109th CONGRESS
1st Session
S. 115
To require Federal agencies, and persons engaged in interstate commerce,
in possession of electronic data containing personal information, to disclose
any unauthorized acquisition of such information.
IN THE SENATE OF THE UNITED STATES
January 24, 2005
Mrs. FEINSTEIN introduced the following bill; which was read twice and referred
to the Committee on the Judiciary
A BILL
To require Federal agencies, and persons engaged in interstate commerce,
in possession of electronic data containing personal information, to disclose
any unauthorized acquisition of such information.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Notification of Risk to Personal Data Act'.
SEC. 2. DEFINITIONS.
In this Act, the following definitions shall apply:
(1) AGENCY- The term `agency' has the same meaning given such term in section
551(1) of title 5, United States Code.
(2) BREACH OF SECURITY OF THE SYSTEM- The term `breach of security of the
system'--
(A) means the compromise of the security, confidentiality, or integrity
of computerized data that results in, or there is a reasonable basis to
conclude has resulted in, the unauthorized acquisition of and access to
personal information maintained by the person or business; and
(B) does not include good faith acquisition of personal information by
an employee or agent of the person or business for the purposes of the
person or business, if the personal information is not used or subject
to further unauthorized disclosure.
(3) PERSON- The term `person' has the same meaning given such term in section
551(2) of title 5, United States Code.
(4) PERSONAL INFORMATION- The term `personal information' means an individual's
last name in combination with any 1 or more of the following data elements,
when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver's license number or State identification number.
(C) Account number, credit or debit card number, in combination with any
required security code, access code, or password that would permit access
to an individual's financial account.
(5) SUBSTITUTE NOTICE- The term `substitute notice' means--
(A) e-mail notice, if the agency or person has an e-mail address for the
subject persons;
(B) conspicuous posting of the notice on the Internet site of the agency
or person, if the agency or person maintains an Internet site; or
(C) notification to major media.
SEC. 3. DATABASE SECURITY.
(a) Disclosure of Security Breach-
(1) IN GENERAL- Any agency, or person engaged in interstate commerce, that
owns or licenses electronic data containing personal information shall,
following the discovery of a breach of security of the system containing
such data, notify any resident of the United States whose unencrypted personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person.
(2) NOTIFICATION OF OWNER OR LICENSEE- Any agency, or person engaged in
interstate commerce, in possession of electronic data containing personal
information that the agency does not own or license shall notify the owner
or licensee of the information if the personal information was, or is reasonably
believed to have been, acquired by an unauthorized person through a breach
of security of the system containing such data.
(3) TIMELINESS OF NOTIFICATION- Except as provided in paragraph (4), all
notifications required under paragraph (1) or (2) shall be made as expediently
as possible and without unreasonable delay following--
(A) the discovery by the agency or person of a breach of security of the
system; and
(B) any measures necessary to determine the scope of the breach, prevent
further disclosures, and restore the reasonable integrity of the data
system.
(4) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT PURPOSES- If a
law enforcement agency determines that the notification required under this
subsection would impede a criminal investigation, such notification may
be delayed until such law enforcement agency determines that the notification
will no longer compromise such investigation.
(5) METHODS OF NOTICE- An agency, or person engaged in interstate commerce,
shall be in compliance with this subsection if it provides the resident,
owner, or licensee, as appropriate, with--
(A) written notification;
(B) e-mail notice, if the person or business has an e-mail address for
the subject person; or
(C) substitute notice, if--
(i) the agency or person demonstrates that the cost of providing direct
notice would exceed $250,000;
(ii) the affected class of subject persons to be notified exceeds 500,000;
or
(iii) the agency or person does not have sufficient contact information
for those to be notified.
(6) ALTERNATIVE NOTIFICATION PROCEDURES- Notwithstanding any other obligation
under this subsection, an agency, or person engaged in interstate commerce,
shall be deemed to be in compliance with this subsection if the agency or
person--
(A) maintains its own reasonable notification procedures as part of an
information security policy for the treatment of personal information;
and
(B) notifies subject persons in accordance with its information security
policy in the event of a breach of security of the system.
(7) REASONABLE NOTIFICATION PROCEDURES- As used in paragraph (6), with respect
to a breach of security of the system involving personal information described
in section 2(4)(C), the term `reasonable notification procedures' means
procedures that--
(A) use a security program reasonably designed to block unauthorized transactions
before they are charged to the customer's account;
(B) provide for notice to be given by the owner or licensee of the database,
or another party acting on behalf of such owner or licensee, after the
security program indicates that the breach of security of the system has
resulted in fraud or unauthorized transactions, but does not necessarily
require notice in other circumstances; and
(C) are subject to examination for compliance with the requirements of
this Act by 1 or more Federal functional regulators (as defined in section
509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)), with respect to the
operation of the security program and the notification procedures.
(1) PENALTIES- Any agency, or person engaged in interstate commerce, that
violates this section shall be subject to a fine of not more than $5,000
per violation, to a maximum of $25,000 per day while such violations persist.
(2) EQUITABLE RELIEF- Any person engaged in interstate commerce that violates,
proposes to violate, or has violated this section may be enjoined from further
violations by a court of competent jurisdiction.
(3) OTHER RIGHTS AND REMEDIES- The rights and remedies available under this
subsection are cumulative and shall not affect any other rights and remedies
available under law.
(c) Enforcement- The Federal Trade Commission is authorized to enforce compliance
with this section, including the assessment of fines under subsection (b)(1).
SEC. 4. ENFORCEMENT BY STATE ATTORNEYS GENERAL.
(1) CIVIL ACTIONS- In any case in which the attorney general of a State
has reason to believe that an interest of the residents of that State has
been or is threatened or adversely affected by the engagement of any person
in a practice that is prohibited under this Act, the State, as parens patriae,
may bring a civil action on behalf of the residents of the State in a district
court of the United States of appropriate jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with this Act;
(C) obtain damages, restitution, or other compensation on behalf of residents
of the State; or
(D) obtain such other relief as the court may consider to be appropriate.
(A) IN GENERAL- Before filing an action under paragraph (1), the attorney
general of the State involved shall provide to the Attorney General--
(i) written notice of the action; and
(ii) a copy of the complaint for the action.
(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the
filing of an action by an attorney general of a State under this subsection,
if the State attorney general determines that it is not feasible to
provide the notice described in such subparagraph before the filing
of the action.
(ii) NOTIFICATION- In an action described in clause (i), the attorney
general of a State shall provide notice and a copy of the complaint
to the Attorney General at the time the State attorney general files
the action.
(b) Construction- For purposes of bringing any civil action under subsection
(a), nothing in this Act shall be construed to prevent an attorney general
of a State from exercising the powers conferred on such attorney general by
the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of documentary
and other evidence.
(c) Venue; Service of Process-
(1) VENUE- Any action brought under subsection (a) may be brought in the
district court of the United States that meets applicable requirements relating
to venue under section 1391 of title 28, United States Code.
(2) SERVICE OF PROCESS- In an action brought under subsection (a), process
may be served in any district in which the defendant--
SEC. 5. EFFECT ON STATE LAW.
The provisions of this Act shall supersede any inconsistent provisions of
law of any State or unit of local government relating to the notification
of any resident of the United States of any breach of security of an electronic
database containing such resident's personal information (as defined in this
Act), except as provided under sections 1798.82 and 1798.29 of the California
Civil Code.
SEC. 6. EFFECTIVE DATE.
This Act shall take effect on the expiration of the date which is 6 months
after the date of enactment of this Act.