[Congressional Record Volume 156, Number 104 (Wednesday, July 14, 2010)]
[Senate]
[Pages S5851-S5853]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
By Mr. CARPER (for himself and Mr. Bennett):
S. 3579. A bill to protect information relating to consumers, to
require notice of security breaches, and for other purposes; to the
Committee on Banking, Housing, and Urban Affairs.
Mr. CARPER. Mr. President, I rise today with my colleague Senator
Bennett to introduce an important and bipartisan piece of legislation
that will help protect Americans from identity and financial theft.
As you may have heard in the news, in 2009 Heartland Payment
Systems--a national company that processes payments for retailers and
restaurants located in nearly all 50 states--was hacked, leaving
possibly 100 million people at risk of identity fraud or financial
theft. These types of scenarios happen more than we would like and have
the potential to keep Americans from getting a loan, a new bank
account, or--in worst-case scenarios--from even paying the monthly
bills. This situation is simply unacceptable and this bill will help
address these serious problems.
Our bill requires entities such as financial institutions, retailers,
and Federal agencies to safeguard sensitive information before it is
compromised, investigate possible security breaches, and to notify
customers when there is a substantial risk of identity theft or account
fraud.
For example, these new requirements would apply to retailers who take
credit card information, data brokers who compile private information,
and government agencies that possess nonpublic personal information.
My colleague and I modeled our legislation after the data security
and breach-response regime established under the Gramm-Leach-Bliley Act
of 1999, and subsequent regulations. It also builds on existing law to
better ensure federal and state regulators comply with the law and to
make certain that data security procedures are uniformly applied.
Lastly, we need to replace the current patchwork of State and Federal
regulations for identity theft with a national law, like this one, that
provides uniform protections across the country. Our comprehensive
approach will better serve consumers by making it easier for businesses
and government agencies to take the steps necessary to adequately
protect all Americans from identity theft and account fraud.
I look forward to working with my colleagues to get this important
and necessary bill enacted before it is too late. I think everyone can
agree that our identities and bank accounts are some of the most
important aspects of our lives and that, if stolen, can at a minimum
make life extremely difficult.
Mr. President, I ask unanimous consent that the text of the bill be
printed in the Record.
There being no objection, the text of the bill was ordered to be
printed in the Record, as follows:
S. 3579
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Security Act of 2010''.
SEC. 2. DEFINITIONS.
For purposes of this Act, the following definitions shall
apply:
(1) Affiliate.--The term ``affiliate'' means any company
that controls, is controlled by, or is under common control
with another company.
(2) Agency.--The term ``agency'' has the same meaning as in
section 551(1) of title 5, United States Code.
(3) Breach of data security.--
(A) In general.--The term ``breach of data security'' means
the unauthorized acquisition of sensitive account information
or sensitive personal information.
(B) Exception for data that is not in usable form.--
(i) In general.--The term ``breach of data security'' does
not include the unauthorized acquisition of sensitive account
information or sensitive personal information that is
maintained or communicated in a manner that is not usable--
(I) to commit identity theft; or
(II) to make fraudulent transactions on financial accounts.
(ii) Rule of construction.--For purposes of this
subparagraph, information that is maintained or communicated
in a manner that is not usable includes any information that
is maintained or communicated in an encrypted, redacted,
altered, edited, or coded form.
(4) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(5) Consumer.--The term ``consumer'' means an individual.
(6) Consumer reporting agency that compiles and maintains
files on consumers on a nationwide basis.--The term
``consumer reporting agency that compiles and maintains files
on consumers on a nationwide basis'' has the same meaning as
in section 603(p) of the Fair Credit Reporting Act (15 U.S.C.
1681a(p)).
(7) Covered entity.--
(A) In general.--The term ``covered entity'' means any--
(i) entity, the business of which is engaging in financial
activities, as described in section 4(k) of the Bank Holding
Company Act of 1956 (12 U.S.C. 1843(k));
(ii) financial institution, including any institution
described in section 313.3(k) of title 16, Code of Federal
Regulations, as in effect on the date of enactment of this
Act;
(iii) entity that maintains or otherwise possesses
information that is subject to section 628 of the Fair Credit
Reporting Act (15 U.S.C. 1681w); or
(iv) other individual, partnership, corporation, trust,
estate, cooperative, association, or entity that maintains or
communicates sensitive account information or sensitive
personal information.
(B) Exception.--The term ``covered entity'' does not
include any agency or any other unit of Federal, State, or
local government or any subdivision of such unit.
(8) Financial institution.--The term ``financial
institution'' has the same meaning as in section 509 of the
Gramm-Leach-Bliley Act (15 U.S.C. 6809).
(9) Sensitive account information.--The term ``sensitive
account information'' means a financial account number
relating to a consumer, including a credit card number or
debit card number, in combination with any security code,
access code, password, or other personal identification
information required to access the financial account.
(10) Sensitive personal information.--
(A) In general.--The term ``sensitive personal
information'' means the first and last name, address, or
telephone number of a consumer, in combination with any of
the following relating to such consumer:
(i) Social security account number.
(ii) Driver's license number or equivalent State
identification number.
(iii) Taxpayer identification number.
(B) Exception.--The term ``sensitive personal information''
does not include publicly available information that is
lawfully made available to the general public from--
(i) Federal, State, or local government records; or
(ii) widely distributed media.
(11) Substantial harm or inconvenience.--
(A) In general.--The term ``substantial harm or
inconvenience'' means--
(i) material financial loss to, or civil or criminal
penalties imposed on, a consumer, due to the unauthorized use
of sensitive account information or sensitive personal
information relating to such consumer; or
(ii) the need for a consumer to expend significant time and
effort to correct erroneous information relating to the
consumer, including information maintained by a consumer
reporting agency, financial institution, or government
entity, in order to avoid material financial loss, increased
costs, or civil or criminal penalties, due to the
unauthorized use of sensitive account information or
sensitive personal information relating to such consumer.
(B) Exception.--The term ``substantial harm or
inconvenience'' does not include--
(i) changing a financial account number or closing a
financial account; or
(ii) harm or inconvenience that does not result from
identity theft or account fraud.
SEC. 3. PROTECTION OF INFORMATION AND SECURITY BREACH
NOTIFICATION.
(a) Security Procedures Required.--
(1) In general.--Each covered entity shall implement,
maintain, and enforce reasonable policies and procedures to
protect the confidentiality and security of sensitive account
information and sensitive personal information which is
maintained or is being communicated by or on behalf of a
covered entity, from the unauthorized use of such information
that is reasonably likely to result in substantial harm or
inconvenience to the consumer to whom such information
relates.
(2) Limitation.--Any policy or procedure implemented or
maintained under paragraph (1) shall be appropriate to the--
(A) size and complexity of a covered entity;
(B) nature and scope of the activities of such entity; and
(C) sensitivity of the consumer information to be
protected.
(b) Investigation Required.--
(1) In general.--If a covered entity determines that a
breach of data security has or may have occurred in relation
to sensitive account information or sensitive personal
information that is maintained or is being communicated by,
or on behalf of, such covered entity, the covered entity
shall conduct an investigation--
(A) to assess the nature and scope of the breach;
(B) to identify any sensitive account information or
sensitive personal information that may have been involved in
the breach; and
(C) to determine if such information is reasonably likely
to be misused in a manner causing substantial harm or
inconvenience to the consumers to whom the information
relates.
(2) Neural networks and information security programs.--In
determining the likelihood of misuse of sensitive account
information under paragraph (1)(C), a covered entity shall
consider whether any neural network or security program has
detected, or is likely to detect or prevent, fraudulent
transactions resulting from the breach of security.
(c) Notice Required.--If a covered entity determines under
subsection (b)(1)(C) that sensitive account information or
sensitive personal information involved in a breach of data
security is reasonably likely to be misused in a manner
causing substantial harm or inconvenience to the consumers to
whom the information relates, such covered entity, or a third
party acting on behalf of such covered entity, shall--
(1) notify, in the following order--
(A) the appropriate agency or authority identified in
section 5;
(B) an appropriate law enforcement agency;
(C) any entity that owns, or is obligated on, a financial
account to which the sensitive account information relates,
if the breach involves a breach of sensitive account
information;
(D) each consumer reporting agency that compiles and
maintains files on consumers on a nationwide basis, if the
breach involves sensitive personal information relating to
5,000 or more consumers; and
(E) all consumers to whom the sensitive account information
or sensitive personal information relates; and
(2) take reasonable measures to restore the security and
confidentiality of the sensitive account information or
sensitive personal information involved in the breach.
(d) Compliance.--
(1) In general.--A financial institution shall be deemed to
be in compliance with--
(A) subsection (a), and any regulations prescribed under
such subsection, if such institution maintains policies and
procedures to protect the confidentiality and security of
sensitive account information and sensitive personal
information that are consistent with the policies and
procedures of such institution that are designed to comply
with the requirements of section 501(b) of the Gramm-Leach-
Bliley Act (15 U.S.C. 6801(b)) and any regulations or
guidance prescribed under that section that are applicable to
such institution; and
(B) subsections (b) and (c), and any regulations prescribed
under such subsections, if such institution--
(i)(I) maintains policies and procedures to investigate and
provide notice to consumers of breaches of data security that
are consistent with the policies and procedures of such
institution that are designed to comply with the
investigation and notice requirements established by
regulations or guidance under section 501(b) of the Gramm-
Leach-Bliley Act (15 U.S.C. 6801(b)) that are applicable to
such institution; or
(II) is an affiliate of a bank holding company that
maintains policies and procedures to investigate and provide
notice to consumers of breaches of data security that are
consistent with the policies and procedures of a bank that is
an affiliate of such institution, and that bank's policies
and procedures are designed to comply with the investigation
and notice requirements established by any regulations or
guidance under section 501(b) of the Gramm-Leach-Bliley Act
(15 U.S.C. 6801(b)) that are applicable to that bank; and
(ii) provides for notice to the entities described under
subparagraphs (B), (C), and (D) of subsection (c)(1), if
notice is provided to consumers pursuant to the policies and
procedures of such institution described in clause (i).
(2) Definitions.--For purposes of this subsection, the
terms ``bank holding company'' and ``bank'' shall have the
same meaning given such terms under section 2 of the Bank
Holding Company Act of 1956 (12 U.S.C. 1841).
SEC. 4. IMPLEMENTING REGULATIONS.
(a) In General.--Except as provided under section 6, the
agencies and authorities identified in section 5, with
respect to the covered entities that are subject to the
respective enforcement authority of such agencies and
authorities, shall prescribe regulations to implement this
Act.
(b) Coordination.--Each agency and authority required to
prescribe regulations under subsection (a) shall consult and
coordinate with each other agency and authority identified in
section 5 so that, to the extent possible, the regulations
prescribed by each agency and authority are consistent and
comparable.
(c) Method of Providing Notice to Consumers.--The
regulations required under subsection (a) shall--
(1) prescribe the methods by which a covered entity shall
notify a consumer of a breach of data security under section
3; and
(2) allow a covered entity to provide such notice by--
(A) written, telephonic, or e-mail notification; or
(B) substitute notification, if providing written,
telephonic, or e-mail notification is not feasible due to--
(i) lack of sufficient contact information for the
consumers that must be notified; or
(ii) excessive cost to the covered entity.
(d) Content of Consumer Notice.--The regulations required
under subsection (a) shall--
(1) prescribe the content that shall be included in a
notice of a breach of data security that is required to be
provided to consumers under section 3; and
(2) require such notice to include--
(A) a description of the type of sensitive account
information or sensitive personal information involved in the
breach of data security;
(B) a general description of the actions taken by the
covered entity to restore the security and confidentiality of
the sensitive account information or sensitive personal
information involved in the breach of data security; and
(C) the summary of rights of victims of identity theft
prepared by the Commission under section 609(d) of the Fair
Credit Reporting Act (15 U.S.C. 1681g), if the breach of data
security involves sensitive personal information.
(e) Timing of Notice.--The regulations required under
subsection (a) shall establish standards for when a covered
entity shall provide any notice required under section 3.
(f) Law Enforcement Delay.--The regulations required under
subsection (a) shall allow a covered entity to delay
providing notice of a breach of data security to consumers
under section 3 if a law enforcement agency requests such a
delay in writing.
(g) Service Providers.--The regulations required under
subsection (a) shall--
(1) require any party that maintains or communicates
sensitive account information or sensitive personal
information on behalf of a covered entity to provide notice
to that covered entity if such party determines that a breach
of data security has, or may have, occurred with respect to
such information; and
(2) ensure that there is only 1 notification responsibility
with respect to a breach of data security.
(h) Timing of Regulations.--The regulations required under
subsection (a) shall--
(1) be issued in final form not later than 6 months after
the date of enactment of this Act; and
(2) take effect not later than 6 months after the date on
which they are issued in final form.
SEC. 5. ADMINISTRATIVE ENFORCEMENT.
(a) In General.--Section 3, and the regulations required
under section 4, shall be enforced exclusively under--
(1) section 8 of the Federal Deposit Insurance Act (12
U.S.C. 1818), in the case of--
(A) a national bank, a Federal branch or Federal agency of
a foreign bank, or any subsidiary thereof (other than a
broker, dealer, person providing insurance, investment
company, or investment adviser), by the Office of the
Comptroller of the Currency;
(B) a member bank of the Federal Reserve System (other than
a national bank), a branch or agency of a foreign bank (other
than a Federal branch, Federal agency, or insured State
branch of a foreign bank), a commercial lending company owned
or controlled by a foreign bank, an organization operating
under section 25 or 25A of the Federal Reserve Act (12 U.S.C.
601, 604), or a bank holding company and its nonbank
subsidiary or affiliate (other than a broker, dealer, person
providing insurance, investment company, or investment
adviser), by the Board of Governors of the Federal Reserve
System;
(C) a bank, the deposits of which are insured by the
Federal Deposit Insurance Corporation (other than a member of
the Federal Reserve System), an insured State branch of a
foreign bank, or any subsidiary thereof (other than a broker,
dealer, person providing insurance, investment company, or
investment adviser), by the Board of Directors of the Federal
Deposit Insurance Corporation; and
(D) a savings association, the deposits of which are
insured by the Federal Deposit Insurance Corporation, or any
subsidiary thereof (other than a broker, dealer, person
providing insurance, investment company, or investment
adviser), by the Director of the Office of Thrift
Supervision;
(2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.),
by the National Credit Union Administration Board with
respect to any federally insured credit union;
(3) the Securities Exchange Act of 1934 (15 U.S.C. 78a et
seq.), by the Securities and Exchange Commission with respect
to any broker or dealer;
(4) the Investment Company Act of 1940 (15 U.S.C. 80a-1 et
seq.), by the Securities and Exchange Commission with respect
to any investment company;
(5) the Investment Advisers Act of 1940 (15 U.S.C. 80b-1 et
seq.), by the Securities and Exchange Commission with respect
to any investment adviser registered with the Securities and
Exchange Commission under that Act;
(6) the Commodity Exchange Act (7 U.S.C. 1 et seq.), by the
Commodity Futures Trading Commission with respect to any
futures commission merchant, commodity trading advisor,
commodity pool operator, or introducing broker;
(7) the provisions of title XIII of the Housing and
Community Development Act of 1992 (12 U.S.C. 4501 et seq.),
by the Director of Federal Housing Enterprise Oversight (and
any successor to such functional regulatory agency) with
respect to the Federal National Mortgage Association, the
Federal Home Loan Mortgage Corporation, and any other entity
or enterprise (as defined in that title) subject to the
jurisdiction of such functional regulatory agency under that
title, including any affiliate of any such enterprise;
(8) State insurance law, in the case of any person engaged
in providing insurance, by the applicable State insurance
authority of the State in which the person is domiciled; and
(9) the Federal Trade Commission Act (15 U.S.C. 41 et
seq.), by the Commission for any other covered entity that is
not subject to the jurisdiction of any agency or authority
described under paragraphs (1) through (8).
(b) Extension of Federal Trade Commission Enforcement
Authority.--The authority of the Commission to enforce
compliance with section 3, and the regulations required under
section 4, under subsection (a)(8) shall--
(1) notwithstanding the Federal Aviation Act of 1958 (49
U.S.C. App. 1301 et seq.), include the authority to enforce
compliance by air carriers and foreign air carriers; and
(2) notwithstanding the Packers and Stockyards Act (7
U.S.C. 181 et seq.), include the authority to enforce
compliance by persons, partnerships, and corporations subject
to the provisions of that Act.
(c) No Private Right of Action.--
(1) In general.--This Act, and the regulations prescribed
under this Act, may not be construed to provide a private
right of action, including a class action with respect to any
act or practice regulated under this Act.
(2) Civil and criminal actions.--No civil or criminal
action relating to any act or practice governed under this
Act, or the regulations prescribed under this Act, shall be
commenced or maintained in any State court or under State
law, including a pendent State claim to an action under
Federal law.
SEC. 6. PROTECTION OF INFORMATION AT FEDERAL AGENCIES.
(a) Data Security Standards.--Each agency shall implement
appropriate standards relating to administrative, technical,
and physical safeguards--
(1) to insure the security and confidentiality of the
sensitive account information and sensitive personal
information that is maintained or is being communicated by,
or on behalf of, that agency;
(2) to protect against any anticipated threats or hazards
to the security of such information; and
(3) to protect against misuse of such information, which
could result in substantial harm or inconvenience to a
consumer.
(b) Security Breach Notification Standards.--Each agency
shall implement appropriate standards providing for
notification of consumers when such agency determines that
sensitive account information or sensitive personal
information that is maintained or is being communicated by,
or on behalf of, such agency--
(1) has been acquired without authorization; and
(2) is reasonably likely to be misused in a manner causing
substantial harm or inconvenience to the consumers to whom
the information relates.
SEC. 7. RELATION TO STATE LAW.
No requirement or prohibition may be imposed under the laws
of any State with respect to the responsibilities of any
person to--
(1) protect the security of information relating to
consumers that is maintained or communicated by, or on behalf
of, such person;
(2) safeguard information relating to consumers from
potential misuse;
(3) investigate or provide notice of the unauthorized
access to information relating to consumers, or the potential
misuse of such information for fraudulent, illegal, or other
purposes; or
(4) mitigate any loss or harm resulting from the
unauthorized access or misuse of information relating to
consumers.
SEC. 8. DELAYED EFFECTIVE DATE FOR CERTAIN PROVISIONS.
(a) Covered Entities.--Sections 3 and 7 shall take effect
on the later of--
(1) 1 year after the date of enactment of this Act; or
(2) the effective date of the final regulations required
under section 4.
(b) Agencies.--Section 6 shall take effect 1 year after the
date of enactment of this Act.