tom smith
Posted: July 11, 2006 12:25 am
Titleholder, Group: Members, Posts: 167, Member No.: 1481, Joined: June 17, 2006
Mr. Bartlet for himself introduced the following bill; which was referred to the Committee on Financial Services
A BILL
To provide for the uniform and timely notification of consumers whose sensitive financial personal information has been placed at risk by a breach of data security, to enhance data security safeguards, to provide appropriate consumer mitigation services, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.
This Act may be cited as the `Consumer Notification and Financial Data Protection Act of 2005'.

SEC. 2. DATA SECURITY SAFEGUARDS.
Each financial institution shall have an affirmative and continuing obligation to maintain reasonable policies and procedures to protect the security and confidentiality of sensitive financial personal information of any consumer that is maintained or received by or on behalf of such financial institution against any unauthorized use that is reasonably likely to result in harm or substantial inconvenience to such consumer.

SEC. 3. INVESTIGATION AND NOTICE TO REGULATORS AND LAW ENFORCEMENT IN CASE OF BREACH OF DATA SECURITY.
(a) Duty to Investigate-
(1) IN GENERAL- Whenever any financial institution determines or becomes aware of information that would reasonably indicate that a breach of data security may have occurred or is reasonably likely to occur, or receives notice under subsection (c), the financial institution shall immediately conduct a reasonable investigation to--
(A) assess the nature and scope of the breach;
(B) identify the sensitive financial personal information involved; and
(C) determine if the breach is reasonably likely to result in harm or substantial inconvenience to any consumer to whom the information relates.
(2) FACTORS TO BE CONSIDERED- In determining, under paragraph (1), the likelihood that harm or substantial inconvenience may be caused to consumers, the financial institution shall consider all available relevant facts, including whether the information that was subject to the breach was unencrypted, or unredacted, or required technology to use that is not generally commercially available.
(b) Investigation Notices- If a financial institution determines after commencing an investigation under subsection (a) that a potential breach of data security may result in harm or substantial inconvenience to any consumer whose sensitive financial personal information was involved in such potential breach, the financial institution shall--
(1) promptly notify the appropriate law enforcement agencies of the breach;
(2) promptly notify the institution's functional regulator;
(3) take reasonable measures to ensure and restore the security and confidentiality of the sensitive financial personal information involved in the breach;
(4) take reasonable measures to prevent further unauthorized access to or disclosure of any sensitive financial personal information and to restore the integrity of the data system; and
(5) notify as appropriate and without unreasonable delay all critical third parties--
(A) whose involvement is necessary to investigate the breach of data security; or
(B) who will be required to undertake further action with respect to such information to protect such consumers from fraud or identity theft.
(c) Duty of Financial Contractors- Whenever any financial institution that maintains or receives sensitive personal financial information for or on behalf of another party determines, or has reason to believe, that a breach of data security has occurred with respect to such information, the financial institution shall--
(1) promptly notify the other party of the breach;
(2) conduct a joint investigation with the other party to determine the likelihood that such information will be misused against the consumers to whom the information relates in a manner that would cause harm or substantial inconvenience to such consumer; and
(3) unless the financial institution and third party determine, after conducting a reasonable investigation, that it is not reasonably likely that such information will be misused to commit financial fraud against any consumer to whom any of such sensitive financial personal information relates in a manner that would cause harm or substantial inconvenience to such consumer, provide joint notice under section 4 to such consumers.

SEC. 4. NOTICE TO CONSUMERS OF DATA SECURITY BREACH.
(a) Notice Required- If, after completing a reasonable investigation pursuant to section 3, a financial institution or a financial contractor pursuant to section 3(c) becomes aware that a breach of data security is reasonably likely to have occurred, with respect to sensitive financial personal information maintained or received by or on behalf of the institution, that creates a risk of harm or substantial inconvenience to consumers to whom the information relates, the financial institution shall, without unreasonable delay--
(1) provide written notice, in accordance with this section, to each consumer whose sensitive financial personal information was involved in the breach of data security; and
(2) if the financial institution determines that it is likely to be providing notice under paragraph (1) to 1,000 or more consumers for any breach of data security, provide written notice to--
(A) each consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act; and
(B) any other consumer reporting agency that the financial institution identifies, or expects to identify, in the notice provided to the consumer under paragraph (1).
(b) Content of Notice- The notice provided to any consumer under subsection (a)(1) shall include the following information in a clear and conspicuous manner:
(1) A description of the nature and type of information that was, or is reasonably believed to have been, subject to the breach of data security.
(2) If known, the date, or a reasonable approximation of the period of time, on or within which sensitive financial personal information of the consumer was, or is reasonably believed to have been, acquired by an unauthorized person.
(3) A description of the actions taken by the financial institution to restore the security and confidentiality of the data.
(4) A toll-free telephone number where a consumer whose information was the subject of the breach of data security may obtain additional information about the breach of data security.
(5) A summary of rights of consumer victims of fraud or identity theft, such as that prepared by the Federal Trade Commission under section 609(d) of the Fair Credit Reporting Act, including any additional appropriate information on how the consumer may--
(A) obtain a copy of a consumer report free of charge in accordance with section 612 of the Fair Credit Reporting Act;
(B) place a fraud alert in any file relating to the consumer at a consumer reporting agency under section 605A of such Act to discourage unauthorized use; and
(C) contact the Federal Trade Commission for more detailed information.
(c) Notice of Identity Theft- If a financial institution is required to provide a notice under subsection (a)(1) with respect to a breach of data security involving sensitive financial personal information relating to a consumer (other than financial account information described in section 9(5)(A)(v)), the notice required in this section with respect to such consumer shall include information on how the consumer may obtain mitigation services free of charge in accordance with section 5.
(d) Delay of Notice for Law Enforcement Purposes- If a financial institution receives a written request, or an oral request indicating that a written request will be provided, from an appropriate law enforcement agency indicating that providing a particular notice to any consumer under this section would impede a criminal or civil investigation by that law enforcement agency, the financial institution shall delay, or in the case of a foreign law enforcement agency may delay, providing such notice until the law enforcement agency informs the financial institution that such notice will no longer impede the investigation or the law enforcement agency fails to confirm that a continued delay is necessary to avoid impeding such investigation.
(e) Electronic Transmission of Notice- The written notice required under this section to any consumer may be made by an electronic transmission only if--
(1) the consumer has provided prior consent to receive any such notice by electronic transmission; and
(2) the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act.

SEC. 5. MITIGATION PROCEDURES.
(a) Free File Monitoring- Any financial institution that is required to provide notice to a consumer under section 4(a)(1) with respect to a breach of data security described in section 4(c) shall, if requested by the consumer before the end of the 90-day period beginning on the date of such notice, make available to the consumer, free of charge and for a 12-month period, a service that monitors nationwide credit activity regarding the consumer from a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act.
(b) Joint Rulemaking for Safe Harbor- The Federal Trade Commission, in consultation with the regulatory agencies described in section 8, shall develop regulations, which shall be prescribed by all functional regulatory agencies, that, in any case in which--
(1) free file monitoring is offered under subsection (a) to a consumer;
(2) subsequent to the offer, another party misuses sensitive financial identity information on the consumer obtained through the breach of data security (that gave rise to such offer) to commit identity theft against the consumer; and
(3) at the time of such breach the financial institution maintained reasonable policies and procedures to comply with subsection (a),
exempts the financial institution from any liability under State common law for any loss or harm to the consumer occurring after the end of a reasonable period beginning on the date of such offer, other than any direct pecuniary loss provided under such law, resulting from such misuse.

SEC. 6. PROPER DISPOSAL OF PERSONAL INFORMATION.
(a) In General- Before the end of the 6-month period beginning on the date of the enactment of this Act, the Federal Trade Commission shall prescribe regulations in final form requiring any financial institution which maintains or otherwise possesses sensitive financial personal information, or any compilation of such information, for a business purpose to properly dispose of any such information or compilation so that such information or compilation cannot practicably be read or reconstructed.
(b) Rule of Construction- No provision of this section shall be construed--
(1) as requiring, or authorizing the Federal Trade Commission to require, any person to maintain or destroy any sensitive financial personal information that is not required to be maintained or destroyed under any other provision of Federal or State law; or
(2) as altering or affecting any requirement imposed under any other provision of Federal or State law to maintain or destroy sensitive financial personal information.

SEC. 7. RELATION TO STATE LAW.
The provisions of this Act shall supersede any law, rule, or regulation of any State or political subdivision of any State that relates in any way to--
(1) information security standards of financial institutions; or
(2) the notification of consumers by financial institutions with respect to any breach of the confidentiality or security of information maintained or received by or on behalf of the financial institutions.

SEC. 8. ADMINISTRATIVE ENFORCEMENT.
This Act and any regulation prescribed under this Act shall be enforced with respect to financial institutions and other persons to which this Act applies exclusively by the functional financial regulators, and by the chief law enforcement officer of a State, or an official or agency designated by a State (with respect to persons within the jurisdiction of such officer, official, or agency), as follows:
(1) Under section 8 of the Federal Deposit Insurance Act, in the case of--
(A) national banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act, and bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Governors of the Federal Reserve System;
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Directors of the Federal Deposit Insurance Corporation; and
(D) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Director of the Office of Thrift Supervision.
(2) Under the Federal Credit Union Act, by the Board of the National Credit Union Administration with respect to any federally insured credit union, and any subsidiaries of such an entity.
(3) Under the Securities Exchange Act of 1934, by the Securities and Exchange Commission with respect to any broker or dealer.
(4) Under the Investment Company Act of 1940, by the Securities and Exchange Commission with respect to investment companies.
(5) Under the Investment Advisers Act of 1940, by the Securities and Exchange Commission with respect to investment advisers registered with the Commission under such Act.
(6) Under State insurance law, in the case of any person engaged in the business of insurance, by the applicable State insurance authority of the State in which the person is domiciled.
(7) Under the Federal Trade Commission Act, by the Federal Trade Commission for any other person that is not subject to the jurisdiction of any agency or authority under paragraphs (1) through (6) of this subsection.

SEC. 9. DEFINITIONS.
For purposes of this Act, the following definitions shall apply:
(1) BREACH OF DATA SECURITY- The term `breach of data security' means, with respect to sensitive financial personal information that is maintained, received, or communicated by or on behalf of any financial institution--
(A) an unauthorized acquisition of such information that could be used to commit financial fraud; or
(B) an unusual pattern of misuse of such information to commit financial fraud.
(2) CONSUMER- The term `consumer' means an individual.
(3) FINANCIAL INSTITUTION- The term `financial institution' means--
(A) any person the business of which is engaging in activities that are financial in nature as described in or determined under section 4(k) of the Bank Holding Company Act;
(B) any entity that is primarily engaged in activities that are subject to the Fair Credit Reporting Act; and
(C) any person that is maintaining, receiving, or communicating sensitive financial personal information on an ongoing basis for the purposes of engaging in interstate commerce.
(4) FUNCTIONAL FINANCIAL REGULATOR- The term `functional financial regulator'--
(A) has the same meaning as in section 509(2) of the Gramm-Leach-Bliley Act; and
(B) in the case of any financial institution that is described in paragraph (3)(B) that is not subject to the Gramm-Leach-Bliley Act, includes the appropriate regulator for such financial institution under section 621 of the Fair Credit Reporting Act.
(5) SENSITIVE FINANCIAL PERSONAL INFORMATION-
(A) IN GENERAL- The term `sensitive financial personal information' means information that is personal, sensitive, and nonpublic and contains an individual's first and last name and either the individual's address or telephone number and appears in combination with any of the following:
(i) Social Security number.
(ii) Driver's license number or an equivalent State-issued identification number.
(iii) Taxpayer identification number.
(iv) Any credit card or debit card account number.
(v) Any bank, savings association, credit union, or investment account number, other than an account number described in clause (iv), in combination with any required security code, biometric code, password, or other means that would permit access to a consumer's financial account.
(B) EXCLUSIONS- The term `sensitive financial personal information' shall not include--
(i) any list, description or other grouping of individuals (and publicly available information pertaining to them) that is derived without using any sensitive personal information; or
(ii) publicly available information that is lawfully made available to the general public from Federal, State or local government records.