Version	Word Count	Changes From Previous Version	Percent Change
Introduced in Senate	6,765	n/a	n/a
Reported in Senate	9,131	90 Show Changes Hide Changes	32%

Display Version Introduced in Senate Reported in Senate

S 1178 ISRSCommentsClose CommentsPermalink

110th CONGRESS 1st Session S. 1178

To strengthen data protection and safeguards, require data breach notification, and further prevent identity theft.CommentsClose CommentsPermalink

IN THE SENATE OF THE UNITED STATES

April 20, 2007

Mr. INOUYE (for himself, Mr. STEVENS, Mr. PRYOR, and Mr. SMITH, and Mr. NELSON of Florida) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and TransportationCommentsClose CommentsPermalink

A BILL

To strengthen data protection and safeguards, require data breach notification, and further prevent identity theft.CommentsClose CommentsPermalink

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, CommentsClose CommentsPermalink

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) SHORT TITLE- This Act may be cited as the `Identity Theft Prevention Act'.CommentsClose CommentsPermalink





(b) TABLE OF CONTENTS- The table of contents for this Act is as follows:CommentsClose CommentsPermalink





Sec. 1. Short title; table of contents.CommentsClose CommentsPermalink





Sec. 2. Protection of sensitive personal information.CommentsClose CommentsPermalink





Sec. 3. Notification of security breach risk.CommentsClose CommentsPermalink





Sec. 4. Security freeze.CommentsClose CommentsPermalink





Sec. 5. Information security and consumer privacy advisory committee.CommentsClose CommentsPermalink





Sec. 6. Related crime study.CommentsClose CommentsPermalink





Sec. 7. Prohibition on technology mandates.CommentsClose CommentsPermalink





Sec. 8. Enforcement.CommentsClose CommentsPermalink





Sec. 9. Enforcement by State attorneys general.CommentsClose CommentsPermalink





Sec. 10. Preemption of State law.CommentsClose CommentsPermalink





Sec. 11. DefinitionsSocial Security number protection. CommentsClose CommentsPermalink





Sec. 12. Protection of information at Federal agencies. CommentsClose CommentsPermalink





Sec. 13. Definitions. CommentsClose CommentsPermalink





Sec. 14. Authorization of appropriations. CommentsClose CommentsPermalink





Sec. 135. Effective dates. CommentsClose CommentsPermalink

SEC. 2. PROTECTION OF SENSITIVE PERSONAL INFORMATION.

(a) IN GENERAL- A covered entity shall develop, implement, maintain, and enforce a written program for the security of sensitive personal information the entity collects, maintains, sells, transfers, or disposes of, containing administrative, technical, and physical safeguards--CommentsClose CommentsPermalink





(1) to ensure the security and confidentiality of such data;CommentsClose CommentsPermalink





(2) to protect against any anticipated threats or hazards to the security or integrity of such data; andCommentsClose CommentsPermalink





(3) to protect against unauthorized access to, or use of, such data that could result in substantial harm to any individual.CommentsClose CommentsPermalink





(b) COMPLIANCE WITH FTC STANDARDS REQUIRED- A covered entity that is in full compliance with the requirements of the Commission's rules on Standards for Safeguarding Customer Information and Disposal of Consumer Report Information and Records is deemed to be in compliance with the requirements of subsection (a).CommentsClose CommentsPermalink





(c) REGULATIONS- Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations, in accordance with section 553 of title 5, United States Code, that require procedures for authenticating the credentials of any third party to which sensitive personal information is to be transferred or sold by a covered entity.CommentsClose CommentsPermalink

SEC. 3. NOTIFICATION OF SECURITY BREACH RISK.

(a) Security Breaches Affecting 1,000 or More Individuals-CommentsClose CommentsPermalink





(1) IN GENERAL- If a covered entity discovers a breach of security that affects 1,000 or more individuals, then, [Struck out->]before conducting the notification required by subsection (c),[<-Struck out] within 5 business days after the discovery of the breach of security, it shall--CommentsClose CommentsPermalink





(A) report the breach to the Commission (or other appropriate Federal regulator under section 8); andCommentsClose CommentsPermalink





(B) notify all consumer reporting agencies described in section 603(p)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)(1)) of the breach.CommentsClose CommentsPermalink





(2) FTC WEBSITE PUBLICATION- Whenever the Commission receives a report under paragraph (1)(A), after the notification required by subsection (c) has begun, it shall post a report of the breach of security on its website without disclosing any sensitive personal information pertaining to the individuals affected (including their names).CommentsClose CommentsPermalink





(3) CONTENTS OF REPORT- The report described in paragraph (2) shall include--CommentsClose CommentsPermalink





(A) the number of individuals impacted by the breach of security; andCommentsClose CommentsPermalink





(B) confirmation that the covered entity has taken action to comply with the requirements of subsection (c).CommentsClose CommentsPermalink





(b) Security Breaches Affecting Fewer Than 1,000 Individuals-CommentsClose CommentsPermalink





(1) IN GENERAL- If a covered entity discovers a breach of security that affects the sensitive personal information of fewer than [Struck out->]1,000[<-Struck out] 1,000, but more than 1,00050, individuals and determines that the breach of security does not create a reasonable risk of identity theft, it shall report the breach to the Commission (or other appropriate Federal regulator under section 8).CommentsClose CommentsPermalink





(2) REPORT CONTENTS- The report shall contain the number of individuals affected and the type of information that was exposed because of the breach of security.CommentsClose CommentsPermalink





(3) LIMITATION ON COMMISSION RESPONSE- With respect to a report under paragraph (1) received by the Commission, the Commission may not--CommentsClose CommentsPermalink





(A) disclose any sensitive personal information relating to the individuals (including their names); orCommentsClose CommentsPermalink





(B) publish such a report on its website.CommentsClose CommentsPermalink





(4) Determination of reasonable risk of identity theft-(A) IN GENERAL- If a covered entity cannot make a determination as to whether the breach of security creates a reasonable risk of identity theft, it may request guidance from the Commission in writing as to a suggested course of action that may be required under this Act.(B) TIME AND MANNER OF RESPONSE- The Commission shall respond to a request from a covered entity under subparagraph (A) in writing within 5 business days after the date on which it receives the request.(c) NOTIFICATION OF CONSUMERS-CommentsClose CommentsPermalink





(1) IN GENERAL- A covered entity shall use due diligence to investigate any suspected breach of security affecting sensitive personal information maintained by that covered entity. If, after the exercise of such due diligence, the covered entity discovers a breach of security and determines that the breach of security creates a reasonable risk of identity theft, the covered entity shall notify each such individual. In determining whether a reasonable risk of identity theft exists, a covered entity shall consider such factors as whether--CommentsClose CommentsPermalink





(A) data containing sensitive personal information is usable or could be made usable by an unauthorized third party; andCommentsClose CommentsPermalink





(B) the data is in the possession and control of an unauthorized third party.CommentsClose CommentsPermalink





(2) DIRECT RELATIONSHIP WITH CONSUMER REQUIRED- T [Struck out->]The[<-Struck out] Where the breach involves a situation in which an entity has a direct relationship with consumers, the notice required by paragraph (1) must be provided by the entity which has a direct relationship with the parties whose information was subject to the breach. Unless there is an agreement to the contrary, the entity providing the notice shall be compensated for the cost of the notice required by the covered entity subject to the breach of security.CommentsClose CommentsPermalink





(3) Determination of reasonable risk of identity theft- CommentsClose CommentsPermalink





(A) IN GENERAL- If a covered entity cannot make a determination as to whether the breach of security creates a reasonable risk of identity theft, it may request guidance from the Commission or relevant enforcement agency in writing as to a suggested course of action that may be required under this Act. CommentsClose CommentsPermalink





(B) TIME AND MANNER OF RESPONSE- The Commission or relevant enforcement agency shall respond to a request from a covered entity under subparagraph (A) in writing within 5 business days after the date on which it receives the request. CommentsClose CommentsPermalink





(d) Methods of Notification; Notice Content-CommentsClose CommentsPermalink





(1) IN GENERAL- A covered entity shall provide notice pursuant to subsection (c) by--CommentsClose CommentsPermalink





(A) written notice;CommentsClose CommentsPermalink





(B) electronic notice, if suchthe primary method used by the covered entity to communicate with the individual is by electronic means, or the individual has consented to receive such notice and the notice is consistent with the provisions of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.); or CommentsClose CommentsPermalink





(C) substitute notice, if the covered entity does not have sufficient contact information for the individuals to be notified, consisting of--CommentsClose CommentsPermalink





(i) notice by electronic mail when the covered entity has an electronic mail address for affected individuals;CommentsClose CommentsPermalink





(ii) conspicuous posting of the security breach on the Internet website of the covered entity for a reasonable period, if the covered entity maintains a website (except that the information posted may not disclose any sensitive personal information pertaining to the affected individuals (including their names)); andCommentsClose CommentsPermalink





(iii) notification to major statewide media of the breach of security.CommentsClose CommentsPermalink





(2) CONTENT OF NOTICE- The notice required under paragraphs (1)(A) and (B) shall consist of--CommentsClose CommentsPermalink





(A) the name of the individual whose information was the subject of the breach of security;CommentsClose CommentsPermalink





(B) the name of the covered entity that was the subject of the breach of security;CommentsClose CommentsPermalink





(C) a description of the categories of sensitive personal information of the individual that were the subject of the breach of security;CommentsClose CommentsPermalink





(D) the date of discovery of such breach of security; andCommentsClose CommentsPermalink





(E) the toll-free numbers necessary to contact--CommentsClose CommentsPermalink





(i) each covered entity that was the subject of the breach of security;CommentsClose CommentsPermalink





(ii) each nationwide credit reporting agency; andCommentsClose CommentsPermalink





(iii) the Commission.CommentsClose CommentsPermalink





(e) Timing of Notification-CommentsClose CommentsPermalink





(1) IN GENERAL- Except as provided in paragraph (2), notice required by subsection (c) shall be given--CommentsClose CommentsPermalink





(A) in a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system; andCommentsClose CommentsPermalink





(B) in the most expeditious manner practicable, but not later than 25 business days after the date on which the breach of security was discovered by the covered entity.CommentsClose CommentsPermalink





(2) LAW ENFORCEMENT AND NATIONAL OR HOMELAND SECURITY RELATED DELAYS- Notwithstanding paragraph (1), the giving of notice as required by that paragraph may be delayed for a reasonable period of time if--CommentsClose CommentsPermalink





(A) a Federal or State law enforcement agency determines that the timely giving of notice under subsections (a) and (c), as required by paragraph (1), would materially impede a civil or criminal investigation; orCommentsClose CommentsPermalink





(B) a Federal national security or homeland security agency determines that such timely giving of notice would threaten national or homeland security.CommentsClose CommentsPermalink





(f) CERTAIN SERVICE PROVIDERS- Section 2 and subsections (a), (b), and (c) of this section do not apply to electronic communication of a third party stored by a cable operator, information service, or telecommunications carrier in the network of such operator, service or carrier in the course of transferring or transmitting such communication. Any term used in this subsection that is defined in the Communications Act of 1934 (47 U.S.C. 151 et seq.) has the meaning given it in that Act.CommentsClose CommentsPermalink

SEC. 4. SECURITY FREEZE.

(a) In General-CommentsClose CommentsPermalink





(1) EMPLACEMENT- A consumer may place a security freeze on the consumer's credit report by making a request to a consumer credit reporting agency in writing, by telephone, or through a secure electronic connection if such a connection is made available by the consumer credit reporting agency.CommentsClose CommentsPermalink





(2) CONSUMER DISCLOSURE- If a consumer requests a security freeze, the consumer credit reporting agency shall disclose to the consumer the process of placing and removing the security freeze. A consumer credit reporting agency may not imply or inform a consumer that the placement or presence of a security freeze on the consumer's credit report may negatively affect the consumer's credit score.CommentsClose CommentsPermalink





(b) Effect of Security Freeze-CommentsClose CommentsPermalink





(1) RELEASE OF INFORMATION BLOCKED- If a security freeze is in place on a consumer's credit report, a consumer credit reporting agency may not release the credit report for consumer credit review purposes to a third party without prior express authorization from the consumer.CommentsClose CommentsPermalink





(2) INFORMATION PROVIDED TO THIRD PARTIES- Paragraph (1) does not prevent a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report. If a third party, in connection with a request for information in any circumstance under which a consumer credit reporting agency may furnish a consumer report under section 604(a) of the Fair Credit Reporting Act (15 U.S.C. 1681b), requests access to a consumer credit report on which a security freeze is in place, the third party may treat any application associated with the request as incomplete.CommentsClose CommentsPermalink





(3) CONSUMER CREDIT SCORE NOT AFFECTED- The placement of a security freeze on a credit report may not be taken into account for any purpose in determining the credit score of the consumer to whom the account relates.CommentsClose CommentsPermalink





(c) Removal; Temporary Suspension-CommentsClose CommentsPermalink





(1) IN GENERAL- Except as provided in paragraphs (2)(B) and (4), a security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer may remove a security freeze on the consumer's credit report by making a request to a consumer credit reporting agency in writing, by telephone, or through a secure electronic connection made available by the consumer credit reporting agency.CommentsClose CommentsPermalink





(2) CONDITIONS- A consumer credit reporting agency may remove a security freeze placed on a consumer's credit report only--CommentsClose CommentsPermalink





(A) upon the consumer's request, pursuant to paragraph (1); orCommentsClose CommentsPermalink





(B) if the agency determines that the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer.CommentsClose CommentsPermalink





(3) NOTIFICATION TO CONSUMER- If a consumer credit reporting agency intends to remove a freeze upon a consumer's credit report pursuant to paragraph (2)(B) or (4), [Struck out->](2)(B) or (4),[<-Struck out] 2(B) the consumer credit reporting agency shall notify the consumer in writing prior to removing the freeze on the consumer's credit report.CommentsClose CommentsPermalink





(4) TEMPORARY SUSPENSION- A consumer may have a security freeze on the consumer's credit report temporarily suspended by making a request to a consumer credit reporting agency in writing [Struck out->]writing[<-Struck out] writing, by telephone, or through a secure electronic connection made available by the consumer credit reporting agency and--CommentsClose CommentsPermalink





(A) specifying beginning and ending dates for the period during which the security freeze is not to apply to that consumer's credit report; orCommentsClose CommentsPermalink





(B) specifying a specific third party to which access to the credit report may be granted notwithstanding the freeze.CommentsClose CommentsPermalink





(d) Response Times; Notification of Other Entities-CommentsClose CommentsPermalink





(1) IN GENERAL- A consumer credit reporting agency shall--CommentsClose CommentsPermalink





(A) place a security freeze on a consumer's credit report under subsection (a) no later than 3 business days after receiving a request from the consumer under subsection (a)(1);CommentsClose CommentsPermalink





(B) remove a security freeze within 3 business days after receiving a request for removal from the consumer under subsection (c); andCommentsClose CommentsPermalink





(C) temporarily suspend a security freeze within 1 business day after receiving a request under subsection (c)(4).CommentsClose CommentsPermalink





(2) NOTIFICATION OF OTHER COVERED ENTITIES- If the consumer requests in writing, by telephone, or by secure electronic connection to a consumer credit reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) that other covered entities be notified of the request, the consumer credit reporting agency shall notify all other consumer credit reporting agencies described in section 603(p)(1 [Struck out->]603(p)(1)[<-Struck out] 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)(1)) of the request [Struck out->]1681a(p)(1))[<-Struck out] 1681a(p)) of the request within 1 day of receiving the request.CommentsClose CommentsPermalink





(3) IMPLEMENTATION BY OTHER COVERED ENTITIES- A consumer credit reporting agency that isdescribed in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) that is notified of a request under paragraph (2) to place, remove, or temporarily suspend a security freeze on a consumer's credit report shall--CommentsClose CommentsPermalink





(A) ensure the validity of the request, including verifying the identity of the requesting consumer, within 3 business days after receiving the notification; andCommentsClose CommentsPermalink





(B) place, remove, or temporarily suspend the security freeze on that credit report within 3 business days after validating the request, including verifying the identity of the requesting consumer and securing the fee under subsection (h)(1), if applicable.CommentsClose CommentsPermalink





(e) CONFIRMATION- Except as provided in subsection (c)(3), whenever a consumer credit reporting agency places, removes, or temporarily suspends a security freeze on a consumer's credit report at the request of that consumer under subsection (a) or (c), respectively, it shall send a written confirmation thereof to the consumer within 10 business days after placing, removing, or temporarily suspending the security freeze on the credit report. This subsection does not apply to the placement, removal, or temporary suspension of a security freeze by a consumer credit reporting agency because of a notification received under subsection (d)(2).CommentsClose CommentsPermalink





(f) ID REQUIRED- A consumer credit reporting agency may not place, remove, or temporarily suspend a security freeze on a consumer's credit report at the consumer's request unless the consumer provides proper identification (within the meaning of section 610(a)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681(h)(a)(1)) and the regulations thereunder.CommentsClose CommentsPermalink





(g) EXCEPTIONS- This section does not apply to the use of a consumer credit report by any of the following:CommentsClose CommentsPermalink





(1) A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument.CommentsClose CommentsPermalink





(2) Any Federal, State or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, subpoena, or other compulsory process.CommentsClose CommentsPermalink





(3) A child support agency or its agents or assigns acting pursuant to subtitle D of title IV of the Social Security Act (42 U.S.C. et seq.) or similar State law.CommentsClose CommentsPermalink





(4) The Department of Health and Human Services, a similar State agency, or the agents or assigns of the Federal or State agency acting to investigate medicare or medicaid fraud.CommentsClose CommentsPermalink





(5) The Internal Revenue Service or a State or municipal taxing authority, or a State department of motor vehicles, or any of the agents or assigns of these Federal, State, or municipal agencies acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of their other statutory responsibilities.CommentsClose CommentsPermalink





(6) Any person or entity administering a credit file monitoring subscription to which the consumer has subscribed.CommentsClose CommentsPermalink





(7) Any person or entity for the purpose of providing a consumer with a copy of the consumer's credit report or credit score upon the consumer's request.CommentsClose CommentsPermalink





(8) Except when access is restricted to a specific third party during a temporary suspension of a security freeze under subsection (c)(4)(B), any person who seeks access during the time period that a security freeze is temporarily suspended for the purpose of facilitating the extension of credit or another permissible use.CommentsClose CommentsPermalink





(h) Fees-CommentsClose CommentsPermalink





(1) IN GENERAL- Except as provided in paragraph (2), a consumer credit reporting agency may charge a fee, not in excess of $10, for placing a security freeze on a consumer's credit report. A consumer reporting agency may not charge a consumer for up to 2 requests per year per credit reporting agency for temporary suspension of a security freeze. If the consumer requests more than 2 temporary suspensions of a security freeze from a credit reporting agency within a year, then that consumer credit reporting agency may charge the consumer a fee for each such additional request, but that consumer credit reporting agency may not charge in excess of $5 per request. A consumer credit reporting agency may not charge a consumer for removing a security freeze.CommentsClose CommentsPermalink





(2) FEES PROHIBITED-CommentsClose CommentsPermalink





(A) ID THEFT VICTIMS- A consumer credit reporting agency may not charge a fee for placing, removing, or temporarily suspending a security freeze on a consumer's credit report if--CommentsClose CommentsPermalink





(i) the consumer is a victim of identity theft;CommentsClose CommentsPermalink





(ii) the consumer requests the security freeze in writing;CommentsClose CommentsPermalink





(iii) the consumer has filed a police report with respect to the theft, or an identity theft report (as defined in section 603(q)(4) of the Fair Credit Reporting Act (15 U.S.C. 1681a(q)(4))), within 180 days after the theft occurred or was discovered by the consumer; andCommentsClose CommentsPermalink





(iv) the consumer provides a copy of the report to the credit reporting agency.CommentsClose CommentsPermalink





(B) CATEGORICAL CLASSES- A consumer credit reporting agency may not charge a fee for placing, removing, or temporarily suspending a credit freeze on a consumer's credit report if the consumer requesting it--CommentsClose CommentsPermalink





(i) has attained the age of 65 years;CommentsClose CommentsPermalink





(ii) is on active duty or in the ready reserve component of an armed force of the United States; orCommentsClose CommentsPermalink





(iii) is the spouse of an individual described in clause (ii).CommentsClose CommentsPermalink





(i) Limitation on Information Changes in Frozen Reports-CommentsClose CommentsPermalink





(1) IN GENERAL- If a security freeze is in place on a consumer's credit report, a consumer credit reporting agency may not change any of the following official information in that credit report without sending a written confirmation of the change to the consumer within 30 days after the change is made:CommentsClose CommentsPermalink





(A) Name.CommentsClose CommentsPermalink





(B) Date of birth.CommentsClose CommentsPermalink





(C) Social security account number.CommentsClose CommentsPermalink





(D) Address.CommentsClose CommentsPermalink





(2) CONFIRMATION- Paragraph (1) does not require written confirmation for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.CommentsClose CommentsPermalink





(j) Certain Entity Exemptions-CommentsClose CommentsPermalink





(1) Resellers and other agencies-CommentsClose CommentsPermalink





(A) IN GENERAL- Except as provided in subparagraph (B), the provisions of this Act do not apply to a consumer credit reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the data base of another consumer credit reporting agency or multiple consumer credit reporting agencies, and does not maintain a permanent data base of credit information from which new consumer credit reports are produced.CommentsClose CommentsPermalink





(B) RESELLER TO HONOR FREEZES PLACED BY CONSUMER REPORTING AGENCIES- Section 4(b), and, to the extent applicable, section 8 [Struck out->]section 8[<-Struck out] sections 8 and 9 of this Act apply to a consumer credit reporting agency described in subparagraph (A).CommentsClose CommentsPermalink





(2) OTHER EXEMPTED ENTITIES- The following entities are not required to place a security freeze in a credit report:CommentsClose CommentsPermalink





(A) A check services or fraud prevention services company, which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments.CommentsClose CommentsPermalink





(B) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.CommentsClose CommentsPermalink

SEC. 5. INFORMATION SECURITY AND CONSUMER PRIVACY ADVISORY COMMITTEE.

(a) Establishment- Not later than 90 days after the date of enactment of this Act, the Chairman of the Commission shall establish the Information Security and Consumer Privacy Advisory Committee.CommentsClose CommentsPermalink





(b) Membership- The Advisory Committee shall consist of 5 members appointed by the Chairman after appropriate consultations with relevant interested parties [Struck out->]parties.[<-Struck out] parties, including representatives of the small business community. Of the 5 members, the Advisory Committee shall contain at least 1 member from each of the following groups:CommentsClose CommentsPermalink





(1) A non-profit consumer advocacy group.CommentsClose CommentsPermalink





(2) A business organization that collects personally identifiable information.CommentsClose CommentsPermalink





(3) A state Attorney General's office.CommentsClose CommentsPermalink





(c) CHAIRPERSON- The Advisory Committee members shall elect 1 member to serve as chairperson of the Advisory Committee.CommentsClose CommentsPermalink





(d) FUNCTIONS- The Advisory Committee shall collect, review, disseminate, and advise on best practices [Struck out->]best practices[<-Struck out] guidance for covered entities to protect sensitive personal information stored and transferred.CommentsClose CommentsPermalink





(e) REPORT- Not later than 12 months after the date on which the Advisory Committee is established under subsection (a) and annually thereafter, the Advisory Committee shall submit to Congress a report on its findings.CommentsClose CommentsPermalink





(f) NO TERMINATION- Section 14(a)(2) of the Federal Advisory Committee Act (5 U.S.C. App 14(a)(2)) shall not apply to the Advisory Committee.CommentsClose CommentsPermalink

SEC. 6. RELATED CRIME STUDY.

(a) IN GENERAL- The Federal Trade Commission, in conjunction with the Department of Justice and other Federal agencies, shall undertake a study of--CommentsClose CommentsPermalink





(1) the correlation between methamphetamine use and identity theft crimes;CommentsClose CommentsPermalink





(2) the needs of law enforcement to address methamphetamine crimes related to identity theft, including production, trafficking, and the purchase of precursor chemicals; andCommentsClose CommentsPermalink





(3) the Federal Government's role in addressing and deterring identity theft crimes.CommentsClose CommentsPermalink





(b) REPORT- Not later than 18 [Struck out->]18 months[<-Struck out] 9 months after the date of enactment of this Act, the Commission shall submit a report of its findings and recommendations to the Congress that includes--CommentsClose CommentsPermalink





(1) a detailed analysis of the correlation between methamphetamine use and identity theft crimes;CommentsClose CommentsPermalink





(2) the needs of law enforcement to address methamphetamine crimes related to identity theft including production, trafficking, and the purchase of precursor chemicals related to methamphetamine;CommentsClose CommentsPermalink





(3) the Federal Government's role in addressing and deterring identity theft crimes; andCommentsClose CommentsPermalink





(4) specific recommendations for means of reducing and preventing crimes involving methamphetamine and identity theft, including recommendations for best practices for local law enforcement agencies.CommentsClose CommentsPermalink

SEC. 7. PROHIBITION ON TECHNOLOGY MANDATES.

Nothing in this Act shall be construed to permit the Commission to issue regulations that require or impose a specific technology, product, [Struck out->]technological standards, or solution.[<-Struck out] or technological standards.CommentsClose CommentsPermalink

SEC. 8. ENFORCEMENT.

(a) ENFORCEMENT BY COMMISSION- Except as provided in subsection (c), this Act shall be enforced by the Commission.CommentsClose CommentsPermalink





(b) VIOLATION IS UNFAIR OR DECEPTIVE ACT OR PRACTICE- The violation of any provision of this Act shall be treated as an unfair or deceptive act or practice proscribed under a rule issued under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).CommentsClose CommentsPermalink





(c) ENFORCEMENT BY CERTAIN OTHER AGENCIES- Compliance with this Act shall be enforced exclusively under--CommentsClose CommentsPermalink





(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of--CommentsClose CommentsPermalink





(A) national banks, and Federal branches and Federal agencies of foreign banks, [Struck out->]and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers),[<-Struck out] by the Office of the Comptroller of the Currency;CommentsClose CommentsPermalink





(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 and 611), [Struck out->]and bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies and investment advisers),[<-Struck out] by the Board of Governors of the Federal Reserve System;CommentsClose CommentsPermalink





(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, [Struck out->]and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies and investment advisers),[<-Struck out] by the Board of Directors of the Federal Deposit Insurance Corporation; andCommentsClose CommentsPermalink





(D) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, [Struck out->]and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies and investment advisers),[<-Struck out] by the Director of the Office of Thrift Supervision;CommentsClose CommentsPermalink





(2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the Board of the National Credit Union Administration Board with respect to any Federal credit union and any subsidiaries of such a credit [Struck out->]union and any subsidiaries of such a credit[<-Struck out] union;CommentsClose CommentsPermalink





(3) the Securities and Exchange Act of 1934 (15 U.S.C. 78a et seq.) by the Securities and Exchange Commission with respect to--CommentsClose CommentsPermalink





(A) a broker or dealer subject to that Act;CommentsClose CommentsPermalink





(B) an investment company subject to the Investment Company Act of 1940 (15 U.S.C. 80a-1 et seq.); andCommentsClose CommentsPermalink





(C) an investment advisor subject to the Investment Advisers Act of 1940 (15 U.S.C. 80b-1 et seq.); andCommentsClose CommentsPermalink





(4) State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled.CommentsClose CommentsPermalink





(d) EXERCISE OF CERTAIN POWERS- For the purpose of the exercise by any agency referred to in subsection (c) of its powers under any Act referred to in that subsection, a violation of this Act is deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (c), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under this Act, any other authority conferred on it by law.CommentsClose CommentsPermalink





(e) OTHER AUTHORITY NOT AFFECTED- Nothing in this Act shall be construed to limit or affect in any way the Commission's authority to bring enforcement actions or take any other measure under the Federal Trade Commission Act (15 U.S.C. 41 et seq.) or any other provision of law.CommentsClose CommentsPermalink





(f) COMPLIANCE WITH GRAMM-LEACH-BLILEY ACT-CommentsClose CommentsPermalink





(1) NOTICE- Any covered entity that is subject to the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), and gives notice in compliance with the notification requirements established for such covered entities under title V of that Act is deemed to be in compliance with section 3 of this Act.CommentsClose CommentsPermalink





(2) SAFEGUARDS- Any covered entity that is subject to the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), and fulfills the information protection requirements established for such entities under title V of the Act and under section 607(a) of the Fair Credit Reporting Act (15 U.S.C. 1681e(a)) to protect sensitive personal information shall be deemed to be in compliance with section 2 of this Act.CommentsClose CommentsPermalink

SEC. 9. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

(a) IN GENERAL- Except as provided in section 8(c), a State, as parens patriae, may bring a civil action on behalf of its residents in an appropriate state or district court of the United States to enforce the provisions of this Act, to obtain damages, restitution, or other compensation on behalf of such residents, or to obtain such further and other relief as the court may deem appropriate, whenever the attorney general of the State has reason to believe that the interests of the residents of the State have been or are being threatened or adversely affected by a covered entity that violates this Act or a regulation under this Act.CommentsClose CommentsPermalink





(b) NOTICE- The State shall serve written notice to the Commission (or other appropriate Federal regulator under section 8) of any civil action under subsection (a) at least 60 days prior to initiating such civil action. The notice shall include a copy of the complaint to be filed to initiate such civil action, except that if it is not feasible for the State to provide such prior notice, the State shall provide such notice immediately upon instituting such civil action.CommentsClose CommentsPermalink





(c) AUTHORITY TO INTERVENE- Upon receiving the notice required by subsection (b), the Commission (or other appropriate Federal regulator under section 8) may intervene in such civil action and upon intervening--CommentsClose CommentsPermalink





(1) be heard on all matters arising in such civil action; andCommentsClose CommentsPermalink





(2) file petitions for appeal of a decision in such civil action.CommentsClose CommentsPermalink





(d) CONSTRUCTION- For purposes of bringing any civil action under subsection (a), nothing in this section shall prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of such State to conduct investigations or to administer oaths or affirmations or to compel the attendance of witnesses or the production of documentary and other evidence.CommentsClose CommentsPermalink





(e) VENUE; SERVICE OF PROCESS- In a civil action brought under subsection (a)--CommentsClose CommentsPermalink





(1) the venue shall be a judicial district in which--CommentsClose CommentsPermalink





(A) the covered entity operates; orCommentsClose CommentsPermalink





(B) the covered entity was authorized to do business;CommentsClose CommentsPermalink





(2) process may be served without regard to the territorial limits of the district or of the State in which the civil action is instituted; andCommentsClose CommentsPermalink





(3) a person who participated with a covered entity in an alleged violation that is being litigated in the civil action may be joined in the civil action without regard to the residence of the person.CommentsClose CommentsPermalink





(f) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING- If the Commission (or other appropriate Federal agency under section 8) has instituted a civil action or an administrative action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission or the other agency for any violation of this Act alleged in the complaint.CommentsClose CommentsPermalink





(g) RECOVERY OF REASONABLE COSTS AND FEES- If the attorney general of the State prevails in any civil action under subsection (a), it can recover reasonable costs and attorney fees from the covered entity. CommentsClose CommentsPermalink

SEC. 10. PREEMPTION OF STATE LAW.

(a) NOTICE- This Act preempts any State or local law, regulation, or rule that requires a covered entity to notify individuals of breaches of security pertaining to them.CommentsClose CommentsPermalink





(b) INFORMATION SECURITY PROGRAMS- This Act preempts any State or local law, regulation, or rule that requires a covered entity to develop, implement, maintain, or enforce information security programs to which this Act applies.CommentsClose CommentsPermalink





(c) SECURITY FREEZE-CommentsClose CommentsPermalink





(1) IN GENERAL- This Act shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State with regards to consumer credit reporting agencies compliance with a consumer's request to place, remove, or temporarily suspend the prohibition on the release by a credit reporting agency of information from its files on that consumer, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this Act, and then only to the extent of the inconsistency.CommentsClose CommentsPermalink





(2) GREATER PROTECTION UNDER STATE LAW- For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection of [Struck out->]of[<-Struck out] afforded by such statute, regulation, order, or interpretation affords any person is [Struck out->]affords[<-Struck out] any person is greater than the protection provided under this Act in regards to credit reporting agencies compliance with a consumer's request to place, remove, or temporarily suspend the prohibition on the release by a consumer credit reporting agency of information from its files on that consumer.CommentsClose CommentsPermalink





(d) SOCIAL SECURITY ACCOUNT NUMBERS- Section 11 of this Act, and the amendments made by that section, preempt any State or local law, regulation, or rule prohibiting or limiting the collection, solicitation, sale, provision, or display of social security account numbers of the types described in section 11. CommentsClose CommentsPermalink





[Struck out->](d)[<-Struck out] (e) LIMITATION OF PREEMPTION- Federal preemption under this Act shall only apply to matters expressly described in subsection (a) or (b [Struck out->](a) or (b)[<-Struck out] (a), (b), or (d) of this section, and shall have no effect on other State or local laws, regulations, or rules over covered entities.CommentsClose CommentsPermalink

SEC. 11. SOCIAL SECURITY NUMBER PROTECTION.

SEC. 13. DEFINITIONS.

In this Act:CommentsClose CommentsPermalink





(1) BREACH OF SECURITY- The term `breach of security' means unauthorized access to and acquisition of data in any form or format containing sensitive personal information that compromises the security or confidentiality of such information.CommentsClose CommentsPermalink





(2) COMMISSION- The term `Commission' means the Federal Trade Commission.CommentsClose CommentsPermalink





(3) CONSUMER CREDIT REPORTING AGENCY- The term `consumer credit reporting agency' means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing credit reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing credit reports.CommentsClose CommentsPermalink





(4) COVERED ENTITY- The term `covered entity' means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity, and any charitable, educational, or nonprofit organization, that acquires, maintains, or utilizes sensitive personal information.CommentsClose CommentsPermalink





(5) CREDIT REPORT- The term `credit report' means a consumer report, as defined in section 603(d) of the Federal Fair Credit Reporting Act (15 U.S.C. 1681a(p)), as well as any associated credit score that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit for personal, family or household purposes.CommentsClose CommentsPermalink





(6) IDENTITY THEFT- The term `identity theft' means the unauthorized acquisition, purchase, sale, or use by any person of an individual's sensitive personal information that--CommentsClose CommentsPermalink





(A) violates section 1028 of title 18, United States Code, or any provision of State law in pari materia; orCommentsClose CommentsPermalink





(B) results in harm to the individual whose sensitive personal information was used.CommentsClose CommentsPermalink





(7) REASONABLE RISK OF IDENTITY THEFT- The term `reasonable risk of identity theft' means that the preponderance of the evidence available to the covered entity that has experienced a breach of security establishes that identity theft for 1 or more individuals from the breach of security is forseeable.CommentsClose CommentsPermalink





(8) REVIEWING THE ACCOUNT- The term `reviewing the account' includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.CommentsClose CommentsPermalink





(9) Sensitive personal information-CommentsClose CommentsPermalink





(A) IN GENERAL- Except as provided in subparagraphs (B), (C), and (D), the term `sensitive personal information' means an individual's name, address, or telephone number combined with 1 or more of the following data elements related to that individual:CommentsClose CommentsPermalink





(i) Social security account number or an employer identification number that is the same as or is derived from the social security account number of that individual.CommentsClose CommentsPermalink





(ii) Financial account number, or credit card or debit card number of such individual, combined with any required security code, access code, or password that would permit access to such individual's account [Struck out->]account.[<-Struck out] account number or card number.CommentsClose CommentsPermalink





(iii) State driver's license identification number or State resident identification number.CommentsClose CommentsPermalink





(B) PASSWORD ACCOUNTS- A [Struck out->]An[<-Struck out] The term `sensitive personal information' also includes an account identifier combined with a password, PIN, or security code to access the account, for any consumer account from which any of the following can occur without further authentication after login:CommentsClose CommentsPermalink





(i) A financial transaction.CommentsClose CommentsPermalink





(ii) A purchase of goods or services.CommentsClose CommentsPermalink





(iii) A charge to a payment card or account.CommentsClose CommentsPermalink





(iv) A charge to a credit card or account.CommentsClose CommentsPermalink





(v) Access to the account that reveals sufficient information to engage in any activity described in clause (i), (ii), (iii), or (iv).CommentsClose CommentsPermalink





(C) FTC MODIFICATIONS- The Commission may, through a rulemaking proceeding in accordance with section 553 of title 5, United States Code, designate other identifying information that may be used to effectuate identity theft as sensitive personal information for purposes of this Act and limit or exclude any information described in subparagraph (A) from the definition of sensitive personal information for purposes of this Act.CommentsClose CommentsPermalink





(D) EXCEPTION- The term `sensitive personal information' does not include information that is obtained from--CommentsClose CommentsPermalink





(i) Federal, State, or local governments that has been made available to the general public; orCommentsClose CommentsPermalink





(ii) widely distributed media.CommentsClose CommentsPermalink





The exception provided by this subparagraph does not apply if the information obtained from Federal, State, or local government records or widely distributed media is combined with information obtained from non-public sources.CommentsClose CommentsPermalink





(E) PUBLIC RECORDS- Nothing in this Act prohibits a covered entity from obtaining, aggregating, or using sensitive personal information it lawfully obtains from public records in a manner thaBURDEN OF PROOF- In an enforcement action brought pursuant to section 8 or 9 of this Act, the covered entity shall have the burden of demonstrating that it has obtained the information from a source permitted as an exception in this paragraph. CommentsClose CommentsPermalink





(11) SOCIAL SECURITY ACCOUNT NUMBER- The term `social security account number' means a social security account number that contains more than 5 digits of the full 9-digit number assigned by the Social Security Administration but does not violate this Act.SEC. 12include social security account numbers to the extent that they are included in a publicly available information source, such as news reports, books, periodicals, or directories or Federal, State, or local government records. CommentsClose CommentsPermalink

SEC. 14. AUTHORIZATION OF APPROPRIATIONS.

There are authorized to be appropriated to the Commission $2,000,000 for each of fiscal years 2007 through 2011 to carry out this Act.CommentsClose CommentsPermalink

SEC. 15. EFFECTIVE DATES.

(a) IN GENERAL- Except as provided in subsections (b) and (c), the provisions of this Act take effect upon its enactment.CommentsClose CommentsPermalink





(b) IMPLEMENTATION OF SECURITY PROGRAM- A covered entity shall implement the program required by section 2(a) within 6 months after the date of enactment of this Act.CommentsClose CommentsPermalink





(c) PROVISIONS REQUIRING RULEMAKING- The Commission shall initiate 1 or more rulemaking proceedings under sections 2(c), 3, and 4 (including a rulemaking proceeding to determine what constitutes proper identification within the meaning of section 610(a)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681(h)(a)(1))) within 45 days after the date of enactment of this Act. The Commission shall promulgate all final rules pursuant to those rulemaking proceedings within 1 year after the date of enactment of this Act. The provisions of sections 2(c), 3, and 4 shall take effect on the same date 6 months after the date on which the Commission promulgates the last final rule under the proceeding or proceedings commenced under the preceding sentence.CommentsClose CommentsPermalink





(d) PREEMPTION- Section 10 shall take effect at the same time as sections 2(c), 3, and 4 take effect.CommentsClose CommentsPermalink