Substitute Senate Bill No. 650
Public Act No. 05-148
AN ACT REQUIRING CONSUMER CREDIT BUREAUS TO OFFER SECURITY FREEZES.
Be it enacted by the Senate and House of Representatives in General Assembly convened:
Section 1. (NEW) (Effective January 1, 2006) As used in this section and section 2 of this act:
(1) "Consumer" means any person who is utilizing or seeking credit for personal, family or household purposes;
(2) "Credit rating agency" means credit rating agency, as defined in section 36a-695 of the general statutes;
(3) "Credit report" means credit report, as defined in section 36a-695 of the general statutes;
(4) "Creditor" means creditor, as defined in section 36a-695 of the general statutes; and
(5) "Security freeze" means a notice placed in a consumer's credit report, at the request of the consumer, that prohibits the credit rating agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer.
Sec. 2. (NEW) (Effective January 1, 2006) (a) Any consumer may submit a written request, by certified mail or such other secure method as authorized by a credit rating agency, to a credit rating agency to place a security freeze on such consumer's credit report. Such credit rating agency shall place a security freeze on a consumer's credit report not later than five business days after receipt of such request. Not later than ten business days after placing a security freeze on a consumer's credit report, such credit rating agency shall send a written confirmation of such security freeze to such consumer that provides the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of such consumer's report to a third party or for a period of time.
(b) In the event such consumer wishes to authorize the disclosure of such consumer's credit report to a third party, or for a period of time, while such security freeze is in effect, such consumer shall contact such credit rating agency and provide: (1) Proper identification, (2) the unique personal identification number or password described in subsection (a) of this section, and (3) proper information regarding the third party who is to receive the credit report or the time period for which the credit report shall be available. Any credit rating agency that receives a request from a consumer pursuant to this section shall lift such security freeze not later than three business days after receipt of such request.
(c) Except for the temporary lifting of a security freeze as provided in subsection (b) of this section, any security freeze authorized pursuant to the provisions of this section shall remain in effect until such time as such consumer requests such security freeze to be removed. A credit rating agency shall remove such security freeze not later than three business days after receipt of such request provided such consumer provides proper identification to such credit rating agency and the unique personal identification number or password described in subsection (a) of this section at the time of such request for removal of the security freeze.
(d) Any credit rating agency may develop procedures to receive and process such request from a consumer to temporarily lift or remove a security freeze on a credit report pursuant to subsection (b) of this section. Such procedures, at a minimum, shall include, but not be limited to, the ability of a consumer to send such temporary lift or removal request by electronic mail, letter or facsimile.
(e) In the event that a third party requests access to a consumer's credit report that has such a security freeze in place and such third party request is made in connection with an application for credit or any other use and such consumer has not authorized the disclosure of such consumer's credit report to such third party, such third party may deem such credit application as incomplete.
(f) Any credit rating agency may refuse to implement or may remove such security freeze if such agency believes, in good faith, that: (1) The request for a security freeze was made as part of a fraud that the consumer participated in, had knowledge of, or that can be demonstrated by circumstantial evidence, or (2) the consumer credit report was frozen due to a material misrepresentation of fact by the consumer. In the event any such credit rating agency refuses to implement or remove a security freeze pursuant to this subsection, such credit rating agency shall promptly notify such consumer in writing of such refusal not later than five business days after such refusal or, in the case of a removal of a security freeze, prior to removing the freeze on the consumer's credit report.
(g) Nothing in this section shall be construed to prohibit disclosure of a consumer's credit report to: (1) A person, or the person's subsidiary, affiliate, agent or assignee with which the consumer has or, prior to assignment, had an account, contract or debtor-creditor relationship for the purpose of reviewing the account or collecting the financial obligation owing for the account, contract or debt; (2) a subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under subsection (b) of this section for the purpose of facilitating the extension of credit or other permissible use; (3) any person acting pursuant to a court order, warrant or subpoena; (4) any person for the purpose of using such credit information to prescreen as provided by the federal Fair Credit Reporting Act; (5) any person for the sole purpose of providing a credit file monitoring subscription service to which the consumer has subscribed; (6) a credit rating agency for the sole purpose of providing a consumer with a copy of his or her credit report upon the consumer's request; or (7) a federal, state or local governmental entity, including a law enforcement agency, or court, or their agents or assignees pursuant to their statutory or regulatory duties. For purposes of this subsection, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements.
(h) The following persons shall not be required to place a security freeze on a consumer's credit report, provided such persons shall be subject to any security freeze placed on a credit report by another credit rating agency: (1) A check services or fraud prevention services company that reports on incidents of fraud or issues authorizations for the purpose of approving or processing negotiable instruments, electronic fund transfers or similar methods of payment; (2) a deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or similar information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution; or (3) a credit rating agency that: (A) Acts only to resell credit information by assembling and merging information contained in a database of one or more credit reporting agencies; and (B) does not maintain a permanent database of credit information from which new credit reports are produced.
(i) A credit rating agency may charge a fee of not more than ten dollars to a consumer for each security freeze, removal of such freeze or temporary lift of such freeze for a period of time, and a fee of not more than twelve dollars for a temporary lift of such freeze for a specific party.
(j) An insurer, as defined in section 38a-1 of the general statutes, may deny an application for insurance if an applicant has placed a security freeze on such applicant's credit report and fails to authorize the disclosure of such applicant's credit report to such insurer pursuant to the provisions of subsection (b) of this section.
Sec. 3. (NEW) (Effective January 1, 2006) (a) For purposes of this section, "breach of security" means unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable; "personal information" means an individual's first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number; (2) driver's license number or state identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
(b) Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall disclose any breach of security following the discovery of the breach to any resident of this state whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security. Such disclosure shall be made without unreasonable delay, subject to the provisions of subsection (c) of this section and the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.
(c) Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.
(d) Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.
(e) Any notice required by the provisions of this section may be provided by one of the following methods: (1) Written notice; (2) telephone notice; (3) electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001; (4) substitute notice, provided such person demonstrates that the cost of providing notice in accordance with subdivision (1), (2) or (3) of this subsection would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand persons or the person does not have sufficient contact information. Substitute notice shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the web site of the person, business or agency if the person maintains one; and (C) notification to major state-wide media, including newspapers, radio and television.
(f) Any person that maintains its own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies subject persons in accordance with such person's policies in the event of a breach of security. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(4), shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies subject persons in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security of the system.
(g) Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b of the general statutes and shall be enforced by the Attorney General.
Approved June 24, 2005