SECTION 1. Section 50 of chapter 93 of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by striking out the definition of “Consumer”, and inserting in place thereof the following 2 definitions:-
“Breach of security”, shall have the same meaning as in section 1 of chapter 93H.
“Consumer”, an individual.
SECTION 2. Said section 50 of said chapter 93, as so appearing, is hereby further amended by inserting after the definition of “Person” the following definition:-
“Personal information”, shall have the same meaning as in section 1 of chapter 93H.
SECTION 3. Said chapter 93, as so appearing, is hereby amended by inserting after section 51A the following new section:-
Section 51B. A user shall not obtain, use or seek the consumer report of a consumer in connection with an application for credit unless the user obtains the consent of the consumer via written, verbal, or electronic means as is appropriate in the manner in which an application for credit is made. A user shall not obtain, use or seek the consumer report of a consumer in connection with an application for credit without the consumer’s written, verbal, or electronic consent.
The user shall issue a consent form to the consumer within 15 minutes of receiving the consumer’s verbal or electronic consent to request the consumer report.
A waiver of this section shall be void and a user shall not require or request that a consumer waive it. Failure to comply with this section shall constitute an unfair practice under clause (a) of section 2 of chapter 93A.
SECTION 4. Section 56 of said chapter 93 of the General Laws, as so appearing, is hereby amended by striking out section 56 and inserting in place thereof the following;-
Section 56. (a) Every consumer reporting agency shall, upon request and proper identification of any consumer, clearly and accurately disclose to the consumer:
(1) the nature, contents and substance of all information, except medical information, in its file on the consumer at the time of the request, and which is obtainable based upon the identifying information supplied by the consumer when making such request, and if such consumer has made a written request, delivered a written copy, photocopy or electronic copy, of all such information except any code identifications which are used solely for purposes of transferring such information to and from consumer reporting agencies; provided, however, that the names of the users corresponding to the code identifications shall be disclosed to the consumer; provided, further, that the agency shall provide a clear, simple and plain meaning explanation of the information provided under this paragraph and such explanation shall be in a readable format and type, which shall in no case be smaller than ten point type;
(2) the sources of all credit information obtained through routine credit reporting or through any other credit reporting techniques in the file at the time of the request, except that the sources of information acquired solely for use in preparing an investigative consumer report and actually used for no other purpose need not be disclosed; provided, however, that in the event an action is brought pursuant to section sixty-five, such sources shall be available to the plaintiff under appropriate discovery procedures in the court in which the action is brought; and
(3) the recipients of any consumer report on the consumer which it has furnished for employment purposes within the two-year period preceding the request, and for any other purpose within the six-month period preceding the request.
(b) Every consumer reporting agency, upon contact by a consumer by phone, mail or electronically, or in person regarding information which may be contained in the agency files regarding that consumer, shall with each written disclosure, or in response to a request by the consumer to be advised as to his rights, promptly advise the consumer of the consumer's rights under this section. The written notice shall be in a clear and conspicuous format and be no smaller than ten point type. The notice shall inform the consumer of the consumer's rights under this chapter, provided in a clear and conspicuous manner, in substantially the following manner:
''You have a right to obtain a copy of your credit file from a consumer credit reporting agency. You may be charged a reasonable fee not exceeding eight dollars. There is no fee, however, if you have been turned down for credit, employment, insurance, or rental dwelling because of information in your credit report within the preceding sixty days. The consumer credit reporting agency must provide someone to help you interpret the information in your credit file. Each calendar year you are entitled to receive, upon request, one free consumer credit report.
You have a right to dispute inaccurate information by contacting the consumer reporting agency directly, either in writing, by electronic mail, through the credit reporting agency website, or by telephone. The consumer reporting agency shall provide, upon request and without unreasonable delay, a live representative of the consumer reporting agency to assist in dispute resolution whenever possible and practicable, or to the extent consistent with federal law. However, neither you nor any credit repair company or credit service organization has the right to have accurate, current, and verifiable information removed from your credit report. In most cases, under state and federal law, the consumer credit reporting agency must remove accurate, negative information from your report only if it is over seven years old, and must remove bankruptcy information only if it is over ten years old.
If you have notified a consumer credit reporting agency in writing that you dispute the accuracy of information in your file, the consumer credit reporting agency must then, within thirty business days, reinvestigate and modify or remove inaccurate information. The consumer credit reporting agency may not charge a fee for this service. Any pertinent information and copies of all documents you have concerning a dispute should be given to the consumer credit reporting agency.
If reinvestigation does not resolve the dispute to your satisfaction, you may send a statement to the consumer credit reporting agency to keep in your file, explaining why you think the record is inaccurate. The consumer credit reporting agency must include your statement about the disputed information in a report it issues about you.
You have a right to receive a record of all inquiries relating to a credit transaction initiated in the six months preceding your request, or two years in the case of a credit report used for employment purposes. This record shall include the recipients of any consumer credit report.
You have the right to opt out of any prescreening lists compiled by or with the assistance of a consumer credit reporting agency by calling the agency's toll-free telephone number, or contacting the agency electronically or in writing. You may be entitled to collect compensation, in certain circumstances, if you are damaged by a person's negligent or intentional failure to comply with the credit reporting act.
You have a right to request a ''security freeze'' on your consumer report. The security freeze will prohibit a consumer reporting agency from releasing any information in your consumer report without your express authorization. A security freeze shall be requested by sending a request either by certified mail, overnight mail, regular stamped mail, or electronically to a consumer reporting agency, or as authorized by regulation. The security freeze is designed to prevent credit, loans or services from being approved in your name without your consent. You should be aware that using a security freeze may delay, interfere with, or prevent the timely approval of any subsequent request or application you make regarding new loans, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular phone, utilities, digital signature, internet credit card transactions, or other services, including an extension of credit at point of sale.
When you place a security freeze on your consumer report, within 3 business days of receiving your request for a security freeze, the consumer reporting agency shall send a written or electronic confirmation of the security freeze and shall provide you with a personal identification number or password to use if you choose to remove the freeze on your consumer report or to authorize the release of your consumer report to a specific party or for a specified period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide the following:-
(1) the personal identification number or password provided by the consumer reporting agency;
(2) proper identification to verify your identity; and
(3) the third party or parties who are to receive the consumer report or the specified period of time for which the report shall be available to authorized users of the consumer report.
A consumer reporting agency that receives a request from a consumer to lift a freeze on a consumer report in writing by certified mail shall comply with the request not later than 3 business days after receiving the request; provided however, a consumer reporting agency that receives such a request electronically or by telephone shall comply with the request as soon as practicable and without unreasonable delay, but not later than 15 minutes after receiving the request.
A security freeze shall not apply to a person or entity, or to its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account, that requests information relative to your consumer report for the purposes of reviewing or collecting the account. ''Reviewing the account'' includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.”
SECTION 5. Section 57 of said chapter 93, as so appearing, is hereby amended, in line 13, by striking the words “only.” and inserting in place thereof the following words:- only; or (4) by electronic means if the consumer has made a written, verbal, or electronic request, with proper identification.
SECTION 6. Section 62A of said chapter 93, as so appearing, is hereby amended by inserting, in line 10, after the words “requests,” the following words:- or by secure website or by telephone,
SECTION 7. Said section 62A of said chapter 93, as so appearing, is hereby further amended by striking out the third paragraph and inserting in place thereof the following paragraph:-
A consumer reporting agency shall place a security freeze on a consumer report not later than 3 business days after receiving a written request from the consumer by mail. A consumer reporting agency that receives such a request electronically or by telephone shall comply with the request no later than 1 business day after receiving the request. The consumer reporting agency shall send a written or electronic confirmation of the security freeze to the consumer within 3 business days after receiving the request and shall provide the consumer with a unique personal identification number or a unique password, or both, to be used by the consumer for the purpose of providing authorization for the removal or lifting of the security freeze.
SECTION 8. Said section 62A of said chapter 93, as so appearing, is hereby further amended, in line 35, by inserting after the word “request.” the following sentence:- A consumer reporting agency that receives such a request electronically or by telephone shall comply with the request as soon as practicable and without unreasonable delay, not later than 15 minutes of receiving the request.
SECTION 9. Said section 62A of said chapter 93, as so appearing, is hereby further amended by inserting, in line 43, after the word “writing” the following words:- “or electronically”
SECTION 10. Said section 62A of said chapter 93, as so appearing, is hereby further amended by striking out the ninth paragraph and inserting in place thereof the following paragraphs:-
A consumer reporting agency shall remove a security freeze within 3 business days of receiving a written request for removal from a consumer who provides both proper identification and the personal identification number or password provided by the consumer reporting agency pursuant to this section. A consumer reporting agency shall remove a security freeze within 15 minutes of receiving an electronic or telephone request for removal from a consumer who provides both proper identification and the personal identification number or password provided by the consumer reporting agency pursuant to this section.
A consumer reporting agency need not remove a security freeze within the time provided in this section if failure to do so resulted from (1) an act of God, war, natural disaster, strike, or (2) unauthorized or illegal acts by a third party; (3) operational interruption; (4) governmental action; (5) regularly scheduled maintenance, during other than normal business hours, of, or updates to, the consumer reporting agency's systems; (6) commercially reasonable maintenance of, or repair to, the consumer reporting agency's systems that is unexpected or unscheduled; or (7) receipt of a removal request outside of normal business hours.
SECTION 11. Said section 62A of said chapter 93, as so appearing, is hereby further amended by striking out the eleventh paragraph and inserting the following 2 paragraphs:-
A consumer reporting agency shall not charge a fee to any consumer who elects to freeze, lift, or remove a security freeze from a consumer report.
A consumer reporting agency that compiles and maintains files on consumers on a nationwide basis and receives a request by a consumer for a security freeze shall identify, to the best of its knowledge, any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis and inform consumers of appropriate websites, toll-free telephone numbers and mailing addresses that would permit the consumer to place, lift or remove a security freeze from such other consumer reporting agency. The consumer reporting agencies subject to this section may establish a centralized source, including, but not limited to, a website, that directs a consumer to such websites, toll-free telephone numbers and mailing addresses.
SECTION 12. Said Chapter 93 of the General Laws, as so appearing, is hereby amended by inserting after section 62A the following section:-
Section 62B. (a) As used in this section, the following words shall have the following meanings:
“Protected consumer”, an individual who is under the age of seventeen years at the time a request for the placement of a security freeze is made or an incapacitated person or a protected person, as defined in section 5-101 of article V of chapter 190B.
“Record”, a compilation of information that identifies a protected consumer created by a consumer reporting agency solely for the purpose of complying with this section. This record may not be created or used to consider the protected consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.
“Representative”, a person who provides to a consumer reporting agency sufficient proof of authority to act on behalf of a protected consumer.
“Security freeze”, (1) if a consumer reporting agency does not have a file that pertains to a protected consumer, a restriction that (i) is placed on the protected consumer’s record in accordance with this section; and (ii) except as otherwise provided in this section, prohibits the consumer reporting agency from releasing the protected consumer’s record; or (2) if a consumer reporting agency has a file that pertains to the protected consumer, a restriction that prevents the consumer reporting agency from releasing the protected consumer’s consumer report or any information derived from the protected consumer’s consumer report.
“Sufficient proof of authority”, documentation that shows a representative has authority to act on behalf of a protected consumer and includes an order issued by a court of law, a lawfully executed and valid power of attorney or a written, notarized statement signed by a representative that expressly describes the authority of the representative to act on behalf of a protected consumer.
“Sufficient proof of identification”, information or documentation that identifies a protected consumer or a representative of a protected consumer and includes a social security number or a copy of a social security card issued by the social security administration, a certified or official copy of a birth certificate issued by the entity authorized to issue the birth certificate, or a copy of a driver’s license, an identification card issued by the motor vehicle administration, or any other government issued identification.
(b) This section shall not apply to the use of a protected consumer’s consumer report or record by any of the following-
(1) a person or agent thereof, or an assignee of a financial obligation owing by the consumer to such person or agent thereof, or a prospective assignee of a financial obligation owing by the consumer to that person or agent thereof in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had, prior to assignment, an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract or negotiable instrument. For purposes of this paragraph, ''reviewing the account'' shall include activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements; or access to said account by a subsidiary, affiliate, agent, assignee or prospective assignee of a person, or agent thereof, to whom access has been granted for purposes of facilitating the extension of credit or other permissible use;
(2) any federal, state or local agency, law enforcement agency, or trial court acting pursuant to a court order, warrant or subpoena;
(3) the Massachusetts child support agency under Title IV-D of the Social Security Act, 42 U.S.C. et seq;
(4) the executive office of health and human services or its agents or assigns acting to investigate Medicaid fraud;
(5) the department of revenue or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;
(6) a person using credit information for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act;
(7) any person administering a credit file monitoring subscription service to which the protected consumer has subscribed or the protected consumer's representative has subscribed on the protected consumer's behalf;
(8) a person who, upon request from the protected consumer or the protected consumer’s representative, provides the protected consumer or the protected consumer’s representative with a copy of the protected consumer’s consumer report;
(9) to the extent otherwise allowed by statute, any property and casualty insurer licensed by the commonwealth for use in rating or underwriting insurance policies;
(10) a check services or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar payment methods;
(11) a deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or similar information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing an individual's request for a deposit account at the inquiring bank or financial institution;
(12) an insurance company for the purpose of conducting the insurance company's ordinary business;
(13) a consumer reporting agency that only resells credit information by assembling and merging information contained in a database of another consumer reporting agency or multiple consumer reporting agencies and that does not maintain a permanent database of credit information from which new consumer reports are produced, except that such financial institution or consumer reporting agency shall be subject to any security freeze placed on a consumer report by another consumer reporting agency from which it obtains information; or
(14) a consumer reporting agency's database or file that consists of information that (a) concerns and is used for criminal record information, fraud prevention or detection, personal loss history information, or employment, tenant, or individual background screening and (b) is not used for credit granting purposes.
(c) A consumer reporting agency shall place a security freeze on a consumer report for a protected consumer if (1) the consumer reporting agency receives a request from the protected consumer’s representative for the placement of the security freeze and (2) the protected consumer’s representative (submits to the consumer reporting agency (i) sufficient proof of identification of the protected consumer; (ii) sufficient proof of identification of the protected consumer’s representative; and (iii) sufficient proof of authority to act on behalf of the protected consumer.
If a consumer reporting agency does not have a file that pertains to a protected consumer when the consumer reporting agency receives a request described in this section, the consumer reporting agency shall create a record for the protected consumer.
Upon receiving a request for a security freeze on a consumer report by a protected consumer or the protected consumer’s representative, a consumer reporting agency shall place a security freeze for a protected consumer within 30 days.
(d) To remove a security freeze that is placed under this section, the protected consumer's representative or the protected consumer shall submit a request for the removal of the security freeze to the consumer reporting agency in writing, electronically, or by telephone. In the case of a request by the representative of a protected consumer, sufficient proof of identification of the protected consumer and the representative, and sufficient proof of authority to act on behalf of the protected consumer must be presented before the security freeze is lifted. In the case of a request by a protected consumer who is subject to a security freeze, sufficient proof of identification of the consumer and proof that the consumer is no longer a protected consumer must be presented before the security freeze is lifted.
A consumer reporting agency shall remove the security freeze on a consumer report not later than 30 business days after receiving a request from the protected consumer or the protected consumer’s representative.
A consumer reporting agency may remove a security freeze for a protected consumer or delete a record of a protected consumer if the security freeze was placed or the record was created based on a material misrepresentation of fact by the protected consumer or the protected consumer's representative. If a consumer reporting agency intends to remove a freeze on a protected consumer report or delete a record of a protected consumer due to a material misrepresentation of fact, the consumer reporting agency shall notify the protected consumer’s representative in writing or electronically 5 business days prior to removing the freeze on the consumer report.
SECTION 13. Subsection (b) of section 3 of chapter 93H of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by striking out lines 45 through 52, inclusive and inserting in place thereof the following paragraph:-
The notice to be provided to the resident shall include, but not be limited to, the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, mitigation services to be provided pursuant to this chapter, and any fees required to be paid to any of the consumer reporting agencies, provided however, that said notification shall not include the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by said breach or unauthorized access or use. The person or agency breached shall provide a sample copy of the notification it intends to distribute to consumers to the attorney general and the office of consumer affairs and business regulations. The office of consumer affairs and business regulations shall make available electronic copies of the breach notices on its website and post the breach notification within 24 hours of receipt. As practicable and as such not to impede active investigation by the attorney general, the office of consumer affairs and business regulations shall update the breach notification on its website over time as new information is discovered through the investigation process. The attorney general shall provide information to consumers through its website on how consumers can access the data breach notifications posted by the office of consumer affairs and business regulations.”
SECTION 14. Section 3 of chapter 93H of the General Laws, as so appearing, is hereby amended by inserting after subsection (c) the following paragraph:-
The notice to be provided under this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.
SECTION 15. Said section 3 of said chapter 93H, as so appearing, is amended by inserting at the end thereof the following subsection:-
(d) If the person or agency that is breached is owned by another person or corporation, the notice to the consumer shall include the name of parent, or affiliated corporation, trustee, or agent thereof.
SECTION 16. Said section 3 of said chapter 93H, as so appearing, is hereby amended by inserting at the end thereof the following:-
If the breach of security includes a social security number or federal tax identification number, the person shall offer to each resident, whose personal information, including social security number or federal tax identification number was breached or is reasonably believed to have been breached, credit monitoring services at no cost to such resident for a period of 1 year. Such person shall provide all information necessary for such resident to enroll in such services and shall include information on how such resident can place a credit freeze on such resident’s credit file.
The information contained in this website is for general information purposes only. The General Court provides this information as a public service and while we endeavor to keep the data accurate and current to the best of our ability, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.