Personal Data Privacy and Security Act of 2005

109th CONGRESS
1st Session

S. 1789

To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

IN THE SENATE OF THE UNITED STATES

September 29, 2005

Mr. SPECTER (for himself, Mr. LEAHY, Mrs. FEINSTEIN, and Mr. FEINGOLD) introduced the following bill; which was read twice and referred to the Committee on the Judiciary

A BILL

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) Short Title- This Act may be cited as the `Personal Data Privacy and Security Act of 2005'.

(b) Table of Contents- The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Findings.

Sec. 3. Definitions.

TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY

Sec. 101. Fraud and related criminal activity in connection with unauthorized access to personally identifiable information.

Sec. 102. Organized criminal activity in connection with unauthorized access to personally identifiable information.

Sec. 103. Concealment of security breaches involving sensitive personally identifiable information.

Sec. 104. Aggravated fraud in connection with computers.

Sec. 105. Review and amendment of Federal sentencing guidelines related to fraudulent access to or misuse of digitized or electronic personally identifiable information.

TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY IDENTIFIABLE INFORMATION

Sec. 201. Grants for State and local enforcement.

Sec. 202. Authorization of appropriations.

TITLE III--DATA BROKERS

Sec. 301. Transparency and accuracy of data collection.

Sec. 302. Enforcement.

Sec. 303. Relation to State laws.

Sec. 304. Effective date.

TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

Subtitle A--Data Privacy and Security Program

Sec. 401. Purpose and applicability of data privacy and security program.

Sec. 402. Requirements for a personal data privacy and security program.

Sec. 403. Enforcement.

Sec. 404. Relation to State laws.

Subtitle B--Security Breach Notification

Sec. 421. Right to notice of security breach.

Sec. 422. Notice procedures.

Sec. 423. Content of notice.

Sec. 424. Risk assessment and fraud prevention notice exemptions.

Sec. 425. Victim protection assistance.

Sec. 426. Enforcement.

Sec. 427. Relation to State laws.

Sec. 428. Study on securing personally identifiable information in the digital era.

Sec. 429. Reporting on risk assessment exemption.

Sec. 430. Authorization of appropriations.

Sec. 431. Reporting on risk assessment exemption.

Sec. 432. Effective date.

TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

Sec. 501. General Services Administration review of contracts.

Sec. 502. Requirement to audit information security practices of contractors and third party business entities.

Sec. 503. Privacy impact assessment of government use of commercial information services containing personally identifiable information.

Sec. 504. Implementation of Chief Privacy Officer requirements.

SEC. 2. FINDINGS.

Congress finds that--

(1) databases of personally identifiable information are increasingly prime targets of hackers, identity thieves, rogue employees, and other criminals, including organized and sophisticated criminal operations;

(2) identity theft is a serious threat to the nation's economic stability, homeland security, the development of e-commerce, and the privacy rights of Americans;

(3) over 9,300,000 individuals were victims of identity theft in America last year;

(4) security breaches are a serious threat to consumer confidence, homeland security, e-commerce, and economic stability;

(5) it is important for business entities that own, use, or license personally identifiable information to adopt reasonable procedures to ensure the security, privacy, and confidentially of that personally identifiable information;

(6) individuals whose personal information has been compromised or who have been victims of identity theft should receive the necessary information and assistance to mitigate their damages and to restore the integrity of their personal information and identities;

(7) data brokers have assumed a significant role in providing identification, authentication, and screening services, and related data collection and analyses for commercial, nonprofit, and government operations;

(8) data misuse and use of inaccurate data have the potential to cause serious or irreparable harm to an individual's livelihood, privacy, and liberty and undermine efficient and effective business and government operations;

(9) there is a need to insure that data brokers conduct their operations in a manner that prioritizes fairness, transparency, accuracy, and respect for the privacy of consumers;

(10) government access to commercial data can potentially improve safety, law enforcement, and national security; and

(11) because government use of commercial data containing personal information potentially affects individual privacy, and law enforcement and national security operations, there is a need for Congress to exercise oversight over government use of commercial data.

SEC. 3. DEFINITIONS.

In this Act:

(1) AGENCY- The term `agency' has the same meaning given such term in section 551 of title 5, United States Code.

(2) AFFILIATE- The term `affiliate' means persons related by common ownership or by corporate control.

(3) BUSINESS ENTITY- The term `business entity' means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, venture established to make a profit, or nonprofit, and any contractor, subcontractor, affiliate, or licensee thereof engaged in interstate commerce.

(4) IDENTITY THEFT- The term `identity theft' means a violation of section 1028 of title 18, United States Code, or any other similar provision of applicable State law.

(5) DATA BROKER- The term `data broker' means a business entity which for monetary fees, dues, or on a cooperative nonprofit basis, currently or regularly engages, in whole or in part, in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information primarily for the purposes of providing such information to nonaffiliated third parties on a nationwide basis on more than 5,000 individuals who are not the customers or employees of the business entity or affiliate.

(6) DATA FURNISHER- The term `data furnisher' means any agency, governmental entity, organization, corporation, trust, partnership, sole proprietorship, unincorporated association, venture established to make a profit, or nonprofit, and any contractor, subcontractor, affiliate, or licensee thereof, that serves as a source of information for a data broker.

(7) PERSONAL ELECTRONIC RECORD- The term `personal electronic record' means data associated with an individual contained in a database, networked or integrated databases, or other data system that holds sensitive personally identifiable information of that individual and is provided to non-affiliated third parties.

(8) PERSONALLY IDENTIFIABLE INFORMATION- The term `personally identifiable information' means any information, or compilation of information, in electronic or digital form serving as a means of identification, as defined by section 1028(d)(7) of title 18, United State Code.

(9) PUBLIC RECORD SOURCE- The term `public record source' means any agency, Federal court, or State court that maintains personally identifiable information in records available to the public.

(10) SECURITY BREACH-

(A) IN GENERAL- The term `security breach' means compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to sensitive personally identifiable information.

(B) EXCLUSION- The term `security breach' does not include--

(i) a good faith acquisition of sensitive personally identifiable information by a business entity or agency, or an employee or agent of a business entity or agency, if the sensitive personally identifiable information is not subject to further unauthorized disclosure; or

(ii) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements.

(11) SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION- The term `sensitive personally identifiable information' means any information or compilation of information, in electronic or digital form that includes:

(A) An individual's name in combination with any 1 of the following data elements:

(i) A non-truncated social security number, driver's license number, passport number, or alien registration number.

(ii) Any 2 of the following:

(I) Information that relates to--

(aa) the past, present, or future physical or mental health or condition of an individual;

(bb) the provision of health care to an individual; or

(cc) the past, present, or future payment for the provision of health care to an individual.

(II) Home address or telephone number.

(III) Mother's maiden name, if identified as such.

(IV) Month, day, and year of birth.

(iii) Unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation.

(iv) A unique electronic identification number, user name, or routing code in combination with the associated security code, access code, or password.

(v) Any other information regarding an individual determined appropriate by the Federal Trade Commission.

(B) A financial account number or credit or debit card number in combination with the required security code, access code, or password.

TITLE I--ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY

SEC. 101. FRAUD AND RELATED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.

Section 1030(a)(2) of title 18, United States Code, is amended--

(1) in subparagraph (B), by striking `or' after the semicolon;

(2) in subparagraph (C), by inserting `or' after the semicolon; and

(3) by adding at the end the following:

`(D) information contained in the databases or systems of a data broker, or in other personal electronic records, as such terms are defined in section 3 of the Personal Data Privacy and Security Act of 2005;'.

SEC. 102. ORGANIZED CRIMINAL ACTIVITY IN CONNECTION WITH UNAUTHORIZED ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION.

Section 1961(1) of title 18, United States Code, is amended by inserting `section 1030(a)(2)(D)(relating to fraud and related activity in connection with unauthorized access to personally identifiable information,' before `section 1084'.

SEC. 103. CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION.

(a) In General- Chapter 47 of title 18, United States Code, is amended by adding at the end the following:

`Sec. 1039. Concealment of security breaches involving sensitive personally identifiable information

`(a) Whoever, having knowledge of a security breach and the obligation to provide notice of such breach to individuals under title IV of the Personal Data Privacy and Security Act of 2005, and having not otherwise qualified for an exemption from providing notice under section 422 of such Act, intentionally and willfully conceals the fact of such security breach which causes economic damages to 1 or more persons, shall be fined under this title or imprisoned not more than 5 years, or both.

`(b) For purposes of subsection (a), the term `person' means any individual, corporation, company, association, firm, partnership, society, or joint stock company.'.

(b) Conforming and Technical Amendments- The table of sections for chapter 47 of title 18, United States Code, is amended by adding at the end the following:

`1039. Concealment of security breaches involving personally identifiable information.'.

(c) Enforcement Authority- The United States Secret Service shall have the authority to investigate offenses under this section.

SEC. 104. AGGRAVATED FRAUD IN CONNECTION WITH COMPUTERS.

(a) In General- Chapter 47 of title 18, United States Code, is amended by adding after section 1030 the following:

`Sec. 1030A. Aggravated fraud in connection with computers

`(a) In General- Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly obtains, accesses, or transmits, without lawful authority, a means of identification of another person may, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of up to 2 years.

`(b) Consecutive Sentences- Notwithstanding any other provision of law, should a court in its discretion impose an additional sentence under subsection (a)--

`(1) no term of imprisonment imposed on a person under this section shall run concurrently, except as provided in paragraph (3), with any other term of imprisonment imposed on such person under any other provision of law, including any term of imprisonment imposed for the felony during which the means of identifications was obtained, accessed, or transmitted;

`(2) in determining any term of imprisonment to be imposed for the felony during which the means of identification was obtained, accessed, or transmitted, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and

`(3) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section.

`(c) Definition- For purposes of this section, the term `felony violation enumerated in subsection (c)' means any offense that is a felony violation of paragraphs (2) through (7) of section 1030(a).'.

(b) Conforming and Technical Amendments- The table of sections for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following new item:

`1030A. Aggravated fraud in connection with computers.'.

SEC. 105. REVIEW AND AMENDMENT OF FEDERAL SENTENCING GUIDELINES RELATED TO FRAUDULENT ACCESS TO OR MISUSE OF DIGITIZED OR ELECTRONIC PERSONALLY IDENTIFIABLE INFORMATION.

(a) Review and Amendment- Not later than 180 days after the date of enactment of this Act, the United States Sentencing Commission, pursuant to its authority under section 994 of title 28, United States Code, and in accordance with this section, shall review and, if appropriate, amend the Federal sentencing guidelines (including its policy statements) applicable to persons convicted of using fraud to access, or misuse of, digitized or electronic personally identifiable information, including identity theft or any offense under--

(1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of title 18, United States Code; or

(2) any other relevant provision.

(b) Requirements- In carrying out the requirements of this section, the United States Sentencing Commission shall--

(1) ensure that the Federal sentencing guidelines (including its policy statements) reflect--

(A) the serious nature of the offenses and penalties referred to in this Act;

(B) the growing incidences of theft and misuse of digitized or electronic personally identifiable information, including identity theft; and

(2) consider the extent to which the Federal sentencing guidelines (including its policy statements) adequately address violations of the sections amended by this Act to--

(A) sufficiently deter and punish such offenses; and

(B) adequately reflect the enhanced penalties established under this Act;

(3) maintain reasonable consistency with other relevant directives and sentencing guidelines;

(4) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;

(5) consider whether to provide a sentencing enhancement for those convicted of the offenses described in subsection (a), if the conduct involves--

(A) the online sale of fraudulently obtained or stolen personally identifiable information;

(B) the sale of fraudulently obtained or stolen personally identifiable information to an individual who is engaged in terrorist activity or aiding other individuals engaged in terrorist activity; or

(C) the sale of fraudulently obtained or stolen personally identifiable information to finance terrorist activity or other criminal activities;

(6) make any necessary conforming changes to the Federal sentencing guidelines to ensure that such guidelines (including its policy statements) as described in subsection (a) are sufficiently stringent to deter, and adequately reflect crimes related to fraudulent access to, or misuse of, personally identifiable information; and

(7) ensure that the Federal sentencing guidelines adequately meet the purposes of sentencing under section 3553(a)(2) of title 18, United States Code.

(c) Emergency Authority to Sentencing Commission- The United States Sentencing Commission may, as soon as practicable, promulgate amendments under this section in accordance with procedures established in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 994 note) as though the authority under that Act had not expired.

TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING CRIMES RELATED TO FRAUDULENT, UNAUTHORIZED, OR OTHER CRIMINAL USE OF PERSONALLY IDENTIFIABLE INFORMATION

SEC. 201. GRANTS FOR STATE AND LOCAL ENFORCEMENT.

(a) In General- Subject to the availability of amounts provided in advance in appropriations Acts, the Assistant Attorney General for the Office of Justice Programs of the Department of Justice may award a grant to a State to establish and develop programs to increase and enhance enforcement against crimes related to fraudulent, unauthorized, or other criminal use of personally identifiable information.

(b) Application- A State seeking a grant under subsection (a) shall submit an application to the Assistant Attorney General for the Office of Justice Programs of the Department of Justice at such time, in such manner, and containing such information as the Assistant Attorney General may require.

(c) Use of Grant Amounts- A grant awarded to a State under subsection (a) shall be used by a State, in conjunction with units of local government within that State, State and local courts, other States, or combinations thereof, to establish and develop programs to--

(1) assist State and local law enforcement agencies in enforcing State and local criminal laws relating to crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information;

(2) assist State and local law enforcement agencies in educating the public to prevent and identify crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information;

(3) educate and train State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information;

(4) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information; and

(5) facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information with State and local law enforcement officers and prosecutors, including the use of multi-jurisdictional task forces.

(d) Assurances and Eligibility- To be eligible to receive a grant under subsection (a), a State shall provide assurances to the Attorney General that the State--

(1) has in effect laws that penalize crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information, such as penal laws prohibiting--

(A) fraudulent schemes executed to obtain personally identifiable information;

(B) schemes executed to sell or use fraudulently obtained personally identifiable information; and

(2) will provide an assessment of the resource needs of the State and units of local government within that State, including criminal justice resources being devoted to the investigation and enforcement of laws related to crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information; and

(3) will develop a plan for coordinating the programs funded under this section with other federally funded technical assistant and training programs, including directly funded local programs such as the Local Law Enforcement Block Grant program (described under the heading `Violent Crime Reduction Programs, State and Local Law Enforcement Assistance' of the Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 1998 (Public Law 105-119)).

(e) Matching Funds- The Federal share of a grant received under this section may not exceed 90 percent of the total cost of a program or proposal funded under this section unless the Attorney General waives, wholly or in part, the requirements of this subsection.

SEC. 202. AUTHORIZATION OF APPROPRIATIONS.

(a) In General- There is authorized to be appropriated to carry out this title $25,000,000 for each of fiscal years 2006 through 2009.

(b) Limitations- Of the amount made available to carry out this title in any fiscal year not more than 3 percent may be used by the Attorney General for salaries and administrative expenses.

(c) Minimum Amount- Unless all eligible applications submitted by a State or units of local government within a State for a grant under this title have been funded, the State, together with grantees within the State (other than Indian tribes), shall be allocated in each fiscal year under this title not less than 0.75 percent of the total amount appropriated in the fiscal year for grants pursuant to this title, except that the United States Virgin Islands, American Samoa, Guam, and the Northern Mariana Islands each shall be allocated 0.25 percent.

(d) Grants to Indian Tribes- Notwithstanding any other provision of this title, the Attorney General may use amounts made available under this title to make grants to Indian tribes for use in accordance with this title.

TITLE III--DATA BROKERS

SEC. 301. TRANSPARENCY AND ACCURACY OF DATA COLLECTION.

(a) In General- Data brokers engaging in interstate commerce are subject to the requirements of this title for any product or service offered to third parties that allows access, use, compilation, distribution, processing, analyzing, or evaluation of sensitive personally identifiable information.

(b) Limitation- Notwithstanding any other paragraph of this title, this section shall not apply to--

(1) data brokers engaging in interstate commerce for any offered product or service currently subject to, and in compliance with, access and accuracy protections similar to those under subsections (c) through (f) of this section under the Fair Credit Reporting Act (Public Law 91-508), or the Gramm-Leach Bliley Act (Public Law 106-102);

(2) data brokers engaging in interstate commerce for any offered product or service currently in compliance with the requirements for such entities under the Health Insurance Portability and Accountability Act (Public Law 104-191), and implementing regulations;

(3) information in a personal electronic record held by a data broker if--

(A) the data broker maintains such information solely pursuant to a license agreement with another business entity; and

(B) the business entity providing such information to the data broker pursuant to a license agreement either complies with the provisions of this section or qualifies for this exemption; and

(4) information in a personal record that--

(A) the data broker has identified as inaccurate, but maintains for the purpose of aiding the data broker in preventing inaccurate information from entering an individual's personal electronic record; and

(B) is not maintained primarily for the purpose of transmitting or otherwise providing that information, or assessments based on that information, to non-affiliated third parties.

(1) IN GENERAL- A data broker shall, upon the request of an individual, clearly and accurately disclose to such individual for a reasonable fee all personal electronic records pertaining to that individual maintained for disclosure to third parties in the ordinary course of business in the databases or systems of the data broker at the time of the request.

(2) INFORMATION ON HOW TO CORRECT INACCURACIES- The disclosures required under paragraph (1) shall also include guidance to individuals on the processes and procedures for demonstrating and correcting any inaccuracies.

(d) Creation of an Accuracy Resolution Process- A data broker shall develop and publish on its website timely and fair processes and procedures for responding to claims of inaccuracies, including procedures for correcting inaccurate information in the personal electronic records it maintains on individuals.

(e) Accuracy Resolution Process-

(1) INFORMATION FROM A PUBLIC RECORD SOURCE-

(A) IN GENERAL- If an individual notifies a data broker of a dispute as to the completeness or accuracy of information, and the data broker determines that such information is derived from a public record source, the data broker shall determine within 30 days whether the information in its system accurately and completely records the information offered by the public record source.

(B) DATA BROKER ACTIONS- If a data broker determines under subparagraph (A) that the information in its systems--

(i) does not accurately and completely record the information offered by a public record source, the data broker shall correct any inaccuracies or incompleteness, and provide to such individual written notice of such changes; and

(ii) does accurately and completely record the information offered by a public record source, the data broker shall--

(I) provide such individual with the name, address, and telephone contact information of the public record source; and

(II) notify such individual of the right to add for a period of 90 days to the personal electronic record of the individual maintained by the data broker notice of the dispute under subsection (f).

(2) INVESTIGATION OF DISPUTED INFORMATION NOT FROM A PUBLIC RECORD SOURCE- If the completeness or accuracy of any nonpublic record source disclosed to an individual under subsection (c) is disputed by the individual and such individual notifies the data broker directly of such dispute, the data broker shall, before the end of the 30-day period beginning on the date on which the data broker receives the notice of the dispute--

(A) investigate free of charge and record the current status of the disputed information; or

(B) delete the item from the individuals data file in accordance with paragraph (8).

(3) EXTENSION OF PERIOD TO INVESTIGATE- Except as provided in paragraph (4), the 30-day period described in paragraph (1) may be extended for not more than 15 additional days if a data broker receives information from the individual during that 30-day period that is relevant to the investigation.

(4) LIMITATIONS ON EXTENSION OF PERIOD TO INVESTIGATE- Paragraph (3) shall not apply to any investigation in which, during the 30-day period described in paragraph (1), the information that is the subject of the investigation is found to be inaccurate or incomplete or a data broker determines that the information cannot be verified.

(5) NOTICE IDENTIFYING THE DATA FURNISHER- If the completeness or accuracy of any information disclosed to an individual under subsection (c) is disputed by the individual, a data broker shall provide upon the request of the individual, the name, business address, and telephone contact information of any data furnisher who provided an item of information in dispute.

(6) DETERMINATION THAT DISPUTE IS FRIVOLOUS OR IRRELEVANT-

(A) IN GENERAL- Notwithstanding paragraphs (1) through (4), a data broker may decline to investigate or terminate an investigation of information disputed by an individual under those paragraphs if the data broker reasonably determines that the dispute by the individual is frivolous or irrelevant, including by reason of a failure by the individual to provide sufficient information to investigate the disputed information.

(B) NOTICE- Not later than 5 business days after making any determination in accordance with subparagraph (A) that a dispute is frivolous or irrelevant, a data broker shall notify the individual of such determination by mail, or if authorized by the individual, by any other means available to the data broker.

(i) the reasons for the determination under subparagraph (A); and

(ii) identification of any information required to investigate the disputed information, which may consist of a standardized form describing the general nature of such information.

(7) CONSIDERATION OF INDIVIDUAL INFORMATION- In conducting any investigation with respect to disputed information in the personal electronic record of any individual, a data broker shall review and consider all relevant information submitted by the individual in the period described in paragraph (2) with respect to such disputed information.

(8) TREATMENT OF INACCURATE OR UNVERIFIABLE INFORMATION-

(A) IN GENERAL- If, after any review of public record information under paragraph (1) or any investigation of any information disputed by an individual under paragraphs (2) through (4), an item of information is found to be inaccurate or incomplete or cannot be verified, a data broker shall promptly delete that item of information from the individual's personal electronic record or modify that item of information, as appropriate, based on the results of the investigation.

(B) NOTICE TO INDIVIDUALS OF REINSERTION OF PREVIOUSLY DELETED INFORMATION- If any information that has been deleted from an individual's personal electronic record pursuant to subparagraph (A) is reinserted in the personal electronic record of the individual, a data broker shall, not later than 5 days after reinsertion, notify the individual of the reinsertion and identify any data furnisher not previously disclosed in writing, or if authorized by the individual for that purpose, by any other means available to the data broker, unless such notification has been previously given under this subsection.

(i) IN GENERAL- Not later than 5 business days after the completion of an investigation under paragraph (2), a data broker shall provide written notice to an individual of the results of the investigation, by mail or, if authorized by the individual for that purpose, by other means available to the data broker.

(ii) ADDITIONAL REQUIREMENT- Before the expiration of the 5-day period, as part of, or in addition to such notice, a data broker shall, in writing, provide to an individual--

(I) a statement that the investigation is completed;

(II) a report that is based upon the personal electronic record of such individual as that personal electronic record is revised as a result of the investigation;

(III) a notice that, if requested by the individual, a description of the procedures used to determine the accuracy and completeness of the information shall be provided to the individual by the data broker, including the business name, address, and telephone number of any data furnisher of information contacted in connection with such information; and

(IV) a notice that the individual has the right to request notifications under subsection (f).

(D) DESCRIPTION OF INVESTIGATION PROCEDURES- Not later than 15 days after receiving a request from an individual for a description referred to in subparagraph (C)(ii)(III), a data broker shall provide to the individual such a description.

(E) EXPEDITED DISPUTE RESOLUTION- If by no later than 3 business days after the date on which a data broker receives notice of a dispute from an individual of information in the personal electronic record of such individual in accordance with paragraph (2), a data broker resolves such dispute in accordance with subparagraph (A) by the deletion of the disputed information, then the data broker shall not be required to comply with subsections (e) and (f) with respect to that dispute if the data broker provides to the individual, by telephone or other means authorized by the individual, prompt notice of the deletion.

(f) Notice of Dispute-

(1) IN GENERAL- If the completeness or accuracy of any information disclosed to an individual under subsection (c) is disputed and unless there is a reasonable ground to believe that such dispute is frivolous or irrelevant, an individual may request that the data broker indicate notice of the dispute for a period of--

(A) 30 days for information from a nonpublic record source; and

(B) 90 days for information from a public record source.

(2) COMPLIANCE- A data broker shall be deemed in compliance with the requirements under paragraph (1) by either--

(A) allowing the individual to file a brief statement setting forth the nature of the dispute under paragraph (3); or

(B) using an alternative notice method that--

(i) clearly flags the disputed information for third parties accessing the information; and

(ii) provides a means for third parties to obtain further information regarding the nature of the dispute.

(3) CONTENTS OF STATEMENT- A data broker may limit statements made under paragraph (2)(A) to not more than 100 words if it provides an individual with assistance in writing a clear summary of the dispute or until the dispute is resolved.

(g) Additional Requirements- The Federal Trade Commission may exempt certain classes of data brokers from this title in a rulemaking process pursuant to section 553 of title 5, United States Code.

SEC. 302. ENFORCEMENT.

(a) Civil Penalties-

(1) PENALTIES- Any data broker that violates the provisions of section 301 shall be subject to civil penalties of not more than $1,000 per violation per day, with a maximum of $15,000 per day, while such violations persist.

(2) INTENTIONAL OR WILLFUL VIOLATION- A data broker that intentionally or willfully violates the provisions of section 301 shall be subject to additional penalties in the amount of $1,000 per violation per day, with a maximum of an additional $15,000 per day, while such violations persist.

(3) EQUITABLE RELIEF- A data broker engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.

(4) OTHER RIGHTS AND REMEDIES- The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.

(b) Injunctive Actions by the Attorney General-

(1) IN GENERAL- Whenever it appears that a data broker to which this title applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this title, the Attorney General may bring a civil action in an appropriate district court of the United States to--

(A) enjoin such act or practice;

(B) enforce compliance with this title;

(i) in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and

(ii) punitive damages, if the violation is willful or intentional; and

(D) obtain such other relief as the court determines to be appropriate.

(2) OTHER INJUNCTIVE RELIEF- Upon a proper showing in the action under paragraph (1), the court shall grant a permanent injunction or a temporary restraining order without bond.

(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates this title, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to--

(A) enjoin that act or practice;

(B) enforce compliance with this title;

(i) damages in the sum of actual damages, restitution, or other compensation on behalf of affected residents of the State; and

(ii) punitive damages, if the violation is willful or intentional; or

(D) obtain such other legal and equitable relief as the court may consider to be appropriate.

(2) NOTICE-

(A) IN GENERAL- Before filing an action under this subsection, the attorney general of the State involved shall provide to the Attorney General--

(i) a written notice of that action; and

(ii) a copy of the complaint for that action.

(B) EXCEPTION- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action.

(C) NOTIFICATION WHEN PRACTICABLE- In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Attorney General as soon after the filing of the complaint as practicable.

(3) ATTORNEY GENERAL AUTHORITY- Upon receiving notice under paragraph (2), the Attorney General shall have the right to--

(A) move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);

(B) intervene in an action brought under paragraph (1); and

(4) PENDING PROCEEDINGS- If the Attorney General has instituted a proceeding or action for a violation of this title or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.

(5) RULE OF CONSTRUCTION- For purposes of bringing any civil action under paragraph (1), nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--

(A) conduct investigations;

(B) administer oaths and affirmations; or

(6) VENUE; SERVICE OF PROCESS-

(A) VENUE- Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1931 of title 28, United States Code.

(B) SERVICE OF PROCESS- In an action brought under this subsection process may be served in any district in which the defendant--

(i) is an inhabitant; or

(ii) may be found.

(d) No Private Cause of Action- Nothing in this title establishes a private cause of action against a data broker for violation of any provision of this title.

SEC. 303. RELATION TO STATE LAWS.

No requirement or prohibition may be imposed under the laws of any State with respect to any subject matter regulated under section 301, relating to individual access to, and correction of, personal electronic records held by databrokers.

SEC. 304. EFFECTIVE DATE.

This title shall take effect 180 days after the date of enactment of this Act and shall be implemented pursuant to a State by State rollout schedule set by the Federal Trade Commission, but in no case shall full implementation and effect of this title occur later than 1 year and 180 days after the date of enactment of this Act.

TITLE IV--PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION

Subtitle A--Data Privacy and Security Program

SEC. 401. PURPOSE AND APPLICABILITY OF DATA PRIVACY AND SECURITY PROGRAM.

(a) Purpose- The purpose of this subtitle is to ensure standards for developing and implementing administrative, technical, and physical safeguards to protect the privacy, security, confidentiality, integrity, storage, and disposal of sensitive personally identifiable information.

(b) In General- A business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons is subject to the requirements for a data privacy and security program under section 402 for protecting sensitive personally identifiable information.

(1) financial institutions--

(A) subject to the data security requirements and implementing regulations under the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); and

(B) subject to--

(i) examinations for compliance with the requirements of this Act by 1 or more Federal or State functional regulators (as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)); or

(ii) compliance with part 314 of title 16, Code of Federal Regulations; or

(2) `covered entities' subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), including the data security requirements and implementing regulations of that Act.

(d) Safe Harbor- A business entity shall be deemed in compliance with the privacy and security program requirements under section 402 if the business entity complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of sensitive personally identifiable information involved in the ordinary course of business of such business entity.

SEC. 402. REQUIREMENTS FOR A PERSONAL DATA PRIVACY AND SECURITY PROGRAM.

(a) Personal Data Privacy and Security Program- Unless otherwise limited under section 401(c), a business entity subject to this subtitle shall comply with the following safeguards and any others identified by the Federal Trade Commission in a rulemaking process pursuant to section 553 of title 5, United States Code, to protect the privacy and security of sensitive personally identifiable information:

(1) SCOPE- A business entity shall implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities.

(2) DESIGN- The personal data privacy and security program shall be designed to--

(A) ensure the privacy, security, and confidentiality of personal electronic records;

(B) protect against any anticipated vulnerabilities to the privacy, security, or integrity of personal electronic records; and

(C) protect against unauthorized access to use of personal electronic records that could result in substantial harm or inconvenience to any individual.

(3) RISK ASSESSMENT- A business entity shall--

(A) identify reasonably foreseeable internal and external vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information or systems containing sensitive personally identifiable information;

(B) assess the likelihood of and potential damage from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information; and

(C) assess the sufficiency of its policies, technologies, and safeguards in place to control and minimize risks from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information.

(4) RISK MANAGEMENT AND CONTROL- Each business entity shall--

(A) design its personal data privacy and security program to control the risks identified under paragraph (3); and

(B) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of the activities of the business entity that--

(i) control access to systems and facilities containing sensitive personally identifiable information, including controls to authenticate and permit access only to authorized individuals;

(ii) detect actual and attempted fraudulent, unlawful, or unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information, including by employees and other individuals otherwise authorized to have access; and

(iii) protect sensitive personally identifiable information during use, transmission, storage, and disposal by encryption or other reasonable means (including as directed for disposal of records under section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w) and the implementing regulations of such Act as set forth in section 682 of title 16, Code of Federal Regulations).

(b) Training- Each business entity subject to this subtitle shall take steps to ensure employee training and supervision for implementation of the data security program of the business entity.

(1) IN GENERAL- Each business entity subject to this subtitle shall take steps to ensure regular testing of key controls, systems, and procedures of the personal data privacy and security program to detect, prevent, and respond to attacks or intrusions, or other system failures.

(2) FREQUENCY- The frequency and nature of the tests required under paragraph (1) shall be determined by the risk assessment of the business entity under subsection (a)(3).

(d) Relationship to Service Providers- In the event a business entity subject to this subtitle engages service providers not subject to this subtitle, such business entity shall--

(1) exercise appropriate due diligence in selecting those service providers for responsibilities related to sensitive personally identifiable information, and take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and

(2) require those service providers by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing entities subject to this section, section 401, and subtitle B.

(e) Periodic Assessment and Personal Data Privacy and Security Modernization- Each business entity subject to this subtitle shall on a regular basis monitor, evaluate, and adjust, as appropriate its data privacy and security program in light of any relevant changes in--

(1) technology;

(2) the sensitivity of personally identifiable information;

(3) internal or external threats to personally identifiable information; and

(4) the changing business arrangements of the business entity, such as--

(A) mergers and acquisitions;

(B) alliances and joint ventures;

(D) bankruptcy; and

(E) changes to sensitive personally identifiable information systems.

(f) Implementation Time Line- Not later than 1 year after the date of enactment of this Act, a business entity subject to the provisions of this subtitle shall implement a data privacy and security program pursuant to this subtitle.

SEC. 403. ENFORCEMENT.

(a) Civil Penalties-

(1) IN GENERAL- Any business entity that violates the provisions of sections 401 or 402 shall be subject to civil penalties of not more than $5,000 per violation per day, with a maximum of $35,000 per day, while such violations persist.

(2) INTENTIONAL OR WILLFUL VIOLATION- A business entity that intentionally or willfully violates the provisions of sections 401 or 402 shall be subject to additional penalties in the amount of $5,000 per violation per day, with a maximum of an additional $35,000 per day, while such violations persist.

(3) EQUITABLE RELIEF- A business entity engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.

(4) OTHER RIGHTS AND REMEDIES- The rights and remedies available under this section are cumulative and shall not affect any other rights and remedies available under law

(b) Injunctive Actions by the Attorney General-

(1) IN GENERAL- Whenever it appears that a business entity or agency to which this subtitle applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this subtitle, the Attorney General may bring a civil action in an appropriate district court of the United States to--

(A) enjoin such act or practice;

(B) enforce compliance with this subtitle; and

(i) in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and

(ii) punitive damages, if the violation is willful or intentional; and

(D) obtain such other relief as the court determines to be appropriate.

(2) OTHER INJUNCTIVE RELIEF- Upon a proper showing in the action under paragraph (1), the court shall grant a permanent injunction or a temporary restraining order without bond.

(1) CIVIL ACTIONS- In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates this subtitle, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to--

(A) enjoin that act or practice;

(B) enforce compliance with this subtitle;

(i) damages in the sum of actual damages, restitution, or other compensation on behalf of affected residents of the State; and

(ii) punitive damages, if the violation is willful or intentional; or

(D) obtain such other legal and equitable relief as the court may consider to be appropriate.

(2) NOTICE-

(A) IN GENERAL- Before filing an action under this subsection, the attorney general of the State involved shall provide to the Attorney General--

(i) a written notice of that action; and

(ii) a copy of the complaint for that action.

(3) ATTORNEY GENERAL AUTHORITY- Upon receiving notice under paragraph (2), the Attorney General shall have the right to--

(A) move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);

(B) intervene in an action brought under paragraph (1); and

(5) RULE OF CONSTRUCTION- For purposes of bringing any civil action under paragraph (1) nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--

(A) conduct investigations;

(B) administer oaths and affirmations; or

(6) VENUE; SERVICE OF PROCESS-

(B) SERVICE OF PROCESS- In an action brought under this subsection process may be served in any district in which the defendant--

(i) is an inhabitant; or

(ii) may be found.

(d) No Private Cause of Action- Nothing in this title establishes a private cause of action against a business entity for violation of any provision of this subtitle.

SEC. 404. RELATION TO STATE LAWS.

(a) In General- No State may--

(1) require an entity described in section 401(c) to comply with this subtitle or any regulation promulgated thereunder; and

(2) require an entity in compliance with the safe harbor established under section 401(d), to comply with any other provision of this subtitle.

(b) Effect of Subtitle A- Except as provided in subsection (a), this subtitle does not annul, alter, affect, or exempt any person subject to the provisions of this subtitle from complying with the laws of any State with respect to security programs for sensitive personally identifiable information, except to the extent that those laws are inconsistent with any provisions of this subtitle, and then only to the extent of such inconsistency.

Subtitle B--Security Breach Notification

SEC. 421. NOTICE TO INDIVIDUALS.

(a) In General- Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information shall, following the discovery of a security breach maintained by the agency or business entity that contains such information, notify any resident of the United States whose sensitive personally identifiable information was subject to the security breach.

(b) Obligation of Owner or Licensee-

(1) NOTICE TO OWNER OR LICENSEE- Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the agency or business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach containing such information.

(2) NOTICE BY OWNER, LICENSEE OR OTHER DESIGNATED THIRD PARTY- Noting in this subtitle shall prevent or abrogate an agreement between an agency or business entity required to give notice under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a).

(3) BUSINESS ENTITY RELIEVED FROM GIVING NOTICE- A business entity obligated to give notice under subsection (a) shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security breach, or other designated third party, provides such notification.

(1) IN GENERAL- All notifications required under this section shall be made without unreasonable delay following--

(A) the discovery by the agency or business entity of a security breach; and

(B) any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.

(2) BURDEN OF PROOF- The agency, business entity, owner, or licensee required to provide notification under this section shall have the burden of demonstrating that all notifications were made as required under this subtitle, including evidence demonstrating the necessity of any delay.

(d) Delay of Notification Authorized for Law Enforcement Purposes-

(1) IN GENERAL- If a law enforcement agency determines that the notification required under this section would impede a criminal investigation, such notification may be delayed upon the written request of the law enforcement agency.

(2) EXTENDED DELAY OF NOTIFICATION- If the notification required under subsection (a) is delayed pursuant to paragraph (1), an agency or business entity shall give notice 30 days after the day such law enforcement delay was invoked unless a law enforcement agency provides written notification that further delay is necessary.

SEC. 422. EXEMPTIONS.

(a) Exemption for National Security and Law Enforcement-

(1) IN GENERAL- Section 421 shall not apply to an agency if the head of the agency certifies, in writing, that notification of the security breach as required by section 421 reasonably could be expected to--

(A) cause damage to the national security; or

(B) hinder a law enforcement investigation or the ability of the agency to conduct law enforcement investigations.

(2) LIMITS ON CERTIFICATIONS- The head of an agency may not execute a certification under paragraph (1) to--

(A) conceal violations of law, inefficiency, or administrative error;

(B) prevent embarrassment to a business entity, organization, or agency; or

(3) NOTICE- In every case in which a head of an agency issues a certification under paragraph (1), the certification, accompanied by a concise description of the factual basis for the certification, shall be immediately provided to the Congress.

(b) Risk Assessment Exemption- An agency or business entity will be exempt from the notice requirements under section 421, if--

(1) a risk assessment concludes that there is no significant risk that the security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach;

(2) without unreasonable delay, but not later than 45 days after the discovery of a security breach, unless extended by the United States Secret Service, the business entity notifies the United States Secret Service, in writing, of--

(A) the results of the risk assessment;

(B) its decision to invoke the risk assessment exemption; and

(3) the United States Secret Service does not indicate, in writing, within 10 days from receipt of the decision, that notice should be given.

(1) IN GENERAL- A business entity will be exempt from the notice requirement under section 421 if the business entity utilizes or participates in a security program that--

(A) is designed to block the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and

(B) provides for notice after a security breach that has resulted in fraud or unauthorized transactions.

(2) LIMITATION- The exemption by this subsection does not apply if the information subject to the security breach includes, in addition to an account number, sensitive personally identifiable information.

SEC. 423. METHODS OF NOTICE.

An agency, or business entity shall be in compliance with section 421 if it provides:

(1) INDIVIDUAL NOTICE-

(A) Written notification to the last known home mailing address of the individual in the records of the agency or business entity; or

(B) E-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001).

(2) MEDIA NOTICE- If more than 5,000 residents of a State or jurisdiction are impacted, notice to major media outlets serving that State or jurisdiction.

SEC. 424. CONTENT OF NOTIFICATION.

(a) In General- Regardless of the method by which notice is provided to individuals under section 423, such notice shall include, to the extent possible--

(1) a description of the categories of sensitive personally identifiable information that was, or is reasonably believed to have been, acquired by an unauthorized person;

(2) a toll-free number--

(A) that the individual may use to contact the agency or business entity, or the agent of the agency or business entity; and

(B) from which the individual may learn--

(i) what types of sensitive personally identifiable information the agency or business entity maintained about that individual or about individuals in general; and

(ii) whether or not the agency or business entity maintained sensitive personally identifiable information about that individual; and

(3) the toll-free contact telephone numbers and addresses for the major credit reporting agencies.

(b) Additional Content- Notwithstanding section 429, a State may require that a notice under subsection (a) shall also include information regarding victim protection assistance provided for by that State.

SEC. 425. COORDINATION OF NOTIFICATION WITH CREDIT REPORTING AGENCIES.

If an agency or business entity is required to provide notification to more than 1,000 individuals under section 421(a), the agency or business entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) of the timing and distribution of the notices.

SEC. 426. NOTICE TO LAW ENFORCEMENT.

(a) Secret Service- Any business entity or agency required to give notice under section 421 shall also give notice to the United States Secret Service if the security breach impacts--

(1) more than 10,000 individuals nationwide;

(2) a database, networked or integrated databases, or other data system associated with the sensitive personally identifiable information on more than 1,000,000 individuals nationwide;

(3) databases owned by the Federal Government; or

(4) primarily sensitive personally identifiable information of employees and contractors of the Federal Government involved in national security or law enforcement.

(b) Notice to Other Law Enforcement Agencies- The United States Secret Service shall be responsible for notifying--

(1)(A) the Federal Bureau of Investigation, if the security breach involves espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service under section 3056(a) of title 18, United States Code; and

(B) the United States Postal Inspection Service, if the security breach involves mail fraud; and

(2) the attorney general of each State affected by the security breach.

(c) 30-DAY RULE- The notices to Federal law enforcement and the attorney general of each State affected by a security breach required under this section shall be delivered without unreasonable delay, but not later than 30 days after discovery of the events requiring notice.

SEC. 427. CIVIL REMEDIES.

(a) Penalties- Any agency, or business entity engaged in interstate commerce, that violates this subtitle shall be subject to a fine of--

(1) not more than $1,000 per individual per day whose sensitive personally identity information was, or is reasonably believed to have been, acquired by an unauthorized person; or

(2) not more than $50,000 per day while the failure to give notice under this subtitle persists.

(b) Equitable Relief- Any agency or business entity that violates, proposes to violate, or has violated this subtitle may be enjoined from further violations by a court of competent jurisdiction.

(c) Other Rights and Remedies- The rights and remedies available under this subtitle are cumulative and shall not affect any other rights and remedies available under law.

(d) Fraud Alert- Section 605A(b)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting `, or evidence that the consumer has received notice that the consumer's financial information has or may have been compromised,' after `identity theft report'.

(e) Injunctive Actions by the Attorney General- Whenever it appears that a business entity or agency to which this subtitle applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this subtitle, the Attorney General may bring a civil action in an appropriate district court of the United States to--

(1) enjoin such act or practice;

(2) enforce compliance with this subtitle;

(3) obtain damages--

(A) in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and

(B) punitive damages, if the violation is willful or intentional; and

(4) obtain such other relief as the court determines to be appropriate.

SEC. 428. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

(a) In General-

(1) CIVIL ACTIONS- In any case in which the attorney general of a State, or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any agency or business entity in a practice that is prohibited under this subtitle, the State, as parens patriae on behalf of the residents of the State, or the State or local law enforcement agency on behalf of the residents of the agency's jurisdiction, may bring a civil action on behalf of the residents of the State or jurisdiction in a district court of the United States of appropriate jurisdiction or any other court of competent jurisdiction, including a State court, to--

(A) enjoin that practice;

(B) enforce compliance with this subtitle;

(D) obtain such other relief as the court may consider to be appropriate.

(2) NOTICE-

(A) IN GENERAL- Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General of the United States--

(i) written notice of the action; and

(ii) a copy of the complaint for the action.

(B) EXEMPTION-

(i) IN GENERAL- Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subtitle, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action.

(ii) NOTIFICATION- In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the State attorney general files the action.

(b) Federal Proceedings- Upon receiving notice under subsection (a)(2), the Attorney General shall have the right to--

(1) move to stay the action, pending the final disposition of a pending Federal proceeding or action;

(2) intervene in an action brought under subsection (a)(2); and

(3) file petitions for appeal.

(c) Pending Proceedings- If the Attorney General has instituted a proceeding or action for a violation of this subtitle or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subtitle against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.

(d) Construction- For purposes of bringing any civil action under subsection (a), nothing in this subtitle regarding notification shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to--

(1) conduct investigations;

(2) administer oaths or affirmations; or

(3) compel the attendance of witnesses or the production of documentary and other evidence.

(e) Venue; Service of Process-

(1) VENUE- Any action brought under subsection (a) may be brought in--

(A) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or

(B) another court of competent jurisdiction.

(2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--

(A) is an inhabitant; or

(B) may be found.

(f) No Private Cause of Action- Nothing in this subtitle establishes a private cause of action against a data broker for violation of any provision of this subtitle.

SEC. 429. EFFECT ON FEDERAL AND STATE LAW.

The provisions of this subtitle shall supersede any other provision of Federal law or any provision of law of any State relating to notification of a security breach, except as provided in section 424(b).

SEC. 430. AUTHORIZATION OF APPROPRIATIONS.

There are authorized to be appropriated such sums as may be necessary to cover the costs incurred by the United States Secret Service to carry out investigations and risk assessments of security breaches as required under this subtitle.

SEC. 431. REPORTING ON RISK ASSESSMENT EXEMPTION.

The United States Secret Service shall report to Congress not later than 18 months after the date of enactment of this Act, and upon the request by Congress thereafter, on the number and nature of the security breaches described in the notices filed by those business entities invoking the risk assessment exemption under section 422(b) and the response of the United States Secret Service to those notices.

SEC. 432. EFFECTIVE DATE.

This subtitle shall take effect on the expiration of the date which is 90 days after the date of enactment of this Act.

TITLE V--GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA

SEC. 501. GENERAL SERVICES ADMINISTRATION REVIEW OF CONTRACTS.

(a) In General- In considering contract awards totaling more than $500,000 and entered into after the date of enactment of this Act with data brokers, the Administrator of the General Services Administration shall evaluate--

(1) the data privacy and security program of a data broker to ensure the privacy and security of data containing personally identifiable information, including whether such program adequately addresses privacy and security threats created by malicious software or code, or the use of peer-to-peer file sharing software;

(2) the compliance of a data broker with such program;

(3) the extent to which the databases and systems containing personally identifiable information of a data broker have been compromised by security breaches; and

(4) the response by a data broker to such breaches, including the efforts by such data broker to mitigate the impact of such breaches.

(b) Compliance Safe Harbor- The data privacy and security program of a data broker shall be deemed sufficient for the purposes of subsection (a), if the data broker complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of personally identifiable information involved in the ordinary course of business of such data broker.

(c) Penalties- In awarding contracts with data brokers for products or services related to access, use, compilation, distribution, processing, analyzing, or evaluating personally identifiable information, the Administrator of the General Services Administration shall--

(1) include monetary or other penalties--

(A) for failure to comply with subtitles A and B of title IV of this Act; or

(B) if a contractor knows or has reason to know that the personally identifiable information being provided is inaccurate, and provides such inaccurate information; and

(2) require a data broker that engages service providers not subject to subtitle A of title IV for responsibilities related to sensitive personally identifiable information to--

(A) exercise appropriate due diligence in selecting those service providers for responsibilities related to personally identifiable information;

(B) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the personally identifiable information at issue; and

(C) require such service providers, by contract, to implement ad maintain appropriate measures designed to meet the objectives and requirements in title IV.

(d) Limitation- The penalties under subsection (c) shall not apply to a data broker providing information that is accurately and completely recorded from a public record source.

SEC. 502. REQUIREMENT TO AUDIT INFORMATION SECURITY PRACTICES OF CONTRACTORS AND THIRD PARTY BUSINESS ENTITIES.

Section 3544(b) of title 44, United States Code, is amended--

(1) in paragraph (7)(C)(iii), by striking `and' after the semicolon;

(2) in paragraph (8), by striking the period and inserting `; and'; and

(3) by adding at the end the following:

`(9) procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the information systems or operations of the agency involving personally identifiable information (as that term is defined in section 3 of the Personal Data Privacy and Security Act of 2005) and ensuring remedial action to address any significant deficiencies.'.

SEC. 503. PRIVACY IMPACT ASSESSMENT OF GOVERNMENT USE OF COMMERCIAL INFORMATION SERVICES CONTAINING PERSONALLY IDENTIFIABLE INFORMATION.

(a) In General- Section 208(b)(1) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended--

(1) in subparagraph (A)(i), by striking `or'; and

(2) in subparagraph (A)(ii), by striking the period and inserting `; or'; and

(3) by inserting after clause (ii) the following:

`(iii) purchasing or subscribing for a fee to personally identifiable information from a data broker (as such terms are defined in section 3 of the Personal Data Privacy and Security Act of 2005).'.

(b) Limitation- Notwithstanding any other provision of law, commencing 1 year after the date of enactment of this Act, no Federal department or agency may enter into a contract with a data broker to access for a fee any database consisting primarily of personally identifiable information concerning United States persons (other than news reporting or telephone directories) unless the head of such department or agency--

(1) completes a privacy impact assessment under section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note), which shall subject to the provision in that Act pertaining to sensitive information, include a description of--

(A) such database;

(B) the name of the data broker from whom it is obtained; and

(2) adopts regulations that specify--

(A) the personnel permitted to access, analyze, or otherwise use such databases;

(B) standards governing the access, analysis, or use of such databases;

(C) any standards used to ensure that the personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal department or agency;

(D) standards limiting the retention and redisclosure of personally identifiable information obtained from such databases;

(E) procedures ensuring that such data meet standards of accuracy, relevance, completeness, and timeliness;

(F) the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases;

(G) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases;

(H) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and

(I) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases; and

(3) incorporates into the contract or other agreement totaling more than $500,000, provisions--

(A) providing for penalties--

(i) for failure to comply with title IV of this Act; or

(ii) if the entity knows or has reason to know that the personally identifiable information being provided to the Federal department or agency is inaccurate, and provides such inaccurate information.

(B) requiring a data broker that engages service providers not subject to subtitle A of title IV for responsibilities related to sensitive personally identifiable information to--

(i) exercise appropriate due diligence in selecting those service providers for responsibilities related to personally identifiable information;

(ii) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the personally identifiable information at issue; and

(iii) require such service providers, by contract, to implement ad maintain appropriate measures designed to meet the objectives and requirements in title IV.

(c) Limitation on Penalties- The penalties under paragraph (3)(A) shall not apply to a data broker providing information that is accurately and completely recorded from a public record source.

(d) Individual Screening Programs-

(1) IN GENERAL- Notwithstanding any other provision of law, commencing one year after the date of enactment of this Act, no Federal department or agency may use commercial databases or contract with a data broker to implement an individual screening program unless such program is--

(A) congressionally authorized; and

(B) subject to regulations developed by notice and comment that--

(i) establish a procedure to enable individuals, who suffer an adverse consequence because the screening system determined that they might pose a security threat, to appeal such determination and correct information contained in the system;

(ii) ensure that Federal and commercial databases that will be used to establish the identity of individuals or otherwise make assessments of individuals under the system will not produce a large number of false positives or unjustified adverse consequences;

(iii) ensure the efficacy and accuracy of all of the search tools that will be used and ensure that the department or agency can make an accurate predictive assessment of those who may constitute a threat;

(iv) establish an internal oversight board to oversee and monitor the manner in which the system is being implemented;

(v) establish sufficient operational safeguards to reduce the opportunities for abuse;

(vi) implement substantial security measures to protect the system from unauthorized access;

(vii) adopt policies establishing the effective oversight of the use and operation of the system; and

(viii) ensure that there are no specific privacy concerns with the technological architecture of the system; and

(2) DEFINITION- As used in this subsection, the term `individual screening program'--

(A) means a system that relies on personally identifiable information from commercial databases to--

(i) evaluate all or most individuals seeking to exercise a particular right or privilege under Federal law; and

(ii) determine whether such individuals are on a terrorist watch list or otherwise pose a security threat; and

(B) does not include any program or system to grant security clearances.

(e) Study of Government Use-

(1) SCOPE OF STUDY- Not later than 180 days after the date of enactment of this Act, the Comptroller General of the United States shall conduct a study and audit and prepare a report on Federal agency use of data brokers or commercial databases containing personally identifiable information, including the impact on privacy and security, and the extent to which Federal contracts include sufficient provisions to ensure privacy and security protections, and penalties for failures in privacy and security practices.

(2) REPORT- A copy of the report required under paragraph (1) shall be submitted to Congress.

SEC. 504. IMPLEMENTATION OF CHIEF PRIVACY OFFICER REQUIREMENTS.

(a) Designation of the Chief Privacy Officer- Pursuant to the requirements under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (division H of Public Law 108-447; 118 Stat. 3199) that each agency designate a Chief Privacy Officer, the Department of Justice shall implement such requirements by designating a department-wide Chief Privacy Officer, whose primary role shall be to fulfill the duties and responsibilities of Chief Privacy Officer and who shall report directly to the Deputy Attorney General.

(b) Duties and Responsibilities of Chief Privacy Officer- In addition to the duties and responsibilities outlined under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (division H of Public Law 108-447; 118 Stat. 3199), the Department of Justice Chief Privacy Officer shall--

(1) oversee the Department of Justice's implementation of the requirements under section 603 to conduct privacy impact assessments of the use of commercial data containing personally identifiable information by the Department;

(2) promote the use of law enforcement technologies that sustain privacy protections, and assure that the implementation of such technologies relating to the use, collection, and disclosure of personally identifiable information preserve the privacy and security of such information; and

(3) coordinate with the Privacy and Civil Liberties Oversight Board, established in the Intelligence Reform and Terrorism Prevention Act of 2004 (Public Law 108-458), in implementing paragraphs (1) and (2) of this subsection.

END