For other versions of this document, see http://wikileaks.org/wiki/CRS-RL31752 ------------------------------------------------------------------------------ Order Code RL31752 Report for Congress Received through the CRS Web Identity Theft: An Overview of Proposed Legislation in the 107th Congress February 21, 2003 Angie A. Welborn Legislative Attorney American Law Division Congressional Research Service ~ The Library of Congress Identity Theft: An Overview of Proposed Legislation in the 107th Congress Summary This report provides an overview of legislation proposed during the 107th Congress to address the growing problem of identity theft.1 Much of the legislation from the 107th Congress sought to prevent identity theft through a variety of measures, including placing limitations on the use of social security numbers, requiring the truncation of credit card numbers, and placing additional limitations on access to consumer credit reports. Legislation was also introduced aimed at assisting victims with the oftentimes arduous task of removing information resulting from identity theft from their credit reports, and providing greater criminal penalties for those convicted of identity theft and related crimes. The bills are arranged by chamber and presented in numerical order (Senate Bills: S. 848, S. 1014, S. 1399, S. 1723, S. 1742, S. 2541, S. 3100, House Bills: H.R. 220, H.R. 1478, H.R. 2036, H.R. 3053, H.R. 3368, H.R. 4513, H.R. 4678, H.R. 5424, H.R. 5474, H.R. 5588). During the 108th Congress, identity theft is likely to once again be a focus of the legislative agenda. Since the Federal Trade Commission first identified identity theft as the number one consumer complaint in 2000, problems associated with identity theft have grown. Despite efforts at the state level to prevent identity theft and provide assistance to victims, many consumer organizations believe that comprehensive federal legislation is necessary. 1 For additional information about identity theft and related legislation, see CRS Report RS21083, Identity Theft and the Fair Credit Reporting Act: An Analysis of TRW v. Andrews and Current Legislation, and CRS Report RS21163, Remedies Available to Victims of Identity Theft. Contents Senate Bills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 S. 848 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 S. 1014 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 S. 1399 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 S. 1723 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 S. 1742 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 S. 2541 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 S. 3100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 House Bills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 H.R. 220 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 H.R. 1478 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 H.R. 2036 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 H.R. 3053 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 H.R. 3368 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 H.R. 4513 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 H.R. 4678 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 H.R. 5424 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 H.R. 5474 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 H.R. 5588 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Identity Theft: An Overview of Proposed Legislation in the 107th Congress Senate Bills S. 848. The Social Security Number Misuse Prevention Act of 2001, as introduced, would have amended Title 18 of the United States Code to limit the misuse of Social Security numbers and establish criminal penalties for such misuse. The bill would have prohibited the display, sale or purchase of an individual's Social Security number without that individual's "affirmatively expressed consent."2 The bill would have also prohibited any person from obtaining any individual's Social Security number for purposes of locating or identifying an individual with the intent to physically injure, harm, or use the identity of the individual for any illegal purpose.3 Exceptions to the general prohibition included permissible uses under the Social Security Act, the Privacy Act, the Internal Revenue Code, and the Professional Boxing Safety Act of 1996; uses relating to public health, national security or law enforcement; certain business-to-business uses; and required submissions as part of the process for applying for any type of Federal, State, or local government benefit or program.4 The prohibition would not have applied to Social Security numbers included in certain public records, but agencies would have been required to institute procedures to restrict access to an individual's Social Security number.5 The Attorney General was given authority to prescribe rules and regulations necessary to carry out the general prohibition provisions, and is directed to consult with "the Commissioner of Social Security, the Chairman of the Federal Trade Commission, and such other heads of Federal agencies as the Attorney General determines appropriate" to promulgate regulations "to implement and clarify the uses occurring as a result of the interaction between businesses, governments, or businesses and governments."6 The bill also provided for factors to be considered when promulgating such rules. The bill would have also prohibited the use of Social Security numbers on checks issued by governmental agencies and on driver's licenses, motor vehicle 2 S. 848, as introduced, Sec. 3. 3 Id. 4 Id. 5 S. 848, as introduced, Sec. 4. 6 S. 848, as introduced, Sec. 5. CRS-2 registration documents, or any other document issued to an individual for identification purposes.7 S. 848 would also prohibit inmate access to Social Security numbers. Under S. 848, as introduced, a commercial entity would have been prohibited from requiring an individual to provide his or her Social Security number when purchasing a commercial good or service or denying an individual the good or service for refusing to provide the number.8 The prohibition did not apply with respect to any purpose relating to obtaining a consumer report for any purpose permitted under the Fair Credit Reporting Act; a background check of the individual conducted by a landlord, lessor, employer, voluntary service agency, or other entity as determined by the Attorney General. An individual may have also been required to provide his or her Social Security number for law enforcement purposes; by Federal, State or local law; or if the Social Security number is necessary to verify the identity and to prevent fraud with respect to the specific transaction requested by the consumer and no other form of identification can produce comparable results.9 These provisions did not prohibit a commercial entity from requiring an individual to provide two forms of identification that do not contain the Social Security number of the individual; or denying an individual a good or service for refusing to provide two forms of such identification.10 S. 848, as introduced, also extended civil monetary penalties for misuse of a Social Security number.11 S. 848 was referred to the Senate Committee on the Judiciary and reported by Senator Leahy with an amendment in the nature of a substitute on May 16, 2002. The bill was then reported to the Committee on Finance. The Subcommittee on Social Security and Family Policy held hearings on July 11, 2002. No additional action was taken. As reported, S. 848 included similar provisions relating to prohibitions on the display, sale or purchase of Social Security numbers.12 However, unlike the introduced version, the bill as reported provided for civil actions in state courts for violations of those prohibitions, and allows an aggrieved individual to recover for actual monetary loss or up to $500 in damages for each violation, whichever is greater.13 Any such action would have been required to be commenced not later than the earlier of five years after the date on which the alleged violation occurred; or three years after the date on which the alleged violation was or should have been 7 S. 848, as introduced, Sec. 6. 8 S. 848, as introduced, Sec. 7. 9 Id. 10 Id. 11 S. 848, as introduced, Sec. 8. 12 S. 848, as reported, Sec. 3. 13 Id. CRS-3 reasonably discovered by the aggrieved individual.14 The bill, as reported, also provided for civil penalties for violations of the prohibitions set forth and criminal sanctions for knowing and willful violations.15 The general prohibition would not have applied to Social Security numbers in public records. However, S. 848, as reported, would have required agencies to institute procedures to limit the disclosure of an individual's Social Security number on certain types of records.16 S. 1014. The Social Security Number Privacy and Identity Theft Prevention Act of 2001, would have made several amendments to the Social Security Act aimed at enhancing privacy protections for individuals and preventing fraudulent misuse of Social Security numbers. The bill would have prohibited - with limited exceptions - the sale of an individual's Social Security number by any state or federal governmental entity in possession of such number.17 The display to the general public of an individual's Social Security number would have also been prohibited, as would the display of a Social Security number on any check issued for any payment by any governmental agency.18 In addition, the appearance of Social Security account numbers on driver's licenses would have been prohibited, as would the display of Social Security numbers on personal identification card or tags provided to state or federal government employees.19 Access to Social Security numbers by inmates would have also been prohibited, and independent verification of birth records provided by an applicant for a Social Security account number would have been required.20 S. 1014 would have also prohibited the sale and display of Social Security numbers in the private sector.21 The general prohibition would have been subject to certain exceptions. Social Security numbers could have been sold, purchased or displayed to the extent necessary for law enforcement purposes, including the enforcement of a child support obligation; to the extent necessary for national security purposes; to the extent necessary for public health purposes; to the extent necessary in emergency situations; and to the extent necessary for research conducted for the purpose of advancing public knowledge, on the condition that the researcher provide adequate assurances that the privacy of the individual and the individual's number would have been protected.22 Individuals would have also been able to 14 Id. 15 Id. 16 S. 848, as reported, Sec. 4. 17 S. 1014, Title I, Sec. 101(a). 18 S. 1014, Title I, Sec. 102, Sec. 103. 19 S. 1014, Title I, Sec. 104, Sec. 105. 20 S. 1014, Title I, Sec. 106, Sec. 107. 21 S. 1014, Title II, Sec. 201. 22 Id. CRS-4 consent to the sale, purchase or display of their Social Security numbers. The bill directed the Attorney General to promulgate regulations regarding such restrictions.23 S. 1014 would have made refusal to do business without receipt of a Social Security number an unfair or deceptive trade practice under the Federal Trade Commission Act.24 However, situations in which a person was required under federal law to submit an individual's Social Security number in connection with a business transaction would have been exempt.25 An amendment to the Fair Credit Reporting Act would have prohibited a credit reporting agency from furnishing an individual's Social Security number unless a full consumer report is being furnished.26 With regard to enforcement, S. 1014 would have established new criminal penalties for misuse of a Social Security number, and extends the authority under the Social Security Act to impose civil monetary penalties for misuse of a Social Security number.27 The bill would have also authorized a court to order a defendant to make restitution to the Social Security Administration.28 S. 1014 was referred to the Senate Committee on Finance on June 12, 2001. No additional action was taken. S. 1399. The Identity Theft Prevention Act of 2001, included several provisions aimed at preventing identity theft. First, the bill would have required credit card issuers to confirm changes of address when a request for an additional card with respect to an existing account is received no more than 30 days after the address change request.29 Additionally, consumer reporting agencies would have been required to notify requesters of information of potential fraud when the request includes an address for the consumer that differs from the most recent address on file with the consumer reporting agency.30 The Federal Trade Commission would have had primary enforcement authority, with other agencies responsible for enforcement with respect to entities outside the FTC's jurisdiction.31 23 Id. 24 S. 1014, Title II, Sec. 202. 25 Id. 26 S. 1014, Title II, Sec. 203. 27 S. 1014, Title III, Sec. 301, Sec. 302. 28 S. 1014, Title III, Sec. 303. 29 S. 1399, Sec. 3(a). 30 Id. 31 Id. CRS-5 Under S. 1399, consumer reporting agencies would have also been required to include a fraud alert in a consumer's file, if requested by the consumer.32 The consumer reporting agency would have been responsible for notifying each person procuring consumer credit information of the existence of a fraud alert in the consumer's file regardless of whether a full credit report, credit score, or summary report is requested.33 The bill would have also directed the Federal Trade Commission to promulgate rules requiring each consumer reporting agency to investigate discrepancies between personal or identifying information contained in the file maintained by the agency and the personal identifying information supplied to the agency by the user of the consumer report.34 The rules promulgated pursuant to S. 1399 would have also been required to include procedures for referral of consumer complaints about identity theft and fraud alerts between and among the consumer reporting agencies and to the Federal Trade Commission.35 The truncation of credit card numbers on receipts that are electronically printed would have also been required under S. 1399.36 S. 1399 was referred to the Senate Committee on Banking, Housing and Urban Affairs on September 4, 2001. No additional action was taken. S. 1723. The Protect Victims of Identity Theft Act of 2001, would have amended the Fair Credit Reporting Act's statute of limitations. The amendment proposed under S. 1723 would have allowed suit to be brought "not later than 2 years after the date on which the violation is discovered or should have been discovered by the exercise of reasonable diligence."37 S. 1723 was referred to the Senate Committee on Banking, Housing, and Urban Affairs on November 16, 2001. No additional action was taken. S. 1742. The Restore Your Identity Act of 2001, as introduced, included several provisions aimed at preventing identity theft and aiding victims of identity theft. The bill set forth a mechanism enabling victims of identity theft to receive application and transaction information related to the theft from any business entity possessing such information.38 The bill included provisions for verification of the victim's identity and places limitations on a business' liability with regard to the 32 S. 1399, Sec. 3(b). 33 Id. 34 S. 1399, Sec. 3(c). 35 Id. 36 S. 1399, Sec. 4. 37 S. 1723, Sec. 2. 38 S. 1742, as introduced, Sec. 5. CRS-6 provision of the requested information.39 Among the other provisions set forth in the bill was an amendment to the Fair Credit Reporting Act which would have required a consumer reporting agency to "permanently block the reporting of information identified by the consumer in the file of the consumer resulting from the identity theft, so that the information could be reported."40 Consumer reporting agencies would have had the authority to decline or rescind the request to block information under certain circumstances.41 Another amendment to the FCRA would have affected the statute of limitations for filing a claim against a credit reporting agency. The proposed amendment would have allowed suit to be filed "not later than two years after the discovery by the individual of the misrepresentation."42 The bill also amended the Internet False Identification Act to establish a commission to study coordination between federal, state, and local authorities in enforcing identity theft laws,43 and provided for enforcement of the provisions set forth in the legislation by state attorneys general and by the Attorney General of the United States.44 S. 1742 was referred to the Senate Committee on the Judiciary, and was reported on May 21, 2002, by Senator Leahy with an amendment in the nature of a substitute entitled the Identity Theft Victims Assistance Act of 2002. The amendment was similar to the introduced bill, but some substantive changes were made, including the addition of a provision allowing businesses to establish notification systems to comply with the information sharing provisions discussed above.45 Additionally, the bill, as reported, provided for enforcement actions by state attorneys general or the Attorney General of the United States for violations of the provisions related to the release of information by business entities.46 Substantive changes were also made with regard to the Fair Credit Reporting Act amendments. As reported, S. 1742 included the provisions discussed above related to the blocking of information on a consumer's credit report resulting from an identity theft, but added certain exceptions to the general rule.47 Additional changes were made to the statute of limitations under the FCRA. S. 1742, as reported, would have amended the FCRA to allow suit to be brought "not later than 2 years from the date of the defendant's violation of any requirement under this 39 Id. 40 S. 1742, as introduced, Sec. 6. 41 Id. 42 Id. 43 S. 1742, as introduced, Sec. 7. 44 S. 1742, as introduced, Sec. 8. 45 S. 1742, as reported, Sec. 4. 46 S. 1742, as reported, Sec. 7. 47 S. 1742, as reported, Sec. 5. CRS-7 title."48 Actions by victims of identity theft could have been brought not later than 5 years from the date of the defendant's violation if the victim "has reasonable grounds to believe that [he or she] is the victim of an identity theft; and has not materially and willfully misrepresented such a claim."49 The Senate passed S. 1742 on November 14, 2002, with an amendment proposed by Senator Reed for Senator Cantwell. As passed, the bill did not include the notification system provision discussed above. Language was included to preclude private rights of action or claims for relief for violations of the provisions related to the release of information by business entities.50 The bill, as passed, also added to the exceptions related to the blocking of information on a consumer's credit file resulting from an identity theft, and changed the statute of limitations for actions relating to identity theft from 5 years to 4 years.51 S. 1742 was referred to the House Committee on the Judiciary and the Committee on Financial Services on November 15, 2002. No additional action was taken by the House of Representatives. S. 2541. The Identity Theft Penalty Enhancement Act of 2002, would have amended Title 18 of the United States Code to establish penalties for aggravated identity theft and make changes to the existing identity theft provisions of Title 18.52 Under S. 2541, aggravated identity theft would have occurred when a person "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person" during and in relation to the commission of certain enumerated felonies.53 The penalty for aggravated identity theft would have been a term of imprisonment of 2 years in addition to the punishment provided for the original felony committed.54 The felonies for which a penalty for aggravated identity theft could have been imposed included felonies related to theft from employee benefit plans; false impersonation of citizenship; false statements in connection with the acquisition of a firearm; other types of fraud and false statements; mail, bank and wire fraud; fraud relating to passports and visas; violations of the Gramm-Leach- Bliley Act relating to obtaining consumer information under false pretenses; certain violations of the Immigration and Nationality Act relating to willfully failing to leave the United States after deportation and creating a counterfeit alien registration card; and certain violations of the Social Security Act.55 48 Id. 49 Id. 50 S. 1742, as passed, Sec. 3. 51 S. 1742, as passed, Sec. 4. 52 See S. 2541, Sec. 3, for amendments to the 18 U.S.C. 1028. 53 S. 2541, Sec. 2. 54 Id. 55 Id. CRS-8 S. 2541 was referred to the Senate Committee on the Judiciary. The Subcommittee on Technology, Terrorism, and Government Information held hearings on July 9, 2002. On November 14, 2002, the bill was reported out of Committee favorably and without amendment. No additional action was taken. S. 3100. The Social Security Number Misuse Prevention Act of 2002, would have amended Title 18 of the United States Code to limit the misuse of Social Security numbers and establish criminal penalties for such misuse. The bill would have prohibited the display, sale or purchase of Social Security numbers without the "affirmatively expressed consent of the individual."56 Certain exceptions would have applied, including cases where required, authorized, or excepted under any Federal law; for public health purposes; for a national security purpose; for a law enforcement purpose; and under certain circumstances if the display, sale or purchase of the number is for a use occurring as a result of an interaction between businesses, governments, or business and government.57 The bill provided for limitations on the prohibition with respect to uses permitted under the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and with respect to the display, sale or purchase of public records containing Social Security numbers.58 The Attorney General was given rulemaking authority substantially similar to that provided for in S. 848, as introduced, discussed above. Additional prohibitions would have applied to the display of the Social Security number, or any derivative of such number, on any check issued for any payment by the Federal, State, or local [social security] agency; on a driver's license, motor vehicle registration or any other document issues for purposes of identification. The bill also prohibited inmate access to Social Security numbers.59 In general, S. 3100 precluded a commercial entity from requiring that an individual provide his or her Social Security number when purchasing a consumer good or service, or denying an individual the good or service for failing to provide his or her Social Security number.60 The preclusion did not apply with respect to any purpose relating to obtaining a consumer report for any purpose permitted under the Fair Credit Reporting Act; a background check of the individual conducted by a landlord, lessor, employer, voluntary service agency, or other entity as determined by the Attorney General. An individual could have also been required to provide his or her Social Security number for law enforcement purposes; by Federal, State or local law; or if the Social Security number is necessary to verify the identity of the consumer to effect, administer, or enforce the specific transaction requested or authorized by the consumer, or to prevent fraud.61 Violations of these provisions 56 S. 3100, Sec. 3. These provisions are similar to those in S. 848, as introduced. 57 Id. 58 S. 3100, Sec. 3 and Sec. 4. 59 S. 3100, Sec. 6. 60 S. 3100, Sec. 7. 61 Id. CRS-9 could have been pursued by state attorneys general or by the Attorney General of the United States. The provisions would have expired 6 years after the effective date.62 Unrelated to Social Security numbers, an additional section of S. 3100 would have required the truncation of credit card account numbers, prohibiting the printing of more than the last 5 digits of the credit card account number or the expiration date upon any receipt provided to the card holder.63 The bill provided for civil monetary penalties, criminal penalties, and civil actions for certain misuses of Social Security numbers.64 S. 3100 was placed on the Senate legislative calendar, but no additional action was taken. House Bills H.R. 220. The Identity Theft Protection Act of 2001, would have repealed provisions of the Social Security Act which authorize certain usages of an individual's Social Security number, including, the use of Social Security numbers for general public assistance offered by a state, driver's licenses or motor vehicle registration; and the use of Social Security numbers in the administration of the food stamp program.65 The bill would have also required all Social Security numbers to be randomly generated and prohibit the Social Security Administration from divulging an individual's account number to any other federal or state governmental entity.66 In addition to the provisions related to Social Security numbers, the bill would have prohibited any two agencies or instrumentalities of the federal government from implementing the same identifying number with respect to any individual.67 The federal government would have also been prohibited from establishing or mandating a uniform standard for identification for an individual; and could not have conditioned the receipt of any federal funding on the adoption, by a state, a state agency, or a political subdivision of a state, of a uniform standard for identification of an individual.68 H.R. 220 was referred to the House Committee on Ways and Means and the Committee on Government reform on January 3, 2001, with subsequent referrals to various subcommittees. No additional action was taken. 62 Id. 63 S. 3100, Sec. 11. 64 S. 3100, Sec. 8, Sec. 9, and Sec. 10. 65 H.R. 220, Sec. 2. 66 Id. 67 H.R. 220, Sec. 4. 68 H.R. 220, Sec. 5. CRS-10 H.R. 1478. The Personal Information Privacy Act of 2001, would have made several amendments to the Fair Credit Reporting Act (FCRA) aimed at protecting a consumer's personal information. The bill would have amended the FCRA to expand the definition of "consumer report" to include "any other identifying information of the consumer, except the name, address, and telephone number of the consumer if listed in a residential telephone directory available in the locality of the consumer."69 Other amendments to the FCRA would have prohibited the furnishing of consumer credit reports in connection with credit or insurance transactions that were not initiated by the consumer without the consumer's express written authorization and would have required full disclosure to the consumer of what was being authorized and any potential positive and negative effects of such authorization.70 The sale or transfer of transaction or experience information71 would have also been prohibited without the express written consent of the consumer.72 H.R. 1478 would have also prohibited certain misuses of an individual's Social Security number. The commercial use of an individual's Social Security number would have been prohibited without the written consent of the individual.73 Refusal to do business with an individual because the individual would not consent to the use of his or her Social Security number would have been treated as an unfair or deceptive act or practice in violation of Section 5 of the Federal Trade Commission Act.74 The use of an individual's Social Security number as a personal identification number would have also been prohibited without written consent.75 H.R. 1478 was referred to the House Committee on Ways and Means and the Committee on Financial Services on April 24, 2001, with subsequent referrals to the Subcommittee on Financial Institutions and Consumer Credit. No additional action was taken. H.R. 2036. The Social Security Number Privacy and Identity Theft Prevention Act of 2001, was substantially similar to S. 1014 discussed above. H.R. 2036 was referred to the House Committee on Ways and Means, the Committee on Energy and Commerce, and the Committee on Financial Services on May 25, 2001. The bill was subsequently referred to various subcommittees. No additional action was taken. 69 H.R. 1478, Sec. 2. 70 H.R. 1478, Sec. 4. 71 Transaction or experience information is defined as "any information identifying the content or subject of one or more transactions between the consumer and a person doing business with a consumer, including any component part of any transaction, any brand name involved, or any quantity or category of merchandise involved in any party of the transaction." H.R. 1478, Sec. 5. 72 H.R. 1478, Sec. 5. 73 H.R. 1478, Sec. 3. 74 Id. 75 Id. CRS-11 H.R. 3053. The Identity Theft Prevention Act of 2001, was substantially similar to S. 1399, discussed above. Unlike S. 1399, H.R. 3053 would have required consumer reporting agencies to provide free copies of consumer credit reports on a yearly basis, at the request of the consumer.76 H.R. 3053 would have also required the Federal Trade Commission to develop a model form and standard procedures to be used by consumers who are victims of identity fraud for contacting and informing creditors and consumer reporting agencies of the fraud.77 H.R. 3053 was referred to the House Committee on Financial Services on October 5, 2001, and subsequently to the Subcommittee on Financial Institutions and Consumer Credit. No additional action was taken. H.R. 3368. The Protect Victims of Identity Theft Act of 2001, was substantially similar to S. 1723 discussed above. The bill would have amended the Fair Credit Reporting Act's statute of limitations. The proposed amendment would have allowed suit to be brought "not later than 2 years after the date on which the violation is discovered or should have been discovered by the exercise of reasonable diligence."78 H.R. 3368 was referred to the House Committee on Financial Services on November 28, 2001, and subsequently to the Subcommittee on Financial Institutions and Consumer Credit. The bill was also referred to the House Committee on the Judiciary Subcommittee on Courts, the Internet, and Intellectual Property. No additional action was taken. H.R. 4513. The Social Security Number Protection Act of 2002, included several provisions that were somewhat similar to those in S. 1014 discussed above. H.R. 4513 directed the Federal Trade Commission to promulgate regulations regarding the sale and purchase of Social Security numbers. It would have been unlawful for any person to sell or purchase a Social Security number in a manner that violates a regulation promulgated by the Commission.79 The Commission was directed to consult with the Commissioner of Social Security, the Department of Justice, and other agencies deemed appropriate to promulgate regulations restricting the sale and purchase of Social Security numbers and any unfair or deceptive acts or practices in connection with the sale and purchase of such.80 The regulations promulgated were to be no broader than necessary "to provide reasonable assurance that Social Security numbers and Social Security account numbers will not be used to commit or facilitate fraud, deception, or crime; and to prevent an undue risk of bodily, emotional, or financial harm to individuals."81 76 H.R. 3053, Sec. 5. 77 H.R. 3053, Sec. 3(c). 78 H.R. 3368, Sec. 2. 79 H.R. 4513, Sec. 4(a). 80 H.R. 4513, Sec. 4(b)(1). 81 H.R. 4513, Sec. 4(b)(2). CRS-12 Under H.R. 4513, certain exceptions would have applied to the general restrictions on the sale and purchase of Social Security numbers. The sale and purchase of Social Security numbers would have been permitted under the regulations to the extent necessary for law enforcement and national security purposes; to the extent necessary for public health purposes; to the extent necessary in emergency situations to protect the health or safety of one or more individuals; and to the extent necessary for research conducted for the purpose of advancing public knowledge, on the condition that the researcher provided adequate assurances that certain measures would have been employed to protect the privacy of the individual and the confidentiality of the individual's Social Security number.82 An individual could have also consented to the sale or purchase of his or her Social Security number.83 Violations of the regulations promulgated pursuant to H.R. 4513 would have been enforced by the Federal Trade Commission and treated as an unfair or deceptive act or practice.84 State attorneys general would have also had authority to bring actions on behalf of the residents of their states.85 The Attorney General of the United States would have also had some enforcement authority.86 H.R. 4513 was referred to the House Committee on Energy and Commerce and the Committee on Ways and Means on April 18, 2002. No additional action was taken. H.R. 4678. The Consumer Privacy Protection Act of 2002, included provisions related to both privacy protection and identity theft. Title I of H.R. 4678 specifically addressed privacy with regard to consumer information gathered and used by data collection organizations, and included provisions related to privacy statements, opt-out opportunities for consumers, information security obligations, and self-regulatory programs for data collection organizations. Title II of the bill specifically addressed identity theft prevention and remedies. These provisions will be discussed in detail below. Title II of H.R. 4678 directed the Federal Trade Commission to take specific actions to assist victims of identity theft. The Commission was directed to take such action as necessary to permit (including by electronic means) consumers that have a reasonable belief that they are a victims of identity theft to enter required consumer information into the commission-developed "Identity Theft Affidavit," and to submit completed forms and other supplemental information to the Commission and other entities.87 The Commission would have also been required to "take such action as necessary to solicit the acceptance and acknowledgment of standardized Identity 82 H.R. 4513, Sec. 4(b)(3). 83 Id. 84 H.R. 4513, Sec. 4(d). 85 H.R. 4513, Sec. 4(e). 86 Id. 87 H.R. 4678, Sec. 201. CRS-13 Theft Affidavit by entities that receive disputes regarding the unauthorized use of accounts of such entities from consumers that have reason to believe that they are a victim of identity theft."88 Additionally, the Commission would have required such entities to conduct any necessary investigation and decide an outcome of a claim from a consumer within 90 days from the date on which all necessary information has been submitted.89 Under H.R. 4678, the Federal Trade Commission would have also been required to make improvements to the Identity Theft Clearinghouse which would allow consumers to submit identity theft information to appropriate entities via the Clearinghouse.90 The Commission would have also been required to obtain identity theft data from public and private entities that receive and process complaints from consumers and include such information in the Identity Theft Clearinghouse database.91 In an effort to prevent identity theft, H.R. 4678 directed the Commission to require "appropriate entities to take reasonable steps to verify the accuracy of a consumer's address, including by confirming a consumer's change of address by sending a confirmation of such change to the old and new address of the consumer."92 H.R. 4678 was referred to the House Committee on Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection. Subcommittee hearings were held on September 24, 2002, but not additional action was taken.93 H.R. 5424. The Identity Theft Victims Assistance Act of 2002, appeared to be substantially similar to S. 1742, as reported, discussed above. H.R. 5424 was referred to the House Committee on the Judiciary and the Committee on Financial Services on September 19, 2002, and subsequently to the Subcommittee on Crime, Terrorism and Homeland Security and the Subcommittee on Financial Institutions and Consumer Credit. No additional action was taken. H.R. 5474. The Identity Theft Consumer Notification Act, would have amended the Gramm-Leach-Bliley Act to further protect consumers whose identities are stolen from their financial institutions. Under H.R. 5474, a financial institution would have been required to promptly notify a consumer if his or her personal information had been compromised in any way by an employee of the financial institution or through any unauthorized entry into the records of the institution.94 In the event of such compromise, the financial institution would have been obligated to 88 H.R. 4678, Sec. 202. 89 H.R. 4678, Sec. 203. 90 H.R. 4678, Sec. 204. 91 H.R. 4678, Sec. 205. 92 H.R. 4678, Sec. 206. 93 Title III of the bill includes provisions related to international privacy laws which were referred to the House Committee on International Relations. 94 H.R. 5474, Sec. 2. CRS-14 notify the consumer of the compromise and any misuse of the information; to provide assistance to the consumer to remedy any such compromise; to reimburse the consumer for any losses the consumer incurred as a result of the compromise, including any fees for obtaining, investigating, and correcting a consumer report; and to provide information concerning the manner in which the consumer can obtain such assistance.95 Financial institutions would have been able to delay notification at the request of a law enforcement agency investigating the violation that led to the compromise of the consumer's information. The bill would have also amended the Fair Credit Reporting Act's statute of limitations to allow an action to be brought "not later than 2 years after the date on which the violation is discovered or should have been discovered by the exercise of reasonable diligence."96 H.R. 5474 was referred to the House Committee on Financial Services Subcommittee on Financial Institutions and Consumer Credit on October 7, 2002. No additional action was taken. H.R. 5588. The Identity Theft Penalty Enhancement Act of 2002, was substantially similar to S. 2541 discussed above. H.R. 5588 was referred to the House Committee on the Judiciary Subcommittee on Crime, Terrorism, and Homeland Security on November 12, 2002. No additional action was taken. 95 Id. 96 H.R. 5474, Sec. 3. ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RL31752