[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 450 Introduced in Senate (IS)]

107th CONGRESS
1st Session

S. 450

To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes.

_______________________________________________________________________

IN THE SENATE OF THE UNITED STATES

March 1, 2001

Mr. Nelson of Florida introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs

_______________________________________________________________________

A BILL

To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Financial Institution Privacy Protection Act of 2001''.

SEC. 2. PROTECTION OF PRIVATE HEALTH INFORMATION.

    Section 509(4) of the Gramm-Leach-Bliley Act (15 U.S.C. 6809(4)) is amended by adding at the end the following:
        ``(D) The term `nonpublic personal information' includes health information, defined as any information, including genetic information, demographic information, and tissue samples collected from an individual, whether oral or recorded in any form or medium--
            ``(i) that is created or received by a health care provider, health researcher, health plan, health oversight agency, public health authority, employer, health or life insurer, school or university; and
            ``(ii) that--
                ``(I) relates to the past, present, or future physical or mental health or condition of an individual (including individual cells and their components), the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
                ``(II) that identifies an individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify an individual.''.

SEC. 3. OPT-IN FOR SHARING OF INFORMATION.

    Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended--
        (1) in subsection (a)--
            (A) by inserting ``any affiliate or'' before ``a nonaffiliated'';
            (B) by striking ``unless such'' and inserting the following: ``unless--
        ``(1) the institution provides''; and
            (C) by striking the period at the end and inserting the following: ``; and
        ``(2) the consumer to whom the information pertains--
            ``(A) has affirmatively consented (in writing, in the case of health information, as defined in section 509(4)(D)), in accordance with rules prescribed under section 504, to the disclosure of such information; and
            ``(B) has not withdrawn such consent.''; and
        (2) by striking subsection (b) and inserting the following:
    ``(b) Denial of Service Prohibited.--A financial institution may not deny a financial product or a financial service to any consumer based on the refusal by the consumer to grant the consent required by this section.''.

SEC. 4. COMPLIANCE OFFICERS.

    Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended by adding at the end the following:
    ``(c) Compliance Officers.--Each financial institution shall designate a privacy compliance officer, who shall be responsible for ensuring compliance by the institution with the requirements of this title and the privacy policies of the institution.''.

SEC. 5. LIABILITY.

    Section 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6805) is amended by adding at the end the following:
    ``(e) Civil Penalties.--The Attorney General of the United States may bring a civil action in the appropriate district court of the United States against any financial institution that engages in conduct constituting a violation of this title, and, upon proof of such violation--
        ``(1) the financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation; and
        ``(2) the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation.''.

<all>