S 1924 IS

To ensure personal privacy with respect to financial information, to provide customers notice and choice about how their financial institutions share or sell their personally identifiable sensitive financial information, to provide for strong enforcement of these rights, and to protect States' rights.

November 16, 1999

Mr. LEAHY (for himself, Mr. BRYAN, Mr. HARKIN, Mr. DURBIN, Mr. FEINGOLD, and Mr. ROBB) introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs

To ensure personal privacy with respect to financial information, to provide customers notice and choice about how their financial institutions share or sell their personally identifiable sensitive financial information, to provide for strong enforcement of these rights, and to protect States' rights.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Financial Information Privacy and Security Act'.

SEC. 2. DEFINITIONS.

In this Act--

(1) the term `covered person' means--

(A) a person that is subject to the jurisdiction of any of the Federal banking agencies;

(B) a broker or dealer, or a person associated with a broker or dealer, as those terms are defined in the Securities Exchange Act of 1934;

(C) an investment advisor, as that term is defined in section 202 of the Investment Advisors Act of 1940, and any officer, director, partner, copartner, or employee of such investment advisor; and

(D) an investment company, as that term is defined in section 3 of the Investment Company Act of 1940, and any officer, director, partner, copartner, or employee of such investment company; and

(2) the term `Federal financial regulatory authorities' means--

(A) each of the Federal banking agencies, as that term is defined in section 3(z) of the Federal Deposit Insurance Act; and

(B) the Securities and Exchange Commission.

SEC. 3. PRIVACY OF CONFIDENTIAL CUSTOMER INFORMATION.

(a) RULEMAKING- The Federal financial regulatory authorities shall jointly issue final rules to protect the privacy of confidential customer information relating to the customers of covered persons, not later than 270 days after the date of enactment of this Act (and shall issue a notice of proposed rulemaking not later than 150 days after the date of enactment of this Act), which rules shall--

(1) define the term `confidential customer information' to be personally identifiable data that includes social security numbers, transactions, experiences, rejections, balances, maturity dates, payouts, and payout dates, of--

(A) deposit and trust accounts;

(B) certificates of deposit;

(C) securities holdings; and

(D) insurance policies;

(2) require that a covered person may not disclose or share any confidential customer information to or with any affiliate or agent of that covered person if the customer to whom the information relates has been provided written notice, as described in paragraphs (4) and (5), to the covered person prohibiting such disclosure or sharing--

(A) with respect to an individual that became a customer on or after the effective date of such rules, at the time at which the business relationship between the customer and the covered person is initiated; and

(B) with respect to an individual that was a customer before the effective date of such rules, at such time thereafter that provides a reasonable and informed opportunity to the customer to prohibit such disclosure or sharing;

(3) require that a covered person may not disclose or share any confidential customer information to or with any person that is not an affiliate or agent of that covered person unless the covered person has first--

(A) given written notice to the customer to whom the information relates, as described in paragraphs (4) and (5); and

(B) obtained the informed written or electronic consent of that customer for such disclosures or sharing;

(4) require that the covered person provide notices and consent acknowledgments to customers, as required by this section, in separate and easily identifiable and distinguishable form;

(5) require that the covered person provide notice as required by this section to the customer to whom the information relates that describes what specific types of information would be disclosed or shared, and under what general circumstances, to what specific types of businesses or persons, and for what specific types of purposes such information could be disclosed or shared, and not less frequently than annually thereafter;

(6) require that the customer to whom the information relates be provided with access to the confidential customer information that could be disclosed or shared so that the information may be reviewed for accuracy and corrected or supplemented;

(7) require that, before a covered person may use any confidential customer information provided by a third party that engages, directly or indirectly, in activities that are financial in nature, as determined by the Federal financial regulatory authorities, the covered person shall take reasonable steps to assure that procedures that are substantially similar to those described in paragraphs (2) through (6) have been followed by the provider of the information (or an affiliate or agent of that provider);

(8) establish a means of examination for compliance and enforcement of such rules and resolving consumer complaints; and

(9) require financial institutions within the jurisdiction of the Federal financial regulatory authorities--

(A) to establish appropriate administrative, technical, and physical safeguards to ensure protection of the security and confidentiality of records of confidential customer information; and

(B) to protect against any anticipated threats or hazards to the security or integrity of such records that could result in their unauthorized release or disclosure.

(b) LIMITATION- The rules prescribed pursuant to subsection (a) may not prohibit the release of confidential customer information--

(1) that is essential to processing a specific financial transaction that the customer to whom the information relates has authorized;

(2) to a governmental, regulatory, or self-regulatory authority having jurisdiction over the covered financial entity for examination, compliance, or other authorized purposes;

(3) to a court of competent jurisdiction;

(4) to a consumer reporting agency, as defined in section 603 of the Fair Credit Reporting Act for inclusion in a consumer report that may be released to a third party only for a purpose permissible under section 604 of that Act; or

(5) that is not personally identifiable.

SEC. 4. CIVIL LIABILITY FOR NONCOMPLIANCE.

(a) IN GENERAL- Any individual whose rights under this Act have been knowingly or negligently violated may bring a civil action to recover--

(1) such preliminary and equitable relief as the court determines to be appropriate; and

(2) the greater of compensatory damages or liquidated damages of $5,000.

(b) PUNITIVE DAMAGES- In any action brought under this section in which the individual has prevailed because of a knowing violation of a provision of this Act, the court may, in addition to any relief awarded under subsection (a), award such punitive damages as may be warranted.

(c) ATTORNEY'S FEES- In the case of a civil action brought under subsection (a) in which the individual has substantially prevailed, the court may assess against the respondent a reasonable attorney's fee and other litigation costs and expenses (including expert fees) reasonably incurred.

(d) LIMITATION- No action may be commenced under this section more than 3 years after the date on which the violation was or should reasonably have been discovered.

(e) AGENCY- A principal is jointly and severally liable with the principal's agent for damages under this section for the actions of the principal's agent acting within the scope of the agency.

(f) ADDITIONAL REMEDIES- The equitable relief or damages that may be available under this section shall be in addition to any other lawful remedy or award available.

SEC. 5. RELATION TO STATE LAWS.

(a) IN GENERAL- This Act shall not be construed as superseding, altering, or affecting the statutes, regulations, orders, or interpretations in effect in any State, except to the extent that such statutes, regulations, orders, or interpretations are inconsistent with the provisions of this Act, and then only to the extent of the inconsistency.

(b) GREATER PROTECTION UNDER STATE LAW- For purposes of this Act, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this Act.

END