U.S. SENATOR PATRICK LEAHY

CONTACT: Office of Senator Leahy, 202-224-4242

VERMONT


Specter, Leahy Introduce
Personal Data Privacy And Security Act Of 2005

WASHINGTON, D.C. (Wednesday, June 29) - Senator Arlen Specter (R-Pa.), Chairman of the Senate Judiciary Committee, and Senator Patrick Leahy (D-Vt.), the panel’s ranking member, introduced Wednesday the Personal Data Privacy and Security Act of 2005, legislation that would help consumers better protect the privacy of their personal information in the face of recurrent data security breaches across the country.

Their bill draws from testimony earlier this year (April 13, 2005) at the Judiciary Committee’s hearing on electronic data security after serious data breaches at ChoicePoint and LexisNexis.  Since then breaches at several other firms have also exposed millions of Americans to identity theft by leaking or losing their personal data, which included names, addresses, and sometimes Social Security numbers.  In the most recent case, CardSystems, a company that services credit cards for MasterCard International, Visa and other brands, acknowledged that its databases had been compromised, potentially exposing information about more than 40 million cardholders.

“We are in a field of phenomenal electronic advances,” Senator Specter said.  “We are now seeing breaches in the security of those advances, and it has become a matter of serious consequence for our individual privacy and law enforcement, which rely upon these electronic mechanisms to identify suspects and pursue legitimate law enforcement interests.”

“Our laws need to keep pace with technology,” said Leahy. “Insecure databases have become low-hanging fruit for hackers looking to steal identities and commit fraud during a time when we are seeing a troubling rise in organized rings that target personal data to sell in online, virtual bazaars.”  Leahy also testified before the Banking, Housing and Urban Affairs Committee earlier this year on the issue.   

Key features of the Specter-Leahy legislation include:

  • Increasing criminal penalties for identity theft involving electronic personal data by (1) increasing penalties for computer fraud when such fraud involves personal data, (2) adding fraud involving unauthorized access to personal information as a predicate offense for RICO and (3) making it a crime to intentionally or willfully conceal a security breach involving personal data;

  • Giving individuals access to, and the opportunity to correct, any personal information held by data brokers;

  • Requiring entities that maintain personal data to establish internal policies that protect such data and vet third parties they hire to process that data;

  • Requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data;

  • Limiting the buying, selling or displaying of a Social Security number without consent from the individual whose number it is, prohibiting companies from requiring individuals to use Social Security numbers as their account numbers, placing limits on when companies can force individuals to turn over those numbers in order to obtain goods or services, and barring government agencies from posting public records that contain Social Security numbers on the Internet; and

  • Requiring the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers and to impose penalties on government contractors that fail to meet data privacy and security requirements.

# # # # #

(Leahy’s Statement on the Introduction of the Bill) 

Statement of Senator Patrick Leahy
On The Introduction Of
The Specter-Leahy Personal Data Privacy and Security Act of 2005
June 29, 2005

Mr. LEAHY.  Mr. President, today we introduce the Specter-Leahy Personal Data Privacy and Security Act of 2005.  Reforms are urgently needed to protect Americans’ privacy and to secure their personal data.  There have been steady waves of security breaches over the past six months, with the latest involving a database containing 40 million credit card numbers at a company that most Americans never knew existed. 

These security breaches are a window on a broader, more challenging trend.  Advanced technologies have improved our lives and can help make us safer.  Private data about Americans has become a hot commodity.  This personal and financial information about each of us suddenly is a treasure trove, valuable and vulnerable, but our privacy and security laws have not kept pace.  The reality is that in the digital era, a robust market has developed for collecting and selling personal information.  Today, all types of corporate and governmental entities routinely traffic in billions of digitized personal records about Americans. 

The data broker market has exploded in size to meet this demand.  Insecure databases are now low-hanging fruit for hackers looking to steal identities and commit fraud.  We are seeing a rise in organized rings that target personal data to sell in online, virtual bazaars. 

In this information-saturated age, the use of personal data has significant consequences for every American.  People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly.  This trend raises new threats to our personal security as well as to our privacy.  In one disturbing case, a stalker purchased the Social Security number of a woman with whom he was obsessed, and used that information to track her down.  He killed her, and then shot himself.

Americans everywhere are wondering, “Why do all these companies have my personal information?  What are they doing with it?  Why aren’t they protecting it better?”  And they are right to wonder.  It is time for Congress to catch up with the data market and to show the American people that we are aware of these threats and will protect the privacy and security of their personal information. 

Chairman Specter and I have worked closely together over many months to craft comprehensive legislation to fix key vulnerabilities in our information economy.  We thought through these issues carefully and took the time needed to develop well-balanced, focused legislation that provides strong protections where necessary.  We also provide tough penalties and consequences for failing to protect Americans’ most personal information.  Reforms like these are long overdue.  This issue and our legislation deserve to become a key part of this year’s domestic agenda so that we can achieve some positive changes in areas that affect the everyday lives of Americans.

First, our bill requires data brokers to let people know what information they have about them, and to allow people to correct inaccurate information.  These principles have precedent from the credit report context, and we have adapted them in a way that makes sense for the data brokering industry.  It’s a simple matter of fairness.

Second, we would require companies that have databases with personal information on Americans to establish and implement data privacy and security programs.  Any company that wants to be trusted by the public in this day and age must vigilantly protect databases housing Americans’ private data.  They also have a responsibility in the next link in the security chain, to make sure that contractors hired to process data are on the up-and-up and secure.  This is critical as Americans’ personal information is increasingly processed overseas. 

Third, our bill requires notice when sensitive personal information has been compromised.  The American people have a right to know when they are at risk because of corporate failures to protect their data, or when a criminal has infiltrated data systems.  The notice rules in our bill were crafted carefully to ensure that the trigger for notice is tied to risk and to recognize important fraud prevention techniques that already exist.  But our priority was making sure that victims have that critical information as a roadmap providing the assistance necessary to protect themselves, their families and their financial well-being.

Fourth, our bill provides tough new protections for Social Security numbers, which are the keys to unlocking so much of our financial and personal lives.  The use of Social Security numbers has expanded well beyond the intended purposes.  Some uses provide important benefits, but others have made Americans vulnerable.  Social Security numbers are for sale online for small fees.  Earlier this year, it was reported that a payroll and benefits company put the Social Security numbers of 1,000 workers on postcards – on postcards – brazenly visible for anyone to see.  Worse still, those postcards described in detail how those Social Security numbers could be used to access employee benefits online.  This is unacceptable, and this bill would make that kind of disregard and sloppiness illegal.

Finally, our bill addresses the government’s use of personal data.  We are living in a world where the government is increasingly looking to the private sector to get personal data that it could not legally collect on its own without oversight and appropriate protections.  So ingrained has the data broker-government partnership become that a ChoicePoint executive stated, “We do act as an intelligence agency, gathering data, applying analytics.”  While these relationships can help protect us, there must be oversight and appropriate protections. 

The recent decision to award ChoicePoint an IRS contract highlights this tension.  It is especially galling right now to be rewarding firms that have been so careless with the public’s confidential information.  The dust has not yet settled and the investigations are incomplete on ChoicePoint’s lax security practices.  We should at least take a pause before rewarding such missteps with even more government contracts.  This bill would place privacy and security front and center in evaluating whether data brokers can be trusted with government contracts that involve sensitive information about the American people.  It would require contract reviews that include these considerations, audits to ensure good practice, and contract penalties for failure to protect data privacy and security.

The Specter-Leahy legislation meets other key goals.  It provides tough monetary and criminal penalties for compromising personal data or failing to provide necessary protections.  This creates an incentive for companies to protect personal information, especially when there is no commercial relationship between individuals and companies using their data.

Our legislation also carefully balances the need for federal uniformity and state leadership.  States are often on the forefront of protecting privacy and spurring change.  The California security breach law has been an important lesson.  My state of Vermont was among the first – if not the first – to require individual consent before sharing financial information with third parties, and to require a person or business to obtain consent from individuals before reviewing their credit reports.  The role of states is important, and our bill identifies areas that require uniformity while leaving the states free to act elsewhere as they see fit.  We also would authorize an additional $100 million over 4 years to help state law enforcement fight misuse of personal information.

This is a solid bill – a comprehensive bill – that not only deals with providing Americans notice when they have already been hurt, but also deals with the underlying problem of lax security and lack of accountability in dealing with their most personal and private information.

I commend Senator Specter for his leadership on this emerging problem.  A number of us have been working on these issues -- Senator Feinstein, Senator Nelson, Senator Cantwell and Senator Schumer, among others.  I appreciate and recognize their hard work and look forward to making progress together.  I am pleased to work closely with Senator Specter on this and believe that we have a bill that significantly advances the ball in protecting Americans.

# # # # #

(Summary of the Key Features of the Bill)

Summary Of The
Specter-Leahy Personal Data Privacy And Security Act Of 2005
June 29, 2005

  • Provides Americans notice when they have been harmed, and also addresses the underlying problem of lax security and lack of accountability in dealing with personal data.
     
  • Requires data brokers to let individuals know what information they have about them, and where appropriate, allow individuals to correct inaccurate information.
     
  • Requires companies that have databases with personal information on more than 10,000 Americans to establish and implement data privacy and security programs, and vet third-party contractors hired to process data.
     
  • Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised.  The trigger for notice is tied to risk of harm, and there are exemptions for notice where the risk is de minimis or where fraud prevention techniques prevent harm to consumers.  Also requires that companies provide victim protection assistance, specifically free access to credit reports and credit monitoring services, to individuals notified that their personal data has been breached.
     
  • Prohibits the display and sale of Social Security numbers (SSNs) without consent, with exceptions for law enforcement and other authorized purposes, and prohibits companies from requiring individuals to use their SSNs as account numbers.  Also, prohibits companies from requiring individuals to turn over SSNs as a prerequisite for receiving goods and services, with exceptions for background checks, consumer reports and law enforcement.
     
  • Addresses the government’s use of personal data by requiring: (1) the General Services Administration to evaluate the privacy and security practices of potential government contractors handling personal data, and include penalties in government contracts for failure to protect data privacy and security; (2) Federal departments and agencies to audit the information security practices of commercial data brokers hired for projects involving personal data; (3) Federal departments and agencies to conduct privacy impact assessments on their use of commercial databases with personal data, to adopt regulations to ensure the security and privacy of data obtained through commercial data brokers and to include protections and penalties in contracts with data brokers to protect data privacy and security; and (4) federal departments and agencies to seek Congressional approval before establishing programs that rely on commercial data brokers to screen individuals and to establish security and privacy measures for such uses.
     
  • Provides tough monetary penalties for failing to provide privacy and security protections and notices of security breaches, and toughens criminal penalties for those who infiltrate systems to compromise personal data or attempt to cover-up security breaches.
     
  • Balances the need for federal uniformity and state leadership by identifying areas that require uniformity while leaving the states free to act elsewhere as they see fit.
     
  • Authorizes an additional $100 million over 4 years to help state law enforcement fight misuse of personal information.

# # # # #

(Section by Section of the Bill)

Section-By-Section Summary
Of The Personal Data Privacy And Security Act of 2005
June 29, 2005

TITLE I – ENHANCING PUNISHMENT FOR IDENTITY THEFT
AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY

Section 101 – Fraud and Related Criminal Activity in Connection with Unauthorized Access to Personally Identifiable Information

Section 101 extends the criminal computer fraud statute to cover unauthorized access to information contained in the databases or systems of a data broker, or in other personal electronic records.  The statute already covers unauthorized access to information contained in a financial record of a financial institution or card issuer, or in a consumer reporting agency file on a consumer.

Section 102 – Organized Criminal Activity in Connection with Unauthorized Access to Personally Identifiable Information

Section 102 amends the Racketeer Influenced and Corrupt Organizations (RICO) statute to address the emergence of sophisticated criminal organizations trafficking in large amounts of personally identifiable information.  Specifically, this section amends the definition of racketeering activity in 18 U.S.C. § 1961 to include fraud and related activity in connection with unauthorized access to personally identifiable information.  The definition currently includes similar provisions, such as fraud and related activities in connection with identification documents and financial institution fraud.

Section 103 – Concealment of Security Breaches Involving Personally Identifiable Information

Section 103 makes it a crime for a person who knows of a security breach requiring notice to individuals under Title IV of this Act to intentionally and willfully conceal the fact of, or information related to, that security breach.  Punishment is either a fine under Title 18, or imprisonment of up to 5 years, or both.

Section 104 – Aggravated Fraud in Connection with Computers

Section 104 creates a new crime of aggravated fraud in connection with computers.  Any person who, during and in relation to a felony violation of the computer fraud law, knowingly obtains, accesses or transmits a means of identification of another person without lawful authority, may be imprisoned for up to 2 years in addition to the punishment provided for such felony. 

Section 105 – Review and Amendment of Federal Sentencing Guidelines Related to Fraudulent Access to or Misuse of Digitized or Electronic Personally Identifiable Information

Section 105 directs the United States Sentencing Commission to review, and if necessary, amend the federal sentencing guidelines (including its policy statements) to ensure that they appropriately reflect the serious nature of, and deter crimes related to, the use of fraud to access or misuse digitized personally identifiable information.

TITLE II – ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT

Section 201 – Grants for State and Local Enforcement

Section 201 establishes a program within the Office of Justice Programs of the Department of Justice to award funds to state and local law enforcement in combating activities related to fraudulent, unauthorized or other criminal use of personally identifiable information. 

Section 202 – Authorization of Appropriations

Section 202 authorizes appropriations in the amount of $25 million for each of fiscal years 2006 through 2009 for this program.

TITLE III – DATA BROKERS

Title III addresses the data brokering industry that has come of age prompted by technology developments and changes in marketplace incentives.  Data brokers collect and sell billions of private and public records containing individuals’ personal information.  Many of these companies also provide products and services, including identity verification, background screening, risk assessments, individual digital dossiers, and tools for analyzing data. 

Although some of the products and services provided by data brokers are currently subject to privacy and security protections aimed at credit reporting agencies and the financial industry under the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLB), many are not subject to such protections.  In addition, there has been insufficient oversight of the industry’s practices, including the accuracy and handling of sensitive data.  These concerns have been highlighted by the security breaches at ChoicePoint, LexisNexis, Acxiom and many others, as well as reports on harm caused by inaccurate data records. 

Title III draws from the principles in FCRA to close these loopholes, provide additional oversight, and ensure privacy and security protections for all data broker products and services involving personally identifiable information.

For the purposes of this Act, the term data broker is defined as “a business entity which for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages, in whole or in part, in the practice of collecting, transmitting, or otherwise providing personally identifiable information on a nationwide basis on more than 5,000 individuals who are not the customers or employees of the business entity or affiliate.”

Section 301 – Transparency and Accuracy of Data Collection

Section 301 applies disclosure and accuracy requirements to data brokers that engage in interstate commerce and offer any product or service to third parties that allows access to, or the use, compilation, distribution, processing, analysis or evaluation of, personally identifiable information.  Section 301 requirements are not applicable to products and services already subject to similar disclosure and accuracy provisions under FCRA and GLB and their implementing regulations.

Access to Personal Electronic Records.  Section 301(b)(1) requires data brokers to disclose to individuals upon their request and for a reasonable fee the individual’s personal electronic records that the data broker maintains and provides to third parties. 

Process for Correcting Inaccurate Personal Electronic Records.  Sections 301(b)(2) and 301(c) require data brokers to establish and disclose a fair process for individuals to dispute, flag or correct any inaccuracies in their personal electronic records maintained by the data broker.  In addition, Section 301(d) sets minimum requirements for addressing inaccurate information obtained from both public and non-public record sources of information. 

Public record and non-public record information are treated differently on the theory that data brokers have less leeway in addressing and resolving claims of inaccuracy for information gathered from public record sources.  For public record information, Section 301(d)(1) requires data brokers to verify that they have accurately and completely recorded the information from the public record source, and to correct information that does not accurately and completely reflect public record information.  If the data broker determines that it has accurately recorded information from the public record source, the data broker may simply identify and direct individuals to the public record source to address any further claims of inaccuracies.

Section 301(d)(2) outlines procedures for correcting non-public record information.  Modeled after Section 611 of FCRA, this provision requires data brokers to: (1) investigate disputed non-public record information within 30 days; (2) identify the source of the disputed information; (3) notify individuals about dispute procedures; (4) allow individuals to include a statement of dispute in the electronic records containing the disputed personal information for up to 90 days; (5) notify individuals of the results of the accuracy investigation; and (6) delete or correct inaccurate information, and provide notification of such changes to users or customers of data broker services in the previous 90 days.  Section 301(d) also allows data brokers to skip certain procedures in instances where disputes can be resolved within 3 days.

Section 302 – Enforcement

A data broker in violation of Section 301 is subject to penalties of $1,000 per violation per day with a maximum of $15,000 per day.  A data broker that intentionally or willfully violates the provisions of Section 301 is subject to additional penalties of $1,000 per violation per day, with a maximum of an additional $15,000 per day. 

The U.S. Attorney General may bring a civil action in U.S. district court for violations of Section 301.  This section also authorizes the attorney general of a State to bring a civil action on behalf of the residents of that State, upon advance notice to the U.S. Attorney General where practicable.  The U.S. Attorney General has the right to stay state actions pending disposition of federal actions, intervene or file petitions for appeal.

Section 303 – Relation to State Laws

Modeled after the preemption provision in the Fair and Accurate Credit Transactions Act (FACT Act), Section 303 preempts state laws only to the extent they: (1) are inconsistent with Title III; or (2) address areas specifically subject to preemption by Section 303.  Specifically, Section 303 preempts state laws on subject matters regulated by Section 301.

Section 304 – Effective Date

Title III takes effect 180 days after the date of enactment.

TITLE IV – PRIVACY AND SECURITY OF
PERSONALLY IDENTIFIABLE INFORMATION

Subtitle A – Data Privacy and Security Program

Section 401 – Purpose and Applicability of Data Privacy and Security Program

Section 401 applies data privacy and security requirements to business entities engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing or disposing of personally identifiable information in electronic or digital form on 10,000 or more U.S. persons.  Section 401 exempts from the data privacy and security requirements of Section 502: (1) financial institutions subject to similar data privacy and security requirements under the Gramm-Leach-Bliley Act (GLB) and implementing regulations; and (2) “covered entities” subject to data security requirements pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and implementing regulations.

Section 402 – Requirements for a Data Privacy and Security Program

Section 402 requires covered business entities to create a data privacy and security program.  The requirements in this section are partly modeled after those established by the Office of the Comptroller of the Currency for financial institutions in its Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. § 30.6 Appendix B (2005).   

A data privacy and security program must be designed to ensure the security and confidentiality of personal electronic records, protect against vulnerabilities to the security and integrity of personal electronic records, and protect against unauthorized access to and use of personally identifiable information contained in electronic records.  Section 402 requires a covered business entity to: (1) regularly assess, manage and control risks to data privacy and security consistent with the size, complexity and scope of its business; (2) publish or otherwise make available the terms of its program to the extent that such terms do not reveal information that would compromise data security or privacy; (3) provide employee training to implement its data privacy and security program; (4) conduct tests to identify system vulnerabilities; (5) ensure that if service providers not also subject to these laws are retained, those service providers are capable of maintaining appropriate safeguards for personally identifiable information and are subject to contract requirements consistent with this Act; and (6) periodically assess its data privacy and security program to ensure that the program addresses current threats.

Finally, business entities subject to Subtitle A must implement a data privacy and security program no later than 1 year after the date of enactment.

Section 403 – Enforcement

Business entities that violate the data privacy and security program requirements in Sections 401 to 402 are subject to civil penalties of not more than $5,000 per violation per day, with a maximum of $35,000 per day, while such violations persist.  In addition, business entities that intentionally or willfully violate Sections 401 to 402 are subject to additional penalties of $5,000 per violation per day, with a maximum of $35,000 per day, while such violations persist.

The U.S. Attorney General may bring a civil action in U.S. district court for violations of Sections 401 and 402.  This section also authorizes the attorney general of a State to bring a civil action on behalf of the residents of that State, upon advance notice to the U.S. Attorney General where practicable.  The U.S. Attorney General has the right to stay state actions pending disposition of federal actions, intervene or file petitions for appeal.

Section 404 – Relation to State Laws

Modeled after the preemption provision in the FACT Act, Section 404 preempts state laws only to the extent they: (1) are inconsistent with Title IV; or (2) address areas specifically subject to preemption by Section 404.  Specifically, Section 404 preempts state laws on subject matters regulated by Section 401(c), relating to entities exempted from compliance with the data privacy and security program requirements.

Subtitle B – Security Breach Notification

Section 421 – Right to Notice of Security Breach

Section 421 applies the security breach notification requirements in Sections 421 to 425 to business entities and agencies that engage in interstate commerce that involves collecting, accessing, using, transmitting, storing, or disposing of sensitive personally identifiable information.  The term “sensitive personally identifiable information” is defined as

“any name or number used in conjunction with any other information to identify a specific individual, including any (A) name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (B) unique biometric data, such as (i) a fingerprint; (ii) a voice print; (iii) a retina or iris image; or (iv) any other unique physical representation; (C) unique electronic identification number, address, or routing code; or (D) telecommunication identifying information or access device (as defined in section 1029(e) of title 18, United States Code).”

Unless specifically exempted or delayed, Section 421 requires a business entity or agency that engages in interstate commerce that involves collecting, accessing, using, transmitting, storing, or disposing of personally identifiable information to disclose security breaches of its systems or databases in its possession or direct control when such security breaches impact sensitive personally identifiable information. 

Specifically, the business entity or agency must give notice to residents of the United States whose sensitive personally identifiable information was impacted by the breach, consistent with the notice content requirements, law enforcement delay, risk assessment and fraud prevention exemption provisions in Sections 422 and 423.

The business entity or agency must also give notice to the United States Secret Service and state attorneys general if the security breach: (1) impacts more than 10,000 individuals nationwide; (2) impacts a database, networked or integrated databases, or other data systems associated with more than 1,000,000 individuals nationwide; (3) impacts databases owned or used by the Federal Government; or (4) involves sensitive personally identifiable information of employees or contractors of the Federal Government.  The Secret Service is required to give notice to the FBI to the extent the security breach involves espionage, foreign counterintelligence, or information protected against unauthorized disclosure for reasons of national defense or foreign relations or Restricted Data under 42 U.S.C. § 2014(y), and to give notice to the United States Postal Inspection Service to the extent the security breach may involve mail fraud.

When a security breach requires notice to more than 1,000 individuals, a business entity or agency must also give notice to consumer reporting agencies (CRAs) in anticipation of increased calls to CRAs from impacted consumers.

Section 422 – Notice Procedures

Notice must be given expeditiously and without unreasonable delay after discovery of the breach, but in no case shall notice to federal law enforcement and state attorneys general be delivered more than 14 days after discovering the events requiring notice.  Notice to individuals should be written to an individual’s home address or, if the home address is unavailable, given by telephone.  In addition to a written notification, if a security breach requires notice to more than 1,000 individuals, the business entity shall also post a notice of the breach on its Internet site, if the business entity maintains a site.  If a security breach requires notice to more than 5,000 individuals in a State or jurisdiction, notice must also be given to major media outlets serving that State or jurisdiction.

Subtitle B allows delay in notice to individuals and consumer reporting agencies if Federal law enforcement or the attorney general of a State determines that such notice would impede a criminal investigation.  However, notice cannot be delayed for law enforcement purposes beyond 30 days, unless Federal law enforcement provides written notification that further delay is necessary.

Section 423 – Content of Notice

Section 423 specifies that notice under Section 421 shall detail the nature of the sensitive personally identifiable information impacted by the security breach.  Notice shall also include the availability of victim protection assistance pursuant to Section 425; guidance on how to request a fraud alert and the implications of such action; the availability of a summary of rights for identity theft victims from consumer reporting agencies under the Fair Credit Reporting Act; if applicable, notice that consumer reporting agencies have been notified of the security breach; and, if applicable, notice that the State where an individual resides has a statute that provides the individual the right to place a security freeze on their credit report.  Section 423 prohibits notices from including marketing information, sales offers or any solicitation regarding the collection of additional personally identifiable information.

Section 424 – Risk Assessment and Fraud Prevention Notice Exemptions

Section 424 establishes two exemptions to the notice requirements under Section 421(a)(2)-(3).  First, Section 424 provides a “risk assessment exemption.”  Under this exemption, a business entity need not provide notice if a risk assessment conducted in consultation with Federal law enforcement and the attorney general of each State affected by the breach determines that the risk to individuals is de minimis.

Second, Section 424 provides a “fraud prevention exemption.”  Under this exemption, a business entity need not provide notice if: (1) the nature of the sensitive personally identifiable information subject to the security breach cannot be used to facilitate transactions, or to facilitate identity theft to further transactions, with another business entity; (2) the business entity uses a security program reasonably designed to block the use of sensitive personally identifiable information to initiate unauthorized transactions; and (3) the business entity has a policy in place to provide notice and provides such notice if a security breach results in fraud or unauthorized transactions.

Section 425 – Victim Protection Assistance

Section 425 requires any business entity or agency obligated to provide notice to U.S. residents under Section 421 to offer those residents free monthly access to a credit report and credit monitoring services for a period of one year from the date of the notice.

            Section 426 – Enforcement

Business entities that violate Sections 421 to 425 are subject to civil penalties of not more than $5,000 per violation per day, with a maximum of $55,000 per day, while such violations persist.  In addition, business entities that intentionally or willfully violate Sections 421 to 425 are subject to additional penalties of $5,000 per violation per day, with a maximum of $55,000 per day, while such violations persist.

The U.S. Attorney General may bring a civil action in U.S. district court for violations of Subtitle B.  This section also authorizes the attorney general of a State to bring a civil action on behalf of the residents of that State, upon advance notice to the U.S. Attorney General where practicable.  The U.S. Attorney General has the right to stay state actions pending disposition of federal actions, intervene or file petitions for appeal.

Section 427 - Relation to State Laws

Modeled after the preemption provision in the FACT Act, Section 427 preempts state laws only to the extent they are: (1) inconsistent with Title IV; or (2) address areas specifically subject to preemption by Section 427.  Specifically, Section 427 preempts state laws on subject matters regulated by: Section 3(9), relating to the definition of “security breach;” Section 421(a)(1)(A), (2), and (3), and 421(b), relating to the right to notice of security breach; Section 422, relating to notice procedures; and Section 424, relating to risk assessment and fraud prevention notice exemptions.

Section 428 – Study on Securing Personally Identifiable Information in the Digital Era

Section 428 requires the Department of Justice within 120 days of enactment to contract with the National Research Council of the National Academies to conduct a study on securing personally identifiable information in the digital era, and authorizes $850,000 for this purpose.  A report on the study is due to Congress within 18 months of the contract.

Section 429 – Authorization of Appropriations

Section 429 authorizes funds for the U.S. Secret Service as may be necessary to carry out investigations and risk assessments of security breaches under the requirements of Subtitle B.

Section 430 – Effective Date

Subtitle B takes effect 90 days after the date of enactment.

TITLE V – PROTECTION OF SOCIAL SECURITY NUMBERS

Section 501 – Social Security Number Protection

Section 501(a)-(b) prohibits the display, sale or purchase of Social Security numbers (SSNs) to third parties without an individual’s informed consent, unless expressly exempted.  An individual must be informed of the general purpose for the use of the SSN, to whom the SSN will be made available, and the scope of transactions permitted by the consent.  Section 501(c) extends this prohibition to public records of Federal agencies that contain SSNs extracted from other public records for the purpose of displaying or selling such numbers to the general public.

Section 501(d) exempts the following from this prohibition: (1) uses authorized, required or excepted under Federal law; (2) public health; (3) national security; (4) law enforcement; (5) research (subject to conditions); (6) government programs; (7) incidental to, or in the course of, the sale, lease, franchise or merger of a business; and (8) truncated displays of only the last four digits of the SSN.

Section 502 - Limits on Personal Disclosure of Social Security Numbers for Commercial Transactions and Accounts

Account Numbers.  Section 502(a) prohibits a business entity from requiring individuals to use their SSN as an account number or identifier when purchasing commercial goods or services.  In addition, a business entity may not deny individuals goods or services for refusing to use their SSN as an account number or identifier.  Account numbers and identifiers established prior to enactment are exempted.

Social Security Number Prerequisites for Goods and Services.  Section 502(a) also prohibits commercial entities from requiring individuals to provide SSNs when purchasing commercial goods or services, or from denying individuals goods or services for refusing to provide SSNs.  Exempted from this prohibition are: (1) consumer reports; (2) background checks by landlords, lessors, employers, voluntary service agencies, and other entities as determined by the U.S. Attorney General; (3) law enforcement; and (4) requirements of Federal, State or local law.  Violations of Section 502(a) are subject to civil and criminal penalties under the Social Security Act.

Section 503 - Public Records

Unless specifically exempted, Section 503(a) extends to public records posted on the Internet or provided in an electronic form the Section 501(a) prohibition against the display, sale or purchase of SSNs to third parties without an individual’s informed consent.  Section 503(b) exempts from this prohibition: (1) public records containing only the last 4 digits of an individual’s SSN; and (2) records first posted on the Internet or provided in electronic medium prior to enactment.  In addition, Section 503(b) also clarifies that this prohibition should not be construed to limit law enforcement’s ability to access the full SSN of an individual.

Section 504 - Treatment of Social Security Numbers on Government Checks and Prohibition of Inmate Access

Section 504(a) prohibits the use of Social Security numbers on federal, state and local government checks issued for payment after three years following enactment.  In addition, Section 504(b) prohibits Federal, State or local agencies from employing or using prisoners in any capacity that would allow them access to SSNs of other individuals, and takes effect one year after enactment.

Section 505 - Study and Report

Section 505 requires the Comptroller General to conduct a study and report to Congress on uses of Social Security numbers permitted, required or authorized under federal law, and the use of Social Security numbers in federal, state and local public records.  The report is due one year after enactment and should include: (1) an assessment of uses; (2) the impact on privacy and security; (3) recommendations on whether those uses should continue; (4) an assessment of State compliance with current Social Security number protections; (5) advantages and disadvantages of Social Security numbers in public records; (6) the benefits and costs of requiring state and local governments to truncate, redact or remove SSNs; (7) an assessment of federal truncation requirements; and (8) recommendations for the treatment of Social Security numbers in public records posted on the Internet or in electronic form prior to enactment.

Section 506 - Enforcement

Any person in violation of Sections 501 or 502 is subject to penalties of $5,000 per violation per day, with a maximum of $35,000 per day.  In addition, a person who intentionally or willfully violates the provisions of Sections 501 or 502 is subject to additional penalties of $5,000 per violation per day, with a maximum of an additional $35,000 per day.

The U.S. Attorney General may bring a civil action in U.S. district court for violations of Title V.  This section also authorizes the attorney general of a State to bring a civil action on behalf of the residents of that State, upon advance notice to the U.S. Attorney General where practicable.  The U.S. Attorney General has the right to stay state actions pending disposition of federal actions, intervene or file petitions for appeal.

Section 507 – Relation to State Laws

Modeled after the preemption provision in the FACT Act, Section 507 preempts state laws only to the extent they are: (1) inconsistent with Title V; or (2) address areas specifically subject to preemption by Section 507.  Specifically, Section 507 preempts state laws on subject matters regulated by Section 501(b), relating to prerequisites for consent for the display, sale, or purchase of SSNs; Section 501(c), relating to harvesting Social Security numbers; and Section 504, relating to treatment of Social Security numbers on government checks and prohibition of inmate access.

TITLE VI – GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

Section 601 – General Services Administration Review of Government Contracts

Section 601 requires the General Services Administration (GSA), when issuing contracts, to review and consider government contractors’ programs for securing the privacy and security of personally identifiable information, contractors’ compliance with such programs, and any security breaches of contractors’ systems and responses to those breaches. 

In addition, GSA is required to include penalties in contracts involving personally identifiable information for: (1) failures to comply with the provisions of Title IV of this Act; (2) knowingly delivering inaccurate information; and (3) delivering information that the contractor has been notified is inaccurate and is in fact inaccurate.  This section also directs GSA to require contractors to provide updates to their federal department and agency customers of any changes or corrections to personally identifiable information provided under contract. 

Section 602 – Requirement to Audit Information Security Practices of Contractors and Third Party Business Entities

Section 602 updates the E-Government Act of 2002 to require that agencies include in their information security programs procedures for evaluating and auditing the information security practices of contractors or third-party business entities that support agency systems or operations involving personally identifiable information.  In addition, agencies must ensure remedial action to address significant deficiencies in the information security practices of such contractors and third party business entities.

Section 603 - Privacy Impact Assessment of Government Use of Commercial Information Services Containing Personally Identifiable Information

Section 603 updates the E-Government Act of 2002 to require Federal departments and agencies purchasing or subscribing to personally identifiable information from a commercial entity to conduct privacy impact assessments on the use of those services. News reporting and telephone directory services are exempt from this requirement.   

In addition, Section 603(b) requires that the privacy impact assessments include descriptions of the database, the name of the provider and the contract amount.  Departments and agencies must adopt standards, including: for personnel access, analysis or use; limitations to ensure only legitimate government use; for retention and redisclosure of information; to ensure accuracy, relevance, completeness and timeliness; to promote auditing and security measures to protect against unauthorized use; to ensure redress procedures for adverse consequences; and to establish enforcement mechanisms. 

Departments and agencies must include in contracts and agreements with commercial data services: (1) penalties if the entity delivers personally identifiable information that it knows to be inaccurate, or has been informed is inaccurate and is in fact inaccurate; and (2) a requirement that the data providers inform Federal departments or agencies of any changes or corrections to personally identifiable information.  If the provisions in Section 603(b) are not implemented within 60 days of enactment, no Department or agency may procure or access any commercially available database consisting primarily of personally identifiable information (other than news reporting or telephone directories).

Section 603(c) requires protections where commercial data services are used to screen individuals.  These protections are modeled after similar provisions applied to the use of commercial data services for airline passenger screening in the Intelligence Reform and Terrorism Prevention Act of 2004.  Specifically, under Section 603(c) no Department or agency may use commercial databases to implement an individual screening program unless the program is congressionally authorized, and the program includes provisions to: ensure redress procedures for individuals suffering adverse consequences; ensure that use of commercial databases for screening will not produce a large number of false positives or unjustified adverse consequences; ensure the efficacy and accuracy of search tools; establish oversight policies; ensure the use of operational safeguards to reduce abuse; and ensure that the technological architecture of the screening systems raises no specific privacy concerns.

Section 603(d) directs the Government Accountability Office to study, audit and report to Congress on Federal agency use of commercial databases, including the impact of that use on privacy and security, sufficiency of privacy and security protections, and the extent to which commercial data providers are penalized for privacy and security failures. 

Section 604 – Implementation of Chief Privacy Officer Requirements

Section 604 facilitates the efficient and effective implementation of Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act of 2005, which requires each agency to create a Chief Privacy Officer.  Specifically, Section 604 directs the Department of Justice to designate a department-wide Chief Privacy Officer, whose primary role is to fulfill the duties and responsibilities of Chief Privacy Officer.  The DOJ Chief Privacy Officer will report directly to the Deputy Attorney General.

Section 604 also stipulates responsibilities for the DOJ Chief Privacy Officer that are tailored to the mission of the Department and the requirements of this Act.  Specifically, this section directs the Chief Privacy Officer to: (1) oversee DOJ’s implementation of the privacy impact assessment requirement under Section 603; (2) promote the use of law enforcement technologies that sustain, rather than erode, privacy protections and ensure technologies relating to the use, collection and disclosure of personally identifiable information preserve privacy and security; and (3) coordinate implementation with the Privacy and Civil Liberties Oversight Board, established in the Intelligence Reform and Terrorism Prevention Act of 2004.

# # # # #