Amendment #4 to H4232
W&M Tech
Mr. Sánchez of Boston moves to amend the bill by striking out section 12, in its entirety, and inserting in place thereof the following section:-
SECTION 12. Said chapter 93 is hereby further amended by inserting after section 62A the following section:-
Section 62B. (a) For the purposes of this section, the following words shall have the following meanings:-
“Protected consumer”, an individual who is under 16 years of age at the time a request for the placement of a security freeze is made, or an incapacitated person or a protected person as such are defined in section 5-101 of article V of chapter 190B.
“Record”, a compilation of information that identifies a protected consumer created by a consumer reporting agency solely for the purpose of complying with this section. This record may not be created or used to consider the protected consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living.
“Representative”, a person who provides to a consumer reporting agency sufficient proof of authority to act on behalf of a protected consumer.
“Security freeze”, (1) if a consumer reporting agency does not have a file that pertains to a protected consumer, a restriction that; (i) is placed on the protected consumer’s record in accordance with this section, and (ii) except as otherwise provided in this section, prohibits the consumer reporting agency from releasing the protected consumer’s record; or (2) if a consumer reporting agency has a file that pertains to the protected consumer, a restriction that prevents the consumer reporting agency from releasing the protected consumer’s consumer report or any information derived from the protected consumer’s consumer report.
“Sufficient proof of authority”, documentation that shows a representative has authority to act on behalf of a protected consumer, including but not limited to, an order issued by a court of law, a lawfully executed and valid power of attorney or a written, notarized statement signed by a representative that expressly describes the authority of the representative to act on behalf of a protected consumer.
“Sufficient proof of identification”, information or documentation that identifies a protected consumer or a representative of a protected consumer, including but not limited to, a social security number or a copy of a social security card issued by the social security administration, a certified or official copy of a birth certificate issued by the entity authorized to issue the birth certificate, or a copy of a driver’s license, an identification card issued by the motor vehicle administration, or any other government issued identification.
(b) This section shall not apply to the use of a protected consumer’s consumer report or record by any of the following:-
(1) a person or agent thereof, or an assignee of a financial obligation owing by the consumer to such person or agent thereof, or a prospective assignee of a financial obligation owing by the consumer to that person or agent thereof in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had, prior to assignment, an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract or negotiable instrument. For purposes of this paragraph, “reviewing the account” shall include activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements; or access to said account by a subsidiary, affiliate, agent, assignee or prospective assignee of a person, or agent thereof, to whom access has been granted for purposes of facilitating the extension of credit or other permissible use;
(2) any federal, state or local agency, law enforcement agency, or trial court acting pursuant to a court order, warrant or subpoena;
(3) the Massachusetts child support agency under Title IV-D of the Social Security Act, 42 U.S.C. et seq.;
(4) the executive office of health and human services or its agents or assigns acting to investigate Medicaid fraud;
(5) the department of revenue or its agents or assignees acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;
(6) a person using credit information for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act;
(7) any person administering a credit file monitoring subscription service to which the protected consumer has subscribed or the protected consumer's representative has subscribed on the protected consumer's behalf;
(8) a person who, upon request from the protected consumer or the protected consumer’s representative, provides the protected consumer or the protected consumer’s representative with a copy of the protected consumer’s consumer report;
(9) to the extent otherwise allowed by statute, any property and casualty insurer licensed by the commonwealth for use in rating or underwriting insurance policies;
(10) a check services or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar payment methods;
(11) a deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse or similar information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing an individual's request for a deposit account at the inquiring bank or financial institution;
(12) an insurance company for the purpose of conducting the insurance company's ordinary business;
(13) a consumer reporting agency that only resells credit information by assembling and merging information contained in a database of another consumer reporting agency or multiple consumer reporting agencies and that does not maintain a permanent database of credit information from which new consumer reports are produced, except that such financial institution or consumer reporting agency shall be subject to any security freeze placed on a consumer report by another consumer reporting agency from which it obtains information; or
(14) a consumer reporting agency's database or file that consists of information that; (a) concerns and is used for criminal record information, fraud prevention or detection, personal loss history information, or employment, tenant or individual background screening, and (b) is not used for credit granting purposes.
(c) A consumer reporting agency shall place a security freeze on a consumer report for a protected consumer if: (1) the consumer reporting agency receives a written, electronic or verbal request from the protected consumer, or, if required by law, their representative, for the placement of the security freeze; and (2) the protected consumer’s representative submits to the consumer reporting agency (i) sufficient proof of identification of the protected consumer, (ii) sufficient proof of identification of the protected consumer’s representative, and (iii) sufficient proof of authority to act on behalf of the protected consumer.
If a consumer reporting agency does not have a file that pertains to a protected consumer when the consumer reporting agency receives a request described in this section, the consumer reporting agency shall create a record for the protected consumer.
A consumer reporting agency shall place a security freeze on a consumer report for a protected consumer within 30 days of receiving a request for a security freeze on a consumer report by a protected consumer or the protected consumer’s representative.
(d) To remove a security freeze that is placed pursuant to this section, the protected consumer's representative or the protected consumer shall submit a request for the removal of the security freeze to the consumer reporting agency in writing, electronically or by telephone. In the case of a request by a protected consumer’s representative, sufficient proof of identification of the protected consumer and the representative, and sufficient proof of authority to act on behalf of the protected consumer shall be presented before the security freeze is lifted. In the case of a request by a protected consumer who is subject to a security freeze, sufficient proof of identification of the protected consumer and proof that the protected consumer is no longer a protected consumer, including but not limited to, an order issued by a court, shall be presented before the security freeze is lifted.
A consumer reporting agency shall remove the security freeze on a consumer report not later than 30 business days after receiving a request to remove the security freeze from the protected consumer or the protected consumer’s representative.
A consumer reporting agency may remove a security freeze for a protected consumer or delete a record of a protected consumer if the security freeze was placed or the record was created based on a material misrepresentation of fact by the protected consumer or the protected consumer's representative. A consumer reporting agency shall notify the protected consumer’s representative in writing or electronically 30 business days prior to removing a security freeze on the protected consumer’s consumer report or deleting a record of the protected consumer.
And moves to further amend the bill, by striking out section 13, in its entirety, and inserting in place thereof the following section:-
SECTION 13. Subsection (b) of section 3 of chapter 93H of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by striking out lines 45 through 52, inclusive and inserting in place thereof the following two paragraphs:-
The notice to be provided to the resident shall include, but shall not be limited to; (i) the consumer’s right to obtain a police report, (ii) how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, (iii) and mitigation services to be provided pursuant to this chapter; provided, however, that said notice shall not include the nature of the breach or unauthorized acquisition or use, or the number of residents of the commonwealth affected by said breach or unauthorized access or use. The person or agency breached shall provide a sample copy of the notice it intends to distribute to consumers to the attorney general and the office of consumer affairs and business regulation. The office of consumer affairs and business regulation shall make available electronic copies of the breach notices on its website and post the breach notice within 24 hours of receipt from the person or agency. As practicable and as such not to impede active investigation by the attorney general, the office of consumer affairs and business regulation shall update the breach notice on its website over time as new information is discovered through the investigation process. The attorney general shall provide information to consumers through its website on how consumers can access the data breach notices posted by the office of consumer affairs and business regulation.
The notice to be provided under this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.
And moves to further amend the bill, by striking out section 14 in its entirety.
And moves to further amend the bill, in section 15, by striking out, in lines 316 and 317, the words “amended by inserting at the end thereof” and inserting in place thereof the following words:- further amended by adding.
And moves to further amend the bill, by striking out section 16, in its entirety, and inserting in place thereof the following section:-
SECTION 16. Said section 3 of said chapter 93H, as so appearing, is hereby further amended by adding the following subsection:-
(e) If the breach of security includes a social security number, the person or agency shall offer to each resident whose personal information, including social security number, was breached or is reasonably believed to have been breached, credit monitoring services at no cost to such resident for a period of 1 year. Such person or agency shall provide all information necessary for such resident to enroll in such services and shall include information on how such resident can place a security freeze on such resident’s consumer report.
Additional co-sponsor(s) added to Amendment #4 to H4232
Representative: Jeffrey Sánchez