chief Privacy Officer.--
     In addition to the duties and responsibilities outlined under 
     section 522 of the Transportation, Treasury, Independent 
     Agencies, and General Government Appropriations Act, 2005 
     (division H of Public Law 108-447; 118 Stat. 3199), the 
     Department of Justice Chief Privacy Officer shall--
       (1) oversee the Department of Justice's implementation of 
     the requirements under section 403 to conduct privacy impact 
     assessments of the use of commercial data containing 
     personally identifiable information by the Department; and
       (2) coordinate with the Privacy and Civil Liberties 
     Oversight Board, established in the Intelligence Reform and 
     Terrorism Prevention Act of 2004 (Public Law 108-458), in 
     implementing this section.

  Mr. SPECTER. Mr. President, I seek recognition today to discuss the 
Personal Data Privacy and Security Act of 2007, which I am introducing 
with Senator Leahy. Not long ago, personal information--Social Security 
numbers, birthdates, mothers' maiden names, addresses--all remained 
relatively private. Some information--for example,

[[Page S1636]]

whether you had a mortgage on your home--might have been publicly 
available, but finding that information required a trip to the local 
courthouse. For the most part, the sheer difficulty of obtaining 
personal information kept it private. This privacy--what Justice 
Brandeis called the freedom to be left alone--has been a cherished 
value throughout American history.
  As everyday transactions increasingly occur electronically, personal 
information can be stored, transmitted and accessed much more easily. 
Most Americans have benefited from this change. Because personal 
information is available electronically, Americans enjoy the 
convenience of purchasing goods over the phone or on the Internet. They 
can obtain a home mortgage in a matter of hours. They can apply for a 
credit card while they wait at the store. The availability of such 
information also helps law enforcement agencies conduct investigations 
and apprehend criminals.
  In electronic form, personal information is both more valuable and 
more vulnerable. As the multitude of security breaches that have 
occurred over the past 2 years demonstrate, electronic information is 
more vulnerable because it can be accessed anonymously from afar and 
can be stolen in a split second. According to the Privacy Rights 
Clearinghouse, since February 2005, over 100 million records 
containing personal information have been subject to some sort of 
security breach. The first of these incidents to come to light involved 
commercial data broker ChoicePoint, which in February 2005 reported 
that identity thieves had gained access to personal information of 
163,000 people. The identity thieves had obtained the information by 
setting up sham accounts with ChoicePoint. ChoicePoint eventually 
settled with the FTC for $15 million, including $5 million for consumer 
redress. However, consumers might never have found out about the 
breach. The incident only came to light because of a law California had 
recently adopted requiring ChoicePoint and others to provide notice of 
security breaches involving personal information to California 
residents who were affected by the breach. As a result of the 
California law, Americans for the first time began learning that data 
brokers and others were routinely collecting and selling their personal 
information, and in so doing, they were not always keeping the 
information secure.
  After the ChoicePoint incident came a long series of security 
breaches involving major American companies. In March of 2005, Designer 
Shoe Warehouse reported that hackers had gained access to personal 
information, including credit card numbers, on over 100,000 of its 
customers. Weeks later, LexisNexis reported that hackers had gained 
access to the personal information of over 300,000 individuals. Other 
blue-chip companies where unauthorized persons have gained access to 
personal information include Wal-Mart, General Motors, Wachovia Bank, 
H&R Block, Honeywell, AT&T, Lloyd's of London, ARCO, Visa, MasterCard, 
Bank of America, FedEx, OfficeMax, Blue Cross Blue Shield and Ralph 
Lauren. The largest incident came in June 2005, when CardSystems, 
which processes payments for the country's largest banks and credit 
card companies, reported that hackers had accessed 40 million records 
containing personal information. Most recently, TJ Maxx Stores and 
MoneyGram both had the personal information of their customers stolen 
from their computer systems. This list only includes security breaches 
involving wrong-doers who were trying to obtain personal information. 
The list would be much longer had it included inadvertent disclosure of 
personal information or incidents involving stolen computers or other 
equipment that happened to contain personal information.
  A large number of colleges and universities have also suffered 
significant breaches, including the University of Southern California, 
which in July of 2005 reported that hackers had accessed 270,000 
records containing personal data. Other educational institutions that 
have been hacked include Boston College, Northwestern University, Tufts 
University, UCLA, Michigan State, Carnegie Mellon, Purdue, Stanford, 
Duke, the University of Iowa, the University of Colorado, and the 
University of Utah.
  Governments also have not been immune from attempts by identity 
thieves to obtain personal information. Hackers have accessed personal 
data at the Department of Defense, Department of Energy, the Air Force 
and the Department of Agriculture. Hackers obtained over half a million 
records containing personal data from a State agency in Georgia. The 
San Diego County Employees Retirement Association, the California 
Department of Corrections, the Nebraska Treasurers office, the city of 
Lubbock, TX, and a Women, Infants and Children (WIC) program in Hawaii 
have all been the victims of similar thefts.
  Electronic personal data is more valuable because identity thieves 
can steal a large volume of data and use it before anyone even knows 
their personal information has been compromised. For the last 5 years, 
identity theft has topped the FTC's list of consumer complaints. From 
2002 to 2004, the number of complaints rose 52 percent, to 246,570. Put 
another way, that's one complaint every 2 minutes. But this is only the 
tip of the iceberg. Not all consumers report identity theft to the FTC. 
Not all victims report identity theft to their local police. Sixty 
percent of those who did file a report with the FTC did not call their 
local police department. It stands to reason that many did not call the 
FTC.

  A recent study by the Better Business Bureau concluded that 8.9 
million Americans were victims of identity fraud in 2006, and that each 
victim lost approximately $6,300. Ultimately, it has been predicted 
that nearly 20 percent of Americans will become victims of identity 
theft. Worse, according to the study, it took victims an average of 40 
hours on the phone with creditors and credit bureaus to clear their 
names. I use the term ``clear'' loosely, because in many cases the 
damage caused by identity theft is irreversible. Victims will have 
fraud alerts on their credit reports for years to come, making it more 
difficult for them to open new accounts or make major purchases. Some 
will be erroneously contacted by collection agencies. Many will not 
even know they have been victimized until they try to get a car loan or 
a mortgage on a home.
  Individuals who have not yet been victims also suffer. Businesses 
lose nearly $50 billion a year from identity thieves posing as 
customers. These losses translate into increased prices for every 
consumer. All Americans are victims of identity theft, even if their 
own information remains secure.
  In some cases, the availability of electronic personal data can lead 
to tragedy. In 1999, a former high school classmate of Amy Lynn Boyer 
obtained her former work address and Social Security number from an on-
line data broker. Using this information, he called Amy's mother and 
posed as the former employer, convincing Amy's mom to give him Amy's 
new work address. He then drove to Amy's workplace and fatally shot 
her.
  In an effort to protect the privacy and security of our personal 
information, and prevent future tragedies, small and large, last 
Congress, Senator Leahy and I introduced the Personal Data Privacy and 
Security Act. The problem is one of large proportions and many have 
views on how to go about tackling it. Six committees, three on the 
House side and three on the Senate side, introduced legislation last 
Congress addressing data security. At least two other Senate committees 
became involved in the issue. It is my hope that the differences among 
committees and members can be bridged this Congress. The problem is 
simply too large to ignore.
  In an effort to start that process, Senator Leahy and I are again 
introducing the Personal Data Privacy and Security Act. We are 
reintroducing the bill in largely the same form that it was approved by 
the Judiciary Committee last Congress. The bill takes a comprehensive 
approach to the problem, an approach I believe is necessary. First, the 
legislation goes after identity thieves by increasing penalties for 
crimes involving electronic personal information. It also contains 
criminal penalties for those who intentionally conceal a security 
breach involving personal data. Those who actively conceal breaches 
attempt to protect themselves by gambling with the reputations and 
finances of innocent Americans. They deserve to be punished.

[[Page S1637]]

  The bill also empowers Americans to look after the privacy of their 
own information. The bill will allow individuals to gain access to 
their personal information when it is in the hands of commercial data 
brokers. For individuals who believe their information is wrong--
possibly because of the activities of identity thieves--data brokers must 
provide assistance with correcting their information.
  The legislation also places some of the burden of protecting privacy 
on those that collect personal information. It will require the 
companies, government agencies, universities and others that deal with 
personal information to identify and remedy any weaknesses in their 
computer systems.
  Such measures will not always be enough. As I've already noted, the 
nature of electronic information makes it vulnerable even when 
reasonable steps are taken to protect it. Currently, over 30 States 
have adopted legislation requiring companies, agencies, universities 
and others to give notice when they experience a security breach that 
involves personal information. However, no Federal law imposes such a 
requirement. As a result, companies are forced to comply with over 30 
different State laws, an expensive and time-consuming endeavor.
  The Personal Data Privacy and Security Act requires that both 
affected individuals and law enforcement receive notice. Knowledge is 
power. Once individuals learn that their personal information is 
exposed, they can take steps to protect themselves. And, the company, 
school or agency that experienced the breach must help. They must 
provide individuals whose data was lost with credit monitoring. For 
large breaches, the media must be notified. Media reports over the past 2 
years have made Americans far more aware of the problem of security 
breaches. Hopefully, we can raise awareness by continuing the practice 
of making public announcements. Notice will also give law enforcement a 
head start in catching those who steal personal information.
  Finally, this legislation will protect the privacy of all Americans 
by providing a check on the government's use of commercial databases. 
Federal law enforcement agencies use commercial databases to track 
criminals and criminal activity. Correctly used, these databases can be 
very useful tools in the fight against crime. However, there should be 
some check on their use. The bill makes it clear that protections 
similar to those provided by the Privacy Act are applied to the 
government's use of commercial databases. The legislation also aims at 
making sure the government's use of such data is secure.
  This bill represents a comprehensive effort to protect the privacy 
and security of the personal information of all Americans. The lives of 
most Americans have been made easier because our personal information 
is readily available to those who have a legitimate need for it. This 
legislation aims to keep such information out of the hands of those who 
have no legitimate need for it. I want to take a moment to thank my 
colleague, Senator Leahy, who has been tireless in his efforts to 
promote individual privacy. He has long fought these issues on the 
Senate floor and has been a leader in securing the privacy rights of 
all Americans. I urge my colleagues to join us in supporting this 
important legislation.
  Mr. FEINGOLD. Mr. President, I am proud to be an original cosponsor 
of the Personal Data Privacy and Security Act of 2007. This bill is a 
much-needed solution to the daunting problem of ensuring the privacy 
and the security of our personal data, which has become such a precious 
commodity.
  Several forces are converging to make our personal information more 
valuable--and more vulnerable--than ever. The world is digital and so 
is our personal data. In this day and age, almost everything we do 
results in a third party creating a digital record about us--digital 
records that we may not even realize exist. We seek the convenience of 
opening bank accounts, managing our credit cards, and making major 
purchases over the Internet. And we often complete these transactions 
without ever speaking to another person face-to-face or over the 
telephone. Businesses, nonprofits, and political parties are 
personalizing their messages, products, and services to a degree we've 
never seen before, and they are willing to invest significant amounts 
of money in collecting personal information about potential customers 
or donors. And we are living in an age where identity-based screening 
and security programs can be vitally important, resulting in more 
information being collected about individuals in an attempt to identify 
them accurately.
  As a result, personal information has become a hot commodity that is 
bought, sold, and--as so often happens when something becomes 
valuable--stolen.
  We are at a crossroads. We all know about the security breaches that 
have been on the front pages of newspapers. They have placed the 
identities of hundreds of thousands of Americans at risk. The fear 
among the American public is so widespread that it has become the basis 
of an entire ad campaign by a credit card company.
  But this is about much more than information security. Until 
California law required a company named ChoicePoint to notify 
individuals in 2005 that their information was compromised and that 
they might be vulnerable to identity theft, many Americans had never 
heard of ChoicePoint. As news stories focused on the data broker 
business, many Americans were surprised to discover that companies are 
creating digital dossiers about them that contain massive amounts of 
information, and that these companies sell that information to 
commercial and government entities. The revelations about these 
security breaches highlighted the fact that Americans need a better 
understanding of what happens to their information in a digital world--
and what kind of consequences they can face as a result.
  When I am back home in Wisconsin, I hear from people who do not 
understand why companies have the right to sell their sensitive 
personal information. I hear from people who are shocked to discover 
that personal information about them is available for free on the 
Internet.
  There is no question that data aggregators facilitate societal 
benefits, allowing consumers to obtain instant credit and personalized 
services, and allowing police officers to locate suspects. But these 
companies also gather a great deal of potentially sensitive information 
about individuals, and in many instances they go largely unregulated.
  Too many of my constituents feel that they have lost control over 
their own information. Congress must return some power to individual 
Americans so that we can all better understand and manage what happens 
to our own personal data.
  The Personal Data Privacy and Security Act takes a comprehensive 
approach to the privacy and security problems we face. It gives 
consumers back some control over their own information. The bill 
requires data brokers to allow consumers to access their own 
information and to investigate when consumers tell them that 
corrections are necessary. And it requires companies to give notice to 
affected consumers and to law enforcement if there is a serious 
security breach, so that individuals know their identity may be at risk 
and can take steps to protect themselves.
  In addition, the bill extends existing criminal law to ensure that it 
covers unauthorized access of data broker systems, as well as 
concealment of security breaches. It requires companies that buy and 
sell information to have appropriate data security systems in place. 
These protections will help safeguard against future privacy violations 
and security breaches in the commercial data industry. But that is not 
all this bill accomplishes.
  The bill also contains some critically important privacy and security 
provisions to govern the government's use of commercial data. This is 
an aspect of the data broker business that has not yet gotten as much 
attention in the wake of the security breaches over the past few years. 
The information gathered by these companies is not just sold to 
individuals and businesses; government agencies of all stripes also buy 
or subscribe to information from commercial sources. We all remember 
the discovery in 2005 that the Pentagon had a contract with a marketing 
firm to analyze commercial and other data about high school and college 
students.

[[Page S1638]]

  Although the government should be able to access commercial databases 
in appropriate circumstances, there are few existing rules or 
guidelines to ensure this information is used responsibly. Nor are 
there restrictions on the use of commercial data for powerful, 
intrusive data mining programs. The Privacy Act, which governs when 
government agencies themselves are collecting data, likely does not 
apply because the information is held outside the government and is not 
gathered solely at government direction.
  As a result, there is a great deal we do not know about government 
use of commercial data, even in clearly appropriate circumstances such 
as when the agency's goal is simply to locate an individual already 
suspected of a crime.
  We don't know under what circumstances government employees can 
obtain access to these databases or for what purposes. We don't know 
how government agencies evaluate the accuracy of the databases to which 
they subscribe. We don't know how the accuracy level of the data 
affects government use of the data. We don't know how employees are 
monitored to ensure they do not abuse their access to these databases. 
We don't know how those who misuse the information are punished. And we 
don't know how government agencies, particularly those engaged in 
sensitive national security investigations, ensure that the data 
brokers cannot keep records of who the government is investigating, 
records which themselves could create a huge security risk in light of 
the vulnerabilities that have come to the forefront in recent months.
  That is why I am so pleased that this bill includes provisions to 
address the government's use of commercial data. A comprehensive 
approach to data privacy and security would be incomplete without 
taking on this piece of the puzzle. The bill recognizes there are many 
legitimate reasons for government agencies to obtain commercially 
available data, but that they need to be subject to privacy and 
security protections. It takes a common sense approach, pushing 
government agencies to take basic steps to ensure that individuals' 
personal information is secure and only used for legitimate purposes, 
and that the commercial information the government is paying for and 
relying on is accurate and complete.
  Specifically, the bill would require that federal agencies that 
subscribe to commercial data adopt standards governing its use. These 
standards would reflect long-standing basic privacy principles. The 
bill would ensure that government agencies consider and determine which 
personnel will be permitted to access the information and under what 
circumstances; develop retention policies for this personal data and 
get rid of data they no longer need, minimizing the opportunity for 
abuse or theft; rely only on accurate and complete data, and penalize 
vendors who knowingly provide inaccurate information to the Federal 
Government; provide individuals who suffer adverse consequences as a 
result of the agency's reliance on commercial data with a redress 
mechanism; and establish enforcement mechanisms for those privacy 
policies.
  The bill also directs the General Services Administration to review 
government contracts for commercial data to make sure that vendors have 
appropriate security programs in place, and that they do not provide 
information to the government that they know to be inaccurate. And it 
requires agencies to audit the information security practices of their 
vendors.
  These are basic good government measures. They guarantee that the 
Federal Government is not wasting money on inaccurate data and that 
vendors are undertaking the security programs that they have promised 
and for which the government is paying.
  We live in a new digital world. The law may never fully keep up with 
technology, but we must make every effort we can. I am proud to be 
involved in this comprehensive, reasoned approach to privacy and 
security, and I hope it will move forward in this Congress. I 
congratulate Senators Leahy and Specter for their excellent work on 
this bill. This bill is important and it deserves serious 
consideration.
                                 ______