FILED ON: 2/14/2018
SENATE No. 2304
Senate, February 14, 2018 -- Substituted by amendment by the Senate (Senator L'Italien) as a new draft for Senate, No. 130
The Commonwealth of Massachusetts
In the One Hundred and Ninetieth General Court
An Act relative to consumer protection from security breaches.
Whereas, The deferred operation of this act would tend to defeat its purpose, which is to enhance consumers’ ability to protect their credit reports, therefore, it is hereby declared to be an emergency law, necessary for the immediate preservation of the public convenience.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
SECTION 1. Section 50 of chapter 93, as appearing in the 2016 Official Edition, is hereby amended by striking out the definition of “Consumer”, and inserting in place thereof the following 2 definitions:–
“Consumer”, an individual.
“Breach of security”, shall have the same meaning as in section 1 of chapter 93H.
SECTION 2. Said section 50 of said chapter 93, as so appearing, is hereby further amended by inserting after the definition of “Person” the following definition:–
“Personal information”, shall have the same meaning as in section 1 of chapter 93H.
SECTION 3. Chapter 93 is hereby amended by inserting after section 51A the following new section:-
Section 51B. A user shall not obtain, use or seek the consumer report or credit score of a consumer unless the user: (i) obtains the written consent of the consumer in a document that consists solely of the consent and does so each time that the user seeks to obtain the consumer report or credit score of a consumer; and (ii) discloses the user’s reason for accessing the consumer report or credit score to the consumer or applicant in writing.
A waiver of this section shall be void and a user shall not require or request that a consumer waive it.
Failure to comply with this section shall constitute an unfair practice under clause (a) of section 2 of chapter 93A.
SECTION 4. Section 59 of said chapter 93, as so appearing, is hereby amended by inserting at the end thereof, the following 3 subsections:-
(f) In addition to the requirements of subsection (d), and for the purpose of preventing or mitigating identity theft or financial fraud, when a consumer is informed through notice under section 93H that the consumer’s personal information was acquired or used by an unauthorized person or used for an unauthorized purpose, or that the consumer was the subject of a breach of security, then the consumer shall be entitled to not less than 3 free copies of a consumer report from each consumer reporting agency which compiles and maintains files on consumers on a nationwide basis.
(g) If a consumer receives the notice under subsection (f) or is the subject of a breach of security, and the consumer’s personal information was held by a consumer reporting agency, then that consumer reporting agency shall offer to provide appropriate identity theft prevention and mitigation services at no cost to the consumer for not less than 60 months. The consumer reporting agency shall provide the consumer with information necessary to take advantage of the offer.
(h) A consumer reporting agency shall not require a consumer to waive his or her right to a private right of action as a condition of exercising any of the provisions of this chapter.
SECTION 5. Section 62A of said chapter 93, as so appearing, is hereby amended by striking out the eleventh paragraph and inserting in place thereof the following 3 paragraphs:-
A consumer reporting agency shall not charge a fee to any consumer, including a minor, who elects to freeze, lift or remove a security freeze from a consumer report.
If a consumer requests a security freeze from a consumer reporting agency which compiles and maintains files on consumers on a nationwide basis, then the consumer shall have the option to have said security freeze applicable to any other consumer reporting agency which compiles and maintains files on consumers on a nationwide basis. A consumer reporting agency shall not charge a fee to a consumer who selects this option.
SECTION 6. Subsection (a) of section 2 of chapter 93H, as so appearing, is hereby amended by inserting at the end thereof the following:-
Such regulations shall require each such person who owns or licenses the information of not less than 1,000 residents of the commonwealth to encrypt, to the extent technologically feasible, personal information transmitted by the person and held by the person; or, if encryption is not technologically feasible, that each such person develop, implement and maintain alternative compensating controls consistent with industry standards and the person's assessment of risk, to protect the security, confidentiality and integrity of the personal information.
SECTION 7. The department of consumer affairs and business regulation shall promulgate regulations implementing section 6 of this act not later than 12 months after the effective date of this act.