[House Report 110-191]
[From the U.S. Government Publishing Office]



110th Congress                                            Rept. 110-191
                        HOUSE OF REPRESENTATIVES
 1st Session                                                     Part 1

======================================================================



 
             SOCIAL SECURITY NUMBER PROTECTION ACT OF 2007

                                _______
                                

                 June 13, 2007.--Ordered to be printed

                                _______
                                

 Mr. Dingell, from the Committee on Energy and Commerce, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 948]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Energy and Commerce, to whom was referred 
the bill (H.R. 948) to strengthen the authority of the Federal 
Government to protect individuals from certain acts and 
practices in the sale and purchase of Social Security numbers 
and Social Security account numbers, and for other purposes, 
having considered the same, report favorably thereon with an 
amendment and recommend that the bill as amended do pass.

                                CONTENTS

                                                                   Page
Amendment........................................................     2
Purpose and Summary..............................................     5
Background and Need for Legislation..............................     5
Hearings.........................................................     7
Committee Consideration..........................................     8
Committee Votes..................................................     8
Committee Oversight Findings.....................................     8
Statement of General Performance Goals and Objectives............     8
New Budget Authority, Entitlement Authority, and Tax Expenditures     8
Earmarks and Tax and Tariff Benefits.............................     8
Committee Cost Estimate..........................................     8
Congressional Budget Office Estimate.............................     8
Federal Mandates Statement.......................................    11
Advisory Committee Statement.....................................    11
Constitutional Authority Statement...............................    11
Applicability to Legislative Branch..............................    11
Section-by-Section Analysis of the Legislation...................    11
Changes in Existing Law Made by the Bill, as Reported............    14

                               AMENDMENT

    The amendment is as follows:
    Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Social Security Number Protection Act 
of 2007''.

SEC. 2. DEFINITIONS.

  In this Act:
          (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
          (2) Person.--The term ``person'' means any individual, 
        partnership, corporation, trust, estate, cooperative, 
        association, or any other entity.
          (3) Sale.--The term ``sale'' means obtaining, directly or 
        indirectly, anything of value in exchange for a Social Security 
        number. Such term does not include the submission of such 
        numbers as part of the process for applying for any type of 
        Government benefit or programs (such as grant or loan 
        applications or welfare or other public assistance programs). 
        Such term also does not include transfers of such numbers as 
        part of a data matching program under the Computer Matching and 
        Privacy Protection Act.
          (4) Purchase.--The term ``purchase'' means providing directly 
        or indirectly, anything of value in exchange for a Social 
        Security number. Such term does not include the submission of 
        such numbers as part of the process for applying for any type 
        of Government benefit or programs (such as grant or loan 
        applications or welfare or other public assistance programs). 
        Such term also does not include transfers of such numbers as 
        part of a data matching program under the Computer Matching and 
        Privacy Protection Act.
          (5) Social security number.--The term ``Social Security 
        number'' means the social security account number assigned to 
        an individual under section 205(c)(2)(B) of the Social Security 
        Act (42 U.S.C. 405(c)(2)(B)).
          (6) State.--The term ``State'' means any State of the United 
        States, the District of Columbia, Puerto Rico, the Northern 
        Mariana Islands, the United States Virgin Islands, Guam, 
        American Samoa, and any territory or possession of the United 
        States.

SEC. 3. PROHIBITION ON CERTAIN USES OF SOCIAL SECURITY NUMBERS.

  (a) Prohibition.--Except as provided under regulations issued by the 
Commission under subsection (c), it shall be unlawful for any person 
to--
          (1) intentionally display the Social Security number of 
        another individual on a website that is generally accessible to 
        the public or provide an individual with access to the Social 
        Security number of another individual through the Internet;
          (2) require an individual who is customer of or member 
        associated with such person to use that individual's Social 
        Security number as a password for access to any good or 
        service, including access to any account of that individual or 
        any protected access website; or
          (3) display the Social Security number of any individual on 
        any membership or identity card issued by such person.
  (b) Enforcement.--A violation of subsection (a) shall be treated as 
an unfair and deceptive act or practice in violation of a regulation 
under section 18(a)(1)(B) of the Federal Trade Commission Act (15 
U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. 
The Commission shall enforce this section in the same manner, by the 
same means, and with the same jurisdiction, powers, and duties as 
though all applicable terms and provisions of the Federal Trade 
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a 
part of this section. Any person who violates subsection (a) shall be 
subject to the penalties and entitled to the privileges and immunities 
provided in that Act.
  (c) Exceptions.--Not later than 9 months after the date of enactment 
of this Act, the Commission shall promulgate rules providing for any 
exceptions to the prohibition in subsection (a) for circumstances which 
the Commission considers appropriate and consistent with the public 
interest, the protection of consumers, and the purposes of this Act.

SEC. 4. REGULATION OF THE SALE AND PURCHASE OF SOCIAL SECURITY NUMBERS.

  (a) Prohibition.--It shall be unlawful for any person to sell or 
purchase a Social Security number in a manner that violates a 
regulation promulgated by the Commission under subsection (b) of this 
section.
  (b) Regulations.--
          (1) Restrictions authorized.--The Commission, after 
        consultation with the Commissioner of Social Security, the 
        Attorney General, and other agencies as the Commission deems 
        appropriate, shall promulgate regulations restricting the sale 
        and purchase of Social Security numbers and any unfair or 
        deceptive acts or practices in connection with the sale and 
        purchase of Social Security numbers.
          (2) Limitations on restrictions.--In promulgating such 
        regulations, the Commission shall impose restrictions and 
        conditions on the sale and purchase of Social Security numbers 
        that are no broader than necessary--
                  (A) to provide reasonable assurance that Social 
                Security numbers will not be used to commit or 
                facilitate fraud, deception, or crime; and
                  (B) to prevent an undue risk of bodily, emotional, or 
                financial harm to individuals.
        For purposes of subparagraph (B), the Commission shall consider 
        the nature, likelihood, and severity of the anticipated harm; 
        the nature, likelihood, and extent of any benefits that could 
        be realized from the sale or purchase of the numbers; and any 
        other relevant factors.
          (3) Exceptions.--The regulations promulgated pursuant to 
        paragraph (1) shall include exceptions which permit the sale 
        and purchase of Social Security numbers--
                  (A) to the extent necessary for law enforcement or 
                national security purposes;
                  (B) to the extent necessary for public health 
                purposes;
                  (C) to the extent necessary in emergency situations 
                to protect the health or safety of 1 or more 
                individuals;
                  (D) to the extent necessary for research conducted 
                for the purpose of advancing public knowledge, on the 
                condition that the researcher provides adequate 
                assurances that--
                          (i) the Social Security numbers will not be 
                        used to harass, target, or publicly reveal 
                        information concerning any identifiable 
                        individuals;
                          (ii) information about identifiable 
                        individuals obtained from the research will not 
                        be used to make decisions that directly affect 
                        the rights, benefits, or privileges of specific 
                        individuals; and
                          (iii) the researcher has in place appropriate 
                        safeguards to protect the privacy and 
                        confidentiality of any information about 
                        identifiable individuals;
                  (E) to the extent consistent with an individual's 
                voluntary and affirmative written consent to the sale 
                or purchase of a Social Security number that has been 
                assigned to that individual;
                  (F) to the extent necessary for legitimate consumer 
                credit verification, if the Social Security numbers 
                used for such verification are redacted in accordance 
                with uniform redaction standards established by the 
                Commission in such regulations; and
                  (G) under other appropriate circumstances as the 
                Commission may determine and as are consistent with the 
                principles in paragraph (2).
  (c) Rulemaking.--
          (1) Deadline for action.--Not later than 1 year after the 
        date of enactment of this Act, the Commission shall promulgate 
        the regulations under subsection (b) of this section, in 
        accordance with section 553 of title 5, United States Code.
          (2) Effective dates.--Subsection (a) and the regulations 
        promulgated under subsection (b) shall take effect 30 days 
        after the date on which the final regulations issued under this 
        section are published in the Federal Register.
  (d) Enforcement.--Any violation of a regulation promulgated under 
subsection (b) of this section shall be treated as a violation of a 
regulation under section 18(a)(1)(B) of the Federal Trade Commission 
Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or 
practices.
  (e) Administration and Enforcement.--
          (1) The commission.--The Commission shall prevent any person 
        from violating this section, and any regulation promulgated 
        thereunder, in the same manner, by the same means, and with the 
        same jurisdiction, powers, and duties as though all applicable 
        terms and provisions of the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.) were incorporated into and made a part of 
        this Act. Any person who violates such regulation shall be 
        subject to the penalties and entitled to the privileges and 
        immunities provided in the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.) as though all applicable terms and 
        provisions of the Federal Trade Commission Act (15 U.S.C. 41 et 
        seq.) were incorporated into and made a part of this Act. 
        Nothing contained in this Act shall be construed to limit the 
        authority of the Commission under any other provision of law.
          (2) Actions by states.--
                  (A) Civil actions.--In any case in which the attorney 
                general of a State has reason to believe that an 
                interest of the residents of that State has been or is 
                threatened or adversely affected by an act or practice 
                that violates any regulation of the Commission 
                promulgated under subsection (b), the State, as parens 
                patriae, may bring a civil action on behalf of the 
                residents of the State in a district court of the 
                United States of appropriate jurisdiction, to--
                          (i) enjoin that act or practice;
                          (ii) enforce compliance with the regulation;
                          (iii) obtain civil penalties in an amount of 
                        $11,000 per violation not to exceed a total of 
                        $5,000,000; or
                          (iv) obtain such other legal and equitable 
                        relief as the district court may consider to be 
                        appropriate.
                Before filing an action under this subsection, the 
                attorney general of the State involved shall provide to 
                the Commission and to the Attorney General a written 
                notice of that action and a copy of the complaint for 
                that action. If the State attorney general determines 
                that it is not feasible to provide the notice described 
                in this subparagraph before the filing of the action, 
                the State attorney general shall provide the written 
                notice and the copy of the complaint to the Commission 
                and to the Attorney General as soon after the filing of 
                the complaint as practicable.
                  (B) Commission and attorney general authority.--On 
                receiving notice under subparagraph (A), the Commission 
                and the Attorney General each shall have the right--
                          (i) to move to stay the action, pending the 
                        final disposition of a pending Federal matter 
                        as described in subparagraph (c);
                          (ii) to intervene in an action under clause 
                        (I);
                          (iii) upon so intervening, to be heard on all 
                        matters arising therein; and
                          (iv) to file petitions for appeal.
                  (C) Pending criminal proceedings.--If the Attorney 
                General has instituted a criminal proceeding or the 
                Commission has instituted a civil action for a 
                violation of this Act or any regulations thereunder, no 
                State may, during the pendency of such proceeding or 
                action, bring an action under this section against any 
                defendant named in the criminal proceeding or civil 
                action for any violation of this section that is 
                alleged in that proceeding or action.
                  (D) Rule of construction.--For purposes of bringing 
                any civil action under subparagraph (A), nothing in 
                this Act shall be construed to prevent an attorney 
                general of a State from exercising the powers conferred 
                on the attorney general by the laws of that State to 
                conduct investigations, administer oaths and 
                affirmations, or compel the attendance of witnesses or 
                the production of documentary and other evidence.
                  (E) Venue; service of process.--Any action brought 
                under this section may be brought in any district court 
                of the United States that meets applicable requirements 
                relating to venue under section 1391 of title 28, 
                United States Code. In an action brought under this 
                section, process may be served in any district in which 
                the defendant is an inhabitant or may be found.

SEC. 5. STUDY ON FEASIBILITY OF BANNING SOCIAL SECURITY AS AN 
                    AUTHENTICATOR.

  (a) Study.--The Commission shall conduct a study to determine--
          (1) the extent of the use of Social Security numbers as a 
        primary means of authenticating identity;
          (2) the extent of the use of Social Security numbers for 
        verification in commercial transactions; and
          (3) the feasibility of a prohibition on such use.
The study shall also examine possible alternatives to Social Security 
numbers for verification purposes and uses in authenticating identity.
  (b) Report.--The Commission shall transmit to Congress a report of 
the study, including any recommendations, not later than 1 year after 
the date of the enactment of this Act.

SEC. 6. EFFECT ON OTHER LAWS.

  This Act supersedes any provision of a statute, regulation, or rule 
of a State or political subdivision of a State that expressly--
          (1) prohibits the uses of Social Security numbers described 
        in section 3(a); or
          (2) restricts or prohibits the sale or purchase of Social 
        Security numbers in a manner similar to the regulations 
        promulgated under section 4(b).

                          PURPOSE AND SUMMARY

    The purpose of H.R. 948, the Social Security Number 
Protection Act of 2007, is to prohibit the public display and 
the purchase and sale of citizens' Social Security numbers in 
interstate commerce in violation of rules to be promulgated by 
the Federal Trade Commission (FTC). H.R. 948 makes it unlawful 
to intentionally display Social Security numbers on a Web site 
or to provide access thereto through the Internet, to display 
Social Security numbers on membership or identity cards, or to 
require customers to use Social Security numbers as passwords 
for access to any goods or services, account, or protected 
access Web site. H.R. 948 also requires the FTC to promulgate 
rules within one year, after consultation with the Attorney 
General and Commissioner of Social Security, restricting the 
sale and purchase of Social Security numbers. The regulations 
should be broad enough to prevent Social Security numbers from 
being used to commit fraud, deception, or crime, and prevent 
risk of bodily, emotional, or financial harm to individuals. 
H.R. 948 requires, however, certain exemptions from the 
prohibition for legitimate purposes including emergencies, 
public health, and law enforcement.

                  BACKGROUND AND NEED FOR LEGISLATION

    Consumer transactions account for more than two-thirds of 
the U.S. gross domestic product at this time, and information 
sharing is of particular importance to the U.S. economy. The 
exchange of information among businesses is linked to broad 
economic benefits, including the widespread availability and 
low cost of consumer credit, based in part upon real time 
authentication and verification. Notwithstanding the benefits 
of information sharing, however, consumers, businesses, and 
governmental entities have begun to focus on the privacy 
implications of information practices. The same technological 
advances in information networks that benefit consumers are 
increasingly misused for purposes that can harm consumers when 
information is accessible to unauthorized parties.
    Adopting fair information practices became more common 
among businesses in the mid 1990s. The common elements of fair 
information practices are: notice, choice, access, security, 
and enforcement. There is wide variance in the extent to which 
businesses adhere to these information practices. Even among 
the entities that have embraced these fair information 
practices, there is disagreement about the right mix of self-
regulation, legislation, and technology in protecting privacy.
    Historically, Congress has taken a sector-by-sector 
approach to privacy and has mandated discrete protections for 
certain personal information used for commercial purposes, upon 
a showing that a particular use harmed or threatened to harm 
the American consumer. This industry-by-industry approach 
differs from the comprehensive approach attempted by other 
nations, such as the European Union's Data Protection 
Directive. Together those sector specific statutes encompass a 
significant portion of U.S. commercial activity, though they 
are significantly different in the protections afforded to 
consumers. The following is a small sample of Federal statutes 
addressing the issue of information privacy: the Children's 
Online Privacy Protection Act, the Cable Communications Policy 
Act, the Telecommunications Act of 1996, the Telephone Consumer 
Protection Act, the Electronic Communications Privacy Act, the 
Health Insurance Portability Protection Act, the Fair Credit 
Reporting Act, the Gramm-Leach-Bliley Act, the Family 
Educational Rights and Privacy Act, the Video Privacy 
Protection Act, the Driver's Privacy Protection Act, and 
wiretap statutes.
    The need to address privacy concerns has grown 
exponentially with the prevalence of digitized personal 
information that can be stored, transferred, and theoretically 
accessed by limitless parties depending on the data safeguards 
or protections. Such information sharing may require the 
authentication and validation of individuals' identities. In 
many cases, individuals' Social Security numbers have become 
the default identifier.
    Originally created by the Federal Government to administer 
the Social Security program, the numbers were intended only to 
track employee contributions to the system and administer 
benefits but were prohibited from any other use. Congress later 
authorized the use of Social Security numbers as taxpayer 
identification numbers for the IRS. Over time, however, the 
numbers have become default identification and verification for 
many other purposes. The Federal Government requires virtually 
every individual in the United States to obtain and maintain a 
Social Security number in order to pay taxes, to qualify for 
Social Security benefits, or to seek employment. An unintended 
consequence of these requirements is that Social Security 
numbers have become tools that can be used to facilitate crime, 
fraud, and invasions of the privacy of the individuals to whom 
the numbers are assigned. Because the Federal Government 
created and maintains this system, and because the Federal 
Government does not permit persons to exempt themselves from 
those requirements, the Committee finds it is appropriate for 
the Government to take steps to stem the abuse of this system.
    The Committee notes that Congress attempted to limit the 
use of Social Security numbers with the passage of the Privacy 
Act of 1974. This law applied only to government agencies, 
however, and did not restrict the private sector. As a result 
of the lack of restrictions, Social Security numbers have 
become synonymous with an individual's identity as the number 
is tied directly to nearly all financial accounts, as well as 
patient records of health-care providers and other business 
entities. While there are clear benefits associated with the 
ability to authenticate and verify an individual--including the 
provision of instantaneous credit, combating fraudulent 
transactions, and accurately identifying or locating 
individuals whose name has changed and is otherwise unable to 
be located--the Social Security number has become the 
singularly most important means of identifying and 
authenticating an individual, increasing its value in the eyes 
of identity thieves and fraudsters.
    The Committee finds that the inappropriate sale or purchase 
of Social Security numbers is a significant factor in a growing 
range of illegal activities, including fraud, identity theft, 
and, in some cases, stalking and other violent crimes. It is 
the identifying information associated with a Social Security 
number that presents the largest potential threats to 
individuals. Because an individual's information is linked to 
the Social Security number, access to the Social Security 
number opens the individuals' identity and related information 
to the possibility of the information being available to 
unauthorized parties or for unauthorized purposes. The 
Committee found that this can facilitate the commission of 
criminal activities and also can result in serious invasions of 
individual privacy.
    The Committee seeks to stop the unauthorized access to and 
use of an individual's Social Security number as a result of a 
commercial transaction to purchase or sell the numbers. For 
example, identity theft crimes have risen substantially over 
the past decade in part because Social Security numbers and 
other information necessary to perpetrate the crime are often 
easily available for purchase by potential criminals. The 
Committee's related investigation into the practice of 
pretexting--fraudulently impersonating someone else to acquire 
detailed information (usually over the phone) about another 
person--demonstrated that access to an individual's personal 
information is often only limited to the provision of a Social 
Security number. Once a Social Security number is obtained, 
access to detailed personal information associated with the 
Social Security number is readily accessible. With this 
information in hand, a criminal can commit identity theft in 
numerous ways, including opening new accounts in the name of 
the individual attached to the Social Security number.
    Although account fraud is one of the most common crimes 
perpetrated by criminals, the Committee is aware of other harm, 
including violent crimes, that can occur when Social Security 
numbers are easily available for purchase. The Committee is 
concerned the range of harms and crimes that can be perpetrated 
will only increase if prohibitions are not enacted to restrict 
the proliferation of the commercial availability of 
individuals' Social Security numbers. No one should seek to 
profit from the sale of Social Security numbers. Consequently, 
there is a need for enactment of legislation that will offer 
individuals assigned such numbers necessary protections from 
the public display or the sale and purchase of Social Security 
numbers in circumstances that might facilitate unlawful conduct 
or that might otherwise likely result in unfair or deceptive 
practices. The Committee observes that the Office of Management 
and Budget recently released a memorandum advising Federal 
departments and agencies to review their use of Social Security 
numbers and come up with a plan in 120 days to eliminate their 
unnecessary collection and use within 18 months. Action on the 
Committee's bipartisan legislation is critical and timely.

                                HEARINGS

    No hearings were held on H.R. 948 this year. However, in 
the 109th Congress, the Subcommittee on Commerce, Trade, and 
Consumer Protection held a hearing on Thursday, May 11, 2006 
entitled ``Social Security Numbers in Commerce: Reconciling 
Beneficial Uses with Threats to Privacy'' which examined H.R. 
1078, substantially similar legislation considered in the 109th 
Congress, as well as other legislative proposals to increase 
privacy protections for Social Security numbers. Testimony was 
received from the following: The Honorable Jon Leibowitz, 
Commissioner, Federal Trade Commission; Mr. Oliver I. Ireland, 
Partner, Morrison & Foerster, testifying on behalf of the 
Financial Services Industry Association; Ms. Susan McDonald, 
President, Pension Benefit Information; Ms. Lauren Steinfeld, 
Former Associate Chief Counsel, Office of Management and the 
Budget, Mr. H. Randy Lively Jr., President and CEO, American 
Financial Services Association; and Mr. Marc Rotenberg, 
Executive Director, Electronic Privacy Information Center.

                        COMMITTEE CONSIDERATION

    On Wednesday, May 10, 2007, the Committee on Energy and 
Commerce met in open markup session and ordered H.R. 948 
favorably reported to the House, amended, by a voice vote, a 
quorum being present.

                            COMMITTEE VOTES

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the record votes 
on the motion to report legislation and amendments thereto. 
There were no record votes taken in connection with ordering 
H.R. 948 reported. A motion by Mr. Dingell to order H.R. 948 
reported to the House, amended, was agreed to by a voice vote.

                      COMMITTEE OVERSIGHT FINDINGS

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the oversight findings of the 
Committee are reflected in the preceding portions of this 
report.

         STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    The purpose of the legislation is to reduce harm to 
individuals that results from the public display or the 
purchase or sale of their Social Security number.

   NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

    Regarding compliance with clause 3(c)(2) of rule XIII of 
the Rules of the House of Representatives, the Committee finds 
that H.R. 948, the Social Security Number Protection Act of 
2007, would result in no new or increased budget authority, 
entitlement authority, or tax expenditures or revenues.

                  EARMARKS AND TAX AND TARIFF BENEFITS

    Regarding compliance with clause 9 of rule XXI of the Rules 
of the House of Representatives, H.R. 948 does not contain any 
Congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(d), 9(e), or 9(f) of rule XXI.

                        COMMITTEE COST ESTIMATE

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.

                  CONGRESSIONAL BUDGET OFFICE ESTIMATE

    Pursuant to clause 3(c)(3) of rule XIII of the Rules of the 
House of Representatives, the following is the cost estimate 
provided by the Congressional Budget Office pursuant to section 
402 of the Congressional Budget Act of 1974:

                                                      May 25, 2007.
Hon. John D. Dingell,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 948, the Social 
Security Number Protection Act of 2007.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Susan Willie.
            Sincerely,
                                                   Peter R. Orszag.
    Enclosure.

H.R. 948--Social Security Number Protection Act of 2007

    Summary: H.R. 948 would prohibit the sale or purchase of 
Social Security numbers (SSNs) as well as certain other 
activities related to their display or use. The Federal Trade 
Commission (FTC) would be required to develop regulations to 
enforce the new prohibitions. CBO estimates that promulgating 
and enforcing those regulations would not have a significant 
effect on federal spending.
    Enacting the bill could increase federal revenues from 
civil penalties assessed for violations of the new regulations, 
but CBO estimates that any such increase would not be 
significant in any year. Enacting the bill would not affect 
direct spending.
    H.R. 948 contains intergovernmental mandates as defined in 
the Unfunded Mandates Reform Act (UMRA). The bill would preempt 
state and local laws that restrict the use, sale, or purchase 
of Social Security numbers, but CBO estimates that the costs of 
those mandates would be small and would not exceed the 
threshold established in UMRA ($66 million in 2007, adjusted 
annually for inflation).
    H.R. 948 would impose private-sector mandates as defined in 
the UMRA. It would prohibit any entity in the private sector 
from selling or purchasing a Social Security number in 
violation of the regulations that the Federal Trade Commission 
would issue. The bill also would prohibit certain uses of 
Social Security numbers. The cost to the private sector of 
complying with those mandates is uncertain because it would 
depend on regulations that have not yet been promulgated. 
Therefore, CBO cannot determine whether the aggregate cost of 
mandates in the bill would exceed the annual threshold 
established by UMRA for private sector mandates ($131 million 
in 2007, adjusted annually for inflation).
    Estimated cost to the Federal Government: H.R. 948 would 
make it illegal to display an individual's SSN on a public Web 
site or on a membership or identity card, to require the use of 
a SSN as a password for access to services, or to sell or 
purchase SSNs. The bill would require the FTC to develop and 
enforce those new prohibitions.
    Based on information from the FTC, CBO estimates that the 
cost to develop regulations limiting the display and use of 
SSNs as well as their sale and purchase would be less than 
$500,000 per year. Such costs would be subject to the 
availability of appropriated funds. The costs of this 
legislation would fall within budget function 370 (commerce and 
housing credit).
    Enacting H.R. 948 could increase federal revenues from 
civil penalties assessed for violations of the new regulations. 
CBO estimates, however, that any additional revenues that would 
result from enacting the bill would not be significant because 
of the relatively small number of cases likely to be involved.
    Estimated impact on state, local, and tribal governments: 
H.R. 948 contains intergovernmental mandates as defined in 
UMRA. In particular, the bill would require state attorneys 
general to notify the FTC of any action taken under the bill, 
allow the FTC to intervene in those actions, and limit the 
actions that attorneys general may take in certain 
circumstances. Also, provisions regarding the use, sale, or 
purchase of Social Security numbers would preempt state laws. 
CBO estimates that the aggregate costs, if any, to state, 
local, and tribal governments of complying with the mandates in 
the bill would be small and would not exceed the threshold 
established in UMRA ($66 million in 2007, adjusted annually for 
inflation).
    CBO believes that the bill would grant no new authority to 
the FTC to regulate the activities of state and local 
governments. Under current law, the courts have ruled that the 
FTC does not have jurisdiction over those governments or over 
public universities. Furthermore, the bill's provisions apply 
to ``persons,'' a term that does not include sovereigns such as 
state, local, or tribal governments. We expect, therefore, that 
the provisions of the bill regarding the use, sale, and 
purchase of Social Security numbers would not apply to such 
entities.
    Estimated impact on the private sector: H.R. 948 contains 
private-sector mandates as defined in UMRA. It would prohibit 
any entity from selling or purchasing a Social Security number 
(SSN) in violation of regulations that the FTC would issue to 
implement this legislation. The bill also would prohibit the 
display of Social Security numbers on any Web site that is 
generally accessible to the public or on any membership or 
identity cards. In addition, the bill would prohibit anyone 
from requiring that a consumer use a Social Security number as 
a password. The FTC would be required to ensure that the 
restrictions and conditions on the sale or purchase of SSNs are 
no broader than necessary to provide reasonable assurance that 
SSNs will not be used to commit or facilitate fraud, deception, 
or crime, and to prevent an undue risk of bodily, emotional, or 
financial harm to individuals.
    H.R. 948 is aimed at prohibiting activities that have no 
legitimate purpose; however, despite the exemptions in the 
bill, some entities engaging in legitimate activities might be 
forced to change their business practices as a result of the 
legislation. The cost to the private sector of complying with 
the mandates in the bill is uncertain because it would depend 
on regulations that have not yet been promulgated. 
Consequently, CBO cannot determine whether the aggregate cost 
of mandates in H.R. 948 would exceed the annual threshold 
established by UMRA for private-sector mandates ($131 million 
in 2007, adjusted annually for inflation).
    Estimate prepared by: Federal Costs: Susan Willie; Impact 
on state, local, and tribal governments: Elizabeth Cove; Impact 
on the private sector: Fatimot Ladipo.
    Estimate approved by: Robert A. Sunshine, Assistant 
Director for Budget Analysis.

                       FEDERAL MANDATES STATEMENT

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                      ADVISORY COMMITTEE STATEMENT

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                   CONSTITUTIONAL AUTHORITY STATEMENT

    Pursuant to clause 3(d)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee finds that the 
Constitutional authority for this legislation is provided in 
Article I, section 8, clause 3, which grants Congress the power 
to regulate commerce with foreign nations, among the several 
States, and with the Indian Tribes.

                  APPLICABILITY TO LEGISLATIVE BRANCH

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title

    Section 1 defines this Act as the ``Social Security 
Protection Act of 2007''.

Section 2. Definitions

    Section 2 defines terms to be used in this Act: including, 
``Commission,'' ``person,'' ``sale,'' ``purchase,'' ``Social 
Security number,'' and ``State.''
    The terms ``sale'' and ``purchase'' are broadly defined to 
include, respectively, obtaining or providing, directly or 
indirectly, anything of value in exchange for a Social Security 
number. Both of the latter terms, ``sale'' and ``purchase,'' 
are specifically defined to exclude two sets of circumstances: 
(1) the submission of such numbers as part of the process for 
applying for any type of government benefit or program (e.g., 
grant or loan applications or welfare or other public 
assistance programs); and (2) the transfers of such numbers as 
part of a data matching program under the Computer Matching and 
Privacy Protection Act of 1988. The term ``State'' is defined 
broadly to include both States of the United States and other 
political subdivisions of the United States, such as its 
territories and possessions.

Section 3. Prohibition on certain uses of social security numbers

    Section 3 prohibits the use of Social Security numbers in 
specific circumstances, except as provided under regulations 
promulgated by the FTC. Subsection 3(a)(1) would make it 
unlawful for any person to intentionally display the Social 
Security number of another individual on a Web site that is 
generally accessible to the public or provide an individual 
with access to the Social Security number of another individual 
through the Internet. Subsection 3(a)(2) would make it unlawful 
to require an individual who is a customer of or member 
associated with such person to use that individual's Social 
Security number as a password for access to any good or 
service, including access to any account of that individual or 
any protected access website. Subsection 3(a)(3) would make it 
unlawful to display the Social Security number of any 
individual on any membership or identity card issued by such 
person. Subsection 3(b) stipulates that a violation of 
subsection (a) shall be treated as an unfair and deceptive act 
or practice under section 18(a)(1)(B) of the Federal Trade 
Commission Act. Any person who violates subsection (a) shall be 
subject to the penalties and entitled to the privileges and 
immunities provided in the Federal Trade Commission Act. 
Subsection 3(c) directs the FTC to promulgate rules that 
provide for any exceptions to the prohibitions in subsection 
(a) for circumstances that the FTC considers appropriate and 
consistent with the public interest, the protection of 
consumers, and the purposes of this Act. The Committee 
understands that access to Social Security numbers is essential 
to many vital government and commercial operations, such as 
database accuracy and fraud prevention. The Committee believes, 
however, that there is no legitimate reason why, for example, 
Web site operators should be displaying, providing access to, 
or selling Social Security numbers to the general public. The 
intent of this section is to stop the public display of Social 
Security numbers. The Committee believes that such activity 
poses a substantial threat to consumers of identity theft and 
financial account fraud.

Section 4. Regulation of the sale and purchase of social security 
        numbers

    Section 4 provides for the prohibition of the sale or 
purchase of Social Security numbers in violation of regulations 
promulgated by the FTC. The FTC shall promulgate regulations 
within one year of enactment restricting the sale and purchase 
and defining unfair and deceptive acts related to the sale and 
purchase of Social Security numbers. The FTC regulations shall 
also include exceptions for certain enumerated purposes 
consistent with the intent of the legislation.
    Subsection 4(a) would establish the general prohibition of 
the sale and purchase of a Social Security number in a manner 
that violates a regulation promulgated by the FTC under 
subsection (b). Subsection 4(b)(1) would direct the FTC, after 
consultation with the Commissioner of Social Security, the 
Attorney General, and other agencies as the FTC deems 
appropriate, to promulgate regulations restricting the sale and 
purchase of Social Security numbers and any unfair and 
deceptive acts and practices in connection with the sale and 
purchase of those numbers. Subsection 4(b)(2) would require the 
FTC to impose restrictions and conditions on the sale and 
purchase of Social Security numbers and Social Security account 
numbers that are no broader than necessary (A) to provide 
reasonable assurance that such numbers will not be used to 
commit or facilitate fraud, deception, or crime; and (B) to 
prevent an undue risk of bodily, emotional, or financial harm 
to individuals (taking into account the nature, likelihood, and 
severity of the anticipated harm and the extent of any benefits 
that might be realized from the sale or purchase of the numbers 
and any other relevant factors).
    Subsection 4(b)(3) would require the FTC to establish in 
those regulations exceptions for seven categories of situations 
in which the sale and purchase of Social Security numbers would 
be permitted: (1) to the extent necessary for law enforcement 
or national security purposes; (2) to the extent necessary for 
public health purposes; (3) to the extent necessary in 
emergency situations to protect the health and safety of one or 
more individuals; (4) to the extent necessary for research to 
advance public knowledge (including, but not limited to, 
scientific, epidemiological, and social scientific research) 
conducted for the purpose of advancing public knowledge, on the 
condition that for such research the researcher provides 
adequate assurances that (i) the Social Security numbers will 
not be used to harass, target, or publicly reveal information 
concerning any identifiable individual(s); (ii) information 
about identifiable individuals obtained from the research will 
not be used to make decisions that directly affect the rights, 
benefits, or privileges of specific individuals; and (iii) the 
researcher has in place appropriate safeguards to protect the 
privacy and confidentiality of any information about 
identifiable individuals; (5) to the extent consistent with an 
individual's voluntary and affirmative written consent to the 
sale or purchase of a particular Social Security number that 
has been assigned to that individual; (6) to the extent 
necessary for legitimate consumer credit verification, if the 
Social Security numbers used for such verification are redacted 
in accordance with uniform redaction standards issued by the 
FTC in such regulations, and (7) under other appropriate 
circumstances as the FTC may determine and as are consistent 
with the paragraph (2). Under any of these seven exceptions, 
when Federal departments and agencies have Social Security 
numbers in systems of records, the legal protections of the 
Privacy Act, 5 U.S.C. Sec. 552a, will apply.
    The Committee intends that the FTC's regulations will 
address, among other things, growing concerns about the ability 
of companies to demand that consumers provide them with a full 
Social Security number as a condition of doing business. The 
Committee intends that the FTC, in crafting uniform redaction 
standards pursuant to 4(b)(3)(F), shall protect against the 
threat that a persons' full Social Security number could be 
uncovered. For example, such standards shall protect against 
the threat that a person's full Social Security number could be 
identified by combining the redacted number with other data 
which might otherwise reasonably be available about the 
individual and which could facilitate replication of the full 
number, such as the individual's date of birth or place of 
birth.
    Subsection 4(c)(1) would direct the FTC to promulgate the 
regulations under subsection 4(b) not later than one year after 
the date of enactment of the bill. Subsection 4(a), and 
regulations promulgated under subsection 4(b), shall take 
effect thirty days after the date on which the final 
regulations issued under subsection 4(b) are published in the 
Federal Register. Subsection 4(d) would direct that any 
violation of a regulation promulgated under subsection 4(b) 
shall be treated as a violation of a regulation under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
Sec. 57a(a)(1)(B)) regarding unfair or deceptive acts or 
practices.
    Subsection 4(e)(1) would set forth the FTC's authority to 
prevent violations of Section 3 and the regulations promulgated 
under Section 4, and provide that violators of such rules shall 
be subject to the penalties, and entitled to the privileges and 
immunities provided in the Federal Trade Commission Act as 
though all applicable terms and provisions of that Act were 
incorporated into and made a part of this bill. Subsection 
4(e)(2) would authorize any State attorney general to bring a 
parens patriae action in a United States district court, in any 
case in which that attorney general has reason to believe that 
an interest of the residents of that State has been or is 
threatened or adversely affected by an act or practice that 
violates any regulation under Section 4(b) of the Act. The 
relief that the State attorney general may seek would include 
injunctive relief, enforcement of compliance with the 
regulation, obtaining damages, restitution, and other 
compensation on behalf of the State's residents (including 
civil penalties up to $11,000 per violation, not to exceed a 
maximum of $5,000,000) and any other legal or equitable relief 
as the district court may consider to be appropriate. This 
subsection also contains provisions for notice to the FTC and 
the Department of Justice when such actions are brought; 
litigation-related rights that the FTC and the Department each 
would have in such actions; a provision precluding States from 
filing such parens patriae actions if the Department has 
instituted a prosecution for criminal violations or the FTC has 
instituted civil litigation for civil violations of the Act; a 
provision clarifying the ability of a State attorney general to 
use investigatory powers under the laws of that State; and 
procedural provisions for venue and service of process.

Section 5. Study of feasibility of banning social security as an 
        authenticator

    Section 5 directs the FTC to conduct a study to determine: 
(1) the extent of the use of Social Security numbers as a 
primary means of authenticating identity; (2) the extent of the 
use of Social Security numbers for verification in commercial 
transactions; (3) the feasibility of a prohibition on such use; 
and (4) possible alternatives to Social Security numbers for 
verification purposes and uses in authenticating identity. The 
FTC shall transmit to Congress a report of the study, including 
recommendations, no later than one year after the date of 
enactment of this Act.

Section 6. Effect on other laws

    Section 6 preempts any State laws that expressly: (1) 
prohibits the uses of Social Security numbers described in 
Section 3(a); or (2) restricts or prohibits the sale or 
purchase of Social Security numbers in a manner similar to the 
regulations promulgated under Section 4(b).

         CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    H.R. 948 does not amend any existing Federal statute.

                                  
