[Congressional Record Volume 155, Number 1 (Tuesday, January 6, 2009)]
[Senate]
[Pages S116-S119]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mrs. FEINSTEIN:
  S. 139. A bill to require Federal agencies, and persons engaged in 
interstate commerce, in possession of data containing sensitive 
personally identifiable information, to disclose any breach of such 
information; to the Committee on the Judiciary.
  Mrs. FEINSTEIN. Mr. President, I rise to introduce the Data Breach 
Notification Act.
  This is a commonsense bill that is aimed at protecting personal 
information and preventing identity theft. The bill would require 
businesses and government agencies to notify individuals when their 
sensitive personal information has been exposed in a data breach.
  As many of you know, I have been urging the Senate to adopt this 
legislation since 2003, when California first imposed a State 
notification requirement.
  That legislation has helped consumers in my State. Federal data 
breach law would provide uniformity and protect consumers throughout 
the country.
  With every year that passes, the evidence in support of this 
legislation has only continued to mount.
  The cost of identity theft is enormous--estimated at more than $50 
billion per year. Some of the costs fall on businesses and banks, which 
suffer losses from fraudulent transactions. Some of the costs are also 
borne by consumers, whose finances and credit ratings are disrupted.
  Since the beginning of 2005, over 240 million data records containing 
individuals' sensitive personal data have been exposed in data 
breaches.
  It seems that not a week goes by without news of another security 
breach that exposes names, addresses, birth dates, social security 
numbers, or other personal data.
  These breaches have spawned a vast online market in stolen 
identities. Today, each person whose identity is sold on the internet 
faces a high risk of becoming a victim of identity theft. Each of them 
faces the expensive and time-consuming nightmare of trying to restore 
their finances and credit ratings.
  According to a report by the Identity Theft Resource Center, the news 
media reported more than 620 breaches involving personal information 
during 2008. That works out to about one data security breach every 14 
hours--and those are just the ones that are big enough to be covered in 
the media.
  Recent reports of security breaches involving sensitive personal data 
point out the extent of the problem.
  In December 2008, during a website development project at the Florida 
Agency for Workforce Innovation, the Social Security numbers of more 
than a quarter of a million people were accidentally posted online.
  In August of last year, an employee working weekends at Countrywide 
copied customer records from an office computer and then sold the 
personal information of an estimated 2,000,000 mortgage applicants.
  In May of 2007, a breach at the Transportation Security 
Administration made the names, Social Security numbers, birth dates, 
payroll information, and bank account information of more than 100,000 
former employees vulnerable to theft or sale.
  In January of that same year, hackers accessed information held by 
TJX stores, including more than 45 million credit card numbers and more 
than 455,000 merchandise records containing customers' drivers license 
numbers.
  In May of 2006, there was a breach at the Department of Veterans 
Affairs that involved the names, birth dates, and Social Security 
numbers of every veteran discharged from the military since 1975--more 
than 28 million veterans--every veteran discharged from the military 
since 1975.
  Another disturbing example took place last year at the State 
Department when the passport files of Senator Clinton, Senator McCain, 
and Senator Obama--the three leading presidential contenders at the 
time--were accessed by contractors working for the Department. Though 
the Department knew about the breaches right away, several months 
passed before our colleagues were told about the problem.
  Unfortunately, this delay is not surprising--because there is 
currently nothing to require a Federal agency to tell us when a 
security breach affects our personal data.
  That needs to change. That's what my bill does.
  Specifically, this legislation requires the Federal Government and 
private businesses to notify individuals when there has been a security 
breach involving their sensitive personal data; ensures that the notice 
is provided without unreasonable delay; creates very limited exceptions 
to notification for national security and law enforcement purposes, and 
when law enforcement certifies that there is no significant risk of 
harm to the individual; establishes penalties against those who do not 
provide the required notice, to be enforced by the Federal and State 
attorneys general; and pre-empts State laws so that there is a single, 
nationwide notification requirement.
  Data security breaches have real consequences. For one thing, they 
are bad for business because they lead to a loss of confidence--
especially in online commerce. A 2005 survey for Consumer Reports 
showed that 25 percent of Internet users stopped shopping online 
because of fears about identity theft. Of people who still shopped 
online, 29 percent said that they had cut back on how often they buy 
products on the Internet.
  Data breaches also pose serious harms for consumers. A November 2007 
report from the Federal Trade Commission revealed that identity theft 
victims spent as much as $5,000 of their own money--and as many as 
1,200 hours of their time--recovering from the harm to their finances 
caused by identity theft.
  While not all data breaches lead to identity theft, the cost of 
stolen identities is so enormous that we should be doing everything we 
can to solve this problem.
  The situation requires action. While Congress has been slow to act, 
the States have not. In the almost 6 years since the California law 
took effect, 43 States, the District of Columbia, Puerto Rico, and the 
Virgin Islands have passed similar laws.
  A report issued by the Federal Trade Commission in December 2008 
noted that these State data breach notification laws have had several 
indirect benefits; many businesses across the country have strengthened 
their safeguard practices in order to avoid data breaches.
  By forcing companies to consider the potential cost and liability 
that may ensue if information is compromised in a data breach, these 
laws have the indirect benefit of motivating companies to reassess 
their need to collect personally identifiable information in the first 
place.
  The same benefits would flow from Federal legislation. Additionally, 
the Data Breach Notification Act would improve the law by creating a 
single, uniform national standard.
  A September 2008 report issued by the President's Identity Theft Task 
Force again emphasized the need for a unified Federal standard to 
replace the patchwork of varied state laws currently in place. The 
December 2008 FTC report made the same point.
  A Federal bill will simplify the process of compliance and 
notification for businesses, while ensuring that all consumers get the 
information they 
need as soon as possible when breaches happen.
  We have already waited too long. The Judiciary Committee endorsed 
this bill unanimously during the last Congress. The epidemic of data 
breaches in our nation continues unabated. This is a common-sense bill 
that we should take action on now.
  I urge the Senate to pass the Data Breach Notification Act to give 
Americans the information they need to protect themselves from identity 
theft.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                 S. 139

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Data Breach Notification 
     Act''.

     SEC. 2. NOTICE TO INDIVIDUALS.

       (a) In General.--Any agency, or business entity engaged in 
     interstate commerce, that uses, accesses, transmits, stores, 
     disposes of or collects sensitive personally identifiable 
     information shall, following the discovery of a security 
     breach of such information notify any resident of the United 
     States whose sensitive personally identifiable information 
     has been, or is reasonably believed to have been, accessed, 
     or acquired.
       (b) Obligation of Owner or Licensee.--
       (1) Notice to owner or licensee.--Any agency, or business 
     entity engaged in interstate commerce, that uses, accesses, 
     transmits, stores, disposes of, or collects sensitive 
     personally identifiable information that the agency or 
     business entity does not own or license shall notify the 
     owner or licensee of the information following the discovery 
     of a security breach involving such information.
       (2) Notice by owner, licensee or other designated third 
     party.--Nothing in this Act shall prevent or abrogate an 
     agreement between an agency or business entity required to 
     give notice under this section and a designated third party, 
     including an owner or licensee of the sensitive personally 
     identifiable information subject to the security breach, to 
     provide the notifications required under subsection (a).
       (3) Business entity relieved from giving notice.--A 
     business entity obligated to give notice under subsection (a) 
     shall be relieved of such obligation if an owner or licensee 
     of the sensitive personally identifiable information subject 
     to the security breach, or other designated third party, 
     provides such notification.
       (c) Timeliness of Notification.--
       (1) In general.--All notifications required under this 
     section shall be made without unreasonable delay following 
     the discovery by the agency or business entity of a security 
     breach.
       (2) Reasonable delay.--Reasonable delay under this 
     subsection may include any time necessary to determine the 
     scope of the security breach, prevent further disclosures, 
     and restore the reasonable integrity of the data system and 
     provide notice to law enforcement when required.
       (3) Burden of proof.--The agency, business entity, owner, 
     or licensee required to provide notification under this 
     section shall have the burden of demonstrating that all 
     notifications were made as required under this Act, including 
     evidence demonstrating the reasons for any delay.
       (d) Delay of Notification Authorized for Law Enforcement 
     Purposes.--
       (1) In general.--If a Federal law enforcement agency 
     determines that the notification required under this section 
     would impede a criminal investigation, such notification 
     shall be delayed upon written notice from such Federal law 
     enforcement agency to the agency or business entity that 
     experienced the breach.
       (2) Extended delay of notification.--If the notification 
     required under subsection (a) is delayed pursuant to 
     paragraph (1), an agency or business entity shall give notice 
     30 days after the day such law enforcement delay was invoked 
     unless a Federal law enforcement agency provides written 
     notification that further delay is necessary.
       (3) Law enforcement immunity.--No cause of action shall lie 
     in any court against any law enforcement agency for acts 
     relating to the delay of notification for law enforcement 
     purposes under this Act.

     SEC. 3. EXEMPTIONS.

       (a) Exemption for National Security and Law Enforcement.--
       (1) In general.--Section 2 shall not apply to an agency or 
     business entity if the agency or business entity certifies, 
     in writing, that notification of the security breach as 
     required by section 2 reasonably could be expected to--
       (A) cause damage to the national security; or
       (B) hinder a law enforcement investigation or the ability 
     of the agency to conduct law enforcement investigations.
       (2) Limits on certifications.--An agency or business entity 
     may not execute a certification under paragraph (1) to--
       (A) conceal violations of law, inefficiency, or 
     administrative error;
       (B) prevent embarrassment to a business entity, 
     organization, or agency; or
       (C) restrain competition.
       (3) Notice.--In every case in which an agency or business 
     entity issues a certification under paragraph (1), the 
     certification, accompanied by a description of the factual 
     basis for the certification, shall be immediately provided to 
     the United States Secret Service.
       (4) Secret service review of certifications.--
       (A) In general.--The United States Secret Service may 
     review a certification provided by an agency under paragraph 
     (3), and shall review a certification provided by a business 
     entity under paragraph (3), to determine whether an exemption 
     under paragraph (1) is merited. Such review shall be 
     completed not later than 10 business days after the date of 
     receipt of the certification, except as provided in paragraph 
     (5)(C).
       (B) Notice.--Upon completing a review under subparagraph 
     (A) the United States Secret Service shall immediately notify 
     the agency or business entity, in writing, of its 
     determination of whether an exemption under paragraph (1) is 
     merited.
       (C) Exemption.--The exemption under paragraph (1) shall not 
     apply if the United States Secret Service determines under 
     this paragraph that the exemption is not merited.
       (5) Additional authority of the secret service.--
       (A) In general.--In determining under paragraph (4) whether 
     an exemption under paragraph (1) is merited, the United 
     States Secret Service may request additional information from 
     the agency or business entity regarding the basis for the 
     claimed exemption, if such additional information is 
     necessary to determine whether the exemption is merited.
       (B) Required compliance.--Any agency or business entity 
     that receives a request for additional information under 
     subparagraph (A) shall cooperate with any such request.
       (C) Timing.--If the United States Secret Service requests 
     additional information under subparagraph (A), the United 
     States Secret Service shall notify the agency or business 
     entity not later than 10 business days after the date of 
     receipt of the additional information whether an exemption 
     under paragraph (1) is merited.
       (b) Safe Harbor.--
       (1) In general.--An agency or business entity shall be 
     exempt from the notice requirements under section 2, if--
       (A) a risk assessment concludes that there is no 
     significant risk that a security breach has resulted in, or 
     will result in, harm to the individual whose sensitive 
     personally identifiable information was subject to the 
     security breach;
       (B) without unreasonable delay, but not later than 45 days 
     after the discovery of a security breach (unless extended by 
     the United States Secret Service), the agency or business 
     entity notifies the United States Secret Service, in writing, 
     of--
       (i) the results of the risk assessment; and
       (ii) its decision to invoke the risk assessment exemption; 
     and
       (C) the United States Secret Service does not indicate, in 
     writing, and not later than 10 business days after the date 
     of receipt of the decision described in subparagraph (B)(ii), 
     that notice should be given.
       (2) Presumptions.--There shall be a presumption that no 
     significant risk of harm to the individual whose sensitive 
     personally identifiable information was subject to a security 
     breach if such information--
       (A) was encrypted; or
       (B) was rendered indecipherable through the use of best 
     practices or methods, such as redaction, access controls, or 
     other such mechanisms, that are widely accepted as an 
     effective industry practice, or an effective industry 
     standard.
       (c) Financial Fraud Prevention Exemption.--
       (1) In general.--A business entity will be exempt from the 
     notice requirement under section 2 if the business entity 
     utilizes or participates in a security program that--
       (A) is designed to block the use of the sensitive 
     personally identifiable information to initiate unauthorized 
     financial transactions before they are charged to the account 
     of the individual; and
       (B) provides for notice to affected individuals after a 
     security breach that has resulted in fraud or unauthorized 
     transactions.
       (2) Limitation.--The exemption by this subsection does not 
     apply if--
       (A) the information subject to the security breach includes 
     sensitive personally identifiable information, other than a 
     credit card number or credit card security code, of any type; 
     or
       (B) the information subject to the security breach includes 
     both the individual's credit card number and the individual's 
     first and last name.

     SEC. 4. METHODS OF NOTICE.

       An agency, or business entity shall be in compliance with 
     section 2 if it provides both:
       (1) Individual notice.--
       (A) Written notification to the last known home mailing 
     address of the individual in the records of the agency or 
     business entity;
       (B) telephone notice to the individual personally; or
       (C) e-mail notice, if the individual has consented to 
     receive such notice and the notice is consistent with the 
     provisions permitting electronic transmission of notices under 
     section 101 of the 
     Electronic Signatures in Global and National Commerce Act (15 
     U.S.C. 7001).
       (2) Media notice.--Notice to major media outlets serving a 
     State or jurisdiction, if the number of residents of such 
     State whose sensitive personally identifiable information 
     was, or is reasonably believed to have been, acquired by an 
     unauthorized person exceeds 5,000.

     SEC. 5. CONTENT OF NOTIFICATION.

       (a) In General.--Regardless of the method by which notice 
     is provided to individuals under section 4, such notice shall 
     include, to the extent possible--
       (1) a description of the categories of sensitive personally 
     identifiable information that was, or is reasonably believed 
     to have been, acquired by an unauthorized person;
       (2) a toll-free number--
       (A) that the individual may use to contact the agency or 
     business entity, or the agent of the agency or business 
     entity; and
       (B) from which the individual may learn what types of 
     sensitive personally identifiable information the agency or 
     business entity maintained about that individual; and
       (3) the toll-free contact telephone numbers and addresses 
     for the major credit reporting agencies.
       (b) Additional Content.--Notwithstanding section 10, a 
     State may require that a notice under subsection (a) shall 
     also include information regarding victim protection 
     assistance provided for by that State.

     SEC. 6. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING 
                   AGENCIES.

       If an agency or business entity is required to provide 
     notification to more than 5,000 individuals under section 
     2(a), the agency or business entity shall also notify all 
     consumer reporting agencies that compile and maintain files 
     on consumers on a nationwide basis (as defined in section 
     603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) 
     of the timing and distribution of the notices. Such notice 
     shall be given to the consumer credit reporting agencies 
     without unreasonable delay and, if it will not delay notice 
     to the affected individuals, prior to the distribution of 
     notices to the affected individuals.

     SEC. 7. NOTICE TO LAW ENFORCEMENT.

       (a) Secret Service.--Any business entity or agency shall 
     notify the United States Secret Service of the fact that a 
     security breach has occurred if--
       (1) the number of individuals whose sensitive personally 
     identifying information was, or is reasonably believed to 
     have been acquired by an unauthorized person exceeds 10,000;
       (2) the security breach involves a database, networked or 
     integrated databases, or other data system containing the 
     sensitive personally identifiable information of more than 
     1,000,000 individuals nationwide;
       (3) the security breach involves databases owned by the 
     Federal Government; or
       (4) the security breach involves primarily sensitive 
     personally identifiable information of individuals known to 
     the agency or business entity to be employees and contractors 
     of the Federal Government involved in national security or 
     law enforcement.
       (b) Notice to Other Law Enforcement Agencies.--The United 
     States Secret Service shall be responsible for notifying--
       (1) the Federal Bureau of Investigation, if the security 
     breach involves espionage, foreign counterintelligence, 
     information protected against unauthorized disclosure for 
     reasons of national defense or foreign relations, or 
     Restricted Data (as that term is defined in section 11y of 
     the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for 
     offenses affecting the duties of the United States Secret 
     Service under section 3056(a) of title 18, United States 
     Code;
       (2) the United States Postal Inspection Service, if the 
     security breach involves mail fraud; and
       (3) the attorney general of each State affected by the 
     security breach.
       (c) Timing of Notices.--The notices required under this 
     section shall be delivered as follows:
       (1) Notice under subsection (a) shall be delivered as 
     promptly as possible, but not later than 14 days after 
     discovery of the events requiring notice.
       (2) Notice under subsection (b) shall be delivered not 
     later than 14 days after the United States Secret Service 
     receives notice of a security breach from an agency or 
     business entity.

     SEC. 8. ENFORCEMENT.

       (a) Civil Actions by the Attorney General.--The Attorney 
     General may bring a civil action in the appropriate United 
     States district court against any business entity that 
     engages in conduct constituting a violation of this Act and, 
     upon proof of such conduct by a preponderance of the 
     evidence, such business entity shall be subject to a civil 
     penalty of not more than $1,000 per day per individual whose 
     sensitive personally identifiable information was, or is 
     reasonably believed to have been, accessed or acquired by an 
     unauthorized person, up to a maximum of $1,000,000 per 
     violation, unless such conduct is found to be willful or 
     intentional.
       (b) Injunctive Actions by the Attorney General.--
       (1) In general.--If it appears that a business entity has 
     engaged, or is engaged, in any act or practice constituting a 
     violation of this Act, the Attorney General may petition an 
     appropriate district court of the United States for an 
     order--
       (A) enjoining such act or practice; or
       (B) enforcing compliance with this Act.
       (2) Issuance of order.--A court may issue an order under 
     paragraph (1), if the court finds that the conduct in 
     question constitutes a violation of this Act.
       (c) Other Rights and Remedies.--The rights and remedies 
     available under this Act are cumulative and shall not affect 
     any other rights and remedies available under law.
       (d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit 
     Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended by 
     inserting ``, or evidence that the consumer has received 
     notice that the consumer's financial information has or may 
     have been compromised,'' after ``identity theft report''.

     SEC. 9. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

       (a) In General.--
       (1) Civil actions.--In any case in which the attorney 
     general of a State or any State or local law enforcement 
     agency authorized by the State attorney general or by State 
     statute to prosecute violations of consumer protection law, 
     has reason to believe that an interest of the residents of 
     that State has been or is threatened or adversely affected by 
     the engagement of a business entity in a practice that is 
     prohibited under this Act, the State or the State or local 
     law enforcement agency on behalf of the residents of the 
     agency's jurisdiction, may bring a civil action on behalf of 
     the residents of the State or jurisdiction in a district 
     court of the United States of appropriate jurisdiction or any 
     other court of competent jurisdiction, including a State 
     court, to--
       (A) enjoin that practice;
       (B) enforce compliance with this Act; or
       (C) obtain civil penalties of not more than $1,000 per day 
     per individual whose sensitive personally identifiable 
     information was, or is reasonably believed to have been, 
     accessed or acquired by an unauthorized person, up to a 
     maximum of $1,000,000 per violation, unless such conduct is 
     found to be willful or intentional.
       (2) Notice.--
       (A) In general.--Before filing an action under paragraph 
     (1), the attorney general of the State involved shall provide 
     to the Attorney General of the United States--
       (i) written notice of the action; and
       (ii) a copy of the complaint for the action.
       (B) Exemption.--
       (i) In general.--Subparagraph (A) shall not apply with 
     respect to the filing of an action by an attorney general of 
     a State under this Act, if the State attorney general 
     determines that it is not feasible to provide the notice 
     described in such subparagraph before the filing of the 
     action.
       (ii) Notification.--In an action described in clause (i), 
     the attorney general of a State shall provide notice and a 
     copy of the complaint to the Attorney General at the time the 
     State attorney general files the action.
       (b) Federal Proceedings.--Upon receiving notice under 
     subsection (a)(2), the Attorney General shall have the right 
     to--
       (1) move to stay the action, pending the final disposition 
     of a pending Federal proceeding or action;
       (2) initiate an action in the appropriate United States 
     district court under section 8 and move to consolidate all 
     pending actions, including State actions, in such court;
       (3) intervene in an action brought under subsection (a)(2); 
     and
       (4) file petitions for appeal.
       (c) Pending Proceedings.--If the Attorney General has 
     instituted a proceeding or action for a violation of this Act 
     or any regulations thereunder, no attorney general of a State 
     may, during the pendency of such proceeding or action, bring 
     an action under this Act against any defendant named in such 
     criminal proceeding or civil action for any violation that is 
     alleged in that proceeding or action.
       (d) Rule of Construction.--For purposes of bringing any 
     civil action under subsection (a), nothing in this Act 
     regarding notification shall be construed to prevent an 
     attorney general of a State from exercising the powers 
     conferred on such attorney general by the laws of that State 
     to--
       (1) conduct investigations;
       (2) administer oaths or affirmations; or
       (3) compel the attendance of witnesses or the production of 
     documentary and other evidence.
       (e) Venue; Service of Process.--
       (1) Venue.--Any action brought under subsection (a) may be 
     brought in--
       (A) the district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code; or
       (B) another court of competent jurisdiction.
       (2) Service of process.--In an action brought under 
     subsection (a), process may be served in any district in 
     which the defendant--
       (A) is an inhabitant; or
       (B) may be found.
       (f) No Private Cause of Action.--Nothing in this Act 
     establishes a private cause of action against a business 
     entity for violation of any provision of this Act.

     SEC. 10. EFFECT ON FEDERAL AND STATE LAW.

       The provisions of this Act shall supersede any other 
     provision of Federal law or any provision of law of any State 
     relating to notification by a business entity engaged in 
     interstate commerce or an agency of a security breach, except 
     as provided in section 5(b).

     SEC. 11. AUTHORIZATION OF APPROPRIATIONS.

       There are authorized to be appropriated such sums as may be 
     necessary to cover the costs incurred by the United States 
     Secret Service to carry out investigations and risk 
     assessments of security breaches as required under this Act.

     SEC. 12. REPORTING ON RISK ASSESSMENT EXEMPTIONS.

       (a) In General.--The United States Secret Service shall 
     report to Congress not later than 18 months after the date of 
     enactment of this Act, and upon the request by Congress 
     thereafter, on--
       (1) the number and nature of the security breaches 
     described in the notices filed by those business entities 
     invoking the risk assessment exemption under section 3(b) of 
     this Act and the response of the United States Secret Service 
     to such notices; and
       (2) the number and nature of security breaches subject to 
     the national security and law enforcement exemptions under 
     section 3(a) of this Act.
       (b) Report.--Any report submitted under subsection (a) 
     shall not disclose the contents of any risk assessment 
     provided to the United States Secret Service under this Act.

     SEC. 13. DEFINITIONS.

       In this Act, the following definitions shall apply:
       (1) Agency.--The term ``agency'' has the same meaning given 
     such term in section 551 of title 5, United States Code.
       (2) Affiliate.--The term ``affiliate'' means persons 
     related by common ownership or by corporate control.
       (3) Business entity.--The term ``business entity'' means 
     any organization, corporation, trust, partnership, sole 
     proprietorship, unincorporated association, venture 
     established to make a profit, or nonprofit, and any 
     contractor, subcontractor, affiliate, or licensee thereof 
     engaged in interstate commerce.
       (4) Encrypted.--The term ``encrypted''--
       (A) means the protection of data in electronic form, in 
     storage or in transit, using an encryption technology that 
     has been adopted by an established standards setting body 
     which renders such data indecipherable in the absence of 
     associated cryptographic keys necessary to enable decryption 
     of such data; and
       (B) includes appropriate management and safeguards of such 
     cryptographic keys so as to protect the integrity of the 
     encryption.
       (5) Personally identifiable information.--The term 
     ``personally identifiable information'' means any 
     information, or compilation of information, in electronic or 
     digital form serving as a means of identification, as defined 
     by section 1028(d)(7) of title 18, United States Code.
       (6) Security breach.--
       (A) In general.--The term ``security breach'' means 
     compromise of the security, confidentiality, or integrity of 
     computerized data through misrepresentation or actions that 
     result in, or there is a reasonable basis to conclude has 
     resulted in, acquisition of or access to sensitive personally 
     identifiable information that is unauthorized or in excess of 
     authorization.
       (B) Exclusion.--The term ``security breach'' does not 
     include--
       (i) a good faith acquisition of sensitive personally 
     identifiable information by a business entity or agency, or 
     an employee or agent of a business entity or agency, if the 
     sensitive personally identifiable information is not subject 
     to further unauthorized disclosure; or
       (ii) the release of a public record not otherwise subject 
     to confidentiality or nondisclosure requirements.
       (7) Sensitive personally identifiable information.--The 
     term ``sensitive personally identifiable information'' means 
     any information or compilation of information, in electronic 
     or digital form that includes--
       (A) an individual's first and last name or first initial 
     and last name in combination with any 1 of the following data 
     elements:
       (i) A non-truncated social security number, driver's 
     license number, passport number, or alien registration 
     number.
       (ii) Any 2 of the following:

       (I) Home address or telephone number.
       (II) Mother's maiden name, if identified as such.
       (III) Month, day, and year of birth.

       (iii) Unique biometric data such as a finger print, voice 
     print, a retina or iris image, or any other unique physical 
     representation.
       (iv) A unique account identifier, electronic identification 
     number, user name, or routing code in combination with any 
     associated security code, access code, or password that is 
     required for an individual to obtain money, goods, services 
     or any other thing of value; or
       (B) a financial account number or credit or debit card 
     number in combination with any security code, access code or 
     password that is required for an individual to obtain credit, 
     withdraw funds, or engage in a financial transaction.

     SEC. 14. EFFECTIVE DATE.

       This Act shall take effect on the expiration of the date 
     which is 90 days after the date of enactment of this Act.
                                 ______