[DOCID: f:hr708p1.109]
From the House Reports Online via GPO Access
[wais.access.gpo.gov]

109th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Rept. 109-708, Part 1

SOCIAL SECURITY NUMBER PROTECTION ACT OF 2006

September 29, 2006.--Ordered to be printed

Mr. Barton of Texas, from the Committee on Energy and Commerce, submitted the following

R E P O R T

[To accompany H.R. 1078]

[Including cost estimate of the Congressional Budget Office]

The Committee on Energy and Commerce, to whom was referred the bill (H.R. 1078) to strengthen the authority of the Federal Government to protect individuals from certain acts and practices in the sale and purchase of Social Security numbers and Social Security account numbers, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass.

CONTENTS

Amendment
Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
Statement of General Performance Goals and Objectives
New Budget Authority, Entitlement Authority, and Tax Expenditures
Committee Cost Estimate
Congressional Budget Office Estimate
Federal Mandates Statement
Advisory Committee Statement
Constitutional Authority Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

AMENDMENT

The amendment is as follows:

Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Social Security Number Protection Act of 2006''.

SEC. 2. DEFINITIONS.

In this Act:
    (1) Commission.--The term ``Commission'' means the Federal Trade Commission.
    (2) Person.--The term ``person'' means any individual, partnership, corporation, trust, estate, cooperative, association, or any other entity.
    (3) Sale.--The term ``sale'' means obtaining, directly or indirectly, anything of value in exchange for a Social Security number or Social Security account number. Such term does not include the submission of such numbers as part of the process for applying for any type of Government benefit or programs (such as grant or loan applications or welfare or other public assistance programs). Such term also does not include transfers of such numbers as part of a data matching program under the Computer Matching and Privacy Protection Act.
    (4) Purchase.--The term ``purchase'' means providing directly or indirectly, anything of value in exchange for a Social Security number or Social Security account number. Such term does not include the submission of such numbers as part of the process for applying for any type of Government benefit or programs (such as grant or loan applications or welfare or other public assistance programs). Such term also does not include transfers of such numbers as part of a data matching program under the Computer Matching and Privacy Protection Act.
    (5) Social security number.--The term ``Social Security number'' means the social security account number assigned to an individual under section 205(c)(2)(B) of the Social Security Act (42 U.S.C. 405(c)(2)(B)).
    (6) State.--The term ``State'' means any State of the United States, the District of Columbia, Puerto Rico, the Northern Mariana Islands, the United States Virgin Islands, Guam, American Samoa, and any territory or possession of the United States.

SEC. 3. REGULATION OF THE SALE AND PURCHASE OF SOCIAL SECURITY NUMBERS.

    (a) Prohibition.--It shall be unlawful for any person to sell or purchase a Social Security number in a manner that violates a regulation promulgated by the Commission under subsection (b) of this section.
    (b) Regulations.--
        (1) Restrictions authorized.--The Commission, after consultation with the Commissioner of Social Security, the Attorney General, and other agencies as the Commission deems appropriate, shall promulgate regulations restricting the sale and purchase of Social Security numbers and any unfair or deceptive acts or practices in connection with the sale and purchase of Social Security numbers.
        (2) Limitations on restrictions.--In promulgating such regulations, the Commission shall impose restrictions and conditions on the sale and purchase of Social Security numbers that are no broader than necessary--
            (A) to provide reasonable assurance that Social Security numbers will not be used to commit or facilitate fraud, deception, or crime; and
            (B) to prevent an undue risk of bodily, emotional, or financial harm to individuals.
        For purposes of subparagraph (B), the Commission shall consider the nature, likelihood, and severity of the anticipated harm; the nature, likelihood, and extent of any benefits that could be realized from the sale or purchase of the numbers; and any other relevant factors.
        (3) Exceptions.--The regulations promulgated pursuant to paragraph (1) shall include exceptions which permit the sale and purchase of Social Security numbers--
            (A) to the extent necessary for law enforcement or national security purposes;
            (B) to the extent necessary for public health purposes;
            (C) to the extent necessary in emergency situations to protect the health or safety of 1 or more individuals;
            (D) to the extent necessary for research conducted for the purpose of advancing public knowledge, on the condition that the researcher provides adequate assurances that--
                (i) the Social Security numbers will not be used to harass, target, or publicly reveal information concerning any identifiable individuals;
                (ii) information about identifiable individuals obtained from the research will not be used to make decisions that directly affect the rights, benefits, or privileges of specific individuals; and
                (iii) the researcher has in place appropriate safeguards to protect the privacy and confidentiality of any information about identifiable individuals;
            (E) to the extent consistent with an individual's voluntary and affirmative written consent to the sale or purchase of a Social Security number that has been assigned to that individual;
            (F) to the extent necessary for legitimate consumer credit verification, if the Social Security numbers used for such verification are redacted in accordance with uniform redaction standards established by the Commission in such regulations; and
            (G) under other appropriate circumstances as the Commission may determine and as are consistent with the principles in paragraph (2).
    (c) Rulemaking.--
        (1) Deadline for action.--Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate the regulations under subsection (b) of this section, in accordance with section 553 of title 5, United States Code.
        (2) Effective dates.--Subsection (a) and the regulations promulgated under subsection (b) shall take effect 30 days after the date on which the final regulations issued under this section are published in the Federal Register.
    (d) Enforcement.--Any violation of a regulation promulgated under subsection (b) of this section shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
    (e) Administration and Enforcement.--
        (1) The commission.--The Commission shall prevent any person from violating this section, and any regulation promulgated thereunder, in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulation shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.) as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Nothing contained in this Act shall be construed to limit the authority of the Commission under any other provision of law.
        (2) Actions by states.--
            (A) Civil actions.--In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates any regulation of the Commission promulgated under subsection (b), the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction, to--
                (i) enjoin that act or practice;
                (ii) enforce compliance with the regulation;
                (iii) obtain civil penalties in an amount of $11,000 per violation not to exceed a total of $5,000,000; or
                (iv) obtain such other legal and equitable relief as the district court may consider to be appropriate.
            Before filing an action under this subsection, the attorney general of the State involved shall provide to the Commission and to the Attorney General a written notice of that action and a copy of the complaint for that action. If the State attorney general determines that it is not feasible to provide the notice described in this subparagraph before the filing of the action, the State attorney general shall provide the written notice and the copy of the complaint to the Commission and to the Attorney General as soon after the filing of the complaint as practicable.
            (B) Commission and attorney general authority.--On receiving notice under subparagraph (A), the Commission and the Attorney General each shall have the right--
                (i) to move to stay the action, pending the final disposition of a pending Federal matter as described in subparagraph (C);
                (ii) to intervene in an action under clause (i);
                (iii) upon so intervening, to be heard on all matters arising therein; and
                (iv) to file petitions for appeal.
            (C) Pending criminal proceedings.--If the Attorney General has instituted a criminal proceeding or the Commission has instituted a civil action for a violation of this Act or any regulations thereunder, no State may, during the pendency of such proceeding or action, bring an action under this section against any defendant named in the criminal proceeding or civil action for any violation of this section that is alleged in that proceeding or action.
            (D) Rule of construction.--For purposes of bringing any civil action under subparagraph (A), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence.
            (E) Venue; service of process.--Any action brought under this section may be brought in any district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code. In an action brought under this section, process may be served in any district in which the defendant is an inhabitant or may be found.

SEC. 4. EFFECT ON OTHER LAWS.

This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly restricts or prohibits the sale or purchase of Social Security numbers in a manner consistent with the regulations promulgated under section 3(b).

PURPOSE AND SUMMARY

The purpose of H.R. 1078 is to prohibit the purchase and sale of citizens' Social Security numbers in interstate commerce in violation of rules to be promulgated by the Federal Trade Commission (FTC). H.R. 1078 requires the FTC to promulgate rules within one year, after consultation with the Attorney General and Commissioner of Social Security, restricting the sale and purchase of Social Security numbers.
The regulations should be broad enough to prevent Social Security numbers from being used to commit fraud, deception, or crime, and prevent risk of bodily, emotional, or financial harm to individuals. However, H.R. 1078 requires certain exemptions from the prohibition for legitimate purposes including emergencies, public health, and law enforcement.

BACKGROUND AND NEED FOR LEGISLATION

For centuries, commercial activity has involved the exchange by businesses, consumers, and governmental entities of information about consumer transactions. In recent times, information exchanges have taken on greater importance. Technological advances brought increased efficiencies to collecting, processing, and sharing data and solidified ``information'' as a principal commodity of the U.S. economy. As consumer transactions account for more than two-thirds of the U.S. gross domestic product at this time, information sharing is of particular importance to the U.S. economy.

The exchange of information among businesses is linked to broad economic benefits, including the widespread availability and low cost of consumer credit, based in part upon real time authentication and verification. However, notwithstanding the benefits of information sharing, consumers, businesses, and governmental entities have begun to focus on the privacy implications of information practices. The same technological advances in information networks that benefit consumers are increasingly used for purposes that can harm consumers when information is accessible to unauthorized parties.

Adopting fair information practices became more common among businesses in the mid 1990's. The common elements of fair information practices are: notice, choice, access, security, and enforcement. There is wide variance in the extent to which businesses adhere to these information practices.
Even among the entities that have embraced these fair information practices, there is disagreement about the right mix of self-regulation, legislation, and technology in protecting privacy.

Historically, Congress has taken a sectoral approach to privacy and has mandated discrete protections for certain personal information used for commercial purposes, upon a showing that a particular use harmed or threatened to harm the American consumer. This industry by industry approach differs from the comprehensive approach attempted by other nations, such as the European Union's Data Protection Directive. Together those sector specific statutes encompass a significant portion of U.S. commercial activity, though they are significantly different in the protections afforded to consumers. The following is a small sample of Federal statutes addressing the issue of information privacy: the Children's Online Privacy Protection Act, the Cable Communications Policy Act, the Telecommunications Act of 1996, the Telephone Consumer Protection Act, the Electronic Communications Privacy Act, the Health Insurance Portability Protection Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, the Driver's Privacy Protection Act, and wiretap statutes.

The need to address privacy concerns has grown exponentially with the prevalence of e-commerce and the digitization of personal information that can be stored, transferred, and theoretically accessed by limitless parties depending on the data safeguards or protections.

Integral to all personal information sharing is the role of a universal personal identifier that links an individual to many other financial and personally identifiable accounts. Specifically, Social Security numbers have become the default identifier for the overwhelming majority of U.S. citizens.
Originally created by the Federal government to administer the Social Security program, the numbers were intended only to track employee contributions to the system and administer benefits but were prohibited from any other use. Congress later authorized the use of Social Security numbers as taxpayer identification numbers for the IRS. However, over time, the numbers have become default identification and verification for many other purposes.

The Federal Government requires virtually every individual in the United States to obtain and maintain a Social Security number in order to pay taxes, to qualify for Social Security benefits, or to seek employment. An unintended consequence of these requirements is that Social Security numbers have become tools that can be used to facilitate crime, fraud, and invasions of the privacy of the individuals to whom the numbers are assigned. Because the Federal government created and maintains this system, and because the Federal government does not permit persons to exempt themselves from those requirements, the Committee finds it is appropriate for the government to take steps to stem the abuse of this system.

The Committee notes that Congress attempted to limit the use of Social Security numbers with the passage of the Privacy Act of 1974. However, this law applied only to government agencies and did not restrict the private sector. As a result of the lack of restrictions, Social Security numbers have become synonymous with an individual's identity as the number is tied directly to nearly all financial accounts, as well as patient records of health care providers and other business entities.
While there are clear benefits associated with the ability to authenticate and verify an individual--including the provision of instantaneous credit, combating fraudulent transactions, and accurately identifying or locating individuals whose name has changed and is otherwise unable to be located--the Social Security number has become the singularly most important means of identifying and authenticating an individual.

The Committee finds that the inappropriate sale or purchase of Social Security numbers is a significant factor in a growing range of illegal activities, including fraud, identity theft, and, in some cases, stalking and other violent crimes. It is the identifying information associated with a Social Security number that presents the largest potential threats to individuals. Because an individual's information is linked to the Social Security number, access to the Social Security number opens the individual's identity and related information to the possibility of the information being available to unauthorized parties or for unauthorized purposes. The Committee found that this can facilitate the commission of criminal activities and also can result in serious invasions of individual privacy.

It is the unauthorized access to and use of an individual's Social Security number as a result of a commercial transaction to purchase or sell the numbers which the Committee seeks to stop. For example, identity theft crimes have risen substantially over the past decade in part because Social Security numbers and other information necessary to perpetrate the crime are often easily available for purchase by potential criminals. The Committee's related investigation into the practice of pretexting--fraudulently impersonating someone else to acquire detailed information (usually over the phone) about another person--demonstrated that access to an individual's personal information is often only limited to the provision of a Social Security number.
Once a Social Security number is obtained, access to detailed personal information associated with the Social Security number is readily accessible. With this information in hand, a criminal can commit identity theft in numerous ways, including opening new accounts in the name of the individual attached to the Social Security number.

Although account fraud is one of the most common crimes perpetrated by criminals, the Committee is aware of other harm, including violent crimes, that can occur when Social Security numbers are easily available for purchase. The Committee is concerned the range of harms and crimes that can be perpetrated will only increase if prohibitions are not enacted to restrict the proliferation of the commercial availability of individuals' Social Security numbers.

No one should seek to profit from the sale of Social Security numbers in circumstances that create a substantial risk of physical, emotional, or financial harms to the individuals to whom those numbers are assigned. Consequently, there is a need for enactment of legislation that will offer individuals assigned such numbers necessary protections from the sale and purchase of Social Security numbers in circumstances that might facilitate unlawful conduct or that might otherwise likely result in unfair or deceptive practices.

HEARINGS

On Thursday, May 11, 2006, the Subcommittee on Commerce, Trade, and Consumer Protection held a hearing entitled, ``Social Security Numbers in Commerce: Reconciling Beneficial Uses with Threats to Privacy'' which examined H.R. 1078 and other legislative proposals to increase privacy protections for Social Security Numbers. Testimony was received from The Honorable Jon Leibowitz, Commissioner, Federal Trade Commission; Mr. Oliver I. Ireland, Partner, Morrison & Foerster, testifying on behalf of the Financial Services Industry Association; Ms. Susan McDonald, President, Pension Benefit Information; Ms.
Lauren Steinfeld, Former Associate Chief Counsel, Office of Management and the Budget, Mr. H. Randy Lively Jr., President and CEO, American Financial Services Association; and Mr. Marc Rotenberg, Executive Director, Electronic Privacy Information Center.

COMMITTEE CONSIDERATION

On Wednesday, July 26, 2006, the Committee on Energy and Commerce met in open markup session and ordered H.R. 1078 favorably reported to the House, amended, by a voice vote, a quorum being present.

COMMITTEE VOTES

Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the record votes on the motion to report legislation and amendments thereto. There were no record votes taken in connection with ordering H.R. 1078 reported. A motion by Mr. Barton to order H.R. 1078 reported to the House, amended, was agreed to by a voice vote.

COMMITTEE OVERSIGHT FINDINGS

Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee has not held oversight or legislative hearings on this legislation.

STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

The purpose of the legislation is to reduce harm to individuals that results from unauthorized access to and use of their Social Security number.

NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 1078, the Social Security Number Protection Act of 2006, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues.

COMMITTEE COST ESTIMATE

The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974.

CONGRESSIONAL BUDGET OFFICE ESTIMATE

Pursuant to clause 3(c)(3) of rule XIII of the Rules of the House of Representatives, the following is the cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974:

U.S. Congress,
Congressional Budget Office,
Washington, DC, August 17, 2006.

Hon. Joe Barton,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 1078, the Social Security Number Protection Act of 2006.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Susan Willie.

Sincerely,
Donald B. Marron,
Acting Director.

Enclosure.

H.R. 1078--Social Security Number Protection Act of 2006

Summary: H.R. 1078 would prohibit the sale or purchase of Social Security numbers (SSNs) and would require the Federal Trade Commission (FTC) to develop and enforce regulations restricting their sale or purchase. CBO estimates that promulgating the regulation and its enforcement would not have a significant effect on FTC spending. Enacting the bill could increase federal revenues from civil penalties assessed for violations of the new regulation, but CBO estimates that any such increases would not be significant in any year. Enacting the bill would not affect direct spending.

H.R. 1078 contains intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA), but CBO estimates that any costs to state, local, or tribal governments would be small and would not exceed the threshold established in that act ($64 million, adjusted annually for inflation).

H.R. 1078 also would impose a private-sector mandate as defined in UMRA. It would prohibit any person from selling or purchasing an SSN in violation of regulations that the FTC would be required to issue under this act.
Because of the lack of industry data on the sale and purchase of Social Security numbers, CBO has no basis to estimate the costs to the private sector for prohibiting those transactions. Thus, CBO cannot estimate the cost of the mandate or whether the cost would exceed the annual threshold established by UMRA for private-sector mandates ($128 million in 2006, adjusted annually for inflation).

Estimated cost to the Federal government: Based on information from the FTC, CBO estimates that the cost to develop and enforce regulations concerning the sale or purchase of Social Security numbers would be less than $500,000 a year. Such costs would be subject to the availability of appropriated funds. The costs of this legislation fall within budget function 370 (commerce and housing credit).

Enacting the bill could increase federal revenues from civil penalties assessed for violations of the new regulation. CBO estimates, however, that any additional revenues that would result from enacting the bill would not be significant because of the relatively small number of cases likely to be involved.

Estimated impact on state, local, and tribal governments: H.R. 1078 contains intergovernmental mandates as defined in UMRA. Provisions in section 3 would require State Attorneys General to notify the FTC of any action taken under the bill, allow the FTC to intervene in those actions, and limit the actions that Attorneys General may take in certain circumstances. Also, provisions regarding the sale or purchase of Social Security numbers in section 4 would preempt state laws in more than 30 states. These provisions constitute intergovernmental mandates as defined in UMRA. CBO estimates that the aggregate costs, if any, to state, local, and tribal governments of complying with the mandates in the bill would be small and would not exceed the threshold established in UMRA ($64 million in 2006, adjusted annually for inflation).
CBO assumes that the bill would grant no new authority to the FTC to regulate the activities of state and local governments. Under current law, the courts have ruled that the FTC does not have jurisdiction over those governments or over public universities. The provisions of the bill regarding the sales and purchase of SSNs, therefore, would not apply to such entities.

Estimated impact on the private sector: H.R. 1078 would impose a private-sector mandate as defined in UMRA. It would prohibit any individual, partnership, corporation, trust, estate, cooperative, association, or any other entity from selling or purchasing an SSN in violation of regulations that the FTC would be required to issue under this act. The FTC would be required to ensure that the restrictions and conditions on the sale or purchase of SSNs are no broader than necessary to provide reasonable assurance that SSNs will not be used to commit or facilitate fraud, deception, or crime, and to prevent an undue risk of bodily, emotional, or financial harm to individuals. Certain exceptions also would apply to the prohibition with respect to the sale or purchase of SSNs. Those exceptions could be based on law enforcement or national security needs, public health, certain emergency situations, for certain research projects, for consumer credit reporting, or other circumstances that the FTC may determine.

Because of the lack of industry data on the sale and purchase of Social Security numbers, CBO has no basis to estimate the costs to the private sector for prohibiting those transactions. Thus, CBO cannot estimate the cost of the mandate or whether the cost would exceed the annual threshold established by UMRA for private-sector mandates ($128 million in 2006, adjusted annually for inflation).

Estimate prepared by: Federal Costs: Susan Willie; Impact on State, Local, and Tribal Governments: Sarah Puro; Impact on the Private Sector: Tyler Kruzich.

Estimate approved by: Peter H.
Fontaine, Deputy Assistant Director for Budget Analysis.

FEDERAL MANDATES STATEMENT

The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act.

ADVISORY COMMITTEE STATEMENT

No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.

CONSTITUTIONAL AUTHORITY STATEMENT

Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee finds that the Constitutional authority for this legislation is provided in Article I, section 8, clause 3, which grants Congress the power to regulate commerce with foreign nations, among the several States, and with the Indian tribes.

APPLICABILITY TO LEGISLATIVE BRANCH

The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act.

SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title

Section 1 defines this Act as the ``Social Security Protection Act of 2006.''

Section 2. Definitions

Section 2 defines terms to be used in this Act: including, ``Commission,'' ``person,'' ``sale,'' ``purchase,'' ``Social Security number,'' ``Social Security account number,'' and ``State.'' The terms ``sale'' and ``purchase'' are broadly defined to include, respectively, obtaining or providing, directly or indirectly, anything of value in exchange for a Social Security number or a Social Security account number.
Both of the latter terms, ``sale'' and ``purchase,'' are specifically defined to exclude two sets of circumstances: (1) the submission of such numbers as part of the process for applying for any type of government benefit or program (e.g., grant or loan applications or welfare or other public assistance programs); and (2) the transfer of such numbers as part of a data matching program under the Computer Matching and Privacy Protection Act of 1988. The term ``State'' is defined broadly to include both States of the United States and other political subdivisions of the United States, such as its territories and possessions.

Section 3. Regulation of the sale and purchase of Social Security numbers

Section 3 provides for the prohibition of the sale or purchase of Social Security numbers in violation of regulations promulgated by the Federal Trade Commission. The FTC shall promulgate regulations within one year of enactment restricting the sale and purchase and defining unfair and deceptive acts related to the sale and purchase of Social Security numbers. The FTC regulations shall also include exceptions for certain enumerated purposes consistent with the intent of the legislation.

Subsection 3(a) would establish the general prohibition of the sale and purchase of a Social Security number or Social Security account number in a manner that violates a regulation promulgated by the Federal Trade Commission (Commission) under subsection (b).

Subsection 3(b)(1) would direct the Commission, after consultation with the Commissioner of Social Security, the Department of Justice, and other agencies as the Commission deems appropriate, to promulgate substantive regulations restricting the sale and purchase of those numbers and any unfair and deceptive acts and practices in connection with the sale and purchase of those numbers.
Subsection 3(b)(2) would require the Commission to impose restrictions and conditions on the sale and purchase of Social Security numbers and Social Security account numbers that are no broader than necessary (A) to provide reasonable assurance that such numbers will not be used to commit or facilitate fraud, deception, or crime; and (B) to prevent an undue risk of bodily, emotional, or financial harm to individuals (taking into account any benefits that might be realized from the sale or purchase of the numbers and any other relevant factors).

Subsection 3(b)(2) would authorize the Commission to address, for example, the potential use of Social Security numbers by stalkers and by those seeking to commit fraud or identity theft; and the harms that would result from reuse or onward transfer by those who have lawfully received the Social Security number. For purposes of subparagraph (B) only, the Commission is directed to consider the nature, likelihood, and severity of the harm; the nature, likelihood, and extent of any benefits that might be realized from the sale or purchase of the numbers; and any other relevant factors. Subparagraph (B) is not intended, however, to create any new requirement for the Commission to conduct formal studies or develop statistical or quantitative analyses of the factors set forth in that subsection.

Subsection 3(b)(3) would require the Commission to establish in those regulations exceptions for seven categories of situations in which the sale and purchase of Social Security numbers and Social Security account numbers would be permitted:

(1) to the extent necessary for law enforcement or national security purposes;

(2) to the extent necessary for public health purposes;

(3) to the extent necessary in emergency situations to protect the health and safety of one or more individuals;

(4) to the extent necessary for research (including, but not limited to, scientific, epidemiological, and social scientific research) conducted for the purpose of advancing public knowledge, on the condition that for such research the researcher provides adequate assurances that (i) the Social Security numbers or Social Security account numbers will not be used to harass, target, or publicly reveal information concerning any identifiable individual(s); (ii) information about identifiable individuals obtained from the research will not be used to make decisions that directly affect the rights, benefits, or privileges of specific individuals; and (iii) the researcher has in place appropriate safeguards to protect the privacy and confidentiality of any information about identifiable individuals;

(5) to the extent consistent with an individual's voluntary and affirmative written consent to the sale or purchase of a particular Social Security number or Social Security account number that has been assigned to that individual;

(6) to the extent necessary for legitimate consumer credit verification, if the Social Security numbers used for such verification are redacted in accordance with uniform redaction standards issued by the Commission in such regulations, and

(7) under other appropriate circumstances as the Commission may determine and as are consistent with the findings in Section 2 and the principles in subsection 3(b)(2).

Under any of these seven exceptions, when Federal departments and agencies have Social Security numbers and Social Security account numbers in systems of records, the legal protections of the Privacy Act, 5 U.S.C. Sec. 552a, will apply.

The Committee intends that the Commission's regulations will address, among other things, growing concerns about the ability of companies to demand that consumers provide them with a full Social Security number as a condition of doing business.

The Committee intends that the Commission, in crafting uniform redaction standards pursuant to 3(b)(3)(F), shall protect against the threat that a person's full Social Security number could be uncovered. For example, such standards shall protect against the threat that a person's full Social Security number could be identified by combining the redacted number with other data which might otherwise reasonably be available about the individual and which could facilitate replication of the full number, such as the individual's date of birth or place of birth.

Subsection 3(c)(1) would direct the Commission to promulgate the regulations under subsection 3(b) not later than one year after the date of enactment of the bill. Subsection 3(a), and regulations promulgated under subsection 3(b), shall take effect thirty days after the date on which the final regulations issued under subsection 3(b) are published in the Federal Register.

Subsection 3(d) would direct that any violation of a regulation promulgated under subsection 3(b) shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. Sec. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

Subsection 3(e)(1) would set forth the Commission's authority to prevent violations of section 4 and the regulations promulgated thereunder, and provide that violators of such rules shall be subject to the penalties, and entitled to the privileges and immunities provided in the Federal Trade Commission Act as though all applicable terms and provisions of that Act were incorporated into and made a part of this bill.

Subsection 3(e)(2) would authorize any State attorney general to bring a parens patriae action in a United States district court, in any case in which that attorney general has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by an act or practice that violates any regulation under subsection 3(b) of the Act. The relief that the State attorney general may seek would include injunctive relief, enforcement of compliance with the regulation, obtaining damages, restitution, and other compensation on behalf of the State's residents (including civil penalties up to $11,000 per violation, not to exceed a maximum of $5,000,000) and any other legal or equitable relief as the district court may consider to be appropriate. This subsection also contains provisions for notice to the Commission and the Department of Justice when such actions are brought; litigation-related rights that the Commission and the Department each would have in such actions; a provision precluding States from filing such parens patriae actions if the Department has instituted a prosecution for criminal violations or the Commission has instituted civil litigation for civil violations of the Act; a provision clarifying the ability of a State attorney general to use investigatory powers under the laws of that State; and procedural provisions for venue and service of process.

Section 4. Effect on other laws

Section 4 preempts State laws that expressly restrict the sale or purchase of Social Security numbers that are consistent with the Act.

CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

This legislation does not amend any existing Federal statute.