Report Title:

Identity Theft; Privacy

Description:

Requires government agencies and private businesses that maintain personal information to inform the subject of the information if the security of the information is breached. Permits consumer to place "security alert" and "credit freeze" on credit report to warn of possible identity theft and to prevent release of information without express authorization. Provides civil remedies.

THE SENATE

S.B. NO. 2220

TWENTY-THIRD LEGISLATURE, 2006

STATE OF HAWAII

A BILL FOR AN ACT

relating to identity theft.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

SECTION 1. The legislature finds that the privacy and financial security of individuals is increasingly at risk due to the widespread collection of personal information by both the private and public sector. Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and internet web sites are all sources of personal information and provide material for identity thieves. As a result, identity theft is one of the fastest growing crimes committed in Hawaii.

The legislature further finds that criminals who steal personal information such as social security numbers use the information to open credit card accounts, write bad checks, buy cars, and commit other financial crimes with other people's identities. Victims of identity theft must act quickly to minimize the damage. Therefore, expeditious notification of possible misuse of a person's personal information is imperative. At the same time, prevention of identity theft requires consumers to be vigilant in protecting their personal information. Consumers must be provided with tools to safeguard their personal information by limiting access to it.

The purpose of this Act is to require a state agency, or a person or business that conducts business in Hawaii, that possesses, owns, or licenses computerized data that includes personal information to disclose any breach of the security of the data to any resident of Hawaii whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This Act permits the notifications required by its provisions to be delayed if a law enforcement agency determines that it would impede a criminal investigation.

This Act also permits consumers to place a security alert on their credit report to warn those who legitimately request credit information that the consumer's identity may have been stolen. This Act also permits consumers to place a security freeze on their credit report that prohibits release of any information without their express authorization.

SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

INFORMATION SECURITY

   -1 Definitions. For purposes of this chapter:

"Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

"Extension of credit" does not include an increase in the dollar limit of an existing open-end credit plan, as defined in Regulation Z issued by the Board of Governors of the Federal Reserve System (12 C.F.R. 226.2), or any change to, or review of, an existing credit account.

"Personal information" has the same meaning as in section 708-800. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

"Security alert" means a notice placed in a consumer's credit report, at the request of the consumer, that notifies a recipient of the credit report that the consumer's identity may have been used, without the consumer's consent, to fraudulently obtain goods or services in the consumer's name.

"Security freeze" means a notice placed in a consumer's credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer credit reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer.

-2 Security of personal information held by governmental agency. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach to any resident of the State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) For purposes of this section, "notice" may be provided by one of the following methods:

(1) Written notice;

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or

(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds $500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) E-mail notice when the agency has an e-mail address for the subject persons;

(B) Conspicuous posting of the notice on the agency's internet web site, if the agency maintains one; and

(C) Notification to major statewide media.

(e) Notwithstanding subsection (d), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this chapter shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

-3 Security of personal information held by private business person or entity. (a) Any person or business that conducts business in the State, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach to any resident of the State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) For purposes of this section, "notice" may be provided by one of the following methods:

(1) Written notice;

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds $500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) E-mail notice when the person or business has an e-mail address for the subject persons;

(B) Conspicuous posting of the notice on the web site page of the person or business, if the person or business maintains one; and

(C) Notification to major statewide media.

(e) Notwithstanding subsection (d), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

-4 Security alert. (a) A consumer may elect to place a security alert in the consumer's credit report by making a request in writing or by telephone to a consumer credit reporting agency.

(b) A consumer credit reporting agency shall notify each person requesting consumer credit information with respect to a consumer of the existence of a security alert in the credit report of that consumer, regardless of whether a full credit report, credit score, or summary report is requested.

(c) Each consumer credit reporting agency shall maintain a toll-free telephone number to accept security alert requests from consumers twenty-four hours a day, seven days a week.

(d) The toll-free telephone number shall be included in any written disclosure by a consumer credit reporting agency to any consumer and shall be printed in a clear and conspicuous manner.

(e) A consumer credit reporting agency shall place a security alert on a consumer's credit report no later than five business days after receiving a request from the consumer.

(f) The security alert shall remain in place for at least ninety days, and a consumer shall have the right to request a renewal of the security alert.

(g) Any person who uses a consumer credit report in connection with the approval of credit based upon an application for an extension of credit, or with the purchase, lease, or rental of goods or non-credit-related services, and who receives notification of a security alert pursuant to subsection (a) may not lend money, extend credit, or complete the purchase, lease, or rental of goods or non-credit-related services without taking reasonable steps to verify the consumer's identity, in order to ensure that the application for an extension of credit or for the purchase, lease, or rental of goods or non-credit-related services is not the result of identity theft. If the consumer has placed a statement with the security alert in the consumer's file requesting that identity be verified by calling a specified telephone number, any person who receives that statement with the security alert in a consumer's file pursuant to subsection (a) shall take reasonable steps to verify the identity of the consumer by contacting the consumer, using the specified telephone number, prior to lending money, extending credit, or completing the purchase, lease, or rental of goods or non-credit-related services. If a person uses a consumer credit report to facilitate the extension of credit or for another permissible purpose on behalf of a subsidiary, affiliate, agent, assignee, or prospective assignee, that person may verify a consumer's identity under this section in lieu of the subsidiary, affiliate, agent, assignee, or prospective assignee.

(h) If reasonable steps are taken to verify the identity of the consumer, those steps constitute compliance with the requirements of this section, provided that if a consumer has placed a statement including a telephone number with the security alert in the consumer's file, the consumer's identity shall be verified by contacting the consumer using that telephone number as specified pursuant to subsection (g).

(i) A consumer credit reporting agency shall notify each consumer who has requested that a security alert be placed on the consumer's consumer credit report of the expiration date of the alert.

-5 Security freeze. (a) A consumer may elect to place a security freeze on the consumer's credit report by making a request in writing by certified mail to a consumer credit reporting agency.

If a security freeze is in place, information from a consumer's credit report may not be released to a third party without prior express authorization from the consumer. This subsection does not prevent a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.

(b) A consumer credit reporting agency shall place a security freeze on a consumer's credit report no later than five business days after receiving a written request from the consumer.

(c) The consumer credit reporting agency shall send a written confirmation of the security freeze to the consumer within ten business days and shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of the consumer's credit for a specific party or period of time.

(d) If the consumer wishes to allow the consumer's credit report to be accessed for a specific party or period of time while a freeze is in place, the consumer shall contact the consumer credit reporting agency, request that the freeze be temporarily lifted, and provide the following:

(1) Proper identification;

(2) The unique personal identification number or password provided by the credit reporting agency pursuant to subsection (c); and

(3) The proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

(e) A consumer credit reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report, pursuant to subsection (d), shall comply with the request no later than three business days after receiving the request.

(f) A consumer credit reporting agency may develop procedures involving the use of telephone, fax, the internet, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report, pursuant to subsection (d), in an expedited manner.

(g) A consumer credit reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only in the following cases:

(1) Upon consumer request, pursuant to subsection (d) or (j); or

(2) If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer.

If a consumer credit reporting agency intends to remove a freeze upon a consumer's credit report pursuant to this subsection, the consumer credit reporting agency shall notify the consumer in writing prior to removing the freeze on the consumer's credit report.

(h) If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow the consumer's credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

(i) If a consumer requests a security freeze, the consumer credit reporting agency shall disclose the process of placing and temporarily lifting a freeze, and the process for allowing access to information from the consumer's credit report for a specific party or period of time while the freeze is in place.

(j) A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer credit reporting agency shall remove a security freeze within three business days of receiving a request for removal from a consumer who provides both of the following:

(1) Proper identification; and

(2) The unique personal identification number or password provided by the credit reporting agency pursuant to subsection (c).

(k) A consumer credit reporting agency shall require proper identification of the person making a request to place or remove a security freeze.

(l) The provisions of this section do not apply to the use of a consumer credit report by any of the following:

(1) A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument. For purposes of this paragraph, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements;

(2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted for purposes of facilitating the extension of credit or other permissible use;

(3) Any state or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, or subpoena;

(4) A child support agency acting pursuant to chapter 576D or Title IV-D of the Social Security Act (42 U.S.C. et seq.);

(5) The department of the attorney general or its agents or assigns acting to investigate medicaid fraud;

(6) The department of taxation or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;

(7) The use of credit information for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act;

(8) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed; or

(9) Any person or entity for the purpose of providing a consumer with a copy of the consumer's credit report upon the consumer's request.

(m) This section does not prevent a consumer credit reporting agency from charging a fee of no more than $10 to a consumer for each freeze, removal of the freeze, or temporary lift of the freeze for a period of time, or a fee of no more than $12 for a temporary lift of a freeze for a specific party, regarding access to a consumer credit report.

-6 Duties of credit reporting agency. (a) If a security freeze is in place, a consumer credit reporting agency shall not change any of the following official information in a consumer credit report without sending a written confirmation of the change to the consumer within thirty days of the change being posted to the consumer's file: name, date of birth, social security number, and address. Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.

(b) If a consumer has placed a security alert, a consumer credit reporting agency shall provide the consumer, upon request, with a free copy of the consumer's credit report at the time the ninety-day security alert period expires.

-7 Certain consumer credit reporting agencies exempt. The provisions of this chapter do not apply to a consumer credit reporting agency that acts only as a reseller of credit information, by assembling and merging information contained in the data base of another consumer credit reporting agency or multiple consumer credit reporting agencies, and does not maintain a permanent data base of credit information from which new consumer credit reports are produced. However, a consumer credit reporting agency shall honor any security freeze placed on a consumer credit report by another consumer credit reporting agency.

-8 Certain entities exempt from credit alert or freeze requirement. The following entities are not required to place in a credit report either a security alert, pursuant to section    -4, or a security freeze, pursuant to section    -5:

(1) A check services or fraud prevention services company, which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments; or

(2) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.

-9 Removal from credit card solicitation list. A consumer may elect to have the consumer's name removed from any list that a consumer credit reporting agency furnishes for credit card solicitations, by notifying the consumer credit reporting agency, by telephone or in writing, pursuant to the notification system maintained by the consumer credit reporting agency pursuant to section    -3. The election shall be effective for a minimum of two years, unless otherwise specified by the consumer.

-10 Government access. Notwithstanding any other provision to the contrary in this chapter, a consumer credit reporting agency may furnish to a governmental agency a consumer's name, address, former address, places of employment, or former places of employment.

-11 Civil remedies. (a) Any consumer injured by a violation of this chapter may institute a civil action to recover damages.

(b) Any business that violates, proposes to violate, or has violated this title may be enjoined.

(c) Any agency, business, or person that intentionally, knowingly, or recklessly violates this chapter shall be fined up to $2,500 for each violation.

(d) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law."

SECTION 3. This Act shall take effect on July 1, 2006.

INTRODUCED BY:

_____________________________