[Senate Report 110-235]
[From the U.S. Government Publishing Office]
110th Congress
1st Session SENATE Report
110-235
_______________________________________________________________________
Calendar No. 520
IDENTITY THEFT PREVENTION ACT OF 2007
__________
R E P O R T
OF THE
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
on
S.1178
DATE deg.December 5, 2007.--Ordered to be printed
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
one hundred tenth congress
first session
DANIEL K. INOUYE, Hawaii, Chairman
TED STEVENS, Alaska, Vice-Chairman
JOHN D. ROCKEFELLER IV, West JOHN McCAIN, Arizona
Virginia TRENT LOTT, Mississippi
JOHN F. KERRY, Massachusetts KAY BAILEY HUTCHISON, Texas
BYRON L. DORGAN, North Dakota OLYMPIA J. SNOWE, Maine
BARBARA BOXER, California GORDON H. SMITH, Oregon
BILL NELSON, Florida JOHN ENSIGN, Nevada
MARIA CANTWELL, Washington JOHN E. SUNUNU, New Hampshire
FRANK R. LAUTENBERG, New Jersey JIM DEMINT, South Carolina
MARK PRYOR, Arkansas DAVID VITTER, Louisiana
THOMAS CARPER, Delaware JOHN THUNE, South Dakota
CLAIRE McCASKILL, Missouri
AMY KLOBUCHAR, Minnesota
Margaret Cummisky, Staff Director and Chief Counsel
Lila Helms, Deputy Staff Director and Policy Director
Jean Toal Eisen, Senior Advisor and Deputy Policy Director
Christine Kurth, Republican Staff Director and General Counsel
Paul J. Nagle, Republican Chief Counsel
Mimi Braniff, Republican Deputy Chief Counsel
Calendar No. 520
110th Congress Report
SENATE
1st Session 110-235
======================================================================
IDENTITY THEFT PREVENTION ACT OF 2007
_______
December 5, 2007.--Ordered to be printed
_______
Mr. Inouye, from the Committee on Commerce, Science, and
Transportation, submitted the following
R E P O R T
[To accompany S. 1178]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill joint resolution deg. (S.
1178) TITLE deg. to strengthen data protection and
safeguards, require data breach notification, and further
prevent identity theft, having considered the same, reports
favorably thereon with amendments and recommends that the bill
joint resolution deg. (as amended) do pass.
Purpose of the Bill
S. 1178 would bolster data security procedures for covered
entities that collect, dispose, maintain, sell, or transfer
sensitive personal information. The bill would require covered
entities to provide consumer notification under circumstances
when that entity suffers a breach of security, and the exposure
of that sensitive personal information would create a
reasonable risk that an identity theft may occur. S. 1178 also
would direct the Federal Trade Commission (FTC) to develop
rules that would require procedures for authenticating the
credentials of third parties to which sensitive personal
information may be sold or otherwise transferred. To further
protect consumers from identity theft, S. 1178 would allow
consumers to freeze their credit report. As amended, S. 1178
also would prohibit the solicitation, sale, or display of
Social Security numbers by covered entities, except under
certain specified circumstances, and would require Federal
agencies to protect sensitive personal information and provide
notification to affected individuals in the event of a breach
of security that creates a reasonable risk of identity theft.
Background and Needs
DATA SECURITY
In 1998, Congress responded to an explosion in identity theft
activity by passing the Identity Theft Assumption and
Deterrence Act.\1\ This Act addressed identity theft in 2 ways:
First, the Act strengthened then-existing criminal law
governing identity theft\2\ to make it a Federal crime to
knowingly transfer or use, without lawful authority, a means of
identification of another person with the intent to commit, or
to aid or abet, any unlawful activity. Second, the Act required
the FTC to develop a centralized complaint and consumer
education service for victims of identity theft. This FTC
clearinghouse was established and currently serves as an
investigative tool for the FTC and Federal law enforcement to
track and thwart identity theft.
---------------------------------------------------------------------------
\1\P.L. 105-318, 112 Stat. 3007 (Oct. 30, 1998)
\2\18 U.S.C. 1028 (``Fraud and related activity in connection with
identification documents'')
---------------------------------------------------------------------------
Despite the existence of several Federal and State laws
designed to reduce identity theft, the crime continues to be
perpetrated against American consumers at an alarming rate. A
2003 FTC survey found that, during a one-year period, identity
thieves victimized nearly 10 million Americans, or roughly 4.6
percent of the domestic adult population. The FTC has further
reported that identity theft--physical and online--accounted
for 36 percent of the more than 674,000 consumer fraud
complaints filed last year with the agency.
The aggregation and distribution of consumers' sensitive
personal information for marketing, lending, and other purposes
has expanded significantly over the past few decades in the
United States, enabled by increased, affordable computing
power. Such practices have increased the opportunities for
identity thieves to access and misappropriate sensitive
personal information.
Starting in 2005, a string of highly publicized data breaches
occurred at a variety of private and public organizations
ranging from financial institutions and commercial retailers,
to public universities, to the Federal government. These data
breaches involved the sensitive personal information of
millions of consumers, including Social Security numbers and
financial information. Many of these security breaches led to
identity theft. The most widely publicized data breaches
involved the unauthorized access of data held by 2 large
information (or data) brokers. These breaches raised a question
as to whether consumers' sensitive personal information is
adequately protected from identity thieves by the entities that
collect, maintain, and transfer sensitive personal information.
While several Federal laws address data security in different
contexts, there is no single Federal law that requires the
protection of sensitive personal information regardless of the
type of entity that is in possession of that information. In
addition, no Federal law requires all entities that possess
sensitive personal information to notify consumers when a
breach involving such consumers' sensitive personal information
has occurred. S. 1178 is intended to fill gaps in current
Federal data security laws and provide a uniform preemptive
Federal standard for the safeguarding of sensitive personal
information for all entities not currently covered by law. The
legislation ensures the adequate security of sensitive personal
information, while permitting the legitimate free flow of
information that is necessary to the U.S. economy.
Congress has legislated data privacy and security in several
contexts. Among other things, Congress has placed certain
limits on the dissemination of credit report, financial, motor
vehicle, and health information. The following is a brief
description of existing data security laws.
The Fair Credit Reporting Act (FCRA)\3\ was enacted, in part,
to ensure that ``consumer reporting agencies exercise their
grave responsibilities with fairness, impartiality, and a
respect for the consumer's right to privacy.''\4\ The FCRA
requires that consumer reporting agencies only disclose
consumer credit reports if such a disclosure is for a
``permissible purpose'' as defined in the statute.\5\
---------------------------------------------------------------------------
\3\15 U.S.C. 1681-1681u, as amended; In 2003, FCRA was enhanced by
the Fair and Accurate Credit Transactions Act (FACT) Act. The FTC has
not completed implementation of the FACT Act.
\4\15 U.S.C. 1681(a)(4)
\5\15 U.S.C. 1681b(a)(3)(A) through (F)
---------------------------------------------------------------------------
In the FCRA, a permissible purpose is generally a legitimate
business need by the individual or entity seeking the credit
report, which includes, among others, verification for
employment, extension of credit or insurance, or property
tenancy background checks. The FCRA also requires credit-
reporting agencies (CRAs) to use reasonable procedures to
ensure that those requesting consumer credit reports are who
they claim to be, and that they are eligible to receive the
report for a permissible purpose.
Title V of the Gramm-Leach-Bliley Act (GLBA)\6\ was enacted
to ensure the privacy and security of personally identifiable
information handled by financial institutions. Title V of the
GLBA requires financial institutions to provide notice to
customers of a possible disclosure of non-public personal
information to non-affiliates and an opportunity to opt out of
such disclosure. This non-public information includes an
individual's address, as well as Social Security number,
telephone number, and mother's maiden name. The prohibition
against disclosure of this information without notice and the
ability to opt out are subject to statutory exceptions provided
in the GLBA. These exceptions allow for disclosure primarily
for reasons of law enforcement, prosecution, or fraud
prevention. The GLBA's privacy rule for re-disclosure binds
recipients of non-public personal financial information. The
GLBA requires financial institutions to adopt and implement
appropriate safeguards for the personal information of their
customers.\7\
---------------------------------------------------------------------------
\6\15 U.S.C. 6801-09
\7\15 U.S.C. 6801(b)
---------------------------------------------------------------------------
The Health Information Portability and Accountability Act
(HIPAA)\8\ was enacted partly to provide strong Federal
protections for the privacy rights of patients. The HIPAA
privacy rule prohibits health care providers from disclosing
personal health information except when required or permitted
under the rule. The HIPAA Privacy Rule permits health care
providers to disclose personal health information for the
purpose of carrying out essential health care functions such as
patient treatment, payment for care, or health care operations
that support treatment and payment. The rule also requires
disclosure of personal health information when requested by the
Department of Health and Human Services (HHS) for an
investigation or to determine compliance with the privacy rule,
or at the request of a patient or health care enrollee. Like
the GLBA, the HIPAA requires health care providers to adopt and
implement appropriate safeguards to protect personal health
information.\9\
---------------------------------------------------------------------------
\8\42 U.S.C. 1320d et seq.
\9\45 C.F.R. 164.530(c)
---------------------------------------------------------------------------
Section 5 of the Federal Trade Commission Act (FTCA)\10\
grants authority to the FTC to prevent unfair or deceptive
trade practices in or affecting interstate commerce. Entities
operating in interstate commerce are subject to section 5 of
the FTCA to the extent that they deceptively make false claims
concerning their information security policies on which
consumers rely to their detriment. Such entities are subject to
section 5 of the FTCA if they falsely claim to have adequate
information security safeguards in place, and/or if they
knowingly cause consumers substantial economic injury that
could have been reasonably avoided.
---------------------------------------------------------------------------
\10\15 U.S.C. 45(a)
---------------------------------------------------------------------------
The Driver's Privacy Protection Act (DPPA)\11\ prohibits the
disclosure of personal information by State departments of
motor vehicles except for uses specifically stated by DPPA. It
contains 14 permissible uses, mostly for purposes of law
enforcement, vehicle insurance claims or policies, or judicial
proceedings.
---------------------------------------------------------------------------
\11\15 U.S.C. 2721-25
---------------------------------------------------------------------------
In April 2004, the California legislature enacted SB 1386,
which represented the first effort by a State legislature to
address data breach notification. The law provides strict
disclosure requirements for commercial entities or government
agencies that experience security breaches when the breaches
may contain the personal information of California residents.
According to many observers, were it not for the breach
notification requirements of the California law, most of the
data security breaches that were highly publicized in 2005
would not have become publicly known. Thirty-four other States
and the District of Columbia have passed data breach
legislation. Two prevalent themes among these initiatives are
consumer notification requirements in the event of a data
breach and consumer redress in the event of such breach.
CREDIT FREEZE
The Fair and Accurate Credit Transaction Act (FACTA) of
2003,\12\ added new sections to the FCRA that were intended to
provide consumers with tools to combat the effects of identity
theft. FACTA allows a consumer who seeks to mitigate or prevent
the occurrence of identity theft to contact CRAs and place a
``fraud alert'' on their credit file. Once placed, any entity
that attempts to extend credit to the consumer is required to
contact the consumer by telephone and take other reasonable
steps to ensure that the credit application is not that of an
identity thief. Failure to contact the consumer in such
instances subjects the entity to civil penalty. The fraud alert
is effective initially for 90 days and can be extended for up
to 7 years for victims of identity theft by providing a police
report or an affidavit proving a theft occurred.
---------------------------------------------------------------------------
\12\P. L. 108-159, 111 Stat. 1952
---------------------------------------------------------------------------
S. 1178 would take an added step to protect consumers by
allowing them to place a ``freeze'' on their credit report for
a fee of no more than $10. A freeze effectively would preclude
(with limited exceptions) unauthorized third parties from
accessing a credit report. Victims of identity theft,
individuals age 65 and older, and individuals on active duty or
in the ready reserve component of an armed force of the United
States, as well as their spouses, would be permitted to place
freezes on their credit report without a fee.
The credit freeze provision of the bill provides consumers
with a proactive tool to combat the threat of identity theft.
Currently, more than 35 States and the District of Columbia
have enacted credit freeze laws.
Summary of Provisions
S. 1178, the Identity Theft Prevention Act, would require
covered entities to comply with the existing requirements of
the FTC rules on Standards for Safeguarding Customer
Information and Disposal of Consumer Report Information and
Records (Safeguards Rule),\13\ which require covered entities
to develop, implement, maintain, and enforce written programs
for the security of sensitive personal information to ensure
security of and protect against any anticipated threats or
unauthorized access to consumers' sensitive personal
information.
---------------------------------------------------------------------------
\12\16 C.F.R. Part 314. The FTC was required to promulgate this
rule in GLBA, 15 U.S.C. Subchapter I, Sec. 6801-6809 (Disclosure of
Nonpublic Personal Information).
---------------------------------------------------------------------------
The bill would apply the Safeguards Rule to entities not
currently subject to the rule and require those entities that
handle sensitive personal information to provide notice to
affected consumers in the event of a security breach. S. 1178
also would allow consumers to place, remove, and temporarily
remove a security freeze on their credit, which would prevent
credit from being extended to third parties without
authorization from the consumer. In addition, S. 1178 would
prohibit (with limited exceptions) the sale or purchase of
consumers' Social Security numbers. This provision would
prohibit employers, educational institutions, and others from
using Social Security numbers for any employee benefit plan,
card, or tag that is provided by employers, educational
institutions, and others, for the purpose of identification.
The use of Social Security numbers as identifiers on State
driver's licenses would be prohibited as well. S. 1178 also
would require Federal agencies to develop, implement, maintain,
and enforce a written program for the security of sensitive
personal information and to notify affected individuals in the
event of a breach of security that creates a reasonable risk of
identity theft. These requirements would be enforced by the
inspector general of the respective Federal agency.
Legislative History
On April 10, 2007, the Committee held an oversight hearing,
chaired by Chairman Inouye, on the FTC during which all 5 FTC
Commissioners testified on various issues including data
security and identity theft. On May 10, 2005, and June 16,
2005, the Committee held hearings to examine the issues
pertaining to data security. At those hearings, representatives
of private companies, industry trade associations, public
interest groups, State Attorneys General, and each of the FTC
Commissioners testified before the Committee.
On April 20, 2007, Chairman Inouye introduced S. 1178, ``The
Identity Theft Prevention Act,'' which was referred to the
Committee. Senators Stevens, Pryor, and Smith were original co-
sponsors of the bill.
On April 25, 2007, the Committee met in open executive
session and by voice vote ordered S. 1178 reported with
amendments. The managers' package of amendments included 8
items: 1) Senator Dorgan's amendment to add separate provisions
dealing with Social Security numbers; 2) Chairman Inouye's
technical amendment; 3) Senator Carper's second degree
amendment to the Inouye technical amendment to apply sensitive
personal information safeguard and notification obligations to
the agencies of the Federal government; 4) Senator Pryor's
second degree amendment to the Inouye technical to clarify the
reference to consumer credit reporting entities in the
notification process; 5) Senators Cantwell and Stevens'
amendment to move up the completion date for the study of the
correlation, if any, between methamphetamine use and identity
theft crimes; 6) Senator Cantwell's amendment to allow State
Attorneys General to recover reasonable costs and attorneys
fees if they prevail; 7) Senators Snowe and Kerry's amendment
to require the Chairman of the FTC to consult representatives
of the small business community in selecting the members of the
Information Security and Consumer Privacy Advisory Committee;
and 8) Senators Snowe and Kerry's amendment to clarify that
companies that use e-mails as the primary form of communication
are allowed to use e-mail to send security breach notices.
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
S. 1178--Identity Theft Protection Act
Summary: S. 1178 would require private companies and
federal agencies to develop and enforce a system to safeguard
the personal information of consumers and to notify consumers
whenever there has been a breach in the security system. Under
the bill, consumers also would have the option to freeze their
credit reports in the event of a threat to their personal
information. The bill also would restrict the use, display, and
sale of Social Security numbers (SSNs). The Federal Trade
Commission (FTC) would enforce those restrictions and
requirements. Assuming appropriation of amounts specifically
authorized in the bill, CBO estimates that implementing S. 1178
would cost $2 million in 2008 and $8 million over the 2008-2012
period.
Enacting S. 1178 could increase federal revenues as a
result of the collection of additional civil and criminal
penalties assessed for violations of data security regulations.
Collections of criminal penalties are recorded on the budget as
revenues, deposited in the Crime Victims
Fund, and later spent. CBO estimates, however, that any
additional revenues that would result from enacting the bill
would not be significant because of the relatively small number
of cases likely to be involved.
S. 1178 contains a number of intergovernmental mandates as
defined in the Unfunded
Mandates Reform Act (UMRA): some would preempt state law
and others would place new requirements on state, local, and
tribal governments (particularly on educational organizations
and schools). The preemptions of state law would not impose
significant direct costs on states. The other requirements of
the bill could result in additional spending for the affected
public entities, but CBO estimates that the costs of those
mandates would not exceed the threshold established in UMRA
($66 million in 2007, adjusted annually for inflation).
S. 1178 would impose private-sector mandates on consumer
credit-reporting agencies and other entities that acquire,
maintain, or utilize sensitive personal information, including
Social Security numbers. Because of uncertainty about the
number of entities that are already in compliance with most of
the mandates in the bill, CBO cannot estimate the incremental
cost of complying with those mandates and cannot determine
whether the aggregate direct cost of all the mandates in the
bill would exceed the annual threshold established by UMRA for
private-sector mandates ($131 million in 2007, adjusted
annually for inflation).
Estimated Cost to the Federal Government: The estimated
budgetary impact of S. 1178 is shown in the following table.
The costs of this legislation fall within budget function 370
(commerce and housing credit).
------------------------------------------------------------------------
By fiscal year, in millions of dollars--
-------------------------------------------------------------------------
2008 2009 2010 2011 2012
------------------------------------------------------------------------
CHANGES IN SPENDING SUBJECT TO APPROPRIATION \1\
Authorization Level............. 2 2 2 2 0
Estimated Outlays............... 2 2 2 2 0
------------------------------------------------------------------------
\1\ Enacting S. 1178 also could affect revenues from the assessment of
civil criminal penalties; and it could affect direct spending from the
expenditure of any criminal penalties assessed. CBO estimates that any
such effects would be less than $500,000 a year.
Basis of Estimate: For this estimate, CBO assumes that the
bill will be enacted in 2007 and that the specified amounts
will be appropriated for each year. CBO estimates that
implementing the bill would cost $2 million in 2008 and $8
million over the 2008-2012 period to issue regulations and
enforce the bill's new provisions restricting the use of
personal information.
Section 12 would require federal agencies to develop,
implement, maintain, and enforce programs for the security of
personal information an agency possesses. In the event of a
security breach involving a reasonable risk of identity theft,
S. 1178 would require government agencies to notify an
individual whose information may have been compromised.
Notification would be in the form of individual notice (written
notice to a home mailing address or via e-mail) as well as
through an Internet Web site and the mass media. The
legislation also would require the agency to provide affected
individuals with a description of the accessed information, a
toll-free number to contact the agency, the names and toll-free
telephone numbers of the major credit reporting agencies, and a
toll-free telephone number and Web site that the individual can
use to obtain information on identity theft.
This provision would codify the current practice of the
federal government regarding data security and security breach
notification. The Federal Information Security Management Act
of 2002 provides requirements for securing the federal
government's information systems, including the protection of
personal privacy. The National Institute of Standards and
Technology develops information security standards and
guidelines for other federal agencies, and the Office of
Management and Budget (OMB) oversees information technology
security policies and practices. OMB estimates that federal
agencies spend around $5.5 billion a year to secure the
government's information systems.
While existing laws generally do not require agencies to
notify affected individuals of data breaches, this has been the
practice of agencies that have experienced security breaches.
Therefore, CBO expects that implementing this provision would
probably not lead to a significant increase in spending.
Nonetheless, the federal government is also one of the largest
providers, collectors, consumers, and disseminators of
personnel information in the United States. Although CBO cannot
anticipate the number of security breaches nor the extent of
any such occurances, a significant breach of security involving
a major collector of personnel information-such as the Internal
Revenue Service or the Social Security Administration-could
involve millions of individuals, and there would be significant
costs to notify individuals of such a security breach.
Estimated impact on state, local, and tribal governments:
S. 1178 contains a number of intergovernmental mandates, but
CBO estimates that the costs of those mandates would not exceed
the threshold established in UMRA ($66 million in 2007,
adjusted annually for inflation).
Safeguarding personal information and notifying individuals of security
breaches
The bill would establish new requirements for safeguarding
personal information and put in place a new federal requirement
for notifying individuals and the Federal Trade Commission in
the event that personal information is compromised. Those new
federal requirements would apply to educational organizations
and schools, including public school systems and universities.
(It would not apply to state, local, or tribal governments
broadly.)
Under current law, educational institutions that receive
federal funds already are required to safeguard certain
personal information and must comply with standards required
under the Family Educational Rights and Privacy Act and
established by the Department of Education.
Depending on the differences between the rules promulgated
by the FTC and those already required by the department,
educational institutions may have to make changes to their
current systems. The bill also would require schools to notify
affected individuals of any breach of security in which
personal information of more than 1,000 individuals may have
been compromised and to maintain a toll-free number for
contacting the school. If schools are required to change
procedures for handling information, implement new controls on
computer systems, provide additional information to the FTC, or
provide notifications, they could face added costs. However,
existing regulations cover, at least in a broad manner, many of
the issues that S. 1178 addresses; additional costs likely
would not exceed the threshold.
Preemptions of state and local laws
S. 1178 would preempt a number of state and local laws that
establish rules for safeguarding personal information and that
restrict the use of SSNs. The bill would preempt state laws
that require schools or other entities that collect personal
information to notify individuals in the event of a security
breach, and it would preempt state laws that do not afford
individuals greater protection regarding the release of private
information by credit-reporting agencies. The bill also would
establish a federal law that would place a number of
restrictions on the display, collection, sale, and transfer of
SSNs and would preempt similar state and local laws. Those
preemptions would be intergovernmental mandates as defined in
UMRA, but they would impose no duty on states that would result
in additional spending.
The bill would place notification requirements on state
attorneys general that prosecute cases involving breaches of
security or violations of the new rules governing Social
Security numbers. Since state laws would be preempted by the
bill, the new federal law would be the primary avenue for
prosecuting cases. Consequently, the notification requirements
would be an intergovernmental mandate, but CBO estimates that
the costs of such notifications would be small.
Social Security Numbers
In some cases, the bill's restrictions on the collection,
sale, or use of SSNs would place requirements on state and
local governments, including schools. The bill would prohibit
states from displaying SSNs on driver's licenses, but this
practice is already prohibited by federal law as part of the
Intelligence Reform and Terrorism Prevention Act of 2004. The
bill also would prohibit state and local governments from
allowing prisoners access to SSNs of other individuals. While
those prohibitions would be intergovernmental mandates, they
would place no new requirement on states that would result in
significant additional spending.
The bill would prohibit schools from displaying SSNs on
identification cards or tags. Federal law currently places some
restrictions on the use of SSNs by colleges, universities, and
other schools that receive federal funding. While the specific
prohibition on the use of SSNs on identification materials
would be new, indications from organizations that represent
public schools and universities are that few schools, if any,
still use SSNs as identifiers. Consequently, CBO estimates any
additional costs as a result of this requirement would be
small.
Estimated impact on the private sector: S. 1178 would
impose private-sector mandates on credit-reporting agencies and
other entities that acquire, maintain, or utilize sensitive
personal information, including SSNs. Because of uncertainty
about the number of entities that are already in compliance
with most of the mandates in the bill, CBO cannot estimate the
incremental cost of complying with those mandates. Therefore,
CBO cannot determine the total direct cost of the mandates
contained in the bill or whether such costs would exceed the
annual threshold established by UMRA for private-sector
mandates ($131 million in 2007, adjusted annually for
inflation).
Security program
Section 2 of S. 1178 would require covered entities to
implement and enforce a written program to secure sensitive
personal information, which includes a person's name, address,
or telephone number in combination with their social security
number. Covered entities include businesses, employers,
educational and nonprofit institutions that acquire, maintain,
and utilize sensitive personal information. According to
industry and government sources, many states already have laws
requiring business entities to utilize data security programs.
Moreover, it is the current practice of many businesses to use
security measures to protect sensitive data. However, because
of uncertainty about the number of entities that are already in
compliance with the data security mandates, CBO cannot estimate
the incremental cost of complying with those mandates.
Additionally, this section would require the FTC to promulgate
regulations that would require procedures for authenticating
the credentials of any third party to which a covered entity
transfers or sells sensitive personal information. CBO cannot
estimate the cost of complying with this mandate because the
cost would depend on the rules to be established by the FTC.
Notification of security breach risk
In the case of a security breach affecting 1,000 or more
persons, section 3 would require covered entities to report the
breach to the Federal Trade Commission and notify all consumer
reporting agencies. If the required investigation of the breach
finds that there is a reasonable risk of identity theft, the
entity also would be required to notify all affected
individuals. According to industry and government sources,
millions of individuals' sensitive personally identifiable
information is illegally accessed every year. However,
according to those sources, a majority of states already have
laws requiring notification in the event of a security breach.
In addition, it is the current practice of many business
entities to notify individuals in the event of a security
breach. Because of uncertainty about the number of entities
that are already in compliance with the notification mandates,
CBO cannot estimate the incremental cost of complying with the
notification requirement under the bill.
Security freeze on credit reports
Section 4 would allow consumers to place a security freeze
on their credit report by making a request to a consumer credit
reporting agency. The credit reporting agency would be
prevented from releasing the credit report to any third parties
without prior authorization from the consumer. The agency also
would be required to notify all other consumer reporting
agencies of the security freeze at the consumer's request.
According to industry sources, most states currently have
credit freeze laws in place. Because of uncertainty about the
number of entities that are already in compliance with the
security freeze mandate, CBO cannot estimate the incremental
cost of complying with the notification requirement under the
bill.
Social Security Number protection
Section 11 would prevent covered entities from soliciting a
social security number from an individual unless no other
identifier can be used reasonably. This section also would
prevent covered entities from displaying SSNs, or any part of
such a number, on any card or tag used for identification, such
as student or employee identification cards. CBO estimates that
the cost imposed on all covered entities would be small, since
relatively few covered entities still use SSNs in this manner.
Estimate prepared by: Federal Costs: Susan Willie and
Matthew Pickford Impact on State, Local, and Tribal
Governments: Leo Lex Impact on the Private Sector: Fatimot
Ladipo.
Estimate approved by: Peter H. Fontaine Deputy Assistant
Director for Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
NUMBER OF PERSONS COVERED
The notice and safeguards provisions would apply to all sole
proprietorships, partnerships, corporations, trusts, estates,
cooperatives, sole proprietors, associations, or other
commercial entities, and any charitable, educational, or
nonprofit organizations that acquire, maintain, or utilize
sensitive personal information. The security freeze protections
in section 4 would be available to every person with a consumer
credit report and would be enforced against every consumer
reporting agency. The Social Security number protections would
protect every person with a Social Security number, and be
enforceable against all non-governmental entities that sell,
transmit, or use Social Security numbers.
ECONOMIC IMPACT
S. 1178 would require covered entities to develop, implement,
maintain, and enforce a written program for the security of
sensitive personal information in their possession. In
addition, covered entities would be required to notify
consumers in the event of a breach of sensitive personal
information that creates a reasonable risk of identity theft.
While some covered entities may already have safeguards and
notification procedures in place, nonetheless, the legislation
may create compliance costs for such entities in the form of
equipment upgrades or personnel addition in order to ensure
that their practices satisfy the new Federal requirements.
PRIVACY
S. 1178 would likely bolster consumer privacy by ensuring
that covered entities that handle sensitive personal
information take appropriate measures to safeguard such
information.
PAPERWORK
The legislation would increase paperwork requirements for
private industry and the Federal government to the extent that
such paperwork is necessary to comply with the information
safeguards, breach notification, and credit freeze
requirements, as well as the Social Security number use
prohibitions of this Act. The bill would require 2 reports
submitted to Congress by the FTC. The first, a report by the
FTC containing the findings of an advisory committee
established by the FTC Chairman pursuant to this Act. And, the
second, a report by the FTC developed in conjunction with the
Department of Justice (DOJ) on the correlation between
methamphetamine use and identity theft crimes.
Section-by-Section Analysis
Section 1. Short title
This section would provide that the legislation be cited as
the ``Identity Theft Prevention Act.''
Section 2. Protection of sensitive personal information
Section 2 would require covered entities to include
administrative, technical, and physical safeguards within the
written program to ensure security, protect against any
anticipated threats, and protect against unauthorized access to
sensitive personal information. The Committee notes that the
implementation and enforcement of the data security policy is
as important as the data security policy itself. Covered
entities that are in full compliance with the current FTC
Safeguards Rule would be deemed in compliance with this
section. The Act also would require that, within 1 year of
enactment, the FTC promulgate regulations that would require
procedures for authenticating the credentials of third parties
to which sensitive personal information is to be transferred or
sold.
The Committee's purposes for allowing covered entities the
option of complying with the existing FTC Safeguards Rule are
twofold: First, to provide covered entities regulatory
consistency without an interim gap that would require such
entities to modify their safeguards procedures more than once
in order to comply; and, second, to take into account the
impact of mandating safeguards rules on small businesses,
particularly sole proprietors. With respect to the latter
purpose, the Committee draws a parallel between the Safeguards
Rule and S. 1178 to the extent that small businesses should be
afforded flexibility to comply with S. 1178 in a manner that is
dependent on their size and complexity, the nature and scope of
their activities, and the sensitivity of the information that
they handle.
Accordingly, in promulgating the regulations required under
section 3(c), the FTC should consider the impact that such
regulations would have on small businesses, as the FTC did when
developing the existing Safeguards Rule.
The Committee encourages the FTC in its promulgation of rules
to fulfill the requirements of section 2 to take into account
the use of technological safeguards and effective alternative
methods to reduce the chances of identity theft.
Section 3. Notification of security breach risk
Section 3 would require a covered entity that, after using
due diligence, determines that a breach of security has created
a reasonable risk of identity theft exists, to notify each
individual affected by the breach of security. In determining
whether a reasonable risk of identity theft exists, a covered
entity shall consider factors about the nature of the breach,
such as if the data is usable or could be made usable by an
unauthorized third party and whether the data is in the
possession and control of an unauthorized third party. If a
covered entity cannot make a determination of whether the
breach of security creates a reasonable risk of identity theft,
it may request guidance from the FTC or relevant enforcement
agency and the relevant agency would be required to respond in
writing within 5 business days after receiving the request.
This section also would require covered entities that suffer
a breach of security that affects 1,000 or more individuals to
report the breach to the FTC or other appropriate market
regulator and notify all CRAs of the breach. The FTC would be
required in such an instance to post a report of the breach of
security on the agency's website without personally identifying
any individual affected by the breach. The report would include
the number of individuals impacted by the breach of security.
In the event that the breach of security affects fewer than
1,000, but more than 50, individuals, and a covered entity
determines that the breach of security does not create a
reasonable risk of identity theft, it shall report the breach
to the FTC or appropriate market regulator under section 5 of
this Act. The report would be required to contain the number of
individuals affected, and the type of information that was
exposed, as a result of the breach of security.
If a covered entity determines that notification to consumers
of the breach of security is warranted, the entity would be
required to contact individuals affected by the breach through
a written or electronic notice. Where there is a direct
relationship between the affected individual and an entity, the
entity shall provide notice of the breach to the individual
even if the entity is not the covered entity subject to the
breach of security. For example, if a retailer hires a third
party to maintain the sensitive personal data of its customers
and the third party is subject to a breach of security, then
the retailer shall notify the affected customers of the breach.
If a covered entity lacks the contact information for
affected individuals, the entity would have the option to
provide a substitute notice through electronic mail, a posting
on the website of the entity, and via appropriate Statewide or
regional media. In the event that this substitute notice is
necessary, the covered entity would be required to include in
such notice the name of the individual whose information was
subject to the security breach, the name of the entity
suffering the breach, a description of the sensitive personal
information that was compromised, the date indicating the
discovery of the breach, and the toll-free numbers necessary to
contact the entity, CRAs, and the FTC.
Section 3 would require a covered entity to give notice to
consumers when required by this Act in the most expeditious
manner practicable, but not later than 25 business days
following the discovery of the breach, unless a Federal or
State law enforcement agency determines that the timely
provision of notice would materially impede a civil or criminal
investigation, or a Federal national security or homeland
security agency determines that notice would threaten national
security or homeland security.
This section would not apply to electronic communications of
a third party stored by a cable operator, information service,
or telecommunications carrier in the network of such operator,
service, or carrier in the course of transferring or
transmitting such communication.
Section 4. Security freeze
Section 4 would allow a consumer to place a security freeze
on his or her credit report by making a request to a CRA in
writing, by telephone, or through a secure electronic
connection made available by the CRA. The security freeze would
prevent a consumer's credit report from being released to a
third party without express authorization from the consumer.
The placing of a freeze on a credit report may not be taken
into account in calculating the credit score of the consumer.
The Committee encourages the CRAs to provide consumers the most
expedient means to place and lift security freezes.
The consumer whose credit report was frozen would be
permitted to remove a security freeze on his or her credit
report only upon request to the CRA. The CRA would be permitted
to remove a security freeze upon the consumer's request, or if
the CRA believes the report was frozen due to a material
misrepresentation of fact. A consumer may have a security
freeze temporarily lifted upon request to the CRA. Such request
shall specify the time period of the temporary lift or
specifying a specific third party to which access to the
consumer's credit report may be granted.
A CRA would have up to 3 business days after receiving a
request by a consumer to place a security freeze, and 3 days
after receiving a request to lift a freeze permanently. A CRA
would be required to temporarily suspend a security freeze
within 1 business day after receiving a request.
This section would allow a consumer who places, removes, or
temporarily suspends a security freeze to request that the CRA
that initiates the action on the security freeze notify all
other CRAs of the request within 1 day. A CRA that is notified
of such a request shall ensure the validity of the request,
including the identity of the requesting consumer within 3
business days after receiving the notification, and comply with
the request no later than 3 days after validating the request.
Under this section, a CRA would be required to send written
confirmation to a consumer within 10 days after placing,
removing, or temporarily suspending a security freeze. A CRA
may not place, remove, or temporarily suspend a security freeze
unless the consumer provides proper identification within the
meaning of section 610(a)(1) of the FCRA. A CRA may not change
the name, date of birth, Social Security number, or address in
a frozen credit report without sending a written confirmation
to the consumer with 30 days after the change is made.
Section 4 would not apply to the use of a credit report by
any of the following: a person or entity with which the
consumer has had a prior business relationship for the purpose
of reviewing an account or collecting the financial obligation
owing from an account or contract; any Federal, State or local
agency, law enforcement agency, trial court, or private
collection agency acting pursuant to a court order, warrant, or
subpoena; a child support agency or its agents acting pursuant
to subtitle D of title IV of the Social Security Act; HHS or
any similar State agency acting to investigate Medicare or
Medicaid fraud; the Internal Revenue Service or a State
municipal taxing authority to investigate or collect delinquent
taxes or unpaid court orders or any of their other statutory
responsibilities; any person administering a credit file
monitoring subscription to which the consumer has subscribed;
any person or entity for the purpose of providing a consumer
with his or her credit report or credit score at the consumer's
request; or any person who seeks access during the time period
that a security freeze is temporarily suspended for the purpose
of facilitating the extension of credit or another permissible
use.
This section would allow a CRA to charge a fee, not in excess
of $10, for placing a security freeze. A CRA could not charge a
consumer for up to 2 requests per year per credit reporting
agency for temporary suspension of a credit freeze. CRAs would
be permitted to charge no more than $5 for each additional
temporary suspension. A CRA could not charge for removing a
security freeze permanently. Notwithstanding the foregoing,
CRAs could not charge a fee for placing, removing, or
temporarily suspending a consumer's credit report if the
consumer: is a victim of identity theft; is age 65 or older; is
on active duty or in the ready reserve component of an armed
force of the United States; or is the spouse of an individual
on active duty or in the ready reserve component.
Section 4 would exempt any CRA that acts only as a reseller
of credit information by assembling and merging information
contained in the data base of another CRA and does not maintain
a permanent data base of credit information from which new
consumer reports are produced. This section, further, would
exempt check services or fraud prevention services companies
and a deposit account information services companies from
having to place a security freeze in a credit report.
Section 5. Information security and consumer privacy advisory committee
Section 5 would require the Chairman of the FTC to establish
a 5 member Information Security and Consumer Privacy Advisory
Committee comprised of at least 1 member from the following
groups: a non-profit consumer advocacy group; a business
organization that collects personally identifiable information;
and state attorney general's office. The advisory committee
would collect, review, disseminate, and advise on guidance to
protect sensitive personal information. The advisory committee
would be required to submit to Congress a report on its
findings within 12 months after its establishment.
Section 6. Related crime study
Section 6 would require the FTC, in conjunction with the DOJ,
to conduct a study within 9 months of enactment of this Act to
examine the correlation, if any, between methamphetamine use
and identity theft crimes, as well as the needs of law
enforcement to address methamphetamine crimes related to
identity theft and the Federal government's role in addressing
and deterring identity theft crimes. The FTC would be required
to submit a report of its findings and recommendations to
Congress not later than 9 months after the date of enactment.
Section 7. Prohibition on technology mandates
This section would make clear that nothing in this Act should
be construed as authorizing the FTC to issue regulations that
require or impose a specific technology, product, or
technological standard.
Section 8. Enforcement
Section 8 would provide new authority for the FTC to take
action against covered entities that fail to develop,
implement, maintain, or enforce a written program for the
security of sensitive personal information as unfair or
deceptive acts or practices proscribed under section
18(a)(1)(B) of the FTCA (15 U.S.C. 57a(a)(1)(B)). This
authority is analogous to the authority that the FTC currently
possesses under Title V of the GLBA with respect to financial
institutions.
This section also would provide that compliance with this Act
with respect to certain entities be enforced by the agency
traditionally regulating the entity under the statute of
jurisdiction.
In addition, any covered entity to which title V of the GLBA
(15 U.S.C. 6801 et seq.) or section 607(a) of the FCRA (15
U.S.C. 1681e(a)) applies would be deemed in compliance with
sections 2 and 3 of this Act to the extent that the person is
in compliance with the provisions of those Acts, which require
the protection of sensitive personal information and
notification in the event of a breach of security.
It is not the intent of this Committee to impose
prohibitively onerous safeguards and notification requirements
on small businesses. Thus, it is the Committee's expectation
that the FTC or appropriate market regulator should consider
the size of the business and its ability to comply as 1 of many
factors when enforcing this Act.
Section 9. Enforcement by State Attorneys General
Section 9 would allow a State to bring an action under this
Act in State or Federal court on behalf of its residents. The
State would be required to notify the FTC or the appropriate
Federal market regulator of the action at least 60 days prior
to bringing the action. In the event that such notice is not
feasible, the State would be required to provide notice
immediately upon instituting the action. The FTC or appropriate
Federal market regulator would be authorized to intervene in
such civil action. If the FTC or appropriate Federal market
regulator institutes an action for a violation of this Act, no
State attorney general, or official or agency of the State,
would be permitted to bring an action during the pendency of
that action against any defendant named in the complaint. If a
State prevails in a civil action under the Act, it could
recover reasonable costs and attorney fees from the defendant.
Nothing in this section would prevent the attorney general of
a State from exercising the powers conferred on the Attorney
General by the laws of such State with respect to the
conducting of investigations, compelling of witnesses, and
production of evidence.
Section 10. Preemption of State law
Section 10 of this Act would preempt any State or local law
that requires a covered entity to develop implement, maintain
or enforce information security programs to which this Act
applies and any State or local law that requires a covered
entity to notify individuals of breaches of security related to
their sensitive personal information. This section, further,
would preempt State and local laws with respect to CRAs'
compliance with a consumer's request to place, remove, or
temporarily suspend the prohibition on the release of
information from a consumer's credit report only to the extent
that they conflict with the provisions of this Act. State laws
that afford greater protections with respect to CRAs'
compliance with a consumer's request to place, remove, or
temporarily suspend the prohibition on the release of
information from a consumer's credit report are not
inconsistent with the Act. Section 10 would preempt any State
or local law prohibiting or limiting collection, solicitation,
sale, provision, or display of Social Security numbers of the
type described in section 11.
Section 11. Social Security number protection
Section 11(a) would prohibit the solicitation of a Social
Security number from an individual unless there is a specific
use of the number for which no other identifying number
reasonably can be used. Section 11(a) would provide certain
exceptions for the solicitation of a Social Security number,
including: for use in an identification, verification,
accuracy, or identity proofing process; for any purpose
permitted under section 502(e) of the GLBA (15 U.S.C. 6802(e))
or the FCRA (15 U.S.C. 1681 et seq.); to comply with a
requirement of Federal, State, or local law; for the purpose of
verifying or obtaining proof of identity by a CRA; to the
extent necessary for verifying the accuracy of information
submitted to a company, organization, or others; to identify or
locate missing or abducted children, witnesses, criminals and
fugitives, parties to lawsuits, parents delinquent in child
support payments, organ and bone marrow donors, pension fund
beneficiaries, and missing heirs; or to the extent necessary to
prevent, detect, or investigate fraud, unauthorized
transactions, or to facilitate the enforcement of an obligation
of, or collection of, a debt from a consumer.
Section 11(b) would prohibit employers, educational
institutions, and others from using Social Security numbers for
any employee card, or tag that is provided by employers,
educational institutions, and others for the purpose of
identification. This subsection also would prohibit the use of
Social Security numbers as driver identifiers on State driver's
licenses.
Section 11(c) would amend the Social Security Act (42 U.S.C.
405(c)(2)(C)) to prohibit any Federal, State, or judicial
agency from employing or entering into a contract to utilize
inmates who would have access to the Social Security numbers of
other individuals. This prohibition would go into effect 90
days after the date of enactment.
Section 11(d) would prohibit any person from selling,
purchasing, or providing a Social Security number to the
general public or to display Social Security numbers to the
general public. The subsection would provide exceptions to this
prohibition: to the extent necessary for law enforcement or
national security purposes; to the extent necessary for public
health purposes and emergency situations to protect the health
or safety of an individual; to the extent that the sale or
display is required or permitted under Federal or State law;
for any purpose permitted under section 502(e) of the GLBA (15
U.S.C. 6802(e)) or the FCRA (15 U.S.C. 1681 et seq.); to the
extent necessary for verifying the accuracy of information
submitted to a company, organization, or others; to the extent
necessary to identify or locate missing or abducted children,
witnesses to a lawsuit, criminals, parents delinquent in child
support payments, organ donors, missing heirs, and for similar
legal, medical, or family related purposes, provided that
person providing or obtaining the information does not do so
for marketing purposes; to the extent necessary to prevent,
detect, or investigate fraud, unauthorized transactions, or to
facilitate the enforcement of an obligation of, or collection
of a debt from a consumer, provided that person providing or
obtaining the information does not do so for marketing
purposes; to the extent incidental to a merger or acquisition
of a business; to the extent necessary for certain research
conducted by the Federal, State, or local government; or to the
extent incidental to the sale of a Federal, State, or local
government document made available to the general public, which
includes the Social Security number. Section 11(d) further
would allow the sale or purchase of an individual's Social
Security number if written consent is obtained.
Section 12. Protection of information at Federal agencies
Section 12 would require each Federal agency to develop,
implement, maintain, and enforce a written program for the
security of sensitive personal information. Federal agencies
would be required to investigate any suspected breach of
security affecting sensitive personal information and to notify
individuals if the breach creates a reasonable risk of identity
theft. The inspector general of each Federal agency would
enforce compliance with the requirements of this section.
Section 13. Definitions
Section 13 would provide for a number of notable definitions,
as follows:
Breach of Security: The unauthorized access to, and
acquisition of, data in any form or format containing sensitive
personal information that compromises the security or
confidentiality of such information.
Consumer Credit Reporting Agency: Any person engaging in the
practice of assembling or evaluating consumer credit
information or other information on consumers for the purpose
of furnishing credit reports to third parties.
Covered Entity: A sole proprietorship, partnership,
corporation, trust, estate, cooperative, sole propriety,
association, or other commercial entity, and any charitable,
educational, or nonprofit organization, that acquires,
maintains, or utilizes sensitive personal information.
Credit Report: A consumer report as defined in section 603(d)
of the FCRA (15 U.S.C. 1681a(p)), as well as any associated
credit score, that is used for the purpose of serving as a
factor in establishing a consumer's eligibility for credit for
personal, family, or household purposes.
Identity Theft: The unauthorized acquisition, purchase, sale,
or use by any person of an individual's sensitive personal
information that violates section 1028 of title 18, United
States Code, or any provision of State law; or that results in
harm to the individual whose sensitive personal information was
used.
Reasonable Risk of Identity Theft: The preponderance of the
evidence available to the covered entity that has experienced a
breach of security establishes that identity theft for 1 or
more individuals from the breach of security is foreseeable.
Sensitive Personal Information: An individual's name,
address, or phone number combined with 1 or more data elements
as listed in this definition. The term ``sensitive personal
information'' also includes an account identifier combined with
a password or other security code, which permits access to an
account from which an individual can conduct certain financial
transactions or gain access to information that could be used
to identity theft. Sensitive personal information would not
include information that has been made available to the general
public by the Federal, State, or local government or that has
been widely distributed in the media. In an enforcement action
brought under this Act, the covered entity shall have the
burden of proving that it had obtained the information at issue
from a source permitted under this definition. The FTC would be
authorized through a rulemaking to designate or delete data
elements or identifying information that may be used to
effectuate identity theft as sensitive personal information.
Section 14. Authorization of appropriations
Section 14 would authorize $2,000,000 to be appropriated to
the FTC to carry out this Act for fiscal years 2007 through
2011.
Section 15. Effective dates
This section would require covered entities under section
2(a) to implement the information safeguards program within 6
months after the date of enactment of this Act.
Under this Act, the FTC would be required to initiate
rulemakings under sections 2(c), 3, and 4, including a
rulemaking proceeding to determine what constitutes proper
identification under 610(a)(1) of the FCRA (15 U.S.C.
1681(h)(a)(1)) within 45 days after enactment and promulgate
final rules within 1 year after the date of enactment. The
provisions of sections 2(c), 3, and 4 would take effect 6
months after each of the final rules are promulgated. Section
10 would take effect at the same time as sections 2(c), 3, and
4. All other provisions of this Act would take effect upon its
enactment.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the Standing
Rules of the Senate, changes in existing law made by the bill,
as reported, are shown as follows (existing law proposed to be
omitted is enclosed in black brackets, new material is printed
in italic, existing law in which no change is proposed is shown
in roman):
SOCIAL SECURITY ACT
SEC. 205. EVIDENCE AND PROCEDURE FOR ESTABLISHMENT OF BENEFITS.
[42 U.S.C. 405]
(a) Rules and regulations; procedures.--The Commissioner of
Social Security shall have full power and authority to make
rules and regulations and to establish procedures, not
inconsistent with the provisions of this title, which are
necessary or appropriate to carry out such provisions, and
shall adopt reasonable and proper rules and regulations to
regulate and provide for the nature and extent of the proofs
and evidence and the method of taking and furnishing the same
in order to establish the right to benefits hereunder.
(b) Administrative determination of entitlement to benefits;
findings of fact; hearings; investigations; evidentiary
hearings in reconsiderations of disability benefit
terminations.--
(1) The Commissioner of Social Security is directed
to make findings of fact, and decisions as to the
rights of any individual applying for a payment under
this title. Any such decision by the Commissioner of
Social Security which involves a determination of
disability and which is in whole or in part unfavorable
to such individual shall contain a statement of the
case, in understandable language, setting forth a
discussion of the evidence, and stating the
Commissioner's determination and the reason or reasons
upon which it is based. Upon request by any such
individual or upon request by a wife, divorced wife,
surviving divorced mother, surviving divorced father
husband, divorced husband, widower, surviving divorced
husband, child, or parent who makes a showing in
writing that his or her rights may be prejudiced by any
decision the Commissioner of Social Security has
rendered, the Commissioner shall give such applicant
and such other individual reasonable notice and
opportunity for a hearing with respect to such
decision, and, if a hearing is held, shall, on the
basis of evidence adduced at the hearing, affirm,
modify, or reverse the Commissioner's findings of fact
and such decision. Any such request with respect to
such a decision must be filed within sixty days after
notice of such decision is received by the individual
making such request. The Commissioner of Social
Security is further authorized, on the Commissioner's
own motion, to hold such hearings and to conduct such
investigations and other proceedings as the
Commissioner may deem necessary or proper for the
administration of this title. In the course of any
hearing, investigation or other proceeding, the
Commissioner may administer oaths and affirmations,
examine witnesses and receive evidence. Evidence may be
received at any hearing before the Commissioner of
Social Security even though inadmissible under rules of
evidence applicable to court procedure.
(2) In any case where--
(A) an individual is a recipient of
disability insurance benefits, or of child's,
widow's, or widower's insurance benefits based
on disability,
(B) the physical or mental impairment on the
basis of which such benefits are payable is
found to have ceased, not to have existed, or
to no longer be disabling, and
(C) as a consequence of the finding described
in subparagraph (B), such individual is
determined by the Commissioner of Social
Security not to be entitled to such benefits,
any reconsideration of the finding described in
subparagraph (B), in connection with a
reconsideration by the Commissioner of Social
Security (before any hearing under paragraph
(1) on the issue of such entitlement) of the
Commissioner's determination described in
subparagraph (C), shall be made only after
opportunity for an evidentiary hearing, with
regard to the finding described in subparagraph
(B), which is reasonably accessible to such
individual. Any reconsideration of a finding
described in subparagraph (B) may be made
either by the State agency or the Commissioner
of Social Security where the finding was
originally made by the State agency, and shall
be made by the Commissioner of Social Security
where the finding was originally made by the
Commissioner of Social Security. In the case of
a reconsideration by a State agency of a
finding described in subparagraph (B) which was
originally made by such State agency, the
evidentiary hearing shall be held by an
adjudicatory unit of the State agency other
than the unit that made the finding described
in subparagraph (B). In the case of a
reconsideration by the Commissioner of Social
Security of a finding described in subparagraph
(B) which was originally made by the
Commissioner of Social Security, the
evidentiary hearing shall be held by a person
other than the person or persons who made the
finding described in subparagraph (B).
(3)(A) A failure to timely request review of an
initial adverse determination with respect to an
application for any benefit under this title or an
adverse determination on reconsideration of such an
initial determination shall not serve as a basis for
denial of a subsequent application for any benefit
under this title if the applicant demonstrates that the
applicant, or any other individual referred to in
paragraph (1), failed to so request such a review
acting in good faith reliance upon incorrect,
incomplete, or misleading information, relating to the
consequences of reapplying for benefits in lieu of
seeking review of an adverse determination, provided by
any officer or employee of the Social Security
Administration or any State agency acting under section
221.
(B) In any notice of an adverse determination with
respect to which a review may be requested under
paragraph (1), the Commissioner of Social Security
shall describe in clear and specific language the
effect on possible entitlement to benefits under this
title of choosing to reapply in lieu of requesting
review of the determination.
(c) Records of wages and self-employment income.--
(1) For the purposes of this subsection--
(A) The term ``year'' means a calendar year
when used with respect to wages and a taxable
year when used with respect to self-employment
income.
(B) The term ``time limitation'' means a
period of 3 years, 3 months, and 15 days.
(C) The term ``survivor'' means an
individual's spouse, surviving divorced wife,
surviving divorced husband, surviving divorced
mother, surviving divorced father, child, or
parent, who survives such individual.
(D) The term ``period'' when used with
respect to self-employment income means a
taxable year and when used with respect to
wages means--
(i) a quarter if wages were reported
or should have been reported on a
quarterly basis on tax returns filed
with the Secretary of the Treasury or
his delegate under section 6011 of the
Internal Revenue Code of 1986 or
regulations thereunder (or on reports
filed by a State under section 218(e)
(as in effect prior to December 31,
1986) or regulations thereunder),
(ii) a year if wages were reported or
should have been reported on a yearly
basis on such tax returns or reports,
or
(iii) the half year beginning January
1 or July 1 in the case of wages which
were reported or should have been
reported for calendar year 1937.
(2)(A) On the basis of information obtained by or
submitted to the Commissioner of Social Security, and
after such verification thereof as the Commissioner
deems necessary, the Commissioner of Social Security
shall establish and maintain records of the amounts of
wages paid to, and the amounts of self-employment
income derived by, each individual and of the periods
in which such wages were paid and such income was
derived and, upon request, shall inform any individual
or his survivor, or the legal representative of such
individual or his estate, of the amounts of wages and
self-employment income of such individual and the
periods during which such wages were paid and such
income was derived, as shown by such records at the
time of such request.
(B)(i) In carrying out the Commissioner's duties
under subparagraph (A) and subparagraph (F), the
Commissioner of Social Security shall take affirmative
measures to assure that social security account numbers
will, to the maximum extent practicable, be assigned to
all members of appropriate groups of categories of
individuals by assigning such numbers (or ascertaining
that such numbers have already been assigned):
(I) to aliens at the time of their lawful
admission to the United States either for
permanent residence or under other authority of
law permitting them to engage in employment in
the United States and to other aliens at such
time as their status is so changed as to make
it lawful for them to engage in such
employment;
(II) to any individual who is an applicant
for or recipient of benefits under any program
financed in whole or in part from Federal funds
including any child on whose behalf such
benefits are claimed by another person; and
(III) to any other individual when it appears
that he could have been but was not assigned an
account number under the provisions of
subclauses (I) or (II) but only after such
investigation as is necessary to establish to
the satisfaction of the Commissioner of Social
Security, the identity of such individual, the
fact that an account number has not already
been assigned to such individual, and the fact
that such individual is a citizen or a
noncitizen who is not, because of his alien
status, prohibited from engaging in employment;
and, in carrying out such duties, the
Commissioner of Social Security is authorized
to take affirmative measures to assure the
issuance of social security numbers:
(IV) to or on behalf of children who are
below school age at the request of their
parents or guardians; and
(V) to children of school age at the time of
their first enrollment in school.
(ii) The Commissioner of Social Security shall
require of applicants for social security account
numbers such evidence as may be necessary to establish
the age, citizenship, or alien status, and true
identity of such applicants, and to determine which (if
any) social security account number has previously been
assigned to such individual. With respect to an
application for a social security account number for an
individual who has not attained the age of 18 before
such application, such evidence shall include the
information described in subparagraph (C)(ii).
(iii) In carrying out the requirements of this
subparagraph, the Commissioner of Social Security shall
enter into such agreements as may be necessary with the
Attorney General and other officials and with State and
local welfare agencies and school authorities
(including nonpublic school authorities).
(C)(i) It is the policy of the United States that any State
(or political subdivision thereof) may, in the administration
of any tax, general public assistance, driver's license, or
motor vehicle registration law within its jurisdiction, utilize
the social security account numbers issued by the Commissioner
of Social Security for the purpose of establishing the
identification of individuals affected by such law, and may
require any individual who is or appears to be so affected to
furnish to such State (or political subdivision thereof) or any
agency thereof having administrative responsibility for the law
involved, the social security account number (or numbers, if he
has more than 1 such number) issued to him by the Commissioner
of Social Security.
(ii) In the administration of any law involving the issuance
of a birth certificate, each State shall require each parent to
furnish to such State (or political subdivision thereof) or any
agency thereof having administrative responsibility for the law
involved, the social security account number (or numbers, if
the parent has more than 1 such number) issued to the parent
unless the State (in accordance with regulations prescribed by
the Commissioner of Social Security) finds good cause for not
requiring the furnishing of such number. The State shall make
numbers furnished under this subclause available to the
Commissioner of Social Security and the agency administering
the State's plan under part D of title IV in accordance with
Federal or State law and regulation. Such numbers shall not be
recorded on the birth certificate. A State shall not use any
social security account number, obtained with respect to the
issuance by the State of a birth certificate, for any purpose
other than for the enforcement of child support orders in
effect in the State, unless section 7(a) of the Privacy Act of
1974 does not prohibit the State from requiring the disclosure
of such number, by reason of the State having adopted, before
January 1, 1975, a statute or regulation requiring such
disclosure.
(iii)(I) In the administration of section 9 of the Food Stamp
Act of 1977 (7 U.S.C 2018) involving the determination of the
qualifications of applicants under such Act, the Secretary of
Agriculture may require each applicant retail store or
wholesale food concern to furnish to the Secretary of
Agriculture the social security account number of each
individual who is an officer of the store or concern and, in
the case of a privately owned applicant, furnish the social
security account numbers of the owners of such applicant. No
officer or employee of the Department of Agriculture shall have
access to any such number for any purpose other than the
establishment and maintenance of a list of the names and social
security account numbers of such individuals for use in
determining those applicants who have been previously
sanctioned or convicted under section 12 or 15 of such Act (7
U.S.C. 2021 or 2024).
(II) The Secretary of Agriculture may share any information
contained in any list referred to in subclause (I) with any
other agency or instrumentality of the United States which
otherwise has access to social security account numbers in
accordance with this subsection or other applicable Federal
law, except that the Secretary of Agriculture may share such
information only to the extent that such Secretary determines
such sharing would assist in verifying and matching such
information against information maintained by such other agency
or instrumentality. Any such information shared pursuant to
this subclause may be used by such other agency or
instrumentality only for the purpose of effective
administration and enforcement of the Food Stamp Act of 1977 or
for the purpose of investigation of violations of other Federal
laws or enforcement of such laws.
(III) The Secretary of Agriculture, and the head of any other
agency or instrumentality referred to in this subclause, shall
restrict, to the satisfaction of the Commissioner of Social
Security, access to social security account numbers obtained
pursuant to this clause only to officers and employees of the
United States whose duties or responsibilities require access
for the purposes described in subclause (II).
(IV) The Secretary of Agriculture, and the head of any agency
or instrumentality with which information is shared pursuant to
clause (II), shall provide such other safeguards as the
Commissioner of Social Security determines to be necessary or
appropriate to protect the confidentiality of the social
security account numbers.
(iv) In the administration of section 506 of the Federal Crop
Insurance Act, the Federal Crop Insurance Corporation may
require each policyholder and each reinsured company to furnish
to the insurer or to the Corporation the social security
account number of such policyholder, subject to the
requirements of this clause. No officer or employee of the
Federal Crop Insurance Corporation shall have access to any
such number for any purpose other than the establishment of a
system of records necessary for the effective administration of
such Act. The Manager of the Corporation may require each
policyholder to provide to the Manager, at such times and in
such manner as prescribed by the Manager, the social security
account number of each individual that holds or acquires a
substantial beneficial interest in the policyholder. For
purposes of this clause, the term ``substantial beneficial
interest'' means not less than 5 percent of all beneficial
interest in the policyholder. The Secretary of Agriculture
shall restrict, to the satisfaction of the Commissioner of
Social Security, access to social security account numbers
obtained pursuant to this clause only to officers and employees
of the United States or authorized persons whose duties or
responsibilities require access for the administration of the
Federal Crop Insurance Act. The Secretary of Agriculture shall
provide such other safeguards as the Commissioner of Social
Security determines to be necessary or appropriate to protect
the confidentiality of such social security account numbers.
For purposes of this clause the term ``authorized person''
means an officer or employee of an insurer whom the Manager of
the Corporation designates by rule, subject to appropriate
safeguards including a prohibition against the release of such
social security account number (other than to the Corporation)
by such person.
(v) If and to the extent that any provision of Federal law
heretofore enacted is inconsistent with the policy set forth in
clause (i), such provision shall, on and after the date of the
enactment of this subparagraph, be null, void, and of no
effect. If and to the extent that any such provision is
inconsistent with the requirement set forth in clause (ii),
such provision shall, on and after the date of the enactment of
such subclause, be null, void, and of no effect.
(vi)(I) For purposes of clause (i) of this subparagraph, an
agency of a State (or political subdivision thereof) charged
with the administration of any general public assistance,
driver's license, or motor vehicle registration law which did
not use the social security account number for identification
under a law or regulation adopted before January 1, 1975, may
require an individual to disclose his or her social security
number to such agency solely for the purpose of administering
the laws referred to in clause (i) above and for the purpose of
responding to requests for information from an agency
administering a program funded under part A of title IV or an
agency operating pursuant to the provisions of part D of such
title.
(II) Any State or political subdivision thereof (and any
person acting as an agent of such an agency or
instrumentality), in the administration of any driver's license
or motor vehicle registration law within its jurisdiction, may
not display a social security account number issued by the
Commissioner of Social Security (or any derivative of such
number) on any driver's license, motor vehicle registration, or
personal identification card (as defined in section 7212(a)(2)
of the 9/11 Commission Implementation Act of 2004), or include,
on any such license, registration, or personal identification
card, a magnetic strip, bar code, or other means of
communication which conveys such number (or derivative
thereof).
(vii) For purposes of this subparagraph, the term ``State''
includes the District of Columbia, the Commonwealth of Puerto
Rico, the Virgin Islands, Guam, the Commonwealth of the
Northern Marianas, and the Trust Territory of the Pacific
Islands.
(viii)(I) Social security account numbers and related records
that are obtained or maintained by authorized persons pursuant
to any provision of law, enacted on or after October 1, 1990,
shall be confidential, and no authorized person shall disclose
any such social security account number or related record.
(II) Paragraphs (1), (2), and (3) of section 7213(a) of the
Internal Revenue Code of 1986 shall apply with respect to the
unauthorized willful disclosure to any person of social
security account numbers and related records obtained or
maintained by an authorized person pursuant to a provision of
law enacted on or after October 1, 1990, in the same manner and
to the same extent as such paragraphs as such paragraphs apply
with respect to unauthorized disclosures of returns and return
information described in such paragraphs. Paragraph (4) of such
7213(a) of such Code shall apply with respect to the willful
offer of any item of material value in exchange for any such
social security account number or related record in the same
manner and to the same extent as such paragraph applies with
respect to offers (in exchange for any return or return
information) described in such paragraph.
(III) For purposes of this clause, the term ``authorized
person'' means an officer or employee of the United States, an
officer or employee of any State, political subdivision of a
State, or agency of a State or political subdivision of a
State, and any other person (or officer or employee thereof),
who has or had access to social security account numbers or
related records pursuant to any provision of law enacted on or
after October 1, 1990. For purposes of this subclause, the term
``officer or employee'' includes a former officer or employee.
(IV) For purposes of this clause, the term ``related record''
means any record, list, or compilation that indicates, directly
or indirectly, the identity of any individual with respect to
whom a social security account number or a request for a social
security account number is maintained pursuant to this clause.
(ix) In the administration of the provisions of chapter 81 of
title 5, United States Code, and the Longshore and Harbor
Workers' Compensation Act (33 U.S.C. 901 et seq.), the
Secretary of Labor may require by regulation that any person
filing a notice of injury or a claim for benefits under such
provisions provide as part of such notice or claim such
person's social security account number, subject to the
requirements of this clause. No officer or employee of the
Department of Labor shall have access to any such number for
any purpose other than the establishment of a system of records
necessary for the effective administration of such provisions.
The Secretary of Labor shall restrict, to the satisfaction of
the Commissioner of Social Security, access to social security
account numbers obtained pursuant to this clause to officers
and employees of the United States whose duties or
responsibilities require access for the administration or
enforcement of such provisions. The Secretary of Labor shall
provide such other safeguards as the Commissioner of Social
Security determines to be necessary or appropriate to protect
the confidentiality of the social security account numbers.
(x) No executive, legislative, or judicial agency or
instrumentality of the Federal Government or of a State or
political subdivision thereof (or person acting as an agent of
such an agency or instrumentality) may employ, or enter into a
contract for the use or employment of, prisoners in any
capacity that would allow such prisoners access to the social
security account numbers of other individuals. For purposes of
this clause, the term `prisoner' means an individual who is
confined in a jail, prison, or other penal institution or
correctional facility, serving community service as a term of
probation or parole, or serving a sentence through a work-
furlough program.
(D)(i) It is the policy of the United States that--
(I) any State (or any political subdivision of a
State) and any authorized blood donation facility may
utilize the social security account numbers issued by
the Commissioner of Social Security for the purpose of
identifying blood donors, and
(II) any State (or political subdivision of a State)
may require any individual who donates blood within
such State (or political subdivision) to furnish to
such State (or political subdivision), to any agency
thereof having related administrative responsibility,
or to any authorized blood donation facility the social
security account number (or numbers, if the donor has
more than 1 such number) issued to the donor by the
Commissioner of Social Security.
(ii) If and to the extent that any provision of Federal law
enacted before the date of the enactment of this subparagraph
is inconsistent with the policy set forth in clause (i), such
provision shall, on and after such date, be null, void, and of
no effect.
(iii) For purposes of this subparagraph--
(I) the term ``authorized blood donation facility''
means an entity described in section 1141(h)(1)(B), and
(II) the term ``State'' includes the District of
Columbia, the Commonwealth of Puerto Rico, the Virgin
Islands, Guam, the Commonwealth of the Northern
Marianas, and the Trust Territory of the Pacific
Islands.
(E)(i) It is the policy of the United States that--
(I) any State (or any political subdivision of a
State) may utilize the social security account numbers
issued by the Commissioner of Social Security for the
additional purposes described in clause (ii) if such
numbers have been collected and are otherwise utilized
by such State (or political subdivision) in accordance
with applicable law, and
(II) any district court of the United States may use,
for such additional purposes, any such social security
account numbers which have been so collected and are so
utilized by any State.
(ii) The additional purposes described in this clause are the
following:
(I) Identifying duplicate names of individuals on
master lists used for jury selection purposes.
(II) Identifying on such master lists those
individuals who are ineligible to serve on a jury by
reason of their conviction of a felony.
(iii) To the extent that any provision of Federal law enacted
before the date of the enactment of this subparagraph is
inconsistent with the policy set forth in clause (i), such
provision shall, on and after that date, be null, void, and of
no effect.
(iv) For purposes of this subparagraph, the term ``State''
has the meaning such term has in subparagraph (D).
(F) The Commissioner of Social Security shall require, as a
condition for receipt of benefits under this title, that an
individual furnish satisfactory proof of a social security
account number assigned to such individual by the Commissioner
of Social Security or, in the case of an individual to whom no
such number has been assigned, that such individual make proper
application for assignment of such a number.
(G) The Commissioner of Social Security shall issue a social
security card to each individual at the time of the issuance of
a social security account number to such individual. The social
security card shall be made of banknote paper, and (to the
maximum extent practicable) shall be a card which cannot be
counterfeited.
(H) The Commissioner of Social Security shall share with the
Secretary of the Treasury the information obtained by the
Commissioner pursuant to the second sentence of subparagraph
(B)(ii) and to subparagraph (C)(ii) for the purpose of
administering those sections of the Internal Revenue Code of
1986 which grant tax benefits based on support or residence of
children.
(3) The Commissioner's records shall be evidence for
the purpose of proceedings before the Commissioner of
Social Security or any court of the amounts of wages
paid to, and self-employment income derived by, an
individual and of the periods in which such wages were
paid and such income was derived. The absence of an
entry in such records as to wages alleged to have been
paid to, or as to self-employment income alleged to
have been derived by, an individual in any period shall
be evidence that no such alleged wages were paid to, or
that no such alleged income was derived by, such
individual during such period.
(4) Prior to the expiration of the time limitation
following any year the Commissioner of Social Security
may, if it is brought to the Commissioner's attention
that any entry of wages or self-employment income in
the Commissioner's records for such year is erroneous
or that any item of wages or self-employment income for
such year has been omitted from such records, correct
such entry or include such omitted item in the
Commissioner's records, as the case may be. After the
expiration of the time limitation following any year--
(A) the Commissioner's records (with changes,
if any, made pursuant to paragraph (5)) of the
amounts of wages paid to, and self-employment
income derived by, an individual during any
period in such year shall be conclusive for the
purposes of this title;
(B) the absence of an entry in the
Commissioner's records as to the wages alleged
to have been paid by an employer to an
individual during any period in such year shall
be presumptive evidence for the purposes of
this title that no such alleged wages were paid
to such individuals in such period; and
(C) the absence of an entry in the
Commissioner's records as to the self-
employment income alleged to have been derived
by an individual in such year shall be
conclusive for the purposes of this title that
no such alleged self-employment income was
derived by such individual in such year unless
it is shown that he filed a tax return of his
self-employment income for such year before the
expiration of the time limitation following
such year, in which case the Commissioner of
Social Security shall include in the
Commissioner's records the self-employment
income of such individual for such year.
(5) After the expiration of the time limitation
following any year in which wages were paid or alleged
to have been paid to, or self-employment income was
derived or alleged to have been derived by, an
individual, the Commissioner of Social Security may
change or delete any entry with respect to wages or
self-employment income in the Commissioner's records of
such year for such individual or include in the
Commissioner's records of such year for such individual
any omitted item of wages or self-employment income but
only--
(A) if an application for monthly benefits or
for a lump-sum death payment was filed within
the time limitation following such year; except
that no such change, deletion, or inclusion may
be made pursuant to this subparagraph after a
final decision upon the application for monthly
benefits or lump-sum death payment;
(B) if within the time limitation following
such year an individual or his survivor makes a
request for a change or deletion, or for an
inclusion of an omitted item, and alleges in
writing that the Commissioner's records of the
wages paid to, or the self-employment income
derived by, such individual in such year are in
1 or more respects erroneous; except that no
such change, deletion, or inclusion may be made
pursuant to this subparagraph after a final
decision upon such request. Written notice of
the Commissioner's decision on any such request
shall be given to the individual who made the
request;
(C) to correct errors apparent on the face of
such records;
(D) to transfer items to records of the
Railroad Retirement Board if such items were
credited under this title when they should have
been credited under the Railroad Retirement Act
of 1937 or 1974, or to enter items transferred
by the Railroad Retirement Board which have
been credited under the Railroad Retirement Act
of 1937 or 1974 when they should have been
credited under this title;
(E) to delete or reduce the amount of any
entry which is erroneous as a result of fraud;
(F) to conform his records to--
(i) tax returns or portions thereof
(including information returns and
other written statements) filed with
the Commissioner of Internal Revenue
under title VIII of the Social Security
Act, under subchapter E of chapter 1 or
subchapter A of chapter 9 of the
Internal Revenue Code of 1939, under
chapter 2 or 21 of the Internal Revenue
Code of 1954 or the Internal Revenue
Code of 1986, or under regulations made
under authority of such title,
subchapter, or chapter;
(ii) wage reports filed by a State
pursuant to an agreement under section
218 or regulations of the Commissioner
of Social Security thereunder; or
(iii) assessments of amounts due
under an agreement pursuant to section
218 (as in effect prior to December 31,
1986), if such assessments are made
within the period specified in
subsection (q) of such section (as so
in effect), or allowances of credits or
refunds of overpayments by a State
under an agreement pursuant to such
section; except that no amount of self-
employment income of an individual for
any taxable year (if such return or
statement was filed after the
expiration of the time limitation
following the taxable year) shall be
included in the Commissioner's records
pursuant to this subparagraph;
(G) to correct errors made in the allocation,
to individuals or periods, of wages or self-
employment income entered in the records of the
Commissioner of Social Security;
(H) to include wages paid during any period
in such year to an individual by an employer;
(I) to enter items which constitute
remuneration for employment under subsection
(o), such entries to be in accordance with
certified reports of records made by the
Railroad Retirement Board pursuant to section
5(k)(3) of the Railroad Retirement Act of 1937
or section 7(b)(7) of the Railroad Retirement
Act of 1974; or
(J) to include self-employment income for any
taxable year, up to, but not in excess of, the
amount of wages deleted by the Commissioner of
Social Security as payments erroneously
included in such records as wages paid to such
individual, if such income (or net earnings
from self-employment), not already included in
such records as self-employment income, is
included in a return or statement (referred to
in subparagraph (F)) filed before the
expiration of the time limitation following the
taxable year in which such deletion of wages is
made.
(6) Written notice of any deletion or reduction under
paragraph (4) or (5) shall be given to the individual
whose record is involved or to his survivor, except
that (A) in the case of a deletion or reduction with
respect to any entry of wages such notice shall be
given to such individual only if he has previously been
notified by the Commissioner of Social Security of the
amount of his wages for the period involved, and (B)
such notice shall be given to such survivor only if he
or the individual whose record is involved has
previously been notified by the Commissioner of Social
Security of the amount of such individual's wages and
self-employment income for the period involved.
(7) Upon request in writing (within such period,
after any change or refusal of a request for a change
of the Commissioner's records pursuant to this
subsection, as the Commissioner of Social Security may
prescribe), opportunity for hearing with respect to
such change or refusal shall be afforded to any
individual or his survivor. If a hearing is held
pursuant to this paragraph the Commissioner of Social
Security shall make findings of fact and a decision
based upon the evidence adduced at such hearing and
shall include any omitted items, or change or delete
any entry, in the Commissioner's records as may be
required by such findings and decision.
(8) A translation into English by a third party of a
statement made in a foreign language by an applicant
for or beneficiary of monthly insurance benefits under
this title shall not be regarded as reliable for any
purpose under this title unless the third party, under
penalty of perjury--
(A) certifies that the translation is
accurate; and
(B) discloses the nature and scope of the
relationship between the third party and the
applicant or recipient, as the case may be.
(9) Decisions of the Commissioner of Social Security
under this subsection shall be reviewable by commencing
a civil action in the United States district court as
provided in subsection (g).
(d) Issuance of subpenas in administrative proceedings.--For
the purpose of any hearing, investigation, or other proceeding
authorized or directed under this title, or relative to any
other matter within the the Commissioner's jurisdiction
hereunder, the Commissioner of Social Security shall have power
to issue subpenas requiring the attendance and testimony of
witnesses and the production of any evidence that relates to
any matter under investigation or in question before the
Commissioner of Social Security. Such attendance of witnesses
and production of evidence at the designated place of such
hearing, investigation, or other proceeding may be required
from any place in the United States or in any Territory or
possession thereof. Subpenas of the Commissioner of Social
Security shall be served by anyone authorized by the
Commissioner (1) by delivering a copy thereof to the individual
named therein, or (2) by registered mail or by certified mail
addressed to such individual at his last dwelling place or
principal place of business. A verified return by the
individual so serving the subpena setting forth the manner of
service, or, in the case of service by registered mail or by
certified mail, the return post-office receipt therefor signed
by the individual so served, shall be proof of service.
Witnesses so subpenaed shall be paid the same fees and mileage
as are paid witnesses in the district courts of the United
States.
(e) Judicial enforcement of subpenas; contempt.--In case of
contumacy by, or refusal to obey a subpena duly served upon,
any person, any district court of the United States for the
judicial district in which said person charged with contumacy
or refusal to obey is found or resides or transacts business,
upon application by the Commissioner of Social Security, shall
have jurisdiction to issue an order requiring such person to
appear and give testimony, or to appear and produce evidence,
or both; any failure to obey such order of the court may be
punished by said court as contempt thereof.
(f) [Repealed]
(g) Judicial review.--Any individual, after any final
decision of the Commissioner of Social Security made after a
hearing to which he was a party, irrespective of the amount in
controversy, may obtain a review of such decision by a civil
action commenced within sixty days after the mailing to him of
notice of such decision or within such further time as the
Commissioner of Social Security may allow. Such action shall be
brought in the district court of the United States for the
judicial district in which the plaintiff resides, or has his
principal place of business, or, if he does not reside or have
his principal place of business within any such judicial
district, in the District Court of the United States for the
District of Columbia. As part of the Commissioner's answer the
Commissioner of Social Security shall file a certified copy of
the transcript of the record including the evidence upon which
the findings and decision complained of are based. The court
shall have power to enter, upon the pleadings and transcript of
the record, a judgment affirming, modifying, or reversing the
decision of the Commissioner of Social Security, with or
without remanding the cause for a rehearing. The findings of
the Commissioner of Social Security as to any fact, if
supported by substantial evidence, shall be conclusive, and
where a claim has been denied by the Commissioner of Social
Security or a decision is rendered under subsection (b) hereof
which is adverse to an individual who was a party to the
hearing before the Commissioner of Social Security, because of
failure of the claimant or such individual to submit proof in
conformity with any regulation prescribed under subsection (a)
hereof, the court shall review only the question of conformity
with such regulations and the validity of such regulations. The
court may, on motion of the Commissioner of Social Security
made for good cause shown before the Commissioner files the
Commissioner's answer, remand the case to the Commissioner of
Social Security for further action by the Commissioner of
Social Security, and it may at any time order additional
evidence to be taken before the Commissioner of Social
Security, but only upon a showing that there is new evidence
which is material and that there is good cause for the failure
to incorporate such evidence into the record in a prior
proceeding; and the Commissioner of Social Security shall,
after the case is remanded, and after hearing such additional
evidence if so ordered, modify or affirm the Commissioner's
findings of fact or the Commissioner's decision, or both, and
shall file with the court any such additional and modified
findings of fact and decision, and, in any case in which the
Commissioner has not made a decision fully favorable to the
individual, a transcript of the additional record and testimony
upon which the Commissioner's action in modifying or affirming
was based. Such additional or modified findings of fact and
decision shall be reviewable only to the extent provided for
review of the original findings of fact and decision. The
judgment of the court shall be final except that it shall be
subject to review in the same manner as a judgment in other
civil actions. Any action instituted in accordance with this
subsection shall survive notwithstanding any change in the
person occupying the office of Commissioner of Social Security
or any vacancy in such office.
(h) Finality of Commissioner's decision.--The findings and
decisions of the Commissioner of Social Security after a
hearing shall be binding upon all individuals who were parties
to such hearing. No findings of fact or decision of the
Commissioner of Social Security shall be reviewed by any
person, tribunal, or governmental agency except as herein
provided. No action against the United States, the Commissioner
of Social Security, or any officer or employee thereof shall be
brought under section 1331 or 1346 of title 28, United States
Code, to recover on any claim arising under this title.
(i) Certification for payment.--Upon final decision of the
Commissioner of Social Security, or upon final judgment of any
court of competent jurisdiction, that any person is entitled to
any payment or payments under this title, the Commissioner of
Social Security shall certify to the Managing Trustee the name
and address of the person so entitled to receive such payment
or payments, the amount of such payment or payments, and the
time at which such payment or payments should be made, and the
Managing Trustee, through the Fiscal Service of the Department
of the Treasury, and prior to any action thereon by the General
Accounting Office, shall make payment in accordance with the
certification of the Commissioner of Social Security (except
that in the case of (A) an individual who will have completed
10 years of service (or 5 or more years of service, all of
which accrues after December 31, 1995) creditable under the
Railroad Retirement Act of 1937 or the Railroad Retirement Act
of 1974, (B) the wife or husband of such an individual, (C) any
survivor of such an individual if such survivor is entitled, or
could upon application become entitled, to an annuity under
section 2 of the Railroad Retirement Act of 1974, and (D) any
other person entitled to benefits under section 202 of this Act
on the basis of the wages and self-employment income of such an
individual (except a survivor of such an individual where such
individual did not have a current connection with the railroad
industry, as defined in the Railroad Retirement Act of 1974, at
the time of his death), such certification shall be made to the
Railroad Retirement Board which shall provide for such payment
or payments to such person on behalf of the Managing Trustee in
accordance with the provisions of the Railroad Retirement Act
of 1974): Provided, That where a review of the Commissioner's
decision is or may be sought under subsection (g) the
Commissioner of Social Security may withhold certification of
payment pending such review. The Managing Trustee shall not be
held personally liable for any payment or payments made in
accordance with a certification by the Commissioner of Social
Security.
(j) Representative payees.--
(1)(A) If the Commissioner of Social Security
determines that the interest of any individual under
this title would be served thereby, certification of
payment of such individual's benefit under this title
may be made, regardless of the legal competency or
incompetency of the individual, either for direct
payment to the individual, or for his or her use and
benefit, to another individual, or an organization,
with respect to whom the requirements of paragraph (2)
have been met (hereinafter in this subsection referred
to as the individual's ``representative payee''). If
the Commissioner of Social Security or a court of
competent jurisdiction determines that a representative
payee has misused any individual's benefit paid to such
representative payee pursuant to this subsection or
section 807 or 1631(a)(2), the Commissioner of Social
Security shall promptly revoke certification for
payment of benefits to such representative payee
pursuant to this subsection and certify payment to an
alternative representative payee or, if the interest of
the individual under this title would be served
thereby, to the individual.
(B) In the case of an individual entitled to benefits
based on disability, the payment of such benefits shall
be made to a representative payee if the Commissioner
of Social Security determines that such payment would
serve the interest of the individual because the
individual also has an alcoholism or drug addiction
condition (as determined by the Commissioner) and the
individual is incapable of managing such benefits.
(2)(A) Any certification made under paragraph (1) for
payment of benefits to an individual's representative
payee shall be made on the basis of--
(i) an investigation by the Commissioner of
Social Security of the person to serve as
representative payee, which shall be conducted
in advance of such certification and shall, to
the extent practicable, include a face-to-face
interview with such person, and
(ii) adequate evidence that such
certification is in the interest of such
individual (as determined by the Commissioner
of Social Security in regulations).
(B)(i) As part of the investigation referred to in
subparagraph (A)(i), the Commissioner of Social
Security shall--
(I) require the person being investigated to
submit documented proof of the identity of such
person, unless information establishing such
identity has been submitted with an application
for benefits under this title, title VIII, or
title XVI,
(II) verify such person's social security
account number (or employer identification
number),
(III) determine whether such person has been
convicted of a violation of section 208, 811,
or 1632,
(IV) obtain information concerning whether
such person has been convicted of any other
offense under Federal or State law which
resulted in imprisonment for more than 1 year,
(V) obtain information concerning whether
such person is a person described in section
202(x)(1)(A)(iv), and
(VI) determine whether certification of
payment of benefits to such person has been
revoked pursuant to this subsection, the
designation of such person as a representative
payee has been revoked pursuant to section
807(a), or payment of benefits to such person
has been terminated pursuant to section
1631(a)(2)(A)(iii) by reason of misuse of funds
paid as benefits under this title, title VIII,
or title XVI.
(ii) The Commissioner of Social Security shall
establish and maintain a centralized file, which shall
be updated periodically and which shall be in a form
which renders it readily retrievable by each servicing
office of the Social Security Administration. Such file
shall consist of--
(I) a list of the names and social security
account numbers (or employer identification
numbers) of all persons with respect to whom
certification of payment of benefits has been
revoked on or after January 1, 1991, pursuant
to this subsection, whose designation as a
representative payee has been revoked pursuant
to section 807(a), or with respect to whom
payment of benefits has been terminated on or
after such date pursuant to section
1631(a)(2)(A)(iii), by reason of misuse of
funds paid as benefits under this title, title
VIII, or title XVI, and
(II) a list of the names and social security
account numbers (or employer identification
numbers) of all persons who have been convicted
of a violation of section 208, 811, or 1632.
(iii) Notwithstanding the provisions of section 552a
of title 5, United States Code, or any other provision
of Federal or State law (other than section 6103 of the
Internal Revenue Code of 1986 and section 1106(c) of
this Act), the Commissioner shall furnish any Federal,
State, or local law enforcement officer, upon the
written request of the officer, with the current
address, social security account number, and photograph
(if applicable) of any person investigated under this
paragraph, if the officer furnishes the Commissioner
with the name of such person and such other identifying
information as may reasonably be required by the
Commissioner to establish the unique identity of such
person, and notifies the Commissioner that--
(I) such person is described in section
202(x)(1)(A)(iv),
(II) such person has information that is
necessary for the officer to conduct the
officer's official duties, and
(III) the location or apprehension of such
person is within the officer's official duties.
(C)(i) Benefits of an individual may not be certified
for payment to any other person pursuant to this
subsection if--
(I) such person has previously been convicted
as described in subparagraph (B)(i)(III),
(II) except as provided in clause (ii),
certification of payment of benefits to such
person under this subsection has previously
been revoked as described in subparagraph
(B)(i)(VI) the designation of such person as a
representative payee has been revoked pursuant
to section 807(a), or payment of benefits to
such person pursuant to section
1631(a)(2)(A)(ii) has previously been
terminated as described in section
1631(a)(2)(B)(ii)(VI),
(III) except as provided in clause (iii),
such person is a creditor of such individual
who provides such individual with goods or
services for consideration,
(IV) such person has previously been
convicted as described in subparagraph
(B)(i)(IV), unless the Commissioner determines
that such certification would be appropriate
notwithstanding such conviction, or
(V) such person is a person described in
section 202(x)(1)(A)(iv).
(ii) The Commissioner of Social Security shall
prescribe regulations under which the Commissioner of
Social Security may grant exemptions to any person from
the provisions of clause (i)(II) on a case-by-case
basis if such exemption is in the best interest of the
individual whose benefits would be paid to such person
pursuant to this subsection.
(iii) Clause (i)(III) shall not apply with respect to
any person who is a creditor referred to therein if
such creditor is--
(I) a relative of such individual if such
relative resides in the same household as such
individual,
(II) a legal guardian or legal representative
of such individual,
(III) a facility that is licensed or
certified as a care facility under the law of a
State or a political subdivision of a State,
(IV) a person who is an administrator, owner,
or employee of a facility referred to in
subclause (III) if such individual resides in
such facility, and the certification of payment
to such facility or such person is made only
after good faith efforts have been made by the
local servicing office of the Social Security
Administration to locate an alternative
representative payee to whom such certification
of payment would serve the best interests of
such individual, or
(V) an individual who is determined by the
Commissioner of Social Security, on the basis
of written findings and under procedures which
the Commissioner of Social Security shall
prescribe by regulation, to be acceptable to
serve as a representative payee.
(iv) The procedures referred to in clause (iii)(V)
shall require the individual who will serve as
representative payee to establish, to the satisfaction
of the Commissioner of Social Security, that--
(I) such individual poses no risk to the
beneficiary,
(II) the financial relationship of such
individual to the beneficiary poses no
substantial conflict of interest, and
(III) no other more suitable representative
payee can be found.
(v) In the case of an individual described in
paragraph (1)(B), when selecting such individual's
representative payee, preference shall be given to--
(I) a certified community-based nonprofit
social service agency (as defined in paragraph
(10)),
(II) a Federal, State, or local government
agency whose mission is to carry out income
maintenance, social service, or health care-
related activities,
(III) a State or local government agency with
fiduciary responsibilities, or
(IV) a designee of an agency (other than of a
Federal agency) referred to in the preceding
subclauses of this clause, if the Commissioner
of Social Security deems it appropriate, unless
the Commissioner of Social Security determines
that selection of a family member would be
appropriate.
(D)(i) Subject to clause (ii), if the Commissioner of
Social Security makes a determination described in the
first sentence of paragraph (1) with respect to any
individual's benefit and determines that direct payment
of the benefit to the individual would cause
substantial harm to the individual, the Commissioner of
Social Security may defer (in the case of initial
entitlement) or suspend (in the case of existing
entitlement) direct payment of such benefit to the
individual, until such time as the selection of a
representative payee is made pursuant to this
subsection.
(ii)(I) Except as provided in subclause (II), any
deferral or suspension of direct payment of a benefit
pursuant to clause (i) shall be for a period of not
more than 1 month.
(II) Subclause (I) shall not apply in any case in
which the individual is, as of the date of the
Commissioner's determination, legally incompetent,
under the age of 15 years, or described in paragraph
(1)(B).
(iii) Payment pursuant to this subsection of any
benefits which are deferred or suspended pending the
selection of a representative payee shall be made to
the individual or the representative payee as a single
sum or over such period of time as the Commissioner of
Social Security determines is in the best interest of
the individual entitled to such benefits.
(E)(i) Any individual who is dissatisfied with a
determination by the Commissioner of Social Security to
certify payment of such individual's benefit to a
representative payee under paragraph (1) or with the
designation of a particular person to serve as
representative payee shall be entitled to a hearing by
the Commissioner of Social Security to the same extent
as is provided in subsection (b), and to judicial
review of the Commissioner's final decision as is
provided in subsection (g).
(ii) In advance of the certification of payment of an
individual's benefit to a representative payee under
paragraph (1), the Commissioner of Social Security
shall provide written notice of the Commissioner's
initial determination to certify such payment. Such
notice shall be provided to such individual, except
that, if such individual--
(I) is under the age of 15,
(II) is an unemancipated minor under the age
of 18, or
(III) is legally incompetent, then such
notice shall be provided solely to the legal
guardian or legal representative of such
individual.
(iii) Any notice described in clause (ii) shall be
clearly written in language that is easily
understandable to the reader, shall identify the person
to be designated as such individual's representative
payee, and shall explain to the reader the right under
clause (i) of such individual or of such individual's
legal guardian or legal representative--
(I) to appeal a determination that a
representative payee is necessary for such
individual,
(II) to appeal the designation of a
particular person to serve as the
representative payee of such individual, and
(III) to review the evidence upon which such
designation is based and submit additional
evidence.
(3)(A) In any case where payment under this title is
made to a person other than the individual entitled to
such payment, the Commissioner of Social Security shall
establish a system of accountability monitoring whereby
such person shall report not less often than annually
with respect to the use of such payments. The
Commissioner of Social Security shall establish and
implement statistically valid procedures for reviewing
such reports in order to identify instances in which
such persons are not properly using such payments.
(B) Subparagraph (A) shall not apply in any case
where the other person to whom such payment is made is
a State institution. In such cases, the Commissioner of
Social Security shall establish a system of
accountability monitoring for institutions in each
State.
(C) Subparagraph (A) shall not apply in any case
where the individual entitled to such payment is a
resident of a Federal institution and the other person
to whom such payment is made is the institution.
(D) Notwithstanding subparagraphs (A), (B), and (C),
the Commissioner of Social Security may require a
report at any time from any person receiving payments
on behalf of another, if the Commissioner of Social
Security has reason to believe that the person
receiving such payments is misusing such payments.
(E) In any case in which the person described in
subparagraph (A) or (D) receiving payments on behalf of
another fails to submit a report required by the
Commissioner of Social Security under subparagraph (A)
or (D), the Commissioner may, after furnishing notice
to such person and the individual entitled to such
payment, require that such person appear in person at a
field office of the Social Security Administration
serving the area in which the individual resides in
order to receive such payments.
(F) The Commissioner of Social Security shall
maintain a centralized file, which shall be updated
periodically and which shall be in a form which will be
readily retrievable by each servicing office of the
Social Security Administration, of--
(i) the address and the social security
account number (or employer identification
number) of each representative payee who is
receiving benefit payments pursuant to this
subsection, section 807, or section 1631(a)(2),
and
(ii) the address and social security account
number of each individual for whom each
representative payee is reported to be
providing services as representative payee
pursuant to this subsection, section 807, or
section 1631(a)(2).
(G) Each servicing office of the Administration shall
maintain a list, which shall be updated periodically,
of public agencies and certified community-based
nonprofit social service agencies (as defined in
paragraph (10)) which are qualified to serve as
representative payees pursuant to this subsection or
section 807 or 1631(a)(2) and which are located in the
area served by such servicing office.
(4)(A)(i) Except as provided in the next sentence, a
qualified organization may collect from an individual a
monthly fee for expenses (including overhead) incurred
by such organization in providing services performed as
such individual's representative payee pursuant to this
subsection if such fee does not exceed the lesser of--
(I) 10 percent of the monthly benefit
involved, or
(II) $25.00 per month ($50.00 per month in
any case in which the individual is described
in paragraph (1)(B)). A qualified organization
may not collect a fee from an individual for
any month with respect to which the
Commissioner of Social Security or a court of
competent jurisdiction has determined that the
organization misused all or part of the
individual's benefit, and any amount so
collected by the qualified organization for
such month shall be treated as a misused part
of the individual's benefit for purposes of
paragraphs (5) and (6). The Commissioner of
Social Security shall adjust annually (after
1995) each dollar amount set forth in subclause
(II) under procedures providing for adjustments
in the same manner and to the same extent as
adjustments are provided for under the
procedures used to adjust benefit amounts under
section 215(i)(2)(A), except that any amount so
adjusted that is not a multiple of $1.00 shall
be rounded to the nearest multiple of $1.00.
(ii) In the case of an individual who is no longer
currently entitled to monthly insurance benefits under
this title but to whom all past-due benefits have not
been paid, for purposes of clause (i), any amount of
such past-due benefits payable in any month shall be
treated as a monthly benefit referred to in clause
(i)(I). Any agreement providing for a fee in excess of
the amount permitted under this subparagraph shall be
void and shall be treated as misuse by such
organization of such individual's benefits.
(B) For purposes of this paragraph, the term
``qualified organization'' means any State or local
government agency whose mission is to carry out income
maintenance, social service, or health care-related
activities, any State or local government agency with
fiduciary responsibilities, or any certified community-
based nonprofit social service agency (as defined in
paragraph (10)), if such agency, in accordance with any
applicable regulations of the Commissioner of Social
Security--
(i) regularly provides services as the
representative payee, pursuant to this
subsection or section 807 or 1631(a)(2),
concurrently to 5 or more individuals,
(ii) demonstrates to the satisfaction of the
Commissioner of Social Security that such
agency is not otherwise a creditor of any such
individual. The Commissioner of Social Security
shall prescribe regulations under which the
Commissioner of Social Security may grant an
exception from clause (ii) for any individual
on a case-by-case basis if such exception is in
the best interests of such individual.
(C) Any qualified organization which knowingly
charges or collects, directly or indirectly, any fee in
excess of the maximum fee prescribed under subparagraph
(A) or makes any agreement, directly or indirectly, to
charge or collect any fee in excess of such maximum
fee, shall be fined in accordance with title 18, United
States Code, or imprisoned not more than 6 months, or
both.
(5) In cases where the negligent failure of the
Commissioner of Social Security to investigate or
monitor a representative payee results in misuse of
benefits by the representative payee, the Commissioner
of Social Security shall certify for payment to the
beneficiary or the beneficiary's alternative
representative payee an amount equal to such misused
benefits. In any case in which a representative payee
that--
(A) is not an individual (regardless of
whether it is a ``qualified organization''
within the meaning of paragraph (4)(B)); or
(B) is an individual who, for any month
during a period when misuse occurs, serves 15
or more individuals who are beneficiaries under
this title, title VIII, title XVI, or any
combination of such titles; misuses all or part
of an individual's benefit paid to such
representative payee, the Commissioner of
Social Security shall certify for payment to
the beneficiary or the beneficiary's
alternative representative payee an amount
equal to the amount of such benefit so misused.
The provisions of this paragraph are subject to
the limitations of paragraph (7)(B). The
Commissioner of Social Security shall make a
good faith effort to obtain restitution from
the terminated representative payee.
(6)(A) In addition to such other reviews of
representative payees as the Commissioner of Social
Security may otherwise conduct, the Commissioner shall
provide for the periodic onsite review of any person or
agency located in the United States that receives the
benefits payable under this title (alone or in
combination with benefits payable under title VIII or
title XVI) to another individual pursuant to the
appointment of such person or agency as a
representative payee under this subsection, section
807, or section 1631(a)(2) in any case in which--
(i) the representative payee is a person who
serves in that capacity with respect to 15 or
more such individuals;
(ii) the representative payee is a certified
community-based nonprofit social service agency
(as defined in paragraph (10) of this
subsection or section 1631(a)(2)(I)); or
(iii) the representative payee is an agency
(other than an agency described in clause (ii))
that serves in that capacity with respect to 50
or more such individuals.
(B) Within 120 days after the end of each fiscal
year, the Commissioner shall submit to the Committee on
Ways and Means of the House of Representatives and the
Committee on Finance of the Senate a report on the
results of periodic onsite reviews conducted during the
fiscal year pursuant to subparagraph (A) and of any
other reviews of representative payees conducted during
such fiscal year in connection with benefits under this
title. Each such report shall describe in detail all
problems identified in such reviews and any corrective
action taken or planned to be taken to correct such
problems, and shall include--
(i) the number of such reviews;
(ii) the results of such reviews;
(iii) the number of cases in which the
representative payee was changed and why;
(iv) the number of cases involving the
exercise of expedited, targeted oversight of
the representative payee by the Commissioner
conducted upon receipt of an allegation of
misuse of funds, failure to pay a vendor, or a
similar irregularity;
(v) the number of cases discovered in which
there was a misuse of funds;
(vi) how any such cases of misuse of funds
were dealt with by the Commissioner;
(vii) the final disposition of such cases of
misuse of funds, including any criminal
penalties imposed; and
(viii) such other information as the
Commissioner deems appropriate.
(7)(A) If the Commissioner of Social Security or a
court of competent jurisdiction determines that a
representative payee that is not a Federal, State, or
local government agency has misused all or part of an
individual's benefit that was paid to such
representative payee under this subsection, the
representative payee shall be liable for the amount
misused, and such amount (to the extent not repaid by
the representative payee) shall be treated as an
overpayment of benefits under this title to the
representative payee for all purposes of this Act and
related laws pertaining to the recovery of such
overpayments. Subject to subparagraph (B), upon
recovering all or any part of such amount, the
Commissioner shall certify an amount equal to the
recovered amount for payment to such individual or such
individual's alternative representative payee.
(B) The total of the amount certified for payment to
such individual or such individual's alternative
representative payee under subparagraph (A) and the
amount certified for payment under paragraph (5) may
not exceed the total benefit amount misused by the
representative payee with respect to such individual.
(8) For purposes of this subsection, the term
``benefit based on disability'' of an individual means
a disability insurance benefit of such individual under
section 223 or a child's, widow's, or widower's
insurance benefit of such individual under section 202
based on such individual's disability.
(9) For purposes of this subsection, misuse of
benefits by a representative payee occurs in any case
in which the representative payee receives payment
under this title for the use and benefit of another
person and converts such payment, or any part thereof,
to a use other than for the use and benefit of such
other person. The Commissioner of Social Security may
prescribe by regulation the meaning of the term ``use
and benefit'' for purposes of this paragraph.
(10) For purposes of this subsection, the term
``certified community-based nonprofit social service
agency'' means a community-based nonprofit social
service agency which is in compliance with
requirements, under regulations which shall be
prescribed by the Commissioner, for annual
certification to the Commissioner that it is bonded in
accordance with requirements specified by the
Commissioner and that it is licensed in each State in
which it serves as a representative payee (if licensing
is available in the State) in accordance with
requirements specified by the Commissioner. Any such
annual certification shall include a copy of any
independent audit on the agency which may have been
performed since the previous certification.
(k) Payments to incompetents.--Any payment made after
December 31, 1939, under conditions set forth in subsection (j)
any payment made before January 1, 1940, to, or on behalf of, a
legally incompetent individual, and any payment made after
December 31, 1939, to a legally incompetent individual without
knowledge by the Commissioner of Social Security of
incompetency prior to certification of payment, if otherwise
valid under this title, shall be a complete settlement and
satisfaction of any claim, right, or interest in and to such
payment.
(l) Delegation of powers and duties by Commissioner of Social
Security.--The Commissioner of Social Security is authorized to
delegate to any member, officer, or employee of the Social
Security Administration designated by the Commissioner any of
the powers conferred upon the Commissioner by this section, and
is authorized to be represented by the Commissioner's own
attorneys in any court in any case or proceeding arising under
the provisions of subsection (e).
(m) [Repealed]
(n) Joint payments.--The Commissioner of Social Security may,
in the Commissioner's discretion, certify to the Managing
Trustee any 2 or more individuals of the same family for joint
payment of the total benefits payable to such individuals for
any month, and if 1 of such individuals dies before a check
representing such joint payment is negotiated, payment of the
amount of such unnegotiated check to the surviving individual
or individuals may be authorized in accordance with regulations
of the Secretary of the Treasury; except that appropriate
adjustment or recovery shall be made under section 204(a) with
respect to so much of the amount of such check as exceeds the
amount to which such surviving individual or individuals are
entitled under this title for such month.
(o) Crediting of compensation under the Railroad Retirement
Act.--If there is no person who would be entitled, upon
application therefor, to an annuity under section 5 of the
Railroad Retirement Act of 1974, or to a lump-sum payment under
section 6(b) of such Act, with respect to the death of an
employee (as defined in such Act), then, notwithstanding
section 210(a)(10) of this Act, compensation (as defined in
such Railroad Retirement Act, but excluding compensation
attributable as having been paid during any month on account of
military service creditable under section 3(i) of such Act if
wages are deemed to have been paid to such employee during such
month under subsection (a) or (e) of section 217 of this Act)
of such employee shall constitute remuneration for employment
for purposes of determining (A) entitlement to and the amount
of any lump-sum death payment under this title on the basis of
such employee's wages and self-employment income and (B)
entitlement to and the amount of any monthly benefit under this
title, for the month in which such employee died or for any
month thereafter, on the basis of such wages and self-
employment income. For such purposes, compensation (as so
defined) paid in a calendar year before 1978 shall, in the
absence of evidence to the contrary, be presumed to have been
paid in equal proportions with respect to all months in the
year in which the employee rendered services for such
compensation.
(p) Special rules in case of Federal service.--
(1) With respect to service included as employment
under section 210 which is performed in the employ of
the United States or in the employ of any
instrumentality which is wholly owned by the United
States, including service, performed as a member of a
uniformed service, to which the provisions of
subsection (l)(1) of such section are applicable, and
including service, performed as a volunteer or
volunteer leader within the meaning of the Peace Corps
Act, to which the provisions of section 210(o) are
applicable, the Commissioner of Social Security shall
not make determinations as to the amounts of
remuneration for such service, or the periods in which
or for which such remuneration was paid, but shall
accept the determinations with respect thereto of the
head of the appropriate Federal agency or
instrumentality, and of such agents as such head may
designate, as evidenced by returns filed in accordance
with the provisions of section 3122 of the Internal
Revenue Code of 1954 and certifications made pursuant
to this subsection. Such determinations shall be final
and conclusive. Nothing in this paragraph shall be
construed to affect the Commissioner's authority to
determine under sections 209 and 210 whether any such
service constitutes employment, the periods of such
employment, and whether remuneration paid for any such
service constitutes wages.
(2) The head of any such agency or instrumentality is
authorized and directed, upon written request of the
Commissioner of Social Security, to make certification
to the Commissioner with respect to any matter
determinable for the Commissioner of Social Security by
such head or his agents under this subsection, which
the Commissioner of Social Security finds necessary in
administering this title.
(3) The provisions of paragraphs (1) and (2) shall be
applicable in the case of service performed by a
civilian employee, not compensated from funds
appropriated by the Congress, in the Army and Air Force
Exchange Service, Army and Air Force Motion Picture
Service, Navy Exchanges, Marine Corps Exchanges, or
other activities, conducted by an instrumentality of
the United States subject to the jurisdiction of the
Secretary of Defense, at installations of the
Department of Defense for the comfort, pleasure,
contentment, and mental and physical improvement of
personnel of such Department; and for purposes of
paragraphs (1) and (2) the Secretary of Defense shall
be deemed to be the head of such instrumentality. The
provisions of paragraphs (1) and (2) shall be
applicable also in the case of service performed by a
civilian employee, not compensated from funds
appropriated by the Congress, in the Coast Guard
Exchanges or other activities, conducted by an
instrumentality of the United States subject to the
jurisdiction of the Secretary of Transportation, at
installations of the Coast Guard for the comfort,
pleasure, contentment, and mental and physical
improvement of personnel of the Coast Guard; and for
purposes of paragraphs (1) and (2) the Secretary of
Transportation shall be deemed to be the head of such
instrumentality.
(q) Expedited benefit payments.--
(1) The Commissioner of Social Security shall
establish and put into effect procedures under which
expedited payment of monthly insurance benefits under
this title will, subject to paragraph (4) of this
subsection, be made as set forth in paragraphs (2) and
(3) of this subsection.
(2) In any case in which--
(A) an individual makes an allegation that a
monthly benefit under this title was due him in
a particular month but was not paid to him, and
(B) such individual submits a written request
for the payment of such benefit--
(i) in the case of an individual who
received a regular monthly benefit in
the month preceding the month with
respect to which such allegation is
made, not less than 30 days after the
15th day of the month with respect to
which such allegation is made (and in
the event that such request is
submitted prior to the expiration of
such 30-day period, it shall be deemed
to have been submitted upon the
expiration of such period), and
(ii) in any other case, not less than
90 days after the later of (I) the date
on which such benefit is alleged to
have been due, or (II) the date on
which such individual furnished the
last information requested by the
Commissioner of Social Security (and
such written request will be deemed to
be filed on the day on which it was
filed, or the ninetieth day after the
first day on which the Commissioner of
Social Security has evidence that such
allegation is true, whichever is
later), the Commissioner of Social
Security shall, if the Commissioner
finds that benefits are due, certify
such benefits for payment, and payment
shall be made within 15 days
immediately following the date on which
the written request is deemed to have
been filed.
(3) In any case in which the Commissioner of Social
Security determines that there is evidence, although
additional evidence might be required for a final
decision, that an allegation described in paragraph
(2)(A) is true, the Commissioner may make a preliminary
certification of such benefit for payment even though
the 30-day or 90-day periods described in paragraph
(2)(B)(i) and (B)(ii) have not elapsed.
(4) Any payment made pursuant to a certification
under paragraph (3) of this subsection shall not be
considered an incorrect payment for purposes of
determining the liability of the certifying or
disbursing officer.
(5) For purposes of this subsection, benefits payable
under section 228 shall be treated as monthly insurance
benefits payable under this title. However, this
subsection shall not apply with respect to any benefit
for which a check has been negotiated, or with respect
to any benefit alleged to be due under either section
223, or section 202 to a wife, husband, or child of an
individual entitled to or applying for benefits under
section 223, or to a child who has attained age 18 and
is under a disability, or to a widow or widower on the
basis of being under a disability.
(r) Use of death certificates to correct program
information.--
(1) The Commissioner of Social Security shall
undertake to establish a program under which--
(A) States (or political subdivisions
thereof) voluntarily contract with the
Commissioner of Social Security to furnish the
Commissioner of Social Security periodically
with information (in a form established by the
Commissioner of Social Security in consultation
with the States) concerning individuals with
respect to whom death certificates (or
equivalent documents maintained by the States
or subdivisions) have been officially filed
with them; and
(B) there will be (i) a comparison of such
information on such individuals with
information on such individuals in the records
being used in the administration of this Act,
(ii) validation of the results of such
comparisons, and (iii) corrections in such
records to accurately reflect the status of
such individuals.
(2) Each State (or political subdivision thereof)
which furnishes the Commissioner of Social Security
with information on records of deaths in the State or
subdivision under this subsection may be paid by the
Commissioner of Social Security from amounts available
for administration of this Act the reasonable costs
(established by the Commissioner of Social Security in
consultations with the States) for transcribing and
transmitting such information to the Commissioner of
Social Security.
(3) In the case of individuals with respect to whom
federally funded benefits are provided by (or through)
a Federal or State agency other than under this Act,
the Commissioner of Social Security shall to the extent
feasible provide such information through a cooperative
arrangement with such agency, for ensuring proper
payment of those benefits with respect to such
individuals if--
(A) under such arrangement the agency
provides reimbursement to the Commissioner of
Social Security for the reasonable cost of
carrying out such arrangement, and
(B) such arrangement does not conflict with
the duties of the Commissioner of Social
Security under paragraph (1).
(4) The Commissioner of Social Security may enter
into similar agreements with States to provide
information for their use in programs wholly funded by
the States if the requirements of subparagraphs (A) and
(B) of paragraph (3) are met.
(5) The Commissioner of Social Security may use or
provide for the use of such records as may be corrected
under this section, subject to such safeguards as the
Commissioner of Social Security determines are
necessary or appropriate to protect the information
from unauthorized use or disclosure, for statistical
and research activities conducted by Federal and State
agencies.
(6) Information furnished to the Commissioner of
Social Security under this subsection may not be used
for any purpose other than the purpose described in
this subsection and is exempt from disclosure under
section 552 of title 5, United States Code, and from
the requirements of section 552a of such title.
(7) The Commissioner of Social Security shall include
information on the status of the program established
under this section and impediments to the effective
implementation of the program in the 1984 report
required under section 704 of the Act.
(8)(A) The Commissioner of Social Security shall,
upon the request of the official responsible for a
State driver's license agency pursuant to the Help
America Vote Act of 2002--
(i) enter into an agreement with such
official for the purpose of verifying
applicable information, so long as the
requirements of subparagraphs (A) and (B) of
paragraph (3) are met; and
(ii) include in such agreement safeguards to
assure the maintenance of the confidentiality
of any applicable information disclosed and
procedures to permit such agency to use the
applicable information for the purpose of
maintaining its records.
(B) Information provided pursuant to an agreement
under this paragraph shall be provided at such time, in
such place, and in such manner as the Commissioner
determines appropriate.
(C) The Commissioner shall develop methods to verify
the accuracy of information provided by the agency with
respect to applications for voter registration, for
whom the last 4 digits of a social security number are
provided instead of a driver's license number.
(D) For purposes of this paragraph--
(i) the term ``applicable information'' means
information regarding whether--
(I) the name (including the first
name and any family forename or
surname), the date of birth (including
the month, day, and year), and social
security number of an individual
provided to the Commissioner match the
information contained in the
Commissioner's records, and
(II) such individual is shown on the
records of the Commissioner as being
deceased; and
(ii) the term ``State driver's license
agency'' means the State agency which issues
driver's licenses to individuals within the
State and maintains records relating to such
licensure.
(E) Nothing in this paragraph may be construed to
require the provision of applicable information with
regard to a request for a record of an individual if
the Commissioner determines there are exceptional
circumstances warranting an exception (such as safety
of the individual or interference with an
investigation).
(F) Applicable information provided by the Commission
pursuant to an agreement under this paragraph or by an
individual to any agency that has entered into an
agreement under this paragraph shall be considered as
strictly confidential and shall be used only for the
purposes described in this paragraph and for carrying
out an agreement under this paragraph. Any officer or
employee or former officer or employee of a State, or
any officer or employee or former officer or employee
of a contractor of a State who, without the written
authority of the Commissioner, publishes or
communicates any applicable information in such
individual's possession by reason of such employment or
position as such an officer, shall be guilty of a
felony and upon conviction thereof shall be fined or
imprisoned, or both, as described in section 208.
(s) Notice requirements.--The Commissioner of Social Security
shall take such actions as are necessary to ensure that any
notice to 1 or more individuals issued pursuant to this title
by the Commissioner of Social Security or by a State agency--
(1) is written in simple and clear language, and
(2) includes the address and telephone number of the
local office of the Social Security Administration
which serves the recipient. In the case of any such
notice which is not generated by a local servicing
office, the requirements of paragraph (2) shall be
treated as satisfied if such notice includes the
address of the local office of the Social Security
Administration which services the recipient of the
notice and a telephone number through which such office
can be reached.
(t) Same-day personal interviews at field offices in cases
where time is of the essence.--In any case in which an
individual visits a field office of the Social Security
Administration and represents during the visit to an officer or
employee of the Social Security Administration in the office
that the individual's visit is occasioned by--
(1) the receipt of a notice from the Social Security
Administration indicating a time limit for response by
the individual, or
(2) the theft, loss, or nonreceipt of a benefit
payment under this title, the Commissioner of Social
Security shall ensure that the individual is granted a
face-to-face interview at the office with an officer or
employee of the Social Security Administration before
the close of business on the day of the visit.
(u) Redetermination of entitlement in cases of fraud or
similar fault.--
(1)(A) The Commissioner of Social Security shall
immediately redetermine the entitlement of individuals
to monthly insurance benefits under this title if there
is reason to believe that fraud or similar fault was
involved in the application of the individual for such
benefits, unless a United States attorney, or
equivalent State prosecutor, with jurisdiction over
potential or actual related criminal cases, certifies,
in writing, that there is a substantial risk that such
action by the Commissioner of Social Security with
regard to beneficiaries in a particular investigation
would jeopardize the criminal prosecution of a person
involved in a suspected fraud.
(B) When redetermining the entitlement, or making an
initial determination of entitlement, of an individual
under this title, the Commissioner of Social Security
shall disregard any evidence if there is reason to
believe that fraud or similar fault was involved in the
providing of such evidence.
(2) For purposes of paragraph (1), similar fault is
involved with respect to a determination if--
(A) an incorrect or incomplete statement that
is material to the determination is knowingly
made; or
(B) information that is material to the
determination is knowingly concealed.
(3) If, after redetermining pursuant to this
subsection the entitlement of an individual to monthly
insurance benefits, the Commissioner of Social Security
determines that there is insufficient evidence to
support such entitlement, the Commissioner of Social
Security may terminate such entitlement and may treat
benefits paid on the basis of such insufficient
evidence as overpayments.