108th CONGRESS
1st Session
H. R. 2617
To protect American consumers from identity theft and other forms
of fraud.
IN THE HOUSE OF REPRESENTATIVES
June 26, 2003
Mr. SHADEGG introduced the following bill; which was referred to the Committee
on Financial Services, and in addition to the Committees on Ways and Means,
and Energy and Commerce, for a period to be subsequently determined by the
Speaker, in each case for consideration of such provisions as fall within
the jurisdiction of the committee concerned.
A BILL
To protect American consumers from identity theft and other forms
of fraud.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Consumer Identity and Information Security Act
of 2003'.
SEC. 2. PROHIBITED ACTIONS WITH RESPECT TO SOCIAL SECURITY NUMBERS.
(a) DEFINITIONS- For purposes of this section, the following definitions shall
apply:
(1) DISPLAY- The term `display' means to intentionally communicate or otherwise
make available (on the Internet or in any other manner) to the general public
an individual's social security number.
(2) PERSON- The term `person' means any individual, partnership, corporation,
trust, estate, cooperative, association, or any other entity.
(3) STATE- The term `State' means any State of the United States, the District
of Columbia, Puerto Rico, the Northern Mariana Islands, the United States
Virgin Islands, Guam, American Samoa, and any territory or possession of
the United States.
(b) PROHIBITED ACTIONS WITH RESPECT TO AN INDIVIDUAL'S SOCIAL SECURITY NUMBER-
Subject to subsections (c) and (d), no person may engage in any of the following:
(1) Display in any manner an individual's social security number.
(2) Print or otherwise display an individual's social security number on
any card, or other means of access, required for the individual to access
products or services provided by the person to the individual.
(3) Require an individual to transmit the individual's social security number
over the Internet, unless the connection is secure or the social security
number is encrypted.
(4) Require an individual to use the individual's social security number
to access an Internet Web site, unless a password, unique personal identification
number, or other authentication device is also required to access the Internet
Web site.
(5) Print or otherwise display an individual's social security number on
any communications by the person to the individual, unless Federal or State
law, or any Federal agency or any contractor with the Federal Government
(under color of Federal law), requires the individual's social security
number to be included on such documents.
(c) EXCEPTION FOR CERTAIN COMMUNICATIONS- Subsection (b)(5) shall not apply
with respect to an individual's social security number included on documents
sent by mail--
(1) in connection with an application or enrollment process initiated by
the individual; or
(2) to establish, amend, or terminate an account held by the individual
with the person; or
(3) to verify the accuracy of the individual's social security number.
(d) EXCEPTION FOR PRIOR ON-GOING USE- Subsection (b) shall not apply to the
use by a person of an individual's social security number in a manner that
is inconsistent with such subsection if--
(1) the use by such person of the individual's social security number in
such manner began before the date of the enactment of this Act;
(2) the use by such person of the social security number in such manner
is continuous; and
(3) the person notifies the individual, in writing, before the end of the
30-day period beginning on the date of the enactment of this Act and annually
thereafter, that the individual has the right to require such person to
stop using the individual's social security number in a manner inconsistent
with subsection (b).
(e) INDIVIDUAL'S REQUEST TO STOP INCONSISTENT USE-
(1) IN GENERAL- If a person receives a written request from an individual
to stop using the individual's social security number in a manner that is
inconsistent with subsection (b), the person shall fully comply with such
request before the end of the 30-day period beginning on the date of the receipt
of the request.
(2) DENIAL OF PRODUCTS OR SERVICES PROHIBITED- A person may not deny any
product or service to an individual, or otherwise discriminate against such
individual in the provision of any such product or service, solely on the
basis that the individual submitted a request described in paragraph (1).
(f) COORDINATION WITH OTHER LAW-
(1) IN GENERAL- No provision of this section shall be construed as prohibiting
or limiting the display or use of an individual's social security number
by any person--
(A) to the extent required or authorized under any Federal or State law,
or by any Federal agency or any contractor with the Federal Government
(under color of Federal law);
(B) for internal verification or administrative purposes of the person;
(C) for a public health purpose, including the protection of the health
or safety of an individual in an emergency situation;
(D) for a national security purpose; or
(E) for a law enforcement purpose, including the investigation of fraud.
(A) IN GENERAL- The Secretary of Health and Human Services shall conduct
a study and prepare a report on all of the uses of social security numbers
permitted, required, authorized, or excepted under any Federal law and
State and local uses of social security numbers.
(B) REPORT- Not later than 1 year after the date of enactment of this
Act, the Secretary of Health and Human Services shall submit a report
to Congress on the study conducted under this paragraph.
(C) CONTENTS OF REPORT- The report shall include--
(i) a detailed description of the uses of an individual's social security
number that are allowed as of the date of enactment of this Act;
(ii) an evaluation of whether such uses should be continued or discontinued
by appropriate legislative action; and
(iii) such other recommendations for legislative or administrative action
as the Secretary determines to be appropriate.
(1) IN GENERAL- Any person who the Attorney General determines has violated
this section shall be subject, in addition to any other penalties that may
be prescribed by law--
(A) to a civil penalty of not less than $5,000 for each such violation;
and
(B) to a civil penalty of not less than $50,000, if the violations have
occurred with such frequency as to constitute a general business practice.
(2) DETERMINATION OF VIOLATIONS- Any knowing violation committed contemporaneously
with respect to the social security numbers of 2 or more individuals by
means of mail, telecommunication, or otherwise, shall be treated as a separate
violation with respect to each such individual.
(3) ENFORCEMENT PROCEDURES- The provisions of section 1128A of the Social
Security Act (42 U.S.C. 1320a-7a), other than subsections (a), (b), (f),
(h), (i), (j), (m), and (n) and the first sentence of subsection (c) of
such section, and the provisions of subsections (d) and (e) of section 205
of such Act (42 U.S.C. 405) shall apply to a civil penalty action under
this subsection in the same manner as such provisions apply to a penalty
or proceeding under section 1128A(a) of such Act (42 U.S.C. 1320a-7a(a)),
except that, for purposes of this paragraph, any reference in section 1128A
of such Act (42 U.S.C. 1320a-7a) to the Secretary shall be deemed to be
a reference to the Attorney General.
(h) EFFECTIVE DATE- This section shall apply after the end of the 180-day
period beginning on the date of the enactment of this Act.
SEC. 3. IMPROPER USE OF CREDIT CARD, DEBIT CARD, AND OTHER PAYMENT DEVICE
NUMBERS.
(a) IN GENERAL- Except as provided in subsection (b), no person that accepts,
in connection with the transaction of business, credit cards, debit cards,
or other means of access to a consumer's account for the purpose of initiating
electronic fund transfers shall print, on any receipt provided to the cardholder
or accountholder at the point of the business transaction--
(1) more than the last 5 digits of the account number of any such credit
card, debit card, or consumer account; or
(2) the expiration date of any such credit card, debit card, or other means
of access to a consumer's account.
(b) SCOPE OF APPLICATION- This section applies only to receipts that are electronically
printed, and shall not apply to transactions in which the sole means of recording
the credit card or debit card account number, or the account number of a consumer's
account, is by handwriting or by an imprint or copy of the credit card, debit
card, or other means of access.
(c) DEFINITIONS- For purposes of this section, the following definitions shall
apply:
(1) CONSUMER'S ACCOUNT- The term `consumer's account' means an account (as
defined in paragraph (2) of section 903 of the Electronic Fund Transfer
Act) of a consumer (as defined in paragraph (5) of such section).
(2) CREDIT CARD- The term `credit card' has the same meaning as in section
103(k) of the Truth in Lending Act.
(3) DEBIT CARD- The term `debit card' means any card issued by a financial
institution to a consumer for use in initiating electronic fund transfers
from the account of the consumer at such financial institution for the purpose
of transferring money between accounts or obtaining money, property, labor, or services.
(4) ELECTRONIC FUND TRANSFER- The term `electronic fund transfer' has the
same meaning as in section 903(6) of the Electronic Fund Transfer Act.
(d) EFFECTIVE DATE- This section shall take effect on January 1, 2005, with
respect to any cash register or other machine or device that electronically
prints receipts for credit card transactions.
(e) CIVIL LIABILITY- Any person who violates this section with regard to any
credit card, debit card, or other means of access to a consumer's account
shall be liable for any damages or expenses, including reasonable attorney's
fees, that the card holder or consumer incurs as a result of such violation,
including losses incurred from the unauthorized use of the account number
of any such credit card, debit card, or consumer's account as a result of
such violation.
SEC. 4. IDENTITY THEFT PREVENTION.
(a) DUTY OF ISSUERS OF CREDIT AND DEBIT CARDS-
(1) CREDIT CARDS- Section 132 of the Truth in Lending Act (15 U.S.C. 1642)
is amended--
(A) by inserting `(a) IN GENERAL- ' before `No credit'; and
(B) by adding at the end the following:
`(b) VERIFICATION OF CONSUMER IDENTITY UPON RECEIVING A REQUEST FOR AN ADDITIONAL
CARD AFTER A CHANGE OF ADDRESS- Each card issuer shall establish procedures
for verifying the identification of a consumer whenever the card issuer receives
a request from a consumer for an additional credit card with respect to an
existing credit account not later than 30 days after receiving notification
of a change of address for that account.'.
(2) DEBIT CARDS- Section 911 of the Electronic Fund Transfer Act (15 U.S.C.
1693i) is amended by adding at the end the following new subsection:
`(d) VERIFICATION OF CONSUMER IDENTITY UPON RECEIVING A REQUEST AFTER A CHANGE
OF ADDRESS- Each person who issues to a consumer any code, card, or other
means of access to such consumer's account shall establish procedures for
verifying the identification of the consumer whenever such person receives
a request from a consumer for an additional card, code, or other means of
access to the consumer's account not later than 30 days after receiving notification
of a change of address for that account.'.
(b) CENTRALIZED REPORTING SYSTEM- The Federal Trade Commission shall coordinate
the establishment of a centralized reporting system in which all consumer
reporting agencies (as defined in section 603 of the Fair Credit Reporting
Act) shall participate that will--
(1) allow any consumer or business to report, through the use of a nationwide
free telephone number and an Internet Web site address, any suspected violation
of section 1028 of title 18, United States Code; and
(2) allow such information to be immediately shared among all such consumer
reporting agencies.
SEC. 5. FRAUD ALERTS.
Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is amended
by adding at the end the following new subsection:
`(1) FRAUD ALERT DEFINED- For purposes of this subsection, the term `fraud
alert' means a statement in the file of a consumer that notifies all prospective
users of a consumer report made with respect to that consumer that--
`(A) the consumer's identity may have been used, without the consumer's
consent, to fraudulently obtain goods or services in the consumer's name;
and
`(B) the consumer does not authorize the issuance or extension of credit
in the name of the consumer unless the issuer of such credit utilizes
reasonable procedures established by the issuer to verify the consumer's
identity and obtain the consumer's authorization whenever the card issuer
receives a request for credit.
`(2) INCLUSION OF FRAUD ALERT IN CONSUMER FILE- Upon the request of a consumer,
or another third party who has the consumer's consent to request a fraud
alert on the consumer's behalf, and upon receiving proper identification,
a consumer reporting agency shall include a fraud alert in the file of that
consumer and shall maintain the fraud alert for not less than 1 year, unless
the consumer requests a shorter time period.
`(3) NOTICE SENT BY CONSUMER REPORTING AGENCIES TO USERS- A consumer reporting
agency shall notify each person procuring consumer credit information with
respect to a consumer of the existence of a fraud alert in the file of that
consumer, regardless of whether a full credit report, credit score, or summary
report is requested.
`(4) NOTICE TO NATIONWIDE CONSUMER REPORTING AGENCIES- Whenever a consumer
reporting agency that compiles and maintains files on consumers on a nationwide
basis receives a request from a consumer, directly or through another consumer
reporting agency, to include a fraud alert in the consumer's file, the consumer
reporting agency shall promptly notify every other consumer reporting agency
that compiles and maintains files on consumers on a nationwide basis that
such request has been received and each such other agency shall comply with
paragraph (2) in the same manner as if the agency had received the request
directly from the consumer.
`(5) TOLL-FREE TELEPHONE NUMBER- Each consumer reporting agency referred
to in paragraph (4) shall establish and maintain a toll-free telephone number
for consumers to request fraud alerts.
`(6) PROCEDURES TO RECEIVE FRAUD ALERTS- Any person who uses a consumer
credit report in connection with a credit transaction shall establish reasonable
procedures to receive fraud alerts transmitted by consumer reporting agencies.
`(A) CONSUMER REPORTING AGENCY- Any consumer reporting agency that fails
to notify any user of a consumer credit report of the existence of a fraud
alert in that report shall be in violation of this section.
`(B) USER OF A CONSUMER REPORT- Any user of a consumer report that fails
to comply with preauthorization procedures contained in a fraud alert
and issues or extends credit in the name of the consumer to a person other
than the consumer shall be in violation of this section.
`(8) EXEMPT INSTITUTIONS- The requirement under this subsection to place
a fraud alert in a consumer file shall not apply to--
`(A) check services company or a fraud prevention company, which issues
authorizations for the purpose of approving or processing negotiable instruments,
electronic funds transfers or similar methods of payments; or
`(B) deposit account information service company, which issues reports
regarding account closures due to fraud, substantial overdrafts, automated
teller machine abuse, or similar negative information regarding a consumer,
to inquiring banks or other financial institutions for use only in reviewing
a consumer request for a deposit account at the inquiring bank or financial
institution.
`(9) POLICY REVIEW AND REGULATION-
`(A) REVIEW- Any agency referred to in subsection (a) or (c) of section
621 shall, upon the request of any person under the jurisdiction of such
agency pursuant to this title--
`(i) review any policy or procedure established by such person to carry
out the purposes of this subsection to determine the effectiveness and
reasonableness of the policy or procedure for such purposes; and
`(ii) make such recommendations to such person for improvement in such
policy or procedure as the agency may determine to be appropriate.
`(B) REGULATION- Each agency referred to in subparagraph (A) shall establish
procedures for conducting reviews under such subparagraph.'.
SEC. 6. BUSINESS GUIDELINES.
(a) IN GENERAL- Not later than the end of the 1-year period beginning on the
date of the enactment of this Act, the Federal Trade Commission, after consultation
with the Federal functional regulators (as defined in section 509(2) of the
Gramm-Leach-Bliley Act), shall establish procedures to--
(1) log and acknowledge the receipt of complaints of any person who has
a reasonable belief that information maintained in a database of such person
relating to any other person has likely been stolen or compromised;
(2) provide informational materials and guidelines for a business to follow
when customer or other information in the business' database has likely
been stolen or compromised;
(3) provide guidelines for a business to follow in notifying customers of
the likelihood that information concerning such customers has been stolen
or compromised; and
(4) refer complaints described in paragraph (1) to--
(A) each consumer reporting agency that compiles and maintains files on
consumers on a nationwide basis (as defined in section 603 of the Fair
Credit Reporting Act), together with any recommendation for the implementation
for such fraud alert as the Commission may determine to be appropriate;
(B) appropriate law enforcement agencies.
(b) POLICY REVIEW AND REGULATION-
(1) REVIEW- The Federal Trade Commission and any Federal functional regulator
(as defined in section 509(2) of the Gramm-Leach-Bliley Act) shall, upon
the request of any person under the jurisdiction of such agency--
(A) review any policy or procedure established by such person to follow
in the event that information maintained in a database of such person
has likely been stolen or compromised to determine the effectiveness and
reasonableness of the policy or procedure for such purposes; and
(B) make such recommendations to such person for improvement in such policy
or procedure as the agency may determine to be appropriate.
(2) REGULATION- Each agency referred to in subparagraph (A) shall establish
procedures for conducting reviews under such subparagraph.'.
SEC. 7. SPECIFICATION OF CONSTITUTIONAL AUTHORITY FOR ENACTMENT OF LAW.
This Act is enacted pursuant to the power granted Congress under section 8
of article I of the United States Constitution.
END