To prevent identity theft, and for other purposes.

January 28, 2003

Mrs. FEINSTEIN (for herself, Mr. GRASSLEY, Mr. CORZINE, and Mr. GREGG) introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs

To prevent identity theft, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Identity Theft Prevention Act'.

SEC. 2. FINDINGS.

Congress finds that--

(1) the crime of identity theft has become one of the major law enforcement challenges of the new economy, as vast quantities of sensitive, personal information are now vulnerable to criminal interception and misuse;

(2) in November 2002, Americans were alerted to the dangers of identity theft when Federal prosecutors announced that 3 individuals had allegedly sold the credit and personal information of 30,000 people, the largest single identity theft case in United States history;

(3) hundreds of thousands of Americans are victims of identity theft each year, resulting in an annual cost to industry of more than $3,500,000,000.

(4) several indicators reveal that despite increased public awareness of the crime, the number of incidents of identity theft continues to rise;

(5) in December 2001, the Federal Trade Commission received an average of more than 3,000 identity theft calls per week, a 700 percent increase since the Identity Theft Data Clearinghouse began operation in November 1999;

(6) allegations of social security number fraud increased by 500 percent between 1998 and 2001, from 11,000 to 65,000;

(7) a national credit reporting agency reported that consumer requests for fraud alerts increased by 53 percent during fiscal year 2001;

(8) identity theft violates the privacy of American citizens and ruins their good names;

(9) victims of identity theft may suffer restricted access to credit and diminished employment opportunities, and may spend years repairing the damage to credit histories caused by identity theft;

(10) businesses and government agencies that handle sensitive personal information of consumers have a responsibility to protect this information from identity thieves; and

(11) the private sector can better protect consumers by implementing effective fraud alerts, affording greater consumer access to credit reports, truncating of credit card numbers, and establishing other prevention measures.

SEC. 3. IDENTITY THEFT PREVENTION.

(a) CHANGES OF ADDRESS-

(1) DUTY OF ISSUERS OF CREDIT- Section 132 of the Truth in Lending Act (15 U.S.C. 1642) is amended--

(A) by inserting `(a) IN GENERAL- ' before `No credit'; and

(B) by adding at the end the following:

`(b) CONFIRMATION OF CHANGES OF ADDRESS- If a card issuer receives a request for an additional credit card with respect to an existing credit account not later than 30 days after receiving notification of a change of address for that account, the card issuer shall--

`(1) not later than 5 days after sending the additional card to the new address, notify the cardholder of the request at both the new address and the former address; and

`(2) provide to the cardholder a means of promptly reporting incorrect changes.'.

(2) ENFORCEMENT-

(A) FEDERAL TRADE COMMISSION- Except as provided in subparagraph (B), compliance with section 132(b) of the Truth in Lending Act (as added by this subsection) shall be enforced by the Federal Trade Commission in the same manner and with the same power and authority as the Commission has under the Fair Debt Collection Practices Act to enforce compliance with that Act.

(B) OTHER AGENCIES IN CERTAIN CASES-

(i) IN GENERAL- Compliance with section 132(b) of the Truth in Lending Act shall be enforced under--

(I) section 8 of the Federal Deposit Insurance Act, in the case of a card issuer that is--

(aa) a national bank or a Federal branch or Federal agency of a foreign bank, by the Office of the Comptroller of the Currency;

(bb) a member bank of the Federal Reserve System (other than a national bank), a branch or agency of a foreign bank (other than a Federal branch, Federal agency, or insured State branch of a foreign bank), a commercial lending company owned or controlled by a foreign bank, or an organization operating under section 25 or 25A of the Federal Reserve Act, by the Board of Governors of the Federal Reserve System;

(cc) a bank insured by the Federal Deposit Insurance Corporation (other than a member of the Federal Reserve System or a national nonmember bank) or an insured State branch of a foreign bank, by the Board of Directors of the Federal Deposit Insurance Corporation; and

(dd) a savings association, the deposits of which are insured by the Federal Deposit Insurance Corporation, by the Director of the Office of Thrift Supervision; and

(II) the Federal Credit Union Act, by the Administrator of the National Credit Union Administration in the case of a card issuer that is a Federal credit union, as defined in that Act.

(C) VIOLATIONS TREATED AS VIOLATIONS OF OTHER LAWS-

(i) IN GENERAL- For the purpose of the exercise by any agency referred to in

this paragraph of its powers under any Act referred to in this paragraph, a violation of section 132(b) of the Truth in Lending Act (as added by this subsection) shall be deemed to be a violation of a requirement imposed under that Act.

(ii) AGENCY AUTHORITY- In addition to its powers under any provision of law specifically referred to in subparagraph (A) or (B), each of the agencies referred to in those subparagraphs may exercise, for the purpose of enforcing compliance with section 132(b) of the Truth in Lending Act, any other authority conferred on such agency by law.

(b) FRAUD ALERTS- Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is amended by adding at the end the following:

`(g) FRAUD ALERTS-

`(1) DEFINED TERM- In this subsection, the term `fraud alert' means a statement in the file of a consumer that notifies all prospective users of a consumer report made with respect to that consumer that--

`(A) the consumer's identity may have been used, without the consumer's consent, to fraudulently obtain goods or services in the consumer's name; and

`(B) the consumer does not authorize the issuance or extension of credit in the name of the consumer unless the issuer of such credit--

`(i) obtains express preauthorization from the consumer at a telephone number designated by the consumer; or

`(ii) utilizes another reasonable means of communications to obtain the express preauthorization of the consumer.

`(2) INCLUSION OF FRAUD ALERT IN CONSUMER FILE- Upon the request of a consumer and upon receiving proper identification, a consumer reporting agency shall include a fraud alert in the file of that consumer.

`(3) NOTICE SENT BY CONSUMER REPORTING AGENCIES- A consumer reporting agency shall notify each person procuring consumer credit information with respect to a consumer of the existence of a fraud alert in the file of that consumer, regardless of whether a full credit report, credit score, or summary report is requested.

`(4) PROCEDURES TO RECEIVE FRAUD ALERTS- Any person who uses a consumer credit report in connection with a credit transaction shall establish reasonable procedures to receive fraud alerts transmitted by consumer reporting agencies.

`(5) VIOLATIONS-

`(A) CONSUMER REPORTING AGENCY- Any consumer reporting agency that fails to notify any user of a consumer credit report of the existence of a fraud alert in that report shall be in violation of this section.

`(B) USER OF A CONSUMER REPORT- Any user of a consumer report that fails to comply with preauthorization procedures contained in a fraud alert and issues or extends credit in the name of the consumer to a person other than the consumer shall be in violation of this section.

`(6) EXCEPTIONS-

`(A) RESELLERS-

`(i) IN GENERAL- The provisions of this subsection do not apply to a consumer reporting agency that acts as a reseller of information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a permanent database of the assembled or merged information from which new consumer reports are produced.

`(ii) LIMITATION- A reseller of assembled or merged information shall preserve any fraud alert placed on a consumer report by another consumer reporting agency.

`(B) EXEMPT INSTITUTIONS- The requirement under this subsection to place a fraud alert in a consumer file shall not apply to--

`(i) a check services company, which issues authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments; or

`(ii) a demand deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a demand deposit account at the inquiring bank or financial institution.'.

SEC. 4. TRUNCATION OF CREDIT CARD ACCOUNT NUMBERS.

(a) IN GENERAL- Except as provided in this section, no person, firm, partnership, association, corporation, or limited liability company that accepts credit cards for the transaction of business shall print more than the last 5 digits of the credit card account number or the expiration date upon any receipt provided to the cardholder.

(b) LIMITATION- This section--

(1) applies only to receipts that are electronically printed; and

(2) does not apply to transactions in which the sole means of recording the cardholder's credit card account number is by handwriting or by an imprint or copy of the credit card.

(c) EFFECTIVE DATE- This section shall take effect--

(1) on the date that is 4 years after the date of enactment of this Act, with respect to any cash register or other machine or device that electronically prints receipts for credit card transactions that is in use prior to the date of enactment of this Act; and

(2) on the date that is 18 months after the date of enactment of this Act, with respect to any cash register or other machine or device that electronically prints receipts for credit card transactions that is first put into use on or after the date of enactment of this Act.

(d) EFFECT ON STATE LAW- Nothing in this section prevents a State from imposing requirements that are the same or substantially similar to the requirements of this section at any time before the effective date of this section.

SEC. 5. FREE ANNUAL CREDIT REPORT.

Section 612(c) of the Fair Credit Reporting Act (15 U.S.C. 1681j(c)) is amended to read as follows:

`(c) FREE ANNUAL DISCLOSURE- Upon the request of the consumer and without charge to the consumer, a consumer reporting agency shall make all the disclosures listed under section 609 once during any 12-month period.'.

END