General Assembly

File No. 341

February Session, 2018

Substitute Senate Bill No. 472

Senate, April 9, 2018

The Committee on Banking reported through SEN. WINFIELD of the 10th Dist. and SEN. MARTIN of the 31st Dist., Chairpersons of the Committee on the part of the Senate, that the substitute bill ought to pass.

AN ACT CONCERNING SECURITY FREEZES ON CREDIT REPORTS, IDENTITY THEFT PREVENTION SERVICES, EMPLOYER CREDIT INQUIRIES AND REGULATIONS OF CREDIT RATING AGENCIES.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. Section 36a-701a of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2018):

(a) Any consumer may submit a written request, by certified mail or such other secure method as authorized by a credit rating agency, to a credit rating agency to place a security freeze on such consumer's credit report. Such credit rating agency shall place a security freeze on a consumer's credit report as soon as practicable, but not later than five business days after receipt of such request. Not later than ten business days after placing a security freeze on a consumer's credit report, such credit rating agency shall send a written confirmation of such security freeze to such consumer that provides the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of such consumer's report to a third party or for a period of time. Nothing in this subsection shall be deemed to require a consumer reporting agency to provide to a minor child or the parent or legal guardian of a minor child, on behalf of the minor child, a unique personal identification number, password or similar device to be used to authorize the consumer reporting agency to release such minor child's credit report.

(b) In the event such consumer, other than a minor child or the parent or legal guardian of a minor child, wishes to authorize the disclosure of such consumer's credit report to a third party, or for a period of time, while such security freeze is in effect, such consumer shall contact such credit rating agency and provide: (1) Proper identification, (2) the unique personal identification number or password described in subsection (a) of this section, and (3) proper information regarding the third party who is to receive the credit report or the time period for which the credit report shall be available. Any credit rating agency that receives a request from a consumer pursuant to this section shall lift such security freeze not later than three business days after receipt of such request.

(c) Except for the temporary lifting of a security freeze as provided in subsection (b) of this section, any security freeze authorized pursuant to the provisions of this section shall remain in effect until such time as such consumer requests such security freeze to be removed. A credit rating agency shall remove such security freeze as soon as practicable, but not later than three business days after receipt of such request provided such consumer provides proper identification to such credit rating agency and the unique personal identification number or password described in subsection (a) of this section at the time of such request for removal of the security freeze. In the case of a minor child, the credit rating agency shall remove such security freeze not later than fifteen business days after receipt of such request, provided the minor child or the parent or legal guardian of the minor child uses the unique personal identification number, password or similar device provided under subsection (a) of this section at the time of such request, if applicable.

(d) Any credit rating agency may develop procedures to receive and process such request from a consumer to temporarily lift or remove a security freeze on a credit report pursuant to subsection (b) of this section. Such procedures, at a minimum, shall include, but not be limited to, the ability of a consumer to send such temporary lift or removal request by electronic [mail] means, letter or facsimile.

(e) In the event that a third party requests access to a consumer's credit report that has such a security freeze in place and such third party request is made in connection with an application for credit or any other use and such consumer has not authorized the disclosure of such consumer's credit report to such third party, such third party may deem such credit application as incomplete.

(f) Any credit rating agency may refuse to implement or may remove such security freeze if such agency believes, in good faith, that: (1) The request for a security freeze was made as part of a fraud that the consumer participated in, had knowledge of, or that can be demonstrated by circumstantial evidence, or (2) the consumer credit report was frozen due to a material misrepresentation of fact by the consumer. In the event any such credit rating agency refuses to implement or removes a security freeze pursuant to this subsection, such credit rating agency shall promptly notify such consumer in writing of such refusal not later than five business days after such refusal or, in the case of a removal of a security freeze, prior to removing the freeze on the consumer's credit report.

(g) Nothing in this section shall be construed to prohibit disclosure of a consumer's credit report to: (1) A person, or the person's subsidiary, affiliate, agent or assignee with which the consumer has or, prior to assignment, had an account, contract or debtor-creditor relationship for the purpose of reviewing the account or collecting the financial obligation owing for the account, contract or debt; (2) a subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under subsection (b) of this section for the purpose of facilitating the extension of credit or other permissible use; (3) any person acting pursuant to a court order, warrant or subpoena; (4) any person for the purpose of using such credit information to prescreen as provided by the federal Fair Credit Reporting Act; (5) any person for the sole purpose of providing a credit file monitoring subscription service to which the consumer has subscribed; (6) a credit rating agency for the sole purpose of providing a consumer with a copy of his or her credit report upon the consumer's request; or (7) a federal, state or local governmental entity, including a law enforcement agency, or court, or their agents or assignees pursuant to their statutory or regulatory duties. For purposes of this subsection, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements.

(h) The following persons shall not be required to place a security freeze on a consumer's credit report, provided such persons shall be subject to any security freeze placed on a credit report by another credit rating agency: (1) A check services or fraud prevention services company that reports on incidents of fraud or issues authorizations for the purpose of approving or processing negotiable instruments, electronic fund transfers or similar methods of payment; (2) a deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or similar information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution; or (3) a credit rating agency that: (A) Acts only to resell credit information by assembling and merging information contained in a database of one or more credit reporting agencies; and (B) does not maintain a permanent database of credit information from which new credit reports are produced.

(i) (1) [Except as provided in subdivision (2) of this subsection, a] A credit rating agency [may] shall not (A) charge a fee [of not more than ten dollars] to a consumer for [each] a security freeze, removal of such freeze, [or] temporary lift of such freeze for a period of time [, and a fee of not more than twelve dollars for] or a temporary lift of such freeze for a specific party, or (B) require as a condition for placing a security freeze that a consumer enter into an agreement that limits any claim the consumer may have against such credit rating agency.

(2) [A credit rating agency shall not charge the fees authorized by subdivision (1) of this subsection to: (A) A victim of identity theft or the spouse of any victim of identity theft, who has submitted a copy of a police report prepared pursuant to section 54-1n to the credit rating agency; (B) any person who is covered under the victim of identity theft's individual or group health insurance policy providing coverage of the type specified in subdivisions (1), (2), (4), (11) and (12) of section 38a-469, who has submitted a copy of a police report prepared pursuant to section 54-1n to the credit rating agency; (C) a person sixty-two years of age or older; (D) a person under eighteen years of age; (E) a person for whom a guardian or conservator has been appointed by a court; and (F) a victim of domestic violence, as defined in subdivision (1) of subsection (a) of section 17b-112a, who has provided evidence of such domestic violence as specified in subsection (b) of section 17b-112a to the credit rating agency.] Whenever a consumer requests that a credit rating agency place or remove a security freeze, temporary or otherwise, on such consumer's credit report, the credit rating agency shall provide the consumer with the option of having such credit rating agency notify any or all other credit rating agencies of such request. If the consumer requests such notification, the credit rating agency shall notify the specified other credit rating agencies of the consumer's request to place or remove a security freeze, as the case may be. A credit rating agency receiving such notification shall treat the consumer's request to place or remove a security freeze as if it received the request directly from the consumer and shall be subject to the provisions of this section. No credit rating agency shall charge a fee to a consumer for a [replacement] personal identification number. [when such replacement is the first one requested by the consumer.]

(j) The parent or legal guardian of a minor child may place a security freeze on the credit report of a minor child by submitting a written request to the credit rating agency in the manner described in this section and subject to the same conditions and by providing the credit rating agency with proper identification and sufficient proof of authority to act on behalf of the minor child. The credit rating agency shall place the security freeze on the credit report of a minor child as soon as practicable, but not later than five business days after receipt of such request. If the credit rating agency does not have any information in its files pertaining to the minor child at the time the credit rating agency receives a request pursuant to this subsection, the credit rating agency shall create a record for the minor child and place a security freeze on such record. Such record shall consist of a compilation of information created by a credit rating agency that identifies a minor child. A credit rating agency shall not create or use such record to consider the minor child's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living. A credit rating agency shall not release a minor child's credit report, any information derived from a minor child's credit report or any record created for a minor child.

(k) The parent or legal guardian of a minor child may request the removal of a security freeze placed on the credit report or record of a minor child by submitting a written request to the credit rating agency in the manner described in this section and subject to the same conditions and by providing the credit rating agency with proper identification and sufficient proof of authority to act on behalf of the minor child. The credit rating agency shall remove the security freeze on the credit report or record of a minor child not later than fifteen business days after receipt of such request.

(l) An insurer, as defined in section 38a-1, may deny an application for insurance if an applicant has placed a security freeze on such applicant's credit report and fails to authorize the disclosure of such applicant's credit report to such insurer pursuant to the provisions of subsection (b) of this section.

(m) Any security freeze in a credit report in effect as of October 1, 2016, shall continue to be in effect until the consumer or the parent or legal guardian of a minor child requests the removal of the security freeze.

Sec. 2. Section 36a-701b of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2018):

(a) For purposes of this section, (1) "breach of security" means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable; and (2) "personal information" means an individual's first name or first initial and last name in combination with any one, or more, of the following data: (A) Social Security number; (B) driver's license number or state identification card number; [or] (C) [account number,] credit or debit card number; [,] or (D) financial account number in combination with any required security code, access code or password that would permit access to [an individual's] such financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

(b) (1) Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall provide notice of any breach of security following the discovery of the breach to any resident of this state whose personal information was breached or is reasonably believed to have been breached. Such notice shall be made without unreasonable delay but not later than ninety days after the discovery of such breach, unless a shorter time is required under federal law, subject to the provisions of subsection (d) of this section and the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.

(2) If notice of a breach of security is required by subdivision (1) of this subsection:

(A) The person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General; and

(B) The person who conducts business in this state, and who, in the ordinary course of such person's business, owns or licenses computerized data that includes personal information, shall offer to each resident whose personal information under subparagraph (A) of subdivision (4) of subsection (a) of section 38a-999b or subparagraph (A) of subdivision (2) of subsection (a) of this section was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than [twelve] twenty-four months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file.

(c) Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information of a resident of this state was breached or is reasonably believed to have been breached.

(d) Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.

(e) Any notice to a resident, owner or licensee required by the provisions of this section may be provided by one of the following methods: (1) Written notice; (2) telephone notice; (3) electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001; (4) substitute notice, provided such person demonstrates that the cost of providing notice in accordance with subdivision (1), (2) or (3) of this subsection would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand persons or that the person does not have sufficient contact information. Substitute notice shall consist of the following: (A) Electronic mail notice when the person has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the web site of the person if the person maintains one; and (C) notification to major state-wide media, including newspapers, radio and television.

(f) Any person that maintains such person's own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies, as applicable, residents of this state, owners and licensees in accordance with such person's policies in the event of a breach of security and in the case of notice to a resident, such person also notifies the Attorney General not later than the time when notice is provided to the resident. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with the security breach notification requirements of this section, provided (1) such person notifies, as applicable, such residents of this state, owners, and licensees required to be notified under and in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security, and (2) if notice is given to a resident of this state in accordance with subdivision (1) of this subsection regarding a breach of security, such person also notifies the Attorney General not later than the time when notice is provided to the resident.

(g) Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General.

Sec. 3. Section 31-51tt of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2018):

(a) As used in this section:

(1) "Employee" means any person engaged in service to an employer in a business of his employer;

(2) "Employer" means any person engaged in business who has one or more employees, including the state or any political subdivision of the state;

(3) "Financial institution" means (A) any entity or affiliate of a state bank and trust company, national banking association, state or federally chartered savings bank, state or federally chartered savings and loan association, state or federally chartered credit union, insurance company, investment advisor, broker-dealer, (B) an entity registered with the Securities and Exchange Commission, or (C) any mortgage broker, mortgage correspondent lender or mortgage lender licensed pursuant to chapter 668 or any mortgage servicing company, as defined in section 36a-715; and

(4) "Substantially related to the employee's current or potential job" means the information contained in the credit report is related to the position for which the employee or prospective employee who is the subject of the report is being evaluated because the position:

(A) Is a managerial position which involves setting the direction or control of a business, division, unit or an agency of a business;

(B) Involves access to customers', employees' or the employer's personal or financial information other than information customarily provided in a retail transaction;

(C) Involves a fiduciary responsibility to the employer, including, but not limited to, the authority to issue payments, collect debts, transfer money or enter into contracts;

(D) Provides an expense account or corporate debit or credit card;

(E) Provides access to (i) confidential or proprietary business information, or (ii) information, including a formula, pattern, compilation, program, device, method, technique, process or trade secret that: (I) Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from the disclosure or use of the information; and (II) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy; or

(F) Involves access to [the employer's nonfinancial assets valued at two thousand five dollars or more, including, but not limited to,] museum and library collections and to prescription drugs and other pharmaceuticals.

(b) No employer or employer's agent, representative or designee may require an employee or prospective employee to consent to a request for a credit report that contains information about the employee's or prospective employee's credit score, credit account balances, payment history, savings or checking account balances or savings or checking account numbers as a condition of employment unless (1) such employer is a financial institution, (2) such report is required by law, (3) the employer reasonably believes that the employee has engaged in specific activity that constitutes a violation of the law related to the employee's employment, or (4) such report is substantially related to the employee's current or potential job or the employer has a bona fide purpose for requesting or using information in the credit report that is substantially job-related and is disclosed in writing to the employee or applicant.

(c) Any employee or prospective employee may file a complaint with the Labor Commissioner alleging a violation of the provisions of subsection (b) of this section. Within thirty days after the filing of such complaint, the commissioner shall conduct an investigation and shall render his findings. Should such findings warrant, the commissioner shall hold a hearing, in accordance with the provisions of chapter 54. An employer shall be liable to the Labor Department for a civil penalty of three hundred dollars for each inquiry made in violation of subsection (b) of this section.

(d) The Attorney General, upon complaint of the Labor Commissioner, shall institute civil actions to recover the penalties provided for under subsection (c) of this section. Any amount recovered shall be deposited in the General Fund.

Sec. 4. (NEW) (Effective October 1, 2018) The Banking Commissioner shall adopt regulations in accordance with chapter 54 of the general statutes to require credit rating agencies to (1) provide to the Banking Commissioner dedicated points of contact through which the Department of Banking may assist consumers in the event of a data breach; (2) respond not later than ten days after the Department of Banking makes a request for information on behalf of a consumer; (3) report to the Banking Commissioner all fees associated with the purchase or use of products and services marketed as identity theft protection products and a description of all business affiliations and contractual relationships with any other entities relating to the provision of any identity theft prevention or mitigation products or services; and (4) disclose to the Banking Commissioner the fees associated with the purchase or use of any proprietary products offered to consumers for the prevention of identity theft, including, if offered on a trial basis, any fees charged to purchase or use such product after the trial period ends.

This act shall take effect as follows and shall amend the following sections:

Section 1    October 1, 2018    36a-701a
Sec. 2       October 1, 2018    36a-701b
Sec. 3       October 1, 2018    31-51tt
Sec. 4       October 1, 2018    New section

BA

Joint Favorable Subst.

The following Fiscal Impact Statement and Bill Analysis are prepared for the benefit of the members of the General Assembly, solely for purposes of information, summarization and explanation and do not represent the intent of the General Assembly or either chamber thereof for any purpose. In general, fiscal impacts are based upon a variety of informational sources, including the analyst's professional knowledge. Whenever applicable, agency data is consulted as part of the analysis; however, final products do not necessarily reflect an assessment from any specific department.


OFA Fiscal Note

State Impact: None

Municipal Impact: None

Explanation

The bill requires the Department of Banking to adopt regulations concerning transactions between private entities and individuals and results in no fiscal impact as the agency has the expertise to adopt regulations.

The Out Years

State Impact: None

Municipal Impact: None

OLR Bill Analysis

sSB 472

AN ACT CONCERNING SECURITY FREEZES ON CREDIT REPORTS, IDENTITY THEFT PREVENTION SERVICES, EMPLOYER CREDIT INQUIRIES AND REGULATIONS OF CREDIT RATING AGENCIES.

SUMMARY

This bill makes several changes related to credit security freezes, identity theft prevention services, and employment-related credit checks.

It requires credit rating agencies to place and remove a credit security freeze as soon as practicable after receiving a request and prohibits them from charging a fee to do so. It also (1) requires agencies to offer to notify the other credit agencies on a consumer's behalf, (2) requires agencies receiving such a notification to treat it as if it came from the consumer, and (3) prohibits such agencies from requiring, as a condition of placing a security freeze, a consumer to enter into an agreement limiting claims he or she may have against the agency.

The bill increases, from 12 to 24 months, the length of time certain individuals must provide identity theft mitigation services to customers in the event of a data breach. It also requires the banking commissioner to adopt regulations requiring credit rating agencies to (1) provide a dedicated point of contact following a data breach and (2) report certain financial information associated with identity theft protection and mitigation services.

The bill limits when certain employers can require an employee or applicant to undergo a credit check. But it broadens the credit check requirement for other individuals with access to museum and library collections or prescription drugs or other pharmaceuticals.

The bill also makes minor and conforming changes.

EFFECTIVE DATE: October 1, 2018

§ 1 — SECURITY FREEZES

By law, a “security freeze” is a notice placed in a consumer's credit report, at the consumer's request, that bars a credit rating agency from releasing the report, or any information in it, without the consumer's express authorization (CGS 36a-701).

Time Frame

The bill requires a credit rating agency to place and remove security freezes as soon as practicable after receiving a request to do so. By law, such agencies must (1) place a security freeze, including for a minor child, within five business days, and (2) remove a security freeze within three business days.

Fees and Limiting Claims

The bill prohibits credit rating agencies from charging a fee to place, remove, or temporarily lift a credit security freeze. Under current law, credit rating agencies may charge consumers up to $10 to place, remove, or temporarily lift a credit freeze and up to $12 to temporarily lift a freeze for a specific party. But they are prohibited from charging fees to certain consumers, including children and identity theft or domestic violence victims.

Under the bill, a credit rating agency must offer the consumer the option to notify any and all other credit rating agencies of a consumer's request to place or remove a security freeze. If the consumer agrees, the rating agency must notify the other rating agencies of the consumer's request; any agency receiving such a notification must place or remove the security freeze as if it received the request from the consumer.

The bill also prohibits credit rating agencies from (1) requiring, as a condition of placing a security freeze, that consumers agree to limit their claims against the agency and (2) charging fees for any personal identification numbers (PINs), instead of for first-time replacement PINs, as under current law.

§§ 2 & 4 — IDENTITY THEFT SERVICES AND DATA BREACH REGULATIONS

The bill increases, from 12 to 24 months, the period for which certain individuals must offer identity theft mitigation services to customers in the event of a data breach. The bill applies to any individual who, in the course of ordinary business, owns or licenses electronic data that includes personal information.

The bill requires the banking commissioner to adopt regulations requiring credit rating agencies to (1) provide the banking commissioner dedicated points of contact through which it may assist consumers after a data breach, (2) respond within 10 days after the department makes a request for information on a consumer's behalf, (3) report to the commissioner all fees associated with the purchase or use of identity theft protection services, (4) provide a description of all business affiliations and contractual relationships with other entities that provide identity theft prevention or mitigation products or services, and (5) disclose to the commissioner any fees associated with the purchase or use of proprietary identity theft prevention products, including any fees resulting from a purchase after a trial offer.

§ 3 — EMPLOYMENT CREDIT CHECKS

This bill prohibits employers or their agents, representatives, or designees from requiring, as a condition of employment, a current or prospective employee's consent to a request for a credit report solely because the job involves access to nonfinancial assets valued at more than $2,500. It does so by removing jobs with access to such nonfinancial assets from the statutory definition of “substantially related.”

By law, employers may require current or prospective employees to consent to a credit report request when the report is “substantially related” to the employee's current or potential job, or the employer has a bona fide reason to request or use information in the report that is substantially job-related, and this reason is disclosed to the employee or applicant in writing.

By doing so, the bill also allows an employer to require such a credit check for an employee with access to museum and library collections, or prescription drugs or other pharmaceuticals, regardless of their value. Under current law, a credit check for these employees may only be required if the collection, prescription drugs, or pharmaceuticals are worth more than $2,500.

COMMITTEE ACTION

Banking Committee

Joint Favorable Substitute

Yea 10    Nay 9    (03/20/2018)
