[House Report 110-191]
[From the U.S. Government Publishing Office]
110th Congress Rept. 110-191
HOUSE OF REPRESENTATIVES
1st Session Part 1
======================================================================
SOCIAL SECURITY NUMBER PROTECTION ACT OF 2007
_______
June 13, 2007.--Ordered to be printed
_______
Mr. Dingell, from the Committee on Energy and Commerce, submitted the
following
R E P O R T
[To accompany H.R. 948]
[Including cost estimate of the Congressional Budget Office]
The Committee on Energy and Commerce, to whom was referred
the bill (H.R. 948) to strengthen the authority of the Federal
Government to protect individuals from certain acts and
practices in the sale and purchase of Social Security numbers
and Social Security account numbers, and for other purposes,
having considered the same, report favorably thereon with an
amendment and recommend that the bill as amended do pass.
CONTENTS
Page
Amendment........................................................ 2
Purpose and Summary.............................................. 5
Background and Need for Legislation.............................. 5
Hearings......................................................... 7
Committee Consideration.......................................... 8
Committee Votes.................................................. 8
Committee Oversight Findings..................................... 8
Statement of General Performance Goals and Objectives............ 8
New Budget Authority, Entitlement Authority, and Tax Expenditures 8
Earmarks and Tax and Tariff Benefits............................. 8
Committee Cost Estimate.......................................... 8
Congressional Budget Office Estimate............................. 8
Federal Mandates Statement....................................... 11
Advisory Committee Statement..................................... 11
Constitutional Authority Statement............................... 11
Applicability to Legislative Branch.............................. 11
Section-by-Section Analysis of the Legislation................... 11
Changes in Existing Law Made by the Bill, as Reported............ 14
AMENDMENT
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Social Security Number Protection Act
of 2007''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Person.--The term ``person'' means any individual,
partnership, corporation, trust, estate, cooperative,
association, or any other entity.
(3) Sale.--The term ``sale'' means obtaining, directly or
indirectly, anything of value in exchange for a Social Security
number. Such term does not include the submission of such
numbers as part of the process for applying for any type of
Government benefit or programs (such as grant or loan
applications or welfare or other public assistance programs).
Such term also does not include transfers of such numbers as
part of a data matching program under the Computer Matching and
Privacy Protection Act.
(4) Purchase.--The term ``purchase'' means providing directly
or indirectly, anything of value in exchange for a Social
Security number. Such term does not include the submission of
such numbers as part of the process for applying for any type
of Government benefit or programs (such as grant or loan
applications or welfare or other public assistance programs).
Such term also does not include transfers of such numbers as
part of a data matching program under the Computer Matching and
Privacy Protection Act.
(5) Social security number.--The term ``Social Security
number'' means the social security account number assigned to
an individual under section 205(c)(2)(B) of the Social Security
Act (42 U.S.C. 405(c)(2)(B)).
(6) State.--The term ``State'' means any State of the United
States, the District of Columbia, Puerto Rico, the Northern
Mariana Islands, the United States Virgin Islands, Guam,
American Samoa, and any territory or possession of the United
States.
SEC. 3. PROHIBITION ON CERTAIN USES OF SOCIAL SECURITY NUMBERS.
(a) Prohibition.--Except as provided under regulations issued by the
Commission under subsection (c), it shall be unlawful for any person
to--
(1) intentionally display the Social Security number of
another individual on a website that is generally accessible to
the public or provide an individual with access to the Social
Security number of another individual through the Internet;
(2) require an individual who is customer of or member
associated with such person to use that individual's Social
Security number as a password for access to any good or
service, including access to any account of that individual or
any protected access website; or
(3) display the Social Security number of any individual on
any membership or identity card issued by such person.
(b) Enforcement.--A violation of subsection (a) shall be treated as
an unfair and deceptive act or practice in violation of a regulation
under section 18(a)(1)(B) of the Federal Trade Commission Act (15
U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
The Commission shall enforce this section in the same manner, by the
same means, and with the same jurisdiction, powers, and duties as
though all applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a
part of this section. Any person who violates subsection (a) shall be
subject to the penalties and entitled to the privileges and immunities
provided in that Act.
(c) Exceptions.--Not later than 9 months after the date of enactment
of this Act, the Commission shall promulgate rules providing for any
exceptions to the prohibition in subsection (a) for circumstances which
the Commission considers appropriate and consistent with the public
interest, the protection of consumers, and the purposes of this Act.
SEC. 4. REGULATION OF THE SALE AND PURCHASE OF SOCIAL SECURITY NUMBERS.
(a) Prohibition.--It shall be unlawful for any person to sell or
purchase a Social Security number in a manner that violates a
regulation promulgated by the Commission under subsection (b) of this
section.
(b) Regulations.--
(1) Restrictions authorized.--The Commission, after
consultation with the Commissioner of Social Security, the
Attorney General, and other agencies as the Commission deems
appropriate, shall promulgate regulations restricting the sale
and purchase of Social Security numbers and any unfair or
deceptive acts or practices in connection with the sale and
purchase of Social Security numbers.
(2) Limitations on restrictions.--In promulgating such
regulations, the Commission shall impose restrictions and
conditions on the sale and purchase of Social Security numbers
that are no broader than necessary--
(A) to provide reasonable assurance that Social
Security numbers will not be used to commit or
facilitate fraud, deception, or crime; and
(B) to prevent an undue risk of bodily, emotional, or
financial harm to individuals.
For purposes of subparagraph (B), the Commission shall consider
the nature, likelihood, and severity of the anticipated harm;
the nature, likelihood, and extent of any benefits that could
be realized from the sale or purchase of the numbers; and any
other relevant factors.
(3) Exceptions.--The regulations promulgated pursuant to
paragraph (1) shall include exceptions which permit the sale
and purchase of Social Security numbers--
(A) to the extent necessary for law enforcement or
national security purposes;
(B) to the extent necessary for public health
purposes;
(C) to the extent necessary in emergency situations
to protect the health or safety of 1 or more
individuals;
(D) to the extent necessary for research conducted
for the purpose of advancing public knowledge, on the
condition that the researcher provides adequate
assurances that--
(i) the Social Security numbers will not be
used to harass, target, or publicly reveal
information concerning any identifiable
individuals;
(ii) information about identifiable
individuals obtained from the research will not
be used to make decisions that directly affect
the rights, benefits, or privileges of specific
individuals; and
(iii) the researcher has in place appropriate
safeguards to protect the privacy and
confidentiality of any information about
identifiable individuals;
(E) to the extent consistent with an individual's
voluntary and affirmative written consent to the sale
or purchase of a Social Security number that has been
assigned to that individual;
(F) to the extent necessary for legitimate consumer
credit verification, if the Social Security numbers
used for such verification are redacted in accordance
with uniform redaction standards established by the
Commission in such regulations; and
(G) under other appropriate circumstances as the
Commission may determine and as are consistent with the
principles in paragraph (2).
(c) Rulemaking.--
(1) Deadline for action.--Not later than 1 year after the
date of enactment of this Act, the Commission shall promulgate
the regulations under subsection (b) of this section, in
accordance with section 553 of title 5, United States Code.
(2) Effective dates.--Subsection (a) and the regulations
promulgated under subsection (b) shall take effect 30 days
after the date on which the final regulations issued under this
section are published in the Federal Register.
(d) Enforcement.--Any violation of a regulation promulgated under
subsection (b) of this section shall be treated as a violation of a
regulation under section 18(a)(1)(B) of the Federal Trade Commission
Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or
practices.
(e) Administration and Enforcement.--
(1) The commission.--The Commission shall prevent any person
from violating this section, and any regulation promulgated
thereunder, in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all applicable
terms and provisions of the Federal Trade Commission Act (15
U.S.C. 41 et seq.) were incorporated into and made a part of
this Act. Any person who violates such regulation shall be
subject to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission Act (15
U.S.C. 41 et seq.) as though all applicable terms and
provisions of the Federal Trade Commission Act (15 U.S.C. 41 et
seq.) were incorporated into and made a part of this Act.
Nothing contained in this Act shall be construed to limit the
authority of the Commission under any other provision of law.
(2) Actions by states.--
(A) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an
interest of the residents of that State has been or is
threatened or adversely affected by an act or practice
that violates any regulation of the Commission
promulgated under subsection (b), the State, as parens
patriae, may bring a civil action on behalf of the
residents of the State in a district court of the
United States of appropriate jurisdiction, to--
(i) enjoin that act or practice;
(ii) enforce compliance with the regulation;
(iii) obtain civil penalties in an amount of
$11,000 per violation not to exceed a total of
$5,000,000; or
(iv) obtain such other legal and equitable
relief as the district court may consider to be
appropriate.
Before filing an action under this subsection, the
attorney general of the State involved shall provide to
the Commission and to the Attorney General a written
notice of that action and a copy of the complaint for
that action. If the State attorney general determines
that it is not feasible to provide the notice described
in this subparagraph before the filing of the action,
the State attorney general shall provide the written
notice and the copy of the complaint to the Commission
and to the Attorney General as soon after the filing of
the complaint as practicable.
(B) Commission and attorney general authority.--On
receiving notice under subparagraph (A), the Commission
and the Attorney General each shall have the right--
(i) to move to stay the action, pending the
final disposition of a pending Federal matter
as described in subparagraph (c);
(ii) to intervene in an action under clause
(I);
(iii) upon so intervening, to be heard on all
matters arising therein; and
(iv) to file petitions for appeal.
(C) Pending criminal proceedings.--If the Attorney
General has instituted a criminal proceeding or the
Commission has instituted a civil action for a
violation of this Act or any regulations thereunder, no
State may, during the pendency of such proceeding or
action, bring an action under this section against any
defendant named in the criminal proceeding or civil
action for any violation of this section that is
alleged in that proceeding or action.
(D) Rule of construction.--For purposes of bringing
any civil action under subparagraph (A), nothing in
this Act shall be construed to prevent an attorney
general of a State from exercising the powers conferred
on the attorney general by the laws of that State to
conduct investigations, administer oaths and
affirmations, or compel the attendance of witnesses or
the production of documentary and other evidence.
(E) Venue; service of process.--Any action brought
under this section may be brought in any district court
of the United States that meets applicable requirements
relating to venue under section 1391 of title 28,
United States Code. In an action brought under this
section, process may be served in any district in which
the defendant is an inhabitant or may be found.
SEC. 5. STUDY ON FEASIBILITY OF BANNING SOCIAL SECURITY AS AN
AUTHENTICATOR.
(a) Study.--The Commission shall conduct a study to determine--
(1) the extent of the use of Social Security numbers as a
primary means of authenticating identity;
(2) the extent of the use of Social Security numbers for
verification in commercial transactions; and
(3) the feasibility of a prohibition on such use.
The study shall also examine possible alternatives to Social Security
numbers for verification purposes and uses in authenticating identity.
(b) Report.--The Commission shall transmit to Congress a report of
the study, including any recommendations, not later than 1 year after
the date of the enactment of this Act.
SEC. 6. EFFECT ON OTHER LAWS.
This Act supersedes any provision of a statute, regulation, or rule
of a State or political subdivision of a State that expressly--
(1) prohibits the uses of Social Security numbers described
in section 3(a); or
(2) restricts or prohibits the sale or purchase of Social
Security numbers in a manner similar to the regulations
promulgated under section 4(b).
PURPOSE AND SUMMARY
The purpose of H.R. 948, the Social Security Number
Protection Act of 2007, is to prohibit the public display and
the purchase and sale of citizens' Social Security numbers in
interstate commerce in violation of rules to be promulgated by
the Federal Trade Commission (FTC). H.R. 948 makes it unlawful
to intentionally display Social Security numbers on a Web site
or to provide access thereto through the Internet, to display
Social Security numbers on membership or identity cards, or to
require customers to use Social Security numbers as passwords
for access to any goods or services, account, or protected
access Web site. H.R. 948 also requires the FTC to promulgate
rules within one year, after consultation with the Attorney
General and Commissioner of Social Security, restricting the
sale and purchase of Social Security numbers. The regulations
should be broad enough to prevent Social Security numbers from
being used to commit fraud, deception, or crime, and prevent
risk of bodily, emotional, or financial harm to individuals.
H.R. 948 requires, however, certain exemptions from the
prohibition for legitimate purposes including emergencies,
public health, and law enforcement.
BACKGROUND AND NEED FOR LEGISLATION
Consumer transactions account for more than two-thirds of
the U.S. gross domestic product at this time, and information
sharing is of particular importance to the U.S. economy. The
exchange of information among businesses is linked to broad
economic benefits, including the widespread availability and
low cost of consumer credit, based in part upon real time
authentication and verification. Notwithstanding the benefits
of information sharing, however, consumers, businesses, and
governmental entities have begun to focus on the privacy
implications of information practices. The same technological
advances in information networks that benefit consumers are
increasingly misused for purposes that can harm consumers when
information is accessible to unauthorized parties.
Adopting fair information practices became more common
among businesses in the mid 1990s. The common elements of fair
information practices are: notice, choice, access, security,
and enforcement. There is wide variance in the extent to which
businesses adhere to these information practices. Even among
the entities that have embraced these fair information
practices, there is disagreement about the right mix of self-
regulation, legislation, and technology in protecting privacy.
Historically, Congress has taken a sector-by-sector
approach to privacy and has mandated discrete protections for
certain personal information used for commercial purposes, upon
a showing that a particular use harmed or threatened to harm
the American consumer. This industry-by-industry approach
differs from the comprehensive approach attempted by other
nations, such as the European Union's Data Protection
Directive. Together those sector specific statutes encompass a
significant portion of U.S. commercial activity, though they
are significantly different in the protections afforded to
consumers. The following is a small sample of Federal statutes
addressing the issue of information privacy: the Children's
Online Privacy Protection Act, the Cable Communications Policy
Act, the Telecommunications Act of 1996, the Telephone Consumer
Protection Act, the Electronic Communications Privacy Act, the
Health Insurance Portability Protection Act, the Fair Credit
Reporting Act, the Gramm-Leach-Bliley Act, the Family
Educational Rights and Privacy Act, the Video Privacy
Protection Act, the Driver's Privacy Protection Act, and
wiretap statutes.
The need to address privacy concerns has grown
exponentially with the prevalence of digitized personal
information that can be stored, transferred, and theoretically
accessed by limitless parties depending on the data safeguards
or protections. Such information sharing may require the
authentication and validation of individuals' identities. In
many cases, individuals' Social Security numbers have become
the default identifier.
Originally created by the Federal Government to administer
the Social Security program, the numbers were intended only to
track employee contributions to the system and administer
benefits but were prohibited from any other use. Congress later
authorized the use of Social Security numbers as taxpayer
identification numbers for the IRS. Over time, however, the
numbers have become default identification and verification for
many other purposes. The Federal Government requires virtually
every individual in the United States to obtain and maintain a
Social Security number in order to pay taxes, to qualify for
Social Security benefits, or to seek employment. An unintended
consequence of these requirements is that Social Security
numbers have become tools that can be used to facilitate crime,
fraud, and invasions of the privacy of the individuals to whom
the numbers are assigned. Because the Federal Government
created and maintains this system, and because the Federal
Government does not permit persons to exempt themselves from
those requirements, the Committee finds it is appropriate for
the Government to take steps to stem the abuse of this system.
The Committee notes that Congress attempted to limit the
use of Social Security numbers with the passage of the Privacy
Act of 1974. This law applied only to government agencies,
however, and did not restrict the private sector. As a result
of the lack of restrictions, Social Security numbers have
become synonymous with an individual's identity as the number
is tied directly to nearly all financial accounts, as well as
patient records of health-care providers and other business
entities. While there are clear benefits associated with the
ability to authenticate and verify an individual--including the
provision of instantaneous credit, combating fraudulent
transactions, and accurately identifying or locating
individuals whose name has changed and is otherwise unable to
be located--the Social Security number has become the
singularly most important means of identifying and
authenticating an individual, increasing its value in the eyes
of identity thieves and fraudsters.
The Committee finds that the inappropriate sale or purchase
of Social Security numbers is a significant factor in a growing
range of illegal activities, including fraud, identity theft,
and, in some cases, stalking and other violent crimes. It is
the identifying information associated with a Social Security
number that presents the largest potential threats to
individuals. Because an individual's information is linked to
the Social Security number, access to the Social Security
number opens the individuals' identity and related information
to the possibility of the information being available to
unauthorized parties or for unauthorized purposes. The
Committee found that this can facilitate the commission of
criminal activities and also can result in serious invasions of
individual privacy.
The Committee seeks to stop the unauthorized access to and
use of an individual's Social Security number as a result of a
commercial transaction to purchase or sell the numbers. For
example, identity theft crimes have risen substantially over
the past decade in part because Social Security numbers and
other information necessary to perpetrate the crime are often
easily available for purchase by potential criminals. The
Committee's related investigation into the practice of
pretexting--fraudulently impersonating someone else to acquire
detailed information (usually over the phone) about another
person--demonstrated that access to an individual's personal
information is often only limited to the provision of a Social
Security number. Once a Social Security number is obtained,
access to detailed personal information associated with the
Social Security number is readily accessible. With this
information in hand, a criminal can commit identity theft in
numerous ways, including opening new accounts in the name of
the individual attached to the Social Security number.
Although account fraud is one of the most common crimes
perpetrated by criminals, the Committee is aware of other harm,
including violent crimes, that can occur when Social Security
numbers are easily available for purchase. The Committee is
concerned the range of harms and crimes that can be perpetrated
will only increase if prohibitions are not enacted to restrict
the proliferation of the commercial availability of
individuals' Social Security numbers. No one should seek to
profit from the sale of Social Security numbers. Consequently,
there is a need for enactment of legislation that will offer
individuals assigned such numbers necessary protections from
the public display or the sale and purchase of Social Security
numbers in circumstances that might facilitate unlawful conduct
or that might otherwise likely result in unfair or deceptive
practices. The Committee observes that the Office of Management
and Budget recently released a memorandum advising Federal
departments and agencies to review their use of Social Security
numbers and come up with a plan in 120 days to eliminate their
unnecessary collection and use within 18 months. Action on the
Committee's bipartisan legislation is critical and timely.
HEARINGS
No hearings were held on H.R. 948 this year. However, in
the 109th Congress, the Subcommittee on Commerce, Trade, and
Consumer Protection held a hearing on Thursday, May 11, 2006
entitled ``Social Security Numbers in Commerce: Reconciling
Beneficial Uses with Threats to Privacy'' which examined H.R.
1078, substantially similar legislation considered in the 109th
Congress, as well as other legislative proposals to increase
privacy protections for Social Security numbers. Testimony was
received from the following: The Honorable Jon Leibowitz,
Commissioner, Federal Trade Commission; Mr. Oliver I. Ireland,
Partner, Morrison & Foerster, testifying on behalf of the
Financial Services Industry Association; Ms. Susan McDonald,
President, Pension Benefit Information; Ms. Lauren Steinfeld,
Former Associate Chief Counsel, Office of Management and the
Budget, Mr. H. Randy Lively Jr., President and CEO, American
Financial Services Association; and Mr. Marc Rotenberg,
Executive Director, Electronic Privacy Information Center.
COMMITTEE CONSIDERATION
On Wednesday, May 10, 2007, the Committee on Energy and
Commerce met in open markup session and ordered H.R. 948
favorably reported to the House, amended, by a voice vote, a
quorum being present.
COMMITTEE VOTES
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires the Committee to list the record votes
on the motion to report legislation and amendments thereto.
There were no record votes taken in connection with ordering
H.R. 948 reported. A motion by Mr. Dingell to order H.R. 948
reported to the House, amended, was agreed to by a voice vote.
COMMITTEE OVERSIGHT FINDINGS
Pursuant to clause 3(c)(1) of rule XIII of the Rules of the
House of Representatives, the oversight findings of the
Committee are reflected in the preceding portions of this
report.
STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
The purpose of the legislation is to reduce harm to
individuals that results from the public display or the
purchase or sale of their Social Security number.
NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES
Regarding compliance with clause 3(c)(2) of rule XIII of
the Rules of the House of Representatives, the Committee finds
that H.R. 948, the Social Security Number Protection Act of
2007, would result in no new or increased budget authority,
entitlement authority, or tax expenditures or revenues.
EARMARKS AND TAX AND TARIFF BENEFITS
Regarding compliance with clause 9 of rule XXI of the Rules
of the House of Representatives, H.R. 948 does not contain any
Congressional earmarks, limited tax benefits, or limited tariff
benefits as defined in clause 9(d), 9(e), or 9(f) of rule XXI.
COMMITTEE COST ESTIMATE
The Committee adopts as its own the cost estimate prepared
by the Director of the Congressional Budget Office pursuant to
section 402 of the Congressional Budget Act of 1974.
CONGRESSIONAL BUDGET OFFICE ESTIMATE
Pursuant to clause 3(c)(3) of rule XIII of the Rules of the
House of Representatives, the following is the cost estimate
provided by the Congressional Budget Office pursuant to section
402 of the Congressional Budget Act of 1974:
May 25, 2007.
Hon. John D. Dingell,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 948, the Social
Security Number Protection Act of 2007.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Susan Willie.
Sincerely,
Peter R. Orszag.
Enclosure.
H.R. 948--Social Security Number Protection Act of 2007
Summary: H.R. 948 would prohibit the sale or purchase of
Social Security numbers (SSNs) as well as certain other
activities related to their display or use. The Federal Trade
Commission (FTC) would be required to develop regulations to
enforce the new prohibitions. CBO estimates that promulgating
and enforcing those regulations would not have a significant
effect on federal spending.
Enacting the bill could increase federal revenues from
civil penalties assessed for violations of the new regulations,
but CBO estimates that any such increase would not be
significant in any year. Enacting the bill would not affect
direct spending.
H.R. 948 contains intergovernmental mandates as defined in
the Unfunded Mandates Reform Act (UMRA). The bill would preempt
state and local laws that restrict the use, sale, or purchase
of Social Security numbers, but CBO estimates that the costs of
those mandates would be small and would not exceed the
threshold established in UMRA ($66 million in 2007, adjusted
annually for inflation).
H.R. 948 would impose private-sector mandates as defined in
the UMRA. It would prohibit any entity in the private sector
from selling or purchasing a Social Security number in
violation of the regulations that the Federal Trade Commission
would issue. The bill also would prohibit certain uses of
Social Security numbers. The cost to the private sector of
complying with those mandates is uncertain because it would
depend on regulations that have not yet been promulgated.
Therefore, CBO cannot determine whether the aggregate cost of
mandates in the bill would exceed the annual threshold
established by UMRA for private sector mandates ($131 million
in 2007, adjusted annually for inflation).
Estimated cost to the Federal Government: H.R. 948 would
make it illegal to display an individual's SSN on a public Web
site or on a membership or identity card, to require the use of
a SSN as a password for access to services, or to sell or
purchase SSNs. The bill would require the FTC to develop and
enforce those new prohibitions.
Based on information from the FTC, CBO estimates that the
cost to develop regulations limiting the display and use of
SSNs as well as their sale and purchase would be less than
$500,000 per year. Such costs would be subject to the
availability of appropriated funds. The costs of this
legislation would fall within budget function 370 (commerce and
housing credit).
Enacting H.R. 948 could increase federal revenues from
civil penalties assessed for violations of the new regulations.
CBO estimates, however, that any additional revenues that would
result from enacting the bill would not be significant because
of the relatively small number of cases likely to be involved.
Estimated impact on state, local, and tribal governments:
H.R. 948 contains intergovernmental mandates as defined in
UMRA. In particular, the bill would require state attorneys
general to notify the FTC of any action taken under the bill,
allow the FTC to intervene in those actions, and limit the
actions that attorneys general may take in certain
circumstances. Also, provisions regarding the use, sale, or
purchase of Social Security numbers would preempt state laws.
CBO estimates that the aggregate costs, if any, to state,
local, and tribal governments of complying with the mandates in
the bill would be small and would not exceed the threshold
established in UMRA ($66 million in 2007, adjusted annually for
inflation).
CBO believes that the bill would grant no new authority to
the FTC to regulate the activities of state and local
governments. Under current law, the courts have ruled that the
FTC does not have jurisdiction over those governments or over
public universities. Furthermore, the bill's provisions apply
to ``persons,'' a term that does not include sovereigns such as
state, local, or tribal governments. We expect, therefore, that
the provisions of the bill regarding the use, sale, and
purchase of Social Security numbers would not apply to such
entities.
Estimated impact on the private sector: H.R. 948 contains
private-sector mandates as defined in UMRA. It would prohibit
any entity from selling or purchasing a Social Security number
(SSN) in violation of regulations that the FTC would issue to
implement this legislation. The bill also would prohibit the
display of Social Security numbers on any Web site that is
generally accessible to the public or on any membership or
identity cards. In addition, the bill would prohibit anyone
from requiring that a consumer use a Social Security number as
a password. The FTC would be required to ensure that the
restrictions and conditions on the sale or purchase of SSNs are
no broader than necessary to provide reasonable assurance that
SSNs will not be used to commit or facilitate fraud, deception,
or crime, and to prevent an undue risk of bodily, emotional, or
financial harm to individuals.
H.R. 948 is aimed at prohibiting activities that have no
legitimate purpose; however, despite the exemptions in the
bill, some entities engaging in legitimate activities might be
forced to change their business practices as a result of the
legislation. The cost to the private sector of complying with
the mandates in the bill is uncertain because it would depend
on regulations that have not yet been promulgated.
Consequently, CBO cannot determine whether the aggregate cost
of mandates in H.R. 948 would exceed the annual threshold
established by UMRA for private-sector mandates ($131 million
in 2007, adjusted annually for inflation).
Estimate prepared by: Federal Costs: Susan Willie; Impact
on state, local, and tribal governments: Elizabeth Cove; Impact
on the private sector: Fatimot Ladipo.
Estimate approved by: Robert A. Sunshine, Assistant
Director for Budget Analysis.
FEDERAL MANDATES STATEMENT
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
ADVISORY COMMITTEE STATEMENT
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
CONSTITUTIONAL AUTHORITY STATEMENT
Pursuant to clause 3(d)(1) of rule XIII of the Rules of the
House of Representatives, the Committee finds that the
Constitutional authority for this legislation is provided in
Article I, section 8, clause 3, which grants Congress the power
to regulate commerce with foreign nations, among the several
States, and with the Indian Tribes.
APPLICABILITY TO LEGISLATIVE BRANCH
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short title
Section 1 defines this Act as the ``Social Security
Protection Act of 2007''.
Section 2. Definitions
Section 2 defines terms to be used in this Act: including,
``Commission,'' ``person,'' ``sale,'' ``purchase,'' ``Social
Security number,'' and ``State.''
The terms ``sale'' and ``purchase'' are broadly defined to
include, respectively, obtaining or providing, directly or
indirectly, anything of value in exchange for a Social Security
number. Both of the latter terms, ``sale'' and ``purchase,''
are specifically defined to exclude two sets of circumstances:
(1) the submission of such numbers as part of the process for
applying for any type of government benefit or program (e.g.,
grant or loan applications or welfare or other public
assistance programs); and (2) the transfers of such numbers as
part of a data matching program under the Computer Matching and
Privacy Protection Act of 1988. The term ``State'' is defined
broadly to include both States of the United States and other
political subdivisions of the United States, such as its
territories and possessions.
Section 3. Prohibition on certain uses of social security numbers
Section 3 prohibits the use of Social Security numbers in
specific circumstances, except as provided under regulations
promulgated by the FTC. Subsection 3(a)(1) would make it
unlawful for any person to intentionally display the Social
Security number of another individual on a Web site that is
generally accessible to the public or provide an individual
with access to the Social Security number of another individual
through the Internet. Subsection 3(a)(2) would make it unlawful
to require an individual who is a customer of or member
associated with such person to use that individual's Social
Security number as a password for access to any good or
service, including access to any account of that individual or
any protected access website. Subsection 3(a)(3) would make it
unlawful to display the Social Security number of any
individual on any membership or identity card issued by such
person. Subsection 3(b) stipulates that a violation of
subsection (a) shall be treated as an unfair and deceptive act
or practice under section 18(a)(1)(B) of the Federal Trade
Commission Act. Any person who violates subsection (a) shall be
subject to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission Act.
Subsection 3(c) directs the FTC to promulgate rules that
provide for any exceptions to the prohibitions in subsection
(a) for circumstances that the FTC considers appropriate and
consistent with the public interest, the protection of
consumers, and the purposes of this Act. The Committee
understands that access to Social Security numbers is essential
to many vital government and commercial operations, such as
database accuracy and fraud prevention. The Committee believes,
however, that there is no legitimate reason why, for example,
Web site operators should be displaying, providing access to,
or selling Social Security numbers to the general public. The
intent of this section is to stop the public display of Social
Security numbers. The Committee believes that such activity
poses a substantial threat to consumers of identity theft and
financial account fraud.
Section 4. Regulation of the sale and purchase of social security
numbers
Section 4 provides for the prohibition of the sale or
purchase of Social Security numbers in violation of regulations
promulgated by the FTC. The FTC shall promulgate regulations
within one year of enactment restricting the sale and purchase
and defining unfair and deceptive acts related to the sale and
purchase of Social Security numbers. The FTC regulations shall
also include exceptions for certain enumerated purposes
consistent with the intent of the legislation.
Subsection 4(a) would establish the general prohibition of
the sale and purchase of a Social Security number in a manner
that violates a regulation promulgated by the FTC under
subsection (b). Subsection 4(b)(1) would direct the FTC, after
consultation with the Commissioner of Social Security, the
Attorney General, and other agencies as the FTC deems
appropriate, to promulgate regulations restricting the sale and
purchase of Social Security numbers and any unfair and
deceptive acts and practices in connection with the sale and
purchase of those numbers. Subsection 4(b)(2) would require the
FTC to impose restrictions and conditions on the sale and
purchase of Social Security numbers and Social Security account
numbers that are no broader than necessary (A) to provide
reasonable assurance that such numbers will not be used to
commit or facilitate fraud, deception, or crime; and (B) to
prevent an undue risk of bodily, emotional, or financial harm
to individuals (taking into account the nature, likelihood, and
severity of the anticipated harm and the extent of any benefits
that might be realized from the sale or purchase of the numbers
and any other relevant factors).
Subsection 4(b)(3) would require the FTC to establish in
those regulations exceptions for seven categories of situations
in which the sale and purchase of Social Security numbers would
be permitted: (1) to the extent necessary for law enforcement
or national security purposes; (2) to the extent necessary for
public health purposes; (3) to the extent necessary in
emergency situations to protect the health and safety of one or
more individuals; (4) to the extent necessary for research to
advance public knowledge (including, but not limited to,
scientific, epidemiological, and social scientific research)
conducted for the purpose of advancing public knowledge, on the
condition that for such research the researcher provides
adequate assurances that (i) the Social Security numbers will
not be used to harass, target, or publicly reveal information
concerning any identifiable individual(s); (ii) information
about identifiable individuals obtained from the research will
not be used to make decisions that directly affect the rights,
benefits, or privileges of specific individuals; and (iii) the
researcher has in place appropriate safeguards to protect the
privacy and confidentiality of any information about
identifiable individuals; (5) to the extent consistent with an
individual's voluntary and affirmative written consent to the
sale or purchase of a particular Social Security number that
has been assigned to that individual; (6) to the extent
necessary for legitimate consumer credit verification, if the
Social Security numbers used for such verification are redacted
in accordance with uniform redaction standards issued by the
FTC in such regulations, and (7) under other appropriate
circumstances as the FTC may determine and as are consistent
with the paragraph (2). Under any of these seven exceptions,
when Federal departments and agencies have Social Security
numbers in systems of records, the legal protections of the
Privacy Act, 5 U.S.C. Sec. 552a, will apply.
The Committee intends that the FTC's regulations will
address, among other things, growing concerns about the ability
of companies to demand that consumers provide them with a full
Social Security number as a condition of doing business. The
Committee intends that the FTC, in crafting uniform redaction
standards pursuant to 4(b)(3)(F), shall protect against the
threat that a persons' full Social Security number could be
uncovered. For example, such standards shall protect against
the threat that a person's full Social Security number could be
identified by combining the redacted number with other data
which might otherwise reasonably be available about the
individual and which could facilitate replication of the full
number, such as the individual's date of birth or place of
birth.
Subsection 4(c)(1) would direct the FTC to promulgate the
regulations under subsection 4(b) not later than one year after
the date of enactment of the bill. Subsection 4(a), and
regulations promulgated under subsection 4(b), shall take
effect thirty days after the date on which the final
regulations issued under subsection 4(b) are published in the
Federal Register. Subsection 4(d) would direct that any
violation of a regulation promulgated under subsection 4(b)
shall be treated as a violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
Sec. 57a(a)(1)(B)) regarding unfair or deceptive acts or
practices.
Subsection 4(e)(1) would set forth the FTC's authority to
prevent violations of Section 3 and the regulations promulgated
under Section 4, and provide that violators of such rules shall
be subject to the penalties, and entitled to the privileges and
immunities provided in the Federal Trade Commission Act as
though all applicable terms and provisions of that Act were
incorporated into and made a part of this bill. Subsection
4(e)(2) would authorize any State attorney general to bring a
parens patriae action in a United States district court, in any
case in which that attorney general has reason to believe that
an interest of the residents of that State has been or is
threatened or adversely affected by an act or practice that
violates any regulation under Section 4(b) of the Act. The
relief that the State attorney general may seek would include
injunctive relief, enforcement of compliance with the
regulation, obtaining damages, restitution, and other
compensation on behalf of the State's residents (including
civil penalties up to $11,000 per violation, not to exceed a
maximum of $5,000,000) and any other legal or equitable relief
as the district court may consider to be appropriate. This
subsection also contains provisions for notice to the FTC and
the Department of Justice when such actions are brought;
litigation-related rights that the FTC and the Department each
would have in such actions; a provision precluding States from
filing such parens patriae actions if the Department has
instituted a prosecution for criminal violations or the FTC has
instituted civil litigation for civil violations of the Act; a
provision clarifying the ability of a State attorney general to
use investigatory powers under the laws of that State; and
procedural provisions for venue and service of process.
Section 5. Study of feasibility of banning social security as an
authenticator
Section 5 directs the FTC to conduct a study to determine:
(1) the extent of the use of Social Security numbers as a
primary means of authenticating identity; (2) the extent of the
use of Social Security numbers for verification in commercial
transactions; (3) the feasibility of a prohibition on such use;
and (4) possible alternatives to Social Security numbers for
verification purposes and uses in authenticating identity. The
FTC shall transmit to Congress a report of the study, including
recommendations, no later than one year after the date of
enactment of this Act.
Section 6. Effect on other laws
Section 6 preempts any State laws that expressly: (1)
prohibits the uses of Social Security numbers described in
Section 3(a); or (2) restricts or prohibits the sale or
purchase of Social Security numbers in a manner similar to the
regulations promulgated under Section 4(b).
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
H.R. 948 does not amend any existing Federal statute.
�