[DOCID: f:hr191.110]
From the House Reports Online via GPO Access
[wais.access.gpo.gov]

110th Congress, 1st Session
HOUSE OF REPRESENTATIVES
Rept. 110-191, Part 1

SOCIAL SECURITY NUMBER PROTECTION ACT OF 2007

June 13, 2007.--Ordered to be printed

Mr. Dingell, from the Committee on Energy and Commerce, submitted the following

REPORT

[To accompany H.R. 948]

[Including cost estimate of the Congressional Budget Office]

The Committee on Energy and Commerce, to whom was referred the bill (H.R. 948) to strengthen the authority of the Federal Government to protect individuals from certain acts and practices in the sale and purchase of Social Security numbers and Social Security account numbers, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass.

CONTENTS

Amendment
Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
Statement of General Performance Goals and Objectives
New Budget Authority, Entitlement Authority, and Tax Expenditures
Earmarks and Tax and Tariff Benefits
Committee Cost Estimate
Congressional Budget Office Estimate
Federal Mandates Statement
Advisory Committee Statement
Constitutional Authority Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

AMENDMENT

The amendment is as follows:

Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Social Security Number Protection Act of 2007''.

SEC. 2. DEFINITIONS.

    In this Act:
        (1) Commission.--The term ``Commission'' means the Federal Trade Commission.
        (2) Person.--The term ``person'' means any individual, partnership, corporation, trust, estate, cooperative, association, or any other entity.
        (3) Sale.--The term ``sale'' means obtaining, directly or indirectly, anything of value in exchange for a Social Security number. Such term does not include the submission of such numbers as part of the process for applying for any type of Government benefit or programs (such as grant or loan applications or welfare or other public assistance programs). Such term also does not include transfers of such numbers as part of a data matching program under the Computer Matching and Privacy Protection Act.
        (4) Purchase.--The term ``purchase'' means providing directly or indirectly, anything of value in exchange for a Social Security number. Such term does not include the submission of such numbers as part of the process for applying for any type of Government benefit or programs (such as grant or loan applications or welfare or other public assistance programs). Such term also does not include transfers of such numbers as part of a data matching program under the Computer Matching and Privacy Protection Act.
        (5) Social security number.--The term ``Social Security number'' means the social security account number assigned to an individual under section 205(c)(2)(B) of the Social Security Act (42 U.S.C. 405(c)(2)(B)).
        (6) State.--The term ``State'' means any State of the United States, the District of Columbia, Puerto Rico, the Northern Mariana Islands, the United States Virgin Islands, Guam, American Samoa, and any territory or possession of the United States.

SEC. 3. PROHIBITION ON CERTAIN USES OF SOCIAL SECURITY NUMBERS.

    (a) Prohibition.--Except as provided under regulations issued by the Commission under subsection (c), it shall be unlawful for any person to--
        (1) intentionally display the Social Security number of another individual on a website that is generally accessible to the public or provide an individual with access to the Social Security number of another individual through the Internet;
        (2) require an individual who is customer of or member associated with such person to use that individual's Social Security number as a password for access to any good or service, including access to any account of that individual or any protected access website; or
        (3) display the Social Security number of any individual on any membership or identity card issued by such person.
    (b) Enforcement.--A violation of subsection (a) shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. The Commission shall enforce this section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this section. Any person who violates subsection (a) shall be subject to the penalties and entitled to the privileges and immunities provided in that Act.
    (c) Exceptions.--Not later than 9 months after the date of enactment of this Act, the Commission shall promulgate rules providing for any exceptions to the prohibition in subsection (a) for circumstances which the Commission considers appropriate and consistent with the public interest, the protection of consumers, and the purposes of this Act.

SEC. 4. REGULATION OF THE SALE AND PURCHASE OF SOCIAL SECURITY NUMBERS.

    (a) Prohibition.--It shall be unlawful for any person to sell or purchase a Social Security number in a manner that violates a regulation promulgated by the Commission under subsection (b) of this section.
    (b) Regulations.--
        (1) Restrictions authorized.--The Commission, after consultation with the Commissioner of Social Security, the Attorney General, and other agencies as the Commission deems appropriate, shall promulgate regulations restricting the sale and purchase of Social Security numbers and any unfair or deceptive acts or practices in connection with the sale and purchase of Social Security numbers.
        (2) Limitations on restrictions.--In promulgating such regulations, the Commission shall impose restrictions and conditions on the sale and purchase of Social Security numbers that are no broader than necessary--
            (A) to provide reasonable assurance that Social Security numbers will not be used to commit or facilitate fraud, deception, or crime; and
            (B) to prevent an undue risk of bodily, emotional, or financial harm to individuals.
        For purposes of subparagraph (B), the Commission shall consider the nature, likelihood, and severity of the anticipated harm; the nature, likelihood, and extent of any benefits that could be realized from the sale or purchase of the numbers; and any other relevant factors.
        (3) Exceptions.--The regulations promulgated pursuant to paragraph (1) shall include exceptions which permit the sale and purchase of Social Security numbers--
            (A) to the extent necessary for law enforcement or national security purposes;
            (B) to the extent necessary for public health purposes;
            (C) to the extent necessary in emergency situations to protect the health or safety of 1 or more individuals;
            (D) to the extent necessary for research conducted for the purpose of advancing public knowledge, on the condition that the researcher provides adequate assurances that--
                (i) the Social Security numbers will not be used to harass, target, or publicly reveal information concerning any identifiable individuals;
                (ii) information about identifiable individuals obtained from the research will not be used to make decisions that directly affect the rights, benefits, or privileges of specific individuals; and
                (iii) the researcher has in place appropriate safeguards to protect the privacy and confidentiality of any information about identifiable individuals;
            (E) to the extent consistent with an individual's voluntary and affirmative written consent to the sale or purchase of a Social Security number that has been assigned to that individual;
            (F) to the extent necessary for legitimate consumer credit verification, if the Social Security numbers used for such verification are redacted in accordance with uniform redaction standards established by the Commission in such regulations; and
            (G) under other appropriate circumstances as the Commission may determine and as are consistent with the principles in paragraph (2).
    (c) Rulemaking.--
        (1) Deadline for action.--Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate the regulations under subsection (b) of this section, in accordance with section 553 of title 5, United States Code.
        (2) Effective dates.--Subsection (a) and the regulations promulgated under subsection (b) shall take effect 30 days after the date on which the final regulations issued under this section are published in the Federal Register.
    (d) Enforcement.--Any violation of a regulation promulgated under subsection (b) of this section shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
    (e) Administration and Enforcement.--
        (1) The commission.--The Commission shall prevent any person from violating this section, and any regulation promulgated thereunder, in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulation shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.) as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Nothing contained in this Act shall be construed to limit the authority of the Commission under any other provision of law.
        (2) Actions by states.--
            (A) Civil actions.--In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates any regulation of the Commission promulgated under subsection (b), the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction, to--
                (i) enjoin that act or practice;
                (ii) enforce compliance with the regulation;
                (iii) obtain civil penalties in an amount of $11,000 per violation not to exceed a total of $5,000,000; or
                (iv) obtain such other legal and equitable relief as the district court may consider to be appropriate.
            Before filing an action under this subsection, the attorney general of the State involved shall provide to the Commission and to the Attorney General a written notice of that action and a copy of the complaint for that action. If the State attorney general determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action, the State attorney general shall provide the written notice and the copy of the complaint to the Commission and to the Attorney General as soon after the filing of the complaint as practicable.
            (B) Commission and attorney general authority.--On receiving notice under subparagraph (A), the Commission and the Attorney General each shall have the right--
                (i) to move to stay the action, pending the final disposition of a pending Federal matter as described in subparagraph (c);
                (ii) to intervene in an action under clause (I);
                (iii) upon so intervening, to be heard on all matters arising therein; and
                (iv) to file petitions for appeal.
            (C) Pending criminal proceedings.--If the Attorney General has instituted a criminal proceeding or the Commission has instituted a civil action for a violation of this Act or any regulations thereunder, no State may, during the pendency of such proceeding or action, bring an action under this section against any defendant named in the criminal proceeding or civil action for any violation of this section that is alleged in that proceeding or action.
            (D) Rule of construction.--For purposes of bringing any civil action under subparagraph (A), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence.
            (E) Venue; service of process.--Any action brought under this section may be brought in any district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code. In an action brought under this section, process may be served in any district in which the defendant is an inhabitant or may be found.

SEC. 5. STUDY ON FEASIBILITY OF BANNING SOCIAL SECURITY AS AN AUTHENTICATOR.

    (a) Study.--The Commission shall conduct a study to determine--
        (1) the extent of the use of Social Security numbers as a primary means of authenticating identity;
        (2) the extent of the use of Social Security numbers for verification in commercial transactions; and
        (3) the feasibility of a prohibition on such use.
    The study shall also examine possible alternatives to Social Security numbers for verification purposes and uses in authenticating identity.
    (b) Report.--The Commission shall transmit to Congress a report of the study, including any recommendations, not later than 1 year after the date of the enactment of this Act.

SEC. 6. EFFECT ON OTHER LAWS.
    This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly--
        (1) prohibits the uses of Social Security numbers described in section 3(a); or
        (2) restricts or prohibits the sale or purchase of Social Security numbers in a manner similar to the regulations promulgated under section 4(b).

PURPOSE AND SUMMARY

The purpose of H.R. 948, the Social Security Number Protection Act of 2007, is to prohibit the public display and the purchase and sale of citizens' Social Security numbers in interstate commerce in violation of rules to be promulgated by the Federal Trade Commission (FTC).

H.R. 948 makes it unlawful to intentionally display Social Security numbers on a Web site or to provide access thereto through the Internet, to display Social Security numbers on membership or identity cards, or to require customers to use Social Security numbers as passwords for access to any goods or services, account, or protected access Web site.

H.R. 948 also requires the FTC to promulgate rules within one year, after consultation with the Attorney General and Commissioner of Social Security, restricting the sale and purchase of Social Security numbers. The regulations should be broad enough to prevent Social Security numbers from being used to commit fraud, deception, or crime, and prevent risk of bodily, emotional, or financial harm to individuals. H.R. 948 requires, however, certain exemptions from the prohibition for legitimate purposes including emergencies, public health, and law enforcement.

BACKGROUND AND NEED FOR LEGISLATION

Consumer transactions account for more than two-thirds of the U.S. gross domestic product at this time, and information sharing is of particular importance to the U.S. economy. The exchange of information among businesses is linked to broad economic benefits, including the widespread availability and low cost of consumer credit, based in part upon real time authentication and verification.
Notwithstanding the benefits of information sharing, however, consumers, businesses, and governmental entities have begun to focus on the privacy implications of information practices. The same technological advances in information networks that benefit consumers are increasingly misused for purposes that can harm consumers when information is accessible to unauthorized parties.

Adopting fair information practices became more common among businesses in the mid 1990s. The common elements of fair information practices are: notice, choice, access, security, and enforcement. There is wide variance in the extent to which businesses adhere to these information practices. Even among the entities that have embraced these fair information practices, there is disagreement about the right mix of self-regulation, legislation, and technology in protecting privacy.

Historically, Congress has taken a sector-by-sector approach to privacy and has mandated discrete protections for certain personal information used for commercial purposes, upon a showing that a particular use harmed or threatened to harm the American consumer. This industry-by-industry approach differs from the comprehensive approach attempted by other nations, such as the European Union's Data Protection Directive. Together those sector specific statutes encompass a significant portion of U.S. commercial activity, though they are significantly different in the protections afforded to consumers.
The following is a small sample of Federal statutes addressing the issue of information privacy: the Children's Online Privacy Protection Act, the Cable Communications Policy Act, the Telecommunications Act of 1996, the Telephone Consumer Protection Act, the Electronic Communications Privacy Act, the Health Insurance Portability Protection Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, the Driver's Privacy Protection Act, and wiretap statutes.

The need to address privacy concerns has grown exponentially with the prevalence of digitized personal information that can be stored, transferred, and theoretically accessed by limitless parties depending on the data safeguards or protections. Such information sharing may require the authentication and validation of individuals' identities. In many cases, individuals' Social Security numbers have become the default identifier.

Originally created by the Federal Government to administer the Social Security program, the numbers were intended only to track employee contributions to the system and administer benefits but were prohibited from any other use. Congress later authorized the use of Social Security numbers as taxpayer identification numbers for the IRS. Over time, however, the numbers have become default identification and verification for many other purposes.

The Federal Government requires virtually every individual in the United States to obtain and maintain a Social Security number in order to pay taxes, to qualify for Social Security benefits, or to seek employment. An unintended consequence of these requirements is that Social Security numbers have become tools that can be used to facilitate crime, fraud, and invasions of the privacy of the individuals to whom the numbers are assigned.
Because the Federal Government created and maintains this system, and because the Federal Government does not permit persons to exempt themselves from those requirements, the Committee finds it is appropriate for the Government to take steps to stem the abuse of this system.

The Committee notes that Congress attempted to limit the use of Social Security numbers with the passage of the Privacy Act of 1974. This law applied only to government agencies, however, and did not restrict the private sector. As a result of the lack of restrictions, Social Security numbers have become synonymous with an individual's identity as the number is tied directly to nearly all financial accounts, as well as patient records of health-care providers and other business entities. While there are clear benefits associated with the ability to authenticate and verify an individual--including the provision of instantaneous credit, combating fraudulent transactions, and accurately identifying or locating individuals whose name has changed and is otherwise unable to be located--the Social Security number has become the singularly most important means of identifying and authenticating an individual, increasing its value in the eyes of identity thieves and fraudsters.

The Committee finds that the inappropriate sale or purchase of Social Security numbers is a significant factor in a growing range of illegal activities, including fraud, identity theft, and, in some cases, stalking and other violent crimes. It is the identifying information associated with a Social Security number that presents the largest potential threats to individuals. Because an individual's information is linked to the Social Security number, access to the Social Security number opens the individuals' identity and related information to the possibility of the information being available to unauthorized parties or for unauthorized purposes.
The Committee found that this can facilitate the commission of criminal activities and also can result in serious invasions of individual privacy.

The Committee seeks to stop the unauthorized access to and use of an individual's Social Security number as a result of a commercial transaction to purchase or sell the numbers. For example, identity theft crimes have risen substantially over the past decade in part because Social Security numbers and other information necessary to perpetrate the crime are often easily available for purchase by potential criminals. The Committee's related investigation into the practice of pretexting--fraudulently impersonating someone else to acquire detailed information (usually over the phone) about another person--demonstrated that access to an individual's personal information is often only limited to the provision of a Social Security number. Once a Social Security number is obtained, access to detailed personal information associated with the Social Security number is readily accessible. With this information in hand, a criminal can commit identity theft in numerous ways, including opening new accounts in the name of the individual attached to the Social Security number.

Although account fraud is one of the most common crimes perpetrated by criminals, the Committee is aware of other harm, including violent crimes, that can occur when Social Security numbers are easily available for purchase. The Committee is concerned the range of harms and crimes that can be perpetrated will only increase if prohibitions are not enacted to restrict the proliferation of the commercial availability of individuals' Social Security numbers. No one should seek to profit from the sale of Social Security numbers.
Consequently, there is a need for enactment of legislation that will offer individuals assigned such numbers necessary protections from the public display or the sale and purchase of Social Security numbers in circumstances that might facilitate unlawful conduct or that might otherwise likely result in unfair or deceptive practices.

The Committee observes that the Office of Management and Budget recently released a memorandum advising Federal departments and agencies to review their use of Social Security numbers and come up with a plan in 120 days to eliminate their unnecessary collection and use within 18 months. Action on the Committee's bipartisan legislation is critical and timely.

HEARINGS

No hearings were held on H.R. 948 this year. However, in the 109th Congress, the Subcommittee on Commerce, Trade, and Consumer Protection held a hearing on Thursday, May 11, 2006 entitled ``Social Security Numbers in Commerce: Reconciling Beneficial Uses with Threats to Privacy'' which examined H.R. 1078, substantially similar legislation considered in the 109th Congress, as well as other legislative proposals to increase privacy protections for Social Security numbers. Testimony was received from the following: The Honorable Jon Leibowitz, Commissioner, Federal Trade Commission; Mr. Oliver I. Ireland, Partner, Morrison & Foerster, testifying on behalf of the Financial Services Industry Association; Ms. Susan McDonald, President, Pension Benefit Information; Ms. Lauren Steinfeld, Former Associate Chief Counsel, Office of Management and the Budget, Mr. H. Randy Lively Jr., President and CEO, American Financial Services Association; and Mr. Marc Rotenberg, Executive Director, Electronic Privacy Information Center.

COMMITTEE CONSIDERATION

On Wednesday, May 10, 2007, the Committee on Energy and Commerce met in open markup session and ordered H.R. 948 favorably reported to the House, amended, by a voice vote, a quorum being present.
COMMITTEE VOTES

Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the record votes on the motion to report legislation and amendments thereto. There were no record votes taken in connection with ordering H.R. 948 reported. A motion by Mr. Dingell to order H.R. 948 reported to the House, amended, was agreed to by a voice vote.

COMMITTEE OVERSIGHT FINDINGS

Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the oversight findings of the Committee are reflected in the preceding portions of this report.

STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

The purpose of the legislation is to reduce harm to individuals that results from the public display or the purchase or sale of their Social Security number.

NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

Regarding compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 948, the Social Security Number Protection Act of 2007, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues.

EARMARKS AND TAX AND TARIFF BENEFITS

Regarding compliance with clause 9 of rule XXI of the Rules of the House of Representatives, H.R. 948 does not contain any Congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(d), 9(e), or 9(f) of rule XXI.

COMMITTEE COST ESTIMATE

The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974.

CONGRESSIONAL BUDGET OFFICE ESTIMATE

Pursuant to clause 3(c)(3) of rule XIII of the Rules of the House of Representatives, the following is the cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974:

May 25, 2007.

Hon. John D. Dingell,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 948, the Social Security Number Protection Act of 2007.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Susan Willie.

Sincerely,
Peter R. Orszag.

Enclosure.

H.R. 948--Social Security Number Protection Act of 2007

Summary: H.R. 948 would prohibit the sale or purchase of Social Security numbers (SSNs) as well as certain other activities related to their display or use. The Federal Trade Commission (FTC) would be required to develop regulations to enforce the new prohibitions. CBO estimates that promulgating and enforcing those regulations would not have a significant effect on federal spending. Enacting the bill could increase federal revenues from civil penalties assessed for violations of the new regulations, but CBO estimates that any such increase would not be significant in any year. Enacting the bill would not affect direct spending.

H.R. 948 contains intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA). The bill would preempt state and local laws that restrict the use, sale, or purchase of Social Security numbers, but CBO estimates that the costs of those mandates would be small and would not exceed the threshold established in UMRA ($66 million in 2007, adjusted annually for inflation).

H.R. 948 would impose private-sector mandates as defined in the UMRA. It would prohibit any entity in the private sector from selling or purchasing a Social Security number in violation of the regulations that the Federal Trade Commission would issue. The bill also would prohibit certain uses of Social Security numbers. The cost to the private sector of complying with those mandates is uncertain because it would depend on regulations that have not yet been promulgated.
Therefore, CBO cannot determine whether the aggregate cost of mandates in the bill would exceed the annual threshold established by UMRA for private sector mandates ($131 million in 2007, adjusted annually for inflation).

Estimated cost to the Federal Government: H.R. 948 would make it illegal to display an individual's SSN on a public Web site or on a membership or identity card, to require the use of a SSN as a password for access to services, or to sell or purchase SSNs. The bill would require the FTC to develop and enforce those new prohibitions. Based on information from the FTC, CBO estimates that the cost to develop regulations limiting the display and use of SSNs as well as their sale and purchase would be less than $500,000 per year. Such costs would be subject to the availability of appropriated funds. The costs of this legislation would fall within budget function 370 (commerce and housing credit).

Enacting H.R. 948 could increase federal revenues from civil penalties assessed for violations of the new regulations. CBO estimates, however, that any additional revenues that would result from enacting the bill would not be significant because of the relatively small number of cases likely to be involved.

Estimated impact on state, local, and tribal governments: H.R. 948 contains intergovernmental mandates as defined in UMRA. In particular, the bill would require state attorneys general to notify the FTC of any action taken under the bill, allow the FTC to intervene in those actions, and limit the actions that attorneys general may take in certain circumstances. Also, provisions regarding the use, sale, or purchase of Social Security numbers would preempt state laws. CBO estimates that the aggregate costs, if any, to state, local, and tribal governments of complying with the mandates in the bill would be small and would not exceed the threshold established in UMRA ($66 million in 2007, adjusted annually for inflation).
CBO believes that the bill would grant no new authority to the FTC to regulate the activities of state and local governments. Under current law, the courts have ruled that the FTC does not have jurisdiction over those governments or over public universities. Furthermore, the bill's provisions apply to ``persons,'' a term that does not include sovereigns such as state, local, or tribal governments. We expect, therefore, that the provisions of the bill regarding the use, sale, and purchase of Social Security numbers would not apply to such entities. Estimated impact on the private sector: H.R. 948 contains private-sector mandates as defined in UMRA. It would prohibit any entity from selling or purchasing a Social Security number (SSN) in violation of regulations that the FTC would issue to implement this legislation. The bill also would prohibit the display of Social Security numbers on any Web site that is generally accessible to the public or on any membership or identity cards. In addition, the bill would prohibit anyone from requiring that a consumer use a Social Security number as a password. The FTC would be required to ensure that the restrictions and conditions on the sale or purchase of SSNs are no broader than necessary to provide reasonable assurance that SSNs will not be used to commit or facilitate fraud, deception, or crime, and to prevent an undue risk of bodily, emotional, or financial harm to individuals. H.R. 948 is aimed at prohibiting activities that have no legitimate purpose; however, despite the exemptions in the bill, some entities engaging in legitimate activities might be forced to change their business practices as a result of the legislation. The cost to the private sector of complying with the mandates in the bill is uncertain because it would depend on regulations that have not yet been promulgated. Consequently, CBO cannot determine whether the aggregate cost of mandates in H.R. 
948 would exceed the annual threshold established by UMRA for private-sector mandates ($131 million in 2007, adjusted annually for inflation).

Estimate prepared by: Federal Costs: Susan Willie; Impact on state, local, and tribal governments: Elizabeth Cove; Impact on the private sector: Fatimot Ladipo.

Estimate approved by: Robert A. Sunshine, Assistant Director for Budget Analysis.

FEDERAL MANDATES STATEMENT

The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act.

ADVISORY COMMITTEE STATEMENT

No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.

CONSTITUTIONAL AUTHORITY STATEMENT

Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee finds that the Constitutional authority for this legislation is provided in Article I, section 8, clause 3, which grants Congress the power to regulate commerce with foreign nations, among the several States, and with the Indian Tribes.

APPLICABILITY TO LEGISLATIVE BRANCH

The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act.

SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title

Section 1 defines this Act as the ``Social Security Protection Act of 2007''.

Section 2. Definitions

Section 2 defines terms to be used in this Act, including ``Commission,'' ``person,'' ``sale,'' ``purchase,'' ``Social Security number,'' and ``State.'' The terms ``sale'' and ``purchase'' are broadly defined to include, respectively, obtaining or providing, directly or indirectly, anything of value in exchange for a Social Security number.
Both of the latter terms, ``sale'' and ``purchase,'' are specifically defined to exclude two sets of circumstances: (1) the submission of such numbers as part of the process for applying for any type of government benefit or program (e.g., grant or loan applications or welfare or other public assistance programs); and (2) the transfers of such numbers as part of a data matching program under the Computer Matching and Privacy Protection Act of 1988. The term ``State'' is defined broadly to include both States of the United States and other political subdivisions of the United States, such as its territories and possessions.

Section 3. Prohibition on certain uses of social security numbers

Section 3 prohibits the use of Social Security numbers in specific circumstances, except as provided under regulations promulgated by the FTC. Subsection 3(a)(1) would make it unlawful for any person to intentionally display the Social Security number of another individual on a Web site that is generally accessible to the public or provide an individual with access to the Social Security number of another individual through the Internet. Subsection 3(a)(2) would make it unlawful to require an individual who is a customer of or member associated with such person to use that individual's Social Security number as a password for access to any good or service, including access to any account of that individual or any protected access website. Subsection 3(a)(3) would make it unlawful to display the Social Security number of any individual on any membership or identity card issued by such person. Subsection 3(b) stipulates that a violation of subsection (a) shall be treated as an unfair and deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act. Any person who violates subsection (a) shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.
Subsection 3(c) directs the FTC to promulgate rules that provide for any exceptions to the prohibitions in subsection (a) for circumstances that the FTC considers appropriate and consistent with the public interest, the protection of consumers, and the purposes of this Act.

The Committee understands that access to Social Security numbers is essential to many vital government and commercial operations, such as database accuracy and fraud prevention. The Committee believes, however, that there is no legitimate reason why, for example, Web site operators should be displaying, providing access to, or selling Social Security numbers to the general public. The intent of this section is to stop the public display of Social Security numbers. The Committee believes that such activity poses a substantial threat to consumers of identity theft and financial account fraud.

Section 4. Regulation of the sale and purchase of social security numbers

Section 4 provides for the prohibition of the sale or purchase of Social Security numbers in violation of regulations promulgated by the FTC. The FTC shall promulgate regulations within one year of enactment restricting the sale and purchase and defining unfair and deceptive acts related to the sale and purchase of Social Security numbers. The FTC regulations shall also include exceptions for certain enumerated purposes consistent with the intent of the legislation.

Subsection 4(a) would establish the general prohibition of the sale and purchase of a Social Security number in a manner that violates a regulation promulgated by the FTC under subsection (b). Subsection 4(b)(1) would direct the FTC, after consultation with the Commissioner of Social Security, the Attorney General, and other agencies as the FTC deems appropriate, to promulgate regulations restricting the sale and purchase of Social Security numbers and any unfair and deceptive acts and practices in connection with the sale and purchase of those numbers.
Subsection 4(b)(2) would require the FTC to impose restrictions and conditions on the sale and purchase of Social Security numbers and Social Security account numbers that are no broader than necessary (A) to provide reasonable assurance that such numbers will not be used to commit or facilitate fraud, deception, or crime; and (B) to prevent an undue risk of bodily, emotional, or financial harm to individuals (taking into account the nature, likelihood, and severity of the anticipated harm and the extent of any benefits that might be realized from the sale or purchase of the numbers and any other relevant factors).

Subsection 4(b)(3) would require the FTC to establish in those regulations exceptions for seven categories of situations in which the sale and purchase of Social Security numbers would be permitted:
(1) to the extent necessary for law enforcement or national security purposes;
(2) to the extent necessary for public health purposes;
(3) to the extent necessary in emergency situations to protect the health and safety of one or more individuals;
(4) to the extent necessary for research to advance public knowledge (including, but not limited to, scientific, epidemiological, and social scientific research) conducted for the purpose of advancing public knowledge, on the condition that for such research the researcher provides adequate assurances that (i) the Social Security numbers will not be used to harass, target, or publicly reveal information concerning any identifiable individual(s); (ii) information about identifiable individuals obtained from the research will not be used to make decisions that directly affect the rights, benefits, or privileges of specific individuals; and (iii) the researcher has in place appropriate safeguards to protect the privacy and confidentiality of any information about identifiable individuals;
(5) to the extent consistent with an individual's voluntary and affirmative written consent to the sale or purchase of a particular
Social Security number that has been assigned to that individual;
(6) to the extent necessary for legitimate consumer credit verification, if the Social Security numbers used for such verification are redacted in accordance with uniform redaction standards issued by the FTC in such regulations, and
(7) under other appropriate circumstances as the FTC may determine and as are consistent with paragraph (2).

Under any of these seven exceptions, when Federal departments and agencies have Social Security numbers in systems of records, the legal protections of the Privacy Act, 5 U.S.C. Sec. 552a, will apply.

The Committee intends that the FTC's regulations will address, among other things, growing concerns about the ability of companies to demand that consumers provide them with a full Social Security number as a condition of doing business. The Committee intends that the FTC, in crafting uniform redaction standards pursuant to 4(b)(3)(F), shall protect against the threat that a person's full Social Security number could be uncovered. For example, such standards shall protect against the threat that a person's full Social Security number could be identified by combining the redacted number with other data which might otherwise reasonably be available about the individual and which could facilitate replication of the full number, such as the individual's date of birth or place of birth.

Subsection 4(c)(1) would direct the FTC to promulgate the regulations under subsection 4(b) not later than one year after the date of enactment of the bill. Subsection 4(a), and regulations promulgated under subsection 4(b), shall take effect thirty days after the date on which the final regulations issued under subsection 4(b) are published in the Federal Register. Subsection 4(d) would direct that any violation of a regulation promulgated under subsection 4(b) shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. Sec.
57a(a)(1)(B)) regarding unfair or deceptive acts or practices. Subsection 4(e)(1) would set forth the FTC's authority to prevent violations of Section 3 and the regulations promulgated under Section 4, and provide that violators of such rules shall be subject to the penalties, and entitled to the privileges and immunities provided in the Federal Trade Commission Act as though all applicable terms and provisions of that Act were incorporated into and made a part of this bill.

Subsection 4(e)(2) would authorize any State attorney general to bring a parens patriae action in a United States district court, in any case in which that attorney general has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates any regulation under Section 4(b) of the Act. The relief that the State attorney general may seek would include injunctive relief, enforcement of compliance with the regulation, obtaining damages, restitution, and other compensation on behalf of the State's residents (including civil penalties up to $11,000 per violation, not to exceed a maximum of $5,000,000) and any other legal or equitable relief as the district court may consider to be appropriate. This subsection also contains provisions for notice to the FTC and the Department of Justice when such actions are brought; litigation-related rights that the FTC and the Department each would have in such actions; a provision precluding States from filing such parens patriae actions if the Department has instituted a prosecution for criminal violations or the FTC has instituted civil litigation for civil violations of the Act; a provision clarifying the ability of a State attorney general to use investigatory powers under the laws of that State; and procedural provisions for venue and service of process.

Section 5. Study of feasibility of banning social security as an authenticator

Section 5 directs the FTC to conduct a study to determine: (1) the extent of the use of Social Security numbers as a primary means of authenticating identity; (2) the extent of the use of Social Security numbers for verification in commercial transactions; (3) the feasibility of a prohibition on such use; and (4) possible alternatives to Social Security numbers for verification purposes and uses in authenticating identity. The FTC shall transmit to Congress a report of the study, including recommendations, no later than one year after the date of enactment of this Act.

Section 6. Effect on other laws

Section 6 preempts any State laws that expressly: (1) prohibit the uses of Social Security numbers described in Section 3(a); or (2) restrict or prohibit the sale or purchase of Social Security numbers in a manner similar to the regulations promulgated under Section 4(b).

CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

H.R. 948 does not amend any existing Federal statute.