OLR Bill Analysis

sSB 472

AN ACT CONCERNING SECURITY FREEZES ON CREDIT REPORTS, IDENTITY THEFT PREVENTION SERVICES, EMPLOYER CREDIT INQUIRIES AND REGULATIONS OF CREDIT RATING AGENCIES.

SUMMARY

This bill makes several changes related to credit security freezes, identity theft prevention services, and employment-related credit checks.

It requires credit rating agencies to place and remove a credit security freeze as soon as practicable after receiving a request and prohibits them from charging a fee to do so. It also (1) requires agencies to offer to notify the other credit agencies on a consumer's behalf, (2) requires agencies receiving such a notification to treat it as if it came from the consumer, and (3) prohibits such agencies from requiring, as a condition of placing a security freeze, a consumer to enter into an agreement limiting claims he or she may have against the agency.

The bill increases, from 12 to 24 months, the length of time certain individuals must provide identity theft mitigation services to customers in the event of a data breach. It also requires the banking commissioner to adopt regulations requiring credit rating agencies to (1) provide a dedicated point of contact following a data breach and (2) report certain financial information associated with identity theft protection and mitigation services.

The bill limits when certain employers can require an employee or applicant to undergo a credit check. But it broadens the credit check requirement for other individuals with access to museum and library collections or prescription drugs or other pharmaceuticals.

The bill also makes minor and conforming changes.

EFFECTIVE DATE: October 1, 2018

1 — SECURITY FREEZES

By law, a “security freeze” is a notice placed in a consumer's credit report, at the consumer's request, that bars a credit rating agency from releasing the report, or any information in it, without the consumer's express authorization (CGS 36a-701).

Time Frame

The bill requires a credit rating agency to place and remove security freezes as soon as practicable after receiving a request to do so. By law, such agencies must (1) place a security freeze, including for a minor child, within five business days, and (2) remove a security freeze within three business days.

Fees and Limiting Claims

The bill prohibits credit rating agencies from charging a fee to place, remove, or temporarily lift a credit security freeze. Under current law, credit rating agencies may charge consumers up to $10 to place, remove, or temporarily lift a credit freeze and up to $12 to temporary lift a freeze for a specific party. But they are prohibited from charging fees to certain consumers, including children and identity theft or domestic violence victims.

Under the bill, a credit rating agency must offer the consumer the option to notify any and all other credit rating agencies of a consumer's request to place or remove a security freeze. If the consumer agrees, the rating agency must notify the other rating agencies of the consumer's request; any agency receiving such a notification must place or remove the security freeze as if it received the request from the consumer.

The bill also prohibits credit rating agencies from (1) requiring, as a condition of placing a security freeze, that consumers agree to limit their claims against the agency and (2) charging fees for any personal identification numbers (PINs), instead of for first-time replacement PINs, as under current law.

2 & 4 — IDENTITY THEFT SERVICES AND DATA BREACH REGULATIONS

The bill increases, from 12 to 24 months, the period for which certain individuals must offer identity theft mitigation services to customers in the event of a data breach. The bill applies to any individual who, in the course of ordinary business, owns or licenses electronic data that includes personal information.

The bill requires the banking commissioner to adopt regulations requiring credit rating agencies to (1) provide the banking commissioner dedicated points of contact through which it may assist consumers after a data breach, (2) respond within 10 days after the department makes a request for information on a consumer's behalf, (3) report to the commissioner all fees associated with the purchase or use of identity theft protection services, (4) provide a description of all business affiliations and contractual relationships with other entities that provide identity theft prevention or mitigation products or services, and (5) disclose to the commissioner any fees associated with the purchase or use of proprietary identity theft prevention products, including any fees resulting from a purchase after a trial offer.

3 — EMPLOYMENT CREDIT CHECKS

This bill prohibits employers or their agents, representatives, or designees from requiring, as a condition of employment, a current or prospective employee's consent to a request for a credit report solely because the job involves access to nonfinancial assets valued at more than $2,500. It does so by removing jobs with access to such nonfinancial assets from the statutory definition of “substantially related.”

By law, employers may require current or prospective employees to consent to a credit report request when the report is “substantially related” to the employee's current or potential job, or the employer has a bona fide reason to request or use information in the report that is substantially job-related, and this reason is disclosed to the employee or applicant in writing.

By doing so, the bill also allows an employer to require such a credit check for an employee with access to museum and library collections, or prescription drugs or other pharmaceuticals, regardless of their value. Under current law, a credit check for these employees may only be required if the collection, prescription drugs, or pharmaceuticals are worth more than $2,500.

COMMITTEE ACTION

Banking Committee

Joint Favorable Substitute

Yea

10

Nay

9

(03/20/2018)