Consumer Notification and Financial Data Protection Act of 2005 - Declares that each financial institution has an obligation to maintain reasonable policies and procedures to protect the security and confidentiality of a consumer's sensitive financial personal information against any unauthorized use that is reasonably likely to result in harm or substantial inconvenience to such consumer.
Prescribes procedural guidelines, including: (1) investigation and notice procedures to alert regulators, law enforcement officials, and consumers in case of data security breaches; (2) mitigation procedures that offer free nationwide file monitoring for affected consumers; and (3) a safe harbor from liability for a financial institution in compliance with this Act.
Directs the Federal Trade Commission to promulgate regulations requiring a financial institution which maintains or possesses sensitive financial personal information for a business purpose to dispose of it so that it cannot practicably be read or reconstructed.
Preempts comparable state law.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3374 Introduced in House (IH)]
109th CONGRESS
1st Session
H. R. 3374
To provide for the uniform and timely notification of consumers whose
sensitive financial personal information has been placed at risk by a
breach of data security, to enhance data security safeguards, to
provide appropriate consumer mitigation services, and for other
purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
July 21, 2005
Mr. LaTourette (for himself and Ms. Hooley) introduced the following
bill; which was referred to the Committee on Financial Services
_______________________________________________________________________
A BILL
To provide for the uniform and timely notification of consumers whose
sensitive financial personal information has been placed at risk by a
breach of data security, to enhance data security safeguards, to
provide appropriate consumer mitigation services, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Consumer Notification and Financial
Data Protection Act of 2005''.
SEC. 2. DATA SECURITY SAFEGUARDS.
Each financial institution shall have an affirmative and continuing
obligation to maintain reasonable policies and procedures to protect
the security and confidentiality of sensitive financial personal
information of any consumer that is maintained or received by or on
behalf of such financial institution against any unauthorized use that
is reasonably likely to result in harm or substantial inconvenience to
such consumer.
SEC. 3. INVESTIGATION AND NOTICE TO REGULATORS AND LAW ENFORCEMENT IN
CASE OF BREACH OF DATA SECURITY.
(a) Duty to Investigate.--
(1) In general.--Whenever any financial institution
determines or becomes aware of information that would
reasonably indicate that a breach of data security may have
occurred or is reasonably likely to occur, or receives notice
under subsection (c), the financial institution shall
immediately conduct a reasonable investigation to--
(A) assess the nature and scope of the breach;
(B) identify the sensitive financial personal
information involved; and
(C) determine if the breach is reasonably likely to
result in harm or substantial inconvenience to any
consumer to whom the information relates.
(2) Factors to be considered.--In determining, under
paragraph (1), the likelihood that harm or substantial
inconvenience may be caused to consumers, the financial
institution shall consider all available relevant facts,
including whether the information that was subject to the
breach was unencrypted or unredacted, or whether using it would
require technology that is not generally commercially available.
(b) Investigation Notices.--If a financial institution determines
after commencing an investigation under subsection (a) that a potential
breach of data security may result in harm or substantial inconvenience
to any consumer whose sensitive financial personal information was
involved in such potential breach, the financial institution shall--
(1) promptly notify the appropriate law enforcement
agencies of the breach;
(2) promptly notify the institution's functional regulator;
(3) take reasonable measures to ensure and restore the
security and confidentiality of the sensitive financial
personal information involved in the breach;
(4) take reasonable measures to prevent further
unauthorized access to or disclosure of any sensitive financial
personal information and to restore the integrity of the data
system; and
(5) notify as appropriate and without unreasonable delay
all critical third parties--
(A) whose involvement is necessary to investigate
the breach of data security; or
(B) who will be required to undertake further
action with respect to such information to protect such
consumers from fraud or identity theft.
(c) Duty of Financial Contractors.--Whenever any financial
institution that maintains or receives sensitive financial personal
information for or on behalf of another party determines, or has reason
to believe, that a breach of data security has occurred with respect to
such information, the financial institution shall--
(1) promptly notify the other party of the breach;
(2) conduct a joint investigation with the other party to
determine the likelihood that such information will be misused
against the consumers to whom the information relates in a
manner that would cause harm or substantial inconvenience to
such consumer; and
(3) unless the financial institution and third party
determine, after conducting a reasonable investigation, that it
is not reasonably likely that such information will be misused
to commit financial fraud against any consumer to whom any of
such sensitive financial personal information relates in a
manner that would cause harm or substantial inconvenience to
such consumer, provide joint notice under section 4 to such
consumers.
SEC. 4. NOTICE TO CONSUMERS OF DATA SECURITY BREACH.
(a) Notice Required.--If, after completing a reasonable
investigation pursuant to section 3, a financial institution or a
financial contractor pursuant to section 3(c) becomes aware that a
breach of data security is reasonably likely to have occurred, with
respect to sensitive financial personal information maintained or
received by or on behalf of the institution, that creates a risk of
harm or substantial inconvenience to consumers to whom the information
relates, the financial institution shall, without unreasonable delay--
(1) provide written notice, in accordance with this
section, to each consumer whose sensitive financial personal
information was involved in the breach of data security; and
(2) if the financial institution determines that it is
likely to be providing notice under paragraph (1) to 1,000 or
more consumers for any breach of data security, provide written
notice to--
(A) each consumer reporting agency described in
section 603(p) of the Fair Credit Reporting Act; and
(B) any other consumer reporting agency that the
financial institution identifies, or expects to
identify, in the notice provided to the consumer under
paragraph (1).
(b) Content of Notice.--The notice provided to any consumer under
subsection (a)(1) shall include the following information in a clear
and conspicuous manner:
(1) A description of the nature and type of information
that was, or is reasonably believed to have been, subject to
the breach of data security.
(2) If known, the date, or a reasonable approximation of
the period of time, on or within which sensitive financial
personal information of the consumer was, or is reasonably
believed to have been, acquired by an unauthorized person.
(3) A description of the actions taken by the financial
institution to restore the security and confidentiality of the
data.
(4) A toll-free telephone number where a consumer whose
information was the subject of the breach of data security may
obtain additional information about the breach of data security.
(5) A summary of rights of consumer victims of fraud or
identity theft, such as that prepared by the Federal Trade
Commission under section 609(d) of the Fair Credit Reporting
Act, including any additional appropriate information on how
the consumer may--
(A) obtain a copy of a consumer report free of
charge in accordance with section 612 of the Fair
Credit Reporting Act;
(B) place a fraud alert in any file relating to the
consumer at a consumer reporting agency under section
605A of such Act to discourage unauthorized use; and
(C) contact the Federal Trade Commission for more
detailed information.
(c) Notice of Identity Theft.--If a financial institution is
required to provide a notice under subsection (a)(1) with respect to a
breach of data security involving sensitive financial personal
information relating to a consumer (other than financial account
information described in section 9(5)(A)(v)), the notice required in
this section with respect to such consumer shall include information on
how the consumer may obtain mitigation services free of charge in
accordance with section 5.
(d) Delay of Notice for Law Enforcement Purposes.--If a financial
institution receives a written request, or an oral request indicating
that a written request will be provided, from an appropriate law
enforcement agency indicating that providing a particular notice to any
consumer under this section would impede a criminal or civil
investigation by that law enforcement agency, the financial institution
shall delay, or in the case of a foreign law enforcement agency may
delay, providing such notice until the law enforcement agency informs
the financial institution that such notice will no longer impede the
investigation or the law enforcement agency fails to confirm that a
continued delay is necessary to avoid impeding such investigation.
(e) Electronic Transmission of Notice.--The written notice required
under this section to any consumer may be made by an electronic
transmission only if--
(1) the consumer has provided prior consent to receive any
such notice by electronic transmission; and
(2) the notice is consistent with the provisions permitting
electronic transmission of notices under section 101 of the
Electronic Signatures in Global and National Commerce Act.
SEC. 5. MITIGATION PROCEDURES.
(a) Free File Monitoring.--Any financial institution that is
required to provide notice to a consumer under section 4(a)(1) with
respect to a breach of data security described in section 4(c) shall,
if requested by the consumer before the end of the 90-day period
beginning on the date of such notice, make available to the consumer,
free of charge and for a 12-month period, a service that monitors
nationwide credit activity regarding the consumer from a consumer
reporting agency described in section 603(p) of the Fair Credit
Reporting Act.
(b) Joint Rulemaking for Safe Harbor.--The Federal Trade
Commission, in consultation with the regulatory agencies described in
section 8, shall develop regulations, which shall be prescribed by all
functional regulatory agencies, that, in any case in which--
(1) free file monitoring is offered under subsection (a) to
a consumer;
(2) subsequent to the offer, another party misuses
sensitive financial personal information relating to the consumer
obtained through the breach of data security (that gave rise to
such offer) to commit identity theft against the consumer; and
(3) at the time of such breach the financial institution
maintained reasonable policies and procedures to comply with
subsection (a),
exempts the financial institution from any liability under State common
law for any loss or harm to the consumer occurring after the end of a
reasonable period beginning on the date of such offer, other than any
direct pecuniary loss provided under such law, resulting from such
misuse.
SEC. 6. PROPER DISPOSAL OF PERSONAL INFORMATION.
(a) In General.--Before the end of the 6-month period beginning on
the date of the enactment of this Act, the Federal Trade Commission
shall prescribe regulations in final form requiring any financial
institution which maintains or otherwise possesses sensitive financial
personal information, or any compilation of such information, for a
business purpose to properly dispose of any such information or
compilation so that such information or compilation cannot practicably
be read or reconstructed.
(b) Rule of Construction.--No provision of this section shall be
construed--
(1) as requiring, or authorizing the Federal Trade
Commission to require, any person to maintain or destroy any
sensitive financial personal information that is not required
to be maintained or destroyed under any other provision of
Federal or State law; or
(2) as altering or affecting any requirement imposed under
any other provision of Federal or State law to maintain or
destroy sensitive financial personal information.
SEC. 7. RELATION TO STATE LAW.
The provisions of this Act shall supersede any law, rule, or
regulation of any State or political subdivision of any State that
relates in any way to--
(1) information security standards of financial
institutions; or
(2) the notification of consumers by financial institutions
with respect to any breach of the confidentiality or security
of information maintained or received by or on behalf of the
financial institutions.
SEC. 8. ADMINISTRATIVE ENFORCEMENT.
This Act and any regulation prescribed under this Act shall be
enforced with respect to financial institutions and other persons to
which this Act applies exclusively by the functional financial
regulators, and by the chief law enforcement officer of a State, or an
official or agency designated by a State (with respect to persons
within the jurisdiction of such officer, official, or agency), as
follows:
(1) Under section 8 of the Federal Deposit Insurance Act,
in the case of--
(A) national banks, Federal branches and Federal
agencies of foreign banks, and any subsidiaries of such
entities (except brokers, dealers, persons providing
insurance, investment companies, and investment
advisers), by the Comptroller of the Currency;
(B) member banks of the Federal Reserve System
(other than national banks), branches and agencies of
foreign banks (other than Federal branches, Federal
agencies, and insured State branches of foreign banks),
commercial lending companies owned or controlled by
foreign banks, organizations operating under section 25
or 25A of the Federal Reserve Act, and bank holding
companies and their nonbank subsidiaries or affiliates
(except brokers, dealers, persons providing insurance,
investment companies, and investment advisers), by the
Board of Governors of the Federal Reserve System;
(C) banks insured by the Federal Deposit Insurance
Corporation (other than members of the Federal Reserve
System), insured State branches of foreign banks, and
any subsidiaries of such entities (except brokers,
dealers, persons providing insurance, investment
companies, and investment advisers), by the Board of
Directors of the Federal Deposit Insurance Corporation;
and
(D) savings associations the deposits of which are
insured by the Federal Deposit Insurance Corporation,
and any subsidiaries of such savings associations
(except brokers, dealers, persons providing insurance,
investment companies, and investment advisers), by the
Director of the Office of Thrift Supervision.
(2) Under the Federal Credit Union Act, by the Board of the
National Credit Union Administration with respect to any
federally insured credit union, and any subsidiaries of such an
entity.
(3) Under the Securities Exchange Act of 1934, by the
Securities and Exchange Commission with respect to any broker
or dealer.
(4) Under the Investment Company Act of 1940, by the
Securities and Exchange Commission with respect to investment
companies.
(5) Under the Investment Advisers Act of 1940, by the
Securities and Exchange Commission with respect to investment
advisers registered with the Commission under such Act.
(6) Under State insurance law, in the case of any person
engaged in the business of insurance, by the applicable State
insurance authority of the State in which the person is
domiciled.
(7) Under the Federal Trade Commission Act, by the Federal
Trade Commission for any other person that is not subject to
the jurisdiction of any agency or authority under paragraphs
(1) through (6) of this section.
SEC. 9. DEFINITIONS.
For purposes of this Act, the following definitions shall apply:
(1) Breach of data security.--The term ``breach of data
security'' means, with respect to sensitive financial personal
information that is maintained, received, or communicated by or
on behalf of any financial institution--
(A) an unauthorized acquisition of such information
that could be used to commit financial fraud; or
(B) an unusual pattern of misuse of such
information to commit financial fraud.
(2) Consumer.--The term ``consumer'' means an individual.
(3) Financial institution.--The term ``financial
institution'' means--
(A) any person the business of which is engaging in
activities that are financial in nature as described in
or determined under section 4(k) of the Bank Holding
Company Act;
(B) any entity that is primarily engaged in
activities that are subject to the Fair Credit
Reporting Act; and
(C) any person that is maintaining, receiving, or
communicating sensitive financial personal information
on an ongoing basis for the purposes of engaging in
interstate commerce.
(4) Functional financial regulator.--The term ``functional
financial regulator''--
(A) has the same meaning as in section 509(2) of
the Gramm-Leach-Bliley Act; and
(B) in the case of any financial institution that
is described in paragraph (3)(B) that is not subject to
the Gramm-Leach-Bliley Act, includes the appropriate
regulator for such financial institution under section
621 of the Fair Credit Reporting Act.
(5) Sensitive financial personal information.--
(A) In general.--The term ``sensitive financial
personal information'' means information that is
personal, sensitive, and nonpublic and contains an
individual's first and last name and either the
individual's address or telephone number and appears in
combination with any of the following:
(i) Social Security number.
(ii) Driver's license number or an
equivalent State-issued identification number.
(iii) Taxpayer identification number.
(iv) Any credit card or debit card account
number.
(v) Any bank, savings association, credit
union, or investment account number, other than
an account number described in clause (iv), in
combination with any required security code,
biometric code, password, or other means that
would permit access to a consumer's financial
account.
(B) Exclusions.--The term ``sensitive financial
personal information'' shall not include--
(i) any list, description or other grouping
of individuals (and publicly available
information pertaining to them) that is derived
without using any sensitive financial personal
information; or
(ii) publicly available information that is
lawfully made available to the general public
from Federal, State or local government
records.
Introduced in House
Referred to the House Committee on Financial Services.