HOUSE DOCKET, NO. 5076        FILED ON: 8/6/2018

HOUSE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 4873

The Commonwealth of Massachusetts

_________________

August 6, 2018

To the Honorable Senate and House of Representatives,

Pursuant to Article LVI, as amended by Article XC, Section 3 of the Amendments to the Constitution of the Commonwealth, I am returning to you for amendment House Bill No. 4806, “An Act Relative to Consumer Protection from Security Breaches.” 

I support the improvements this bill makes to Massachusetts laws that protect consumers from the consequences of data breaches that may expose their personal information.   I also approve of the bill’s provisions requiring that consumer credit rating agencies implement a “security freeze” on a consumer’s credit report for no charge at the request of the consumer and prohibiting the use of credit reports for the purpose of making hiring decisions.

I am concerned, however, that as drafted these new restrictions will prevent State agencies charged with ensuring payment of child support obligations and protecting the credit history of children under State care from fulfilling their statutory responsibilities.  I am therefore recommending an amendment to the bill that will allow these agencies to continue to access the consumer credit information they need to perform their important reviews. Likewise, the courts and State agencies that are required by law to review consumer credit information also should not be restricted in their functions by the consent provisions introduced by the bill.  For good reason, each of these uses have long been expressly permitted under State and Federal law. 

In addition, some of the bill’s new restrictions on access to consumer credit reports may have unintended consequences for financial institutions seeking to extend pre-qualified offers of credit and insurance coverage to Massachusetts consumers, a practice that is also expressly permitted under Federal law. 

Finally, I believe that a number of the useful reporting and remedial measures that the bill requires of entities that experience a data breach involving consumer information will require implementing regulations to be effective.

Accordingly, I recommend that the bill be amended by striking out Section 3 in its entirety and inserting in place thereof the following section:-

SECTION 3.  Said chapter 93 is hereby further amended by inserting after section 51A the following section:-

Section 51B.  Except for the purposes described in paragraphs (1), (4), and (5) of subsection (a), subparagraphs (A), (C), (D) and (E) of paragraph (3) of subsection (a), and subsection (c) of 15 U.S.C. section 1681b and subclause (i) of clause (3) of subsection (a) of section 51, a user shall not obtain, use or seek the consumer report of a consumer unless the user: (i) obtains the prior written, verbal or electronic consent of the consumer, as is appropriate for the manner in which the transaction or extension of credit was negotiated or entered into; and (ii) discloses, prior to obtaining the consumer’s consent, the user’s reason for accessing the consumer report to the consumer.

Nothing in this section shall prohibit a user who has already secured the consent of the consumer, or an investor or potential investor of an existing credit obligation, from obtaining a consumer report in connection with: (i) the same transaction; (ii) reviewing an existing account; (iii) increasing the credit line on an existing account; (iv) taking collection action on an existing account; (v) providing products and services or offering of products and services to an existing customer’s account; or (vi) any other permissible purpose pursuant to paragraphs (1), (4), and (5) of subsection (a), or subparagraphs (A), (C), (D) or (E) of paragraph (3) of subsection (a), or subsection (c) of 15 U.S.C. section 1681b, or pursuant to subclause (i) of clause (3) of subsection (a) of section 51.

A user shall not require or request that a consumer waive this section and any such waiver shall be void.  Failure to comply with this section shall constitute an unfair practice under clause (a) of section 2 of chapter 93A.

Notwithstanding the restrictions of this section, the department of children and families shall be permitted to obtain a consumer report for any child in the department’s custody who is 14 years of age or older without obtaining the consent of the child or disclosing to the child the department’s reason for accessing the consumer report in order to fulfill the department’s obligations pursuant to 42 U.S.C. 675(5)(I) and Public Law 113-183 or any other similar requirement of federal law.

I further recommend that the bill be amended by inserting after subsection (e) in Section 10 the following subsection:-

(f) The department of consumer affairs and business regulation may promulgate regulations interpreting and applying this section and section 3A.

Respectfully submitted

Charles D. Baker,

Governor