OLR Bill Analysis
AN ACT REQUIRING CONSUMER CREDIT BUREAUS TO OFFER SECURITY FREEZES
This bill (1) allows a consumer to freeze his credit report and (2) requires businesses to inform the public if there has been a security breach involving their computerized personal information.
The bill prohibits a credit rating agency from releasing a frozen credit report or any information in it without the consumer’s express authorization. It requires an agency to freeze a report in five business days if a police case number accompanies a consumer’s request. Otherwise, an agency has 15 days to freeze it. The bill creates a means by which a consumer can release his report, either permanently or temporarily. It allows an agency to deny a request to implement or remove a freeze if, in good faith, it believes the request is fraudulent. It authorizes a business to deem a credit application incomplete if it finds that the credit report is frozen. It exempts certain disclosures from the freeze.
The bill requires a business that has suffered a security breach to inform the public in writing or by e-mail. But if the breach involves more than 100 individuals, the bill requires a business to inform the public through Connecticut-based newspapers and television and radio stations.
EFFECTIVE DATE: Upon passage, except the provisions concerning security breaches take effect on October 1, 2005.
SECURITY FREEZES
The bill allows a consumer to ask a credit rating agency to place a security freeze on his credit report. Consumer requests to freeze the report must be made in writing by certified mail or by another secure method authorized by the agency. The bill requires an agency to freeze the report within (1) five business days if the request is accompanied by a police case number and (2) 15 days if the consumer did not submit a police case number. It requires an agency to keep the freeze in effect unless temporarily or permanently removed at the consumer’s request. A “credit report” is a written or oral report, recommendation, or representation made by a credit rating agency relating to a consumer’s credit worthiness, credit standing, or credit capacity, including information sought to determine credit eligibility. A “consumer” is an individual seeking credit for personal, family, or household purposes.
The bill defines “security freeze” as a notice placed in a consumer’s credit report, at his request, that prohibits an agency from releasing the report, or any information in it, without the consumer’s express authorization.
Removing or Suspending a Freeze
The bill establishes a way for a consumer to remove the freeze or to temporarily release information in a credit report. It requires an agency to send the consumer a written confirmation including a unique personal identification number or password within 10 business days after freezing a report. The consumer can use the unique identifier to authorize the removal of the freeze or the report’s release to a third party.
The bill requires an agency that has received a request to permanently or temporarily lift a freeze to do so by the third business day after receiving it. If a consumer wants to remove the freeze, he must provide (1) proper identification and (2) his unique identification number or password. If a consumer wants to disclose his information to a third party or for a period of time, he must provide (1) proper identification, (2) the unique identification number or password, and (3) information concerning the third party to receive the credit report. The bill authorizes agencies to develop procedures to receive and process the requests by telephone or through facsimile, the Internet, or other electronic means.
Denying a Request to Implement or Remove a Credit Freeze
The bill authorizes a credit agency to decline to implement or remove a credit freeze if it believes, in good faith, that the request was part of a fraud that (1) the consumer participated in or knew about or (2) can be demonstrated by circumstantial evidence. In these cases, the bill requires an agency to promptly notify the consumer by the fifth day after the refusal.
Effect on Third-Party Requests
The bill authorizes a third party to deem a credit application incomplete if it requests access to a consumer’s frozen credit report in conjunction with a credit application, or for another purpose, and the consumer has not authorized disclosure to the third party.
Exempted Disclosures
The bill allows agencies to disclose frozen credit reports to:
1. state or local agencies, law enforcement agencies, courts or private collection agencies acting under a court order, warrant, or subpoena;
2. any person, including a subsidiary, affiliate, agent, or assignee, with which a consumer has or had an account, contract, or debtor-creditor relationship for the purpose of reviewing the account or collecting a debt on it;
3. a state or municipal agency to (a) collect taxes or child support or (b) investigate fraud or any other violation;
4. anyone for (a) “prescreening” as defined by the federal law on credit rating agencies (see BACKGROUND), (b) administration of a credit file monitoring service to which a consumer subscribes, and (c) providing a consumer with a copy of his credit report at his request;
5. check or fraud prevention service companies that report on fraud for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar payment methods; and
6. demand deposit account information service companies that inform banks or other financial institutions reviewing a request for a demand deposit account about a potential consumer’s account closures due to fraud, substantial overdrafts, automatic teller machine abuse, or similar negative information.
DISCLOSING SECURITY BREACHES OF COMPUTERIZED DATA
The bill requires anyone who owns, maintains, or licenses computerized data containing non-encrypted personal information in the course of business to notify state residents whenever the information has been, or is reasonably believed to have been, acquired by a third party due to a breach of the security system. The bill defines “breach of the security system” as the unauthorized acquisition of computerized data that includes personal information. The bill provides that a breach does not include the acquisition, in good faith, of personal information by the business’s employee or agent in connection with his duties, if the information is not used for a purpose unrelated to his duties and is not disclosed without authorization.
“Personal information” is a person’s first name or initial and last name in addition to one or more of the following non-encrypted facts: (1) Social Security number; (2) driver’s license number; and (3) a financial account number, including a credit or debit card number with its security or access code. The bill excludes information available to the public from a federal, state, or local government.
The bill requires a business to notify the public of a security breach within 15 days after discovering it, but the notification may be delayed at the request of a law enforcement officer investigating the breach. If the breach affects up to 100 individuals, the notice may be sent in writing or by e-mail. If it affects more, the notice must be posted on the business’s website and published in Connecticut-based newspapers or broadcast on radio and television stations.
A violation of the bill’s provision on security breaches is an unfair trade practice.
BACKGROUND
Fair Credit Reporting Act
Federal law on credit rating agencies (15 USC 1681 et seq.) does not define “prescreening,” but it does prohibit states from adopting any requirements or prohibitions concerning prescreening reports for credit or insurance transactions not initiated by a consumer (15 USC §§ 1681t, 1681b(c), and 1681(e)).
Connecticut Unfair Trade Practices Act
The law prohibits businesses from engaging in unfair and deceptive acts or practices. CUTPA allows the DCP commissioner to issue regulations defining what constitutes an unfair trade practice, investigate complaints, issue cease and desist orders, order restitution in cases involving less than $5,000, enter into consent agreements, ask the attorney general to seek injunctive relief, and accept voluntary statements of compliance. The act also allows individuals to sue. Courts may issue restraining orders; award actual and punitive damages, costs, and reasonable attorneys’ fees; and impose civil penalties of up to $5,000 for willful violations and $25,000 for violation of a restraining order.
COMMITTEE ACTION
General Law Committee
Joint Favorable Substitute
Yea | 15
Nay | 0