HOUSE DOCKET, NO. 760        FILED ON: 1/13/2009

HOUSE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 316



The Commonwealth of Massachusetts



In the Year Two Thousand Nine



An Act relative to identity theft in the commonwealth..


Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1. Chapter 266 of the General Laws is hereby amended by adding the following section:-

Section 37F.  Identity Theft Investigation

A person who has learned or reasonably suspects that his or hers personal identifying information has been unlawfully used by another, as described in section 37E of Chapter 266, may initiate a law enforcement investigation by contacting the local law enforcement that has jurisdiction over his or her actual residence, which shall take an identity theft police report of the matter, provide the complainant with a copy of that report, and begin an investigation of the facts. If the suspected crime was committed in a different jurisdiction, the local law enforcement agency must refer the matter to the jurisdiction’s local law enforcement agency where the suspected crime was committed for further investigation of the facts.

b) Any city, town, or district police department which requires an investigating police officer to make a report concerning an incident, offense or alleged offense investigated, or any arrest made, on a form provided by the department shall include on said form a space to indicate whether said incident, offense, alleged offense or arrest involved identity fraud as defined in section 37E of chapter 266.Said officer shall also provide any victim, as defined in section 37E of chapter 266, a copy of said report and may be redacted by the investigating police officer. 

Section 2. Chapter 24A of the General Laws is hereby amended by inserting the following new section:- Section 6. (a) There shall be in the office a division of Privacy Protection whose primary purpose shall be protecting the privacy of individuals' personal information by identifying consumer problems in the privacy area and facilitating development of fair information practices. (b) The office shall inform the public of potential options for protecting the privacy of, and avoiding the misuse of, personal information. (c) The office shall make recommendations to organizations for privacy policies and practices that promote and protect the interests of consumers. (d) The office may promote voluntary and mutually agreed upon non-binding arbitration and mediation of privacy related disputes where appropriate. (e) The Director of the Consumer Affairs and Business Regulation shall do all of the following: (1) Receive complaints from individuals concerning any persons obtaining, compiling, maintaining, using, disclosing or disposing of personal information in a manner that may be potentially unlawful or violate a stated privacy policy relating to that individual, and provide advice, information, and referral where available. (2) Provide information to consumers on effective ways of handling complaints that involve violations of privacy related laws, including identity theft and identity fraud. Where appropriate local, state, or federal agencies are available to assist consumers with those complaints, the director shall refer those complaints to those agencies. (3) Develop information and educational programs and materials to foster public understanding and recognition of the purposes of this article. (4) Investigate and assist in the prosecution of identity theft and other privacy related crimes, and, as necessary, coordinate with local, state, and federal law enforcement agencies in the investigation of similar crimes. (5) Assist and coordinate in the training of local, state, and federal law enforcement agencies regarding identity theft and other privacy related crimes, as appropriate. (6) The authority of the office or the director, to adopt regulations under this article shall be limited exclusively to those regulations necessary and appropriate to implement paragraphs (b), (c), (d), and (e). (f) Commencing in 2010, the director shall report to the Legislature on an annual basis, on or before January 31, detailing the activities engaged in by the department under this article.

Section 3.Chapter 93 of The Massachusetts General Laws, as appearing in the 2006 Official Edition, is hereby amended by inserting after section 55 the following section:-

Section 55A. (a) No person or entity, including a state or local agency may not do any of the following:

(1)intentionally communicate or otherwise make available to the general public an individual’s Social Security number;

(2) print an individual’s Social Security number on any card required for the individual to access products or services provided by the person or data collector;

(3) require an individual to transmit his or her Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted;

(4) require an individual to use his or her Social Security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site;

(5) print an individual’s Social Security number on any materials that are mailed to the individual, unless required by law;

(6) sell, lease, loan, trade, rent, or otherwise disclose an individual’s Social Security number to a third party for any purpose without written consent to the disclosure from the individual.

Nothing in this section shall apply to medical information or documents that are recorded or required to be open to the public pursuant to section 7 of chapter 4. 

(b)  Violations of any provision of this section shall constitute and unfair and deceptive trade practice pursuant to the provisions of chapter ninety-three A.

SECTION 4. Each state department and state agency shall enact and maintain a permanent privacy policy that includes, but is not limited to, the following principles: (a) Personally identifiable information is only obtained through lawful means. (b) The purposes for which personally identifiable data are collected are specified at or prior to the time of collection, and any subsequent use is limited to the fulfillment of purposes not inconsistent with those purposes previously specified. (c) Personal data shall not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the subject of the data, or as authorized by law or regulation. (d) Personal data collected must be relevant to the purpose for which it is collected. (e) The general means by which personal data is protected against loss, unauthorized access, use modification or disclosure shall be posted, unless such disclosure of general means would compromise legitimate state department or state agency objectives or law enforcement purposes. (f) Each state department or state agency shall designate a position within the department or agency, the duties of which shall include, but not be limited to, responsibility for the privacy policy within that department or agency.