S.1260 - Data Security Act of 2007
A bill to protect information relating to consumers, to require notice of security breaches, and for other purposes.

S 1260 IS
To protect information relating to consumers, to require notice of security breaches, and for other purposes.
May 1, 2007
Mr. CARPER (for himself and Mr. BENNETT) introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Data Security Act of 2007'.
SEC. 2. DEFINITIONS.
For purposes of this Act, the following definitions shall apply:
(1) AFFILIATE- The term `affiliate' means any company that controls, is controlled by, or is under common control with another company.
(2) AGENCY- The term `agency' has the same meaning as in
(3) BREACH OF DATA SECURITY-
(A) IN GENERAL- The term `breach of data security' means the unauthorized acquisition of sensitive account information or sensitive personal information.
(B) EXCEPTION FOR DATA THAT IS NOT IN USABLE FORM-
(i) IN GENERAL- The term `breach of data security' does not include the unauthorized acquisition of sensitive account information or sensitive personal information that is maintained or communicated in a manner that is not usable--
(I) to commit identity theft; or
(II) to make fraudulent transactions on financial accounts.
(ii) RULE OF CONSTRUCTION- For purposes of this subparagraph, information that is maintained or communicated in a manner that is not usable includes any information that is maintained or communicated in an encrypted, redacted, altered, edited, or coded form.
(4) COMMISSION- The term `Commission' means the Federal Trade Commission.
(5) CONSUMER- The term `consumer' means an individual.
(6) CONSUMER REPORTING AGENCY THAT COMPILES AND MAINTAINS FILES ON CONSUMERS ON A NATIONWIDE BASIS- The term `consumer reporting agency that compiles and maintains files on consumers on a nationwide basis' has the same meaning as in section 603(p) of the Fair Credit Reporting Act (
(7) COVERED ENTITY-
(A) IN GENERAL- The term `covered entity' means any--
(i) entity, the business of which is engaging in financial activities, as described in section 4(k) of the Bank Holding Company Act of 1956 (
(ii) financial institution, including any institution described in section 313.3(k) of title 16, Code of Federal Regulations, as in effect on the date of enactment of this Act;
(iii) entity that maintains or otherwise possesses information that is subject to section 628 of the Fair Credit Reporting Act (
(iv) other individual, partnership, corporation, trust, estate, cooperative, association, or entity that maintains or communicates sensitive account information or sensitive personal information.
(B) EXCEPTION- The term `covered entity' does not include any agency or any other unit of Federal, State, or local government or any subdivision of such unit.
(8) FINANCIAL INSTITUTION- The term `financial institution' has the same meaning as in section 509 of the Gramm-Leach-Bliley Act (
(9) SENSITIVE ACCOUNT INFORMATION- The term `sensitive account information' means a financial account number relating to a consumer, including a credit card number or debit card number, in combination with any security code, access code, password, or other personal identification information required to access the financial account.
(10) SENSITIVE PERSONAL INFORMATION-
(A) IN GENERAL- The term `sensitive personal information' means the first and last name, address, or telephone number of a consumer, in combination with any of the following relating to such consumer:
(i) Social security account number.
(ii) Driver's license number or equivalent State identification number.
(iii) Taxpayer identification number.
(B) EXCEPTION- The term `sensitive personal information' does not include publicly available information that is lawfully made available to the general public from--
(i) Federal, State, or local government records; or
(ii) widely distributed media.
(11) SUBSTANTIAL HARM OR INCONVENIENCE-
(A) IN GENERAL- The term `substantial harm or inconvenience' means--
(i) material financial loss to, or civil or criminal penalties imposed on, a consumer, due to the unauthorized use of sensitive account information or sensitive personal information relating to such consumer; or
(ii) the need for a consumer to expend significant time and effort to correct erroneous information relating to the consumer, including information maintained by a consumer reporting agency, financial institution, or government entity, in order to avoid material financial loss, increased costs, or civil or criminal penalties, due to the unauthorized use of sensitive account information or sensitive personal information relating to such consumer.
(B) EXCEPTION- The term `substantial harm or inconvenience' does not include--
(i) changing a financial account number or closing a financial account; or
(ii) harm or inconvenience that does not result from identity theft or account fraud.
SEC. 3. PROTECTION OF INFORMATION AND SECURITY BREACH NOTIFICATION.
(a) Security Procedures Required-
(1) IN GENERAL- Each covered entity shall implement, maintain, and enforce reasonable policies and procedures to protect the confidentiality and security of sensitive account information and sensitive personal information which is maintained or is being communicated by or on behalf of a covered entity, from the unauthorized use of such information that is reasonably likely to result in substantial harm or inconvenience to the consumer to whom such information relates.
(2) LIMITATION- Any policy or procedure implemented or maintained under paragraph (1) shall be appropriate to the--
(A) size and complexity of a covered entity;
(B) nature and scope of the activities of such entity; and
(C) sensitivity of the consumer information to be protected.
(b) Investigation Required-
(1) IN GENERAL- If a covered entity determines that a breach of data security has or may have occurred in relation to sensitive account information or sensitive personal information that is maintained or is being communicated by, or on behalf of, such covered entity, the covered entity shall conduct an investigation--
(A) to assess the nature and scope of the breach;
(B) to identify any sensitive account information or sensitive personal information that may have been involved in the breach; and
(C) to determine if such information is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers to whom the information relates.
(2) NEURAL NETWORKS AND INFORMATION SECURITY PROGRAMS- In determining the likelihood of misuse of sensitive account information under paragraph (1)(C), a covered entity shall consider whether any neural network or security program has detected, or is likely to detect or prevent, fraudulent transactions resulting from the breach of security.
(c) Notice Required- If a covered entity determines under subsection (b)(1)(C) that sensitive account information or sensitive personal information involved in a breach of data security is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers to whom the information relates, such covered entity, or a third party acting on behalf of such covered entity, shall--
(1) notify, in the following order--
(A) the appropriate agency or authority identified in section 5;
(B) an appropriate law enforcement agency;
(C) any entity that owns, or is obligated on, a financial account to which the sensitive account information relates, if the breach involves a breach of sensitive account information;
(D) each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, if the breach involves sensitive personal information relating to 5,000 or more consumers; and
(E) all consumers to whom the sensitive account information or sensitive personal information relates; and
(2) take reasonable measures to restore the security and confidentiality of the sensitive account information or sensitive personal information involved in the breach.
(d) Compliance-
(1) IN GENERAL- A financial institution shall be deemed to be in compliance with--
(A) subsection (a), and any regulations prescribed under such subsection, if such institution maintains policies and procedures to protect the confidentiality and security of sensitive account information and sensitive personal information that are consistent with the policies and procedures of such institution that are designed to comply with the requirements of section 501(b) of the Gramm-Leach-Bliley Act (
(B) subsections (b) and (c), and any regulations prescribed under such subsections, if such institution--
(i)(I) maintains policies and procedures to investigate and provide notice to consumers of breaches of data security that are consistent with the policies and procedures of such institution that are designed to comply with the investigation and notice requirements established by regulations or guidance under section 501(b) of the Gramm-Leach-Bliley Act (
(II) is an affiliate of a bank holding company that maintains policies and procedures to investigate and provide notice to consumers of breaches of data security that are consistent with the policies and procedures of a bank that is an affiliate of such institution, and that bank's policies and procedures are designed to comply with the investigation and notice requirements established by any regulations or guidance under section 501(b) of the Gramm-Leach-Bliley Act (
(ii) provides for notice to the entities described under subparagraphs (B), (C), and (D) of subsection (c)(1), if notice is provided to consumers pursuant to the policies and procedures of such institution described in clause (i).
(2) DEFINITIONS- For purposes of this subsection, the terms `bank holding company' and `bank' shall have the same meaning given such terms under section 2 of the Bank Holding Company Act of 1956 (
SEC. 4. IMPLEMENTING REGULATIONS.
(a) In General- Except as provided under section 6, the agencies and authorities identified in section 5, with respect to the covered entities that are subject to the respective enforcement authority of such agencies and authorities, shall prescribe regulations to implement this Act.
(b) Coordination- Each agency and authority required to prescribe regulations under subsection (a) shall consult and coordinate with each other agency and authority identified in section 5 so that, to the extent possible, the regulations prescribed by each agency and authority are consistent and comparable.
(c) Method of Providing Notice to Consumers- The regulations required under subsection (a) shall--
(1) prescribe the methods by which a covered entity shall notify a consumer of a breach of data security under section 3; and
(2) allow a covered entity to provide such notice by--
(A) written, telephonic, or e-mail notification; or
(B) substitute notification, if providing written, telephonic, or e-mail notification is not feasible due to--
(i) lack of sufficient contact information for the consumers that must be notified; or
(ii) excessive cost to the covered entity.
(d) Content of Consumer Notice- The regulations required under subsection (a) shall--
(1) prescribe the content that shall be included in a notice of a breach of data security that is required to be provided to consumers under section 3; and
(2) require such notice to include--
(A) a description of the type of sensitive account information or sensitive personal information involved in the breach of data security;
(B) a general description of the actions taken by the covered entity to restore the security and confidentiality of the sensitive account information or sensitive personal information involved in the breach of data security; and
(C) the summary of rights of victims of identity theft prepared by the Commission under section 609(d) of the Fair Credit Reporting Act (
(e) Timing of Notice- The regulations required under subsection (a) shall establish standards for when a covered entity shall provide any notice required under section 3.
(f) Law Enforcement Delay- The regulations required under subsection (a) shall allow a covered entity to delay providing notice of a breach of data security to consumers under section 3 if a law enforcement agency requests such a delay in writing.
(g) Service Providers- The regulations required under subsection (a) shall--
(1) require any party that maintains or communicates sensitive account information or sensitive personal information on behalf of a covered entity to provide notice to that covered entity if such party determines that a breach of data security has, or may have, occurred with respect to such information; and
(2) ensure that there is only 1 notification responsibility with respect to a breach of data security.
(h) Timing of Regulations- The regulations required under subsection (a) shall--
(1) be issued in final form not later than 6 months after the date of enactment of this Act; and
(2) take effect not later than 6 months after the date on which they are issued in final form.
SEC. 5. ADMINISTRATIVE ENFORCEMENT.
(a) In General- Section 3, and the regulations required under section 4, shall be enforced exclusively under--
(1) section 8 of the Federal Deposit Insurance Act (
(A) a national bank, a Federal branch or Federal agency of a foreign bank, or any subsidiary thereof (other than a broker, dealer, person providing insurance, investment company, or investment adviser), by the Office of the Comptroller of the Currency;
(B) a member bank of the Federal Reserve System (other than a national bank), a branch or agency of a foreign bank (other than a Federal branch, Federal agency, or insured State branch of a foreign bank), a commercial lending company owned or controlled by a foreign bank, an organization operating under section 25 or 25A of the Federal Reserve Act (
(C) a bank, the deposits of which are insured by the Federal Deposit Insurance Corporation (other than a member of the Federal Reserve System), an insured State branch of a foreign bank, or any subsidiary thereof (other than a broker, dealer, person providing insurance, investment company, or investment adviser), by the Board of Directors of the Federal Deposit Insurance Corporation; and
(D) a savings association, the deposits of which are insured by the Federal Deposit Insurance Corporation, or any subsidiary thereof (other than a broker, dealer, person providing insurance, investment company, or investment adviser), by the Director of the Office of Thrift Supervision;
(2) the Federal Credit Union Act (
(3) the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.), by the Securities and Exchange Commission with respect to any broker or dealer;
(4) the Investment Company Act of 1940 (
(5) the Investment Advisers Act of 1940 (
(6) the Commodity Exchange Act (
(7) the provisions of title XIII of the Housing and Community Development Act of 1992 (
(8) State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled; and
(9) the Federal Trade Commission Act (
(b) Extension of Federal Trade Commission Enforcement Authority- The authority of the Commission to enforce compliance with section 3, and the regulations required under section 4, under subsection (a)(8) shall--
(1) notwithstanding the Federal Aviation Act of 1958 (49 U.S.C. App. 1301 et seq.), include the authority to enforce compliance by air carriers and foreign air carriers; and
(2) notwithstanding the Packers and Stockyards Act (
(c) No Private Right of Action-
(1) IN GENERAL- This Act, and the regulations prescribed under this Act, may not be construed to provide a private right of action, including a class action with respect to any act or practice regulated under this Act.
(2) CIVIL AND CRIMINAL ACTIONS- No civil or criminal action relating to any act or practice governed under this Act, or the regulations prescribed under this Act, shall be commenced or maintained in any State court or under State law, including a pendent State claim to an action under Federal law.
SEC. 6. PROTECTION OF INFORMATION AT FEDERAL AGENCIES.
(a) Data Security Standards- Each agency shall implement appropriate standards relating to administrative, technical, and physical safeguards--
(1) to insure the security and confidentiality of the sensitive account information and sensitive personal information that is maintained or is being communicated by, or on behalf of, that agency;
(2) to protect against any anticipated threats or hazards to the security of such information; and
(3) to protect against misuse of such information, which could result in substantial harm or inconvenience to a consumer.
(b) Security Breach Notification Standards- Each agency shall implement appropriate standards providing for notification of consumers when such agency determines that sensitive account information or sensitive personal information that is maintained or is being communicated by, or on behalf of, such agency--
(1) has been acquired without authorization; and
(2) is reasonably likely to be misused in a manner causing substantial harm or inconvenience to the consumers to whom the information relates.
SEC. 7. RELATION TO STATE LAW.
No requirement or prohibition may be imposed under the laws of any State with respect to the responsibilities of any person to--
(1) protect the security of information relating to consumers that is maintained or communicated by, or on behalf of, such person;
(2) safeguard information relating to consumers from potential misuse;
(3) investigate or provide notice of the unauthorized access to information relating to consumers, or the potential misuse of such information for fraudulent, illegal, or other purposes; or
(4) mitigate any loss or harm resulting from the unauthorized access or misuse of information relating to consumers.
SEC. 8. DELAYED EFFECTIVE DATE FOR CERTAIN PROVISIONS.
(a) Covered Entities- Sections 3 and 7 shall take effect on the later of--
(1) 1 year after the date of enactment of this Act; or
(2) the effective date of the final regulations required under section 4.
(b) Agencies- Section 6 shall take effect 1 year after the date of enactment of this Act.
U.S. Congress - Text of S.1260 as Introduced in Senate Data Security Act of 2007