Bill H.298

HOUSE DOCKET, NO. 2045 FILED ON: 1/17/2013

HOUSE . . . . . . . . . . . . . . . No. 298

By Mr. Straus of Mattapoisett, a petition (accompanied by bill, House, No. 298) of William M. Straus relative to the protection of personal information in consumer transactions. Consumer Protection and Professional Licensure.

[SIMILAR MATTER FILED IN PREVIOUS SESSION
SEE HOUSE, NO. 126 OF 2011-2012.]

The Commonwealth of Massachusetts

_______________

In the Year Two Thousand Thirteen

_______________

An Act relative to identity theft protection..

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1. Section 50 of chapter 93 of the General Laws, as so appearing, is hereby amended by inserting after the definition “user” the following definition:

“Security freeze”, a notice, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing all or any part of the consumer’s credit report or any information derived from it without the express authorization of the consumer. If a security freeze is in place, such a report or information may not be released to a third party without prior express authorization from the consumer. This subdivision does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer’s credit report.

“Reviewing the account" or "account review" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements

SECTION 2. Said chapter 93 is hereby amended by inserting after section 51A the following section:-

Section 51B Consumer Report Security Freeze

1)A consumer may elect to place a “security freeze” on his or her credit r e port by:

a)making a request by mail,

b)making a request by telephone by providing certain personal identification, or

c)making a request directly to the consumer reporting agency through a secure electronic mail connection if such connection is made available by the agency. Credit reporting agencies shall make a secure electronic mail method of requesting a security freeze available within 180 days of this Act’s effective date.

2)A consumer reporting agency shall place a security freeze on a consumer’s credit report no later than five business days after receiving a written or telephone request from the consumer or three business days after receiving a secure electronic mail request. Within one year of this Act’s effective date, a consumer reporting agency shall place a security freeze on a consumer’s credit report no later than 3 business days after receiving a written or telephone request from the consumer or one business day after receiving a secure electronic mail request. Within two years of this Act’s effective date, a consumer reporting agency shall place a security freeze on a consumer’s credit reporting agency no later than one business day after receiving a written or telephone request.

3)The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within five business days of placing the freeze and at the same time shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit for a specific party or period of time, or when permanently lifting the freeze.

4)If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer reporting agency via telephone, mail, or secure electronic mail, with a request that the freeze be temporarily lifted, and provide the following:

a)proper identification,

b)the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (3) of subsection B, and

c)the proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

5)A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report pursuant to paragraph (4) of subsection (B) shall comply with the request no later than three business days after receiving the request. Within one year of this Act’s effective date, a consumer reporting agency shall honor such a request no later than one business day after receiving the request. Within two years of this Act’s effective date, a consumer reporting agency shall honor such a request made by electronic mail or by telephone within fifteen minutes of receiving the request.

6)A consumer reporting agency shall develop procedures involving the use of telephone, fax, or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act [E-Sign] for legally required notices, by the Internet, e-mail, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report pursuant to paragraph (4) of subsection (B) in an expedited manner.

7)A consumer reporting agency shall remove or temporarily lift a freeze placed on a consumer’s credit report only in the following cases:

a)upon consumer request, pursuant to paragraph (4) or paragraph (10) of subsection (B);

b)if the consumer’s credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer reporting agency intends to remove a freeze upon a consumer’s credit report pursuant to this paragraph, the consumer reporting agency shall notify the consumer in writing five business days prior to removing the freeze on the consumer’s credit report.

8)If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

9)If a third party requests access to a consumer credit report on which a security freeze is in effect for the purpose of receiving, extending, or otherwise utilizing the credit therein, and not for the sole purpose of account review, the consumer credit report agency must notify the consumer that an attempt has been made to access the credit report.

10)A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both of the following:

a)proper identification, and

b)the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (3) of subsection (B).

Not later than one year after the effective date of this Act, a consumer reporting agency shall remove a security freeze within one business day after receiving such a request.

11)A consumer reporting agency shall require proper identification of the person making a request to place or remove a security freeze.

12)A consumer reporting agency may not suggest or otherwise state or imply to a third party that the consumer’s security freeze reflects a negative credit score, history, report or rating.

13)The provisions of this section do not apply to the use of a consumer credit report by any of the following:

a)a person, or the person's subsidiary, affiliate, agent, or assignee with which the consumer has or, prior to assignment, had an account, contract, or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or debt.

b)a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under paragraph (4) of subsection (B) for purposes of facilitating the extension of credit or other permissible use.

c)any person acting pursuant to a court order, warrant, or subpoena.

d)a State or local agency which administers a program for establishing and enforcing child support obligations.

e)the [state health department] or its agents or assigns acting to investigate fraud.

f)the [state tax authority] or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities.

g)a person for the purposes of prescreening as defined by the federal Fair Credit Reporting Act.

h)any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed.

i)any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer’s request.

14)A consumer reporting agency shall not charge a consumer any fee to place a security freeze or for temporary or permanent removal of the security freeze on a consumer report. A consumer reporting agency may charge up to $5 for a replacement of the personal identification number or password provided by the consumer reporting agency when the security freeze was requested. There shall be no such fees if a consumer:—

a)provides the consumer reporting agency with a copy of a police incident report or criminal complaint alleging identity theft;

b)is 62 years or older; or

c)is a person with a disability, as defined in section 1 of chapter 123B, or who is otherwise mentally or physically disabled and as a result of such mental or physical disability is wholly or partially dependent on another person or persons to meet his daily living needs.

d)is a veteran of the United States armed services or a person who receives veteran’s benefits.

Subsection C. Notice of Rights. At any time that a consumer is required to receive a summary of rights required under Section 609 of the federal Fair Credit Reporting Act the following notice shall be included:

Massachusetts Consumers Have the Right to Obtain a Security Freeze

You may obtain a security freeze on your credit report at no charge to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a “security freeze” on your credit report pursuant to [State law].

The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.

The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days (and by [date], no later than one business day ) you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report for a specific party, parties or period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide all of the following:

1.The unique personal identification number or password provided by the consumer reporting agency.

2.Proper identification to verify your identity.

3.The proper information regarding the third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report.

A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request (By [date] the consumer reporting agency must temporarily lift the freeze within 15 minutes of receiving the request.)

A security freeze does not apply to circumstances where you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account r e view, collection, fraud control or similar activities.

If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze – either completely if you are shopping around, or specifically for a certain creditor – with enough advance notice before you apply for new credit for the lifting to take effect. Until [date], you should lift the freeze at least 3 business days before applying; between [date] and [date] you should lift the freeze at least one business day before applying; and after [date] you should lift the freeze at least 15 minutes before applying for a new account.

You have a right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer reporting agency or a user of your credit report.”

Subsection D. Violations; Penalties.

If a consumer reporting agency erroneously, whether by accident or design, violates the security freeze by releasing credit information that has been placed under a security freeze, the affected consumer is entitled to:

1)Notification within five business days of the release of the information, including specificity as to the information released and the third party recipient of the information.

2)File a complaint with the Federal Trade Commission and the state Attorney General and the office of Consumer Affairs and Business Regulation.

3)In a civil action against the consumer reporting agency recover:

a)injunctive relief to prevent or restrain further violation of the security freeze, and/or

b)a civil penalty in an amount not to exceed $1,000 for each violation plus any damages available under other civil laws, and

c)reasonable expenses, court costs, investigative costs, and attorney’s fees.

4)Each violation of the security freeze shall be counted as a separate incident for purposes of imposing penalties under this section.

SECTION 3. The General Laws are amended to create a new Chapter 66B entitled “Consumer Breach Notification” and providing as follows:--

Section 1. Definitions. For the purposes of this chapter, the following terms shall have the following meanings:

1)“Data Collector” may include but is not limited to government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity which, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personal information.

2)‘‘Personal information,’’ means an individual’s last name, address, or phone number in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted, or encrypted with an encryption key that was also acquired:

a)Social Security number.

b)Driver’s license number or state identification card number.

c)Account number, credit or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords.

d)Account passwords or personal identification numbers (PINs) or other access codes.

e)Biometric data

f)Any of items (a)-(e) when not in connection with the individual’s last name, address or phone number if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

"Personal information’’ does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records and in the possession of a data receiver.

3)“Security Breach”, the unauthorized acquisition of computerized or non-computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. Good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector is not a breach of the security of the data, provided that the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure. Breach of the security of non-computerized data may include but is not limited to unauthorized photocopying, facsimiles, or other paper-based transmittal of documents.

Section 2. Notice of Breach.

1)Any data collector that owns or uses personal information in any form (whether computerized, paper, or otherwise) that includes personal information concerning a Massachusetts resident shall notify the resident that there has been a breach of the security of the data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (2) of subsection B, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system.

2)The notification required by this section may be delayed if a law enforcement agency determines in writing that the notification may seriously impede a criminal investigation.

3)For purposes of this section, ‘‘notice’’ to consumers may be provided by one of the following methods:

a)Written notice.

b)Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, for notices legally required to be in writing, set forth in Section 7001 of Title 15 of the United States Code.

c)Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

1.Conspicuous posting of the notice on the Internet site of the agency or person, if the agency or person maintains a public Internet site; and

2.Notification to major statewide media. The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual’s personal data is included in the security breach.

4)Content of Notice

Such notice shall include —

a)to the extent possible, a description of the categories of information that was, or is reasonably believed to have been, acquired by an unauthorized person, including social security numbers, driver's license or State identification numbers and financial data;

b)a toll-free number —

1.that the individual may use to contact the agency or person, or the agent of the agency or person; and

2.from which the individual may learn —

(a)what types of information the agency or person maintained about that individual or about individuals in general; and

(b)whether or not the agency or person maintained information about that individual; and

(c)the toll-free contact telephone numbers and addresses for the major credit reporting agencies.

5)The notification required by this section may be delayed if a law enforcement agency determines, in writing, that the notification may impede a criminal investigation.

6)Additional Obligation Following Breach -- A person required to provide notification under Subsection A shall provide or arrange for the provision of, to each individual to whom notification is provided under subsection and on request and at no cost to such individual, consumer credit reports from at least one of the major credit reporting agencies beginning not later than 2 months following a breach of security and continuing on a quarterly basis for a period of 2 years thereafter.

Subsection C. Remedies.

1)Violations of any provision of this section shall constitute and unfair and deceptive trade practice pursuant to the provisions of chapter ninety-three A.

Section 3. Social Security Numbers.

No person or data collector operating in the commonwealth shall:

(1)intentionally communicate or otherwise make available to the general public an individual’s Social Security number;

(2)print an individual’s Social Security number on any card required for the individual to access products or services provided by the person or data collector;

(3)require an individual to transmit his or her Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted;

(4)require an individual to use his or her Social Security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site;

(5)print an individual’s Social Security number on any materials that are mailed to the individual, unless required by law;

(6)sell, lease, loan, trade, rent, or otherwise disclose an individual’s Social Security number to a third party for any purpose without written consent to the disclosure from the individual.

Section 4. Disposal of Personal Information.

A data collector shall take all reasonable measures to protect against unauthorized access to or use of personal information in connection with, or after its disposal including, but not limited to:

(a)Implementing and monitoring compliance with polices and procedures that require the burning, pulverizing or shredding of papers containing personal information so that the information cannot practicably by read or reconstructed; and

(b)Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably by read or reconstructed.

SECTION 5. Penalties

Chapter 266 of the General Laws is hereby amended by striking out Section 37E and inserting in its place the following:-

Section 37E. Use of personal identification of another; identity fraud; penalty; restitution

(a)For purposes of this section, the following words shall have the following meanings: —

“Harass”, willfully and maliciously engage in an act directed at a specific person or persons, or at a specific organization or organizations, which act seriously alarms or annoys such person or persons or any person or persons employed by or associated with such organization or organizations, and would cause a reasonable person to suffer substantial emotional distress.

“Identifying information”, any name or number that may be used, alone or in conjunction with any other information, to assume the identity of an individual or organization including any name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, tax identification number, mother's maiden name, demand deposit account number, savings account number, credit card number, computer password identification or other identifying information.

“Organization”, any corporation, partnership, joint venture, firm, sole proprietorship, association of individuals, or any other professional or business entity.

“Person with a disability”, a person who is mentally retarded, as defined by section one of chapter one hundred and twenty-three B or who is otherwise mentally or physically disabled and as a result of such mental or physical disability is wholly or partially dependent on another person or persons to meet his daily living needs.

“Pose”, to falsely represent oneself, directly or indirectly, as another person, persons, or organization.

“Victim”, any person who, or organization that, has suffered financial loss or any entity that provided money, credit, goods, services or anything of value and has suffered financial loss as a direct result of the commission or attempted commission of a violation of this section.

(b)Whoever, with fraudulent intent, knowingly and intentionally poses as another person, living or dead, as a representative of an organization, or as being authorized to act on behalf of an organization, and uses such person's or organization’s identifying information to obtain or to attempt to obtain money, credit, goods, services, anything of value, any identification card or other evidence of such person's or organization’s identity, to harass another person or organization, to commit an illegal act, or to avoid identification, apprehension or prosecution for a crime shall be guilty of the crime of identity fraud and shall be punished for an initial offense by a fine of not more than $5,000 or imprisonment in a house of correction for not more than two and one-half years, or by both such fine and imprisonment and for a second and subsequent offense by a fine of not more than $25,000 or imprisonment in the state prison for not more than five years or a house of correction for not more than two and one half years, or both such fine and imprisonment.

(c)Whoever, with fraudulent intent, knowingly and intentionally obtains identifying information about another person, living or dead, or an organization, with the intent to pose as such person, or as a representative of such organization, or as being authorized to act on behalf of an organization in order to obtain money, credit, goods, services, anything of value, any identification card or other evidence of such person's or organization’s identity, to harass another person or organization, or to avoid identification, apprehension or prosecution for a crime shall be guilty of the crime of identity fraud and shall be punished for an initial offense by a fine of not more than $5,000 or imprisonment in a house of correction for not more than two and one-half years, or by both such fine and imprisonment and for a second and subsequent offense by a fine of not more than $25,000 or imprisonment in the state prison for not more than five years or a house of correction for not more than two and one half years, or both such fine and imprisonment.

(d)Whoever commits an offense described in this section by using the identifying information of a person sixty-five years or older or a person with a disability shall be punished by a fine of not more than $10,000 or imprisonment in the state prison for not more than five years, or in jail for not more than two and one half years, or both and for a second and subsequent offense by a fine of not more than $25,000 or imprisonment in the state prison for not more than ten years or a house of correction for not more than two and one half years, or both such fine and imprisonment.

(e)Whoever knowingly and intentionally manufactures, sells, purchases, transfers, gives, trades, loans, delivers, or possesses five or more items containing the identifying information of the same person or organization, or the identifying information of five or more separate persons or organizations with the intent to commit an offense described in this section or to assist another to commit an offense described in this section shall be guilty of the crime of trafficking in stolen identities and shall be punished by a fine of not more than $25,000 or imprisonment in the state prison for not more than five years, or in jail for not more than two and one half years, or both and for a second and subsequent offense by a fine of not more than $50,000 or imprisonment in the state prison for not more than ten years or a house of correction for not more than two and one half years, or both such fine and imprisonment.

(f)The knowledge or intent of the person alleged to have committed any of the crimes within this section may be proved by direct or circumstantial evidence and the testimony of the individual or a representative on behalf of the organization whose identifying information or item containing identifying information was obtained or used to commit any of the crimes within this section shall not be required to find a person guilty of those crimes.

(g)An offense under this section may be prosecuted in any county in which an element of the offense was committed or in the county of residence of the person or organization whose identifying information was allegedly used in the commission of the crimes of identity fraud or of trafficking in stolen identities as defined in this section.

(h)A person found guilty of violating any provisions of this section shall, in addition to any other punishment, be ordered to make restitution for financial loss sustained by a victim as a result of such violation. Financial loss may include any costs incurred by such victim in correcting the credit history of such victim or any costs incurred in connection with any civil or administrative proceeding to satisfy any debt or other obligation of such victim, including lost wages and attorney's fees.

(i)A victim who reasonably believes that his or her personal identifying information has been unlawfully used in violation of this section may initiate a law enforcement investigation by contacting the local law enforcement agency that has jurisdiction over his or her actual residence or by contacting a local law enforcement agency that has jurisdiction over any location where his or her personal identifying information has been unlawfully used. Said law enforcement agency shall provide the victim with a written report of the incident and may begin an investigation of the facts or, if the suspected crime was committed in a different jurisdiction, refer the matter to the law enforcement agency where the suspected crime was committed for an investigation of the facts. Nothing in this section shall interfere with the discretion of a local police department to allocate resources for investigations of crimes and a complaint filed under this section shall not be counted as an open case for the purpose compiling open case statistics.

(j)A law enforcement officer may arrest without warrant any person he has probable cause to believe has committed the offense of identity fraud or trafficking in stolen identities as defined in this section.

Name:	District/Address:	Date Added:
William M. Straus	10th Bristol