[DOCID: f:hr339.110] From the House Reports Online via GPO Access [wais.access.gpo.gov] 110th Congress Report HOUSE OF REPRESENTATIVES 1st Session 110-339 ====================================================================== SOCIAL SECURITY NUMBER PRIVACY AND IDENTITY THEFT PREVENTION ACT OF 2007 _______ September 24, 2007.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. Rangel, from the Committee on Ways and Means, submitted the following R E P O R T together with ADDITIONAL VIEWS [To accompany H.R. 3046] [Including cost estimate of the Congressional Budget Office] The Committee on Ways and Means, to whom was referred the bill (H.R. 3046) to amend the Social Security Act to enhance Social Security account number privacy protections, to prevent fraudulent misuse of the Social Security account number, and to otherwise enhance protection against identity theft, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. CONTENTS Page I. Introduction....................................................15 A. Purpose and Summary................................. 15 B. Background.......................................... 16 C. Legislative History................................. 16 II. Section-by-Section Summary......................................19 III. Votes of the Committee..........................................42 A. Motion to Report the Bill........................... 42 B. Votes on Amendments................................. 42 IV. Budget Effects of the Bill......................................43 A. Committee Estimate of Budgetary Effects............. 43 B. Statement Regarding New Budget Authority and Tax Expenditures....................................... 43 C. Cost Estimate Prepared by the Congressional Budget Office............................................. 43 V. Other Matters to be Discussed under the Rules of the House......50 A. Committee Oversight Findings and Recommendations.... 50 B. Earmarks and Tax and Tariff Benefits................ 50 C. Constitutional Authority Statement.................. 50 D. Information Relating to Unfunded Mandates........... 50 VI. Changes in Existing Law Made by the Bill, as Reported...........50 VII. Additional Views................................................70 The amendment is as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE AND TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Social Security Number Privacy and Identity Theft Prevention Act of 2007''. (b) Table of Contents.--The table of contents is as follows: Sec. 1. Short title and table of contents. Sec. 2. Restrictions on the sale or display to the general public of social security account numbers by governmental entities. Sec. 3. Prohibition of display of social security account numbers on checks issued for payment by governmental entities. Sec. 4. Prohibition of the display of social security account numbers on certain government identification cards or tags. Sec. 5. Prohibition of inmate access to social security account numbers. Sec. 6. Measures to preclude unauthorized disclosure by governmental entities of social security account numbers and protect the confidentiality of such numbers. Sec. 7. Uniform standards for truncation of the social security account number. Sec. 8. Prohibition of the sale, purchase, and display to the general public of the social security account number in the private sector. Sec. 9. New criminal penalties for misuse of social security account numbers. Sec. 10. Extension of civil monetary penalty authority. Sec. 11. Criminal penalties for employees of the Social Security Administration who knowingly and fraudulently issue social security cards or social security account numbers. Sec. 12. Enhanced penalties in cases of terrorism, drug trafficking, crimes of violence, or prior offenses. Sec. 13. Regulatory and enforcement authority with respect to misuse of the social security account number. Sec. 14. Study on feasibility of banning social security account number as an authenticator. SEC. 2. RESTRICTIONS ON THE SALE OR DISPLAY TO THE GENERAL PUBLIC OF SOCIAL SECURITY ACCOUNT NUMBERS BY GOVERNMENTAL ENTITIES. (a) In General.--Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)) is amended by adding at the end the following new clause: ``(x)(I) A governmental entity (as defined in subclause (X)) may not sell or display to the general public any social security account number if such number has been disclosed to such governmental entity pursuant to the assertion by such governmental entity to any person that disclosure of such number is a statutory or regulatory requirement. Notwithstanding the preceding sentence, such number may be sold or displayed to the general public in accordance with the exceptions specified in subclauses (II), (III), (IV), (V), (VI), (VII), and (VIII) (and for no other purpose). ``(II) Notwithstanding subclause (I), a social security account number may be sold by a governmental entity to the extent that such sale is specifically authorized by this Act or the Privacy Act of 1974. ``(III) Notwithstanding subclause (I), a social security account number may be sold by a governmental entity to the extent that is necessary or appropriate for law enforcement or national security purposes, as determined under regulations which shall be issued as provided in section 1129C. ``(IV) Notwithstanding subclause (I), a social security account number may be sold by a governmental entity to the extent that such sale is required to comply with a tax law of the United States or of any State (or political subdivision thereof). ``(V) Notwithstanding subclause (I), a social security account number may be sold by a State department of motor vehicles as authorized under subsection (b) of section 2721 of title 18, United States Code, if such number is to be used pursuant to such sale solely for purposes permitted under paragraph (1), (6), or (9) of such subsection. ``(VI) Notwithstanding subclause (I), a social security account number may be sold or otherwise made available by a governmental entity to a consumer reporting agency (as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f))) for use or disclosure solely for permissible purposes described in section 604(a) of such Act (15 U.S.C. 1681b(a)). ``(VII) Notwithstanding subclause (I), a social security account number may be sold by a governmental entity to the extent necessary for research (other than market research) conducted by any governmental entity for the purpose of advancing the public good, on the condition that the researcher provides adequate assurances that the social security account numbers will not be used to harass, target, or publicly reveal information concerning any identifiable individuals, that information about identifiable individuals obtained from the research will not be used to make decisions that directly affect the rights, benefits, or privileges of specific individuals, and that the researcher has in place appropriate safeguards to protect the privacy and confidentiality of any information about identifiable individuals, including procedures to ensure that the social security account numbers will be encrypted or otherwise appropriately secured from unauthorized disclosure. In the case of medical research, the Commissioner of Social Security shall maintain ongoing consultation with the Office for Civil Rights of the Department of Health and Human Services to ensure that the sale or purchase of social security account numbers which constitute personally identifiable medical information is permitted only in compliance with existing Federal rules and regulations prescribed by the Secretary of Health and Human Services pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (110 Stat. 2033). ``(VIII) Notwithstanding subclause (I), a social security account number may be sold or displayed to the general public by a governmental entity under such other circumstances as may be specified in regulations issued as provided in section 1129C. ``(IX) This clause does not apply with respect to a social security account number of a deceased individual. ``(X) For purposes of this clause, the term `governmental entity' means an executive, legislative, or judicial agency or instrumentality of the Federal Government or of a State or political subdivision thereof, a Federally recognized Indian tribe, or a trustee appointed in a case under title 11, United States Code. Such term includes a person acting as an agent of such an agency or instrumentality, Indian tribe, or trustee. For purposes of this subclause, the term `State' has the meaning provided in subparagraph (D)(iii)(II). ``(XI) For purposes of this clause, the term `sell' means, in connection with a social security account, to obtain, directly or indirectly, anything of value in exchange for such number. Such term does not include the submission of such number as part of the process for applying for any type of Government benefits or programs (such as grants, loans, or welfare or other public assistance programs) or as part of the administration of, or provision of benefits under, an employee benefit plan. ``(XII) For purposes of this clause, the term `display to the general public' shall have the meaning provided such term in section 208A(a)(3)(A). In any case in which a governmental entity requires transmittal to such governmental entity of an individual's social security account number by means of the Internet without ensuring that such number is encrypted or otherwise appropriately secured from disclosure, any such transmittal of such number as so required shall be treated, for purposes of this clause, as a `display to the general public' of such number by such governmental entity for purposes of this clause. ``(XIII) For purposes of this clause, the term `social security account number' includes any derivative of such number. Notwithstanding the preceding sentence, any expression, contained in or on any item sold or displayed to the general public, shall not be treated as a social security account number solely because such expression sets forth not more than the last 4 digits of such number, if the remainder of such number cannot be determined based solely on such expression or any other matter presented in or on such item. ``(XIV) Nothing in the preceding subclauses of this clause shall be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect under any other Federal or State law, except to the extent that such statute, regulation, order, or interpretation is inconsistent with such subclauses, and then only to the extent of the inconsistency. For purposes of this subclause, a statue, regulation, order, or interpretation is not inconsistent with the preceding subclauses of this clause if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under such subclauses.''. (b) Effective Date and Related Rules.-- (1) In general.--Initial final regulations prescribed to carry out the provisions of section 205(c)(2)(C)(x) of the Social Security Act (added by this section) shall be issued not later than the last date of the 18th calendar month following the date of the enactment of this Act. Such provisions shall take effect, with respect to matters governed by such regulations issued by the Commissioner of Social Security or any other agency or instrumentality of the United States, 1 year after the date of the issuance of such regulations by the Commissioner or such other agency or instrumentality, respectively. Such provisions shall apply in the case of displays to the general public, as defined in section 208A(a)(3) of such Act (added by section 8 of this Act), to such displays originally occurring after such 1-year period. Such provisions shall not apply with respect to any display of a record (containing a social security account number (or any derivative thereof)) generated prior to the close of such 1- year period. (2) Sunset of exception.--The last sentence of subclause (XIII) of section 205(c)(2)(C)(x) of the Social Security Act (added by this section) shall cease to be effective with respect to sales or displays to the general public occurring after 2 years after the effective date of the initial final regulations prescribed to carry out the provisions of such section 205(c)(2)(C)(x). SEC. 3. PROHIBITION OF DISPLAY OF SOCIAL SECURITY ACCOUNT NUMBERS ON CHECKS ISSUED FOR PAYMENT BY GOVERNMENTAL ENTITIES. (a) In General.--Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)) (as amended by section 2 of this Act) is amended further by adding at the end the following new clause: ``(xi) No governmental entity (as defined in clause (x)(X)) may include the social security account number of any individual (or any derivative of such number) on any check issued for any payment by such governmental entity or on any document attached to or accompanying such a check.''. (b) Effective Date.--The amendment made by this section shall apply with respect to checks (and documents attached to or accompanying such checks) issued after 1 year after the date of the enactment of this Act. SEC. 4. PROHIBITION OF THE DISPLAY OF SOCIAL SECURITY ACCOUNT NUMBERS ON CERTAIN GOVERNMENT IDENTIFICATION CARDS OR TAGS. (a) In General.--Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)) (as amended by the preceding provisions of this Act) is amended further by adding at the end the following new clause: ``(xii) No governmental entity (as defined in clause (x)(X)), and no other person offering benefits in connection with an employee benefit plan maintained by such governmental entity, may display a social security account number (or any derivative thereof) on any card or tag that is commonly provided-- ``(I) to employees of such governmental entity, ``(II) in the case of a governmental entity which is an educational institution, to its students, or ``(III) in the case of a governmental entity which is a medical institution, to its patients, (or to their family members) for purposes of identification or include on such card or tag a magnetic strip, bar code, or other means of communication which conveys such number (or derivative thereof). The requirements of this clause shall also apply to the Medicare card issued by the Department of Health and Human Services.''. (b) Effective Date.--The amendment made by this section shall apply with respect to cards or tags issued after 1 year after the date of the enactment of this Act, except that the last sentence of section 205(c)(2)(C)(xii) (as added by this section) shall take effect 2 and one-half years after the date of the enactment of this Act. SEC. 5. PROHIBITION OF INMATE ACCESS TO SOCIAL SECURITY ACCOUNT NUMBERS. (a) In General.--Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)) (as amended by the preceding provisions of this Act) is amended further by adding at the end the following new clause: ``(xiii) No governmental entity (as defined in clause (x)(X)) may employ, or enter into a contract for the use or employment of, prisoners in any capacity that would allow such prisoners access to the social security account numbers of other individuals (or any derivatives of such numbers). For purposes of this clause, the term `prisoner' means an individual confined in a jail, prison, or other penal institution or correctional facility.''. (b) Effective Date.-- (1) In general.--Except as provided in paragraph (2), the amendment made by this section shall apply with respect to employment of prisoners, or entry into contract for the use or employment of prisoners, on or after the date of the enactment of this Act. (2) Treatment of current arrangements.--In the case of-- (A) prisoners employed as described in clause (xiii) of section 205(c)(2)(C) of the Social Security Act (as added by this section) on the date of the enactment of this Act, and (B) contracts described in such clause in effect on such date, the amendment made by this section shall take effect 90 days after the date of the enactment of this Act. SEC. 6. MEASURES TO PRECLUDE UNAUTHORIZED DISCLOSURE BY GOVERNMENTAL ENTITIES OF SOCIAL SECURITY ACCOUNT NUMBERS AND PROTECT THE CONFIDENTIALITY OF SUCH NUMBERS. (a) In General.--Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)) (as amended by the preceding provisions of this Act) is amended further by adding at the end the following new clause: ``(xiv) Except as otherwise provided in this paragraph, in the case of any governmental entity (as defined in clause (x)(X)) having access to an individual's social security account number-- ``(I) no officer or employee thereof shall have access to such number for any purpose other than the effective administration of the statutory provisions governing its functions, ``(II) such governmental entity shall restrict, to the satisfaction of the Commissioner of Social Security, access to social security account numbers obtained thereby to officers and employees thereof whose duties or responsibilities require access for the administration or enforcement of such provisions, and ``(III) such governmental entity shall provide such other safeguards as the Commissioner determines to be necessary or appropriate to preclude unauthorized access to the social security account number and to otherwise protect the confidentiality of such number. For purposes of this clause the term `social security account number' includes any derivative thereof.''. (b) Effective Date.--The amendment made by this section shall take effect 1 year after the date of the enactment of this Act. SEC. 7. UNIFORM STANDARDS FOR TRUNCATION OF THE SOCIAL SECURITY ACCOUNT NUMBER. (a) In General.--Section 205(c)(2)(C) of the Social Security Act (42 U.S.C. 405(c)(2)(C)) (as amended by the preceding provisions of this Act) is amended further by adding at the end the following new clause: ``(xv) The truncation by any governmental entity (as defined in clause (x)(X)) or by any person in the private sector of an individual's social security account number which is used by such governmental entity or person otherwise in accordance with the requirements of this Act shall be in accordance with a uniform truncation standard which shall be specified in regulations prescribed by the Commissioner of Social Security. Under such standard, the number as truncated shall set forth not more than the last 4 digits of the number. Nothing in this clause shall be construed to authorize any use of the social security account number which is not otherwise authorized by this title or regulations prescribed thereunder.''. (b) Effective Date.--Initial final regulations prescribed to carry out the provisions of section 205(c)(2)(C)(xv) of the Social Security Act (added by this section) shall be issued not later than the last date of the 18th calendar month following the date of the enactment of this Act. Such provisions shall take effect, with respect to matters governed by such regulations issued by the Commissioner or any other agency or instrumentality of the United States, 1 year after the date of the issuance of such regulations by the Commissioner or such other agency or instrumentality, respectively. SEC. 8. PROHIBITION OF THE SALE, PURCHASE, AND DISPLAY TO THE GENERAL PUBLIC OF THE SOCIAL SECURITY ACCOUNT NUMBER IN THE PRIVATE SECTOR. (a) In General.--Title II of the Social Security Act is amended by inserting after section 208 (42 U.S.C. 408) the following new section: ``prohibition of the sale, purchase, and display to the general public of the social security account number in the private sector ``Sec. 208A. (a) Definitions.--For purposes of this section: ``(1) Person.-- ``(A) In general.--Subject to subparagraph (B), the term `person' means any individual, partnership, corporation, trust, estate, cooperative, association, or any other entity. ``(B) Exclusion of governmental entities.--Such term does not include a governmental entity. Nothing in this subparagraph shall be construed to authorize, in connection with a governmental entity, an act or practice otherwise prohibited under this section or section 205(c)(2)(C). ``(2) Selling and purchasing.-- ``(A) In general.--Subject to subparagraph (B)-- ``(i) Sell.--The term `sell' in connection with a social security account number means to obtain, directly or indirectly, anything of value in exchange for such number. ``(ii) Purchase.--The term `purchase' in connection with a social security account number means to provide, directly or indirectly, anything of value in exchange for such number. ``(B) Exceptions.--The terms `sell' and `purchase' in connection with a social security account number do not include the submission of such number as part of-- ``(i) the process for applying for any type of Government benefits or programs (such as grants or loans or welfare or other public assistance programs), ``(ii) the administration of, or provision of benefits under, an employee benefit plan, or ``(iii) the sale, lease, merger, transfer, or exchange of a trade or business. ``(3) Display to the general public.-- ``(A) In general.--The term `display to the general public' means, in connection with a social security account number, to intentionally place such number in a viewable manner on an Internet site that is available to the general public or to make such number available in any other manner intended to provide access to such number by the general public. ``(B) Internet transmissions.--In any case in which a person requires transmittal to such person of an individual's social security account number by means of the Internet without ensuring that such number is encrypted or otherwise well-secured from disclosure, any such transmittal of such number as so required shall be treated as a `display to the general public' of such number by such person. ``(4) Social security account number.-- ``(A) In general.--The term `social security account number' has the meaning given such term in section 208(e), except that such term includes any derivative of such number. ``(B) 4-digit expression.--Notwithstanding the preceding sentence, for purposes of subsection (b)(1)(A), any expression, contained in or on any item sold or displayed to the general public, shall not be treated as a social security account number solely because such expression sets forth not more than the last 4 digits of such number, if the remainder of such number cannot be determined based solely on such expression or any other matter presented in or on such item. ``(5) Governmental entity.-- ``(A) In general.--The term `governmental entity' means an executive, legislative, or judicial agency or instrumentality of the Federal Government, a State or political subdivision thereof, a Federally recognized Indian tribe, or a trustee appointed in a case under title 11, United States Code. Such term includes a person acting as an agent of such an agency or instrumentality, Indian tribe, or trustee. ``(B) State.--The term `State' includes the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, the Commonwealth of the Northern Marianas, and the Trust Territory of the Pacific Islands. ``(b) Prohibition of Sale, Purchase, and Display to the General Public.-- ``(1) In general.--Except as provided in paragraph (2), it shall be unlawful for any person to-- ``(A) sell or purchase a social security account number or display to the general public a social security account number, or ``(B) obtain or use any individual's social security account number for the purpose of locating or identifying such individual with the intent to harass, harm, or physically injure such individual or using the identity of such individual for any illegal purpose. ``(2) Exceptions.-- ``(A) In general.--Notwithstanding paragraph (1), and subject to paragraph (3), a social security account number may be sold or purchased by any person to the extent provided in this subsection (and for no other purpose) as follows: ``(i) to the extent necessary for law enforcement, including (but not limited to) the enforcement of a child support obligation, as determined under regulations issued as provided in section 1129C; ``(ii) to the extent necessary for national security purposes, as determined under regulations issued as provided in section 1129C; ``(iii) to the extent necessary for public health purposes; ``(iv) to the extent necessary in emergency situations to protect the health or safety of 1 or more individuals; ``(v) to the extent that the sale or purchase is required to comply with a tax law of the United States or of any State (or political subdivision thereof); ``(vi) to the extent that the sale or purchase is to or by a consumer reporting agency (as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f))) for use or disclosure solely for permissible purposes described in section 604(a) of such Act (15 U.S.C. 1681b(a)); and ``(vii) to the extent necessary for research (other than market research) conducted by an agency or instrumentality of the United States or of a State or political subdivision thereof (or a person acting as an agent of such an agency or instrumentality) for the purpose of advancing the public good, on the condition that the researcher provides adequate assurances that-- ``(I) the social security account numbers will not be used to harass, target, or publicly reveal information concerning any identifiable individuals; ``(II) information about identifiable individuals obtained from the research will not be used to make decisions that directly affect the rights, benefits, or privileges of specific individuals; and ``(III) the researcher has in place appropriate safeguards to protect the privacy and confidentiality of any information about identifiable individuals, including procedures to ensure that the social security account numbers will be encrypted or otherwise appropriately secured from unauthorized disclosure. ``(B) Medical research.--In the case of research referred to in subparagraph (A)(vii) consisting of medical research, the Commissioner of Social Security shall maintain ongoing consultation with the Office for Civil Rights of the Department of Health and Human Services to ensure that the sale or purchase of social security account numbers which constitute personally identifiable medical information is permitted only in compliance with existing Federal rules and regulations prescribed by the Secretary of Health and Human Services pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (110 Stat. 2033). ``(3) Consent and other circumstances determined by regulation.--Notwithstanding paragraph (1), a social security account number assigned to an individual may be sold or purchased by any person-- ``(A) to the extent consistent with such individual's voluntary and affirmative written consent to the sale or purchase, but only if-- ``(i) the terms of the consent and the right to refuse consent are presented to the individual in a clear, conspicuous, and understandable manner, ``(ii) the individual is placed under no obligation to provide consent to any such sale or purchase, and ``(iii) the terms of the consent authorize the individual to limit the sale or purchase to purposes directly associated with the transaction with respect to which the consent is sought, and ``(B) under such circumstances as may be deemed appropriate in regulations issued as provided under section 1129C. ``(c) Prohibition of Display on Checks.--It shall be unlawful for any person to include the social security account number of any other individual on any check issued for any payment by such person or on any document attached to or accompanying such a check. ``(d) Prohibition of Unauthorized Disclosure to Government Agencies or Instrumentalities.-- ``(1) In general.--It shall be unlawful for any person to communicate by any means to any agency or instrumentality of the United States or of any State or political subdivision thereof the social security account number of any individual other than such person without the written permission of such individual, unless the number was requested by the agency or instrumentality. In the case of an individual who is legally incompetent, permission provided by the individual's legal representatives shall be deemed to be permission provided by such individual. ``(2) Exceptions.--Paragraph (1) shall not apply to the extent necessary-- ``(A) for law enforcement, including (but not limited to) the enforcement of a child support obligation, or ``(B) for national security purposes, as determined under regulations issued as provided under section 1129C. ``(e) Prohibition of the Displays on Cards or Tags Required for Access to Goods, Services, or Benefits.--No person may display a social security account number on any card or tag issued to any other person for the purpose of providing such other person access to any goods, services, or benefits or include on such card or tag a magnetic strip, bar code, or other means of communication which conveys such number. ``(f) Prohibition of the Displays on Employee Identification Cards or Tags.--No person that is an employer, and no other person offering benefits in connection with an employee benefit plan maintained by such employer or acting as an agent of such employer, may display a social security account number on any card or tag that is commonly provided to employees of such employer (or to their family members) for purposes of identification or include on such card or tag a magnetic strip, bar code, or other means of communication which conveys such number. ``(g) Measures to Preclude Unauthorized Disclosure of Social Security Account Numbers and Protect the Confidentiality of Such Numbers.-- Subject to the preceding provisions of this section, any person having access to the social security account number of any individual other than such person shall, to the extent that such access is maintained for the conduct of such person's trade or business-- ``(1) ensure that no officer or employee thereof has access to such number for any purpose other than as necessary for the conduct of such person's trade or business, ``(2) restrict, in accordance with regulations of the Commissioner of Social Security, access to social security account numbers obtained thereby to officers and employees thereof whose duties or responsibilities require access for the conduct of such person's trade or business, and ``(3) provide such safeguards as may be specified, in regulations of the Commissioner of Social Security, to be necessary or appropriate to preclude unauthorized access to the social security account number and to otherwise protect the confidentiality of such number. ``(h) Deceased Individuals.--This section does not apply with respect to the social security account number of a deceased individual. ``(i) Applicability of Other Protections.--Nothing in the preceding subsections of this section shall be construed as superseding, altering, or affecting any statutory provision, regulation, order, or interpretation in effect under any other Federal or State law, except to the extent that such statutory provision, regulation, order, or interpretation is inconsistent with such subsections, and then only to the extent of the inconsistency. For purposes of this subclause, a statutory provision, regulation, order, or interpretation is not inconsistent with the preceding subsections of this section if the protection such statutory provision, regulation, order, or interpretation affords any person is greater than the protection provided under such subsections.''. (b) Effective Date and Related Rules.-- (1) In general.--Initial final regulations prescribed to carry out the provisions of section 208A of the Social Security Act (added by this section) shall be issued not later than the last date of the 18th calendar month following the date of the enactment of this Act. Such provisions shall take effect, with respect to matters governed by such regulations issued by the Commissioner of Social Security or any other agency or instrumentality of the United States, 1 year after the date of the issuance of such regulations by the Commissioner of Social Security or such other agency or instrumentality, respectively. Section 208A(b) of such Act shall apply in the case of displays to the general public (as defined in section 208A(a)(3) of such Act) to such displays to the general public originally occurring after such 1-year period. Such provisions shall not apply with respect to any such display to the general public of a record (containing a social security account number (or any derivative thereof)) generated prior to the close of such 1- year period. (2) Sunset of exception.--Section 208A(a)(4)(B) of the Social Security Act (added by this section) shall cease to be effective with respect to sales, purchases, or displays to the general public occurring after 2 years after the effective date of the initial final regulations prescribed to carry out the provisions of section 208A of such Act. SEC. 9. NEW CRIMINAL PENALTIES FOR MISUSE OF SOCIAL SECURITY ACCOUNT NUMBERS. (a) In General.--Section 208 of the Social Security Act (42 U.S.C. 408) is amended-- (1) in subsection (a), by inserting ``or'' at the end of paragraph (8) and by inserting after paragraph (8) the following new paragraph: ``(9) willfully acts or fails to act so as to cause a violation of section 208A(b)(1)(B);''. (2) by redesignating subsections (b) through (e) as subsections (c) through (f), respectively; (3) in subsection (c)(1) (as so redesignated), by inserting ``or (b)'' after ``subsection (a)''; and (4) by inserting after subsection (a) the following new subsection: ``(b)(1) Whoever-- ``(A) knowingly, and with intent to commit, or to aid or abet, any activity that constitutes a violation of Federal law, or a violation of any applicable law of a State or political subdivision thereof if the maximum penalty of such applicable law includes imprisonment for 5 years or more-- ``(i) possesses the social security account number of another person without lawful authority, or ``(ii) possesses a social security card, knowing that the social security account number or other identifying information displayed on the card has been altered, counterfeited, or forged or that the card was falsely made, stolen, or obtained from the Social Security Administration by use of false information; if such activity is committed, or aided or abetted, with intent to use such social security account number, social security card, or other identifying information displayed on such card in furtherance of such violation; ``(B) being-- ``(i) an officer or employee of any governmental entity (as defined in section 205(c)(2)(C)(x)(X)), or ``(ii) a person acting as an agent of a governmental entity (as so defined), willfully acts or fails to act so as to cause a violation of clause (vi)(II), (xi), (xii), or (xv) of section 205(c)(2)(C); ``(C) being a trustee appointed in a case under title 11, United States Code (or an officer or employee thereof or a person acting as an agent thereof), willfully acts or fails to act so as to cause a violation of clause (xi) or (xv) of section 205(c)(2)(C); or ``(D) willfully acts or fails to act so as to cause a violation of subsection (c), (d), (e), or (f) of section 208A or, as a person in the private sector, willfully acts or fails to act so as to cause a violation of section 205(c)(2)(C)(xv); shall be guilty of a misdemeanor and upon conviction thereof shall be fined under title 18, United States Code, or imprisoned for not more than 1 year, or both. ``(2)(A) Whoever-- ``(i) with intent to deceive, discloses, sells, or transfers his own social security account number, assigned to him by the Commissioner of Social Security (in the exercise of the Commissioner's authority under section 205(c)(2) to establish and maintain records), to any person; ``(ii) without lawful authority, offers, for a fee, to acquire for any individual, or to assist in acquiring for any individual, an additional social security account number or a number that is purported to be a social security account number; ``(iii) being-- ``(I) an officer or employee of any governmental entity (as defined in section 205(c)(2)(C)(x)(X)), or ``(II) a person acting as an agent of a governmental entity (as so defined), willfully acts or fails to act so as to cause a violation of clause (x), (xiii), or (xiv) of section 205(c)(2)(C); ``(iv) being a trustee appointed in a case under title 11, United States Code (or an officer or employee thereof or a person acting as an agent thereof), willfully acts or fails to act so as to cause a violation of clause (x) or (xiv) of section 205(c)(2)(C); or ``(v) willfully acts or fails to act so as to cause a violation of subsection (b)(1)(A) or (g) of section 208A; shall be fined, imprisoned, or both, as provided in subparagraph (B). ``(B) A person convicted of a violation described in subparagraph (A) shall-- ``(i) be fined under title 18, United States Code, imprisoned not more than 1 year, or both; and ``(ii) if the offense is committed under false pretenses or for commercial advantage, personal gain, or malicious harm, be fined under title 18, United States Code, imprisoned not more than 5 years, or both.''. (b) Effective Dates.--The amendments made by this section shall apply with respect to each violation occurring after the date of the enactment of this Act, except that subparagraphs (B), (C), and (D) of section 208(b)(1) of such Act and clauses (iii), (iv), and (v) of section 208(b)(2)(A) of such Act (added by subsection (a)(3)) shall apply, in connection with violations of clause (x), (xi), (xii), (xiii), (xiv), or (xv) of section 205(c)(2)(C) or section 208A, with respect to each violation occurring on or after the effective date applicable with respect to such violation under section 2, 3, 4, 5, 6, 7, or 8. SEC. 10. EXTENSION OF CIVIL MONETARY PENALTY AUTHORITY. (a) Application of Civil Money Penalties to Elements of Criminal Violations.--Section 1129(a) of the Social Security Act (42 U.S.C. 1320a-8(a)) is amended-- (1) by redesignating paragraphs (2) and (3) as paragraphs (4) and (5), respectively; (2) by designating the last sentence of paragraph (1) as a new paragraph (2), appearing after and below paragraph (1); and (3) by inserting after paragraph (2) (as designated under paragraph (2) of this subsection) the following: ``(3) Any person (including an organization, agency, or other entity) who-- ``(A) uses a social security account number that such person knows or should know has been assigned by the Commissioner of Social Security (in an exercise of authority under section 205(c)(2) to establish and maintain records) on the basis of false information furnished to the Commissioner by any person; ``(B) falsely represents a number to be the social security account number assigned by the Commissioner of Social Security to any individual, when such person knows or should know that such number is not the social security account number assigned by the Commissioner to such individual; ``(C) with intent to deceive, alters a social security card that the person knows or should know was issued by the Commissioner of Social Security, or possesses such a card with intent to alter it; ``(D) buys or sells a card that such person knows or should know is, or is purported to be, a card issued by the Commissioner of Social Security, or possesses such a card with intent to buy or sell it; ``(E) counterfeits a social security card, or possesses a counterfeit social security card with intent to buy or sell it; ``(F) discloses, uses, compels the disclosure of, or knowingly sells or purchases the social security account number of any person in violation of the laws of the United States; ``(G) with intent to deceive the Commissioner of Social Security as to such person's true identity (or the true identity of any other person), furnishes or causes to be furnished false information to the Commissioner with respect to any information required by the Commissioner in connection with the establishment and maintenance of the records provided for in section 205(c)(2); ``(H) without lawful authority, offers, for a fee, to acquire for any individual, or to assist in acquiring for any individual, an additional social security account number or a number which is purported to be a social security account number; ``(I) with intent to deceive, discloses, sells, or transfers his own social security account number, assigned to him by the Commissioner of Social Security under section 205(c)(2)(B), to any person; ``(J) knowingly, and with intent to commit, or to aid or abet, any activity that constitutes a violation of Federal law, or a violation of any applicable law of a State or political subdivision thereof if the maximum penalty of such applicable law includes imprisonment for 5 years or more-- ``(i) possesses a social security account number of another individual without lawful authority, or ``(ii) possesses a social security card, knowing that the social security account number or other identifying information displayed on the card has been altered, counterfeited, or forged or that the card was falsely made, stolen, or obtained from the Social Security Administration by use of false information, if such activity is committed, or aided or abetted, with intent to use such social security account number, social security card, or other identifying information displayed on such card in furtherance of such violation; ``(K) being-- ``(i) an officer or employee of a governmental entity (as defined in section 205(c)(2)(C)(x)(X)), or ``(ii) a person acting as an agent of a governmental entity (as so defined), willfully acts or fails to act so as to cause a violation of clause (vi)(II), (x), (xi), (xii), (xiii), (xiv), or (xv) of section 205(c)(2)(C); ``(L) being a trustee appointed in a case under title 11, United States Code (or an officer or employee thereof or a person acting as an agent thereof), willfully acts or fails to act so as to cause a violation of clause (x), (xi), (xiv), or (xv) of section 205(c)(2)(C); ``(M) violates section 208A (relating to prohibition of the sale, purchase, or display of the social security account number in the private sector) or, as a person in the private sector, violates section 205(c)(2)(C)(xv); or ``(N) violates section 208(g) (relating to fraud by social security administration employees); shall be subject to, in addition to any other penalties that may be prescribed by law, a civil money penalty of not more than $5,000 for each violation. Such person shall also be subject to an assessment, in lieu of damages sustained by the United States resulting from such violation, of not more than twice the amount of any benefits or payments paid as a result of such violation.''. (b) Effective Dates.--The amendments made by this section shall apply with respect to violations committed after the date of the enactment of this Act, except that subparagraphs (J), (K), (L), and (M) of section 1129(a)(3) of the Social Security Act (added by subsection (a)) shall apply with respect to violations of the provisions of clause (x), (xi), (xii), (xiii), (xiv), or (xv) of section 205(c)(2)(C) or section 208A occurring on or after the applicable effective date provided in connection with such provisions under section 2, 3, 4, 5, 6, 7, or 8 of this Act. SEC. 11. CRIMINAL PENALTIES FOR EMPLOYEES OF THE SOCIAL SECURITY ADMINISTRATION WHO KNOWINGLY AND FRAUDULENTLY ISSUE SOCIAL SECURITY CARDS OR SOCIAL SECURITY ACCOUNT NUMBERS. (a) In General.--Section 208 of the Social Security Act (as amended by section 9) is amended further by adding at the end the following new subsection: ``(g)(1) Whoever is an employee of the Social Security Administration and knowingly and fraudulently sells or transfers one or more social security account numbers or social security cards shall, upon conviction, be guilty of a felony and fined under title 18, United States Code, imprisoned as provided in paragraph (2), or both. ``(2) Imprisonment for a violation described in paragraph (1) shall be for-- ``(A) not more than 5 years, in the case of an employee of the Social Security Administration who has fraudulently sold or transferred not more than 50 social security account numbers or social security cards, ``(B) not more than 10 years, in the case of an employee of the Social Security Administration who has fraudulently sold or transferred more than 50, but not more than 100, social security account numbers or social security cards, or ``(C) not more than 20 years, in the case of an employee of the Social Security Administration who has fraudulently sold or transferred more than 100 social security account numbers or social security cards. ``(3) For purposes of this subsection-- ``(A) The term `social security employee' means any State employee of a State disability determination service, any officer, employee, or contractor of the Social Security Administration, any employee of such a contractor, or any volunteer providing services or assistance in any facility of the Social Security Administration. ``(B) The term `social security account number' means a social security account number assigned by the Commissioner of Social Security under section 205(c)(2)(B) or another number that has not been so assigned but is purported to have been so assigned. ``(C) The term `social security card' means a card issued by the Commissioner of Social Security under section 205(c)(2)(G), another card which has not been so issued but is purported to have been so issued, and banknote paper of the type described in section 205(c)(2)(G) prepared for the entry of social security account numbers, whether fully completed or not.''. (b) Effective Date.--The amendment made by this section shall apply with respect to violations occurring on or after the date of the enactment of this Act. SEC. 12. ENHANCED PENALTIES IN CASES OF TERRORISM, DRUG TRAFFICKING, CRIMES OF VIOLENCE, OR PRIOR OFFENSES. (a) Amendments to Title II.--Section 208 of the Social Security Act (as amended by the preceding provisions of this Act) is amended further-- (1) in subsection (a), by striking ``shall be fined'' and all that follows and inserting the following: ``shall be fined, imprisoned, or both, as provided in subsection (c).''; (2) in subsection (b)(2)(B)(ii) (as added by section 9), by striking ``be fined'' and all that follows and inserting the following: ``be fined, imprisoned, or both, as provided in subsection (c).''; (3) by striking subsection (d); (4) by redesignating subsection (c) as subsection (d); and (5) by inserting after subsection (b) the following new subsection: ``(c) A person convicted of a violation described in subsection (a) or a violation described in subsection (b)(2)(A) which is subject to subsection (b)(2)(B)(ii) shall be-- ``(1) fined under title 18, United States Code, or imprisoned for not more than 5 years, or both, in the case of an initial violation, subject to paragraphs (3) and (4), ``(2) fined under title 18, United States Code, or imprisoned for not more than 10 years, or both, in the case of a violation which occurs after a prior conviction for another offense under subsection (a) becomes final, subject to paragraphs (3) and (4), ``(3) fined under title 18, United States Code, or imprisoned for not more than 20 years, in the case of a violation which is committed to facilitate a drug trafficking crime (as defined in section 929(a)(2) of title 18, United States Code) or in connection with a crime of violence (as defined in section 924(c)(3) of title 18, United States Code) involving force against the person of another, subject to paragraph (4), and ``(4) fined under title 18, United States Code, or imprisoned for not more than 25 years, in the case of a violation which is committed to facilitate an act of international or domestic terrorism (as defined in paragraphs (1) and (5), respectively, of section 2331 of title 18, United States Code).''. (b) Amendments to Title VIII.--Section 811 of such Act (42 U.S.C. 1011) is amended-- (1) in subsection (a), by striking ``shall be fined'' and all that follows and inserting ``shall be fined, imprisoned, or both, as provided in subsection (b).''; (2) by redesignating subsection (b) as subsection (c); and (3) by inserting after subsection (a) the following new subsection: ``(b) Punishment.--A person convicted of a violation described in subsection (a) shall be-- ``(1) fined under title 18, United States Code, or imprisoned for not more than 5 years, or both, in the case of an initial violation, subject to paragraphs (3) and (4), ``(2) fined under title 18, United States Code, or imprisoned for not more than 10 years, or both, in the case of a violation which occurs after a prior conviction for another offense under subsection (a) becomes final, subject to paragraphs (3) and (4), ``(3) fined under title 18, United States Code, or imprisoned for not more than 20 years, in the case of a violation which is committed to facilitate a drug trafficking crime (as defined in section 929(a)(2) of title 18, United States Code) or in connection with a crime of violence (as defined in section 924(c)(3) of title 18, United States Code) involving force against the person of another, subject to paragraph (4), and ``(4) fined under title 18, United States Code, or imprisoned for not more than 25 years, in the case of a violation which is committed to facilitate an act of international or domestic terrorism (as defined in paragraphs (1) and (5), respectively, of section 2331 of title 18, United States Code).''. (c) Amendments to Title XVI.--Section 1632 of such Act (42 U.S.C. 1383a) is amended-- (1) in subsection (a), by striking ``shall be fined'' and all that follows and inserting ``shall be fined, imprisoned, or both, as provided in subsection (b).''; (2) by redesignating subsections (b) and (c) as subsections (c) and (d), respectively; and (3) by inserting after subsection (a) the following new subsection: ``(b) A person convicted of a violation described in subsection (a) shall be-- ``(1) fined under title 18, United States Code, or imprisoned for not more than 5 years, or both, in the case of an initial violation, subject to paragraphs (3) and (4), ``(2) fined under title 18, United States Code, or imprisoned for not more than 10 years, or both, in the case of a violation which occurs after a prior conviction for another offense under subsection (a) becomes final, subject to paragraphs (3) and (4), ``(3) fined under title 18, United States Code, or imprisoned for not more than 20 years, in the case of a violation which is committed to facilitate a drug trafficking crime (as defined in section 929(a)(2) of title 18, United States Code) or in connection with a crime of violence (as defined in section 924(c)(3) of title 18, United States Code) involving force against the person of another, subject to paragraph (4), and ``(4) fined under title 18, United States Code, or imprisoned for not more than 25 years, in the case of a violation which is committed to facilitate an act of international or domestic terrorism (as defined in paragraphs (1) and (5), respectively, of section 2331 of title 18, United States Code).''. (d) Effective Date.--The amendments made by this section shall apply with respect to violations occurring after the date of the enactment of this Act. SEC. 13. REGULATORY AND ENFORCEMENT AUTHORITY WITH RESPECT TO MISUSE OF THE SOCIAL SECURITY ACCOUNT NUMBER. Title XI of the Social Security Act is amended by inserting after section 1129B (42 U.S.C. 1320a-7b) the following new section: ``regulatory and enforcement authority with respect to misuse of the social security account number ``Sec. 1129C. (a) Regulatory Authority.-- ``(1) In general.--The Commissioner of Social Security shall prescribe regulations to carry out the provisions of clauses (vi)(II), (x), (xi), (xii), (xiii), (xiv), and (xv) of section 205(c)(2)(C) and section 208A. Such regulations shall be issued in consultation with the Federal Trade Commission, the Attorney General of the United States, the Secretary of Homeland Security, the Secretary of Health and Human Services, the Secretary of the Treasury, the Federal banking agencies (as defined in section 3 of the Federal Deposit Insurance Act), the National Credit Union Administration, the Securities and Exchange Commission, State attorneys general, and such representatives of the State insurance commissioners as may be designated by the National Association of Insurance Commissioners. ``(2) Treatment of matters relating to law enforcement and national security.--In issuing the regulations described in paragraph (1) with respect to the provisions of 205(c)(2)(C)(x)(III), paragraph (A) or (B) of section 208A(b)(2), or section 208A(c)(2) (relating to law enforcement and national security), the sale or purchase of Social Security account numbers may be authorized only if the Commissioner (or the agency or instrumentality delegated authority to issue such regulations under paragraph (5)) determines that-- ``(A) such sale or purchase would serve a compelling public interest that cannot reasonably be served through alternative measures, and ``(B) such sale or purchase will not pose an unreasonable risk of identity theft, or bodily, emotional, or financial harm to an individual (taking into account any restrictions and conditions that the agency or instrumentality issuing the regulations imposes on the sale, purchase, or disclosure). ``(3) Treatment of other matters in general discretion of the commissioner.-- ``(A) In general.--In issuing the regulations described in paragraph (1) with respect to the provisions of section 205(c)(2)(C)(x)(VIII) or section 208A(b)(3)(B), the sale, purchase, or display to the general public of social security account numbers may be authorized only after considering, among other relevant factors-- ``(i) the extent to which the authorization of the sale, purchase, or display of the social security account number would serve a compelling public interest that cannot reasonably be served through alternative measures, ``(ii) the associated cost or burden of the authorization to the general public, businesses, commercial enterprises, non-profit organizations, and Federal, State, and local governments; and ``(iii) the associated benefit of the authorization to the general public, businesses, commercial enterprises, non-profit associations, and Federal, State, and local governments. ``(B) Restrictions and conditions.--If, after considering the factors in subparagraph (A), the sale, purchase, or display to the general public of social security account numbers is authorized under regulations referred to in subparagraph (A), the Commissioner (or the agency or instrumentality delegated authority to issue such regulations under paragraph (5)) shall impose restrictions and conditions on the sale, purchase, or display to the general public to the extent necessary-- ``(i) to provide reasonable assurances that social security account numbers will not be used to commit or facilitate fraud, deceptions, or crime, and ``(ii) to prevent an unreasonable risk of identity theft or bodily, emotional, or financial harm to any individual, considering the nature, likelihood, and severity of the anticipated harm that could result from the sale, purchase, or display to the general public of social security account numbers, together with the nature, likelihood, and extent of any benefits that could be realized. ``(C) 5-year expiration date for regulations.--At the end of the 5-year period beginning on the effective date of any final regulations issued pursuant to this paragraph-- ``(i) such regulations shall expire, and ``(ii) new regulations may be issued pursuant to this paragraph. ``(4) Administrative procedure.--In the issuance of regulations pursuant to this subsection, notice shall be provided as described in paragraphs (1), (2), and (3) of section 553(b) of title 5, United States Code, and opportunity to participate in the rule making shall be provided in accordance with section 553(c) of such title. ``(5) Delegation to other agencies.--Any agency or instrumentality of the United States may exercise the authority of the Commissioner under this subsection, with respect to matters otherwise subject to regulation by such agency or instrumentality, to the extent determined appropriate in regulations of the Commissioner. ``(6) Consultation and coordination.--Each agency and instrumentality exercising authority to issue regulations under this subsection shall consult and coordinate with the other such agencies and instrumentalities for the purposes of assuring, to the extent possible, that the regulations prescribed by each such agency or instrumentality are consistent and comparable, as appropriate, with the regulations prescribed by the other such agencies and instrumentalities. The Commissioner shall undertake to facilitate such consultation and coordination. ``(7) Definitions and special rules.-- ``(A) For purposes of this subsection, the terms `sell', `purchase', and `display to the general public' shall have the meanings provided such terms under section 205(c)(2)(C)(x) or section 208A(a), as applicable. ``(B) For purposes of this subsection, section 205(c)(2)(C)(x)(XI) shall apply. ``(b) Coordination of Enforcement With Other Agencies.--The Commissioner may provide, by regulation, for enforcement by any other agency or instrumentality of the United States of the provisions of section 208A and regulations prescribed pursuant to subsection (a)(1) with respect to section 208A. ``(c) Actions by States With Respect to Misuse in Private Sector or by State and Local Governments.-- ``(1) Civil actions.--In any case in which the attorney general of a State (as defined in section 205(c)(2)(C)(x)(X)) has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice described in paragraph (2), the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction, to-- ``(A) enjoin that act or practice; ``(B) enforce compliance with the regulation; ``(C) obtain civil penalties in an amount of $11,000 per violation not to exceed a total of $5,000,000; or ``(D) obtain such other legal and equitable relief as the district court may consider to be appropriate. Before filing an action under this subsection, the attorney general of the State involved shall provide to the Commissioner of Social Security and the Attorney General of the United States a written notice of that action and a copy of the complaint for that action. If the State attorney general determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action, the State attorney general shall provide the written notice and the copy of the complaint as soon after the filing of the complaint as practicable. Any reference in this subsection to the attorney general of a State shall be deemed also to be a reference to any equivalent official of such State. ``(2) Acts or practices subject to enforcement.--An act or practice described in this paragraph is-- ``(A) an act or practice by an executive, legislative, or judicial agency or instrumentality of the State involved or a political subdivision thereof, a person acting as an agent thereof, or any officer or employee of the foregoing or person acting as an agent of the foregoing that violates clause (vi)(II), (x), (xi), (xii), (xiii), (xiv), or (xv) of section 205(c)(2)(C) or any regulation promulgated thereunder, or ``(B) an act or practice by any person that violates section 208A or any regulation promulgated thereunder. ``(3) Attorney general authority.--On receiving notice under paragraph (1), the Attorney General of the United States shall have the right-- ``(A) to move to stay the action, pending the final disposition of a pending Federal matter as described in paragraph (4); ``(B) to intervene in an action under paragraph (1); ``(C) upon so intervening, to be heard on all matters arising therein; and ``(D) to file petitions for appeal. ``(4) Pending criminal proceedings.--If the Attorney General of the United States has instituted a criminal proceeding under section 208 alleging an act or practice described in paragraph (2) in connection with any State, such State may not, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in the criminal proceeding. ``(5) Rule of construction.--For purposes of bringing any civil action under paragraph (1), nothing in this subsection shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence. ``(6) Venue; service of process.--Any action brought under paragraph (1) may be brought in any district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code. In an action brought under paragraph (1), process may be served in any district in which the defendant is an inhabitant or may be found. ``(d) Remedies to Individuals for Violations by the Federal Government of Requirements Relating to Social Security Account Numbers.-- ``(1) Civil actions.--Any individual who is aggrieved by an act or practice by any person acting as an officer, employee, or agent of an agency or instrumentality of the Federal Government in violation of the requirements of clause (vi)(II), (x), (xi), (xii), (xiii), (xiv), or (xv) of subsection (c)(2)(C) with respect to the social security account number assigned to such individual under subsection (c)(2)(B) may commence a civil action for appropriate equitable relief or actual damages. ``(2) Venue; service of process.--An action under this subsection action may be brought in the district court of the United States for the judicial district in which the plaintiff resides, or has his principal place of business, in which the violation took place, or in which the defendant resides or may be found, and process may be served in any other district in which a defendant resides or may be found. ``(3) Jurisdiction.--The district courts of the United States shall have jurisdiction, without respect to the amount in controversy or the citizenship of the parties, to grant the relief provided for in paragraph (1). ``(4) Attorney's fees.--In any action under this subsection, the court in its discretion may allow a reasonable attorney's fee and costs of action to either party. ``(e) Ongoing GAO Review on Efficacy of Regulations.-- ``(1) In general.--The Comptroller General of the United States shall conduct an ongoing review of the efficacy of the regulations prescribed by any agency or instrumentality of the United States pursuant to this section. Such review shall consider the extent to which such regulations are consistent with, and in furtherance of the purposes of, the amendments made by the Social Security Number Privacy and Identity Theft Prevention Act of 2007. ``(2) Report.--Not later than 4 years after the effective date of any final regulations issued by any agency or instrumentality of the United States pursuant to this section, the Comptroller General shall report to each House of the Congress regarding the results of the review of such regulations conducted under this paragraph. Such report shall include the Comptroller General's recommendations for such statutory or regulatory changes as the Comptroller General considers appropriate.''. SEC. 14. STUDY ON FEASIBILITY OF BANNING SOCIAL SECURITY ACCOUNT NUMBER AS AN AUTHENTICATOR. (a) Study.--As soon as practicable after the date of the enactment of this Act, the Commissioner of Social Security shall enter into an arrangement with the National Research Council under which the Council shall carry out a study to determine-- (1) the extent of the use of social security account numbers as a primary means of authenticating identity; (2) the extent of the use of social security account numbers for verification in commercial transactions; and (3) the feasibility of a prohibition on such use. The study shall also examine possible alternatives to social security account numbers for verification purposes and uses in authenticating identity. (b) Report.--The arrangement entered into with the Council under this section shall provide for submission by the Council to the Commissioner and to each House of the Congress of a report setting forth the results of the Council's study under this section, together with the Council's findings and recommendations, no later than 1 year after the effective date of the initial final regulations issued by the Commissioner pursuant to the amendments made by section 2 of this Act. I. INTRODUCTION A. Purpose and Summary The purpose of the ``Social Security Number Privacy and Identity Theft Prevention Act of 2007,'' H.R. 3046, is to enhance Social Security number (SSN) privacy protections, prevent misuse of SSNs, and to otherwise enhance protections against identity theft. The bill would restrict the sale, purchase and display to the general public of SSNs in the public and private sectors; provide additional measures to protect SSN privacy; and create criminal and civil monetary penalties for persons who misuse SSNs. B. Background The SSN was created in 1936 to track workers' earnings for the purpose of paying Social Security taxes and determining eligibility and benefit amounts upon retirement, or later upon disability. Since 1936, the Social Security Administration (SSA) has issued more than 400 million SSNs. Although the SSN was originally created for administering the Social Security program, its use has expanded dramatically throughout both the public and private sectors. Federal use of the SSN was first mandated by President Roosevelt in 1943 with Executive Order 9397. This Executive Order required that any Federal department establishing a new system of permanent account numbers pertaining to an individual must exclusively utilize the SSN and that such personal information must be kept confidential. Today the SSN is required for the administration of a number of government benefit programs and the Federal income tax. In addition to uses mandated by Federal law, the SSN is also widely used in the public and private sectors for purposes that are neither required nor prohibited by law. As a result, the SSN is generally regarded as the single-most widely used record identifier by both government and private sectors within the United States. Ubiquitous use of SSNs and the ease with which individuals can access another person's SSN have raised serious concerns over privacy and opportunities for identity theft and fraud. The Federal Trade Commission (FTC), SSA, the SSA Inspector General and others acknowledge that SSNs play a pivotal role in identity theft. Even worse, terrorists may steal, fake, or purchase SSNs in order to operate in our society and abet their nefarious acts. The FTC reported in 2003 that 10 million Americans fell prey to identity theft in the prior year. A more recent survey by Gartner, Inc. estimated the number of identity theft victims at 15 million in 2006. The FTC study found that victims spent an estimated $5 billion to rehabilitate their good names, and businesses lost over $50 billion to identity theft-related fraud in a single year. Protecting the privacy of SSNs will help to protect our individual and national security. The absence of overarching Federal law regulating the sale, purchase, and public display of SSNs, and the growing threat represented by SSN misuse and identity theft, have prompted a need to better protect the privacy and integrity of SSNs. C. Legislative History During the 106th Congress, the Subcommittee on Social Security held hearings on Social Security program integrity on March 30, 2000 (106-38); representative payees on May 4, 2000 (106-57); use and misuse of SSNs on May 9 and May 11, 2000 (106-108); and the processing of attorney's fees on June 14, 2000 (106-70). The information gained from these hearings led to the introduction of H.R. 4857, the ``Privacy and Identity Protection Act of 2000,'' on July 13, 2000. The bill enhanced privacy protections for individuals, prevented fraudulent misuse of the SSN, and provided additional safeguards for Social Security and Supplemental Security Income (SSI) beneficiaries with representative payees. A further hearing on protecting privacy and preventing misuse of the SSN was held on July 17, 2000 (106-43). On July 20, 2000, the Subcommittee on Social Security ordered favorably reported H.R. 4857, as amended. The Committee on Ways and Means ordered the bill favorably reported, as amended on September 28, 2000 (H. Rept. 106-996 Part 1). The bill was not considered by the full House, as other committees of jurisdiction did not complete consideration of the bill. During the 107th Congress, the Subcommittee on Social Security held a hearing on protecting privacy and preventing misuse of SSNs on May 22, 2001 (107-31). In response to information gathered at this hearing and previous hearings in the 106th Congress, H.R. 2036, the ``Social Security Number Privacy and Identity Theft Prevention Act of 2001,'' was introduced on May 25, 2001. The bill restricted the sale, purchase, and display of SSNs, limited dissemination of SSNs by credit reporting agencies, and made it more difficult for businesses to deny services if a customer refused to provide his or her SSN. Further hearings were held on preventing identity theft by terrorists and criminals, held jointly with the Committee on Financial Services, Subcommittee on Oversight and Investigations on November 8, 2001 (107-51); protecting the privacy of SSNs and preventing identity theft on April 29, 2002 (107-71); and preserving the integrity of SSNs and preventing their misuse by terrorists and identity thieves, held jointly with the Committee on Judiciary, Subcommittee on Immigration, Border Security, and Claims on September 19, 2002 (107-81). Neither the House nor the Senate acted on the bill. During the 108th Congress, the Subcommittee on Social Security held a hearing on the use and misuse of SSNs on July 10, 2003 (108-35). The Government Accountability Office (GAO-- then known as the General Accounting Office) witness testified that SSNs are widely utilized in both the public and private sectors as an identifier, and cited numerous examples where public and private databases had been compromised and personal data, including SSNs, had been stolen. They also found that in some cases, the display of SSNs in public records and easily accessible websites provided an opportunity for identity thieves. The SSA Inspector General testified that the most important step in preventing SSN misuse is to limit its easy availability through public records, sale on the open market, and unnecessary use. Consumer advocate witnesses testified regarding the growing crime of identity theft, its impact on victims, and the need to protect the privacy of SSNs. A law enforcement witness testified that SSNs arekey to the takeover of another individual's identity, described difficulties in prosecuting identity theft, and stated the need to restrict SSN use to necessary purposes. Based on information gathered at this hearing and hearings in previous Congresses, Social Security Subcommittee Chairman E. Clay Shaw, Jr. and Ranking Member Robert T. Matsui introduced H.R. 2971, the ``Social Security Number Privacy and Identity Theft Prevention Act of 2003,'' on July 25, 2003. The bill was referred to the Committee on Ways and Means, the Committee on Financial Services, and the Committee on Energy and Commerce. The Subcommittee on Social Security held a further hearing on enhancing SSN privacy on June 15, 2004, and marked up the bill on July 15, 2004. The bill was reported favorably to the full Committee on Ways and Means on July 15, 2004, as amended, by voice vote. On July 21, 2004, the Committee on Ways and Means marked up H.R. 2971, as amended by the Subcommittee. Chairman Thomas offered an amendment in the nature of a substitute, which was agreed to by voice vote. The Committee then ordered favorably reported H.R. 2971, as amended, by a roll call vote of 33 yeas to 0 nays. The bill was not considered by the full House, as other committees of jurisdiction did not complete consideration of the bill. In addition, during the 106th, 107th, 108th and 109th Congresses, Subcommittee Chairman Shaw and other Members of Congress asked the GAO for a number of reports to inform the debate on SSN privacy and integrity. These reports explained how government agencies and private sector businesses such as consumer reporting agencies, information resellers, and health care organizations collect, utilize, and safeguard SSNs (Social Security: Government and Commercial Use of the Social Security Number is Widespread, GAO/HEHS-99-28; Social Security Numbers: Government Benefits from SSN Use But Could Provide Better Safeguards, GAO-02-352; Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information, GAO 04-11; Social Security Numbers: Use is Widespread and Protections Vary, GAO-04-768T; Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, GAO-06- 674). During the 109th Congress, the Subcommittee on Social Security held a series of five hearings on SSN high risk issues. The hearings addressed the role of SSNs in abetting identity theft, and discussed the impact of prohibiting or restricting the use, sale, purchase, or display of SSNs by individuals, businesses, or the government. Based on these and prior hearings, Subcommittee Chairman Shaw and Full Committee Ranking Member Charles B. Rangel introduced H.R. 1745, the ``Social Security Number Privacy and Identity Theft Protection Act of 2005,'' on April 20, 2005. The bill was referred to the Committee on Ways and Means, the Committee on Financial Services, and the Committee on Energy and Commerce. The bill was not reported. During the 110th Congress, the Subcommittee on Social Security held a hearing on protecting the privacy of the SSN from identity theft on June 21, 2007. The GAO witness testified that SSNs are vulnerable to misuse because there is no Federal standard for truncating SSNs, which allows identity thieves to piece together portions of SSNs from different sources. The SSA Inspector General testified that Federal efforts to protect the SSN should be improved by limiting the use of the SSNs on school and hospital identification cards. An expert on technology and data privacy testified that the SSN should not be used as an identifier or authenticator, that steps should be taken to reduce the use and exposure of SSNs, and that businesses have alternatives to over-reliance on SSNs for record matching and verification. Also during the 110th Congress, GAO issued a report identifying which Federal agencies provide records containing SSNs to state and local record keepers, and the significant vulnerabilities that remain in the protection of SSNs in public records (Social Security Numbers: Federal Actions Could Further Decrease Availability in Public Records, though Other Vulnerabilities Remain, GAO-07- 752). Based on information gathered at this hearing and hearings in previous Congresses, Social Security Subcommittee Chairman Michael R. McNulty and Ranking Member Sam Johnson introduced H.R. 3046, the ``Social Security Number Privacy and Identity Theft Prevention Act of 2007,'' on July 16, 2007. The bill was referred to the Committee on Ways and Means. On July 18, 2007, the Committee marked-up the bill; and Chairman Rangel offered an amendment in the nature of a substitute, which was agreed to by voice vote. The Committee then ordered favorably reported H.R. 3046, as amended, by a rollcall vote of 41 yeas to 0 nays. II. SECTION-BY-SECTION SUMMARY Sec. 1. Short title CURRENT LAW No provision. EXPLANATION OF PROVISION Section 1 provides that the Act may be cited as the ``Social Security Number Privacy and Identity Theft Prevention Act of 2007.'' REASON FOR CHANGE The section identifies the short title for the bill. Sec. 2. Restrictions on the sale or display to the general public of Social Security account numbers by governmental entities CURRENT LAW The SSN is required by law for the administration of a number of Federal programs. In addition, Federal law permits States to require the SSN in the administration of certain State programs, and in other cases Federal law requires the States to use the SSN in the administrationof Federal or State programs. No Federal law regulates the overall use of SSNs by Federal, State or local governments. The ``Department of Transportation and Related Agencies Appropriations Act'' (P.L. 106-346) amended the ``Driver's Privacy Protection Act of 1994'' (P.L. 103-322) to require States to obtain express consent of drivers before sharing or selling drivers' ``highly restricted personal information,'' including SSNs, except under very limited circumstances. EXPLANATION OF PROVISION The bill would restrict the sale or display to the general public of full or partial SSNs by Federal, State or local governmental agencies and their agents, by a Federally recognized Indian tribe, or by a bankruptcy trustee. The sale of SSNs would be permitted as follows: 1. As specifically authorized by the ``Social Security Act'' (P.L. 74-271) or the ``Privacy Act of 1974'' (P.L. 93- 579), which includes data-matching performed by SSA and reimbursed by other agencies for the administration of programs whose purposes are compatible with the Social Security Act; 2. For law enforcement or national security purposes; 3. For tax compliance; 4. By State departments of motor vehicles for use by a government agency in carrying out its functions; for use by an insurer for claims investigation, anti-fraud activities, and rating or underwriting; and for use by an employer to obtain or verify information about a holder of a commercial driver's license; 5. To a consumer reporting agency under the ``Fair Credit Reporting Act'' (FCRA, P.L. 91-508) solely for use or disclosure for permissible purposes under the FCRA as follows: as ordered by a court or a Federal grand jury subpoena; as instructed by the consumer in writing; for the extension of credit based on a consumer's application; for review or collection of a consumer's account; for employment purposes; for insurance underwriting based on a consumer's application; when there is a legitimate business need regarding a transaction the consumer initiates; to review whether a customer meets the terms of his or her account; to determine a consumer's eligibility for a license or other benefit granted by a government agency; to analyze the credit or prepayment risks associated with an existing credit obligation; and for use by State and local officials for child support payment purposes; 6. For government research advancing the public good. In addition, the Commissioner of Social Security would be permitted to authorize sale and display to the general public of SSNs in other circumstances as determined appropriate. The restrictions on sale or display to the general public of SSNs would not apply to SSNs of deceased persons. The restrictions that would be established under this provision would not override other restrictions or limitations in Federal or State law or regulations in effect to the extent that they provide greater protections for SSNs than would be created under this bill. The bill would define ``governmental entity'' as an executive, legislative, or judicial agency or instrumentality of the Federal or State government, including a Federally recognized Indian tribe, a bankruptcy trustee, and agents of the entity. The bill would define ``sell'' as obtaining anything of value, directly or indirectly, in exchange for an SSN. However, the submission of the SSN in the process of applying for government benefits or programs, and in the administration of an employee benefit plan, would not be considered a sale. ``Display to the general public'' would mean to intentionally place an SSN in a viewable manner on an Internet site that is available to the general public or to provide access to the general public by other means. In addition, requiring an individual to transmit his or her SSN over the Internet without ensuring the number is encrypted or otherwise protected would be considered a prohibited display to the general public. ``Social Security account number'' would include a partial SSN. However, the bill would provide a temporary exemption permitting government entities to sell and publicly display the last four digits of an SSN for two years after the effective date of the final regulations. REASON FOR CHANGE The Federal government created the SSN, under the authority of the Social Security Act, and its use has since been required for a broad range of interactions between individuals and the government, including tax administration, many benefit programs, and driver's and professional licenses. While there are laws protecting the privacy of SSNs held by certain agencies or under specific circumstances, there is no comprehensive law protecting the privacy of SSNs held by Federal, State, and local government agencies. As a result, SSNs may be sold, displayed on the Internet, or otherwise made available to the general public on paper, computer disk, or other means to individuals requesting a copy--for example through open court or other government records--and may be obtained by third parties who can subsequently sell or display the information to others. Since SSNs are the key to accessing an individual's financial and other personal information, the wide accessibility of SSNs has raised serious concerns over privacy. Testimony before the Subcommittee on Social Security highlights the relative ease by which an individual can obtain another person's SSN and use the information to commit identity theft or other crimes. Restricting the display to the general public and sale of SSNs by governments will help curb fraudulent activity by making it more difficult for criminals to access this personal information. The bill would provide specific exceptions to permit the continuation of SSN exchanges that provide important benefits in the public interest such as law enforcement; administration of government programs, including SSI, Medicaid, and unemployment insurance; administration of employee benefits; limited commercial purposes such as granting credit and insurance; tax administration; and government research advancing the public good. In addition, authority would be given to the Commissioner to authorize sale and display to the general public of SSNs as determined appropriate under guidelines specified in section 13 of the bill. Since SSN use is so pervasive in both the public and private sectors, is linked to so many government and business transactions, and because of evolving needs regarding SSN utilization and new technologies to facilitate information exchanges, this exception is intended to allow the Commissioner or agencies to which it delegates authority to thoroughly evaluate how SSNs are sold and displayed, the degree to which they are convenient versus essential to such exchanges, and to modify the rules as needed. However, it is expected that this authority would be used extremely judiciously, and not merely for the sake of facilitating transactions or data-matching that could be reasonably accomplished without the use of the SSN. In comparing the costs and benefits of authorizing SSN sale or display to the general public and whether the authorization serves a compelling public interest that cannot reasonably be served through alternative measures, it is expected that the Commissioner and other agencies would give significant weight to the need to maintain individuals' privacy and safety, as well as the bill's purpose of preventing identity theft. With respect to the exception for research advancing the public good, the intent is to preserve the government's ability to conduct scientific, epidemiological, and social scientific research that would benefit the public. In the case of research involving medical information on individuals, it is expected that SSA will only authorize sale of SSNs in strict compliance with Federal rules and regulations on the privacy of medical information. The bill also provides a ``transition rule,'' which permits the government to use the last four digits of the SSN where the sale or public display is otherwise prohibited, to provide a period of transition to less reliance overall on the SSN and its derivatives. In combination with the effective date of the implementation rules, this transition rule permits government sale and display of the SSN for four and one-half years after enactment, in order to accommodate the transition to the prohibitions on sale and public display. The restrictions on sale and display to the general public of SSNs would not apply to the SSNs of deceased persons. This is because the sale and public availability of information on deceased individuals is necessary to prevent waste, fraud, and abuse. SSA compiles a Death Master File (DMF), which contains the name, date of birth, date of death, SSN, and other information for about 70 million individuals. The SSA DMF is used by leading government, financial, investigative, and credit reporting organizations, in medical research and by other industries to verify identity as well as to prevent fraud and comply with the ``Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001'' (USA PATRIOT Act, P.L. 107-56). The restrictions on sale and display by government agencies, trustees, and their agents would only apply to SSNs they require individuals or others to provide. During Social Security Subcommittee hearings on the bill, court and other public records administrators testified they receive numerous documents filed by individuals, businesses, and attorneys that often include SSNs the government did not require to be submitted, and of which they are therefore unaware. They stated redaction of ``incidentally'' included SSNs would create a serious administrative burden, and it would require significant resources to review each document and redact such incidental SSNs. Therefore, the bill would make government agencies, trustees, and their agents responsible only for those SSNs they require individuals to submit, since they should be able to easily locate and redact them. For example, a court requiring individuals to provide their SSNs on a coversheet for filed documents could remove the coversheet or redact the SSN before selling the court record or displaying it to the general public. With respect to SSNs submitted in court documents absent the court's requirement to do so, the individual communicating the SSN in the document, not the court, would be held responsible according to section 8 of the bill. The restrictions established under this bill would serve as a floor of protection for SSNs, and are not intended to override SSN protections in Federal or State law or regulations in effect to the extent they provide greater restrictions on SSN sale, purchase, or display to the general public than would be created under the bill. For example, this bill is not intended to circumvent the provision included in section 1735 of the ``Food, Agriculture, Conservation, and Trade Act of 1990'' (P.L. 101-624) preventing the disclosure of SSNs maintained as the result of laws enacted on or after October 1, 1990. EFFECTIVE DATE Initial final regulations to carry out the provisions would have to be issued by the Commissioner of Social Security or any other agency to which the Commissioner delegates authority within 18 calendar months after the date of enactment. The provisions would take effect one year after issuance of initial final regulations. The provisions would not apply to display of records generated prior to the date the provisions become effective. The temporary exemption to allow sale and display of the last four digits of the SSN would expire two years after the effective date of the initial final regulations. Sec. 3. Prohibition of display of Social Security account numbers on checks issued for payment by governmental entities CURRENT LAW No Federal law regulates the overall use of SSNs by Federal, State, or local governments. However, the ``Social Security Number Confidentiality Act of 2000'' (P.L. 106-433) specifically directed the Secretary of the Treasury to take necessary action to ensure that SSNs are not visible on or through unopened mailings of checks or other drafts. EXPLANATION OF PROVISION The bill would prohibit Federal, State, or local governments, or bankruptcy trustees, from including full or partial SSNs on checks issued for payment or on any documents accompanying checks. REASON FOR CHANGE The Subcommittee on Social Security has heard testimony from the Postal Inspection Service and consumer advocates that mail theft and rifling through trash for discarded documents are means by which identity thieves gain access to personal information, including SSNs. EFFECTIVE DATE Provision would apply with respect to checks (and documents attached to or accompanying such checks) issued after one year after enactment. Sec. 4. Prohibition of the display of Social Security account numbers on certain government identification cards or tags CURRENT LAW No provision. EXPLANATION OF PROVISION The bill would prohibit government agencies and those providing employee benefits for a government agency from displaying an individual's full or partial SSN on any identification card or tag issued to employees or employees' family members; on identification cards issued to students at government educational institutions; on identification tags issued to patients at government medical institutions; and on Medicare cards. This would include use of a magnetic strip, bar code, or other means of communication to convey the full or partial SSN. REASON FOR CHANGE SSNs are often utilized as employee identification numbers or customer account numbers for the sake of convenience. However, the display of SSNs on military identification tags, employee identification cards, student identification cards, patient identification cards and tags, health benefit cards, the Medicare card, customer cards, and on other cards or tags that are required to be submitted or displayed to others, which are frequently carried in individuals' wallets, unnecessarily increases the risk of identity theft. Similar prohibitions have been enacted under several State laws, and the Centers for Medicare and Medicaid Services and the Department of Defense are both evaluating their use of SSNs in light of identity theft concerns. This provision is not intended to prevent inclusion of encrypted SSNs (those that are transformed by a secret code to appear as other than the nine-digit number assigned by the Commissioner of Social Security when read or otherwise accessed by unauthorized parties). EFFECTIVE DATE Provision would apply with respect to cards or tags issued after one year after enactment, except for Medicare cards, for which the prohibition would first apply two and one-half years after enactment. Sec. 5. Prohibition of inmate access to Social Security account numbers CURRENT LAW No provision. EXPLANATION OF PROVISION The bill would prohibit Federal, State or local governments from employing prisoners in any capacity that would allow prisoners access to full or partial SSNs of other individuals. REASON FOR CHANGE Prisoners, including those who may have been incarcerated for identity theft, should not have access to SSNs or derivatives of SSNs, thereby posing a serious risk of identity theft or fraud. The Subcommittee on Social Security has heard testimony regarding a serious instance where use of prisoner labor to process personal information resulted in a case of stalking (Beverly Dennis, et al v. Metromail, et al., No. 96- 04451, District Court, Travis County, Texas). EFFECTIVE DATE Provision would apply with respect to employment or entry into contract for employment of prisoners on or after enactment. In the case of employment or contracts for employment in effect on the date of enactment, provision would take effect 90 days after enactment. Sec. 6. Measures to preclude unauthorized disclosure by governmental entities of Social Security account numbers and protect the confidentiality of such numbers CURRENT LAW The Social Security Act requires officers and employees of Federal and State governments to keep SSNs and related records confidential. It also prohibits officers and employees from disclosing SSNs or related records. The Privacy Act of 1974 requires Federal agencies to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of the agencies' systems of records. The term ``records'' includes any personally identifiable item or information about an individual that is maintained by an agency. EXPLANATION OF PROVISION With respect to Federal, State, and local government employees and their agents, the bill would restrict access to SSNs and any derivative thereof to employees whose responsibilities require access for administration or enforcement of the government agency's functions. Government agencies and their agents would be required to provide safeguards to prevent unauthorized access to SSNs and protect their confidentiality. REASON FOR CHANGE There have been numerous reported cases of computer hackers obtaining SSNs from universities and other institutions. In addition, the Subcommittee on Social Security has heard testimony on how identity theft rings may plant an employee inside an organization to access SSNs and other personal information. Finally, there have been numerous recent instances where government agencies have failed to adequately secure confidential data which includes SSNs, such as the U.S. Department of Veterans Affairs and the State of Ohio. Also, the Personal Responsibility and Work Opportunity Act of 1996 (P.L. 105-33) requires state agencies to collect SSNs from applicants for professional licenses, drivers' licenses and marriage licenses. In 1997, the Balanced Budget Act (P.L. 104-193) amended this requirement to include recreational licenses. The goal of these provisions was to enhance the ability of family support agencies to locate parents who were not supporting their children and enforce child support payment orders. Citizens obtain drivers licenses, professional licenses and marriage licenses in government offices. Hunting, fishing and boating licenses, in addition to being available through government offices or online, are typically sold in retail stores, outdoor marinas, or public parks, where, according to testimony provided to the Subcommittee on Social Security in 2006, transactions are relatively open; employees processing the sale are often young, seasonal workers with very little training of any type; and data security protocols rarely include more than closing the cover on the receipt book. The Committee believes that government agencies and their agents (as in the case of retailers of recreational licenses) that ask or require individuals to provide their SSN to obtain benefits or services have a responsibility to safeguard SSNs from unauthorized access by employees or other individuals. This provision is not intended to prevent government employees or those to whom government agencies contract work from accessing SSNs in cases where it is necessary for performance of their duties, or to impede data exchanges between government agencies that include SSN information and are in accordance with section 2 of the bill. For example, it is not the intent to prevent State unemployment insurance agencies from sending wage records or claim information to other Federal, State, or local government agencies (e.g. for purposes of determining eligibility or benefit amounts for Temporary Assistance to Needy Families, Housing and Urban Development assistance, Food Stamps, SSI, etc.). EFFECTIVE DATE Provision would take effect one year after the date of enactment. Sec. 7. Uniform standards for truncation of the Social Security account number CURRENT LAW No provision. EXPLANATION OF PROVISION This bill would restrict the sale, purchase, and public display of the SSN, and certain other uses of the SSN, in both the public and private sectors. In situations not regulated by this bill, government entities and the private sector may voluntarily choose to use a truncated version of the SSN. However, if they choose to do so, the bill would require any truncated version of an individual's SSN to be limited to not more than the last four digits of the SSN. REASON FOR CHANGE A 2007 report by the GAO (Social Security Numbers: Federal Actions Could Decrease Availability in Public Records, though Other Vulnerabilities Remain, GAO-07-752), recommended that Congress enact truncation standards for SSNs. GAO found that because there are no uniform truncation standards, identity thieves may be able to reconstruct full SSNs by combining different truncated versions of the SSN available from public and private sources. This bill would create a uniform truncation standard--limited to no more than the last four digits of the SSN, which are randomly generated--with which government and private sector entities must comply to limit identity thieves' access to full or partial SSNs. EFFECTIVE DATE Initial final regulations to carry out the provisions would have to be issued by the Commissioner (or any agency to which it delegates authority) within 18 calendar months after the date of enactment. The provision would take effect one year after issuance of initial final regulations. Sec. 8. Prohibition of the sale, purchase, and display to the general public of the Social Security account number in the private sector CURRENT LAW The Gramm-Leach-Bliley Act (GLBA, P.L. 106-102) restricts the ability of financial institutions to disclose nonpublic personal information about consumers, including SSNs, to nonaffiliated third parties, although consumers must opt-out of such sharing arrangements.Moreover, GLBA allows financial institutions to sell SSNs among their affiliates, who may number in the thousands and may not themselves be financial institutions. Consumers have no opt-out right under GLBA against selling of SSNs to affiliates, which is often done for marketing purposes. FCRA regulates businesses that regularly provide information about consumers to third parties for purposes of determining eligibility for credit, employment, insurance, and for any other legitimate business need in a transaction initiated by a consumer. Entities that provide such reports on consumers are considered to fall under FCRA's coverage. Moreover, FCRA requires companies that provide such information to abide by certain consumer protections, such as allowing consumers to view and correct inaccuracies in such reports. The ``Health Insurance Portability and Accountability Act'' (HIPAA, P.L. 104-191) Privacy Rule limits health plans, health care clearinghouses, and health care providers from disclosing certain protected information, including SSNs. Individuals must give specific authorization before health care providers and other covered entities may disclose protected information in most non-routine circumstances. However, no Federal law regulates the overall sale, purchase, and display to the general public of SSNs in the private sector. EXPLANATION OF PROVISION The bill would prohibit the sale, purchase or display to the general public of a full or partial SSN. It also prohibits using an SSN to find an individual with the intent to harass, harm, or physically injure the individual, or using the individual's identity for illegal purposes. The bill would provide exceptions to the prohibitions on SSN sale and purchase for law enforcement, including but not limited to enforcement of a child support obligation; national security purposes; public health; in emergency situations to protect the health or safety of one or more individuals; for tax compliance; by or to a consumer reporting agency for use or disclosure for permissible purposes described in FCRA (see Explanation of Provision under section 2 of the bill); and government or publicly-funded research (for advancing the public good and with restrictions to protect privacy of individuals). The bill would also provide an exception for sale and purchase of SSNs with the affirmative, written consent of the individual so long as consent is voluntary, the terms are presented clearly and conspicuously, and the individual may limit the sale or purchase to purposes directly associated with the transaction. In addition, the Commissioner of Social Security would be permitted to authorize sale, purchase or public display of SSNs in other circumstances as deemed appropriate. The bill would prohibit the display of the full or partial SSN of another person on any check issued for payment or on any documents accompanying checks. The bill would prohibit the unauthorized disclosure of another person's SSN to a government agency or instrumentality that did not request the SSN. In addition, the bill would prohibit the display of full or partial SSNs on employee identification cards or tags, or cards or tags businesses and others require individuals to use to access goods and services. The restrictions would also prohibit including the SSN on a magnetic strip, bar code, or other means which would convey the SSN. The bill would require businesses and other entities that collect and store SSNs to prevent unauthorized access by employees or other individuals. These prohibitions would not apply to SSNs of deceased persons. The restrictions that would be established under this provision would not override other restrictions or limitations in Federal or State law or regulations in effect to the extent they provide greater protections for SSNs than would be created under this provision in the bill. The bill would define a ``person'' to which these prohibitions apply as any individual, partnership, corporation, trust, estate, cooperation, association, or any other entity, other than a governmental entity. The bill would define ``sell'' as obtaining, directly or indirectly, anything of value in exchange for the SSN. ``Purchase'' would mean to provide, directly or indirectly, anything of value in exchange for the SSN. The terms ``sell'' and ``purchase'' would not include submission of the SSN when applying for government benefits or programs, use of SSNs in administration of employee benefit plans, or incidental transmission of SSNs as part of the sale, lease, merger, transfer, or exchange of a trade or business. The exception for the transfer of an SSN as part of the sale, lease, merger, transfer, or exchange of a trade or business in the definitions of ``sell'' and ``purchase'' recognizes that there may be SSNs embedded in data files, employee files or loan documents of legitimate businesses that may be transferred when a business or certain assets are sold, where the transfer of the SSN is incidental to the transaction. The Committee intends that this exception encompasses not only the sale of a trade or business in its entirety, but also the sale of parts of a business and the sale of assets, but only where the primary economic value being transferred is derived from assets other than personally identifiable information such as SSNs. Examples of such a covered transfer of assets include a proposed or actual securitization, secondary market sale, sale of servicing rights, or similar transaction related to mortgages and student loans, where an SSN is embedded in the loan file. If SSNs are included in such a transfer, then the recipient is obligated to safeguard them as required under the bill. ``Display to the general public'' would mean to intentionally place an SSN in a viewablemanner on an Internet site that is available to the general public or to provide access to the general public by other means. In addition, requiring an individual to transmit his or her SSN over the Internet without ensuring the number is encrypted or otherwise protected would be considered a prohibited display to the general public. ``Social Security account number'' would include any derivative of the SSN. However, with respect to the restrictions on sale, purchase or public display of the SSN, the bill would provide a temporary exemption permitting private entities to purchase, sell and publicly display the last four digits of an SSN for two years after the effective date of the final regulations. REASON FOR CHANGE Use of SSNs in the private sector has proliferated for purposes unrelated to administration of the Social Security program, collection of taxes, or other purposes authorized under Federal law. Businesses often request SSNs from their customers. For example, information resellers, consumer reporting agencies, and financial institutions obtain SSNs and other personal information from customers, public records, and other sources to determine an individual's identity and accumulate information about them for certain purposes, which may include for marketing purposes or to provide that information to businesses or others for a fee. As a result, Americans are increasingly concerned that the SSN they disclose for one purpose may be subsequently sold to third parties and used for other purposes without their knowledge or consent. For example, an individual discloses his or her SSN to get a bank loan. The bank sends the information to a consumer reporting agency to request a credit report. The consumer reporting agency assembles information on the individual and associates it with the SSN. Under current law, the consumer reporting agency may then incidentally or purposefully sell the SSN and other information to insurance companies, credit companies, information resellers, law enforcement, government agencies, private investigators, and others. Financial institutions are allowed under current law to disclose nonpublic personal information they gather from consumers or from other sources such as credit bureaus to their affiliates, which may number in the thousands and may not themselves be financial institutions. Affiliations between businesses and financial institutions may often be based on joint-marketing agreements, thus the sale of nonpublic personal information such as SSNs is often done for marketing purposes. In addition, such widespread use of SSNs increases the risk that business employees, computer hackers, or others may obtain unauthorized access and misuse SSNs to commit identity theft or other crimes. According to a 2003 survey sponsored by the FTC, among identity theft victims who knew the identity of the criminal, 23 percent said the person responsible worked at a company or financial institution that had access to the victim's personal information. The bill would restrict the sale, purchase, and display to the general public of SSNs. For example, display to the general public would include making records containing SSNs available on paper, computer disk, or other media, in addition to display over the Internet. The bill would also require that SSNs be appropriately safeguarded when collected and stored. The intent is to limit transmission of SSNs in order to minimize opportunities for SSN misuse and identity theft. In limiting the transmission of SSNs, it is not the intent to prevent individuals from voluntarily providing their own SSNs to facilitate a transaction that they initiate or to prevent businesses from utilizing SSNs in a transaction that the individual authorizes. For example, if an individual voluntarily gives his or her own SSN to a business so that it may provide goods or services, it is not the intent of the bill to call such an exchange the ``sale'' or ``purchase'' of the SSN simply because it is facilitating the transaction. The prohibition against the sale or purchase of SSNs would not prevent financial institutions from complying with the customer identification program requirements of the USA PATRIOT Act. Under the USA PATRIOT Act, banks, savings associations, credit unions and securities firms are required to verify identification information provided by their customers when establishing an account. Financial institutions that utilize verification services offered by consumer reporting agencies and other information resellers generally are not selling or purchasing their customers' SSNs when they check them against a database because the financial institution and the verification service provider each already possess the SSN. The verification service merely affirms whether the SSN and other identification information provided by the customer to the financial institution match the information in the provider's database. If the SSN itself is not being exchanged for something of value, then the transaction would not be considered a sale or purchase of the SSN. With respect to the exemption for activities of consumer reporting agencies for purposes described in section 604(a) of FCRA, sales and purchases of SSNs by CRAs that are in furtherance of those specified purposes (such a sale or purchase of an SSN as part of authenticating a customer's identity in order to ensure that he or she receives the correct report, or compiling information used in providing a consumer report) are not intended to constitute a prohibited sale or purchase under the bill. The exemption for tax compliance recognizes that SSNs are also used in tax administration, and that tax law extends to a wide variety of transactions including, for example, payment of mortgages where interest is tax-deductible, securities sales, and even car loans, where if there is a default and the creditor writes off the loss, the value of the discharged debt must be reported for tax purposes. In addition, during the course of the Subcommittee on Social Security's consideration of the bill, the Federal Deposit Insurance Corporation (FDIC) and some financial institutions expressed concern that the bill's restrictions on sale and purchase of SSNs could be interpreted to impede the FDIC's resolution or liquidation of failed insured depository institutions, or other business mergers and acquisitions. The bill's language specifying that ``sell'' or ``purchase'' does not include the sale, lease, merger, transfer, or exchange of a trade or business is intended to make clear that the FDIC may share SSNs in carrying out its responsibilities, and SSNs may be conveyed as part of the merger, acquisition, etc. of a business. With respect to the exception for research advancing the public good, the intent is to preserve the government's ability to conduct scientific, epidemiological, and social scientific research that would benefit the public. It is not intended to facilitate private commercial research for product or service development or marketing. In the case of non-publicly sponsored or funded research advancing the public good, the Commissioner would have the ability to authorize SSN sale and purchase where appropriate, under its general regulatory authority. In the case of research involving medical information on individuals, it is expected that the Commissioner will only authorize sale of SSNs in strict compliance with Federal rules and regulations on the privacy of medical information. With respect to the exception for affirmative written consent of the individual, the intent is to enable individuals to authorize the sale or purchase of their own SSNs if they determine it is in their own best interest. Businesses and others soliciting such consent from the individual must explain clearly and understandably what giving consent would entail and the uses that might be made of the individual's SSN. Preferably, the explanation and solicitation of consent would be a distinct document or other communication separate from other explanations or solicitations from the business or other persons. The terms of consent, and the explanation of the right to refuse consent or to limit the SSN's exchange solely to a specific transaction, should not be obscured by other explanations, authorizations, solicitations or other text that might be included in the same document. No individual should be obligated to provide consent; however, businesses and others may provide an explanation of the advantages and disadvantages (with equal prominence given to both) of providing versus refusing consent. With respect to the exception permitting the Commissioner to authorize additional exceptions to the general prohibition on SSN sale, purchase, and display to the general public, for the same reasons discussed under section 2 of the bill, the expectation is that this authority would be used extremely judiciously and only when there are no other reasonable alternative measures that could attain the same objective. For the same reasons discussed under section 3, the bill would prohibit display of another individual's SSN on any check issued for payment or documents accompanying the checks because identity thieves may gain access to personal information, including SSNs, by rifling through trash for discarded documents. Section 2 of the bill would prohibit government agencies from selling or displaying to the general public SSNs they require individuals to disclose to the government. However, many of the SSNs that appear in government records-- particularly court records, documents from attorneys, title companies, or other businesses and individuals--are the result of including a person's SSN on papers submitted to the court for the sake of convenience. Government agencies do not have the resources to comb through innumerable documents searching for such ``incidental'' inclusion of SSNs. As a result, an individual's SSN could be displayed to the public without the government record-keeper realizing it. Therefore, to prevent inadvertent sale or display of SSNs by government agencies, the bill would prohibit the submission of the SSN to government agencies absent the government agency's requiring that the number be submitted or the individual's written consent. Thus, this provision does not prohibit submission of another individual's SSN for the purpose of applying for benefits on their behalf, such as when a parent files an application on behalf of a child. Also, for the same reasons discussed under section 4, the bill would prevent private sector employers and those providing employee benefits from displaying an individual's full or partial SSN on any identification card or tag issued to the employee or an employee's family member. In addition, the bill would prevent businesses from displaying full or partial SSNs on cards or tags used to access goods and services. Individuals who must carry such cards and tags with their SSNs are at greater risk of identity theft should their wallets or purses be stolen or lost. According to an FTC-sponsored survey, 14 percent of identity theft victims said their personal information was obtained from a lost or stolen wallet or checkbook. This provision is not intended to prevent inclusion of encrypted SSNs (those that are transformed by a secret code to appear as other than the nine-digit number assigned by the Commissioner of Social Security when read or otherwise accessed by unauthorized parties). The restrictions on private sector sale, purchase, and display to the general public of SSNs would not apply to the SSNs of deceased persons. This is because the sale and public availability of information on deceased individuals is necessary to prevent fraud. As mentioned in the discussion under section 2 of the bill, the SSA DMF is used by both public and private sector entities to prevent fraud and comply with the USA PATRIOT Act. By methodically running financial, credit, payment and other applications against the DMF, the financial community, insurance companies, security firms and State and local governments are better able to identify and prevent identity fraud. The USA PATRIOT Act requires an effort to verify the identity of customers, including procedures to verify customer identity and maintaining records of information used to verify identity. As discussed under section 2, this bill is intended to serve as a floor of protection for SSNs and is not intended to override SSN protections in Federal or State law or regulations in effect to the extent they provide greater restrictions. For example, this bill is not intended to enable SSN sale, purchase, or display to the general public by health providers that would otherwise be prohibited under the HIPAA Privacy Rule. EFFECTIVE DATE Initial final regulations to carry out the provisions would have to be issued by the Commissioner or any other agency to which the Commissioner delegates authority within 18 calendar months after the date of enactment. The provisions would take effect one year after issuance of initial final regulations. The prohibition on public display of SSNs would only apply with respect to records generated after the effective date of the regulations. The temporary exemption to allow purchase, sale and display of the last four digits of the SSN would expire two years after the effective date of the initial final regulations. Sec. 9. New criminal penalties for misuse of Social Security account numbers CURRENT LAW Section 208 of the Social Security Act provides criminal penalties for fraudulently obtaining an SSN from SSA or the misuse of an SSN. In such cases, section 208 specifies that persons shall be guilty of a felony and upon conviction shall be fined under Title 18, United States Code (up to $250,000 for an individual and up to $500,000 for an organization) and/or imprisoned for up to five years. In addition, depending upon the facts, certain sections under Title 18 of the United States Code are applicable to the misuse of SSNs, including 18 U.S.C. Sec. 1028(a)(7), the ``Identity Theft and Assumption Deterrence Act of 1998'' (P.L. 105-318), which prohibits the knowing transfer or use of another person's SSN without lawful authority. The ``Internet False Identification Prevention Act of 2000'' (P.L. 106-578) closed some loopholes in the ``Identity Theft and Assumption Deterrence Act of 1998'' by prohibiting the transfer of a false identification document by electronic means, including on a template or computer file or disk. Lastly, the ``Identity Theft Penalty Enhancement Act'' (P.L. 108-275) establishes penalties for aggravated identity theft. The law prescribes sentences, to be imposed in addition to the punishments provided for the related felonies, of: (1) two years' imprisonment for knowingly transferring, possessing, or using, without lawful authority, a means of identification of another person during and in relation to specified felony violations; and (2) five years' imprisonment for knowingly taking such action with respect to a means of identification or a false identification document during and in relation to specified felony violations pertaining to terrorist acts. The law also prohibits a court from: (1) placing any person convicted of such a violation on probation; (2) reducing any sentence for the related felony to take into account the sentence imposed for such a violation; or (3) providing for concurrent terms of imprisonment for a violation of this Act and a violation under any other Act. The law also expands the existing identify theft prohibition to: (1) cover possession of a means of identification of another with intent to commit specified unlawful activity; (2) increase penalties for violations; and (3) include acts of domestic terrorism within the scope of a prohibition against facilitating an act of international terrorism. Finally, the law modifies provisions regarding embezzlement and theft of public money, property, or records to provide for combining amounts from all the counts for which the defendant is convicted in a single case for purposes of determining which penalties apply. EXPLANATION OF PROVISION The bill would expand the types of SSN misuse to which criminal penalties apply and would establish a two-tier penalty structure that creates new categories of misdemeanor and felony violations. The bill would provide for criminal misdemeanor penalties, which are subject to fines under Title 18 of the United States Code and/or imprisonment for up to one year. It would apply to government employees and private sector individuals who: (1) display SSNs on checks issued for payment; (2) display SSNs on identification cards; or (3) violate the uniform truncation standards. It would apply to private sector entities who communicate another person's SSN to a government entity when not required. It would apply to government employees who display SSNs on drivers' licenses and vehicle registrations. Finally, the misdemeanor penalty would apply to the knowing unlawful possession of another person's SSN card or a fraudulent SSN card with an intent to use the SSN in furtherance of a violation of law. The bill would also provide for criminal felony penalties, which are subject to fines under Title 18 of the United States Code and/or imprisonment for up to five years. The felony provision would apply to individuals who obtain or use an SSN with intent to harass, harm or physically injure another person. The bill would also create enhanced penalties for repeat offenders and for violations committed to facilitate drug trafficking or terrorism. Finally, the bill would provide for both criminal misdemeanor and felony penalties for certain violations. These penalties apply to persons who sell their own SSN with the intent to deceive, or assist an individual in acquiring an additional SSN for a fee. It would apply to government entities that: (1) sell or display the SSN in violation of section 2 of the bill; (2) give inmates access to SSNs; or (3) fail to protect SSNs as required under section 6 of the bill. It would also apply to private sector entities who: (1) sell, purchase or display the SSN in violation of section 8 of the bill; or (2) fail to protect the confidentiality of the SSN in violation of section 8 of the bill. These violations would be subject to a felony charge if they are committed under false pretenses, or for commercial advantage, personal gain, or malicious harm. REASON FOR CHANGE Identity theft often begins with the misuse of an SSN. While advances have been made to prosecute those individuals who assist another person to improperly acquire an additional SSN or a number that purports to be an SSN, SSA Inspector General and the Department of Justice have continued to encounter some problems, for example in prosecuting individuals who operate over the Internet or at a flea market. It is appropriate to close loopholes to prevent individuals assisting another person to improperly acquire an additional SSN or a number that purports to be an SSN. In addition, it is appropriate to establish penalties for those who violate the prohibitions on sale, purchase and display to the general public established under this bill. In addition, the SSA Inspector General has investigated individuals who have sold or transferred their own SSN to a third person with intent to deceive and has encountered problems in the prosecution. While such an individual may potentially be prosecuted under the criminal statutes involving conspiracy or aiding and abetting, because of the gravity of SSN misuse, it is appropriate to address this problem head on and provide criminal penalties when an individual sells or transfers his or her own SSN with intent to deceive. With respect to violations that are punishable as either a misdemeanor or a felony, this two-tier structure is intended to provide prosecutors with additional flexibility in charging violators. The ``aggravating'' circumstances under which a violation would be a felony rather than a misdemeanor are drawn from the HIPAA Privacy Rule, which also contains a multi-tiered structure of penalties. EFFECTIVE DATE The criminal penalties would apply to violations that occur after enactment, except for violations of prohibitions created under this bill. In such cases, the criminal penalties would apply to violations that occur on or after the applicable effective dates. Sec. 10. Extension of civil monetary penalty authority CURRENT LAW Section 1129 of the Social Security Act authorizes the Commissioner to impose civil monetary penalties and assessments on any person who makes a false statement or representation of a material fact, or omits a material fact while providing a statement, for use in determining eligibility for Social Security or SSI benefits or the benefit amount. The Commissioner may impose a civil monetary penalty of up to $5,000 for each violation, and an assessment of up to twice the amount of benefits or payments paid as a result of such violation. Currently, an individual who improperly obtains an SSN from SSA or misuses another person's SSN is not subject to civil monetary penalties and assessments under section 1129, except in cases of SSN misuse related to the receipt of Social Security or SSI benefits. EXPLANATION OF PROVISION The bill would expand the types of activities to which civil monetary penalties and assessments apply. Specifically, it would authorize the Commissioner to impose (in addition to any other penalties that may apply) civil monetary penalties and assessments on persons who: (1) use an SSN obtained through false information; (2) falsely represent an SSN to be their own; (3) with intent to deceive, alter an SSN card; (4) buy or sell an SSN card or a card purported to be an SSN card; (5) counterfeit an SSN card; (6) disclose, use or compel the disclosure of the SSN of any person in violation of any Federal law; (7) provide false information to obtain an SSN; (8) offer to acquire, for a fee, an additional SSN for an individual; (9) disclose, sell or transfer a person's own SSN with intent to deceive; (10) knowingly possess an SSN unlawfully or possess an altered or counterfeited SSN with the intent to commit a felony; (11) as a government officer, violate prohibitions on display of SSNs on drivers' licenses, sale and display of SSNs, displaying SSNs on checks and identification cards, inmate access to SSNs, security and protection of SSNs, or truncation standards; (12) as a bankruptcy trustee, sell or display SSNs, display SSNs on checks, fail to protect the confidentiality of SSNs, or violate truncation standards; (13) sell, purchase or display SSNs, or violate truncation standards; or (14) as an SSA employee, violate section 11 of the bill (relating to fraudulent issuance of SSNs). REASON FOR CHANGE SSN misuse, not related to the determination of eligibility for, or the amount of, Social Security or SSI benefits, can also result in considerable costs for the government, the private sector, and individuals who are victims of fraud. In many cases, the costs of SSN misuse extend beyond monetary losses. The SSN is a valuable commodity today for criminals. As the Subcommittee on Social Security has heard in testimony, the use of the SSN has grown so that it is interwoven into many aspects of every day life. It has become the de facto national identifier, used as a ``breeder document'' to obtain a driver's license or a credit card, open a bank account or secure a loan. Because of the prevalence of the use of the SSN in society and the gravity of SSN misuse, it is appropriate to provide for civil monetary penalties and assessments for violations of the law relating to SSN misuse in general. EFFECTIVE DATE The civil monetary penalties would apply to violations that occur after enactment, except with respect to violations of prohibitions created under this bill. In such cases, the civil monetary penalties would apply to violations that occur on or after the applicable effective date. Sec. 11. Criminal penalties for employees of the Social Security Administration who knowingly and fraudulently issue Social Security cards or Social Security account numbers CURRENT LAW SSA employees who fraudulently sell SSNs to third parties may be tried under a number of criminal statutes, including but not limited to 18 U.S.C. 371 (conspiracy) and 18 U.S.C. Sec. 641 (theft of government property). EXPLANATION OF PROVISION The bill would provide for criminal penalties for SSA employees (including contract workers, State Disability Determination Service workers and volunteers in an SSA facility) who knowingly and fraudulently sell or transfer SSNs or Social Security cards, with the penalty based on the number of SSNs or Social Security cards fraudulently issued, as follows: (1) up to 50 SSNs or cards: up to 5 years imprisonment; (2) 51 to 100 SSNs or cards: up to 10 years imprisonment; or (3) 101 or more SSNs or cards: up to 20 years imprisonment. REASON FOR CHANGE Crimes of fraud against the integrity of the SSN are of great concern because of the far-reaching implication such crimes have upon the integrity of SSA, the potential impact on innocent individuals due to identity theft, and possible misuse of SSNs in terrorist activities. This is especially true when the crime is perpetrated, at least in part, by an SSA employee. SSA employees issuing SSNs are in a position of trust. When this trust is violated, the effect on SSA's programs and operations and on the public in general can be devastating. Fortunately, the number of SSA employees taking part in these crimes is small, but participation in such crimes by any SSA employee to any extent cannot be tolerated. SSA and the SSA Inspector General are concerned that current laws do not provide an adequate deterrent to SSA employees tempted to facilitate these crimes. In several recent investigations involving SSA employees, the employee when caught has received little, if any, prison time though the employee may have fraudulently issued hundreds of SSNs. The Committee is concerned because the SSNs issued have usually not previously been issued to anyone else. Even a thorough credit check would not show this SSN to be fraudulent. This could allow a criminal to more easily assimilate into our society. Therefore, it is appropriate to provide for enhanced criminal penalties for SSA employees who abuse their position of trust and assist in the fraudulent issuance of SSNs. EFFECTIVE DATE The penalties would apply to violations that occur on or after enactment. Sec. 12. Enhanced penalties in cases of terrorism, drug trafficking, crimes of violence, or prior offenses CURRENT LAW Sections 208, 811 and 1632 of the Social Security Act (regarding Social Security benefits, Special Benefits for Certain World War II Veterans and SSl benefits, respectively) provide that persons who willingly and knowingly commit fraud shall be guilty of a felony and upon conviction shall be fined under Title 18, United States Code, and/or imprisoned for up to five years. Examples of violations to which penalties apply include making false statements or representations of fact to obtain benefits or increase benefit payments; failing to disclose an event that affects an individual's initial or continued right to receive benefits; and engaging in various types of SSN misuse or fraud (such as using an SSN obtained on the basis of false information; falsely representing an SSN to be one's own with intent to deceive; buying or selling an SSN card; counterfeiting an SSN card; or disclosing, using or compelling the disclosure of the SSN of any person in violation of any Federal law). Penalties apply to violations committed by individuals (or organizations) acting in the capacity of a representative payee (or prospective representative payee) for a beneficiary other than the individual's spouse. If the court determines that the violation also includes willful misuse of funds, the court may require full or partial restitution of funds to the beneficiary. EXPLANATION OF PROVISION The bill would enhance criminal penalties under sections 208, 811 and 1632 of the Social Security Act with respect to (a) repeat offenders and (b) violations committed to facilitate a drug trafficking crime, a crime of violence, or an act of international or domestic terrorism. Specifically, the bill would provide for: (1) fines and/or imprisonment for up to five years for first offenders; (2) fines and/or imprisonment for up to 10 years for repeat offenders; (3) fines or imprisonment for up to 20 years for persons convicted of violations for the purpose of facilitating a drug trafficking crime or a crime of violence against persons; and (4) fines or imprisonment for up to 25 years for persons convicted of violations for the purpose of facilitating an act of international or domestic terrorism. REASON FOR CHANGE The expanded use of the SSN in today's society has made it a very valuable commodity for criminals. As the Subcommittee on Social Security has heard in several hearings, the SSN is considered a prime ``breeder document,'' a valuable commodity used to obtain a driver's license or credit card, as well as open a bank account or obtain a loan. In addition to being a lynchpin for identity theft crimes, the SSN also assists terrorists in assimilating into our society and avoiding detection. The integrity of the SSN is vital. Its importance in both identity theft and homeland security is universally recognized. Providing new, enhanced, structured penalties appropriately reflects the vital importance of the SSN and the commitment of the Congress, SSA and the SSA Inspector General to its protection. EFFECTIVE DATE The penalties would apply to violations that occur after enactment. Sec. 13. Regulatory and enforcement authority with respect to misuse of the Social Security account number CURRENT LAW No provision. EXPLANATION OF PROVISION The bill would direct the Commissioner of Social Security to issue regulations regardingthe sale, purchase, or display to the general public of SSNs and to provide an opportunity for public comment on regulations in accordance with the ``Administrative Procedure Act'' (P.L. 79-404). The Commissioner would be required to consult with the Attorney General of the United States, the Secretary of Health and Human Services, the Secretary of Homeland Security, the Secretary of the Treasury, the Federal Trade Commission, the Comptroller of the Currency, the Director of the Office of Thrift Supervision, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Securities and Exchange Commission, State Attorneys General and representatives of the State insurance commissioners as designated by the National Association of Insurance Commissioners. When authorizing the sale, purchase, or display of SSNs for law enforcement or national security purposes, the Commissioner would be required to find that the sale, purchase or display would serve a compelling public interest that cannot reasonably be served through alternative measures, and would not pose an unreasonable risk of identity theft, or harm to an individual. The Commissioner would be able to authorize the sale, purchase, or display to the general public of SSNs for purposes other than law enforcement or national security, only after considering whether the authorization serves a compelling public interest and considering the costs and benefits to the general public, businesses, commercial enterprises, non-profit associations, and governments. If the Commissioner authorizes the sale, purchase, or display to the general public of SSNs, he or she would be required to impose restrictions and conditions to reduce the likelihood of fraud and crime and to prevent an unreasonable risk of identity theft or bodily, emotional or financial harm to individuals. The Committee intends that any exceptions made under this section of the bill by SSA, or any other agency to which rulemaking authority is delegated, would conform to the purposes of this Act: to prevent SSN misuse and identity theft by reducing the availability of SSNs in documents obtainable by identity thieves. The Committee expects SSA or other agencies to consider an exception to allow the sale or purchase of SSNs to the extent necessary to prevent fraud in financial transactions initiated by a consumer. FCRA requires information sellers to comply with certain consumer protections if they are compiling and selling consumer information for determining consumer eligibility for credit, employment, insurance, licensing and other government benefits, or for any other legitimate business need in transactions initiated by the consumer. Any further exceptions promulgated by an agency regarding fraud should be tailored narrowly to the purpose of detecting and investigating fraud in violation of civil or criminal statutes and/or regulations or identity theft. Furthermore, they should be written in such manner that does not allow sellers or buyers of SSNs to circumvent the requirements and applicability of FCRA by selling or buying SSNs for purposes already covered by the exception relating to section 604(a) of FCRA, but doing so in a way that does not subject them to FCRA's regulations. Finally, SSNs sold or bought under such an exception should be restricted from use for any secondary purposes not related to the transaction. The Commissioner would have the authority to delegate rulemaking to other Federal agencies, as appropriate. The Commissioner would delegate this authority to any agency or instrumentality which would otherwise have regulatory authority over such matters. The Commissioner would also facilitate coordination and consistent rulemaking and enforcement by other agencies. With respect to any regulation issued under the Commissioner's general authority to provide for an exemption from the bill's prohibition on sale, purchase or display, such regulations would expire five years after their effective dates. One year prior to the expiration of the regulations, GAO would be required to conduct a review of the efficacy of the regulations and the extent to which such regulations are consistent with and in furtherance of the purpose of this bill. The Commissioner may use the results of the review to issue new regulations consistent with the guidelines provided in this bill, as listed above. This bill would authorize any State Attorney General to bring a civil action in a United States district court to enforce compliance with the statute and related regulations by State and local governments and the private sector. An Attorney General may bring an action when he or she has reason to believe that an interest of the State's residents is threatened or adversely affected by State or local governments or private entities that violate this statute. Attorneys General may seek to enjoin the act or practice, enforce compliance with the regulation, obtain limited civil penalties of $11,000 per violation not to exceed a total of $5,000,000, or other appropriate legal and equitable relief. In addition, this bill would give individuals limited standing to sue a Federal agency for violations of prohibitions and requirements established under this bill. An individual would be allowed to sue a Federal agency in a United States district court only if the individual's SSN was involved in the violation. The individual would only be allowed to sue for injunctive relief and actual damages, and could recover attorney's fees and costs of the action. REASON FOR CHANGE The SSN is widely used throughout the public and private sectors. Some uses are authorized or required under law, others are to facilitate data-matching and record-keeping, and still others are simply for the sake of convenience. The development of coordinated regulations regarding SSN sale, purchase, and display across such diverse agencies and businesses makes it necessary to centralize regulatory authority with SSA (which is responsible for issuing SSNs). In addition, to address concerns that the limited statutory list of exceptions does not enumerate all instances in which the sale, purchase, and display of SSNs may be essential and irreplaceable for government and business transactions, the Commissioner would be given authority to authorize the sale, purchase or display to the general public of SSNs. The bill provides guidelines to ensure SSNs are exchanged only when there is no other alternative that could reasonably accomplish the objective, and with due consideration for the unintended and potentially harmful consequences to individuals, government agencies, and businesses that may result. SSNs are used widely in government and the private sectors for many diverse purposes, and in industry sectors that maybe overseen by their own regulatory bodies, such as the financial services industry. To most effectively issue regulations that address these various concerns, the Commissioner has the authority to delegate, by regulation, rulemaking and enforcement of these provisions to other agencies. Agencies tasked with this authority may be better suited to issue and enforce regulations within the domain of their jurisdiction and expertise. This bill would encourage private sector entities to change their business practices to reduce reliance on the SSN. As business models change and as research progresses to employ authentication devices other than the SSN, the regulations should be reviewed and revised as appropriate to ensure that the regulations meet the goals of this bill. To ensure that the regulations authorized by the Commissioner are consistent with the goals of this statute, any final regulation issued under the regulator's general exemption authority will expire five years after its effective date. This provision ensures that regulations issued under this bill will undergo regular and consistent reviews to ensure that the regulations effectively and functionally limit the sale, purchase and display of the SSN in the private sector and discourage excessive use of and reliance on the SSN. The GAO assessment would also provide Congress and regulators the opportunity to review the effectiveness of regulations granting permissible sale, purchase and display of SSNs and the extent to which they are consistent with the purpose of this bill. State Attorneys General would assist in enforcement efforts under this bill through civil actions. As in other areas of Federal law, State Attorneys General can support compliance with Federal law by supplementing the enforcement resources of Federal agencies, and they are well-positioned to be aware of unlawful acts and practices in their states. State Attorneys General would be required to inform SSA and the U.S. Attorney General of any enforcement actions they intend to undertake, and State action would be precluded where the Federal government has initiated a criminal proceeding. Federal agencies, like State and local governments, have unique and frequent access to SSNs. Federal agencies are commonly required by law to use the SSN as an identifier and often use the SSN for record-keeping purposes in the administration of government benefits. Therefore, it is just as important for Federal agencies to protect the confidentiality of the SSN, as well as limit its sale and display, as it is for State and local government agencies. This bill would strengthen enforcement against Federal agencies that are not in compliance with the bill by allowing individuals to take action against Federal agencies in limited situations where they may be harmed. EFFECTIVE DATE The regulatory authority would be effective upon enactment. Sec. 14. Study on feasibility of banning Social Security account number as an authenticator CURRENT LAW No provision. EXPLANATION OF PROVISION This bill would direct the Commissioner of Social Security to enter into an arrangement with the National Research Council for the Council to conduct a study to determine the extent to which SSNs are used as a primary means of authenticating identity and the extent to which SSNs are used for verification in commercial transactions. It would also require the Council to determine the feasibility of prohibiting use of the SSN as an authenticator and possible alternatives to the SSN for verification purposes and uses in authenticating identity. REASON FOR CHANGE Identity theft is facilitated by the fact that the SSN is used by business and governments as an identifier, to distinguish one person from another, as well as an authenticator, or evidence that a person is who they say they are. This insecure practice is analogous to someone using the same element for their user ID as for their password in order to gain access to a computer network. At a hearing before the Subcommittee on Social Security, a witness for the Association for Computing Machinery explained that knowledge of an SSN is not sufficient to reliably authenticate any party in a transaction, but this use is commonplace. While some businesses have begun to discontinue the use of SSNs as passwords on their phone and online accessible networks, many businesses still depend on the SSN as an authenticator of identity. This practice continues to make the SSN a primary instrument of identity theft, since once the SSN is acquired, access to an individual's sensitive information is easily obtainable. When the SSN is used as a password, a cancelled check and an SSN can provide a criminal sufficient information to gain access to a person's account online or by phone. This provision authorizes the Commissioner to arrange for the National Research Council to conduct a study on the prevalence of this practice and whether it can be reduced. The Committee also intends that the examination of possible alternatives to SSNs for verification purposes and uses in authenticating identity include the last four digits of the SSN. EFFECTIVE DATE Under its arrangement with the Commissioner, the Council would be required to submit a report to the Commissioner and to each House of the Congress no later than one year after the effective date of the initial final regulations issued under section 2 of the bill (that is, three and one-half years after enactment). III. VOTES OF THE COMMITTEE In compliance with clause 3(b) of rule XIII of the Rules of the House of Representatives, the following statements are made concerning the vote of the Committee on Ways and Means in its consideration of the bill, H.R. 3046. MOTION TO REPORT THE BILL The bill, H.R. 3046, as amended, was ordered favorably reported by a rollcall vote of 41 yeas to 0 nays (with a quorum being present). The vote was as follows: ---------------------------------------------------------------------------------------------------------------- Representatives Yea Nay Present Representative Yea Nay Present ---------------------------------------------------------------------------------------------------------------- Mr. Rangel..................... X ........ ......... Mr. McCrery...... X ........ ......... Mr. Stark...................... X ........ ......... Mr. Herger....... X ........ ......... Mr. Levin...................... X ........ ......... Mr. Camp......... X ........ ......... Mr. McDermott.................. X ........ ......... Mr. Ramstad...... X ........ ......... Mr. Lewis (GA)................. X ........ ......... Mr. Johnson...... X ........ ......... Mr. Neal....................... X ........ ......... Mr. English...... X ........ ......... Mr. McNulty.................... X ........ ......... Mr. Weller....... X ........ ......... Mr. Tanner..................... X ........ ......... Mr. Hulshof...... X ........ ......... Mr. Becerra.................... X ........ ......... Mr. Lewis (KY)... X ........ ......... Mr. Doggett.................... X ........ ......... Mr. Brady........ X ........ ......... Mr. Pomeroy.................... X ........ ......... Mr. Reynolds..... X ........ ......... Mrs. Tubbs Jones............... X ........ ......... Mr. Ryan......... X ........ ......... Mr. Thompson................... X ........ ......... Mr. Cantor....... X ........ ......... Mr. Larson..................... X ........ ......... Mr. Linder....... X ........ ......... Mr. Emanuel.................... X ........ ......... Mr. Nunes........ X ........ ......... Mr. Blumenauer................. X ........ ......... Mr. Tiberi....... X ........ ......... Mr. Kind....................... X ........ ......... Mr. Porter....... X ........ ......... Mr. Pascrell................... X ........ ......... Ms. Berkley.................... X ........ ......... Mr. Crowley.................... X ........ ......... Mr. Van Hollen................. X ........ ......... Mr. Meek....................... X ........ ......... Ms. Schwartz................... X ........ ......... Mr. Davis (AL)................. X ........ ......... ---------------------------------------------------------------------------------------------------------------- IV. BUDGET EFFECTS OF THE BILL A. Committee Estimate of Budgetary Effects In compliance with clause 3(d)(2) of rule XIII of the Rules of the House of Representatives, the following statement is made concerning the effects on the budget of this bill, H.R. 3046, as amended and reported: The Committee agrees with the estimate prepared by the Congressional Budget Office (CBO), which is included below. B. Statement Regarding New Budget Authority and Tax Expenditures In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee states that H.R. 3046 does not include any new budget authority or tax expenditures. C. Cost Estimate Prepared by the Congressional Budget Office In compliance with clause 3(c)(3) of rule XIII of the Rules of the House of Representatives, requiring a cost estimate prepared by the Congressional Budget Office, the following report by CBO is provided: U.S. Congress, Congressional Budget Office, Washington, DC, July 30, 2007. Hon. Charles B. Rangel, Chairman, Committee on Ways and Means, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 3046, the Social Security Number Privacy and Identity Theft Prevention Act of 2007. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contacts are Sheila Dacey (for federal costs), Lisa Ramirez-Branum (for the state and local impact), and Paige Piper-Bach (for the private-sector impact). Sincerely, Robert A. Sunshine (For Peter R. Orszag, Director). Enclosure. H.R. 3046--Social Security Number Privacy and Identity Theft Prevention Act of 2007 Summary: H.R. 3046 would provide new safeguards for the use of Social Security numbers (SSNs) and penalties for SSN misuse. The bill would: <bullet> Bar the sale, purchase, or display of the SSN in both the public and private sectors, with certain exceptions; <bullet> Prohibit the display of SSNs (including magnetic strips or bar codes that contain them) on government checks, employer-issued identification cards or tags, and Medicare cards; <bullet> Require government and private entities to limit access to SSNs and assure that they have safeguards to prevent breaches of confidentiality; <bullet> Require the Government Accountability Office (GAO) and the Social Security Administration (SSA) to study the effectiveness of regulations related to this bill and the feasibility of additional safeguards; and <bullet> Create or expand civil and criminal penalties for SSN misuse. Enacting H.R. 3046 could affect direct spending and revenues, but CBO estimates that any such effects would not be significant. Complying with the bill's standards would cause federal agencies to incur additional administrative expenses. Those costs--which CBO estimates at $43 million over the 2008- 2012 period--would generally come from agencies' salary and expense budgets, which are subject to annual appropriation. H.R. 3046 contains a number of intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA), including limitations on the sale, display, and use of SSNs by state, local, and tribal governments. CBO estimates that the aggregated costs of complying with those mandates would probably exceed the threshold established in UMRA for intergovernmental mandates ($66 million in 2007, adjusted annually for inflation) in at least one of the first five years that the mandates are in effect. H.R. 3046 also would impose private-sector mandates as defined in UMRA. CBO cannot determine whether the aggregate direct costs of complying with those mandates would exceed the annual threshold for private-sector mandates established by UMRA ($131 million in 2007, adjusted annually for inflation) because such costs would depend on the specific regulations that would be issued under the bill. Estimated cost to the Federal Government: The estimated budgetary impact of H.R. 3046 is shown in the following table. The costs of the legislation fall primarily in budget functions 050 (national defense), 570 (Medicare), 650 (Social Security), and 700 (veterans benefits and services), but could affect numerous other budget functions as well. As explained below, CBO cannot estimate some potential costs in cases where agencies do not yet know how they would implement certain provisions. Basis of estimate: Federal agencies already comply, or are moving to comply, with most requirements of H.R. 3046. The bill's budgetary effects would stem from a few provisions that would change agencies' practices or assign new enforcement responsibilities. For this estimate, CBO assumes that the bill will be enacted in the fall of 2007. Spending subject to appropriation CBO estimates that implementing H.R. 3046 would cost $43 million over the 2008-2012 period, assuming that the necessary amounts will be appropriated near the start of each fiscal year and that spending will follow historical patterns for similar activities. ---------------------------------------------------------------------------------------------------------------- By fiscal year, in millions of dollars-- -------------------------------------------- 2008 2009 2010 2011 2012 ---------------------------------------------------------------------------------------------------------------- CHANGES IN SPENDING SUBJECT TO APPROPRIATION\1\ Prohibiting Display of SSN on Government ID Tags or Cards: Estimated Authorization Level.................................. 16 * 6 10 10 Estimated Outlays.............................................. 11 5 5 10 10 Regulation and Enforcement: Estimated Authorization Level.................................. 1 * * * * Estimated Outlays.............................................. 1 * * * * Studies: Estimated Authorization Level.................................. * * 1 * * Estimated Outlays.............................................. * * 1 * * Total Changes: Estimated Authorization Level.............................. 17 * 7 10 10 Estimated Outlays.......................................... 12 5 6 10 10 ---------------------------------------------------------------------------------------------------------------- \1\Enacting H.R. 3046 also could affect direct spending and revenues, but CBO estimates that any such effects would not be significant. Note.--SSN = Social Security number; * = less than $500,000. Prohibiting Display of SSN on ID Tags or Cards. The bill would prohibit government agencies from displaying SSNs (including magnetic strips or bar codes that contain them) on certain government-issued identification cards or tags. Government agencies could not display an SSN on employee, student, or patient identification tags or on Medicare cards. The requirement would affect cards or tags issued one year after the date of enactment, or in the case of Medicare cards, two and one-half years after enactment. In total, CBO estimates that implementing the provision would cost $41 million over the 2008-2012 period, subject to the availability of appropriated funds. The estimated costs to major agencies are described below. Department of Defense. The Geneva Convention calls for military personnel to have a number displayed on their identification cards, and the Department of Defense (DoD) has chosen to use the SSN. Under the bill, DoD would have to revamp its records and cards to use another unique identifier for 6.5 million personnel. Based on information from DoD, CBO estimates that implementing this provision would cost $2 million over the 2008-2009 period, assuming the availability of appropriated funds. Subsequent ongoing costs would be negligible. Veterans Affairs. The bill would prohibit the Department of Veterans Affairs (VA) from using a patient's SSN on the identity cards or tags used by its medical facilities. Based on information from the department, CBO estimates that it would cost $9 million to make the necessary changes to its computer systems. In addition, VA would plan to replace older, but still valid, cards at a cost of $5 million. Assuming appropriation of the estimated amounts, CBO estimates that VA would spend $10 million in 2008 and $4 million in 2009 to implement the requirement. Medicare. The Medicare program uses the SSN as the basis of its Health Insurance Claim Number and displays that number on the Medicare card. Over 42 million Medicare beneficiaries have a Medicare card and several million new beneficiaries are added to the Medicare rolls annually. Under H.R. 3046, CBO assumes that the Centers for Medicare and Medicaid Services (CMS) would continue to use the SSN-based claim number to process and pay claims, but would remove the number from the Medicare card. CBO estimates that CMS would increase spending on beneficiary outreach and provider education in 2009, but that such costs would total less than $500,000. In 2010, CMS would begin to issue Medicare cards that do not display a claim number to new enrollees and beneficiaries who request a replacement card. CBO estimates that it would cost CMS $5 million in 2010, and $10 million in each of fiscal years 2011 and 2012 to implement the changes. The bulk of the new costs would stem from handling additional inquiries from beneficiaries and providers who would be confused by the change. Based on information provided by CMS and SSA, CBO estimates that up to 10 million beneficiaries would be affected by the change annually and that 10 percent of them would contact the agencies with questions. In addition, the agencies would incur small costs for replacement cards for beneficiaries who request them. CMS could choose to adopt a different strategy and change the claim number so that it is no longer based on the SSN. That strategy would require changes to CMS computer systems that would be more expensive than removing the claim number from the card. Regulation and Enforcement. The Social Security Administration would take the lead in drafting regulations to govern compliance with the new law in both the public and private sectors and would prosecute violations. CBO estimates the agency's new tasks would cost $1 million in 2008, assuming the availability of appropriated funds. Costs would be less than $500,000 in other years. Some additional costs are likely, however. H.R. 3046 would require all federal agencies to demonstrate to SSA that they allow access only to employees who need SSNs to carry out their statutory responsibilities and have safeguards to prevent unauthorized access and breaches of confidentiality. That provision would apply to all SSNs in the agencies' possession, including paper records. Its implications for contractors (who handle key responsibilities, especially in the areas of welfare and child support enforcement) are unclear. According to GAO, every federal agency uses the SSN in some way. CBO cannot estimate the cost of this provision to SSA or to other agencies because it would depend on SSA's approach to implementing the bill's requirements. Studies. H.R. 3046 would authorize two new studies. It would require the Commissioner of SSA to contract with the National Research Council to study the feasibility of banning the SSN as a primary means of authenticating identity. It also would require GAO to conduct a review of the effectiveness of the regulations issued pursuant to this legislation and report on the results. CBO estimates that the combined cost of the studies would total about $1 million in 2010, but would be less than $500,000 in other years. Direct spending and revenues Implementing H.R. 3046 could affect direct spending and revenues, but CBO estimates that any such effects would not be significant. Civil Actions. H.R. 3046 would permit individuals to sue the federal government in federal district court for violations relating to the privacy of SSNs. Under the bill, if a plaintiff prevailed in such lawsuit, payment for damages and attorneys fees would be made by the Treasury's Judgment Fund. Payments from that fund are considered increases in direct spending. Considering current governmentwide practices regarding privacy and identity theft, CBO estimates that enacting H.R. 3046 would lead to an increase in the number of civil actions against the government and an increase in direct spending to pay claims, but that such costs would likely be less than $500,000 in each year. Civil and Criminal Penalties. H.R. 3046 could increase federal revenues and direct spending as a result of the collection of additional civil and criminal penalties assessed for misuse of SSNs. Collections of civil penalties are recorded in the budget as revenues and deposited in the Treasury. Collections of criminal penalties are recorded as revenues, deposited in the Crime Victims Fund, and later spent. CBO estimates that any additional revenues and direct spending would not be significant because of the relatively small number of cases likely to be involved. Child Support Enforcement. Requiring government agencies to remove SSNs from checks could raise administrative costs to the child support enforcement (CSE) program and/or delay distribution of collections. Many states currently use SSNs as their primary identifier when distributing child support, and the federal government covers the bulk of states' costs for administering CSE. CBO expects that the bill's requirement would have an additional cost to the federal government but that cost would be small because of the widespread and increasing use of electronic funds transfers to distribute payments rather than checks. Estimated impact on state, local, and tribal governments: H.R. 3046 contains a number of intergovernmental mandates as defined in UMRA. Specifically, the bill would restrict or prohibit government agencies from: <bullet> Selling or displaying SSNs that have been disclosed to the agency because of a mandatory requirement (applies only to documents issued after the requirements become effective); <bullet> Displaying SSNs on checks or check stubs; <bullet> Placing SSNs on student or employee identification cards or coding them into magnetic strips or bar codes on those documents; and <bullet> Allowing prisoners access to SSNs of other individuals. The bill also would require state and local governments to restrict access to SSNs and their derivatives to employees whose access is essential to effective administration of programs. In addition, the governments would have to implement safeguards to preclude unauthorized access to SSNs and their derivatives and to protect individual confidentiality. While state and local governments have taken steps to reduce the use of SSNs, many continue to use them for a variety of purposes. Based on information from GAO and from state and local officials, CBO estimates that the costs of complying with the mandates in the bill would probably exceed the intergovernmental threshold established in UMRA ($66 million in 2007, adjusted annually for inflation) in at least one of the first five years the mandates are in effect. The bill would allow exceptions for the display or sale of SSNs when such use or display is authorized by the Social Security Act, necessary for law enforcement, national security or tax law purposes, done in compliance with certain motor vehicle laws, or used for consumerreporting practices and nonmarket research for advancing the public good. The bill's restrictions on the sale or display (which includes Internet transmissions that are not encrypted or otherwise secured) of SSNs would be prospective, and would not require state and local governments to redact SSNs from existing documents that are publicly available. However, if state and local governments do not currently have a system in place to safeguard SSNs, any such governments would have to implement a new system for handling any documents issued when the regulations become effective (up to two and a half years following enactment). If state or local governments use SSNs on checks and check-stubs as part of their recordkeeping and tracking procedures, they would have to alter those systems and remove the SSNs. They also would have to implement systems for removing SSNs from many documents that currently include SSNs and that are available to the public. Likewise, some public institutions of higher education might have to alter their document systems for identification cards or tags to remove SSNs that are coded electronically onto a magnetic strip or digitized as part of a bar code. Finally, any government agency that uses SSNs would have to implement safeguards to preclude unauthorized access to SSNs and their derivatives and to protect confidentiality. Because of the large number of governments affected by these provisions (particularly municipal governments), even small changes to existing systems would result in total costs that exceed the threshold established in UMRA. There are over 75,000 municipal governments, so even small one-time costs--for example, as little as $5,000--would add up to costs over $66 million in a given year. Counties and states, on the other hand, while fewer in number (there are about 3,600 counties in the United States), are more dependent on SSNs for various recordkeeping and identification purposes and would thus be likely to face significantly higher costs because of the complexity and scope of their recordkeeping systems. (Some counties estimate that altering their systems to use identifiers other than SSNs or to eliminate display of SSNs would result in one-time costs ranging from $40,000 to over $1 million, depending on the county and the scope of the changes that would need to be made). Estimated impact on the private sector: H.R. 3046 would impose private-sector mandates, as defined in UMRA, on certain private entities. CBO cannot determine the direct costs of complying with those mandates because such costs would depend on the specific regulations that would be issued under the bill. Consequently, CBO cannot determine whether the aggregate direct costs of complying with those mandates would exceed the annual threshold for private-sector mandates established by UMRA ($131 million in 2007, adjusted annually for inflation). The bill would impose private-sector mandates on certain private entities by generally prohibiting the purchase, sale, or display of an SSN to the general public, including on the Internet, with some exceptions. In addition, the bill would establish a uniform truncation standard requiring that truncated SSNs be limited to the last four digits of the number. Private entities also would be prohibited from: <bullet> Making unnecessary disclosures of another individual's SSN to government agencies; <bullet> Displaying an SSN on checks; <bullet> Displaying an SSN on cards or tags issued to employees, family members, or other individuals; and <bullet> Displaying an SSN on any card or tag issued to another person to access goods, services, or benefits. Private entities that maintain SSNs in their records for the conduct of their business would be required to limit access to those records and institute safeguards to protect the confidentiality of those records. The Commissioner of Social Security would be required to issue regulations to implement the requirements, safeguards, and standards imposed by the bill. The direct cost to private entities of complying with those mandates would depend on regulations issued under the bill. Previous CBO estimate: On May 25, 2007, CBO transmitted a cost estimate for H.R. 948, the Social Security Number Protection Act of 2007, as ordered reported by the House Committee on Energy and Commerce on May 10, 2007. That bill has similar provisions regarding the sale, purchase, or display of SSNs by entities in the private sector, but fewer requirements on government agencies. CBO estimated that H.R. 948 would not have a significant impact on spending subject to appropriation. H.R. 948 also contains provisions that would impose intergovernmental mandates on state and local governments. However, because the Federal Trade Commission, the federal agency directed to carry out the provisions relating to the use of SSNs, does not have jurisdiction over those governments or public universities, the cost of mandates in H.R. 948 would be below the threshold established in UMRA. The mandates on the private sector in H.R. 948 are similar to those in H.R. 3046, except that the Federal Trade Commission would be required--under H.R. 948--to issue the regulations prohibiting an entity in the private sector from selling or purchasing a Social Security number. Estimate prepared by: Federal Costs: Social Security Administration--Sheila Dacey; Veterans Affairs--Sunita D'Monte; Treasury--Matthew Pickford; Defense--Jason Wheelock. Federal Revenues: Emily Schlect. Impact on State, Local, and Tribal Governments: Lisa Ramirez-Branum. Impact on the Private Sector: Paige Piper-Bach, Ralph Smith. Estimate approved by: Peter H. Fontaine, Deputy Assistant Director for Budget Analysis. V. OTHER MATTERS TO BE DISCUSSED UNDER THE RULES OF THE HOUSE A. Committee Oversight Findings and Recommendations With respect to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives (relating to oversight findings), the Committee, based on public hearing testimony, concludes that it is appropriate and timely to consider the bill as reported. B. Earmarks and Tax and Tariff Benefits With respect to clause 9 of rule XXI of the Rules of the House, H.R. 3046, as amended, does not contain any Congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(d), 9(e), or 9(f) of rule XXI. C. Constitutional Authority Statement With respect to clause (3)(d)(1) of rule XIII of the Rules of the House of Representatives, relating to Constitutional Authority, the Committee states that the Committee's action in reporting the bill is derived from Article I of the Constitution, Section 8 (``The Congress shall have power to lay and collect taxes, duties, imposts, and excises, to pay the debts and to provide for * * * the general Welfare of the United States.'') D. Information Relating to Unfunded Mandates This information is provided in accordance with Section 423 of the Unfunded Mandates Reform Act of 1995 (P.L. 104-4). The Committee has determined that the bill does impose a Federal intergovernmental mandate on State, local, or tribal governments. The Committee has determined that the bill does contain Federal mandates on the private sector. VI. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in roman): SOCIAL SECURITY ACT * * * * * * * TITLE II--FEDERAL OLD-AGE, SURVIVORS, AND DISABILITY INSURANCE BENEFITS * * * * * * * EVIDENCE, PROCEDURE, AND CERTIFICATION FOR PAYMENT Sec. 205. (a) * * * * * * * * * * (c)(1) * * * (2)(A) * * * * * * * * * * (C)(i) * * * * * * * * * * (x)(I) A governmental entity (as defined in subclause (X)) may not sell or display to the general public any social security account number if such number has been disclosed to such governmental entity pursuant to the assertion by such governmental entity to any person that disclosure of such number is a statutory or regulatory requirement. Notwithstanding the preceding sentence, such number may be sold or displayed to the general public in accordance with the exceptions specified in subclauses (II), (III), (IV), (V), (VI), (VII), and (VIII) (and for no other purpose). (II) Notwithstanding subclause (I), a social security account number may be sold by a governmental entity to the extent that such sale is specifically authorized by this Act or the Privacy Act of 1974. (III) Notwithstanding subclause (I), a social security account number may be sold by a governmental entity to the extent that is necessary or appropriate for law enforcement or national security purposes, as determined under regulations which shall be issued as provided in section 1129C. (IV) Notwithstanding subclause (I), a social security account number may be sold by a governmental entity to the extent that such sale is required to comply with a tax law of the United States or of any State (or political subdivision thereof). (V) Notwithstanding subclause (I), a social security account number may be sold by a State department of motor vehicles as authorized under subsection (b) of section 2721 of title 18, United States Code, if such number is to be used pursuant to such sale solely for purposes permitted under paragraph (1), (6), or (9) of such subsection. (VI) Notwithstanding subclause (I), a social security account number may be sold or otherwise made available by a governmental entity to a consumer reporting agency (as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f))) for use or disclosure solely for permissible purposes described in section 604(a) of such Act (15 U.S.C. 1681b(a)). (VII) Notwithstanding subclause (I), a social security account number may be sold by a governmental entity to the extent necessary for research (other than market research) conducted by any governmental entity for the purpose of advancing the public good, on the condition that the researcher provides adequate assurances that the social security account numbers will not be used to harass, target, or publicly reveal information concerning any identifiable individuals, that information about identifiable individuals obtained from the research will not be used to make decisions that directly affect the rights, benefits, or privileges of specific individuals, and that the researcher has in place appropriate safeguards to protect the privacy and confidentiality of any information about identifiable individuals, including procedures to ensure that the social security account numbers will be encrypted or otherwise appropriately secured from unauthorized disclosure. In the case of medical research, the Commissioner of Social Security shall maintain ongoing consultation with the Office for Civil Rights of the Department of Health and Human Services to ensure that the sale or purchase of social security account numbers which constitute personally identifiable medical information is permitted only in compliance with existing Federal rules and regulations prescribed by the Secretary of Health and Human Services pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (110 Stat. 2033). (VIII) Notwithstanding subclause (I), a social security account number may be sold or displayed to the general public by a governmental entity under such other circumstances as may be specified in regulations issued as provided in section 1129C. (IX) This clause does not apply with respect to a social security account number of a deceased individual. (X) For purposes of this clause, the term ``governmental entity'' means an executive, legislative, or judicial agency or instrumentality of the Federal Government or of a State or political subdivision thereof, a Federally recognized Indian tribe, or a trustee appointed in a case under title 11, United States Code. Such term includes a person acting as an agent of such an agency or instrumentality, Indian tribe, or trustee. For purposes of this subclause, the term ``State'' has the meaning provided in subparagraph (D)(iii)(II). (XI) For purposes of this clause, the term ``sell'' means, in connection with a social security account, to obtain, directly or indirectly, anything of value in exchange for such number. Such term does not include the submission of such number as part of the process for applying for any type of Government benefits or programs (such as grants, loans, or welfare or other public assistance programs) or as part of the administration of, or provision of benefits under, an employee benefit plan. (XII) For purposes of this clause, the term ``display to the general public'' shall have the meaning provided such term in section 208A(a)(3)(A). In any case in which a governmental entity requires transmittal to such governmental entity of an individual's social security account number by means of the Internet without ensuring that such number is encrypted or otherwise appropriately secured from disclosure, any such transmittal of such number as so required shall be treated, for purposes of this clause, as a ``display to the general public'' of such number by such governmental entity for purposes of this clause. (XIII) For purposes of this clause, the term ``social security account number'' includes any derivative of such number. Notwithstanding the preceding sentence, any expression, contained in or on any item sold or displayed to the general public, shall not be treated as a social security account number solely because such expression sets forth not more than the last 4 digits of such number, if the remainder of such number cannot be determined based solely on such expression or any other matter presented in or on such item. (XIV) Nothing in the preceding subclauses of this clause shall be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect under any other Federal or State law, except to the extent that such statute, regulation, order, or interpretation is inconsistent with such subclauses, and then only to the extent of the inconsistency. For purposes of this subclause, a statue, regulation, order, or interpretation is not inconsistent with the preceding subclauses of this clause if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under such subclauses. (xi) No governmental entity (as defined in clause (x)(X)) may include the social security account number of any individual (or any derivative of such number) on any check issued for any payment by such governmental entity or on any document attached to or accompanying such a check. (xii) No governmental entity (as defined in clause (x)(X)), and no other person offering benefits in connection with an employee benefit plan maintained by such governmental entity, may display a social security account number (or any derivative thereof) on any card or tag that is commonly provided-- (I) to employees of such governmental entity, (II) in the case of a governmental entity which is an educational institution, to its students, or (III) in the case of a governmental entity which is a medical institution, to its patients, (or to their family members) for purposes of identification or include on such card or tag a magnetic strip, bar code, or other means of communication which conveys such number (or derivative thereof). The requirements of this clause shall also apply to the Medicare card issued by the Department of Health and Human Services. (xiii) No governmental entity (as defined in clause (x)(X)) may employ, or enter into a contract for the use or employment of, prisoners in any capacity that would allow such prisoners access to the social security account numbers of other individuals (or any derivatives of such numbers). For purposes of this clause, the term ``prisoner'' means an individual confined in a jail, prison, or other penal institution or correctional facility. (xiv) Except as otherwise provided in this paragraph, in the case of any governmental entity (as defined in clause (x)(X)) having access to an individual's social security account number-- (I) no officer or employee thereof shall have access to such number for any purpose other than the effective administration of the statutory provisions governing its functions, (II) such governmental entity shall restrict, to the satisfaction of the Commissioner of Social Security, access to social security account numbers obtained thereby to officers and employees thereof whose duties or responsibilities require access for the administration or enforcement of such provisions, and (III) such governmental entity shall provide such other safeguards as the Commissioner determines to be necessary or appropriate to preclude unauthorized access to the social security account number and to otherwise protect the confidentiality of such number. For purposes of this clause the term ``social security account number'' includes any derivative thereof. (xv) The truncation by any governmental entity (as defined in clause (x)(X)) or by any person in the private sector of an individual's social security account number which is used by such governmental entity or person otherwise in accordance with the requirements of this Act shall be in accordance with a uniform truncation standard which shall be specified in regulations prescribed by the Commissioner of Social Security. Under such standard, the number as truncated shall set forth not more than the last 4 digits of the number. Nothing in this clause shall be construed to authorize any use of the social security account number which is not otherwise authorized by this title or regulations prescribed thereunder. * * * * * * * PENALTIES Sec. 208. (a) Whoever-- (1) * * * * * * * * * * (8) discloses, uses, or compels the disclosure of the social security number of any person in violation of the laws of the United States; or (9) willfully acts or fails to act so as to cause a violation of section 208A(b)(1)(B); shall be guilty of a felony and upon conviction thereof [shall be fined under title 18, United States Code, or imprisoned for not more than five years, or both.] shall be fined, imprisoned, or both, as provided in subsection (c). (b)(1) Whoever-- (A) knowingly, and with intent to commit, or to aid or abet, any activity that constitutes a violation of Federal law, or a violation of any applicable law of a State or political subdivision thereof if the maximum penalty of such applicable law includes imprisonment for 5 years or more-- (i) possesses the social security account number of another person without lawful authority, or (ii) possesses a social security card, knowing that the social security account number or other identifying information displayed on the card has been altered, counterfeited, or forged or that the card was falsely made, stolen, or obtained from the Social Security Administration by use of false information; if such activity is committed, or aided or abetted, with intent to use such social security account number, social security card, or other identifying information displayed on such card in furtherance of such violation; (B) being-- (i) an officer or employee of any governmental entity (as defined in section 205(c)(2)(C)(x)(X)), or (ii) a person acting as an agent of a governmental entity (as so defined), willfully acts or fails to act so as to cause a violation of clause (vi)(II), (xi), (xii), or (xv) of section 205(c)(2)(C); (C) being a trustee appointed in a case under title 11, United States Code (or an officer or employee thereof or a person acting as an agent thereof), willfully acts or fails to act so as to cause a violation of clause (xi) or (xv) of section 205(c)(2)(C); or (D) willfully acts or fails to act so as to cause a violation of subsection (c), (d), (e), or (f) of section 208A or, as a person in the private sector, willfully acts or fails to act so as to cause a violation of section 205(c)(2)(C)(xv); shall be guilty of a misdemeanor and upon conviction thereof shall be fined under title 18, United States Code, or imprisoned for not more than 1 year, or both. (2)(A) Whoever-- (i) with intent to deceive, discloses, sells, or transfers his own social security account number, assigned to him by the Commissioner of Social Security (in the exercise of the Commissioner's authority under section 205(c)(2) to establish and maintain records), to any person; (ii) without lawful authority, offers, for a fee, to acquire for any individual, or to assist in acquiring for any individual, an additional social security account number or a number that is purported to be a social security account number; (iii) being-- (I) an officer or employee of any governmental entity (as defined in section 205(c)(2)(C)(x)(X)), or (II) a person acting as an agent of a governmental entity (as so defined), willfully acts or fails to act so as to cause a violation of clause (x), (xiii), or (xiv) of section 205(c)(2)(C); (iv) being a trustee appointed in a case under title 11, United States Code (or an officer or employee thereof or a person acting as an agent thereof), willfully acts or fails to act so as to cause a violation of clause (x) or (xiv) of section 205(c)(2)(C); or (v) willfully acts or fails to act so as to cause a violation of subsection (b)(1)(A) or (g) of section 208A; shall be fined, imprisoned, or both, as provided in subparagraph (B). (B) A person convicted of a violation described in subparagraph (A) shall-- (i) be fined under title 18, United States Code, imprisoned not more than 1 year, or both; and (ii) if the offense is committed under false pretenses or for commercial advantage, personal gain, or malicious harm, be fined, imprisoned, or both, as provided in subsection (c). (c) A person convicted of a violation described in subsection (a) or a violation described in subsection (b)(2)(A) which is subject to subsection (b)(2)(B)(ii) shall be-- (1) fined under title 18, United States Code, or imprisoned for not more than 5 years, or both, in the case of an initial violation, subject to paragraphs (3) and (4), (2) fined under title 18, United States Code, or imprisoned for not more than 10 years, or both, in the case of a violation which occurs after a prior conviction for another offense under subsection (a) becomes final, subject to paragraphs (3) and (4), (3) fined under title 18, United States Code, or imprisoned for not more than 20 years, in the case of a violation which is committed to facilitate a drug trafficking crime (as defined in section 929(a)(2) of title 18, United States Code) or in connection with a crime of violence (as defined in section 924(c)(3) of title 18, United States Code) involving force against the person of another, subject to paragraph (4), and (4) fined under title 18, United States Code, or imprisoned for not more than 25 years, in the case of a violation which is committed to facilitate an act of international or domestic terrorism (as defined in paragraphs (1) and (5), respectively, of section 2331 of title 18, United States Code). [(b)] (d)(1) Any Federal court, when sentencing a defendant convicted of an offense under subsection (a) or (b), may order, in addition to or in lieu of any other penalty authorized by law, that the defendant make restitution to the victims of such offense specified in paragraph (4). * * * * * * * [(c) Any person or other entity who is convicted of a violation of any of the provisions of this section, if such violation is committed by such person or entity in his role as, or in applying to become, a certified payee under section 205(j) on behalf of another individual (other than such person's spouse), upon his second or any subsequent such conviction shall, in lieu of the penalty set forth in the preceding provisions of this section, be guilty of a felony and shall be fined under title 18, United States Code, or imprisoned for not more than five years, or both.] [(d)] (e) Any individual or entity convicted of a felony under this section or under section 1632(b) may not be certified as a payee under section 205(j). For the purpose of subsection (a)(7), the terms ``social security number'' and ``social security account number'' mean such numbers as are assigned by the Commissioner of Social Security under section 205(c)(2) whether or not, in actual use, such numbers are called social security numbers. [(e)] (f)(1) * * * * * * * * * * (g)(1) Whoever is an employee of the Social Security Administration and knowingly and fraudulently sells or transfers one or more social security account numbers or social security cards shall, upon conviction, be guilty of a felony and fined under title 18, United States Code, imprisoned as provided in paragraph (2), or both. (2) Imprisonment for a violation described in paragraph (1) shall be for-- (A) not more than 5 years, in the case of an employee of the Social Security Administration who has fraudulently sold or transferred not more than 50 social security account numbers or social security cards, (B) not more than 10 years, in the case of an employee of the Social Security Administration who has fraudulently sold or transferred more than 50, but not more than 100, social security account numbers or social security cards, or (C) not more than 20 years, in the case of an employee of the Social Security Administration who has fraudulently sold or transferred more than 100 social security account numbers or social security cards. (3) For purposes of this subsection-- (A) The term ``social security employee'' means any State employee of a State disability determination service, any officer, employee, or contractor of the Social Security Administration, any employee of such a contractor, or any volunteer providing services or assistance in any facility of the Social Security Administration. (B) The term ``social security account number'' means a social security account number assigned by the Commissioner of Social Security under section 205(c)(2)(B) or another number that has not been so assigned but is purported to have been so assigned. (C) The term ``social security card'' means a card issued by the Commissioner of Social Security under section 205(c)(2)(G), another card which has not been so issued but is purported to have been so issued, and banknote paper of the type described in section 205(c)(2)(G) prepared for the entry of social security account numbers, whether fully completed or not. PROHIBITION OF THE SALE, PURCHASE, AND DISPLAY TO THE GENERAL PUBLIC OF THE SOCIAL SECURITY ACCOUNT NUMBER IN THE PRIVATE SECTOR Sec. 208A. (a) Definitions.--For purposes of this section: (1) Person.-- (A) In general.--Subject to subparagraph (B), the term ``person'' means any individual, partnership, corporation, trust, estate, cooperative, association, or any other entity. (B) Exclusion of governmental entities.--Such term does not include a governmental entity. Nothing in this subparagraph shall be construed to authorize, in connection with a governmental entity, an act or practice otherwise prohibited under this section or section 205(c)(2)(C). (2) Selling and purchasing.-- (A) In general.--Subject to subparagraph (B)-- (i) Sell.--The term ``sell'' in connection with a social security account number means to obtain, directly or indirectly, anything of value in exchange for such number. (ii) Purchase.--The term ``purchase'' in connection with a social security account number means to provide, directly or indirectly, anything of value in exchange for such number. (B) Exceptions.--The terms ``sell'' and ``purchase'' in connection with a social security account number do not include the submission of such number as part of-- (i) the process for applying for any type of Government benefits or programs (such as grants or loans or welfare or other public assistance programs), (ii) the administration of, or provision of benefits under, an employee benefit plan, or (iii) the sale, lease, merger, transfer, or exchange of a trade or business. (3) Display to the general public.-- (A) In general.--The term ``display to the general public'' means, in connection with a social security account number, to intentionally place such number in a viewable manner on an Internet site that is available to the general public or to make such number available in any other manner intended to provide access to such number by the general public. (B) Internet transmissions.--In any case in which a person requires transmittal to such person of an individual's social security account number by means of the Internet without ensuring that such number is encrypted or otherwise well-secured from disclosure, any such transmittal of such number as so required shall be treated as a ``display to the general public'' of such number by such person. (4) Social security account number.-- (A) In general.--The term ``social security account number'' has the meaning given such term in section 208(e), except that such term includes any derivative of such number. (B) 4-digit expression.--Notwithstanding the preceding sentence, for purposes of subsection (b)(1)(A), any expression, contained in or on any item sold or displayed to the general public, shall not be treated as a social security account number solely because such expression sets forth not more than the last 4 digits of such number, if the remainder of such number cannot be determined based solely on such expression or any other matter presented in or on such item. (5) Governmental entity.-- (A) In general.--The term ``governmental entity'' means an executive, legislative, or judicial agency or instrumentality of the Federal Government, a State or political subdivision thereof, a Federally recognized Indian tribe, or a trustee appointed in a case under title 11, United States Code. Such term includes a person acting as an agent of such an agency or instrumentality, Indian tribe, or trustee. (B) State.--The term ``State'' includes the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, the Commonwealth of the Northern Marianas, and the Trust Territory of the Pacific Islands. (b) Prohibition of Sale, Purchase, and Display to the General Public.-- (1) In general.--Except as provided in paragraph (2), it shall be unlawful for any person to-- (A) sell or purchase a social security account number or display to the general public a social security account number, or (B) obtain or use any individual's social security account number for the purpose of locating or identifying such individual with the intent to harass, harm, or physically injure such individual or using the identity of such individual for any illegal purpose. (2) Exceptions.-- (A) In general.--Notwithstanding paragraph (1), and subject to paragraph (3), a social security account number may be sold or purchased by any person to the extent provided in this subsection (and for no other purpose) as follows: (i) to the extent necessary for law enforcement, including (but not limited to) the enforcement of a child support obligation, as determined under regulations issued as provided in section 1129C; (ii) to the extent necessary for national security purposes, as determined under regulations issued as provided in section 1129C; (iii) to the extent necessary for public health purposes; (iv) to the extent necessary in emergency situations to protect the health or safety of 1 or more individuals; (v) to the extent that the sale or purchase is required to comply with a tax law of the United States or of any State (or political subdivision thereof); (vi) to the extent that the sale or purchase is to or by a consumer reporting agency (as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f))) for use or disclosure solely for permissible purposes described in section 604(a) of such Act (15 U.S.C. 1681b(a)); and (vii) to the extent necessary for research (other than market research) conducted by an agency or instrumentality of the United States or of a State or political subdivision thereof (or a person acting as an agent of such an agency or instrumentality) for the purpose of advancing the public good, on the condition that the researcher provides adequate assurances that-- (I) the social security account numbers will not be used to harass, target, or publicly reveal information concerning any identifiable individuals; (II) information about identifiable individuals obtained from the research will not be used to make decisions that directly affect the rights, benefits, or privileges of specific individuals; and (III) the researcher has in place appropriate safeguards to protect the privacy and confidentiality of any information about identifiable individuals, including procedures to ensure that the social security account numbers will be encrypted or otherwise appropriately secured from unauthorized disclosure. (B) Medical research.--In the case of research referred to in subparagraph (A)(vii) consisting of medical research, the Commissioner of Social Security shall maintain ongoing consultation with the Office for Civil Rights of the Department of Health and Human Services to ensure that the sale or purchase of social security account numbers which constitute personally identifiable medical information is permitted only in compliance with existing Federal rules and regulations prescribed by the Secretary of Health and Human Services pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (110 Stat. 2033). (3) Consent and other circumstances determined by regulation.--Notwithstanding paragraph (1), a social security account number assigned to an individual may be sold or purchased by any person-- (A) to the extent consistent with such individual's voluntary and affirmative written consent to the sale or purchase, but only if-- (i) the terms of the consent and the right to refuse consent are presented to the individual in a clear, conspicuous, and understandable manner, (ii) the individual is placed under no obligation to provide consent to any such sale or purchase, and (iii) the terms of the consent authorize the individual to limit the sale or purchase to purposes directly associated with the transaction with respect to which the consent is sought, and (B) under such circumstances as may be deemed appropriate in regulations issued as provided under section 1129C. (c) Prohibition of Display on Checks.--It shall be unlawful for any person to include the social security account number of any other individual on any check issued for any payment by such person or on any document attached to or accompanying such a check. (d) Prohibition of Unauthorized Disclosure to Government Agencies or Instrumentalities.-- (1) In general.--It shall be unlawful for any person to communicate by any means to any agency or instrumentality of the United States or of any State or political subdivision thereof the social security account number of any individual other than such person without the written permission of such individual, unless the number was requested by the agency or instrumentality. In the case of an individual who is legally incompetent, permission provided by the individual's legal representatives shall be deemed to be permission provided by such individual. (2) Exceptions.--Paragraph (1) shall not apply to the extent necessary-- (A) for law enforcement, including (but not limited to) the enforcement of a child support obligation, or (B) for national security purposes, as determined under regulations issued as provided under section 1129C. (e) Prohibition of the Displays on Cards or Tags Required for Access to Goods, Services, or Benefits.--No person may display a social security account number on any card or tag issued to any other person for the purpose of providing such other person access to any goods, services, or benefits or include on such card or tag a magnetic strip, bar code, or other means of communication which conveys such number. (f) Prohibition of the Displays on Employee Identification Cards or Tags.--No person that is an employer, and no other person offering benefits in connection with an employee benefit plan maintained by such employer or acting as an agent of such employer, may display a social security account number on any card or tag that is commonly provided to employees of such employer (or to their family members) for purposes of identification or include on such card or tag a magnetic strip, bar code, or other means of communication which conveys such number. (g) Measures to Preclude Unauthorized Disclosure of Social Security Account Numbers and Protect the Confidentiality of Such Numbers.--Subject to the preceding provisions of this section, any person having access to the social security account number of any individual other than such person shall, to the extent that such access is maintained for the conduct of such person's trade or business-- (1) ensure that no officer or employee thereof has access to such number for any purpose other than as necessary for the conduct of such person's trade or business, (2) restrict, in accordance with regulations of the Commissioner of Social Security, access to social security account numbers obtained thereby to officers and employees thereof whose duties or responsibilities require access for the conduct of such person's trade or business, and (3) provide such safeguards as may be specified, in regulations of the Commissioner of Social Security, to be necessary or appropriate to preclude unauthorized access to the social security account number and to otherwise protect the confidentiality of such number. (h) Deceased Individuals.--This section does not apply with respect to the social security account number of a deceased individual. (i) Applicability of Other Protections.--Nothing in the preceding subsections of this section shall be construed as superseding, altering, or affecting any statutory provision, regulation, order, or interpretation in effect under any other Federal or State law, except to the extent that such statutory provision, regulation, order, or interpretation is inconsistent with such subsections, and then only to the extent of the inconsistency. For purposes of this subclause, a statutory provision, regulation, order, or interpretation is not inconsistent with the preceding subsections of this section if the protection such statutory provision, regulation, order, or interpretation affords any person is greater than the protection provided under such subsections. * * * * * * * TITLE VIII--SPECIAL BENEFITS FOR CERTAIN WORLD WAR II VETERANS * * * * * * * SEC. 811. PENALTIES FOR FRAUD. (a) In General.--Whoever-- (1) * * * * * * * * * * [shall be fined under title 18, United States Code, imprisoned not more than 5 years, or both.] shall be fined, imprisoned, or both, as provided in subsection (b). (b) Punishment.--A person convicted of a violation described in subsection (a) shall be-- (1) fined under title 18, United States Code, or imprisoned for not more than 5 years, or both, in the case of an initial violation, subject to paragraphs (3) and (4), (2) fined under title 18, United States Code, or imprisoned for not more than 10 years, or both, in the case of a violation which occurs after a prior conviction for another offense under subsection (a) becomes final, subject to paragraphs (3) and (4), (3) fined under title 18, United States Code, or imprisoned for not more than 20 years, in the case of a violation which is committed to facilitate a drug trafficking crime (as defined in section 929(a)(2) of title 18, United States Code) or in connection with a crime of violence (as defined in section 924(c)(3) of title 18, United States Code) involving force against the person of another, subject to paragraph (4), and (4) fined under title 18, United States Code, or imprisoned for not more than 25 years, in the case of a violation which is committed to facilitate an act of international or domestic terrorism (as defined in paragraphs (1) and (5), respectively, of section 2331 of title 18, United States Code). [(b)] (c) Court Order for Restitution.-- (1) * * * * * * * * * * TITLE XI--GENERAL PROVISIONS, PEER REVIEW, AND ADMINISTRATIVE SIMPLIFICATION Part A--General Provisions * * * * * * * SEC. 1129. CIVIL MONETARY PENALTIES AND ASSESSMENTS FOR TITLES II, VIII AND XVI. (a)(1) * * * * * * * * * * (2) In addition, the Commissioner of Social Security may make a determination in the same proceeding to recommend that the Secretary exclude, as provided in section 1128, such a person who is a medical provider or physician from participation in the programs under title XVIII. (3) Any person (including an organization, agency, or other entity) who-- (A) uses a social security account number that such person knows or should know has been assigned by the Commissioner of Social Security (in an exercise of authority under section 205(c)(2) to establish and maintain records) on the basis of false information furnished to the Commissioner by any person; (B) falsely represents a number to be the social security account number assigned by the Commissioner of Social Security to any individual, when such person knows or should know that such number is not the social security account number assigned by the Commissioner to such individual; (C) with intent to deceive, alters a social security card that the person knows or should know was issued by the Commissioner of Social Security, or possesses such a card with intent to alter it; (D) buys or sells a card that such person knows or should know is, or is purported to be, a card issued by the Commissioner of Social Security, or possesses such a card with intent to buy or sell it; (E) counterfeits a social security card, or possesses a counterfeit social security card with intent to buy or sell it; (F) discloses, uses, compels the disclosure of, or knowingly sells or purchases the social security account number of any person in violation of the laws of the United States; (G) with intent to deceive the Commissioner of Social Security as to such person's true identity (or the true identity of any other person), furnishes or causes to be furnished false information to the Commissioner with respect to any information required by the Commissioner in connection with the establishment and maintenance of the records provided for in section 205(c)(2); (H) without lawful authority, offers, for a fee, to acquire for any individual, or to assist in acquiring for any individual, an additional social security account number or a number which is purported to be a social security account number; (I) with intent to deceive, discloses, sells, or transfers his own social security account number, assigned to him by the Commissioner of Social Security under section 205(c)(2)(B), to any person; (J) knowingly, and with intent to commit, or to aid or abet, any activity that constitutes a violation of Federal law, or a violation of any applicable law of a State or political subdivision thereof if the maximum penalty of such applicable law includes imprisonment for 5 years or more-- (i) possesses a social security account number of another individual without lawful authority, or (ii) possesses a social security card, knowing that the social security account number or other identifying information displayed on the card has been altered, counterfeited, or forged or that the card was falsely made, stolen, or obtained from the Social Security Administration by use of false information, if such activity is committed, or aided or abetted, with intent to use such social security account number, social security card, or other identifying information displayed on such card in furtherance of such violation; (K) being-- (i) an officer or employee of a governmental entity (as defined in section 205(c)(2)(C)(x)(X)), or (ii) a person acting as an agent of a governmental entity (as so defined), willfully acts or fails to act so as to cause a violation of clause (vi)(II), (x), (xi), (xii), (xiii), (xiv), or (xv) of section 205(c)(2)(C); (L) being a trustee appointed in a case under title 11, United States Code (or an officer or employee thereof or a person acting as an agent thereof), willfully acts or fails to act so as to cause a violation of clause (x), (xi), (xiv), or (xv) of section 205(c)(2)(C); (M) violates section 208A (relating to prohibition of the sale, purchase, or display of the social security account number in the private sector) or, as a person in the private sector, violates section 205(c)(2)(C)(xv); or (N) violates section 208(g) (relating to fraud by social security administration employees); shall be subject to, in addition to any other penalties that may be prescribed by law, a civil money penalty of not more than $5,000 for each violation. Such person shall also be subject to an assessment, in lieu of damages sustained by the United States resulting from such violation, of not more than twice the amount of any benefits or payments paid as a result of such violation. [(2)] (4) For purposes of this section, a material fact is one which the Commissioner of Social Security may consider in evaluating whether an applicant is entitled to benefits under title II or title VIII, or eligible for benefits or payments under title XVI. [(3)] (5) Any person (including an organization, agency, or other entity) who, having received, while acting in the capacity of a representative payee pursuant to section 205(j), 807, or 1631(a)(2), a payment under title II, VIII, or XVI for the use and benefit of another individual, converts such payment, or any part thereof, to a use that such person knows or should know is other than for the use and benefit of such other individual shall be subject to, in addition to any other penalties that may be prescribed by law, a civil money penalty of not more than $5,000 for each such conversion. Such person shall also be subject to an assessment, in lieu of damages sustained by the United States resulting from the conversion, of not more than twice the amount of any payments so converted. * * * * * * * REGULATORY AND ENFORCEMENT AUTHORITY WITH RESPECT TO MISUSE OF THE SOCIAL SECURITY ACCOUNT NUMBER Sec. 1129C. (a) Regulatory Authority.-- (1) In general.--The Commissioner of Social Security shall prescribe regulations to carry out the provisions of clauses (vi)(II), (x), (xi), (xii), (xiii), (xiv), and (xv) of section 205(c)(2)(C) and section 208A. Such regulations shall be issued in consultation with the Federal Trade Commission, the Attorney General of the United States, the Secretary of Homeland Security, the Secretary of Health and Human Services, the Secretary of the Treasury, the Federal banking agencies (as defined in section 3 of the Federal Deposit Insurance Act), the National Credit Union Administration, the Securities and Exchange Commission, State attorneys general, and such representatives of the State insurance commissioners as may be designated by the National Association of Insurance Commissioners. (2) Treatment of matters relating to law enforcement and national security.--In issuing the regulations described in paragraph (1) with respect to the provisions of 205(c)(2)(C)(x)(III), paragraph (A) or (B) of section 208A(b)(2), or section 208A(c)(2) (relating to law enforcement and national security), the sale or purchase of Social Security account numbers may be authorized only if the Commissioner (or the agency or instrumentality delegated authority to issue such regulations under paragraph (5)) determines that-- (A) such sale or purchase would serve a compelling public interest that cannot reasonably be served through alternative measures, and (B) such sale or purchase will not pose an unreasonable risk of identity theft, or bodily, emotional, or financial harm to an individual (taking into account any restrictions and conditions that the agency or instrumentality issuing the regulations imposes on the sale, purchase, or disclosure). (3) Treatment of other matters in general discretion of the commissioner.-- (A) In general.--In issuing the regulations described in paragraph (1) with respect to the provisions of section 205(c)(2)(C)(x)(VIII) or section 208A(b)(3)(B), the sale, purchase, or display to the general public of social security account numbers may be authorized only after considering, among other relevant factors-- (i) the extent to which the authorization of the sale, purchase, or display of the social security account number would serve a compelling public interest that cannot reasonably be served through alternative measures, (ii) the associated cost or burden of the authorization to the general public, businesses, commercial enterprises, non-profit organizations, and Federal, State, and local governments; and (iii) the associated benefit of the authorization to the general public, businesses, commercial enterprises, non-profit associations, and Federal, State, and local governments. (B) Restrictions and conditions.--If, after considering the factors in subparagraph (A), the sale, purchase, or display to the general public of social security account numbers is authorized under regulations referred to in subparagraph (A), the Commissioner (or the agency or instrumentality delegated authority to issue such regulations under paragraph (5)) shall impose restrictions and conditions on the sale, purchase, or display to the general public to the extent necessary-- (i) to provide reasonable assurances that social security account numbers will not be used to commit or facilitate fraud, deceptions, or crime, and (ii) to prevent an unreasonable risk of identity theft or bodily, emotional, or financial harm to any individual, considering the nature, likelihood, and severity of the anticipated harm that could result from the sale, purchase, or display to the general public of social security account numbers, together with the nature, likelihood, and extent of any benefits that could be realized. (C) 5-year expiration date for regulations.--At the end of the 5-year period beginning on the effective date of any final regulations issued pursuant to this paragraph-- (i) such regulations shall expire, and (ii) new regulations may be issued pursuant to this paragraph. (4) Administrative procedure.--In the issuance of regulations pursuant to this subsection, notice shall be provided as described in paragraphs (1), (2), and (3) of section 553(b) of title 5, United States Code, and opportunity to participate in the rule making shall be provided in accordance with section 553(c) of such title. (5) Delegation to other agencies.--Any agency or instrumentality of the United States may exercise the authority of the Commissioner under this subsection, with respect to matters otherwise subject to regulation by such agency or instrumentality, to the extent determined appropriate in regulations of the Commissioner. (6) Consultation and coordination.--Each agency and instrumentality exercising authority to issue regulations under this subsection shall consult and coordinate with the other such agencies and instrumentalities for the purposes of assuring, to the extent possible, that the regulations prescribed by each such agency or instrumentality are consistent and comparable, as appropriate, with the regulations prescribed by the other such agencies and instrumentalities. The Commissioner shall undertake to facilitate such consultation and coordination. (7) Definitions and special rules.-- (A) For purposes of this subsection, the terms ``sell'', ``purchase'', and ``display to the general public'' shall have the meanings provided such terms under section 205(c)(2)(C)(x) or section 208A(a), as applicable. (B) For purposes of this subsection, section 205(c)(2)(C)(x)(XI) shall apply. (b) Coordination of Enforcement with Other Agencies.--The Commissioner may provide, by regulation, for enforcement by any other agency or instrumentality of the United States of the provisions of section 208A and regulations prescribed pursuant to subsection (a)(1) with respect to section 208A. (c) Actions by States with Respect to Misuse in Private Sector or by State and Local Governments.-- (1) Civil actions.--In any case in which the attorney general of a State (as defined in section 205(c)(2)(C)(x)(X)) has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice described in paragraph (2), the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction, to-- (A) enjoin that act or practice; (B) enforce compliance with the regulation; (C) obtain civil penalties in an amount of $11,000 per violation not to exceed a total of $5,000,000; or (D) obtain such other legal and equitable relief as the district court may consider to be appropriate. Before filing an action under this subsection, the attorney general of the State involved shall provide to the Commissioner of Social Security and the Attorney General of the United States a written notice of that action and a copy of the complaint for that action. If the State attorney general determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action, the State attorney general shall provide the written notice and the copy of the complaint as soon after the filing of the complaint as practicable. Any reference in this subsection to the attorney general of a State shall be deemed also to be a reference to any equivalent official of such State. (2) Acts or practices subject to enforcement.--An act or practice described in this paragraph is-- (A) an act or practice by an executive, legislative, or judicial agency or instrumentality of the State involved or a political subdivision thereof, a person acting as an agent thereof, or any officer or employee of the foregoing or person acting as an agent of the foregoing that violates clause (vi)(II), (x), (xi), (xii), (xiii), (xiv), or (xv) of section 205(c)(2)(C) or any regulation promulgated thereunder, or (B) an act or practice by any person that violates section 208A or any regulation promulgated thereunder. (3) Attorney general authority.--On receiving notice under paragraph (1), the Attorney General of the United States shall have the right-- (A) to move to stay the action, pending the final disposition of a pending Federal matter as described in paragraph (4); (B) to intervene in an action under paragraph (1); (C) upon so intervening, to be heard on all matters arising therein; and (D) to file petitions for appeal. (4) Pending criminal proceedings.--If the Attorney General of the United States has instituted a criminal proceeding under section 208 alleging an act or practice described in paragraph (2) in connection with any State, such State may not, during the pendency of such proceeding or action, bring an action under this subsection against any defendant named in the criminal proceeding. (5) Rule of construction.--For purposes of bringing any civil action under paragraph (1), nothing in this subsection shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence. (6) Venue; service of process.--Any action brought under paragraph (1) may be brought in any district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code. In an action brought under paragraph (1), process may be served in any district in which the defendant is an inhabitant or may be found. (d) Remedies to Individuals for Violations by the Federal Government of Requirements Relating to Social Security Account Numbers.-- (1) Civil actions.--Any individual who is aggrieved by an act or practice by any person acting as an officer, employee, or agent of an agency or instrumentality of the Federal Government in violation of the requirements of clause (vi)(II), (x), (xi), (xii), (xiii), (xiv), or (xv) of subsection (c)(2)(C) with respect to the social security account number assigned to such individual under subsection (c)(2)(B) may commence a civil action for appropriate equitable relief or actual damages. (2) Venue; service of process.--An action under this subsection action may be brought in the district court of the United States for the judicial district in which the plaintiff resides, or has his principal place of business, in which the violation took place, or in which the defendant resides or may be found, and process may be served in any other district in which a defendant resides or may be found. (3) Jurisdiction.--The district courts of the United States shall have jurisdiction, without respect to the amount in controversy or the citizenship of the parties, to grant the relief provided for in paragraph (1). (4) Attorney's fees.--In any action under this subsection, the court in its discretion may allow a reasonable attorney's fee and costs of action to either party. (e) Ongoing Gao Review on Efficacy of Regulations.-- (1) In general.--The Comptroller General of the United States shall conduct an ongoing review of the efficacy of the regulations prescribed by any agency or instrumentality of the United States pursuant to this section. Such review shall consider the extent to which such regulations are consistent with, and in furtherance of the purposes of, the amendments made by the Social Security Number Privacy and Identity Theft Prevention Act of 2007. (2) Report.--Not later than 4 years after the effective date of any final regulations issued by any agency or instrumentality of the United States pursuant to this section, the Comptroller General shall report to each House of the Congress regarding the results of the review of such regulations conducted under this paragraph. Such report shall include the Comptroller General's recommendations for such statutory or regulatory changes as the Comptroller General considers appropriate. * * * * * * * TITLE XVI--SUPPLEMENTAL SECURITY INCOME FOR THE AGED, BLIND, AND DISABLED * * * * * * * Part B--Procedural and General Provisions * * * * * * * PENALTIES FOR FRAUD Sec. 1632. (a) Whoever-- (1) * * * * * * * * * * [shall be fined under title 18, United States Code, imprisoned not more than 5 years, or both.] shall be fined, imprisoned, or both, as provided in subsection (b). (b) A person convicted of a violation described in subsection (a) shall be-- (1) fined under title 18, United States Code, or imprisoned for not more than 5 years, or both, in the case of an initial violation, subject to paragraphs (3) and (4), (2) fined under title 18, United States Code, or imprisoned for not more than 10 years, or both, in the case of a violation which occurs after a prior conviction for another offense under subsection (a) becomes final, subject to paragraphs (3) and (4), (3) fined under title 18, United States Code, or imprisoned for not more than 20 years, in the case of a violation which is committed to facilitate a drug trafficking crime (as defined in section 929(a)(2) of title 18, United States Code) or in connection with a crime of violence (as defined in section 924(c)(3) of title 18, United States Code) involving force against the person of another, subject to paragraph (4), and (4) fined under title 18, United States Code, or imprisoned for not more than 25 years, in the case of a violation which is committed to facilitate an act of international or domestic terrorism (as defined in paragraphs (1) and (5), respectively, of section 2331 of title 18, United States Code). [(b)] (c)(1) * * * * * * * * * * [(c)] (d) Any person or entity convicted of a violation of subsection (a) of this section or of section 208 may not be certified as a representative payee under section 1631(a)(2). * * * * * * * VII. ADDITIONAL VIEWS ---------- ADDITIONAL VIEWS OF HON. KENNY C. HULSHOF The absence of overarching Federal law regulating the sale, purchase, and display to the general public of Social Security numbers (SSNs), and the growing threat represented by SSN misuse and identity theft, have prompted a need to better protect the privacy and integrity of SSNs. The purpose of the ``Social Security Number Privacy and Identity Theft Prevention Act of 2007,'' H.R. 3046, is to enhance Social Security number privacy protections and to otherwise enhance protections against identity theft. Concerns have been raised that the provisions in H.R. 3046 would harm a consumer's ability to obtain benefits such as credit as stipulated by the Fair Credit Reporting Act (FCRA). The bill addresses these concerns by providing exceptions to the prohibitions on SSN sale and purchase, as follows: (1) by or to a consumer reporting agency for use or disclosure for permissible purposes described in the FCRA; (2) with affirmative written consent; and (3) under other circumstances determined appropriate according to regulations. Also, to permit accurate data-matching to continue without jeopardizing SSN privacy, the bill provides for the sale and display to the general public of the last four digits of the SSN for two years after the effective date of the final regulation. This authority may be extended with action by Congress. As the bill advances through the legislative process, continued efforts should be made to protect the accuracy of credit reports and other consumer reports, along with the legitimate uses of the SSN by financial institutions. Kenny C. Hulshof. ADDITIONAL VIEWS OF HON. PATRICK J. TIBERI I agree with the goal of H.R. 3046, the ``Social Security Number Privacy and Identity Theft Prevention Act of 2007.'' We, as holders of the public trust, need to do everything within our power to ensure our constituents' personal information remains exactly that--personal. We need to make sure that key information, like a Social Security number, is used in a responsible and protected way. Chairman McNulty and Ranking Member Johnson deserve a great deal of credit for their dedication and hard work on this bill. During markup of this legislation I expressed a concern about the balance between restricting the use of Social Security numbers where there is no compelling purpose, and allowing continued use where they may be needed for important and legitimate purposes. I would like to take this opportunity to elaborate on my comments. The bill prohibits the sale, purchase, and display of Social Security numbers, with limited exceptions: for law enforcement purposes, national security purposes, public health purposes, emergency situations, compliance with a tax law, use or disclosure by a consumer reporting agency for the permissible purposes of section 604(a) of the Fair Credit Reporting Act (FCRA), certain research, and when the consumer has consented. The committee did not explicitly allow the use of Social Security numbers for the detection and prevention of fraud or to verify a person's identity in connection with financial transactions. Banks are mandated by Section 326 of the USA PATRIOT Act to have a Customer Identification Program, intended to enable the bank to form a reasonable belief that it knows the true identity of each customer. It is obviously important that the identity verification process produces a high degree of confidence in the person's identity. The bill authorizes the Social Security Administration to provide additional exceptions by regulation. As a former Member of the Committee on Financial Services, I note that these uses are allowed under the Gramm-Leach-Bliley Act for all ``nonpublic personal information,'' which includes Social Security numbers. It also permits the use of Social Security numbers only for FCRA section 604(a), rather than for all of the permissible purposes under that Act. Without specific attention to this matter, I'm concerned that H.R. 3046 could, in fact, overturn Gramm-Leach-Bliley to prohibit the use of Social Security numbers for legitimate purposes. They should be provided for by statute, rather than left to the chances of a regulatory process. I appreciate Chairman Rangel's offer to work with me to resolve this issue and hope that it can be addressed as the bill moves forward. Patrick J. Tiberi. <all>