
Statements On Introduced Bills And Joint Resolutions

By Mr. SPECTER (for himself, Mr. Leahy, Mrs. Feinstein, and Mr. Feingold):

S. 1789. A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information; to the Committee on the Judiciary.

Sen. Arlen Specter

Mr. President, I ask unanimous consent that the text of the bill be printed in the Record.

There being no objection the bill was ordered to be printed in the Record, as follows:

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

(a) Short Title.--This Act may be cited as the ``Personal Data Privacy and Security Act of 2005''.

(b) Table of Contents.--The table of contents for this Act is as follows:

TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING

Congress finds that--
  (1) databases of personally identifiable information are increasingly prime targets of hackers, identity thieves, rogue employees, and other criminals, including organized and sophisticated criminal operations;
  (2) identity theft is a serious threat to the nation's economic stability, homeland security, the development of e-commerce, and the privacy rights of Americans;
  (3) over 9,300,000 individuals were victims of identity theft in America last year;
  (4) security breaches are a serious threat to consumer confidence, homeland security, e-commerce, and economic stability;
  (5) it is important for business entities that own, use, or license personally identifiable information to adopt reasonable procedures to ensure the security, privacy, and confidentiality of that personally identifiable information;
  (6) individuals whose personal information has been compromised or who have been victims of identity theft should receive the necessary information and assistance to mitigate their damages and to restore the integrity of their personal information and identities;
  (7) data brokers have assumed a significant role in providing identification, authentication, and screening services, and related data collection and analyses for commercial, nonprofit, and government operations;
  (8) data misuse and use of inaccurate data have the potential to cause serious or irreparable harm to an individual's livelihood, privacy, and liberty and undermine efficient and effective business and government operations;
  (9) there is a need to insure that data brokers conduct their operations in a manner that prioritizes fairness, transparency, accuracy, and respect for the privacy of consumers;
  (10) government access to commercial data can potentially improve safety, law enforcement, and national security; and
  (11) because government use of commercial data containing personal information potentially affects individual privacy, and law enforcement and national security operations, there is a need for Congress to exercise oversight over government use of commercial data.

In this Act:
  (1) Agency.--The term ``agency'' has the same meaning given such term in section 551 of title 5, United States Code.
  (2) Affiliate.--The term ``affiliate'' means persons related by common ownership or by corporate control.
  (3) Business entity.--The term ``business entity'' means any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, venture established to make a profit, or nonprofit, and any contractor, subcontractor, affiliate, or licensee thereof engaged in interstate commerce.
  (4) Identity theft.--The term ``identity theft'' means a violation of section 1028 of title 18, United States Code, or any other similar provision of applicable State law.
  (5) Data broker.--The term ``data broker'' means a business entity which for monetary fees, dues, or on a cooperative nonprofit basis, currently or regularly engages, in whole or in part, in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information primarily for the purposes of providing such information to nonaffiliated third parties on a nationwide basis on more than 5,000 individuals who are not the customers or employees of the business entity or affiliate.
  (6) Data furnisher.--The term ``data furnisher'' means any agency, governmental entity, organization, corporation, trust, partnership, sole proprietorship, unincorporated association, venture established to make a profit, or nonprofit, and any contractor, subcontractor, affiliate, or licensee thereof, that serves as a source of information for a data broker.
  (7) Personal electronic record.--The term ``personal electronic record'' means data associated with an individual contained in a database, networked or integrated databases, or other data system that holds sensitive personally identifiable information of that individual and is provided to non-affiliated third parties.
  (8) Personally identifiable information.--The term ``personally identifiable information'' means any information, or compilation of information, in electronic or digital form serving as a means of identification, as defined by section 1028(d)(7) of title 18, United States Code.
  (9) Public record source.--The term ``public record source'' means any agency, Federal court, or State court that maintains personally identifiable information in records available to the public.
  (10) Security breach.--
    (A) In general.--The term ``security breach'' means compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to sensitive personally identifiable information.
    (B) Exclusion.--The term ``security breach'' does not include--
      (i) a good faith acquisition of sensitive personally identifiable information by a business entity or agency, or an employee or agent of a business entity or agency, if the sensitive personally identifiable information is not subject to further unauthorized disclosure; or
      (ii) the release of a public record not otherwise subject to confidentiality or nondisclosure requirements.
  (11) Sensitive personally identifiable information.--The term ``sensitive personally identifiable information'' means any information or compilation of information, in electronic or digital form that includes:
    (A) An individual's name in combination with any 1 of the following data elements:
      (i) A non-truncated social security number, driver's license number, passport number, or alien registration number.
      (ii) Any 2 of the following:

Section 1030(a)(2) of title 18, United States Code, is amended-- (1) in subparagraph (B), by striking ``or'' after the semicolon; (2) in subparagraph (C), by inserting ``or'' after the semicolon; and (3) by adding at the end the following: ``(D) information contained in the databases or systems of a data broker, or in other personal electronic records, as such terms are defined in section 3 of the Personal Data Privacy and Security Act of 2005;''.

Section 1961(1) of title 18, United States Code, is amended by inserting ``section 1030(a)(2)(D)(relating to fraud and related activity in connection with unauthorized access to personally identifiable information,'' before ``section 1084''.

(a) In General.--Chapter 47 of title 18, United States Code, is amended by adding at the end the following: ``Sec. 1039. Concealment of security breaches involving sensitive personally identifiable information

(a) In General.--Chapter 47 of title 18, United States Code, is amended by adding after section 1030 the following:

(a) Review and Amendment.--Not later than 180 days after the date of enactment of this Act, the United States Sentencing Commission, pursuant to its authority under section 994 of title 28, United States Code, and in accordance with this section, shall review and, if appropriate, amend the Federal sentencing guidelines (including its policy statements) applicable to persons convicted of using fraud to access, or misuse of, digitized or electronic personally identifiable information, including identity theft or any offense under--
  (1) sections 1028, 1028A, 1030, 1030A, 2511, and 2701 of title 18, United States Code; or
  (2) any other relevant provision.
(b) Requirements.--In carrying out the requirements of this section, the United States Sentencing Commission shall--
  (1) ensure that the Federal sentencing guidelines (including its policy statements) reflect--
    (A) the serious nature of the offenses and penalties referred to in this Act;
    (B) the growing incidences of theft and misuse of digitized or electronic personally identifiable information, including identity theft; and
    (C) the need to deter, prevent, and punish such offenses;
  (2) consider the extent to which the Federal sentencing guidelines (including its policy statements) adequately address violations of the sections amended by this Act to--
    (A) sufficiently deter and punish such offenses; and
    (B) adequately reflect the enhanced penalties established under this Act;
  (3) maintain reasonable consistency with other relevant directives and sentencing guidelines;
  (4) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;
  (5) consider whether to provide a sentencing enhancement for those convicted of the offenses described in subsection (a), if the conduct involves--
    (A) the online sale of fraudulently obtained or stolen personally identifiable information;
    (B) the sale of fraudulently obtained or stolen personally identifiable information to an individual who is engaged in terrorist activity or aiding other individuals engaged in terrorist activity; or
    (C) the sale of fraudulently obtained or stolen personally identifiable information to finance terrorist activity or other criminal activities;
  (6) make any necessary conforming changes to the Federal sentencing guidelines to ensure that such guidelines (including its policy statements) as described in subsection (a) are sufficiently stringent to deter, and adequately reflect crimes related to fraudulent access to, or misuse of, personally identifiable information; and
  (7) ensure that the Federal sentencing guidelines adequately meet the purposes of sentencing under section 3553(a)(2) of title 18, United States Code.
(c) Emergency Authority to Sentencing Commission.--The United States Sentencing Commission may, as soon as practicable, promulgate amendments under this section in accordance with procedures established in section 21(a) of the Sentencing Act of 1987 (28 U.S.C. 994 note) as though the authority under that Act had not expired.

TITLE II--ASSISTANCE FOR STATE AND LOCAL LAW ENFORCEMENT COMBATING

(a) In General.--Subject to the availability of amounts provided in advance in appropriations Acts, the Assistant Attorney General for the Office of Justice Programs of the Department of Justice may award a grant to a State to establish and develop programs to increase and enhance enforcement against crimes related to fraudulent, unauthorized, or other criminal use of personally identifiable information.
(b) Application.--A State seeking a grant under subsection (a) shall submit an application to the Assistant Attorney General for the Office of Justice Programs of the Department of Justice at such time, in such manner, and containing such information as the Assistant Attorney General may require.
(c) Use of Grant Amounts.--A grant awarded to a State under subsection (a) shall be used by a State, in conjunction with units of local government within that State, State and local courts, other States, or combinations thereof, to establish and develop programs to--
  (1) assist State and local law enforcement agencies in enforcing State and local criminal laws relating to crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information;
  (2) assist State and local law enforcement agencies in educating the public to prevent and identify crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information;
  (3) educate and train State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information;
  (4) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information; and
  (5) facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information with State and local law enforcement officers and prosecutors, including the use of multi-jurisdictional task forces.
(d) Assurances and Eligibility.--To be eligible to receive a grant under subsection (a), a State shall provide assurances to the Attorney General that the State--
  (1) has in effect laws that penalize crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information, such as penal laws prohibiting--
    (A) fraudulent schemes executed to obtain personally identifiable information;
    (B) schemes executed to sell or use fraudulently obtained personally identifiable information; and
    (C) online sales of personally identifiable information obtained fraudulently or by other illegal means;
  (2) will provide an assessment of the resource needs of the State and units of local government within that State, including criminal justice resources being devoted to the investigation and enforcement of laws related to crimes involving the fraudulent, unauthorized, or other criminal use of personally identifiable information; and
  (3) will develop a plan for coordinating the programs funded under this section with other federally funded technical assistance and training programs, including directly funded local programs such as the Local Law Enforcement Block Grant program (described under the heading ``Violent Crime Reduction Programs, State and Local Law Enforcement Assistance'' of the Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 1998 (Public Law 105-119)).
(e) Matching Funds.--The Federal share of a grant received under this section may not exceed 90 percent of the total cost of a program or proposal funded under this section unless the Attorney General waives, wholly or in part, the requirements of this subsection.

(a) In General.--There is authorized to be appropriated to carry out this title $25,000,000 for each of fiscal years 2006 through 2009.
(b) Limitations.--Of the amount made available to carry out this title in any fiscal year not more than 3 percent may be used by the Attorney General for salaries and administrative expenses.
(c) Minimum Amount.--Unless all eligible applications submitted by a State or units of local government within a State for a grant under this title have been funded, the State, together with grantees within the State (other than Indian tribes), shall be allocated in each fiscal year under this title not less than 0.75 percent of the total amount appropriated in the fiscal year for grants pursuant to this title, except that the United States Virgin Islands, American Samoa, Guam, and the Northern Mariana Islands each shall be allocated 0.25 percent.
(d) Grants to Indian Tribes.--Notwithstanding any other provision of this title, the Attorney General may use amounts made available under this title to make grants to Indian tribes for use in accordance with this title.

(a) In General.--Data brokers engaging in interstate commerce are subject to the requirements of this title for any product or service offered to third parties that allows access, use, compilation, distribution, processing, analyzing, or evaluation of sensitive personally identifiable information.
(b) Limitation.--Notwithstanding any other paragraph of this title, this section shall not apply to--
  (1) brokers engaging in interstate commerce for any offered product or service currently subject to, and in compliance with, access and accuracy protections similar to those under subsections (c) through (f) of this section under the Fair Credit Reporting Act (Public Law 91-508), or the Gramm-Leach-Bliley Act (Public Law 106-102);
  (2) data brokers engaging in interstate commerce for any offered product or service currently in compliance with the requirements for such entities under the Health Insurance Portability and Accountability Act (Public Law 104-191), and implementing regulations;
  (3) information in a personal electronic record held by a data broker if--
    (A) the data broker maintains such information solely pursuant to a license agreement with another business entity; and
    (B) the business entity providing such information to the data broker pursuant to a license agreement either complies with the provisions of this section or qualifies for this exemption; and
  (4) information in a personal record that--
    (A) the data broker has identified as inaccurate, but maintains for the purpose of aiding the data broker in preventing inaccurate information from entering an individual's personal electronic record; and
    (B) is not maintained primarily for the purpose of transmitting or otherwise providing that information, or assessments based on that information, to non-affiliated third parties.
(c) Disclosures to Individuals.--
  (1) In general.--A data broker shall, upon the request of an individual, clearly and accurately disclose to such individual for a reasonable fee all personal electronic records pertaining to that individual maintained for disclosure to third parties in the ordinary course of business in the databases or systems of the data broker at the time of the request.
  (2) Information on how to correct inaccuracies.--The disclosures required under paragraph (1) shall also include guidance to individuals on the processes and procedures for demonstrating and correcting any inaccuracies.
(d) Creation of an Accuracy Resolution Process.--A data broker shall develop and publish on its website timely and fair processes and procedures for responding to claims of inaccuracies, including procedures for correcting inaccurate information in the personal electronic records it maintains on individuals.
(e) Accuracy Resolution Process.--
  (1) Information from a public record source.--
    (A) In general.--If an individual notifies a data broker of a dispute as to the completeness or accuracy of information, and the data broker determines that such information is derived from a public record source, the data broker shall determine within 30 days whether the information in its system accurately and completely records the information offered by the public record source.
    (B) Data broker actions.--If a data broker determines under subparagraph (A) that the information in its systems--
      (i) does not accurately and completely record the information offered by a public record source, the data broker shall correct any inaccuracies or incompleteness, and provide to such individual written notice of such changes; and
      (ii) does accurately and completely record the information offered by a public record source, the data broker shall--

(a) Civil Penalties.--
  (1) Penalties.--Any data broker that violates the provisions of section 301 shall be subject to civil penalties of not more than $1,000 per violation per day, with a maximum of $15,000 per day, while such violations persist.
  (2) Intentional or willful violation.--A data broker that intentionally or willfully violates the provisions of section 301 shall be subject to additional penalties in the amount of $1,000 per violation per day, with a maximum of an additional $15,000 per day, while such violations persist.
  (3) Equitable relief.--A data broker engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction.
  (4) Other rights and remedies.--The rights and remedies available under this subsection are cumulative and shall not affect any other rights and remedies available under law.
(b) Injunctive Actions by the Attorney General.--
  (1) In general.--Whenever it appears that a data broker to which this title applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this title, the Attorney General may bring a civil action in an appropriate district court of the United States to--
    (A) enjoin such act or practice;
    (B) enforce compliance with this title;
    (C) obtain damages--
      (i) in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and
      (ii) punitive damages, if the violation is willful or intentional; and
    (D) obtain such other relief as the court determines to be appropriate.
  (2) Other injunctive relief.--Upon a proper showing in the action under paragraph (1), the court shall grant a permanent injunction or a temporary restraining order without bond.
(c) State Enforcement.--
  (1) Civil actions.--In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates this title, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to--
    (A) enjoin that act or practice;
    (B) enforce compliance with this title;
    (C) obtain--
      (i) damages in the sum of actual damages, restitution, or other compensation on behalf of affected residents of the State; and
      (ii) punitive damages, if the violation is willful or intentional; or
    (D) obtain such other legal and equitable relief as the court may consider to be appropriate.
  (2) Notice.--
    (A) In general.--Before filing an action under this subsection, the attorney general of the State involved shall provide to the Attorney General--
      (i) a written notice of that action; and
      (ii) a copy of the complaint for that action.
    (B) Exception.--Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action.
    (C) Notification when practicable.--In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Attorney General as soon after the filing of the complaint as practicable.
  (3) Attorney general authority.--Upon receiving notice under paragraph (2), the Attorney General shall have the right to--
    (A) move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4);
    (B) intervene in an action brought under paragraph (1); and
    (C) file petitions for appeal.
  (4) Pending proceedings.--If the Attorney General has instituted a proceeding or action for a violation of this title or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action.
  (5) Rule of construction.--For purposes of bringing any civil action under paragraph (1), nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to--
    (A) conduct investigations;
    (B) administer oaths and affirmations; or
    (C) compel the attendance of witnesses or the production of documentary and other evidence.
  (6) Venue; service of process.--
    (A) Venue.--Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1931 of title 28, United States Code.
    (B) Service of process.--In an action brought under this subsection process may be served in any district in which the defendant--
      (i) is an inhabitant; or
      (ii) may be found.
(d) No Private Cause of Action.--Nothing in this title establishes a private cause of action against a data broker for violation of any provision of this title.

No requirement or prohibition may be imposed under the laws of any State with respect to any subject matter regulated under section 301, relating to individual access to, and correction of, personal electronic records held by data brokers.

This title shall take effect 180 days after the date of enactment of this Act and shall be implemented pursuant to a State by State rollout schedule set by the Federal Trade Commission, but in no case shall full implementation and effect of this title occur later than 1 year and 180 days after the date of enactment of this Act.

(a) Purpose.--The purpose of this subtitle is to ensure standards for developing and implementing administrative, technical, and physical safeguards to protect the privacy, security, confidentiality, integrity, storage, and disposal of sensitive personally identifiable information.
(b) In General.--A business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons is subject to the requirements for a data privacy and security program under section 402 for protecting sensitive personally identifiable information.
(c) Limitations.--Notwithstanding any other obligation under this subtitle, this subtitle does not apply to--
  (1) financial institutions--
    (A) subject to the data security requirements and implementing regulations under the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); and
    (B) subject to--
      (i) examinations for compliance with the requirements of this Act by 1 or more Federal or State functional regulators (as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)); or
      (ii) compliance with part 314 of title 16, Code of Federal Regulations; or
  (2) ``covered entities'' subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1301 et seq.), including the data security requirements and implementing regulations of that Act.
(d) Safe Harbor.--A business entity shall be deemed in compliance with the privacy and security program requirements under section 402 if the business entity complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of sensitive personally identifiable information involved in the ordinary course of business of such business entity.

(a) Personal Data Privacy and Security Program.--Unless otherwise limited under section 401(c), a business entity subject to this subtitle shall comply with the following safeguards and any others identified by the Federal Trade Commission in a rulemaking process pursuant to section 553 of title 5, United States Code, to protect the privacy and security of sensitive personally identifiable information:
  (1) Scope.--A business entity shall implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities.
  (2) Design.--The personal data privacy and security program shall be designed to--
    (A) ensure the privacy, security, and confidentiality of personal electronic records;
    (B) protect against any anticipated vulnerabilities to the privacy, security, or integrity of personal electronic records; and
    (C) protect against unauthorized access to or use of personal electronic records that could result in substantial harm or inconvenience to any individual.
  (3) Risk assessment.--A business entity shall--
    (A) identify reasonably foreseeable internal and external vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information or systems containing sensitive personally identifiable information;
    (B) assess the likelihood of and potential damage from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information; and
    (C) assess the sufficiency of its policies, technologies, and safeguards in place to control and minimize risks from unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information.
  (4) Risk management and control.--Each business entity shall--
    (A) design its personal data privacy and security program to control the risks identified under paragraph (3); and
    (B) adopt measures commensurate with the sensitivity of the data as well as the size, complexity, and scope of the activities of the business entity that--
      (i) control access to systems and facilities containing sensitive personally identifiable information, including controls to authenticate and permit access only to authorized individuals;
      (ii) detect actual and attempted fraudulent, unlawful, or unauthorized access, disclosure, use, or alteration of sensitive personally identifiable information, including by employees and other individuals otherwise authorized to have access; and
      (iii) protect sensitive personally identifiable information during use, transmission, storage, and disposal by encryption or other reasonable means (including as directed for disposal of records under section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w) and the implementing regulations of such Act as set forth in section 682 of title 16, Code of Federal Regulations).
(b) Training.--Each business entity subject to this subtitle shall take steps to ensure employee training and supervision for implementation of the data security program of the business entity.
(c) Vulnerability Testing.--
  (1) In general.--Each business entity subject to this subtitle shall take steps to ensure regular testing of key controls, systems, and procedures of the personal data privacy and security program to detect, prevent, and respond to attacks or intrusions, or other system failures.
  (2) Frequency.--The frequency and nature of the tests required under paragraph (1) shall be determined by the risk assessment of the business entity under subsection (a)(3).
(d) Relationship to Service Providers.--In the event a business entity subject to this subtitle engages service providers not subject to this subtitle, such business entity shall--
  (1) exercise appropriate due diligence in selecting those service providers for responsibilities related to sensitive personally identifiable information, and take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the sensitive personally identifiable information at issue; and
  (2) require those service providers by contract to implement and maintain appropriate measures designed to meet the objectives and requirements governing entities subject to this section, section 401, and subtitle B.
(e) Periodic Assessment and Personal Data Privacy and Security Modernization.--Each business entity subject to this subtitle shall on a regular basis monitor, evaluate, and adjust, as appropriate, its data privacy and security program in light of any relevant changes in--
  (1) technology;
  (2) the sensitivity of personally identifiable information;
  (3) internal or external threats to personally identifiable information; and
  (4) the changing business arrangements of the business entity, such as--
    (A) mergers and acquisitions;
    (B) alliances and joint ventures;
    (C) outsourcing arrangements;
    (D) bankruptcy; and
    (E) changes to sensitive personally identifiable information systems.
(f) Implementation Time Line.--Not later than 1 year after the date of enactment of this Act, a business entity subject to the provisions of this subtitle shall implement a data privacy and security program pursuant to this subtitle.

(a) Civil Penalties.-- (1) In general.--Any business entity that violates the provisions of sections 401 or 402 shall be subject to civil penalties of not more than $5,000 per violation per day, with a maximum of $35,000 per day, while such violations persist. (2) Intentional or willful violation.--A business entity that intentionally or willfully violates the provisions of sections 401 or 402 shall be subject to additional penalties in the amount of $5,000 per violation per day, with a maximum of an additional $35,000 per day, while such violations persist. (3) Equitable relief.--A business entity engaged in interstate commerce that violates this section may be enjoined from further violations by a court of competent jurisdiction. (4) Other rights and remedies.--The rights and remedies available under this section are cumulative and shall not affect any other rights and remedies available under law. (b) Injunctive Actions by the Attorney General.-- (1) In general.--Whenever it appears that a business entity or agency to which this subtitle applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this subtitle, the Attorney General may bring a civil action in an appropriate district court of the United States to-- (A) enjoin such act or practice; (B) enforce compliance with this subtitle; and (C) obtain damages-- (i) in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and (ii) punitive damages, if the violation is willful or intentional; and (D) obtain such other relief as the court determines to be appropriate. (2) Other injunctive relief.--Upon a proper showing in the action under paragraph (1), the court shall grant a permanent injunction or a temporary restraining order without bond.
(c) State Enforcement.-- (1) Civil actions.--In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates this subtitle, the State may bring a civil action on behalf of the residents of that State in a district court of the United States of appropriate jurisdiction, or any other court of competent jurisdiction, to-- (A) enjoin that act or practice; (B) enforce compliance with this subtitle; (C) obtain-- (i) damages in the sum of actual damages, restitution, or other compensation on behalf of affected residents of the State; and (ii) punitive damages, if the violation is willful or intentional; or (D) obtain such other legal and equitable relief as the court may consider to be appropriate. (2) Notice.-- (A) In general.--Before filing an action under this subsection, the attorney general of the State involved shall provide to the Attorney General-- (i) a written notice of that action; and (ii) a copy of the complaint for that action. (B) Exception.--Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general of a State determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action. (C) Notification when practicable.--In an action described under subparagraph (B), the attorney general of a State shall provide the written notice and the copy of the complaint to the Attorney General as soon after the filing of the complaint as practicable. (3) Attorney general authority.--Upon receiving notice under paragraph (2), the Attorney General shall have the right to-- (A) move to stay the action, pending the final disposition of a pending Federal proceeding or action as described in paragraph (4); (B) intervene in an action brought under paragraph (1); and (C) file petitions for appeal. 
(4) Pending proceedings.--If the Attorney General has instituted a proceeding or action for a violation of this title or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action. (5) Rule of construction.--For purposes of bringing any civil action under paragraph (1) nothing in this title shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to-- (A) conduct investigations; (B) administer oaths and affirmations; or (C) compel the attendance of witnesses or the production of documentary and other evidence. (6) Venue; service of process.-- (A) Venue.--Any action brought under this subsection may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1931 of title 28, United States Code. (B) Service of process.--In an action brought under this subsection process may be served in any district in which the defendant-- (i) is an inhabitant; or (ii) may be found. (d) No Private Cause of Action.--Nothing in this title establishes a private cause of action against a business entity for violation of any provision of this subtitle.

(a) In General.--No State may-- (1) require an entity described in section 401(c) to comply with this subtitle or any regulation promulgated thereunder; and (2) require an entity in compliance with the safe harbor established under section 401(d), to comply with any other provision of this subtitle. (b) Effect of Subtitle A.--Except as provided in subsection (a), this subtitle does not annul, alter, affect, or exempt any person subject to the provisions of this subtitle from complying with the laws of any State with respect to security programs for sensitive personally identifiable information, except to the extent that those laws are inconsistent with any provisions of this subtitle, and then only to the extent of such inconsistency.

(a) In General.--Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information shall, following the discovery of a security breach maintained by the agency or business entity that contains such information, notify any resident of the United States whose sensitive personally identifiable information was subject to the security breach. (b) Obligation of Owner or Licensee.-- (1) Notice to owner or licensee.--Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information that the agency or business entity does not own or license shall notify the owner or licensee of the information following the discovery of a security breach containing such information. (2) Notice by owner, licensee or other designated third party.--Nothing in this subtitle shall prevent or abrogate an agreement between an agency or business entity required to give notice under this section and a designated third party, including an owner or licensee of the sensitive personally identifiable information subject to the security breach, to provide the notifications required under subsection (a). (3) Business entity relieved from giving notice.--A business entity obligated to give notice under subsection (a) shall be relieved of such obligation if an owner or licensee of the sensitive personally identifiable information subject to the security breach, or other designated third party, provides such notification. (c) Timeliness of Notification.-- (1) In general.--All notifications required under this section shall be made without unreasonable delay following-- (A) the discovery by the agency or business entity of a security breach; and (B) any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.
(2) Burden of proof.--The agency, business entity, owner, or licensee required to provide notification under this section shall have the burden of demonstrating that all notifications were made as required under this subtitle, including evidence demonstrating the necessity of any delay. (d) Delay of Notification Authorized for Law Enforcement Purposes.-- (1) In general.--If a law enforcement agency determines that the notification required under this section would impede a criminal investigation, such notification may be delayed upon the written request of the law enforcement agency. (2) Extended delay of notification.--If the notification required under subsection (a) is delayed pursuant to paragraph (1), an agency or business entity shall give notice 30 days after the day such law enforcement delay was invoked unless a law enforcement agency provides written notification that further delay is necessary.

(a) Exemption for National Security and Law Enforcement.-- (1) In general.--Section 421 shall not apply to an agency if the head of the agency certifies, in writing, that notification of the security breach as required by section 421 reasonably could be expected to-- (A) cause damage to the national security; or (B) hinder a law enforcement investigation or the ability of the agency to conduct law enforcement investigations. (2) Limits on certifications.--The head of an agency may not execute a certification under paragraph (1) to-- (A) conceal violations of law, inefficiency, or administrative error; (B) prevent embarrassment to a business entity, organization, or agency; or (C) restrain competition. (3) Notice.--In every case in which a head of an agency issues a certification under paragraph (1), the certification, accompanied by a concise description of the factual basis for the certification, shall be immediately provided to the Congress. (b) Risk Assessment Exemption.--An agency or business entity will be exempt from the notice requirements under section 421, if-- (1) a risk assessment concludes that there is no significant risk that the security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach; (2) without unreasonable delay, but not later than 45 days after the discovery of a security breach, unless extended by the United States Secret Service, the business entity notifies the United States Secret Service, in writing, of-- (A) the results of the risk assessment; (B) its decision to invoke the risk assessment exemption; and (3) the United States Secret Service does not indicate, in writing, within 10 days from receipt of the decision, that notice should be given. 
(c) Financial Fraud Prevention Exemption.-- (1) In general.--A business entity will be exempt from the notice requirement under section 421 if the business entity utilizes or participates in a security program that-- (A) is designed to block the use of the sensitive personally identifiable information to initiate unauthorized financial transactions before they are charged to the account of the individual; and (B) provides for notice after a security breach that has resulted in fraud or unauthorized transactions. (2) Limitation.--The exemption by this subsection does not apply if the information subject to the security breach includes, in addition to an account number, sensitive personally identifiable information.

An agency, or business entity shall be in compliance with section 421 if it provides: (1) Individual notice.-- (A) Written notification to the last known home mailing address of the individual in the records of the agency or business entity; or (B) E-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001). (2) Media notice.--If more than 5,000 residents of a State or jurisdiction are impacted, notice to major media outlets serving that State or jurisdiction.

(a) In General.--Regardless of the method by which notice is provided to individuals under section 423, such notice shall include, to the extent possible-- (1) a description of the categories of sensitive personally identifiable information that was, or is reasonably believed to have been, acquired by an unauthorized person; (2) a toll-free number-- (A) that the individual may use to contact the agency or business entity, or the agent of the agency or business entity; and (B) from which the individual may learn-- (i) what types of sensitive personally identifiable information the agency or business entity maintained about that individual or about individuals in general; and (ii) whether or not the agency or business entity maintained sensitive personally identifiable information about that individual; and (3) the toll-free contact telephone numbers and addresses for the major credit reporting agencies. (b) Additional Content.--Notwithstanding section 429, a State may require that a notice under subsection (a) shall also include information regarding victim protection assistance provided for by that State.

If an agency or business entity is required to provide notification to more than 1,000 individuals under section 421(a), the agency or business entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) of the timing and distribution of the notices.

(a) Secret Service.--Any business entity or agency required to give notice under section 421 shall also give notice to the United States Secret Service if the security breach impacts-- (1) more than 10,000 individuals nationwide; (2) a database, networked or integrated databases, or other data system associated with the sensitive personally identifiable information on more than 1,000,000 individuals nationwide; (3) databases owned by the Federal Government; or (4) primarily sensitive personally identifiable information of employees and contractors of the Federal Government involved in national security or law enforcement. (b) Notice to Other Law Enforcement Agencies.--The United States Secret Service shall be responsible for notifying-- (1)(A) the Federal Bureau of Investigation, if the security breach involves espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service under section 3056(a) of title 18, United States Code; and (B) the United States Postal Inspection Service, if the security breach involves mail fraud; and (2) the attorney general of each State affected by the security breach. (c) 30-Day Rule.--The notices to Federal law enforcement and the attorney general of each State affected by a security breach required under this section shall be delivered without unreasonable delay, but not later than 30 days after discovery of the events requiring notice.
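The notice provisions above (individual notice under section 421, the law-enforcement delay in 421(d), the risk assessment exemption in 422(b), media notice under section 423, the consumer-reporting-agency notice, and the Secret Service triggers and 30-day rule) amount to a decision procedure an incident-response team has to walk through after every breach. The following Python is an added illustration written for this page, not part of the bill or of any agency's tooling; it encodes the thresholds and deadlines exactly as the text states them in a hypothetical `Breach` record and two functions, and the sample breach it runs on is constructed. It does not decide whether a breach "occurred" or whether a risk assessment found no significant risk; those are inputs.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and periods as stated in the bill text above (model for illustration only).
MEDIA_NOTICE_RESIDENTS_PER_STATE = 5_000      # media notice if more than this many residents of a State
CRA_NOTICE_INDIVIDUALS = 1_000                 # nationwide consumer reporting agencies above this many individuals
SECRET_SERVICE_INDIVIDUALS = 10_000            # Secret Service notice above this many individuals nationwide
SECRET_SERVICE_SYSTEM_POPULATION = 1_000_000   # ...or if the affected data system holds SPII on more than this
LAW_ENFORCEMENT_DELAY_DAYS = 30                # individual notice due this long after a law-enforcement delay
LAW_ENFORCEMENT_NOTICE_DAYS = 30               # Secret Service / State AG notices due within this of discovery
RISK_ASSESSMENT_FILING_DAYS = 45               # written risk assessment must reach the Secret Service by then
SECRET_SERVICE_OBJECTION_DAYS = 10             # Secret Service may object in writing within this of receipt


@dataclass
class Breach:
    """Facts an incident-response team records about a breach (hypothetical schema)."""
    discovered: date
    individuals: int                                  # U.S. residents whose SPII was subject to the breach
    residents_by_state: Dict[str, int] = field(default_factory=dict)
    system_population: int = 0                        # individuals whose SPII the affected data system holds
    federal_database: bool = False                    # database owned by the Federal Government
    federal_security_personnel: bool = False          # primarily Federal national-security / law-enforcement staff
    le_delay_requested_on: Optional[date] = None      # date of a written law-enforcement delay request, if any


def notification_obligations(b: Breach) -> dict:
    """Map breach facts to the notices the subtitle requires and their outer deadlines."""
    obligations: dict = {}

    # Individual notice (421(a)): without unreasonable delay after discovery and scoping, unless
    # law enforcement requests a delay in writing (421(d)); then notice is due 30 days after the
    # delay was invoked unless law enforcement extends the delay in writing.
    if b.le_delay_requested_on is None:
        obligations["individual_notice"] = {"status": "due", "deadline": None}
    else:
        obligations["individual_notice"] = {
            "status": "delayed",
            "deadline": b.le_delay_requested_on + timedelta(days=LAW_ENFORCEMENT_DELAY_DAYS),
        }

    # Media notice (423(2)): for each State or jurisdiction with more than 5,000 affected residents.
    media_states: List[str] = sorted(
        s for s, n in b.residents_by_state.items() if n > MEDIA_NOTICE_RESIDENTS_PER_STATE
    )
    if media_states:
        obligations["media_notice"] = media_states

    # Nationwide consumer reporting agencies: when more than 1,000 individuals must be notified.
    if b.individuals > CRA_NOTICE_INDIVIDUALS:
        obligations["consumer_reporting_agencies"] = True

    # Secret Service: any single trigger suffices; due not later than 30 days after discovery.
    reasons: List[str] = []
    if b.individuals > SECRET_SERVICE_INDIVIDUALS:
        reasons.append("more than 10,000 individuals nationwide")
    if b.system_population > SECRET_SERVICE_SYSTEM_POPULATION:
        reasons.append("data system holding SPII on more than 1,000,000 individuals")
    if b.federal_database:
        reasons.append("database owned by the Federal Government")
    if b.federal_security_personnel:
        reasons.append("primarily Federal national-security or law-enforcement personnel")
    if reasons:
        obligations["secret_service"] = {
            "reasons": reasons,
            "deadline": b.discovered + timedelta(days=LAW_ENFORCEMENT_NOTICE_DAYS),
        }
    return obligations


def risk_assessment_exemption(discovered: date, no_significant_risk: bool,
                              filed_on: Optional[date], objection_on: Optional[date] = None) -> dict:
    """422(b): exempt from individual notice only if the assessment found no significant risk, the
    written results reached the Secret Service within 45 days of discovery (the Service may extend
    this; not modelled), and the Service did not object in writing within 10 days of receipt."""
    filing_deadline = discovered + timedelta(days=RISK_ASSESSMENT_FILING_DAYS)
    if not no_significant_risk:
        return {"exempt": False, "filing_deadline": filing_deadline, "reason": "significant risk found"}
    if filed_on is None or filed_on > filing_deadline:
        return {"exempt": False, "filing_deadline": filing_deadline, "reason": "not filed in time"}
    objection_window_ends = filed_on + timedelta(days=SECRET_SERVICE_OBJECTION_DAYS)
    if objection_on is not None and objection_on <= objection_window_ends:
        return {"exempt": False, "filing_deadline": filing_deadline, "reason": "Secret Service objected"}
    return {"exempt": True, "filing_deadline": filing_deadline,
            "objection_window_ends": objection_window_ends}


if __name__ == "__main__":
    # Constructed sample breach, not a real incident.
    sample = Breach(discovered=date(2005, 11, 1), individuals=12_000,
                    residents_by_state={"VT": 6_000, "PA": 6_000}, system_population=50_000)
    for name, detail in notification_obligations(sample).items():
        print(name, detail)
```

Two design points worth noting: every trigger is evaluated independently and returned together, because the bill's notices stack rather than replace each other (a large breach owes individual, media, consumer-reporting-agency and Secret Service notice all at once); and the law-enforcement delay only moves the individual-notice deadline, since the text ties the 30-day delay rule to section 421(a) and leaves the law-enforcement notices on their own 30-day clock from discovery.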

(a) Penalties.--Any agency, or business entity engaged in interstate commerce, that violates this subtitle shall be subject to a fine of-- (1) not more than $1,000 per individual per day whose sensitive personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person; or (2) not more than $50,000 per day while the failure to give notice under this subtitle persists. (b) Equitable Relief.--Any agency or business entity that violates, proposes to violate, or has violated this subtitle may be enjoined from further violations by a court of competent jurisdiction. (c) Other Rights and Remedies.--The rights and remedies available under this subtitle are cumulative and shall not affect any other rights and remedies available under law. (d) Fraud Alert.--Section 605A(b)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681c-1(b)(1)) is amended by inserting ``, or evidence that the consumer has received notice that the consumer's financial information has or may have been compromised,'' after ``identity theft report''. (e) Injunctive Actions by the Attorney General.--Whenever it appears that a business entity or agency to which this subtitle applies has engaged, is engaged, or is about to engage, in any act or practice constituting a violation of this subtitle, the Attorney General may bring a civil action in an appropriate district court of the United States to-- (1) enjoin such act or practice; (2) enforce compliance with this subtitle; (3) obtain damages-- (A) in the sum of actual damages, restitution, and other compensation on behalf of the affected residents of a State; and (B) punitive damages, if the violation is willful or intentional; and (4) obtain such other relief as the court determines to be appropriate.

(a) In General.-- (1) Civil actions.--In any case in which the attorney general of a State, or any State or local law enforcement agency authorized by the State attorney general or by State statute to prosecute violations of consumer protection law, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any agency or business entity in a practice that is prohibited under this subtitle, the State, as parens patriae on behalf of the residents of the State, or the State or local law enforcement agency on behalf of the residents of the agency's jurisdiction, may bring a civil action on behalf of the residents of the State or jurisdiction in a district court of the United States of appropriate jurisdiction or any other court of competent jurisdiction, including a State court, to-- (A) enjoin that practice; (B) enforce compliance with this subtitle; (C) obtain damages, restitution, or other compensation on behalf of residents of the State; or (D) obtain such other relief as the court may consider to be appropriate. (2) Notice.-- (A) In general.--Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Attorney General of the United States-- (i) written notice of the action; and (ii) a copy of the complaint for the action. (B) Exemption.-- (i) In general.--Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subtitle, if the State attorney general determines that it is not feasible to provide the notice described in such subparagraph before the filing of the action. (ii) Notification.--In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Attorney General at the time the State attorney general files the action. 
(b) Federal Proceedings.--Upon receiving notice under subsection (a)(2), the Attorney General shall have the right to-- (1) move to stay the action, pending the final disposition of a pending Federal proceeding or action; (2) intervene in an action brought under subsection (a)(2); and (3) file petitions for appeal. (c) Pending Proceedings.--If the Attorney General has instituted a proceeding or action for a violation of this subtitle or any regulations thereunder, no attorney general of a State may, during the pendency of such proceeding or action, bring an action under this subtitle against any defendant named in such criminal proceeding or civil action for any violation that is alleged in that proceeding or action. (d) Construction.--For purposes of bringing any civil action under subsection (a), nothing in this subtitle regarding notification shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to-- (1) conduct investigations; (2) administer oaths or affirmations; or (3) compel the attendance of witnesses or the production of documentary and other evidence. (e) Venue; Service of Process.-- (1) Venue.--Any action brought under subsection (a) may be brought in-- (A) the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or (B) another court of competent jurisdiction. (2) Service of process.--In an action brought under subsection (a), process may be served in any district in which the defendant-- (A) is an inhabitant; or (B) may be found. (f) No Private Cause of Action.--Nothing in this subtitle establishes a private cause of action against a data broker for violation of any provision of this subtitle.

The provisions of this subtitle shall supersede any other provision of Federal law or any provision of law of any State relating to notification of a security breach, except as provided in section 424(b).

There are authorized to be appropriated such sums as may be necessary to cover the costs incurred by the United States Secret Service to carry out investigations and risk assessments of security breaches as required under this subtitle.

The United States Secret Service shall report to Congress not later than 18 months after the date of enactment of this Act, and upon the request by Congress thereafter, on the number and nature of the security breaches described in the notices filed by those business entities invoking the risk assessment exemption under section 422(b) and the response of the United States Secret Service to those notices.

This subtitle shall take effect on the expiration of the date which is 90 days after the date of enactment of this Act.

(a) In General.--In considering contract awards totaling more than $500,000 and entered into after the date of enactment of this Act with data brokers, the Administrator of the General Services Administration shall evaluate-- (1) the data privacy and security program of a data broker to ensure the privacy and security of data containing personally identifiable information, including whether such program adequately addresses privacy and security threats created by malicious software or code, or the use of peer-to-peer file sharing software; (2) the compliance of a data broker with such program; (3) the extent to which the databases and systems containing personally identifiable information of a data broker have been compromised by security breaches; and (4) the response by a data broker to such breaches, including the efforts by such data broker to mitigate the impact of such breaches. (b) Compliance Safe Harbor.--The data privacy and security program of a data broker shall be deemed sufficient for the purposes of subsection (a), if the data broker complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of personally identifiable information involved in the ordinary course of business of such data broker.
(c) Penalties.--In awarding contracts with data brokers for products or services related to access, use, compilation, distribution, processing, analyzing, or evaluating personally identifiable information, the Administrator of the General Services Administration shall-- (1) include monetary or other penalties-- (A) for failure to comply with subtitles A and B of title IV of this Act; or (B) if a contractor knows or has reason to know that the personally identifiable information being provided is inaccurate, and provides such inaccurate information; and (2) require a data broker that engages service providers not subject to subtitle A of title IV for responsibilities related to sensitive personally identifiable information to-- (A) exercise appropriate due diligence in selecting those service providers for responsibilities related to personally identifiable information; (B) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the personally identifiable information at issue; and (C) require such service providers, by contract, to implement and maintain appropriate measures designed to meet the objectives and requirements in title IV. (d) Limitation.--The penalties under subsection (c) shall not apply to a data broker providing information that is accurately and completely recorded from a public record source.

Section 3544(b) of title 44, United States Code, is amended-- (1) in paragraph (7)(C)(iii), by striking ``and'' after the semicolon; (2) in paragraph (8), by striking the period and inserting ``; and''; and (3) by adding at the end the following: ``(9) procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the information systems or operations of the agency involving personally identifiable information (as that term is defined in section 3 of the Personal Data Privacy and Security Act of 2005) and ensuring remedial action to address any significant deficiencies.''.

(a) In General.--Section 208(b)(1) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended-- (1) in subparagraph (A)(i), by striking ``or''; and (2) in subparagraph (A)(ii), by striking the period and inserting ``; or''; and (3) by inserting after clause (ii) the following: ``(iii) purchasing or subscribing for a fee to personally identifiable information from a data broker (as such terms are defined in section 3 of the Personal Data Privacy and Security Act of 2005).''. (b) Limitation.--Notwithstanding any other provision of law, commencing 1 year after the date of enactment of this Act, no Federal department or agency may enter into a contract with a data broker to access for a fee any database consisting primarily of personally identifiable information concerning United States persons (other than news reporting or telephone directories) unless the head of such department or agency-- (1) completes a privacy impact assessment under section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note), which shall, subject to the provision in that Act pertaining to sensitive information, include a description of-- (A) such database; (B) the name of the data broker from whom it is obtained; and (C) the amount of the contract for use; (2) adopts regulations that specify-- (A) the personnel permitted to access, analyze, or otherwise use such databases; (B) standards governing the access, analysis, or use of such databases; (C) any standards used to ensure that the personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal department or agency; (D) standards limiting the retention and redisclosure of personally identifiable information obtained from such databases; (E) procedures ensuring that such data meet standards of accuracy, relevance, completeness, and timeliness; (F) the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases; (G) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases; (H) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and (I) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases; and (3) incorporates into the contract or other agreement totaling more than $500,000, provisions-- (A) providing for penalties-- (i) for failure to comply with title IV of this Act; or (ii) if the entity knows or has reason to know that the personally identifiable information being provided to the Federal department or agency is inaccurate, and provides such inaccurate information.
(B) requiring a data broker that engages service providers not subject to subtitle A of title IV for responsibilities related to sensitive personally identifiable information to-- (i) exercise appropriate due diligence in selecting those service providers for responsibilities related to personally identifiable information; (ii) take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the security, privacy, and integrity of the personally identifiable information at issue; and (iii) require such service providers, by contract, to implement and maintain appropriate measures designed to meet the objectives and requirements in title IV. (c) Limitation on Penalties.--The penalties under paragraph (3)(A) shall not apply to a data broker providing information that is accurately and completely recorded from a public record source. (d) Individual Screening Programs.-- (1) In general.--Notwithstanding any other provision of law, commencing one year after the date of enactment of this Act, no Federal department or agency may use commercial databases or contract with a data broker to implement an individual screening program unless such program is-- (A) congressionally authorized; and (B) subject to regulations developed by notice and comment that-- (i) establish a procedure to enable individuals, who suffer an adverse consequence because the screening system determined that they might pose a security threat, to appeal such determination and correct information contained in the system; (ii) ensure that Federal and commercial databases that will be used to establish the identity of individuals or otherwise make assessments of individuals under the system will not produce a large number of false positives or unjustified adverse consequences; (iii) ensure the efficacy and accuracy of all of the search tools that will be used and ensure that the department or agency can make an accurate predictive assessment of those who may constitute a threat; (iv) establish an internal oversight board to oversee and monitor the manner in which the system is being implemented; (v) establish sufficient operational safeguards to reduce the opportunities for abuse; (vi) implement substantial security measures to protect the system from unauthorized access; (vii) adopt policies establishing the effective oversight of the use and operation of the system; and (viii) ensure that there are no specific privacy concerns with the technological architecture of the system; and (C) coordinated with the Terrorist Screening Center or any such successor organization. (2) Definition.--As used in this subsection, the term ``individual screening program''-- (A) means a system that relies on personally identifiable information from commercial databases to-- (i) evaluate all or most individuals seeking to exercise a particular right or privilege under Federal law; and (ii) determine whether such individuals are on a terrorist watch list or otherwise pose a security threat; and (B) does not include any program or system to grant security clearances. (e) Study of Government Use.-- (1) Scope of study.--Not later than 180 days after the date of enactment of this Act, the Comptroller General of the United States shall conduct a study and audit and prepare a report on Federal agency use of data brokers or commercial databases containing personally identifiable information, including the impact on privacy and security, and the extent to which Federal contracts include sufficient provisions to ensure privacy and security protections, and penalties for failures in privacy and security practices. (2) Report.--A copy of the report required under paragraph (1) shall be submitted to Congress.

(a) Designation of the Chief Privacy Officer.--Pursuant to the requirements under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (Division H of Public Law 108-447; 118 Stat. 3199) that each agency designate a Chief Privacy Officer, the Department of Justice shall implement such requirements by designating a department-wide Chief Privacy Officer, whose primary role shall be to fulfill the duties and responsibilities of Chief Privacy Officer and who shall report directly to the Deputy Attorney General. (b) Duties and Responsibilities of Chief Privacy Officer.-- In addition to the duties and responsibilities outlined under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (Division H of Public Law 108-447; 118 Stat. 3199), the Department of Justice Chief Privacy Officer shall-- (1) oversee the Department of Justice's implementation of the requirements under section 603 to conduct privacy impact assessments of the use of commercial data containing personally identifiable information by the Department; (2) promote the use of law enforcement technologies that sustain privacy protections, and assure that the implementation of such technologies relating to the use, collection, and disclosure of personally identifiable information preserve the privacy and security of such information; and (3) coordinate with the Privacy and Civil Liberties Oversight Board, established in the Intelligence Reform and Terrorism Prevention Act of 2004 (Public Law 108-458), in implementing paragraphs (1) and (2) of this subsection.

Sen. Patrick J. Leahy


Mr. President, today we reintroduce the Specter-Leahy Personal Data Privacy and Security Act of 2005.

Earlier this year, Senator Specter and I introduced a comprehensive bill to bring urgently needed reforms to protect Americans' privacy and to secure their personal data. Chairman Specter has shown great leadership on this issue, and I appreciate his dedication to solving these challenging problems through his willingness to work together to enhance this legislation as we have deemed appropriate. Since initial introduction of our bill, we have worked with Senator Feinstein and other members of the Judiciary Committee to address areas of concern and to perfect the bill. We have also worked closely with a wide variety of stakeholders and experts in these issues, which has also improved the bill.

I especially thank Senator Feinstein for her dedication and resolve to address these difficult data security and privacy concerns. I commend her input and leadership, and I am pleased that she is joining as an original cosponsor of this revised bill. I also thank Senator Feingold for his commitment to ensuring that the government also acts responsibly in its use of our personal information and appreciate his support as an original cosponsor. This is a good bill--carefully calibrated to help remedy the problems we set out to address--and I look forward to continuing our efforts to pass effective legislation.

We have teamed together and applied our collective wisdom to sort through these issues with care and precision. We took the time needed to develop well-balanced, focused legislation that provides strong protections where necessary, and that offers strong penalties and consequences as disincentives for those who fail to protect Americans' most personal information.

Reforms like these are long overdue. As we look toward the end of the year, these necessary reforms should be included in our domestic priorities so that we can achieve some positive changes in areas that affect the everyday lives of Americans.

First, our bill requires data brokers to let people know what sensitive personal information they have about them, and to allow people to correct inaccurate information. These principles have precedent from the credit report context, and we have adapted them in a way that makes sense for the data brokering industry. This is a simple matter of fairness.

Second, we would require companies that have databases with sensitive personal information on Americans to establish and implement data privacy and security programs. In the digital age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the databases they use and maintain which contain Americans' private data. They also have a responsibility in the next link in the security chain, to make sure that contractors hired to process data are adequately vetted to keep the personal information in these databases secure. This is increasingly important as Americans' personal information more and more is outsourced for processing overseas and beyond U.S. laws.

Third, our bill requires notice when sensitive personal information has been compromised. The American people have a right to know when they are at risk because of corporate failures to protect their data, or when a criminal has infiltrated data systems. The notice rules in our bill were carefully crafted to ensure that the trigger for notice is tied to ``significant risk of harm'' with appropriate checks and balances, in order to make sure that companies do not underreport. We also recognize important fraud prevention techniques that already exist. But our priority has been to make sure that victims have critical information as a roadmap that offers the assistance necessary to protect themselves, their families and their financial well-being.

Finally, our bill addresses the government's use of personal data. We are living in a world in which our government increasingly is turning to the private sector to get personal data the government could not legally collect on its own without oversight and appropriate protections. This bill would place privacy and security front and center in evaluating whether data brokers can be trusted with government contracts that involve sensitive information about the American people. It would require contract reviews that include these considerations, audits to ensure good practice, and contract penalties for failure to protect data privacy and security.

This legislation meets other key goals. It provides tough monetary and criminal penalties for compromising personal data or failing to provide necessary protections. This creates an incentive for companies to protect personal information, especially when there is no commercial relationship between individuals and companies using their data. We also would authorize an additional $100 million over four years to help state law enforcement agencies fight misuse of personal information.

This is a solid bill--a comprehensive bill--that not only deals with the need to provide Americans notice when they have already been hurt, but that also deals with the underlying problem of lax security and lack of accountability in dealing with the public's most personal and private information.

By Mr. BINGAMAN (for himself, Mr. Specter, Mr. Nelson of Nebraska, Mr. Harkin and Mr. Rockefeller):

S. 1793. A bill to extend certain apportionments to primary airports; to the Committee on Commerce, Science, and Transportation.

Sen. Jeff Bingaman


Mr. President, I rise today with my colleague Senator Specter to introduce legislation that is important to a number of rural communities located in over half of the States. Our legislation will ensure that over 50 mostly rural airports will not see an 85 percent reduction in their annual grant from the Federal Aviation Administration's Airport Improvement Program.

I think all Senators are well aware of the wide-ranging impact the tragic events of September 11, 2001, have had throughout our economy. One of the hardest hit industries has been commercial aviation, which is continuing to feel the effects in terms of higher costs and loss of passengers. Nowhere has the decline in commercial aviation been felt more than in small and rural communities.

All across America, small communities already face growing hurdles to promoting their economic growth and development. Today, many rural areas lack access to interstate or even four-lane highways, railroads or broadband telecommunications. Business development in rural areas frequently depends on the quality of their airports and the availability of scheduled air service. For small communities, airports often provide the critical link to the national and international transportation system.

Ensuring small communities have the resources they need to preserve this vital airport infrastructure in rural areas is the purpose of our bill.

Under current formulae for distributing Federal funds, every airport that has more than 10,000 annual passenger boardings is guaranteed an entitlement grant from the FAA's AIP of at least $1 million per year. These are called ``primary'' airports. Airports with less than 10,000 annual boardings receive $150,000. Unfortunately, there are a handful of primary airports that have had their annual boardings drop below 10,000 as a result of the effects of 9/11. One of these airports is the Roswell International Air Center in my State of New Mexico.

For the past two years, Congress has permitted these so-called ``virtual primary'' airports to retain their full $1 million entitlement, even though their annual boardings had dropped below the 10,000 threshold as a direct result of 9/11. This two-year waiver was included in section 146 of the Vision 100 aviation reauthorization act (P.L. 108-176).

Unfortunately, based on preliminary boarding data for 2004, there are still about 50 primary airports that have not yet regained their previous boarding levels. As a result, these airports will face a cut in their annual entitlement in FY2006 from $1 million to $150,000.

I ask unanimous consent that a list of these likely virtual primary airports for fiscal year 2006 be printed in the Record.

Alaska--Fort Yukon, Gustavus, Haines, Iliamna, Kodiak, Metlakatla, Skagway, Merrill Field* and Manokotak*. California--Imperial, Santa Rosa, Visalia. Connecticut--Groton-New London. Florida--Naples. Georgia--Athens. Iowa--Burlington, Fort Dodge. Illinois--Belleville, Quincy. Indiana--Lafayette. Kansas--Garden City, Salina. Kentucky--Owensboro. Maine--Rockland*. Massachusetts--Worcester. Michigan--Alpena, Escanaba. Minnesota--Grand Rapids, Hibbing. Montana--Sidney-Richland*. North Carolina--Hickory, Pinehurst/Southern Pines. Nebraska--Grand Island, Kearney, Scottsbluff. New Hampshire--Lebanon. New Mexico--Roswell. Ohio--Youngstown/Warren. Oregon--Pendleton. Pennsylvania--Altoona, Bradford, Brookville, Lancaster, and Reading*. Rhode Island--Block Island, Westerly. Tennessee--Jackson. Utah--Cedar City. Virginia--Weyers Cave. Washington--Anacortes, Moses Lake, and Port Angeles*. West Virginia--Clarksburg*. Wyoming--Laramie. *These primary airports were above 10,000 boardings in CY2003 but could lose their $1 million AIP entitlement based on the preliminary CY2004 enplanements. List compiled from preliminary FAA data.

The good news is a number of airports that were virtual primary airports in fiscal year 2005 have seen their annual boardings increase back above 10,000 per year. However, for this handful of airports that were still below 10,000 boardings in 2004, I believe it is appropriate that they have another year to regain their status as primary airports and not suffer the loss of 85 percent of their fiscal year 2006 annual entitlement grant for airport improvement projects.

Thus, our bill provides a simple one-year extension of the existing law to preserve the airports' current level of Federal funding and give these mostly rural communities a little breathing room while the airline industry recovers from the effects of 9/11.

I ask unanimous consent that a letter and resolution from the City of Roswell and the text of the bill be printed in the Record.

There being no objection, the material was ordered to be printed in the Record, as follows: