Identity Theft: An Overview of Proposed Legislation

Report for Congress
Identity Theft: An Overview
of Proposed Legislation
th
in the 107 Congress
February 21, 2003
Angie A. Welborn
Legislative Attorney
American Law Division

Congressional Research Service ˜ The Library of Congress

Identity Theft: An Overview of Proposed Legislation in
the 107th Congress
Summary
This report provides an overview of legislation proposed during the 107^th
Congress to address the growing problem of identity theft.¹ Much of the legislation
from the 107^th Congress sought to prevent identity theft through a variety of
measures, including placing limitations on the use of social security numbers,
requiring the truncation of credit card numbers, and placing additional limitations on
access to consumer credit reports. Legislation was also introduced aimed at assisting
victims with the oftentimes arduous task of removing information resulting from
identity theft from their credit reports, and providing greater criminal penalties for
those convicted of identity theft and related crimes. The bills are arranged by
chamber and presented in numerical order (Senate Bills: S. 848, S. 1014, S. 1399, S.

1723, S. 1742, S. 2541, S. 3100, House Bills: H.R. 220, H.R. 1478, H.R. 2036, H.R.

3053, H.R. 3368, H.R. 4513, H.R. 4678, H.R. 5424, H.R. 5474, H.R. 5588).

During the 108^th Congress, identity theft is likely to once again be a focus of the
legislative agenda. Since the Federal Trade Commission first identified identity theft
as the number one consumer complaint in 2000, problems associated with identity
theft have grown. Despite efforts at the state level to prevent identity theft and
provide assistance to victims, many consumer organizations believe that
comprehensive federal legislation is necessary.

¹ For additional information about identity theft and related legislation, see CRS Report
RS21083, Identity Theft and the Fair Credit Reporting Act: An Analysis of TRW v. Andrews
and Current Legislation, and CRS Report RS21163, Remedies Available to Victims of
Identity Theft.

Contents
Senate Bills..................................................1
S. 848...................................................1
S. 1014..................................................3
S. 1399..................................................4
S. 1723..................................................5
S. 1742..................................................5
S. 2541..................................................7
S. 3100..................................................8
House Bills...................................................9
H.R. 220.................................................9
H.R. 1478...............................................10
H.R. 2036...............................................10
H.R. 3053...............................................11
H.R. 3368...............................................11
H.R. 4513...............................................11
H.R. 4678...............................................12
H.R. 5424...............................................13
H.R. 5474...............................................13
H.R. 5588...............................................14

Identity Theft: An Overview of Proposed
Legislation in the 107th Congress
Senate Bills
S. 848. The Social Security Number Misuse Prevention Act of 2001, as
introduced, would have amended Title 18 of the United States Code to limit the
misuse of Social Security numbers and establish criminal penalties for such misuse.
The bill would have prohibited the display, sale or purchase of an individual’s Social
Security number without that individual’s “affirmatively expressed consent.”² The
bill would have also prohibited any person from obtaining any individual’s Social
Security number for purposes of locating or identifying an individual with the intent
to physically injure, harm, or use the identity of the individual for any illegal
purpose.³
Exceptions to the general prohibition included permissible uses under the Social
Security Act, the Privacy Act, the Internal Revenue Code, and the Professional
Boxing Safety Act of 1996; uses relating to public health, national security or law
enforcement; certain business-to-business uses; and required submissions as part of
the process for applying for any type of Federal, State, or local government benefit
or program.⁴ The prohibition would not have applied to Social Security numbers
included in certain public records, but agencies would have been required to institute
procedures to restrict access to an individual’s Social Security number.⁵
The Attorney General was given authority to prescribe rules and regulations
necessary to carry out the general prohibition provisions, and is directed to consult
with “the Commissioner of Social Security, the Chairman of the Federal Trade
Commission, and such other heads of Federal agencies as the Attorney General
determines appropriate” to promulgate regulations “to implement and clarify the uses
occurring as a result of the interaction between businesses, governments, or
businesses and governments.”⁶ The bill also provided for factors to be considered
when promulgating such rules.
The bill would have also prohibited the use of Social Security numbers on
checks issued by governmental agencies and on driver’s licenses, motor vehicle

² S. 848, as introduced, Sec. 3.
³ Id.
⁴ Id.
⁵ S. 848, as introduced, Sec. 4.
⁶ S. 848, as introduced, Sec. 5.

registration documents, or any other document issued to an individual for
identification purposes.⁷ S. 848 would also prohibit inmate access to Social Security
numbers.
Under S. 848, as introduced, a commercial entity would have been prohibited
from requiring an individual to provide his or her Social Security number when
purchasing a commercial good or service or denying an individual the good or service
for refusing to provide the number.⁸ The prohibition did not apply with respect to
any purpose relating to obtaining a consumer report for any purpose permitted under
the Fair Credit Reporting Act; a background check of the individual conducted by a
landlord, lessor, employer, voluntary service agency, or other entity as determined by
the Attorney General. An individual may have also been required to provide his or
her Social Security number for law enforcement purposes; by Federal, State or local
law; or if the Social Security number is necessary to verify the identity and to prevent
fraud with respect to the specific transaction requested by the consumer and no other
form of identification can produce comparable results.⁹ These provisions did not
prohibit a commercial entity from requiring an individual to provide two forms of
identification that do not contain the Social Security number of the individual; or
denying an individual a good or service for refusing to provide two forms of such
identification.¹⁰
S. 848, as introduced, also extended civil monetary penalties for misuse of a
Social Security number.¹¹
S. 848 was referred to the Senate Committee on the Judiciary and reported by
Senator Leahy with an amendment in the nature of a substitute on May 16, 2002.
The bill was then reported to the Committee on Finance. The Subcommittee on
Social Security and Family Policy held hearings on July 11, 2002. No additional
action was taken.
As reported, S. 848 included similar provisions relating to prohibitions on the
display, sale or purchase of Social Security numbers.¹² However, unlike the
introduced version, the bill as reported provided for civil actions in state courts for
violations of those prohibitions, and allows an aggrieved individual to recover for
actual monetary loss or up to $500 in damages for each violation, whichever is
greater.¹³ Any such action would have been required to be commenced not later than
the earlier of five years after the date on which the alleged violation occurred; or
three years after the date on which the alleged violation was or should have been

⁷ S. 848, as introduced, Sec. 6.
⁸ S. 848, as introduced, Sec. 7.
⁹ Id.
¹⁰ Id.
¹¹ S. 848, as introduced, Sec. 8.
¹² S. 848, as reported, Sec. 3.
¹³ Id.

reasonably discovered by the aggrieved individual.¹⁴ The bill, as reported, also
provided for civil penalties for violations of the prohibitions set forth and criminal
sanctions for knowing and willful violations.¹⁵
The general prohibition would not have applied to Social Security numbers in
public records. However, S. 848, as reported, would have required agencies to
institute procedures to limit the disclosure of an individual’s Social Security number
on certain types of records.¹⁶
S. 1014. The Social Security Number Privacy and Identity Theft
Prevention Act of 2001, would have made several amendments to the Social
Security Act aimed at enhancing privacy protections for individuals and preventing
fraudulent misuse of Social Security numbers. The bill would have prohibited - with
limited exceptions - the sale of an individual’s Social Security number by any state
or federal governmental entity in possession of such number.¹⁷ The display to the
general public of an individual’s Social Security number would have also been
prohibited, as would the display of a Social Security number on any check issued for
any payment by any governmental agency.¹⁸ In addition, the appearance of Social
Security account numbers on driver’s licenses would have been prohibited, as would
the display of Social Security numbers on personal identification card or tags
provided to state or federal government employees.¹⁹ Access to Social Security
numbers by inmates would have also been prohibited, and independent verification
of birth records provided by an applicant for a Social Security account number would
have been required.²⁰
S. 1014 would have also prohibited the sale and display of Social Security
numbers in the private sector.²¹ The general prohibition would have been subject to
certain exceptions. Social Security numbers could have been sold, purchased or
displayed to the extent necessary for law enforcement purposes, including the
enforcement of a child support obligation; to the extent necessary for national
security purposes; to the extent necessary for public health purposes; to the extent
necessary in emergency situations; and to the extent necessary for research conducted
for the purpose of advancing public knowledge, on the condition that the researcher
provide adequate assurances that the privacy of the individual and the individual’s
number would have been protected.²² Individuals would have also been able to

¹⁴ Id.
¹⁵ Id.
¹⁶ S. 848, as reported, Sec. 4.
¹⁷ S. 1014, Title I, Sec. 101(a).
¹⁸ S. 1014, Title I, Sec. 102, Sec. 103.
¹⁹ S. 1014, Title I, Sec. 104, Sec. 105.
²⁰ S. 1014, Title I, Sec. 106, Sec. 107.
²¹ S. 1014, Title II, Sec. 201.
²² Id.

consent to the sale, purchase or display of their Social Security numbers. The bill
directed the Attorney General to promulgate regulations regarding such restrictions.²³
S. 1014 would have made refusal to do business without receipt of a Social
Security number an unfair or deceptive trade practice under the Federal Trade
Commission Act.²⁴ However, situations in which a person was required under
federal law to submit an individual’s Social Security number in connection with a
business transaction would have been exempt.²⁵
An amendment to the Fair Credit Reporting Act would have prohibited a credit
reporting agency from furnishing an individual’s Social Security number unless a full
consumer report is being furnished.²⁶
With regard to enforcement, S. 1014 would have established new criminal
penalties for misuse of a Social Security number, and extends the authority under the
Social Security Act to impose civil monetary penalties for misuse of a Social Security
number.²⁷ The bill would have also authorized a court to order a defendant to make
restitution to the Social Security Administration.²⁸
S. 1014 was referred to the Senate Committee on Finance on June 12, 2001. No
additional action was taken.
S. 1399. The Identity Theft Prevention Act of 2001, included several
provisions aimed at preventing identity theft. First, the bill would have required
credit card issuers to confirm changes of address when a request for an additional
card with respect to an existing account is received no more than 30 days after the²⁹
address change request. Additionally, consumer reporting agencies would have
been required to notify requesters of information of potential fraud when the request
includes an address for the consumer that differs from the most recent address on file
with the consumer reporting agency.³⁰ The Federal Trade Commission would have
had primary enforcement authority, with other agencies responsible for enforcement
with respect to entities outside the FTC’s jurisdiction.³¹

²³ Id.
²⁴ S. 1014, Title II, Sec. 202.
²⁵ Id.
²⁶ S. 1014, Title II, Sec. 203.
²⁷ S. 1014, Title III, Sec. 301, Sec. 302.
²⁸ S. 1014, Title III, Sec. 303.
²⁹ S. 1399, Sec. 3(a).
³⁰ Id.
³¹ Id.

Under S. 1399, consumer reporting agencies would have also been required to
include a fraud alert in a consumer’s file, if requested by the consumer.³² The
consumer reporting agency would have been responsible for notifying each person
procuring consumer credit information of the existence of a fraud alert in the
consumer’s file regardless of whether a full credit report, credit score, or summary
report is requested.³³
The bill would have also directed the Federal Trade Commission to promulgate
rules requiring each consumer reporting agency to investigate discrepancies between
personal or identifying information contained in the file maintained by the agency
and the personal identifying information supplied to the agency by the user of the
consumer report.³⁴ The rules promulgated pursuant to S. 1399 would have also been
required to include procedures for referral of consumer complaints about identity
theft and fraud alerts between and among the consumer reporting agencies and to the
Federal Trade Commission.³⁵
The truncation of credit card numbers on receipts that are electronically printed
would have also been required under S. 1399.³⁶
S. 1399 was referred to the Senate Committee on Banking, Housing and Urban
Affairs on September 4, 2001. No additional action was taken.
S. 1723. The Protect Victims of Identity Theft Act of 2001, would have
amended the Fair Credit Reporting Act’s statute of limitations. The amendment
proposed under S. 1723 would have allowed suit to be brought “not later than 2 years
after the date on which the violation is discovered or should have been discovered by³⁷
the exercise of reasonable diligence.”
S. 1723 was referred to the Senate Committee on Banking, Housing, and Urban
Affairs on November 16, 2001. No additional action was taken.
S. 1742. The Restore Your Identity Act of 2001, as introduced, included
several provisions aimed at preventing identity theft and aiding victims of identity
theft. The bill set forth a mechanism enabling victims of identity theft to receive
application and transaction information related to the theft from any business entity
possessing such information.³⁸ The bill included provisions for verification of the
victim’s identity and places limitations on a business’ liability with regard to the

³² S. 1399, Sec. 3(b).
³³ Id.
³⁴ S. 1399, Sec. 3(c).
³⁵ Id.
³⁶ S. 1399, Sec. 4.
³⁷ S. 1723, Sec. 2.
³⁸ S. 1742, as introduced, Sec. 5.

provision of the requested information.³⁹ Among the other provisions set forth in the
bill was an amendment to the Fair Credit Reporting Act which would have required
a consumer reporting agency to “permanently block the reporting of information
identified by the consumer in the file of the consumer resulting from the identity
theft, so that the information could be reported.”⁴⁰ Consumer reporting agencies
would have had the authority to decline or rescind the request to block information
under certain circumstances.⁴¹ Another amendment to the FCRA would have
affected the statute of limitations for filing a claim against a credit reporting agency.
The proposed amendment would have allowed suit to be filed “not later than two
years after the discovery by the individual of the misrepresentation.”⁴²
The bill also amended the Internet False Identification Act to establish a
commission to study coordination between federal, state, and local authorities in
enforcing identity theft laws,⁴³ and provided for enforcement of the provisions set
forth in the legislation by state attorneys general and by the Attorney General of the
United States.⁴⁴
S. 1742 was referred to the Senate Committee on the Judiciary, and was reported
on May 21, 2002, by Senator Leahy with an amendment in the nature of a substitute
entitled the Identity Theft Victims Assistance Act of 2002. The amendment was
similar to the introduced bill, but some substantive changes were made, including the
addition of a provision allowing businesses to establish notification systems to⁴⁵
comply with the information sharing provisions discussed above. Additionally, the
bill, as reported, provided for enforcement actions by state attorneys general or the
Attorney General of the United States for violations of the provisions related to the
release of information by business entities.⁴⁶
Substantive changes were also made with regard to the Fair Credit Reporting
Act amendments. As reported, S. 1742 included the provisions discussed above
related to the blocking of information on a consumer’s credit report resulting from⁴⁷
an identity theft, but added certain exceptions to the general rule. Additional
changes were made to the statute of limitations under the FCRA. S. 1742, as
reported, would have amended the FCRA to allow suit to be brought “not later than

2 years from the date of the defendant’s violation of any requirement under this

³⁹ Id.
⁴⁰ S. 1742, as introduced, Sec. 6.
⁴¹ Id.
⁴² Id.
⁴³ S. 1742, as introduced, Sec. 7.
⁴⁴ S. 1742, as introduced, Sec. 8.
⁴⁵ S. 1742, as reported, Sec. 4.
⁴⁶ S. 1742, as reported, Sec. 7.
⁴⁷ S. 1742, as reported, Sec. 5.

title.”⁴⁸ Actions by victims of identity theft could have been brought not later than
5 years from the date of the defendant’s violation if the victim “has reasonable
grounds to believe that [he or she] is the victim of an identity theft; and has not
materially and willfully misrepresented such a claim.”⁴⁹
The Senate passed S. 1742 on November 14, 2002, with an amendment
proposed by Senator Reed for Senator Cantwell. As passed, the bill did not include
the notification system provision discussed above. Language was included to
preclude private rights of action or claims for relief for violations of the provisions
related to the release of information by business entities.⁵⁰ The bill, as passed, also
added to the exceptions related to the blocking of information on a consumer’s credit
file resulting from an identity theft, and changed the statute of limitations for actions
relating to identity theft from 5 years to 4 years.⁵¹
S. 1742 was referred to the House Committee on the Judiciary and the
Committee on Financial Services on November 15, 2002. No additional action was
taken by the House of Representatives.
S. 2541. The Identity Theft Penalty Enhancement Act of 2002, would have
amended Title 18 of the United States Code to establish penalties for aggravated⁵²
identity theft and make changes to the existing identity theft provisions of Title 18.
Under S. 2541, aggravated identity theft would have occurred when a person
“knowingly transfers, possesses, or uses, without lawful authority, a means of
identification of another person” during and in relation to the commission of certain⁵³
enumerated felonies. The penalty for aggravated identity theft would have been a
term of imprisonment of 2 years in addition to the punishment provided for the⁵⁴
original felony committed. The felonies for which a penalty for aggravated identity
theft could have been imposed included felonies related to theft from employee
benefit plans; false impersonation of citizenship; false statements in connection with
the acquisition of a firearm; other types of fraud and false statements; mail, bank and
wire fraud; fraud relating to passports and visas; violations of the Gramm-Leach-
Bliley Act relating to obtaining consumer information under false pretenses; certain
violations of the Immigration and Nationality Act relating to willfully failing to leave
the United States after deportation and creating a counterfeit alien registration card;⁵⁵

and certain violations of the Social Security Act.
⁴⁸ Id.
⁴⁹ Id.
⁵⁰ S. 1742, as passed, Sec. 3.
⁵¹ S. 1742, as passed, Sec. 4.
⁵² See S. 2541, Sec. 3, for amendments to the 18 U.S.C. 1028.
⁵³ S. 2541, Sec. 2.
⁵⁴ Id.
⁵⁵ Id.

S. 2541 was referred to the Senate Committee on the Judiciary. The
Subcommittee on Technology, Terrorism, and Government Information held hearings
on July 9, 2002. On November 14, 2002, the bill was reported out of Committee
favorably and without amendment. No additional action was taken.
S. 3100. The Social Security Number Misuse Prevention Act of 2002, would
have amended Title 18 of the United States Code to limit the misuse of Social
Security numbers and establish criminal penalties for such misuse. The bill would
have prohibited the display, sale or purchase of Social Security numbers without the
“affirmatively expressed consent of the individual.”⁵⁶ Certain exceptions would have
applied, including cases where required, authorized, or excepted under any Federal
law; for public health purposes; for a national security purpose; for a law
enforcement purpose; and under certain circumstances if the display, sale or purchase
of the number is for a use occurring as a result of an interaction between businesses,⁵⁷
governments, or business and government. The bill provided for limitations on the
prohibition with respect to uses permitted under the Gramm-Leach-Bliley Act, the
Fair Credit Reporting Act, and with respect to the display, sale or purchase of public
records containing Social Security numbers.⁵⁸ The Attorney General was given
rulemaking authority substantially similar to that provided for in S. 848, as
introduced, discussed above.
Additional prohibitions would have applied to the display of the Social Security
number, or any derivative of such number, on any check issued for any payment by
the Federal, State, or local [social security] agency; on a driver’s license, motor
vehicle registration or any other document issues for purposes of identification. The
bill also prohibited inmate access to Social Security numbers.⁵⁹
In general, S. 3100 precluded a commercial entity from requiring that an
individual provide his or her Social Security number when purchasing a consumer
good or service, or denying an individual the good or service for failing to provide⁶⁰
his or her Social Security number. The preclusion did not apply with respect to any
purpose relating to obtaining a consumer report for any purpose permitted under the
Fair Credit Reporting Act; a background check of the individual conducted by a
landlord, lessor, employer, voluntary service agency, or other entity as determined by
the Attorney General. An individual could have also been required to provide his or
her Social Security number for law enforcement purposes; by Federal, State or local
law; or if the Social Security number is necessary to verify the identity of the
consumer to effect, administer, or enforce the specific transaction requested or⁶¹
authorized by the consumer, or to prevent fraud. Violations of these provisions

⁵⁶ S. 3100, Sec. 3. These provisions are similar to those in S. 848, as introduced.
⁵⁷ Id.
⁵⁸ S. 3100, Sec. 3 and Sec. 4.
⁵⁹ S. 3100, Sec. 6.
⁶⁰ S. 3100, Sec. 7.
⁶¹ Id.

could have been pursued by state attorneys general or by the Attorney General of the
United States. The provisions would have expired 6 years after the effective date.⁶²
Unrelated to Social Security numbers, an additional section of S. 3100 would
have required the truncation of credit card account numbers, prohibiting the printing
of more than the last 5 digits of the credit card account number or the expiration date
upon any receipt provided to the card holder.⁶³
The bill provided for civil monetary penalties, criminal penalties, and civil
actions for certain misuses of Social Security numbers.⁶⁴
S. 3100 was placed on the Senate legislative calendar, but no additional action
was taken.
House Bills
H.R. 220. The Identity Theft Protection Act of 2001, would have repealed
provisions of the Social Security Act which authorize certain usages of an
individual’s Social Security number, including, the use of Social Security numbers
for general public assistance offered by a state, driver’s licenses or motor vehicle
registration; and the use of Social Security numbers in the administration of the food⁶⁵
stamp program. The bill would have also required all Social Security numbers to
be randomly generated and prohibit the Social Security Administration from
divulging an individual’s account number to any other federal or state governmental
entity.⁶⁶
In addition to the provisions related to Social Security numbers, the bill would
have prohibited any two agencies or instrumentalities of the federal government from
implementing the same identifying number with respect to any individual.⁶⁷ The
federal government would have also been prohibited from establishing or mandating
a uniform standard for identification for an individual; and could not have
conditioned the receipt of any federal funding on the adoption, by a state, a state
agency, or a political subdivision of a state, of a uniform standard for identification⁶⁸
of an individual.
H.R. 220 was referred to the House Committee on Ways and Means and the
Committee on Government reform on January 3, 2001, with subsequent referrals to
various subcommittees. No additional action was taken.

⁶² Id.
⁶³ S. 3100, Sec. 11.
⁶⁴ S. 3100, Sec. 8, Sec. 9, and Sec. 10.
⁶⁵ H.R. 220, Sec. 2.
⁶⁶ Id.
⁶⁷ H.R. 220, Sec. 4.
⁶⁸ H.R. 220, Sec. 5.

H.R. 1478. The Personal Information Privacy Act of 2001, would have made
several amendments to the Fair Credit Reporting Act (FCRA) aimed at protecting a
consumer’s personal information. The bill would have amended the FCRA to
expand the definition of “consumer report” to include “any other identifying
information of the consumer, except the name, address, and telephone number of the
consumer if listed in a residential telephone directory available in the locality of the⁶⁹
consumer.” Other amendments to the FCRA would have prohibited the furnishing
of consumer credit reports in connection with credit or insurance transactions that
were not initiated by the consumer without the consumer’s express written
authorization and would have required full disclosure to the consumer of what was
being authorized and any potential positive and negative effects of such
authorization.⁷⁰ The sale or transfer of transaction or experience information⁷¹ would⁷²
have also been prohibited without the express written consent of the consumer.
H.R. 1478 would have also prohibited certain misuses of an individual’s Social
Security number. The commercial use of an individual’s Social Security number⁷³
would have been prohibited without the written consent of the individual. Refusal
to do business with an individual because the individual would not consent to the use
of his or her Social Security number would have been treated as an unfair or
deceptive act or practice in violation of Section 5 of the Federal Trade Commission⁷⁴
Act. The use of an individual’s Social Security number as a personal identification
number would have also been prohibited without written consent.⁷⁵
H.R. 1478 was referred to the House Committee on Ways and Means and the
Committee on Financial Services on April 24, 2001, with subsequent referrals to the
Subcommittee on Financial Institutions and Consumer Credit. No additional action
was taken.
H.R. 2036. The Social Security Number Privacy and Identity Theft
Prevention Act of 2001, was substantially similar to S. 1014 discussed above. H.R.
2036 was referred to the House Committee on Ways and Means, the Committee on
Energy and Commerce, and the Committee on Financial Services on May 25, 2001.
The bill was subsequently referred to various subcommittees. No additional action
was taken.

⁶⁹ H.R. 1478, Sec. 2.
⁷⁰ H.R. 1478, Sec. 4.
⁷¹ Transaction or experience information is defined as “any information identifying the
content or subject of one or more transactions between the consumer and a person doing
business with a consumer, including any component part of any transaction, any brand name
involved, or any quantity or category of merchandise involved in any party of the
transaction.” H.R. 1478, Sec. 5.
⁷² H.R. 1478, Sec. 5.
⁷³ H.R. 1478, Sec. 3.
⁷⁴ Id.
⁷⁵ Id.

H.R. 3053. The Identity Theft Prevention Act of 2001, was substantially
similar to S. 1399, discussed above. Unlike S. 1399, H.R. 3053 would have required
consumer reporting agencies to provide free copies of consumer credit reports on a
yearly basis, at the request of the consumer.⁷⁶ H.R. 3053 would have also required
the Federal Trade Commission to develop a model form and standard procedures to
be used by consumers who are victims of identity fraud for contacting and informing⁷⁷
creditors and consumer reporting agencies of the fraud.
H.R. 3053 was referred to the House Committee on Financial Services on
October 5, 2001, and subsequently to the Subcommittee on Financial Institutions and
Consumer Credit. No additional action was taken.
H.R. 3368. The Protect Victims of Identity Theft Act of 2001, was
substantially similar to S. 1723 discussed above. The bill would have amended the
Fair Credit Reporting Act’s statute of limitations. The proposed amendment would
have allowed suit to be brought “not later than 2 years after the date on which the
violation is discovered or should have been discovered by the exercise of reasonable
diligence.”⁷⁸
H.R. 3368 was referred to the House Committee on Financial Services on
November 28, 2001, and subsequently to the Subcommittee on Financial Institutions
and Consumer Credit. The bill was also referred to the House Committee on the
Judiciary Subcommittee on Courts, the Internet, and Intellectual Property. No
additional action was taken.
H.R. 4513. The Social Security Number Protection Act of 2002, included
several provisions that were somewhat similar to those in S. 1014 discussed above.
H.R. 4513 directed the Federal Trade Commission to promulgate regulations
regarding the sale and purchase of Social Security numbers. It would have been
unlawful for any person to sell or purchase a Social Security number in a manner that
violates a regulation promulgated by the Commission.⁷⁹ The Commission was
directed to consult with the Commissioner of Social Security, the Department of
Justice, and other agencies deemed appropriate to promulgate regulations restricting
the sale and purchase of Social Security numbers and any unfair or deceptive acts or
practices in connection with the sale and purchase of such.⁸⁰ The regulations
promulgated were to be no broader than necessary “to provide reasonable assurance
that Social Security numbers and Social Security account numbers will not be used
to commit or facilitate fraud, deception, or crime; and to prevent an undue risk of
bodily, emotional, or financial harm to individuals.”⁸¹

⁷⁶ H.R. 3053, Sec. 5.
⁷⁷ H.R. 3053, Sec. 3(c).
⁷⁸ H.R. 3368, Sec. 2.
⁷⁹ H.R. 4513, Sec. 4(a).
⁸⁰ H.R. 4513, Sec. 4(b)(1).
⁸¹ H.R. 4513, Sec. 4(b)(2).

Under H.R. 4513, certain exceptions would have applied to the general
restrictions on the sale and purchase of Social Security numbers. The sale and
purchase of Social Security numbers would have been permitted under the
regulations to the extent necessary for law enforcement and national security
purposes; to the extent necessary for public health purposes; to the extent necessary
in emergency situations to protect the health or safety of one or more individuals; and
to the extent necessary for research conducted for the purpose of advancing public
knowledge, on the condition that the researcher provided adequate assurances that
certain measures would have been employed to protect the privacy of the individual
and the confidentiality of the individual’s Social Security number.⁸² An individual
could have also consented to the sale or purchase of his or her Social Security
number.⁸³
Violations of the regulations promulgated pursuant to H.R. 4513 would have
been enforced by the Federal Trade Commission and treated as an unfair or deceptive
act or practice.⁸⁴ State attorneys general would have also had authority to bring
actions on behalf of the residents of their states.⁸⁵ The Attorney General of the
United States would have also had some enforcement authority.⁸⁶
H.R. 4513 was referred to the House Committee on Energy and Commerce and
the Committee on Ways and Means on April 18, 2002. No additional action was
taken.
H.R. 4678. The Consumer Privacy Protection Act of 2002, included
provisions related to both privacy protection and identity theft. Title I of H.R. 4678
specifically addressed privacy with regard to consumer information gathered and
used by data collection organizations, and included provisions related to privacy
statements, opt-out opportunities for consumers, information security obligations,
and self-regulatory programs for data collection organizations. Title II of the bill
specifically addressed identity theft prevention and remedies. These provisions will
be discussed in detail below.
Title II of H.R. 4678 directed the Federal Trade Commission to take specific
actions to assist victims of identity theft. The Commission was directed to take such
action as necessary to permit (including by electronic means) consumers that have
a reasonable belief that they are a victims of identity theft to enter required consumer
information into the commission-developed “Identity Theft Affidavit,” and to submit
completed forms and other supplemental information to the Commission and other⁸⁷
entities. The Commission would have also been required to “take such action as
necessary to solicit the acceptance and acknowledgment of standardized Identity

⁸² H.R. 4513, Sec. 4(b)(3).
⁸³ Id.
⁸⁴ H.R. 4513, Sec. 4(d).
⁸⁵ H.R. 4513, Sec. 4(e).
⁸⁶ Id.
⁸⁷ H.R. 4678, Sec. 201.

Theft Affidavit by entities that receive disputes regarding the unauthorized use of
accounts of such entities from consumers that have reason to believe that they are a
victim of identity theft.”⁸⁸ Additionally, the Commission would have required such
entities to conduct any necessary investigation and decide an outcome of a claim
from a consumer within 90 days from the date on which all necessary information has
been submitted.⁸⁹
Under H.R. 4678, the Federal Trade Commission would have also been required
to make improvements to the Identity Theft Clearinghouse which would allow
consumers to submit identity theft information to appropriate entities via the
Clearinghouse.⁹⁰ The Commission would have also been required to obtain identity
theft data from public and private entities that receive and process complaints from
consumers and include such information in the Identity Theft Clearinghouse
database.⁹¹
In an effort to prevent identity theft, H.R. 4678 directed the Commission to
require “appropriate entities to take reasonable steps to verify the accuracy of a
consumer’s address, including by confirming a consumer’s change of address by
sending a confirmation of such change to the old and new address of the consumer.”⁹²
H.R. 4678 was referred to the House Committee on Energy and Commerce
Subcommittee on Commerce, Trade and Consumer Protection. Subcommittee
hearings were held on September 24, 2002, but not additional action was taken.⁹³
H.R. 5424. The Identity Theft Victims Assistance Act of 2002, appeared to
be substantially similar to S. 1742, as reported, discussed above. H.R. 5424 was
referred to the House Committee on the Judiciary and the Committee on Financial
Services on September 19, 2002, and subsequently to the Subcommittee on Crime,
Terrorism and Homeland Security and the Subcommittee on Financial Institutions
and Consumer Credit. No additional action was taken.
H.R. 5474. The Identity Theft Consumer Notification Act, would have
amended the Gramm-Leach-Bliley Act to further protect consumers whose identities
are stolen from their financial institutions. Under H.R. 5474, a financial institution
would have been required to promptly notify a consumer if his or her personal
information had been compromised in any way by an employee of the financial
institution or through any unauthorized entry into the records of the institution.⁹⁴ In
the event of such compromise, the financial institution would have been obligated to

⁸⁸ H.R. 4678, Sec. 202.
⁸⁹ H.R. 4678, Sec. 203.
⁹⁰ H.R. 4678, Sec. 204.
⁹¹ H.R. 4678, Sec. 205.
⁹² H.R. 4678, Sec. 206.
⁹³ Title III of the bill includes provisions related to international privacy laws which were
referred to the House Committee on International Relations.
⁹⁴ H.R. 5474, Sec. 2.

notify the consumer of the compromise and any misuse of the information; to provide
assistance to the consumer to remedy any such compromise; to reimburse the
consumer for any losses the consumer incurred as a result of the compromise,
including any fees for obtaining, investigating, and correcting a consumer report; and
to provide information concerning the manner in which the consumer can obtain such
assistance.⁹⁵ Financial institutions would have been able to delay notification at the
request of a law enforcement agency investigating the violation that led to the
compromise of the consumer’s information.
The bill would have also amended the Fair Credit Reporting Act’s statute of
limitations to allow an action to be brought “not later than 2 years after the date on
which the violation is discovered or should have been discovered by the exercise of
reasonable diligence.”⁹⁶
H.R. 5474 was referred to the House Committee on Financial Services
Subcommittee on Financial Institutions and Consumer Credit on October 7, 2002.
No additional action was taken.
H.R. 5588. The Identity Theft Penalty Enhancement Act of 2002, was
substantially similar to S. 2541 discussed above. H.R. 5588 was referred to the
House Committee on the Judiciary Subcommittee on Crime, Terrorism, and
Homeland Security on November 12, 2002. No additional action was taken.

⁹⁵ Id.
⁹⁶ H.R. 5474, Sec. 3.