PA 18-90—sSB 472

Banking Committee

AN ACT CONCERNING SECURITY FREEZES ON CREDIT REPORTS, IDENTITY THEFT PREVENTION SERVICES AND REGULATIONS OF CREDIT RATING AGENCIES

SUMMARY: This act prohibits credit rating agencies from (1) charging a fee to place, remove, or temporarily lift a credit security freeze and (2) requiring, as a condition of placing the freeze, a consumer to enter into an agreement limiting claims he or she may have against the agency. By law, a “security freeze” is a notice placed in a consumer's credit report, at the consumer's request, that bars a credit rating agency from releasing the report, or any information in it, without the consumer's express authorization (CGS 36a-701).

The act also requires that agencies place or remove the freezes as soon as practicable after receiving a request, but no later than the existing statutory deadline. By law, the deadline for (1) placing a security freeze, including for a minor child, is five business days after receipt of the request and (2) removing a security freeze is three business days after receipt of the request.

The act prohibits credit rating agencies from charging fees for any personal identification numbers (PINs), instead of prohibiting fees for first-time replacement PINs only, as under prior law.

The act increases, from 12 to 24 months, the length of time certain businesses must provide identity theft mitigation services to customers in the event of a data breach. The provision applies to any business that, in the course of ordinary business, owns or licenses electronic data that includes personal information.

It also requires the banking commissioner to adopt regulations requiring credit rating agencies to provide a dedicated point of contact through which the department may assist consumers following a data breach.

Lastly, the act makes minor and conforming changes.

EFFECTIVE DATE: October 1, 2018