[DOCID: f:hr708p1.109]
From the House Reports Online via GPO Access
[wais.access.gpo.gov]
109th Congress Rept. 109-708
HOUSE OF REPRESENTATIVES
2d Session Part 1
======================================================================
SOCIAL SECURITY NUMBER PROTECTION ACT OF 2006
_______
September 29, 2006.--Ordered to be printed
_______
Mr. Barton of Texas, from the Committee on Energy and Commerce,
submitted the following
R E P O R T
[To accompany H.R. 1078]
[Including cost estimate of the Congressional Budget Office]
The Committee on Energy and Commerce, to whom was referred
the bill (H.R. 1078) to strengthen the authority of the Federal
Government to protect individuals from certain acts and
practices in the sale and purchase of Social Security numbers
and Social Security account numbers, and for other purposes,
having considered the same, report favorably thereon with an
amendment and recommend that the bill as amended do pass.
CONTENTS
Page
Amendment........................................................ 1
Purpose and Summary.............................................. 4
Background and Need for Legislation.............................. 4
Hearings......................................................... 7
Committee Consideration.......................................... 7
Committee Votes.................................................. 7
Committee Oversight Findings..................................... 7
Statement of General Performance Goals and Objectives............ 7
New Budget Authority, Entitlement Authority, and Tax Expenditures 7
Committee Cost Estimate.......................................... 8
Congressional Budget Office Estimate............................. 8
Federal Mandates Statement....................................... 10
Advisory Committee Statement..................................... 10
Constitutional Authority Statement............................... 10
Applicability to Legislative Branch.............................. 10
Section-by-Section Analysis of the Legislation................... 10
Changes in Existing Law Made by the Bill, as Reported............ 13
AMENDMENT
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Social Security Number Protection Act
of 2006''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Person.--The term ``person'' means any individual,
partnership, corporation, trust, estate, cooperative,
association, or any other entity.
(3) Sale.--The term ``sale'' means obtaining, directly or
indirectly, anything of value in exchange for a Social Security
number or Social Security account number. Such term does not
include the submission of such numbers as part of the process
for applying for any type of Government benefit or programs
(such as grant or loan applications or welfare or other public
assistance programs). Such term also does not include transfers
of such numbers as part of a data matching program under the
Computer Matching and Privacy Protection Act.
(4) Purchase.--The term ``purchase'' means providing directly
or indirectly, anything of value in exchange for a Social
Security number or Social Security account number. Such term
does not include the submission of such numbers as part of the
process for applying for any type of Government benefit or
programs (such as grant or loan applications or welfare or
other public assistance programs). Such term also does not
include transfers of such numbers as part of a data matching
program under the Computer Matching and Privacy Protection Act.
(5) Social security number.--The term ``Social Security
number'' means the social security account number assigned to
an individual under section 205(c)(2)(B) of the Social Security
Act (42 U.S.C. 405(c)(2)(B)).
(6) State.--The term ``State'' means any State of the United
States, the District of Columbia, Puerto Rico, the Northern
Mariana Islands, the United States Virgin Islands, Guam,
American Samoa, and any territory or possession of the United
States.
SEC. 3. REGULATION OF THE SALE AND PURCHASE OF SOCIAL SECURITY NUMBERS.
(a) Prohibition.--It shall be unlawful for any person to sell or
purchase a Social Security number in a manner that violates a
regulation promulgated by the Commission under subsection (b) of this
section.
(b) Regulations.--
(1) Restrictions authorized.--The Commission, after
consultation with the Commissioner of Social Security, the
Attorney General, and other agencies as the Commission deems
appropriate, shall promulgate regulations restricting the sale
and purchase of Social Security numbers and any unfair or
deceptive acts or practices in connection with the sale and
purchase of Social Security numbers.
(2) Limitations on restrictions.--In promulgating such
regulations, the Commission shall impose restrictions and
conditions on the sale and purchase of Social Security numbers
that are no broader than necessary--
(A) to provide reasonable assurance that Social
Security numbers will not be used to commit or
facilitate fraud, deception, or crime; and
(B) to prevent an undue risk of bodily, emotional, or
financial harm to individuals.
For purposes of subparagraph (B), the Commission shall consider
the nature, likelihood, and severity of the anticipated harm;
the nature, likelihood, and extent of any benefits that could
be realized from the sale or purchase of the numbers; and any
other relevant factors.
(3) Exceptions.--The regulations promulgated pursuant to
paragraph (1) shall include exceptions which permit the sale
and purchase of Social Security numbers--
(A) to the extent necessary for law enforcement or
national security purposes;
(B) to the extent necessary for public health
purposes;
(C) to the extent necessary in emergency situations
to protect the health or safety of 1 or more
individuals;
(D) to the extent necessary for research conducted
for the purpose of advancing public knowledge, on the
condition that the researcher provides adequate
assurances that--
(i) the Social Security numbers will not be
used to harass, target, or publicly reveal
information concerning any identifiable
individuals;
(ii) information about identifiable
individuals obtained from the research will not
be used to make decisions that directly affect
the rights, benefits, or privileges of specific
individuals; and
(iii) the researcher has in place appropriate
safeguards to protect the privacy and
confidentiality of any information about
identifiable individuals;
(E) to the extent consistent with an individual's
voluntary and affirmative written consent to the sale
or purchase of a Social Security number that has been
assigned to that individual;
(F) to the extent necessary for legitimate consumer
credit verification, if the Social Security numbers
used for such verification are redacted in accordance
with uniform redaction standards established by the
Commission in such regulations; and
(G) under other appropriate circumstances as the
Commission may determine and as are consistent with the
principles in paragraph (2).
(c) Rulemaking.--
(1) Deadline for action.--Not later than 1 year after the
date of enactment of this Act, the Commission shall promulgate
the regulations under subsection (b) of this section, in
accordance with section 553 of title 5, United States Code.
(2) Effective dates.--Subsection (a) and the regulations
promulgated under subsection (b) shall take effect 30 days
after the date on which the final regulations issued under this
section are published in the Federal Register.
(d) Enforcement.--Any violation of a regulation promulgated under
subsection (b) of this section shall be treated as a violation of a
regulation under section 18(a)(1)(B) of the Federal Trade Commission
Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or
practices.
(e) Administration and Enforcement.--
(1) The commission.--The Commission shall prevent any person
from violating this section, and any regulation promulgated
thereunder, in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all applicable
terms and provisions of the Federal Trade Commission Act (15
U.S.C. 41 et seq.) were incorporated into and made a part of
this Act. Any person who violates such regulation shall be
subject to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission Act (15
U.S.C. 41 et seq.) as though all applicable terms and
provisions of the Federal Trade Commission Act (15 U.S.C. 41 et
seq.) were incorporated into and made a part of this Act.
Nothing contained in this Act shall be construed to limit the
authority of the Commission under any other provision of law.
(2) Actions by states.--
(A) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an
interest of the residents of that State has been or is
threatened or adversely affected by an act or practice
that violates any regulation of the Commission
promulgated under subsection (b), the State, as parens
patriae, may bring a civil action on behalf of the
residents of the State in a district court of the
United States of appropriate jurisdiction, to--
(i) enjoin that act or practice;
(ii) enforce compliance with the regulation;
(iii) obtain civil penalties in an amount of
$11,000 per violation not to exceed a total of
$5,000,000; or
(iv) obtain such other legal and equitable
relief as the district court may consider to be
appropriate.
Before filing an action under this subsection, the
attorney general of the State involved shall provide to
the Commission and to the Attorney General a written
notice of that action and a copy of the complaint for
that action. If the State attorney general determines
that it is not feasible to provide the notice described
in this subparagraph before the filing of the action,
the State attorney general shall provide the written
notice and the copy of the complaint to the Commission
and to the Attorney General as soon after the filing of
the complaint as practicable.
(B) Commission and attorney general authority.--On
receiving notice under subparagraph (A), the Commission
and the Attorney General each shall have the right--
(i) to move to stay the action, pending the
final disposition of a pending Federal matter
as described in subparagraph (C);
(ii) to intervene in an action under clause
(i);
(iii) upon so intervening, to be heard on all
matters arising therein; and
(iv) to file petitions for appeal.
(C) Pending criminal proceedings.--If the Attorney
General has instituted a criminal proceeding or the
Commission has instituted a civil action for a
violation of this Act or any regulations thereunder, no
State may, during the pendency of such proceeding or
action, bring an action under this section against any
defendant named in the criminal proceeding or civil
action for any violation of this section that is
alleged in that proceeding or action.
(D) Rule of construction.--For purposes of bringing
any civil action under subparagraph (A), nothing in
this Act shall be construed to prevent an attorney
general of a State from exercising the powers conferred
on the attorney general by the laws of that State to
conduct investigations, administer oaths and
affirmations, or compel the attendance of witnesses or
the production of documentary and other evidence.
(E) Venue; service of process.--Any action brought
under this section may be brought in any district court
of the United States that meets applicable requirements
relating to venue under section 1391 of title 28,
United States Code. In an action brought under this
section, process may be served in any district in which
the defendant is an inhabitant or may be found.
SEC. 4. EFFECT ON OTHER LAWS.
This Act supersedes any provision of a statute, regulation, or rule
of a State or political subdivision of a State that expressly restricts
or prohibits the sale or purchase of Social Security numbers in a
manner consistent with the regulations promulgated under section 3(b).
PURPOSE AND SUMMARY
The purpose of H.R. 1078 is to prohibit the purchase and
sale of citizens' Social Security numbers in interstate
commerce in violation of rules to be promulgated by the Federal
Trade Commission (FTC). H.R. 1078 requires the FTC to
promulgate rules within one year, after consultation with the
Attorney General and Commissioner of Social Security,
restricting the sale and purchase of Social Security numbers.
The regulations should be broad enough to prevent Social
Security numbers from being used to commit fraud, deception, or
crime, and prevent risk of bodily, emotional, or financial harm
to individuals. However, H.R. 1078 requires certain exemptions
from the prohibition for legitimate purposes including
emergencies, public health, and law enforcement.
BACKGROUND AND NEED FOR LEGISLATION
For centuries, commercial activity has involved the
exchange by businesses, consumers, and governmental entities of
information about consumer transactions. In recent times,
information exchanges have taken on greater importance.
Technological advances brought increased efficiencies to
collecting, processing, and sharing data and solidified
``information'' as a principle commodity of the U.S. economy.
As consumer transactions account for more than two-thirds of
the U.S. gross domestic product at this time, information
sharing is of particular importance to the U.S. economy. The
exchange of information among businesses is linked to broad
economic benefits, including the widespread availability and
low cost of consumer credit, based in part upon real time
authentication and verification. However, notwithstanding the
benefits of information sharing, consumers, businesses, and
governmental entities have begun to focus on the privacy
implications of information practices. The same technological
advances in information networks that benefit consumers are
increasingly used for purposes that can harm consumers when
information is accessible to unauthorized parties.
Adopting fair information practices became more common
among businesses in the mid 1990's. The common elements of fair
information practices are: notice, choice, access, security,
and enforcement. There is wide variance in the extent to which
businesses adhere to these information practices. Even among
the entities that have embraced these fair information
practices, there is disagreement about the right mix of self-
regulation, legislation, and technology in protecting privacy.
Historically, Congress has taken a sectoral approach to
privacy and has mandated discrete protections for certain
personal information used for commercial purposes, upon a
showing that a particular use harmed or threatened to harm the
American consumer. This industry by industry approach differs
from the comprehensive approach attempted by other nations,
such as the European Union's Data Protection Directive.
Together those sector specific statutes encompass a significant
portion of U.S. commercial activity, though they are
significantly different in the protections afforded to
consumers. The following is a small sample of Federal statutes
addressing the issue of information privacy: the Children's
Online Privacy Protection Act, the Cable Communications Policy
Act, the Telecommunications Act of 1996, the Telephone Consumer
Protection Act, the Electronic Communications Privacy Act, the
Health Insurance Portability Protection Act, the Fair Credit
Reporting Act, the Gramm-Leach-Bliley Act, the Family
Educational Rights and Privacy Act, the Video Privacy
Protection Act, the Driver's Privacy Protection Act, and
wiretap statutes.
The need to address privacy concerns has grown
exponentially with the prevalence of e-commerce and the
digitization of personal information that can be stored,
transferred, and theoretically accessed by limitless parties
depending on the data safeguards or protections. Integral to
all personal information sharing is the role of a universal
personal identifier that links an individual to many other
financial and personally identifiable accounts. Specifically,
Social Security numbers have become the default identifier for
the overwhelming majority of U.S. citizens.
Originally created by the Federal government to administer
the Social Security program, the numbers were intended only to
track employee contributions to the system and administer
benefits but were prohibited from any other use. Congress later
authorized the use of Social Security numbers as taxpayer
identification numbers for the IRS. However, over time, the
numbers have become default identification and verification for
many other purposes. The Federal Government requires virtually
every individual in the United States to obtain and maintain a
Social Security number in order to pay taxes, to qualify for
Social Security benefits, or to seek employment. An unintended
consequence of these requirements is that Social Security
numbers have become tools that can be used to facilitate crime,
fraud, and invasions of the privacy of the individuals to whom
the numbers are assigned. Because the Federal government
created and maintains this system, and because the Federal
government does not permit persons to exempt themselves from
those requirements, the Committee finds it is appropriate for
the government to take steps to stem the abuse of this system.
The Committee notes that Congress attempted to limit the
use of Social Security numbers with the passage of the Privacy
Act of 1974. However, this law applied only to government
agencies and did not restrict the private sector. As a result
of the lack of restrictions, Social Security numbers have
become synonymous with an individual's identity as the number
is tied directly to nearly all financial accounts, as well as
patient records of health care providers and other business
entities. While there are clear benefits associated with the
ability to authenticate and verify an individual--including the
provision of instantaneous credit, combating fraudulent
transactions, and accurately identifying or locating
individuals whose name has changed and is otherwise unable to
be located--the Social Security number has become the
singularly most important means of identifying and
authenticating an individual.
The Committee finds that the inappropriate sale or purchase
of Social Security numbers is a significant factor in a growing
range of illegal activities, including fraud, identity theft,
and, in some cases, stalking and other violent crimes. It is
the identifying information associated with a Social Security
number that presents the largest potential threats to
individuals. Because an individual's information is linked to
the Social Security number, access to the Social Security
number opens the individual's identity and related information
to the possibility of the information being available to
unauthorized parties or for unauthorized purposes. The
Committee found that this can facilitate the commission of
criminal activities and also can result in serious invasions of
individual privacy.
It is the unauthorized access to and use of an individual's
Social Security number as a result of a commercial transaction
to purchase or sell the numbers which the Committee seeks to
stop. For example, identity theft crimes have risen
substantially over the past decade in part because Social
Security numbers and other information necessary to perpetrate
the crime is often easily available for purchase by potential
criminals. The Committee's related investigation into the
practice of pretexting--fraudulently impersonating someone else
to acquire detailed information (usually over the phone) about
another person--demonstrated that access to an individual's
personal information is often only limited to the provision of
a Social Security number. Once a Social Security number is
obtained, access to detailed personal information associated
with the Social Security number is readily accessible. With
this information in hand, a criminal can commit identity theft
in numerous ways, including opening new accounts in the name of
the individual attached to the Social Security number.
Although account fraud is one of the most common crimes
perpetrated by criminals, the Committee is aware of other harm,
including violent crimes, that can occur when Social Security
numbers are easily available for purchase. The Committee is
concerned the range of harms and crimes that can be perpetrated
will only increase if prohibitions are not enacted to restrict
the proliferation of the commercial availability of
individuals' Social Security numbers. No one should seek to
profit from the sale of Social Security numbers in
circumstances that create a substantial risk of physical,
emotional, or financial harms to the individuals to whom those
numbers are assigned. Consequently, there is a need for
enactment of legislation that will offer individuals assigned
such numbers necessary protections from the sale and purchase
of Social Security numbers in circumstances that might
facilitate unlawful conduct or that might otherwise likely
result in unfair or deceptive practices.
HEARINGS
On Thursday, May 11, 2006, the Subcommittee on Commerce,
Trade, and Consumer Protection held a hearing entitled,
``Social Security Numbers in Commerce: Reconciling Beneficial
Uses with Threats to Privacy'' which examined H.R. 1078 and
other legislative proposals to increase privacy protections for
Social Security Numbers. Testimony was received from The
Honorable Jon Leibowitz, Commissioner, Federal Trade
Commission; Mr. Oliver I. Ireland, Partner, Morrison &
Foerster, testifying on behalf of the Financial Services
Industry Association; Ms. Susan McDonald, President, Pension
Benefit Information; Ms. Lauren Steinfeld, Former Associate
Chief Counsel, Office of Management and the Budget, Mr. H.
Randy Lively Jr., President and CEO, American Financial
Services Association; and Mr. Marc Rotenberg, Executive
Director, Electronic Privacy Information Center.
COMMITTEE CONSIDERATION
On Wednesday, July 26, 2006, the Committee on Energy and
Commerce met in open markup session and ordered H.R. 1078
favorably reported to the House, amended, by a voice vote, a
quorum being present.
COMMITTEE VOTES
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires the Committee to list the record votes
on the motion to report legislation and amendments thereto.
There were no record votes taken in connection with ordering
H.R. 1078 reported. A motion by Mr. Barton to order H.R. 1078
reported to the House, amended, was agreed to by a voice vote.
COMMITTEE OVERSIGHT FINDINGS
Pursuant to clause 3(c)(1) of rule XIII of the Rules of the
House of Representatives, the Committee has not held oversight
or legislative hearings on this legislation.
STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
The purpose of the legislation is to reduce harm to
individuals that results from unauthorized access to and use of
their Social Security number.
NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES
In compliance with clause 3(c)(2) of rule XIII of the Rules
of the House of Representatives, the Committee finds that H.R.
1078, the Social Security Number Protection Act of 2006, would
result in no new or increased budget authority, entitlement
authority, or tax expenditures or revenues.
COMMITTEE COST ESTIMATE
The Committee adopts as its own the cost estimate prepared
by the Director of the Congressional Budget Office pursuant to
section 402 of the Congressional Budget Act of 1974.
CONGRESSIONAL BUDGET OFFICE ESTIMATE
Pursuant to clause 3(c)(3) of rule XIII of the Rules of the
House of Representatives, the following is the cost estimate
provided by the Congressional Budget Office pursuant to section
402 of the Congressional Budget Act of 1974:
U.S. Congress,
Congressional Budget Office,
Washington, DC, August 17, 2006.
Hon. Joe Barton,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 1078, the Social
Security Number Protection Act of 2006.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Susan Willie.
Sincerely,
Donald B. Marron,
Acting Director.
Enclosure.
H.R. 1078--Social Security Number Protection Act of 2006
Summary: H.R. 1078 would prohibit the sale or purchase of
Social Security numbers (SSNs) and would require the Federal
Trade Commission (FTC) to develop and enforce regulations
restricting their sale or purchase. CBO estimates that
promulgating the regulation and its enforcement would not have
a significant effect on FTC spending.
Enacting the bill could increase federal revenues from
civil penalties assessed for violations of the new regulation,
but CBO estimates that any such increases would not be
significant in any year. Enacting the bill would not affect
direct spending.
H.R. 1078 contains intergovernmental mandates as defined in
the Unfunded Mandates Reform Act (UMRA), but CBO estimates that
any costs to state, local, or tribal governments would be small
and would not exceed the threshold established in that act ($64
million, adjusted annually for inflation).
H.R. 1078 also would impose a private-sector mandate as
defined in UMRA. It would prohibit any person from selling or
purchasing an SSN in violation of regulations that the FTC
would be required to issue under this act. Because of the lack
of industry data on the sale and purchase of Social Security
numbers, CBO has no basis to estimate the costs to the private
sector for prohibiting those transactions. Thus, CBO cannot
estimate the cost of the mandate or whether the cost would
exceed the annual threshold established by UMRA for private-
sector mandates ($128 million in 2006, adjusted annually for
inflation).
Estimated cost to the Federal government: Based on
information from the FTC, CBO estimates that the cost to
develop and enforce regulations concerning the sale or purchase
of Social Security numbers would be less than $500,000 a year.
Such costs would be subject to the availability of appropriated
funds. The costs of this legislation fall within budget
function 370 (commerce and housing credit).
Enacting the bill could increase federal revenues from
civil penalties assessed for violations of the new regulation.
CBO estimates, however, that any additional revenues that would
result from enacting the bill would not be significant because
of the relatively small number of cases likely to be involved.
Estimated impact on state, local, and tribal governments:
H.R. 1078 contains intergovernmental mandates as defined in
UMRA. Provisions in section 3 would require State Attorneys
General to notify the FTC of any action taken under the bill,
allow the FTC to intervene in those actions, and limit the
actions that Attorneys General may take in certain
circumstances. Also, provisions regarding the sale or purchase
of Social Security numbers in section 4 would preempt state
laws in more than 30 states. These provisions constitute
intergovernmental mandates as defined in UMRA. CBO estimates
that the aggregate costs, if any, to state, local, and tribal
governments of complying with the mandates in the bill would be
small and would not exceed the threshold established in UMRA
($64 million in 2006, adjusted annually for inflation).
CBO assumes that the bill would grant no new authority to
the FTC to regulate the activities of state and local
governments. Under current law, the courts have ruled that the
FTC does not have jurisdiction over those governments or over
public universities. The provisions of the bill regarding the
sales and purchase of SSNs, therefore, would not apply to such
entities.
Estimated impact on the private sector: H.R. 1078 would
impose a private-sector mandate as defined in UMRA. It would
prohibit any individual, partnership, corporation, trust,
estate, cooperative, association, or any other entity from
selling or purchasing an SSN in violation of regulations that
the FTC would be required to issue under this act. The FTC
would be required to ensure that the restrictions and
conditions on the sale or purchase of SSNs are no broader than
necessary to provide reasonable assurance that SSNs will not be
used to commit or facilitate fraud, deception, or crime, and to
prevent an undue risk of bodily, emotional, or financial harm
to individuals.
Certain exceptions also would apply to the prohibition with
respect to the sale or purchase of SSNs. Those exceptions could
be based on law enforcement or national security needs, public
health, certain emergency situations, for certain research
projects, for consumer credit reporting, or other circumstances
that the FTC may determine.
Because of the lack of industry data on the sale and
purchase of Social Security numbers, CBO has no basis to
estimate the costs to the private sector for prohibiting those
transactions. Thus, CBO cannot estimate the cost of the mandate
or whether the cost would exceed the annual threshold
established by UMRA for private-sector mandates ($128 million
in 2006, adjusted annually for inflation).
Estimate prepared by: Federal Costs: Susan Willie; Impact
on State, Local, and Tribal Governments: Sarah Puro; Impact on
the Private Sector: Tyler Kruzich.
Estimate approved by: Peter H. Fontaine, Deputy Assistant
Director for Budget Analysis.
FEDERAL MANDATES STATEMENT
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
ADVISORY COMMITTEE STATEMENT
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
CONSTITUTIONAL AUTHORITY STATEMENT
Pursuant to clause 3(d)(1) of rule XIII of the Rules of the
House of Representatives, the Committee finds that the
Constitutional authority for this legislation is provided in
Article I, section 8, clause 3, which grants Congress the power
to regulate commerce with foreign nations, among the several
States, and with the Indian tribes.
APPLICABILITY TO LEGISLATIVE BRANCH
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short title
Section 1 defines this Act as the ``Social Security
Protection Act of 2006.''
Section 2. Definitions
Section 2 defines terms to be used in this Act: including,
``Commission,'' ``person,'' ``sale,'' ``purchase,'' ``Social
Security number,'' ``Social Security account number,'' and
``State.''
The terms ``sale'' and ``purchase'' are broadly defined to
include, respectively, obtaining or providing, directly or
indirectly, anything of value in exchange for a Social Security
number or a Social Security account number. Both of the latter
terms, ``sale'' and ``purchase,'' are specifically defined to
exclude two sets of circumstances: (1) the submission of such
numbers as part of the process for applying for any type of
government benefit or program (e.g., grant or loan applications
or welfare or other public assistance programs); and (2) the
transfer of such numbers as part of a data matching program
under the Computer Matching and Privacy Protection Act of 1988.
The term ``State'' is defined broadly to include both States of
the United States and other political subdivisions of the
United States, such as its territories and possessions.
Section 3. Regulation of the sale and purchase of Social Security
numbers
Section 3 provides for the prohibition of the sale or
purchase of Social Security numbers in violation of regulations
promulgated by the Federal Trade Commission. The FTC shall
promulgate regulations within one year of enactment restricting
the sale and purchase and defining unfair and deceptive acts
related to the sale and purchase of Social Security numbers.
The FTC regulations shall also include exceptions for certain
enumerated purposes consistent with the intent of the
legislation.
Subsection 3(a) would establish the general prohibition of
the sale and purchase of a Social Security number or Social
Security account number in a manner that violates a regulation
promulgated by the Federal Trade Commission (Commission) under
subsection (b). Subsection 3(b)(1) would direct the Commission,
after consultation with the Commissioner of Social Security,
the Department of Justice, and other agencies as the Commission
deems appropriate, to promulgate substantive regulations
restricting the sale and purchase of those numbers and any
unfair and deceptive acts and practices in connection with the
sale and purchase of those numbers. Subsection 3(b)(2) would
require the Commission to impose restrictions and conditions on
the sale and purchase of Social Security numbers and Social
Security account numbers that are no broader than necessary (A)
to provide reasonable assurance that such numbers will not be
used to commit or facilitate fraud, deception, or crime; and
(B) to prevent an undue risk of bodily, emotional, or financial
harm to individuals (taking into account any benefits that
might be realized from the sale or purchase of the numbers and
any other relevant factors). Subsection 3(b)(2) would authorize
the Commission to address, for example, the potential use of
Social Security numbers by stalkers and by those seeking to
commit fraud or identity theft; and the harms that would result
from reuse or onward transfer by those who have lawfully
received the Social Security number. For purposes of
subparagraph (B) only, the Commission is directed to consider
the nature, likelihood, and severity of the harm; the nature,
likelihood, and extent of any benefits that might be realized
from the sale or purchase of the numbers; and any other
relevant factors. Subparagraph (B) is not intended, however, to
create any new requirement for the Commission to conduct formal
studies or develop statistical or quantitative analyses of the
factors set forth in that subsection.
Subsection 3(b)(3) would require the Commission to
establish in those regulations exceptions for seven categories
of situations in which the sale and purchase of Social Security
numbers and Social Security account numbers would be permitted:
(1) to the extent necessary for law enforcement or national
security purposes; (2) to the extent necessary for public
health purposes; (3) to the extent necessary in emergency
situations to protect the health and safety of one or more
individuals; (4) to the extent necessary for research
(including, but not limited to, scientific, epidemiological,
and social scientific research) conducted for the purpose of
advancing public knowledge, on the condition that for such
research the researcher provides adequate assurances that (i)
the Social Security numbers or Social Security account numbers
will not be used to harass, target, or publicly reveal
information concerning any identifiable individual(s); (ii)
information about identifiable individuals obtained from the
research will not be used to make decisions that directly
affect the rights, benefits, or privileges of specific
individuals; and (iii) the researcher has in place appropriate
safeguards to protect the privacy and confidentiality of any
information about identifiable individuals; (5) to the extent
consistent with an individual's voluntary and affirmative
written consent to the sale or purchase of a particular Social
Security number or Social Security account number that has been
assigned to that individual; (6) to the extent necessary for
legitimate consumer credit verification, if the Social Security
numbers used for such verification are redacted in accordance
with uniform redaction standards issued by the Commission in
such regulations, and (7) under other appropriate circumstances
as the Commission may determine and as are consistent with the
findings in Section 2 and the principles in subsection 3(b)(2).
Under any of these seven exceptions, when Federal departments
and agencies have Social Security numbers and Social Security
account numbers in systems of records, the legal protections of
the Privacy Act, 5 U.S.C. Sec. 552a, will apply.
The Committee intends that the Commission's regulations
will address, among other things, growing concerns about the
ability of companies to demand that consumers provide them with
a full Social Security number as a condition of doing business.
The Committee intends that the Commission, in crafting uniform
redaction standards pursuant to 3(b)(3)(F), shall protect
against the threat that a persons' full Social Security number
could be uncovered. For example, such standards shall protect
against the threat that a person's full Social Security number
could be identified by combining the redacted number with other
data which might otherwise reasonably be available about the
individual and which could facilitate replication of the full
number, such as the individual's date of birth or place of
birth.
Subsection 3(c)(1) would direct the Commission to
promulgate the regulations under subsection 3(b) not later than
one year after the date of enactment of the bill. Subsection
3(a), and regulations promulgated under subsection 3(b), shall
take effect thirty days after the date on which the final
regulations issued under subsection 3(b) are published in the
Federal Register. Subsection 3(d) would direct that any
violation of a regulation promulgated under subsection 3(b)
shall be treated as a violation of a regulation under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
Sec. 57a(a)(1)(B)) regarding unfair or deceptive acts or
practices.
Subsection 3(e)(1) would set forth the Commission's
authority to prevent violations of section 4 and the
regulations promulgated thereunder, and provide that violators
of such rules shall be subject to the penalties, and entitled
to the privileges and immunities provided in the Federal Trade
Commission Act as though all applicable terms and provisions of
that Act were incorporated into and made a part of this bill.
Subsection 3(e)(2) would authorize any State attorney general
to bring a parens patriae action in a United States district
court, in any case in which that attorney general has reason to
believe that an interest of the residents of that State has
been or is threatened or adversely affected by an act or
practice that violates any regulation under subsection 3(b) of
the Act. The relief that the State attorney general may seek
would include injunctive relief, enforcement of compliance with
the regulation, obtaining damages, restitution, and other
compensation on behalf of the State's residents (including
civil penalties up to $11,000 per violation, not to exceed a
maximum of $5,000,000) and any other legal or equitable relief
as the district court may consider to be appropriate. This
subsection also contains provisions for notice to the
Commission and the Department of Justice when such actions are
brought; litigation-related rights that the Commission and the
Department each would have in such actions; a provision
precluding States from filing such parens patriae actions if
the Department has instituted a prosecution for criminal
violations or the Commission has instituted civil litigation
for civil violations of the Act; a provision clarifying the
ability of a State attorney general to use investigatory powers
under the laws of that State; and procedural provisions for
venue and service of process.
Section 4. Effect on other laws
Section 4 preempts State laws that expressly restrict the
sale or purchase of Social Security numbers that are consistent
with the Act.
CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
This legislation does not amend any existing Federal
statute.
<all>
�