2007-01-09T23:00:00-06:00 1180584000 Introduced 0 110 S.239 2007-05-31 300043 110-s239 239 /bill/110-s239/show 2008-11-07T07:48:29-05:00

5/31/2007--Reported to Senate amended. Notification of Risk to Personal Data Act of 2007 - (Sec. 2) Requires any federal agency or business entity engaged in interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive, personally identifiable information, following the discovery of a security breach, to notify: (1) any U.S. resident whose information may have been accessed or acquired; and (2) the owner or licensee of any such information that the agency or business does not own or license.<br/>(Sec. 3) Exempts: (1) agencies and business entities from notification requirements for national security and law enforcement purposes and for security breaches that a risk assessment concludes do not have a significant risk of resulting in harm if specified certification or notice is provided, which is subject to review by the U.S. Secret Service; and (2) business entities from notification requirements if such an entity utilizes a security program that blocks the use of sensitive personally identifiable information to initiate unauthorized financial transactions and provides notice of a breach to affected individuals. Sets forth a presumption that there was no significant risk of harm to an individual whose sensitive personally identifiable information was subject to a security breach if such information: (1) was encrypted; or (2) was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.<br/>(Sec. 4) Provides that an agency or business entity shall be in compliance with such requirements if it provides both individual notice and media notice.<br/>(Sec. 5) Requires notice to include: (1) a description of the categories of sensitive personally identifiable information acquired by an unauthorized person; (2) a toll-free number that the individual may use to contact the agency or business entity to learn what types of personal information the agency or entity maintained; and (3) the toll-free telephone numbers and addresses for the major credit reporting agencies. Authorizes a state to require that a notice also include information regarding victim protection assistance provided by that state.<br/>(Sec. 6) Directs an agency or business entity that is required to provide notification to more than 5,000 individuals to also notify all nationwide consumer reporting agencies of the timing and distribution of the notices.<br/>(Sec. 7) Requires any business entity or agency to notify the Secret Service of the fact that a security breach has occurred if: (1) the number of individuals whose sensitive personally identifying information was acquired by an unauthorized person exceeds 10,000; (2) the breach involves a data system containing information on more than 1 million individuals nationwide; (3) the breach involves databases owned by the federal government; or (4) the breach involves primarily sensitive personally identifiable information of individuals known to the agency or business entity to be employees and contractors of the federal government involved in national security or law enforcement.<br/>Requires notifications regarding security breaches under specified circumstances to the Secret Service, the Federal Bureau of Investigation, the United States Postal Inspection Service, and state attorneys general.<br/>(Sec. 8) Authorizes the Attorney General to bring a civil action in U.S. district court against any business entity that violates this Act. Sets daily and maximum civil penalties for violations by a business entity.<br/>Amends the Fair Credit Reporting Act to require agencies to include a fraud alert in the file of a consumer that submits evidence of compromised financial information to a consumer reporting agency.<br/>(Sec. 9) Authorizes civil actions by state attorneys general to enforce this Act. (Sec. 10) Provides that this Act shall not supersede any other provision of federal law or of state law relating to notification by a business entity engaged in interstate commerce or an agency of a security breach.<br/>(Sec. 11) Authorizes appropriations for costs incurred by the Secret Service to investigate and conduct risk assessments of security breaches.<br/>(Sec. 12) Directs the Secret Service to report to Congress on the number and nature of security breaches: (1) described in the notices filed by those business entities invoking the risk assessment exemption; and (2) subject to the national security and law enforcement exemptions. Prohibits any report submitted from disclosing the contents of any risk assessment provided to the Secret Service under this Act.<br/>

25 http://www.feinstein.senate.gov 1933-06-22 89 F000062 Jewish 300043 http://www.feinstein.senate.gov/public/index.cfm/e-mail-me SenatorFeinstein F 3834 202-228-3954 331 Hart Senate Office Building 202-224-3841 Dianne Feinstein 2.05084745762712 106 Sen. Dianne Feinstein [D, CA] 22468 91381 Feinstein 110 Dianne 3 1180584000 calendar 2007-05-30T20:00:00-04:00 Placed on Senate Legislative Calendar under General Orders. Calendar No. 180. 1180584000 action 2007-05-30T20:00:00-04:00 Committee on the Judiciary. Reported by Senator Leahy under authority of the order of the Senate of 05/25/2007 with an amendment in the nature of a substitute. Without written report. 1178164800 action 2007-05-02T20:00:00-04:00 Committee on the Judiciary. Date of scheduled consideration. SD-226. 10:00 a.m. 1178164800 action 2007-05-02T20:00:00-04:00 Committee on the Judiciary. Ordered to be reported with an amendment in the nature of a substitute favorably. 1178164800 calendar 2007-05-02T20:00:00-04:00 Committee on the Judiciary. Ordered to be reported with an amendment in the nature of a substitute favorably. 0 s 2007-05-30T23:00:00-05:00 Notification of Risk to Personal Data Act of 2007 59 6819 40051 S.239 Notification of Risk to Personal Data Act of 2007 short introduced official introduced short reported to senate 2007-04-19T23:00:00-05:00 1196830800 Introduced 110 S.1178 2007-12-05 300056 27 http://www.billnelson.senate.gov 1942-09-29 33 N000032 Presbyterian 300078 http://www.billnelson.senate.gov/contact/index.cfm senbillnelson M 2787 202-228-2183 716 Hart Senate Office Building 202-224-5274 Bill Nelson 2.55947136563877 103 Sen. Bill Nelson [D, FL] 17846 67370 Nelson 107 Bill 50 http://www.pryor.senate.gov 1963-01-10 24 P000590 Unknown 300080 http://www.pryor.senate.gov/public/index.cfm?p=ContactMe senatorpryor M 554 202-228-0908 255 Dirksen Senate Office Building 202-224-2353 Mark Pryor 2.81481481481481 83 Sen. Mark L. Pryor [D, AR] 11898 37698 Pryor 110 Mark 1952-05-25 5 S001142 Latter Day Saints 300090 M 94 Gordon Smith 3.71428571428571 Gordon Smith Harold 5160 14887 Smith Gordon 1923-11-18 4 S000888 Episcopalian 300094 M 21 Ted Stevens 1.58333333333333 Ted Stevens F. 8197 14760 Stevens Ted 110-s1178 1178 /bill/110-s1178/show 2008-11-07T09:45:02-05:00

12/5/2007--Reported to Senate amended. Identity Theft Prevention Act - (Sec. 2) Requires any commercial entity or charitable, educational, or nonprofit organization that acquires, maintains, or uses sensitive personal information (covered entity) to develop, implement, maintain, and enforce a written program, containing administrative, technical, and physical safeguards, for the security of sensitive personal information it collects, maintains, sells, transfers, or disposes of. Defines &quot;sensitive personal information&quot; as an individual's name, address, or telephone number combined with at least one of the following relating to that individual: (1) the social security number or numbers derived from that number; (2) financial account or credit or debit card numbers combined with codes or passwords that permit account access, subject to exception; or (3) a state driver's license or resident identification number. (Sec. 3) Requires a covered entity: (1) to report a security breach to the Federal Trade Commission (FTC); (2) if the entity determines that the breach creates a reasonable risk of identity theft, to notify each affected individual; and (3) if the breach involves 1,000 or more individuals, to notify all consumer reporting agencies specified in the Fair Credit Reporting Act.<br/>(Sec. 4) Authorizes a consumer to place a security freeze on his or her credit report by making a request to a consumer credit reporting agency. Prohibits a reporting agency, when a freeze is in effect, from releasing the consumer's report for credit review purposes without the consumer's prior express authorization. Provides for freeze removal and suspension, limits related fees, and sets forth other security freeze requirements. Exempts from certain provisions of this Act: (1) a consumer credit reporting agency that acts only as a reseller of credit information and does not maintain a permanent database of credit information; (2) check services or fraud prevention services companies; and (3) deposit account information service companies.<br/>(Sec. 5) Requires: (1) the establishment of the Information Security and Consumer Privacy Advisory Committee; and (2) a related crime study and report, including regarding the correlation between methamphetamine use and identity theft crimes.<br/>(Sec. 8) Treats any violation of this Act as an unfair or deceptive act or practice under the Federal Trade Commission Act. Requires enforcement under other specified laws. Allows enforcement by state attorneys general. Preempts state laws requiring notification of affected individuals of security breaches. Preempts state laws relating to the use of social security numbers. (Sec. 11) Prohibits, subject to exception, a covered entity from soliciting a social security number from an individual unless there is a specific use of that number for which no other identifier can reasonably be used. Prohibits the display of social security numbers on identification cards commonly provided to employees, faculty, staff, or students and on state driver's licenses. Amends title II (Old Age, Survivors and Disability Insurance) (OASDI) of the Social Security Act to prohibit federal, state, and political subdivision governmental entities and their agents from using prisoners in a way that would allow the prisoners access to other individuals' social security numbers. Makes it unlawful to sell, purchase, provide, or display a social security number to the general public or to obtain or use any individual's social security number for the purpose of locating or identifying the individual with the intent to physically injure or harm the individual or for the purpose of using the individual's identity for any illegal purpose, subject to exceptions, including sales or displays of such numbers for the purposes of national security, public health or safety, and locating abducted children. (Sec. 12) Requires each U.S. agency to: (1) develop, implement, maintain, and enforce a written program for the security of sensitive personal information the agency collects, maintains, sells, transfers, or disposes of; (2) use due diligence to investigate any suspected breach of security affecting sensitive personal information; and (3) notify each affected individual after a breach.<br/>(Sec. 14) Authorizes appropriations.<br/>

161 http://www.inouye.senate.gov/ 1924-09-07 8 I000025 Methodist 300056 http://www.inouye.senate.gov/Contact/ContactDKI.cfm M 169 202-224-6747 722 Hart Senate Office Building 202-224-3934 Daniel Inouye 3.04651162790698 378 Daniel K. Inouye K. 12581 31989 Inouye 399 Daniel 7 1196830800 action 2007-12-04T19:00:00-05:00 Committee on Commerce, Science, and Transportation. Reported by Senator Inouye with amendments. With written report No. 110-235. 1196830800 calendar 2007-12-04T19:00:00-05:00 Placed on Senate Legislative Calendar under General Orders. Calendar No. 520. 1177473600 action 2007-04-24T20:00:00-04:00 Committee on Commerce, Science, and Transportation. Ordered to be reported with amendments favorably. 1177473600 action 2007-04-24T20:00:00-04:00 Committee on Commerce, Science, and Transportation. Date of scheduled consideration. SR-253. 2:30 p.m. 1177473600 calendar 2007-04-24T20:00:00-04:00 Committee on Commerce, Science, and Transportation. Ordered to be reported with amendments favorably. s 2007-12-04T23:00:00-06:00 Identity Theft Prevention Act 39 6124 43092 S.1178 Identity Theft Prevention Act short introduced short false reported to senate official introduced