[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 9783 Introduced in House (IH)]
<DOC>
118th CONGRESS
2d Session
H. R. 9783
To establish a Government-wide approach to improving digital identity,
and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
September 24, 2024
Mr. Foster introduced the following bill; which was referred to the
Committee on Oversight and Accountability
_______________________________________________________________________
A BILL
To establish a Government-wide approach to improving digital identity,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Improving Digital Identity Act of
2024''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) The lack of an easy, affordable, reliable, and secure
way for organizations, businesses, and government agencies to
identify whether an individual is who they claim to be online
creates an attack vector that is widely exploited by
adversaries in cyberspace and precludes many high-value
transactions from being available online.
(2) Incidents of identity theft and identity fraud continue
to rise in the United States, where more than 293,000,000
people were impacted by data breaches in 2021.
(3) Since 2017, losses resulting from identity fraud have
increased by 333 percent, and, in 2020, those losses totaled
$56,000,000,000.
(4) The Director of the Financial Crimes Enforcement
Network of the Department of the Treasury has stated that the
abuse of personally identifiable information and other building
blocks of identity is a key enabler behind much of the fraud
and cybercrime affecting the United States today.
(5) The inadequacy of current digital identity solutions
degrades security and privacy for all people in the United
States, and next generation solutions are needed that improve
security, privacy, equity, and accessibility.
(6) Government entities, as authoritative issuers of
identity in the United States, are uniquely positioned to
deliver critical components that address deficiencies in the
digital identity infrastructure of the United States and
augment private sector digital identity and authentication
solutions.
(7) State governments are particularly well-suited to play
a role in enhancing digital identity solutions used by both the
public and private sectors, given the role of State governments
as the issuers of driver's licenses and other identity
documents commonly used today.
(8) The public and private sectors should collaborate to
deliver solutions that promote confidence, privacy, choice,
equity, accessibility, and innovation. The private sector
drives much of the innovation around digital identity in the
United States and has an important role to play in delivering
digital identity solutions.
(9) The bipartisan Commission on Enhancing National
Cybersecurity has called for the Federal Government to ``create
an interagency task force directed to find secure,
user-friendly, privacy-centric ways in which agencies can serve as 1
authoritative source to validate identity attributes in the
broader identity market. This action would enable Government
agencies and the private sector to drive significant risk out
of new account openings and other high-risk, high-value online
services, and it would help all citizens more easily and
securely engage in transactions online.''.
(10) It should be the policy of the Federal Government to
use the authorities and capabilities of the Federal Government,
in coordination with State, local, Tribal, and territorial
partners and private sector innovators, to enhance the
security, reliability, privacy, equity, accessibility, and
convenience of consent-based digital identity solutions that
support and protect transactions between individuals,
government entities, and businesses, and that enable people in
the United States to prove who they are online.
SEC. 3. DEFINITIONS.
In this Act:
(1) Appropriate notification entities.--The term
``appropriate notification entities'' means--
(A) the President;
(B) the Committee on Homeland Security and
Governmental Affairs of the Senate; and
(C) the Committee on Oversight and Accountability
of the House of Representatives.
(2) Digital identity verification.--The term ``digital
identity verification'' means a process to verify the identity
or an identity attribute of an individual accessing a service
online or through another electronic means.
(3) Director.--The term ``Director'' means the Director of
the Task Force.
(4) Federal agency.--The term ``Federal agency'' has the
meaning given the term in section 102 of the Robert T. Stafford
Disaster Relief and Emergency Assistance Act (42 U.S.C. 5122).
(5) Identity attribute.--The term ``identity attribute''
means a data element associated with the identity of an
individual, including the name, address, or date of birth of
an individual.
(6) Identity credential.--The term ``identity credential''
means a document or other evidence of the identity of an
individual issued by a government agency that conveys the
identity of the individual, including a driver's license or
passport.
(7) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
(8) Task force.--The term ``Task Force'' means the
Improving Digital Identity Task Force established under section
4(a).
SEC. 4. IMPROVING DIGITAL IDENTITY TASK FORCE.
(a) Establishment.--There is established in the Executive Office of
the President a task force to be known as the ``Improving Digital
Identity Task Force''.
(b) Purpose.--The purpose of the Task Force shall be to establish
and coordinate a government-wide effort to develop secure methods for
Federal, State, local, Tribal, and territorial agencies to improve
access and enhance security between physical and digital identity
credentials, particularly by promoting the development of digital
versions of existing physical identity credentials, including driver's
licenses, e-Passports, social security credentials, and birth
certificates, to--
(1) protect the privacy and security of individuals;
(2) support reliable, interoperable digital identity
verification in the public and private sectors; and
(3) in achieving paragraphs (1) and (2), place a particular
emphasis on--
(A) reducing identity theft and fraud;
(B) enabling trusted transactions; and
(C) ensuring equitable access to digital identity
verification.
(c) Director.--
(1) In general.--The Task Force shall have a Director, who
shall be appointed by the President.
(2) Position.--The Director shall serve at the pleasure of
the President.
(3) Pay and allowances.--The Director shall be compensated
at the rate of basic pay prescribed for level II of the
Executive Schedule under section 5313 of title 5, United States
Code.
(4) Qualifications.--The Director shall have substantive
technical expertise and managerial acumen that--
(A) is in the business of digital identity
management, information security, or benefits
administration;
(B) is gained from not less than 1 organization;
and
(C) includes specific expertise gained from
academia, advocacy organizations, or the private
sector.
(5) Exclusivity.--The Director may not serve in any other
capacity within the Federal Government while serving as
Director.
(6) Term.--The term of the Director, including any official
acting in the role of the Director, shall terminate on the date
described in subsection (k).
(d) Membership.--
(1) Federal government representatives.--The Task Force
shall include the following individuals or the designees of
such individuals:
(A) The Secretary.
(B) The Secretary of the Treasury.
(C) The Director of the National Institute of
Standards and Technology.
(D) The Director of the Financial Crimes
Enforcement Network.
(E) The Commissioner of Social Security.
(F) The Secretary of State.
(G) The Administrator of General Services.
(H) The Director of the Office of Management and
Budget.
(I) The Postmaster General of the United States
Postal Service.
(J) The National Cyber Director.
(K) The Attorney General.
(L) The heads of other Federal agencies or offices
as the President may designate or invite, as
appropriate.
(2) State, local, tribal, and territorial government
representatives.--The Director shall appoint to the Task Force
6 State, local, Tribal, or territorial government officials who
represent agencies that issue identity credentials and who
have--
(A) experience in identity technology and services;
(B) knowledge of the systems used to provide
identity credentials; or
(C) any other qualifications or competencies that
may help achieve balance or otherwise support the
mission of the Task Force.
(3) Nongovernmental experts.--
(A) In general.--The Director shall appoint to the
Task Force 5 nongovernmental experts.
(B) Specific appointments.--The experts appointed
under subparagraph (A) shall include the following:
(i) A member who is a privacy and civil
liberties expert.
(ii) A member who is a technical expert in
identity verification.
(iii) A member who is a technical expert in
cybersecurity focusing on identity verification
services.
(iv) A member who represents the identity
verification services industry.
(v) A member who represents a party that
relies on effective identity verification
services to conduct business.
(e) Working Groups.--The Director shall organize the members of the
Task Force into appropriate working groups for the purpose of
increasing the efficiency and effectiveness of the Task Force, as
appropriate.
(f) Meetings.--The Task Force shall--
(1) convene at the call of the Director; and
(2) provide an opportunity for public comment in accordance
with section 1009(a)(3) of title 5, United States Code.
(g) Duties.--In carrying out the purpose described in subsection
(b), the Task Force shall--
(1) identify Federal, State, local, Tribal, and territorial
agencies that issue identity credentials or hold information
relating to identifying an individual;
(2) assess restrictions with respect to the abilities of
the agencies described in paragraph (1) to verify identity
information for other agencies and nongovernmental
organizations;
(3) assess any necessary changes in statutes, regulations,
or policy to address any restrictions assessed under paragraph
(2);
(4) recommend a strategy, based on existing standards, to
enable agencies to provide services relating to digital
identity verification in a way that--
(A) is secure, protects privacy, and protects
individuals against unfair and misleading practices;
(B) prioritizes equity and accessibility;
(C) requires individual consent for the provision
of digital identity verification services by a Federal,
State, local, Tribal, or territorial agency;
(D) is interoperable among participating Federal,
State, local, Tribal, and territorial agencies, as
appropriate and in accordance with applicable laws; and
(E) prioritizes technical standards developed by
voluntary consensus standards bodies in accordance with
section 12(d) of the National Technology Transfer and
Advancement Act of 1995 (15 U.S.C. 272 note) and
guidance under OMB Circular A-119, entitled ``Federal
Participation in the Development and Use of Voluntary
Consensus Standards and in Conformity Assessment
Activities'', or any successor thereto;
(5) recommend principles to promote policies for shared
identity proofing across public sector agencies, which may
include single sign-on or broadly accepted attestations;
(6) identify funding or other resources needed to support
the agencies described in paragraph (4) that provide digital
identity verification, including recommendations with respect
to the need for and the design of a Federal grant program to
implement the recommendations of the Task Force and facilitate
the development and upgrade of State, local, Tribal, and
territorial highly secure interoperable systems that enable
digital identity verification;
(7) recommend funding models to provide digital identity
verification to private sector entities, which may include
fee-based funding models;
(8) determine if any additional steps are necessary with
respect to Federal, State, local, Tribal, and territorial
agencies to improve digital identity verification and
management processes for the purpose of enhancing the security,
reliability, privacy, accessibility, equity, and convenience of
digital identity solutions that support and protect
transactions between individuals, government entities, and
businesses; and
(9) undertake other activities necessary to assess and
address other matters relating to digital identity
verification, including with respect to--
(A) the potential exploitation of digital identity
tools or associated products and services by malign
actors;
(B) privacy implications; and
(C) increasing access to foundational identity
documents.
(h) Prohibition.--The Task Force may not implicitly or explicitly
recommend the creation of--
(1) a single identity credential provided or mandated by
the Federal Government for the purposes of verifying identity
or associated attributes;
(2) a unilateral central national identification registry
relating to digital identity verification; or
(3) a requirement that any individual be forced to use
digital identity verification for a given public purpose.
(i) Required Consultation.--The Task Force shall closely consult
with leaders of Federal, State, local, Tribal, and territorial
governments and nongovernmental leaders, which shall include the
following:
(1) The Secretary of Education.
(2) The heads of other Federal agencies and offices
determined appropriate by the Director.
(3) State, local, Tribal, and territorial government
officials focused on identity, such as information technology
officials and directors of State departments of motor vehicles
and vital records bureaus.
(4) Digital privacy experts.
(5) Civil liberties experts.
(6) Technology and cybersecurity experts.
(7) Users of identity verification services.
(8) Representatives with relevant expertise from academia
and advocacy organizations.
(9) Industry representatives with experience implementing
digital identity systems.
(10) Identity theft and fraud prevention experts, including
advocates for victims of identity theft and fraud.
(j) Reports.--
(1) Initial report.--Not later than 180 days after the date
of enactment of this Act, the Director shall submit to the
appropriate notification entities a report on the activities of
the Task Force, including--
(A) recommendations on--
(i) implementing the strategy pursuant to
subsection (g)(4); and
(ii) methods to leverage digital driver's
licenses, distributed ledger technology, and
other technologies; and
(B) summaries of the input and recommendations of
the leaders consulted under subsection (i).
(2) Interim reports.--
(A) In general.--The Director may submit to the
appropriate notification entities interim reports the
Director determines necessary to support the work of
the Task Force and educate the public.
(B) Mandatory report.--Not later than the date that
is 18 months after the date of enactment of this Act,
the Director shall submit to the appropriate
notification entities an interim report addressing--
(i) the matters described in paragraphs
(1), (2), (4), and (6) of subsection (g); and
(ii) any other matters the Director
determines necessary to support the work of the
Task Force and educate the public.
(3) Final report.--Not later than 180 days before the date
described in subsection (k), the Director shall submit to the
appropriate notification entities a final report that includes
recommendations for the President and Congress relating to any
relevant matter within the scope