S.1202 - Personal Data Protection Act of 2007
A bill to require agencies and persons in possession of computerized data containing sensitive personal information, to disclose security breaches where such breach poses a significant risk of identity theft.

S 1202 IS
To require agencies and persons in possession of computerized data containing sensitive personal information, to disclose security breaches where such breach poses a significant risk of identity theft.
April 24, 2007
Mr. SESSIONS introduced the following bill; which was read twice and referred to the Committee on the Judiciary
To require agencies and persons in possession of computerized data containing sensitive personal information, to disclose security breaches where such breach poses a significant risk of identity theft.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Personal Data Protection Act of 2007'.
SEC. 2. DEFINITIONS.
In this Act:
(1) AGENCY- The term `agency'--
(A) has the meaning given that term in
(B) includes any authority of a State or political subdivision.
(2) BREACH OF SECURITY OF THE SYSTEM- The term `breach of security of the system'--
(A) means the compromise of the security of computerized data containing sensitive personal information that establishes a reasonable basis to conclude that a significant risk of identity theft to an individual exists; and
(B) does not include the compromise of the security of computerized data, if the agency or person concludes, after conducting a reasonable investigation, that there is not a significant risk of identity theft to an individual, including a situation in which--
(i) sensitive personal information is acquired in good faith by an employee or agent of the agency or person and the information is not subject to further unauthorized disclosure;
(ii) an investigation by an appropriate law enforcement agency, government agency, or official determines that there is not a significant risk of identity theft; or
(iii) the agency or person maintains or participates in a security program reasonably designed to block unauthorized transactions before they are charged to an individual's account and the security program does not indicate that the compromise of sensitive personal information has resulted in fraud or unauthorized transactions.
(3) FUNCTIONAL REGULATOR- The term `functional regulator' means--
(A) the Office of the Comptroller of the Currency with respect to national banks, and Federal branches, Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers);
(B) the Board of Governors of the Federal Reserve System with respect to member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (
(C) the Board of Directors of the Federal Deposit Insurance Corporation with respect to banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers);
(D) the Director of the Office of Thrift Supervision with respect to savings association the deposits of which are insured by the Federal Deposit Insurance Corporation, savings and loan holding companies, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers);
(E) the National Credit Union Administration Board with respect to any Federal credit union and any subsidiaries of such an entity;
(F) the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to part A of subtitle VII of title 49, United States Code;
(G) the Secretary of Agriculture with respect to any activities subject to the Packers and Stockyards Act, 1921 (
(H) the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association;
(I) the Securities and Exchange Commission with respect to any broker or dealer, investment company or investment adviser;
(J) the applicable State insurance authority of the State in which the person is domiciled with respect to any person engaged in providing insurance;
(K) the Federal Communications Commission with respect to any entity subject to the jurisdiction of the Commission; and
(L) the Federal Trade Commission with respect to any other financial institution or other person that is not subject to the jurisdiction of any agency or authority under subparagraphs (A) through (K).
(4) IDENTITY THEFT- The term `identity theft' means a fraud committed using the sensitive personal information of another individual with the intent to commit, or to aid or abet any unlawful activity that constitutes a violation of
(5) PERSON- The term `person' has the meaning given that term in
(6) PERSONAL INFORMATION- The term `personal information' means personally identifiable information about a specific individual.
(7) REDACTED- The term `redacted' means truncated so that not more than the last 4 digits of the social security number, driver's license number, State identification card number, or account number are accessible as part of the data.
(8) SENSITIVE PERSONAL INFORMATION-
(A) IN GENERAL- The term `sensitive personal information' means an individual's first name (or first initial) and last name in combination with any 1 or more of the following data elements that relate to that individual (when the data elements are not encrypted, redacted, or secured by any other method rendering that element unreadable or unusable):
(i) An individual's social security number.
(ii) An individual's driver's license number or equivalent State identification number.
(iii) An individual's financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(B) EXCLUSIONS- The term `sensitive personal information' does not include--
(i) any list, description, or other grouping of individuals (and publicly available information pertaining to them) that is derived without using any sensitive personal information; or
(ii) any information regardless of its source that is lawfully made available to the general public in Federal, State, or local government records.
SEC. 3. DATABASE SECURITY.
(a) In General- Any agency or person that owns or licenses computerized data containing sensitive personal information shall develop, implement, and maintain reasonable security and notification procedures and practices appropriate to the size and nature of the agency or person and the nature of the information to ensure the security and confidentiality of the personal information and protect it against any unauthorized access, destruction, use, modification or disclosure.
(b) Disclosure of Security Breach-
(1) NOTIFICATION OF INDIVIDUAL-
(A) IN GENERAL- If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a reasonable investigation, or notification under paragraph (2), that a significant risk of identity theft exists as a result of a breach of security of the system of such agency or person containing such data, the agency or person shall notify any individual whose sensitive personal information was compromised.
(B) DELAY OF NOTIFICATION- If a Federal law enforcement agency of either appropriate domestic or foreign jurisdiction determines that the notification required under this subsection would impede a criminal or civil investigation, such notification may be delayed until such Federal law enforcement agency determines that the notification will no longer compromise such investigation.
(2) NOTIFICATION OF OWNER OR LICENSOR-
(A) IN GENERAL- Any agency or person in possession of computerized data containing sensitive personal information that the agency or person does not own or license shall notify and cooperate with the owner or licensor of the information upon the discovery of a breach of security of the system of such agency or person as expediently as possible and without unreasonable delay.
(B) AGREEMENTS TO NOTIFY INDIVIDUALS PERMISSIBLE-
(i) IN GENERAL- Any agency or person in possession of sensitive personal information on behalf of the owner or licensor of such information may enter an agreement with the owner or licensor regarding which person or entity will provide any notice required under this subsection to an individual whose sensitive personal information was compromised.
(ii) SINGLE NOTICE- This subsection shall not be construed to require more than a single notice to any individual for each breach of security of the system relating to that individual.
(iii) NO AGREEMENT- If an agency or person in possession of sensitive personal information on behalf of the owner or licensor of such information does not have an agreement described in clause (i) in effect on the date of a breach of security of the system of that agency or person, the agency or person that owns or licenses computerized data containing sensitive personal information shall provide any notice required under this subsection.
(3) TIMELINESS OF NOTIFICATION-
(A) IN GENERAL- All notifications required under paragraph (1) shall be made as expediently as possible and without unreasonable delay following--
(i) the discovery and reasonable investigation by the agency or person of a breach of security of the system; and
(ii) measures the agency or person takes that are necessary to determine the scope of the breach, prevent further breaches, determine whether there is a reasonable basis to conclude that a significant risk of identity theft to an individual exists, restore the reasonable integrity of the data system, and comply with applicable requirements of other laws and regulations.
(B) EXPEDITIOUS NOTICE- Any measures described in subparagraph (A)(ii) shall be undertaken as expediently as possible and without unreasonable delay. Such measures shall not be undertaken for the purpose of causing delay of notification.
(4) METHODS OF NOTICE- An agency or person required to give notice under paragraph (1) shall be in compliance with this subsection if it provides--
(A) written notification to a mailing address for the subject individual;
(B) telephonic notification to a telephone number for the subject individual;
(C) e-mail notice to an e-mail address for the subject individual; or
(D) conspicuous posting of the notice on the Internet site of the agency or person, if the agency or person maintains an Internet site, or notification to major media, if--
(i) the agency or person demonstrates that the cost of providing direct notice under subparagraphs (A) through (C) of this subsection would exceed $250,000;
(ii) the affected class of subject individuals to be notified exceeds 500,000; or
(iii) the agency or person does not have sufficient contact information for those to be notified.
(5) CONTENTS OF NOTICE- Notice under this subsection shall--
(A) be given in a clear and conspicuous manner;
(B) describe the breach of security of the system in general terms and the type of sensitive personal information involved; and
(C) include a toll-free telephone number or website that individuals can use for further information and assistance.
(6) DUTY TO COORDINATE WITH CONSUMER REPORTING AGENCIES- Before any agency or person provides notice to more than 1,000 individuals at any time, or provides notice pursuant to paragraph (4)(D), that sensitive personal information on the individuals was, or may reasonably be expected to have been, the subject of a breach of security of the system, the agency or person shall, without unreasonable delay--
(A) notify any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis (as that term is defined in section 603(p) of the Fair Credit Reporting Act (
(i) the number of individuals to whom the notice will be given; or
(ii) the type of notice provided under paragraph (4)(D); and
(B) conform the notice to individuals to be delivered by such agency or person to accurately reflect, to the extent given in such notice--
(i) the method of contact reasonably specified by each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis that such individuals are to use with respect to the particular notice; and
(ii) the responsibilities of a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis under the Fair Credit Reporting Act (
(7) SAFE HARBORS-
(A) DATA SECURITY- Notwithstanding any other obligation under this section, a person that is in compliance with data security requirements under the laws, rules, regulations, guidance, or guidelines established or enforced by the functional regulator for that person shall be deemed to be in compliance with subsection (a).
(B) BREACH NOTIFICATION- Notwithstanding any other obligation under this section, a person that is in compliance with breach notification procedures under the laws, rules, regulations, guidance, or guidelines established or enforced by the functional regulator for that person shall be deemed to be in compliance with subsection (b).
(8) RELATION TO OTHER PROVISIONS- Nothing in this Act shall be construed to modify, limit or supersede the operation of the Fair Credit Reporting Act (
(c) Civil Remedies-
(1) PENALTIES-
(A) IN GENERAL- Except as provided under subparagraph (B), any agency or person that fails to give notice in accordance with paragraph (1) through (4) of subsection (b) shall be subject to--
(i) a fine in an amount not to exceed $250,000 per breach of security of the system; or
(ii) in the case of a violation of subsection (a), such actual damages as may be proven.
(B) AFFIRMATIVE DEFENSE- An agency or person shall have an affirmative defense to a fine under this paragraph if the breach of security of the system--
(i) was not a result of the negligence of such agency or person; and
(ii) was the result of a fraud or other crime committed by a third party.
(2) EQUITABLE RELIEF- Any person that violates, proposes to violate, or has violated this section may be enjoined from further violations by a court of competent jurisdiction.
(3) OTHER RIGHTS AND REMEDIES- The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.
(d) Enforcement-
(1) IN GENERAL- The functional regulator is authorized to enforce compliance with this section, including the assessment of fines under subsection (c)(1).
(2) CIVIL ACTIONS- No private right of action or class action shall be brought under this Act. No person other than the attorney general of a State may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.
SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(a) In General-
(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that is prohibited under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a United States district court of appropriate jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with this Act; or
(C) obtain damage, restitution, or other compensation on behalf of residents of the State under the conditions and up to the monetary limits set forth in section 3(c)(1).
(2) NOTICE-
(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State shall provide the Attorney General of the United States and the functional regulator--
(i) written notice of the action; and
(ii) a copy of the complaint for the action.
(B) EXEMPTION-
(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.
(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the functional regulator and the Attorney General at the time the State attorney general files the action.
(C) UNITED STATES ATTORNEY GENERAL PRIORITY- After having been notified, as provided in subparagraph (A), the Attorney General shall have the right--
(i) to file a civil action, subject to monetary limits equal to those set forth in section 3(c)(1);
(ii) to intervene in the action; and
(iii) upon so intervening--
(I) to be heard on all matters arising therein;
(II) to remove the action to the appropriate United States district court; and
(III) to file petitions for appeal.
(D) PREEMPTION-
(i) ACTION BY DEPARTMENT OF JUSTICE- If the Attorney General institutes a civil action or intervenes in an action under this subsection, the functional regulator, a State attorney general, or an official or agency of a State may not bring an action under this section for any violation of this Act alleged in the complaint.
(ii) ACTION BY FUNCTIONAL REGULATOR- If the functional regulator institutes a civil action or intervenes under section 3(d)(1) to enforce compliance with section 3, a State attorney general or official or agency of a State, may not bring an action under this section for any violation of this Act alleged in the complaint.
(b) Limitations on State Actions-
(1) VIOLATION OF INJUNCTION REQUIRED- A State may not bring an action against a person under subsection (a)(1)(C) unless--
(A) the person has been enjoined from committing the violation, in an action brought by the State under subsection (a)(1)(A); and
(B) the person has violated the injunction.
(2) LIMITATION ON DAMAGES RECOVERABLE- In an action under subsection (a)(1)(C), a State may not recover any damages incurred before the date of the violation of an injunction on which the action is based.
(c) Construction- For purposes of a civil action under subsection (a), nothing in this Act shall be construed to prevent the attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary and other evidence.
(d) Venue; Service of Process-
(1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under
(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 5. EFFECT ON STATE LAW.
The provisions of this Act shall supersede any law, rule, or regulation of any State or unit of local government that relates in any way to electronic information security standards or the notification of any resident of the United States of any breach of security pertaining to any collection of personal information about such resident.
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the expiration of the date which is 180 days after the date of enactment of this Act.
U.S. Congress - Text of S.1202 as Introduced in Senate Personal Data Protection Act of 2007