[Congressional Record Volume 153, Number 67 (Wednesday, April 25, 2007)]
[Senate]
[Pages S5093-S5095]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. DORGAN:
  S. 1208. A bill to provide additional security and privacy protection 
for social security account numbers; to the Committee on Finance.
  Mr. DORGAN. Mr. President, today I am introducing a piece of 
legislation called the ``Social Security Account Number Protection 
Act'' that would restrict the ability of companies to sell or purchase 
Social Security numbers.
  Let me describe why this legislation is so necessary.
  On February 15, 2005, Georgia-based data warehouser ChoicePoint 
disclosed that it had compromised the private customer data of 145,000 
individuals. Criminals posing as legitimate small business people had 
purchased files on about 145,000 people, some of whom were later 
defrauded.
  One of the critical pieces of information that ChoicePoint sold to 
these criminals was Social Security numbers. That's Social Security 
numbers of 145,000 people in all 50 states.
  Here is a statistic that I found incredible: Choice Point has 17,000 
business ``customers'' for such information. Can you imagine your 
Social Security number potentially being sold to 117,000 businesses? 
And that's just one of the companies that was selling databases that 
included Social Security numbers at the time.
  I bet that most Americans were surprised to find out that it was 
perfectly legal for companies to sell their Social Security numbers to 
tens of thousands of other companies. If you took a national survey and 
asked Americans this question: ``Do you think that private companies 
should have the ability to purchase and sell your Social Security 
number?'' I assure you that the answer would overwhelmingly be ``no.''
  In the 109th Congress, when the Senate Commerce Committee marked up 
S. 1408, the ID Theft Protection Act, I offered an amendment that very 
simply said that it should be illegal to sell or purchase Social 
Security numbers.
  This as a commonsense amendment, and it passed unanimously. The ID 
Theft Protection Act was reported by the Commerce Committee in December 
2005, but the bill did not make it to the Senate floor.
  But the problem of ID theft has not gone away. In its most recent 
survey, the Better Business Bureau estimated that approximately 8.9 
million Americans were victims of identity theft in 2006. The total 
U.S. annual identity fraud cost is an estimated $52.6 billion per year.
  We will shortly be marking up another ID theft bill in the 110th 
Congress, through the Commerce Committee. The bill the Commerce 
Committee is considering now does not have provisions restricting the 
sale or purchase of Social Security numbers, and I intend to offset an 
amendment to fix that, with the language that I am introducing as 
standalone legislation today.
  I should note that the FTC issued a report on ID theft just this 
month, which emphasized the importance of protecting Social Security 
numbers.
  The FTC report said the following about Social Security numbers: 
``Consumer information is the currency of identity theft, and perhaps 
the most valuable piece of information for the thief is the SSN. The 
SSN and a name can be used in many cases to open an account and obtain 
credit or other benefits in the victim's name.''
  In fact elsewhere in the report, the FTC underscored that Social 
Security numbers are ``the most valuable commodity for an identity 
thief.''
  One of the FTC's top recommendations was that federal agencies should 
reduce the unnecessary use of Social Security numbers.
  And it's clear that the FTC heard from many Americans who were 
unhappy with the widespread overuse of Social Security numbers. Indeed, 
the FTC report notes that one of the main concerns that Americans have 
in protecting their identity is ``the overuse of Social Security 
numbers as identifiers.''
  It stands to reason that the more that Social Security numbers are 
sold from one business to another for marketing and other commercial 
purposes, the greater the chance that the numbers will be lost, 
misplaced, stolen, leaked, or otherwise fall into the wrong hands.
  Now, I'll be the first to recognize that there are some instances 
where the use of Social security numbers is appropriate. So my 
amendment has a number of reasonable exceptions to the prohibition on 
the sale of Social Security numbers, for purposes such as national 
security, public health, law enforcement, administration of federal or 
state tax laws, credit reporting agencies, prevention and investigation 
of ID theft, and tracking of missing and abducted children.
  What's more, my bill allows an ``opt-in'' clause. That is, it allows 
individuals, if they so choose, to agree in writing to have their 
Social Security number sold or purchased by others--provided the 
individual provides his affirmative consent, and the individual is not 
obligated to provide the Social Security number as a condition for 
conducting a transaction.
  I think these are reasonable exemptions.
  I should add that in the 109th Congress, Senators Specter and Leahy 
also introduced S. 1332, a bill that similarly restricts the sale of 
Social Security numbers.
  So this is a bipartisan concept, and I hope that my legislation will 
have bipartisan support when it reaches the floor of the U.S. Senate.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 1208

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Social Security Account 
     Number Protection Act''.

     SEC. 2. SOCIAL SECURITY NUMBER PROTECTION.

       (a) Prohibition of Unnecessary Solicitation of Social 
     Security Numbers.--
       (1) In general.--Unless there is a specific use of a social 
     security account number for which no other identifier 
     reasonably can be used, a covered entity may not solicit a 
     social security account number from an individual except for 
     the following purposes:
       (A) For use in an identification, verification, accuracy, 
     or identity proofing process.
       (B) For any purpose permitted under the Fair Credit 
     Reporting Act (15 U.S.C. 1681 et seq.) or the Gramm-Leach-
     Bliley Act (15 U.S.C. 6802(e)).
       (C) To comply with the requirement of Federal, State, or 
     local law.
       (2) Exceptions.--Paragraph (1) does not apply to the 
     solicitation of a social security account number--
       (A) for the purpose of obtaining a consumer report for any 
     purpose permitted under the Fair Credit Reporting Act (15 
     U.S.C. 1681 et seq.),
       (B) by a consumer reporting agency for the purpose of 
     authenticating or obtaining appropriate proof of a consumer's 
     identity, as required under that Act;
       (C) for any purpose permitted under section 502(e) of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6802(e)); or
       (D) to the extent necessary for verifying the accuracy of 
     information submitted by an individual to a covered entity, 
     its agents, contractors, or employees or for the purpose of 
     authenticating or obtaining appropriate proof of an 
     individual's identity;
       (E) to identity or locate missing or abducted children, 
     witnesses, criminals, fugitives, parties to lawsuits, parents 
     delinquent in child support payments, organ and bone marrow 
     donors, pension fund beneficiaries, and missing heirs;
       (F) to the extent necessary to prevent, detect, or 
     investigate fraud, unauthorized transactions, or other 
     financial liability or to facilitate the enforcement of an 
     obligation of, or collection of a debt from, a consumer, 
     provided that the person selling, providing, displaying, or 
     obtaining the social security account number does not do so 
     for marketing purposes.
       (b) Prohibition of the Display of Social Security Numbers 
     on Employee Identification Cards, Etc.--
       (1) In general.--A covered entity may not display an 
     individual's security account number (or any derivative of 
     such number) on any card or tag that is commonly provided to 
     employees (or to their family members), faculty, staff, or 
     students for purposes of identification.
       (2) Driver's licenses.--A State may not display the social 
     security account number of an individual on driver's licenses 
     issued by that State.
       (c) Prohibition of Prisoner Access to Social Security 
     Numbers.--
       (1) In general.--Section 205(c)(2)(C) of the Social 
     Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at 
     the end the following:
       ``(x) No executive, legislative, or judicial agency or 
     instrumentality of the Federal Government or of a State or 
     political subdivision thereof (or person acting as an agent 
     of such an agency or instrumentality) may employ, or enter 
     into a contract for the use or employment of, prisoners in 
     any capacity that would allow such prisoners access to the 
     social security account numbers of other individuals. For 
     purposes of this clause, the term `prisoner' means an 
     individual who is confined in a jail, prison, or other penal 
     institution or correctional facility, serving

[[Page S5094]]

     community service as a term of probation or parole, or 
     serving a sentence through a work-furlough program.''.
       (2) Treatment of current arrangements.--In the case of--
       (A) prisoners employed as described in clause (x) of 
     section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 
     405(c)(2)(C)), as added by paragraph (1), on the date of 
     enactment of this Act: and
       (B) contracts described in such clause in effect on such 
     date,

     the amendment made by paragraph (1) shall take effect 90 days 
     after the date of enactment of this Act.
       (d) Prohibition of Sale and Display of Social Security 
     Numbers to the General Public.--
       (1) In general.--Except as provided in paragraph (2), it 
     shall be unlawful for any person--
       (A) to sell, purchase, or provide a social security account 
     number, to the general public or display to the general 
     public social security account numbers; or
       (B) to obtain or use any individual's social security 
     account number for the purpose of locating or identifying 
     such individual with the intent to physically injure or harm 
     such individual or using the identity of such individual for 
     any illegal purpose.
       (2) Exceptions.--Notwithstanding paragraph (1), and subject 
     to paragraph (3), a social security account number may be 
     sold, provided, displayed, or obtained by any person--
       (A) to the extent necessary for law enforcement or national 
     security purposes;
       (B) to the extent necessary for public health purposes;
       (C) to the extent necessary in emergency situations to 
     protect the health or safety of 1 or more individuals;
       (D) to the extent that the sale or display is required, 
     authorized, or permitted under any law of the United States 
     or of any State (or political subdivision thereof);
       (E) for any purposes allowed under the Fair Credit 
     Reporting Act (15 U.S.C. 1681 et seq.) or the Gramm-Leach-
     Bliley Act (15 U.S.C. 6802(e));
       (F) to the extent necessary for verifying the accuracy of 
     information submitted by an individual to a covered entity, 
     its agents, contractors, or employees or for the purpose of 
     authenticating or obtaining appropriate proof of the 
     individual's identity;
       (G) to the extent necessary to identify or locate missing 
     or abducted children, witnesses to an ongoing or potential 
     civil or criminal lawsuit, criminals, criminal suspects, 
     parties to lawsuits, parents delinquent in child support 
     payments, organ and bone marrow donors, pension fund 
     beneficiaries, missing heirs, and for similar legal, medical, 
     or family related purposes, if the person selling, providing, 
     displaying, or obtaining the social security account number 
     does not do so for marketing purposes;
       (H) to the extent necessary to prevent, detect, or 
     investigate fraud, unauthorized transactions, or other 
     financial liability or to facilitate the enforcement of an 
     obligation of, or collection of a debt from, a consumer, if 
     the person selling, providing, displaying, or obtaining the 
     social security account number does not do so for marketing 
     purposes;
       (I) to the extent the transmission of the number is 
     incidental to, and in the course of, the sale, lease, 
     franchising, or merger of all, or a portion of, a business; 
     or
       (J) to the extent necessary for research (other than market 
     research) conducted by an agency or instrumentality of the 
     United States or of a State or political subdivision thereof 
     (or an agent of such an agency or instrumentality) for the 
     purpose of advancing the public good, on the condition that 
     the researcher provides adequate assurances that--
       (i) the social security account numbers will not be used to 
     harass, target, or publicly reveal information concerning any 
     identifiable individuals;
       (ii) information about identifiable individuals obtained 
     from the research will not be used to make decisions that 
     directly affect the rights, benefits, or privileges of 
     specific individuals; and
       (iii) the researcher has in place appropriate safeguards to 
     protect the privacy and confidentiality of any information 
     about identifiable individuals, including procedures to 
     ensure that the social security account numbers will be 
     encrypted or otherwise appropriately secured from 
     unauthorized disclosure; or
       (K) to the extent that the transmission of the social 
     security account number is incidental to the sale or 
     provision of a document lawfully obtained from--
       (i) the Federal Government or a State or local government, 
     that the document has been made available to the general 
     public; or
       (ii) the document has been made available to the general 
     public via widely distributed media.
       (2) Limitation.--Paragraph (1)(K) does not apply to 
     information obtained from publicly available sources or from 
     Federal, State, or local government records if that 
     information is combined with information obtained from non-
     public sources.
       (3) Consensual sale.--Notwithstanding paragraph (1), a 
     social security account number assigned to an individual may 
     be sold, provided, or displayed to the general public by any 
     person to the extent consistent with such individual's 
     voluntary and affirmative written consent to the sale, 
     provision, or display of the social security account number 
     only if--
       (A) the terms of the consent and the right to refuse 
     consent are presented to the individual in a clear, 
     conspicuous, and understandable manner;
       (B) the individual is placed under no obligation to provide 
     consent to any such sale or display; and
       (C) the terms of the consent authorize the individual to 
     limit the sale, provision, or display to purposes directly 
     associated with the transaction with respect to which the 
     consent is sought.

     SEC. 3. ENFORCEMENT.

       (a) Enforcement by Commission.--Except as provided in 
     subsection (c), this Act shall be enforced by the Commission.
       (b) Violation is Unfair or Deceptive Act or Practice.--The 
     violation of any provision of this Act shall be treated as an 
     unfair or deceptive act or practice proscribed under a rule 
     issued under section 18(a)(1)(B) of the Federal Trade 
     Commission Act (15 U.S.C. 57a(a)(1)(B)).
       (c) Enforcement by Certain Other Agencies.--Compliance with 
     this Act shall be enforced exclusively under--
       (1) section 8 of the Federal Deposit Insurance Act (12 
     U.S.C. 1818), in the case of--
       (A) national banks, and Federal branches and Federal 
     agencies of foreign banks by the Office of the Comptroller of 
     the Currency;
       (B) member banks of the Federal Reserve System (other than 
     national banks), branches and agencies of foreign banks 
     (other than Federal branches, Federal agencies, and insured 
     State branches of foreign banks), commercial lending 
     companies owned or controlled by foreign banks, organizations 
     operating under section 25 or 25A of the Federal Reserve Act 
     (12 U.S.C. 601 and 611) by the Board of Governors of the 
     Federal Reserve System;
       (C) banks insured by the Federal Deposit Insurance 
     Corporation (other than members of the Federal Reserve 
     System), insured State branches of foreign banks by the Board 
     of Directors of the Federal Deposit Insurance Corporation; 
     and
       (D) savings associations the deposits of which are insured 
     by the Federal Deposit Insurance Corporation by the Director 
     of the Office of Thrift Supervision;
       (2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) 
     by the Board of the National Credit Union Administration 
     Board with respect to any Federal credit union;
       (3) the Securities and Exchange Act of 1934 (15 U.S.C. 78a 
     et seq.) by the Securities and Exchange Commission with 
     respect to--
       (A) a broker or dealer subject to that Act;
       (B) an investment company subject to the Investment Company 
     Act of 1940 (15 U.S.C. 80a-1 et seq.); and
       (C) an investment advisor subject to the Investment 
     Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.); and
       (4) State insurance law, in the case of any person engaged 
     in providing insurance, by the applicable State insurance 
     authority of the State in which the person is domiciled.
       (d) Exercise of Certain Powers.--For the purpose of the 
     exercise by any agency referred to in subsection (c) of its 
     powers under any Act referred to in that subsection, a 
     violation of this Act is deemed to be a violation of a 
     requirement imposed under that Act. In addition to its powers 
     under any provision of law specifically referred to in 
     subsection (c), each of the agencies referred to in that 
     subsection may exercise, for the purpose of 2enforcing 
     compliance with any requirement imposed under this Act, any 
     other authority conferred on it by law.
       (e) Other Authority Not Affected.--Nothing in this Act 
     shall be construed to limit or affect in any way the 
     Commission's authority to bring enforcement actions or take 
     any other measure under the Federal Trade Commission Act (15 
     U.S.C. 41 et seq.) or any other provision of law.
       (f) Compliance With Gramm-Leach-Bliley Act.--
       (1) Notice.--Any covered entity that is subject to the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6801 et. seq.), and gives 
     notice in compliance with the notification requirements 
     established for such covered entities under title V of that 
     Act is deemed to be in compliance with section 3 of this Act.
       (2) Safeguards.--Any covered entity that is subject to the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6801 et. seq.), and 
     fulfills the information protection requirements established 
     for such entities under title V of the Act and under section 
     607(a) of the Fair Credit Reporting Act (15 U.S.C. 1681e(a)) 
     to protect sensitive personal information shall be deemed to 
     be in compliance with section 2 of this Act.

     SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

       (a) In General.--Except as provided in section 3(c), a 
     State, as parens patriae, may bring a civil action on behalf 
     of its residents in an appropriate state or district court of 
     the United States to enforce the provisions of this Act, to 
     obtain damages, restitution, or other compensation on behalf 
     of such residents, or to obtain such further and other relief 
     as the court may deem appropriate, whenever the attorney 
     general of the State has reason to believe that the interests 
     of the residents of the State have been or are being 
     threatened or adversely affected by a covered entity that 
     violates this Act or a regulation under this Act.
       (b) Notice.--The State shall serve written notice to the 
     Commission (or other appropriate Federal regulator under 
     section 3) of any civil action under subsection (a) at least

[[Page S5095]]

     60 days prior to initiating such civil action. The notice 
     shall include a copy of the complaint to be filed to initiate 
     such civil action, except that if it is not feasible for the 
     State to provide such prior notice, the State shall provide 
     such notice immediately upon instituting such civil action.
       (c) Authority To Intervene.--Upon receiving the notice 
     required by subsection (b), the Commission (or other 
     appropriate Federal regulator under section 8) may intervene 
     in such civil action and upon intervening--
       (1) be heard on all matters arising in such civil action; 
     and
       (2) file petitions for appeal of a decision in such civil 
     action.
       (d) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this section shall 
     prevent the attorney general of a State from exercising the 
     powers conferred on the attorney general by the laws of such 
     State to conduct investigations or to administer oaths or 
     affirmations or to compel the attendance of witnesses or the 
     production of documentary and other evidence.
       (e) Venue; Service of Process.--In a civil action brought 
     under subsection (a)--
       (1) the venue shall be a judicial district in which--
       (A) the covered entity operates; or
       (B) the covered entity was authorized to do business;
       (2) process may be served without regard to the territorial 
     limits of the district or of the State in which the civil 
     action is instituted; and
       (3) a person who participated with a covered entity in an 
     alleged violation that is being litigated in the civil action 
     may be joined in the civil action without regard to the 
     residence of the person.
       (f) Limitation on State Action While Federal Action Is 
     Pending.--If the Commission (or other appropriate Federal 
     agency under section 3) has instituted a civil action or an 
     administrative action for violation of this Act, no State 
     attorney general, or official or agency of a State, may bring 
     an action under this subsection during the pendency of that 
     action against any defendant named in the complaint of the 
     Commission or the other agency for any violation of this Act 
     alleged in the complaint.

     SEC. 5. DEFINITIONS.

       In this Act:
       (1) Commission.--The term ``Commission'' means the Federal 
     Trade Commission.
       (2) Social security account number.--The term ``social 
     security account number'' means a social security account 
     number that contains more than 5 digits of the full 9-digit 
     number assigned by the Social Security Administration but 
     does not include social security account numbers to the 
     extent that they are included in a publicly available 
     information source, such as news reports, books, periodicals, 
     or directories or Federal, State, or local government 
     records.
                                 ______