Report Title:

Financial Institutions; Personal Records.

Description:

Requires financial institutions to protect confidentiality of personal financial information, to notify consumers of breach of security measures, to remove personal identifiers when destroying records, to obtain consumer consent for disclosure of information, and to correct information when error is shown to be the result of identity theft. Establishes penalties.

HOUSE OF REPRESENTATIVES

H.B. NO. 2674

TWENTY-SECOND LEGISLATURE, 2004

STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO IDENTITY THEFT.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

SECTION 1. The legislature finds that identity theft is a serious problem for consumers whose personal financial information is disclosed by business entities with control over such information.

The purpose of this Act is to:

(1) Require financial institutions to take steps to notify consumers or customers when security measures to maintain confidential personal financial information have been breached;

(2) Require financial institutions to destroy records in a manner designed to remove personal identifiers; and

(3) Require financial institutions to obtain consumer permission for disclosure of nonpublic personal financial information.

SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"CHAPTER

PROTECTION OF PRIVATE CONSUMER FINANCIAL INFORMATION

§ -1 Definitions. As used in this chapter unless the context clearly requires otherwise:

"Adverse action" means action taken by a financial institution adverse to the interest of the consumer that affects the relationship between the financial institution and the consumer. Adverse action does not mean any action relating to reporting to or receiving information from a consumer reporting agency.

"Commercial use" means the sale or transfer for consideration of a consumer's nonpublic personal information by a financial institution to a person or entity that is not related to the financial institution by common ownership or affiliated by corporate control for the purpose of marketing services or products to the consumer.

"Consumer" means an individual who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes, regardless of whether a fiduciary relationship exists.

"Consumer information of a financial institution" means any information maintained by or for a financial institution that is derived from the relationship between the financial institution and a consumer of the financial institution and is identified with the consumer.

"Document" or "record" means any information in any form.

"Financial institution" means any entity engaged in the business of providing financial services to consumers who maintain a credit, deposit, trust, or other financial account or relationship with the institution. Certain financial institutions specifically included are any:

(1) Depository institution as defined in Title 12 United States Code section 461(b)(1)(A);

(2) Financial institution subject to section 501 of the Gramm-Leach-Bliley Act of 1999, Title 15 United States Code section 6801, et seq.;

(3) Broker or dealer as defined in the Securities and Exchange Act of 1934, Title 15 United States Code section 78c;

(4) Investment adviser as defined in Investment Advisers Act of 1940, Title 15 United States Code section 80b-2;

(5) Investment company as defined in the Investment Company Act, Title 15 United States Code section 80a-3;

(6) Insurance licensee covered by chapter 431;

(7) Loan or finance company; and

(8) Credit card issuer or operator of a credit card system.

Financial institution does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act, the Agricultural Mortgage Corporation, Farm Credit Act of 1971, or any consumer reporting agency covered by the Fair and Accurate Credit Transactions Act of 2003.

"Identity theft" means the unauthorized use of another person's personal identifiers to obtain credit, goods, services, money, or property.

"Nonpublic personal information" means personally identifiable information that is not publicly available, which is provided by a consumer to a financial institution resulting from any transaction with the consumer or any service performed for the consumer or information that is otherwise obtained by the financial institution.

"Personally identifiable" means information maintained or collected by personal identifiers such as name, address, telephone number, birth date, account number, credit card number, social security number, driver's license number, place of employment, employee identification number, mother's maiden name, personal identification number, password, fingerprint, or photograph.

"Publicly available information" means any information that a financial institution has a reasonable basis to believe is lawfully made available to the general public from governmental records, widely distributed media, or disclosures to the public that are required by law.

§ -2 Purpose; scope; applicability. This chapter governs the treatment of nonpublic personal financial information of consumers by all financial institutions doing business in Hawaii. This chapter is intended to provide greater privacy protections to consumers to guard against identity theft than currently provided by state and federal law, except as may be preempted by federal law.

§ -3 Duty to prevent unauthorized disclosures. (a) Financial institutions have an affirmative and continuing duty to respect the privacy of its consumer's nonpublic personal financial information and to protect the security and confidentiality of that information. A financial institution shall adopt policies and practices to ensure that nonpublic personal financial information is maintained in a secure and confidential manner within its custody, to protect against anticipated threats or hazards to the security or integrity of those records, and to protect against unauthorized access to and use of information that could result in substantial harm or inconvenience to a customer or consumer. A financial institution has a reasonable basis to believe that the information is lawfully made available to the general public if it has taken steps to determine that the information is the type that is available to the general public and the consumer has not made the information public or directed that the information not be made public.

(b) A financial institution shall include policies and practices regarding methods of destruction of records, whether discarded routinely in the normal course of business or in accordance with a legally mandated records destruction policy, to remove personal identifiers from a consumer's nonpublic personal financial information.

(c) A financial institution shall not include personally identifiable information in communication with the consumer for the purpose of marketing services or products, except for use of the consumer's name and address.

§ -4 Notice to consumer for unauthorized disclosures. A financial institution that discovers that any records that contain nonpublic personally identifiable financial information have been disclosed without authorization, or not in accordance with law, for the suspected purpose of committing identity theft, shall notify the affected consumers promptly.

§ -5 Disclosure for commercial use prohibited without consent of the customer. A financial institution is prohibited from disclosing personally identifiable information of a consumer, including mailing lists of consumer names and addresses, for commercial use without the express written consent of the consumer. This prohibition does not extend to any disclosure authorized by law or the use by a financial institution of consumer information for marketing its own products or services.

§ -6 Disputes over financial information. (a) When a consumer disputes the accuracy of financial information maintained by a financial institution on the consumer and claims that the consumer is the victim of identity theft, the financial institution shall take reasonable steps to investigate and cooperate with the consumer to resolve the dispute prior to taking adverse action.

(b) A financial institution shall permit the consumer who claims to be a victim of identity theft no less than ninety days to resolve the dispute before taking adverse action.

(c) A financial institution that receives credible information to support the consumer's claim of identity theft shall immediately correct the financial information.

§ -7 Violation and penalties. (a) The attorney general or commissioner of financial institutions may bring an action against any financial institution to restrain and prevent violation of this chapter.

(b) A financial institution that engages in acts in violation of this chapter shall be fined not less than $500 nor more than $2,000 for each violation, which sum may be awarded in a civil action.

§ -8 Civil action. A consumer who is damaged by a violation of this chapter may bring a civil action for damages, penalties, and attorney's fees and costs."

SECTION 3. If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act, which can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.

SECTION 4. This Act shall take effect on January 1, 2005, and shall apply to any proceeding commenced after its effective date.

INTRODUCED BY:

_____________________________