SENATE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 2455

 

The Commonwealth of Massachusetts

 

_______________

In the One Hundred and Ninetieth General Court
(2017-2018)

_______________

 

 

SENATE, April 19, 2018

The committee on Ways and Means, to whom was referred the House Bill removing fees for security freezes and disclosures of consumer credit reports (House, No. 4241) (also based on Senate, No. 2305); reports, recommending that the same ought to pass with an amendment striking out all after the enacting clause and inserting in place thereof the text of Senate document numbered 2455; and by striking out the title and inserting in place thereof the following title:- “An Act relative to consumer protection from security breaches”; and by inserting before the enacting clause the following emergency preamble:- Whereas, The deferred operation of this act would tend to defeat its purpose, which is to enhance forthwith the ability of consumers to protect their credit reports, therefore, it is hereby declared to be an emergency law, necessary for the immediate preservation of the public convenience.

 

 

For the committee,
Karen E. Spilka


 

SECTION 1. Section 50 of chapter 93 of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by striking out the definition of “Consumer” and inserting in place thereof the following 2 definitions:–

“Breach of security”, shall have the same meaning as in section 1 of chapter 93H.

“Consumer”, an individual.

SECTION 2.  Said section 50 of said chapter 93, as so appearing, is hereby further amended by inserting after the definition of “Person” the following definition:–

“Personal information”, shall have the same meaning as in section 1 of chapter 93H.

SECTION 3. Said chapter 93 is hereby further amended by inserting after section 51A the following section:-

Section 51B. A user shall not obtain, use or seek the consumer report of a consumer unless the user: (i) obtains the written, verbal or electronic consent of the consumer, as is appropriate for the manner in which the transaction or extension of credit was negotiated or entered into; and (ii) discloses the user’s reason for accessing the consumer report to the consumer.

Nothing in this section shall prohibit a user who has secured the consent of the consumer from obtaining a credit report in connection with: (i) the same transaction; (ii) reviewing an existing account for purpose of the extension of credit; (iii) increasing the credit line on an existing account; (iv) taking collection action on an existing account; or (v) for any other legitimate purpose associated with an existing account.

A user shall not require or request that a consumer waive this section and any such waiver shall be void.

Failure to comply with this section shall constitute an unfair practice under clause (a) of section 2 of chapter 93A.

SECTION 4. Section 56 of said chapter 93, as appearing in the 2016 Official Edition, is hereby amended by inserting after the word “copy”, in line 8, the following words:- , electronic copy.

SECTION 5. Said section 56 of said chapter 93, as so appearing, is hereby further amended by inserting after the word “mail,”, in line 32, the following word:- electronically.

SECTION 6. Said section 56 of said chapter 93, as so appearing, is hereby further amended by inserting after the word “writing”, in line 51, the following words:- , by electronic mail through the credit reporting agency website.

SECTION 7. Said section 56 of said chapter 93, as so appearing, is hereby further amended by inserting after the word “agency”, in line 83, the following words:- electronically or.

SECTION 8. Said section 56 of said chapter 93, as so appearing, is hereby further amended by striking out, in lines 91 and 92, the words “or regular stamped mail” and inserting in place thereof the following words:- , regular stamped mail or electronically.

SECTION 9. Said section 56 of said chapter 93, as so appearing, is hereby further amended by inserting after the word “agency”, in line 104, the following words:- shall send a written or electronic confirmation of the security freeze and.

SECTION 10. Said section 56 of said chapter 93, as so appearing, is hereby further amended by inserting after the word “consumer”, in lines 116 and 117, the following words:- in writing by mail.

SECTION 11. Said section 56 of said chapter 93, as so appearing, is hereby further amended by inserting after the word “days”, in line 118, the following words:- after receiving the request; provided, however, that a consumer reporting agency that receives such request electronically or by telephone shall comply with the request as soon as practicable and without unreasonable delay, but not later than 15 minutes.

SECTION 12. Said section 56 of said chapter 93, as so appearing, is hereby further amended by striking out, in lines 123 and 124, the words “, if you have previously given consent to the use of your consumer report”.

SECTION 13. Section 57 of said chapter 93, as so appearing, is hereby amended by inserting after the word “only”, in line 13, the following words:-  ; or

(4) by electronic means if the consumer has made a request therefor, with proper identification.

SECTION 14. Section 59 of said chapter 93, as so appearing, is hereby amended by adding the following 2 subsections:-

(f) If a breach of security occurs at a consumer reporting agency and includes a social security number, the consumer reporting agency shall offer to each consumer whose personal information, including social security number, was breached or is reasonably believed to have been breached, credit monitoring services at no cost to the consumer for not less than 5 years. The consumer reporting agency shall provide all information necessary for the consumer to enroll in such services and shall include information on how the consumer may place a security freeze on the consumer report.

(g) A consumer reporting agency shall not require a consumer to waive the consumer’s right to a private right of action as a condition of exercising any of the provisions of this chapter. 

SECTION 15. Section 62A of said chapter 93, as so appearing, is hereby amended by inserting after the words “requests,”, in line 10, the following words:- electronically, by telephone.

SECTION 16. Said section 62A of said chapter 93, as so appearing, is hereby further amended by striking out the third paragraph and inserting in place thereof the following paragraph:-

A consumer reporting agency shall place a security freeze on a consumer report not later than 3 business days after receiving a written request from the consumer by mail. A consumer reporting agency that receives a request electronically or by telephone shall comply with the request not later than 1 business day after receiving the request. The consumer reporting agency shall send a written or electronic confirmation of the security freeze to the consumer not later than 3 business days after receiving the request and shall provide the consumer with a unique personal identification number or a unique password, or both, to be used by the consumer for the purpose of providing authorization for the removal or lifting of the security freeze.

SECTION 17. Said section 62A of said chapter 93, as so appearing, is hereby further amended by inserting after the word “request”, in line 35, the following words:- ; provided, however, that a consumer reporting agency that receives such a request electronically or by telephone shall comply with the request as soon as practicable and without unreasonable delay but not later than 15 minutes after receiving the request.

SECTION 18. Said section 62A of said chapter 93, as so appearing, is hereby further amended by inserting after the word “writing”, in line 43,  the following words:- or electronically at least.

SECTION 19. Said section 62A of said chapter 93, as so appearing, is hereby further amended by striking out the ninth paragraph and inserting in place thereof the following 2 paragraphs:-

A consumer reporting agency shall remove a security freeze not later than 3 business days after receiving a written request for removal from a consumer who provides both proper identification and the personal identification number or password provided by the consumer reporting agency pursuant to this section. A consumer reporting agency shall remove a security freeze not later than 15 minutes after receiving an electronic or telephone request for such removal from a consumer who provides both proper identification and the personal identification number or password provided by the consumer reporting agency pursuant to this section.

A consumer reporting agency shall not be required to remove a security freeze within the time provided in this section if failure to do so resulted from: (i) an act of God, war, natural disaster or strike; (ii) unauthorized or illegal acts by a third party; (iii) operational interruption; (iv) governmental action; (v) regularly scheduled maintenance, except during normal business hours, of, or updates to, the consumer reporting agency’s systems; (vi) commercially reasonable maintenance or repair of the consumer reporting agency’s systems that is unexpected or unscheduled; or (vii) receipt of a removal request outside of normal business hours; provided, however, that a security freeze that was not removed pursuant to this paragraph shall be removed promptly upon resuming regular business activities. 

SECTION 20. Said section 62A of said chapter 93, as so appearing, is hereby further amended by striking out the eleventh paragraph and inserting in place thereof the following 3 paragraphs:-

A consumer reporting agency shall not charge a fee to a consumer who elects to freeze, lift or remove a security freeze from a consumer report.

A consumer reporting agency that compiles and maintains files on consumers on a nationwide basis and receives a request by a consumer for a security freeze shall identify, to the best of its knowledge, any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis and inform consumers of appropriate websites, toll-free telephone numbers and mailing addresses that would permit the consumer to place, lift or remove a security freeze from those other consumer reporting agencies. Upon sending confirmation of a security freeze to a consumer under the third paragraph of this section, a consumer reporting agency shall forward an official copy of the confirmation to other consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.  A consumer reporting agency that has received a forwarded official copy of a security freeze confirmation and has not placed a security freeze on that consumer’s account within 2 business days shall, not later than the third business day after receiving the forwarded official copy, use its best efforts to contact the consumer and inform the consumer how a security freeze may be placed on the consumer’s account held by that consumer reporting agency.

Consumer reporting agencies subject to this section may establish a centralized source including, but not limited to, a website, that directs consumers to that website or to a toll-free telephone number and mailing address.

SECTION 21. Said chapter 93 is hereby further amended by inserting after section 62A the following section:-

Section 62B. (a) For the purposes of this section, the following words shall have the following meanings unless the context requires otherwise:-

“Protected consumer”, an individual who is under 16 years of age at the time a request for the placement of a security freeze is made or an individual who is an incapacitated person or a protected person as defined in section 5-101 of article V of chapter 190B.

“Record”, a compilation of information that identifies a protected consumer that was created by a consumer reporting agency solely for the purpose of complying with this section; provided, however, that the record shall not be created or used to consider the protected consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living.

“Representative”, a person who provides to a consumer reporting agency sufficient proof of authority to act on behalf of a protected consumer.

“Security freeze”, if a consumer reporting agency does not have a file that pertains to a protected consumer, (i) a restriction that: (A) is placed on the protected consumer’s record in accordance with this section; and (B) except as otherwise provided in this section, prohibits the consumer reporting agency from releasing the protected consumer’s record; or (ii) if a consumer reporting agency has a file that pertains to the protected consumer, a restriction that prevents the consumer reporting agency from releasing the protected consumer’s consumer report or any information derived from the protected consumer’s consumer report.

“Sufficient proof of authority”, documentation that shows a representative has authority to act on behalf of a protected consumer including, but not limited to, a court order, a lawfully executed and valid power of attorney or a written, notarized statement signed by a representative that expressly describes the authority of the representative to act on behalf of a protected consumer.

“Sufficient proof of identification”, information or documentation that identifies a protected consumer or a representative of a protected consumer including, but not limited to, a social security number or a copy of a social security card issued by the social security administration, a certified or official copy of a birth certificate issued by the entity authorized to issue the birth certificate or a copy of a driver’s license or identification card issued by the registry of motor vehicles or any other government-issued identification.

(b) This section shall not apply to the use of a protected consumer’s consumer report or record by:

(i) a person, that person’s agent or an assignee or prospective assignee of a financial obligation owing by the consumer to that person or that person’s agent in conjunction with the proposed purchase of the financial obligation, with whom the consumer has or had, prior to assignment, an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract or negotiable instrument; provided, however, that for purposes of this clause, “reviewing the account” shall include activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements or access to the account by a subsidiary, affiliate, agent, assignee or prospective assignee of a person or that person’s agent, to whom access has been granted for purposes of facilitating the extension of credit or for any other permissible use;

(ii) a federal, state or local agency, law enforcement agency or the trial court, including the grand jury, acting pursuant to a court order, warrant or subpoena;

(iii) the Massachusetts child support agency under Title IV-D of the Social Security Act, 42 U.S.C. et seq.;

(iv) the executive office of health and human services or its agents or assigns acting to investigate Medicaid fraud;

(v) the department of revenue or its agents or assignees acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;

(vi) a person using credit information for prescreening under the federal Fair Credit Reporting Act;

(vii) a person administering a credit file monitoring subscription service to which the protected consumer has subscribed or the protected consumer’s representative has subscribed on the protected consumer’s behalf;

(viii) a person who, upon request from the protected consumer or the protected consumer’s representative, provides the protected consumer or the protected consumer’s representative with a copy of the protected consumer’s consumer report;

(ix) to the extent otherwise allowed by law, a property and casualty insurer licensed by the commonwealth for use in rating or underwriting insurance policies;

(x) a check services or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers or similar payment methods;

(xi) a deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse or similar information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing an individual’s request for a deposit account at the inquiring bank or financial institution;

(xii) an insurance company, for the purpose of conducting the insurance company’s ordinary business;

(xiii) a consumer reporting agency that only resells credit information by assembling and merging information contained in a database of another consumer reporting agency and that does not maintain a permanent database of credit information from which new consumer reports are produced, except that such financial institution or consumer reporting agency shall be subject to any security freeze placed on a consumer report by another consumer reporting agency from which it obtains information; or

(xiv) a consumer reporting agency’s database or file that consists of information that: (A) concerns and is used for criminal record information, fraud prevention or detection, personal loss history information or employment or tenant or individual background screening; and (B) is not used for credit-granting purposes.

(c) A consumer reporting agency shall place a security freeze on a consumer report for a protected consumer if the consumer reporting agency receives a request from the protected consumer or, if required by law, the protected consumer’s representative, for the placement of the security freeze. If the request is from a protected consumer’s representative, the protected consumer’s representative shall submit to the consumer reporting agency: (i) sufficient proof of identification of the protected consumer; (ii) sufficient proof of identification of the protected consumer’s representative; and (iii) sufficient proof of authority to act on behalf of the protected consumer.

If a consumer reporting agency does not have a file that pertains to a protected consumer when the consumer reporting agency receives a request described in this section, the consumer reporting agency shall create a record for the protected consumer and comply with the request if all other requirements of this section are met.

A consumer reporting agency shall place a security freeze on a consumer report not later than 30 business days after receiving a request from the protected consumer or the protected consumer’s representative to place that security freeze.

(d) To remove a security freeze placed pursuant to this section, the protected consumer or the protected consumer’s representative shall submit a request for the removal of the security freeze to the consumer reporting agency. In the case of a request submitted by a protected consumer’s representative, sufficient proof of identification of the protected consumer and the representative and sufficient proof of authority to act on behalf of the protected consumer shall be presented before the security freeze is lifted. In the case of a request submitted by a protected consumer who is subject to a security freeze, sufficient proof of identification of the protected consumer and proof that the protected consumer is no longer a protected consumer because the person is no longer under the age of 16 or an incapacitated person or a protected person as defined in section 5-101 of article V of chapter 190B shall be presented before the security freeze is lifted. For an incapacitated person or a protected person as defined in said section 5-101 of said article V of said chapter 190B, sufficient proof of identification shall include, but not be limited to, an order issued by a court.

A consumer reporting agency shall remove a security freeze on a consumer report not later than 30 business days after receiving a request to remove the security freeze from the protected consumer or the protected consumer’s representative.

A consumer reporting agency may remove a security freeze for a protected consumer or delete a record of a protected consumer if the security freeze was placed or the record was created based on a material misrepresentation of fact by the protected consumer or the protected consumer’s representative. A consumer reporting agency shall notify the protected consumer or the protected consumer’s representative in writing or electronically at least 30 business days before removing a security freeze on the protected consumer’s consumer report or before deleting a record of the protected consumer.

SECTION 22. Subsection (a) of section 2 of chapter 93H of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by adding the following sentence:-   The regulations shall require, taking into account said factors, appropriate persons to certify to the office of consumer affairs and business regulation, under penalty of perjury, that they maintain an information security program that complies with this section.

SECTION 23. Section 3 of said chapter 93H, as so appearing, is hereby amended by striking out the paragraph in lines 45 to 52, inclusive, and inserting in place thereof the following 2 paragraphs:-

The notice to be provided to the resident shall include, but not be limited to: (i) the consumer’s right to obtain a police report; (ii) instructions to the consumer on how to request a security freeze and the necessary information to be provided when requesting the security freeze; and (iii) mitigation services to be provided pursuant to this chapter; provided, however, that the notice shall not include the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by the breach or unauthorized access or use. The person or agency breached shall provide a sample copy of the notice it intends to distribute to consumers to the attorney general and to the office of consumer affairs and business regulation.

The notice to be provided under this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning that additional information.

SECTION 24. Said section 3 of said chapter 93H is hereby further amended by adding the following subsection:-

(d) If a breach of security includes a social security number, the person who maintains, stores, owns or licenses the data that was breached shall offer to each resident whose personal information was breached or is reasonably believed to have been breached credit monitoring services for a period of at least 2 years at no cost to the resident. The person shall provide all information necessary for the resident to enroll in such services and shall include information on how the resident can place a security freeze on the resident’s consumer report.             

SECTION 25. The department of consumer affairs and business regulation shall promulgate regulations implementing section 22 of this act not later than 9 months after the effective date of this act.

SECTION 26. The twelfth paragraph of section 62A of chapter 93 of the General Laws, as appearing in section 20, shall take effect upon its passage.

SECTION 27. Unless otherwise provided, this act shall take effect 90 days after its passage.