S 1924 IS
106th CONGRESS
1st Session
S. 1924
To ensure personal privacy with respect to financial information, to
provide customers notice and choice about how their financial institutions share
or sell their personally identifiable sensitive financial information, to
provide for strong enforcement of these rights, and to protect States'
rights.
IN THE SENATE OF THE UNITED STATES
November 16, 1999
Mr. LEAHY (for himself, Mr. BRYAN, Mr. HARKIN, Mr. DURBIN, Mr. FEINGOLD, and
Mr. ROBB) introduced the following bill; which was read twice and referred to
the Committee on Banking, Housing, and Urban Affairs
A BILL
To ensure personal privacy with respect to financial information, to
provide customers notice and choice about how their financial institutions share
or sell their personally identifiable sensitive financial information, to
provide for strong enforcement of these rights, and to protect States'
rights.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Financial Information Privacy and Security
Act'.
SEC. 2. DEFINITIONS.
(1) the term `covered person' means--
(A) a person that is subject to the jurisdiction of any of the Federal
banking agencies;
(B) a broker or dealer, or a person associated with a broker or
dealer, as those terms are defined in the Securities Exchange Act of
1934;
(C) an investment advisor, as that term is defined in section 202 of
the Investment Advisors Act of 1940, and any officer, director, partner,
copartner, or employee of such investment advisor; and
(D) an investment company, as that term is defined in section 3 of the
Investment Company Act of 1940, and any officer, director, partner,
copartner, or employee of such investment company; and
(2) the term `Federal financial regulatory authorities' means--
(A) each of the Federal banking agencies, as that term is defined in
section 3(z) of the Federal Deposit Insurance Act; and
(B) the Securities and Exchange Commission.
SEC. 3. PRIVACY OF CONFIDENTIAL CUSTOMER INFORMATION.
(a) RULEMAKING- The Federal financial regulatory authorities shall jointly
issue final rules to protect the privacy of confidential customer information
relating to the customers of covered persons, not later than 270 days after
the date of enactment of this Act (and shall issue a notice of proposed
rulemaking not later than 150 days after the date of enactment of this Act),
which rules shall--
(1) define the term `confidential customer information' to be personally
identifiable data that includes social security numbers, transactions,
experiences, rejections, balances, maturity dates, payouts, and payout
dates, of--
(A) deposit and trust accounts;
(B) certificates of deposit;
(C) securities holdings; and
(2) require that a covered person may not disclose or share any
confidential customer information to or with any affiliate or agent of that
covered person if the customer to whom the information relates has been
provided written notice, as described in paragraphs (4) and (5), to the
covered person prohibiting such disclosure or sharing--
(A) with respect to an individual that became a customer on or after
the effective date of such rules, at the time at which the business
relationship between the customer and the covered person is initiated;
and
(B) with respect to an individual that was a customer before the
effective date of such rules, at such time thereafter that provides a
reasonable and informed opportunity to the customer to prohibit such
disclosure or sharing;
(3) require that a covered person may not disclose or share any
confidential customer information to or with any person that is not an
affiliate or agent of that covered person unless the covered person has
first--
(A) given written notice to the customer to whom the information
relates, as described in paragraphs (4) and (5); and
(B) obtained the informed written or electronic consent of that
customer for such disclosures or sharing;
(4) require that the covered person provide notices and consent
acknowledgments to customers, as required by this section, in separate and
easily identifiable and distinguishable form;
(5) require that the covered person provide notice as required by this
section to the customer to whom the information relates that describes what
specific types of information would be disclosed or shared, and under what
general circumstances, to what specific types of businesses or persons, and
for what specific types of purposes such information could be disclosed or
shared, and not less frequently than annually thereafter;
(6) require that the customer to whom the information relates be
provided with access to the confidential customer information that could be
disclosed or shared so that the information may be reviewed for accuracy and
corrected or supplemented;
(7) require that, before a covered person may use any confidential
customer information provided by a third party that engages, directly or
indirectly, in activities that are financial in nature, as determined by the
Federal financial regulatory authorities, the covered person shall take
reasonable steps to assure that procedures that are substantially similar to
those described in paragraphs (2) through (6) have been followed by the
provider of the information (or an affiliate or agent of that
provider);
(8) establish a means of examination for compliance and enforcement of
such rules and resolving consumer complaints; and
(9) require financial institutions within the jurisdiction of the
Federal financial regulatory authorities--
(A) to establish appropriate administrative, technical, and physical
safeguards to ensure protection of the security and confidentiality of
records of confidential customer information; and
(B) to protect against any anticipated threats or hazards to the
security or integrity of such records that could result in their
unauthorized release or disclosure.
(b) LIMITATION- The rules prescribed pursuant to subsection (a) may not
prohibit the release of confidential customer information--
(1) that is essential to processing a specific financial transaction
that the customer to whom the information relates has authorized;
(2) to a governmental, regulatory, or self-regulatory authority having
jurisdiction over the covered financial entity for examination, compliance,
or other authorized purposes;
(3) to a court of competent jurisdiction;
(4) to a consumer reporting agency, as defined in section 603 of the
Fair Credit Reporting Act for inclusion in a consumer report that may be
released to a third party only for a purpose permissible under section 604
of that Act; or
(5) that is not personally identifiable.
SEC. 4. CIVIL LIABILITY FOR NONCOMPLIANCE.
(a) IN GENERAL- Any individual whose rights under this Act have been
knowingly or negligently violated may bring a civil action to recover--
(1) such preliminary and equitable relief as the court determines to be
appropriate; and
(2) the greater of compensatory damages or liquidated damages of
$5,000.
(b) PUNITIVE DAMAGES- In any action brought under this section in which
the individual has prevailed because of a knowing violation of a provision of
this Act, the court may, in addition to any relief awarded under subsection
(a), award such punitive damages as may be warranted.
(c) ATTORNEY'S FEES- In the case of a civil action brought under
subsection (a) in which the individual has substantially prevailed, the court
may assess against the respondent a reasonable attorney's fee and other
litigation costs and expenses (including expert fees) reasonably incurred.
(d) LIMITATION- No action may be commenced under this section more than 3
years after the date on which the violation was or should reasonably have been
discovered.
(e) AGENCY- A principal is jointly and severally liable with the
principal's agent for damages under this section for the actions of the
principal's agent acting within the scope of the agency.
(f) ADDITIONAL REMEDIES- The equitable relief or damages that may be
available under this section shall be in addition to any other lawful remedy
or award available.
SEC. 5. RELATION TO STATE LAWS.
(a) IN GENERAL- This Act shall not be construed as superseding, altering,
or affecting the statutes, regulations, orders, or interpretations in effect
in any State, except to the extent that such statutes, regulations, orders, or
interpretations are inconsistent with the provisions of this Act, and then
only to the extent of the inconsistency.
(b) GREATER PROTECTION UNDER STATE LAW- For purposes of this Act, a State
statute, regulation, order, or interpretation is not inconsistent with the
provisions of this subtitle if the protection such statute, regulation, order,
or interpretation affords any person is greater than the protection provided
under this Act.