PRINTER'S NO. 1470
No. 1243 Session of 2005
INTRODUCED BY MARKOSEK, BOYD, CALTAGIRONE, CURRY, FAIRCHILD, FREEMAN, GEORGE, GOODMAN, HARHAI, HENNESSEY, JAMES, McGEEHAN, McILHATTAN, OLIVER, PALLONE, PHILLIPS, PISTELLA, READSHAW, REICHLEY, ROONEY, SHANER, R. STEVENSON, STURLA, E. Z. TAYLOR, TIGUE, WATERS AND WHEATLEY, MARCH 31, 2005
REFERRED TO COMMITTEE ON COMMERCE, MARCH 31, 2005
AN ACT 1 Providing for protection from identity theft, for security 2 alerts and freezes, for procedures for access after 3 imposition and removal of security freezes and for 4 confidentiality of Social Security numbers. 5 TABLE OF CONTENTS 6 Chapter 1. Preliminary Provisions 7 Section 101. Short title. 8 Section 102. Definitions. 9 Chapter 3. Security Alerts and Freezes 10 Section 301. Security alert. 11 Section 302. Security freeze. 12 Section 303. Credit reporting agency. 13 Section 304. Personal identification. 14 Section 305. Notification of freeze. 15 Section 306. Effect of freeze. 16 Section 307. Temporary freeze. 17 Section 308. Fees.
1 Chapter 5. Procedures 2 Section 501. Distribution of information. 3 Section 502. Dispute procedure. 4 Chapter 7. Confidentiality of Social Security Numbers 5 Section 701. Prohibitions. 6 Section 702. Limitations of use of Social Security numbers by 7 governmental entities. 8 Chapter 11. Miscellaneous Provisions 9 Section 1101. Damages. 10 Section 1102. Effective date. 11 The General Assembly of the Commonwealth of Pennsylvania 12 hereby enacts as follows: 13 CHAPTER 1 14 PRELIMINARY PROVISIONS 15 Section 101. Short title. 16 This act shall be known and may be cited as the Consumer 17 Protection and Credit Reporting Act. 18 Section 102. Definitions. 19 The following words and phrases when used in this act shall 20 have the meanings given to them in this section unless the 21 context clearly indicates otherwise: 22 "Clear and proper identification." Information generally 23 deemed sufficient to identify a person. For purposes of this 24 definition, only if a consumer is unable to reasonably identify 25 himself with information under this definition may a consumer 26 credit reporting agency require additional information 27 concerning the consumer's employment and personal or family 28 history in order to verify the consumer's identity. 29 "Consumer." A natural person who resides in this 30 Commonwealth. 20050H1243B1470 - 2 -
1 "Consumer file." A credit report. 2 "Consumer report." A credit report. 3 "Credit report." Any written, oral or other communication of 4 any credit information by a credit reporting agency, as defined 5 in the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 6 1681 et seq.), which operates or maintains a database of 7 consumer credit information bearing on a consumer's 8 creditworthiness, credit standing or credit capacity. 9 "Credit reporting agency." Any person who, for monetary 10 fees, dues or on a cooperative nonprofit basis, regularly 11 engages in whole or in part in the practice of assembling or 12 evaluating consumer credit information or other information on 13 consumers for the purpose of furnishing consumer reports to 14 third parties and who uses any means or facility of interstate 15 commerce for the purpose of preparing or furnishing consumer 16 reports. The term does not include: 17 (1) A check acceptance service which provides check 18 approval and guarantees services to merchants. 19 (2) Any governmental agency whose records are maintained 20 primarily for traffic safety, law enforcement or licensing 21 purposes. 22 "Publicly post" or "publicly display." To intentionally 23 communicate or otherwise make available to the general public. 24 "Security alert." A notice placed on a consumer file or in a 25 consumer's report, at the request of the consumer, that is sent 26 to a recipient of a consumer report or file involving that 27 consumer file, signifying the fact that the consumer's identity 28 may have been used without the consumer's consent to 29 fraudulently obtain goods or services in the consumer's name. 30 "Security freeze." A notice placed on a consumer file, at 20050H1243B1470 - 3 -
1 the request of the consumer and subject to certain exceptions, 2 that prohibits a credit reporting agency from releasing the 3 consumer's credit report or credit score without the express 4 authorization of the consumer. 5 CHAPTER 3 6 SECURITY ALERTS AND FREEZES 7 Section 301. Security alert. 8 (a) General rule.--A consumer may elect to place a security 9 alert in the credit report of the consumer by making a request 10 in writing or by telephone and with clear and proper 11 identification provided by the consumer to a consumer credit 12 reporting agency. 13 (b) Disclosures to consumers.--A written disclosure to a 14 consumer by a consumer reporting agency must include a written 15 statement that explains in clear and simple language the 16 consumer's rights under this section and includes: 17 (1) The process for receiving a consumer report or 18 consumer file. 19 (2) The process for requesting or removing a security 20 alert. 21 (3) The toll-free telephone number for requesting a 22 security alert. 23 (4) Applicable fees. 24 (5) Dispute procedures. 25 (6) The process for correcting a consumer file or 26 report. 27 (7) Information on a consumer's right to bring an action 28 in court or arbitrate a dispute. 29 (c) Notification.--A consumer credit reporting agency shall 30 notify each person requesting consumer credit information with 20050H1243B1470 - 4 -
1 respect to a consumer of the existence of a security alert in 2 the credit report of that consumer, regardless of whether a full 3 credit report, credit score or summary report is requested. 4 (d) Toll-free telephone number.--Each consumer credit 5 reporting agency shall maintain a toll-free telephone number to 6 accept security alert requests from consumers 24 hours a day, 7 seven days a week. The toll-free telephone number shall be 8 included in any written disclosure by a consumer credit 9 reporting agency to any consumer and shall be printed in a clear 10 and conspicuous manner. In the event an automated answering 11 system is utilized, calls shall be returned to the consumer no 12 later than two hours after the time the call was received. 13 (e) Security alert request.--A consumer credit reporting 14 agency shall place a security alert on a consumer's credit 15 report no later than 24 hours after receiving a request from the 16 consumer. 17 (f) Placement and renewal.--The security alert shall remain 18 in place for at least one year, and a consumer shall have the 19 right to request an unlimited number of renewals of the security 20 alert. When a one-year alert has elapsed, on request in writing 21 or by telephone and with proper identification provided by the 22 consumer, the agency shall provide the consumer with a free copy 23 of the consumer's file. A consumer may include with the security 24 alert request a telephone number to be used by persons to verify 25 the consumer's identity before entering into a transaction with 26 the consumer. 27 (g) Approval.--Any person who uses a consumer credit report 28 in connection with the approval of credit based on an 29 application for an extension of credit, or with the purchase, 30 lease or rental of goods or noncredit-related services and who 20050H1243B1470 - 5 -
1 receives notification of a security alert pursuant to subsection 2 (a) may not lend money, extend credit or complete the purchase, 3 lease or rental of goods or noncredit-related services without 4 taking reasonable steps to verify the consumer's identity, in 5 order to ensure that the application for an extension of credit 6 or for the purchase, lease or rental of goods or noncredit- 7 related services is not the result of identity theft. If the 8 consumer has placed a statement with the security alert in the 9 consumer's file requesting that identity be verified by calling 10 a specified telephone number, any person who receives that 11 statement with the security alert in a consumer's file pursuant 12 to subsection (a) shall take reasonable steps to verify the 13 identity of the consumer by contacting the consumer using the 14 specified telephone number prior to lending money, extending 15 credit or completing the purchase, lease or rental of goods or 16 noncredit-related services. If a person uses a consumer credit 17 report to facilitate the extension of credit or for another 18 permissible purpose on behalf of a subsidiary, affiliate, agent, 19 assignee or prospective assignee, that person may verify a 20 consumer's identity under this section in lieu of the 21 subsidiary, affiliate, agent, assignee or prospective assignee. 22 (h) Extension of credit.--For purposes of this section, 23 "extension of credit" does not include an increase in the dollar 24 limit of an existing open-end credit plan, as defined in 25 Regulation Z issued by the Board of Governors of the Federal 26 Reserve System of 12 CFR 226.2 (relating to definitions and 27 rules of construction), or any change to or review of an 28 existing credit account. 29 (i) Verification of identity.--If reasonable steps are taken 30 to verify the identity of the consumer, those steps constitute 20050H1243B1470 - 6 -
1 compliance with the requirements of this section, except that if 2 a consumer has placed a statement including a telephone number 3 with the security alert in the consumer's file, the consumer's 4 identity shall be verified by contacting the consumer using that 5 telephone number as specified pursuant to subsection (g). 6 (j) Notice of expiration date.--A consumer credit reporting 7 agency shall provide notification of the expiration date of a 8 security alert to each consumer who has requested that a 9 security alert be placed on the consumer's credit report. 10 Section 302. Security freeze. 11 (a) Request for freeze.--A consumer may elect to place a 12 security freeze on the consumer's credit report by written 13 request, sent by certified mail, that includes clear and proper 14 identification, to a credit reporting agency. A credit reporting 15 agency shall place a security freeze on a consumer's credit 16 report no later than five business days after receiving a 17 written request for the security freeze from the consumer. 18 (b) Disclosures to consumers.--Any written disclosure to a 19 consumer by a credit reporting agency must include a written 20 statement that explains in clear and simple language the 21 consumer's rights under this section and includes: 22 (1) The process for receiving a credit report. 23 (2) The process for requesting or removing a security 24 freeze. 25 (3) The toll-free telephone number for requesting a 26 security alert. 27 (4) Applicable fees. 28 (5) Dispute procedures. 29 (6) The process for correcting a credit report. 30 (7) Information on a consumer's right to bring an action 20050H1243B1470 - 7 -
1 in court or arbitrate a dispute. 2 (c) Effect of security freeze.--When a security freeze is in 3 place, information from a consumer's credit report shall not be 4 released to a third party without prior express authorization 5 from the consumer. This subsection shall not prevent a credit 6 reporting agency from advising a third party that a security 7 freeze is in effect with respect to the consumer's credit 8 report. 9 (d) Third-party request.--If a third party requests access 10 to a consumer credit report on which a security freeze is in 11 effect, and this request is in connection with an application 12 for credit or any other use, and the consumer does not allow the 13 consumer's credit report to be accessed for that specific party 14 or period of time, the third party may treat the application as 15 incomplete. 16 Section 303. Credit reporting agency. 17 The credit reporting agency shall, no later than ten business 18 days after the date the agency receives the request for a 19 security freeze, send the consumer a written confirmation that 20 provides the consumer with a unique personal identification 21 number or password to be used by the consumer when providing 22 authorization for the access to the consumer's credit file for a 23 specific period of time. In addition, the credit reporting 24 agency shall simultaneously provide to the consumer in writing 25 notification of the process of placing and temporarily lifting a 26 security freeze and the process for allowing access to 27 information from the consumer's credit file for a specific party 28 or for a specific period while the security freeze is in effect. 29 Section 304. Personal identification. 30 A consumer may request in writing a replacement personal 20050H1243B1470 - 8 -
1 identification number or password. The request must comply with 2 the requirements for requesting a security freeze under section 3 302 (relating to security freeze). The credit reporting agency 4 shall, no later than seven business days after the date the 5 agency receives the request for a replacement personal 6 identification number or password, provide the consumer with a 7 new, unique personal identification number or password to be 8 used by the consumer instead of the number or password that was 9 provided under section 303 (relating to credit reporting 10 agency). 11 Section 305. Notification of freeze. 12 A credit reporting agency shall notify a person who requests 13 a consumer report or score if a security alert or freeze is in 14 effect for the consumer file involved in that report or score. 15 Section 306. Effect of freeze. 16 If a third party requests access to a consumer credit report 17 on which a security freeze is in effect and this request is in 18 connection with an application for credit or any other use and 19 the consumer does not allow the consumer's credit report to be 20 accessed for that specific period of time, the third party must 21 treat the application as incomplete. 22 Section 307. Temporary freeze. 23 (a) Request.--If the consumer wishes to allow the consumer's 24 credit report or score to be accessed for a specific period of 25 time while a freeze is in place, the consumer shall contact the 26 credit reporting agency and request that the freeze be 27 temporarily lifted and provide the following: 28 (1) Clear and proper identification. 29 (2) The unique personal identification number or 30 password provided by the credit reporting agency pursuant to 20050H1243B1470 - 9 -
1 section 303 (relating to credit reporting agency). 2 (3) The proper information regarding the time period for 3 which the report shall be available to users of the credit 4 report. 5 (4) The proper information regarding the third party who 6 is to receive the credit report or the time period for which 7 the report shall be available to users of the credit report. 8 (b) Agency requirement.--A credit reporting agency that 9 receives a request from a consumer to temporarily lift a freeze 10 on a credit report pursuant to subsection (a) shall comply with 11 the request no later than three business days after receiving 12 the request. A credit reporting agency may develop procedures 13 involving the use of the telephone, facsimile, Internet or other 14 electronic media to receive and process a request from a 15 consumer to temporarily lift a freeze on a credit report or 16 score pursuant to subsection (a) in an expedited manner. 17 (c) Removal of temporary freeze.--A credit reporting agency 18 shall remove or temporarily lift a freeze placed on a consumer's 19 credit report only in the following cases: 20 (1) Upon consumer request as provided in this section. 21 (2) If the consumer's credit report was frozen due to a 22 material misrepresentation of fact by the consumer. If a 23 credit reporting agency intends to remove a freeze upon a 24 consumer's credit report pursuant to this paragraph, the 25 credit reporting agency shall notify the consumer in writing 26 prior to removing the freeze on the consumer's credit report. 27 (d) Duration of freeze.--A security freeze shall remain in 28 place until the consumer requests that the security freeze be 29 removed. A credit reporting agency shall remove a security 30 freeze within three business days of receiving a request for 20050H1243B1470 - 10 -
1 removal from the consumer who provides both of the following: 2 (1) Clear and proper identification. 3 (2) The unique personal identification number or 4 password provided by the credit reporting agency. 5 (e) Applicability of freeze.--A security freeze does not 6 apply to a consumer report provided to: 7 (1) A Federal, State or local government entity, 8 including a law enforcement agency or court, or their agents 9 or assigns. 10 (2) A private collection agency for the sole purpose of 11 assisting in the collection of an existing debt of the 12 consumer who is the subject of the credit report requested. 13 (3) A person or entity or a subsidiary, affiliate or 14 agent of that person or entity, or an assignee of a financial 15 obligation owing by the consumer to that person or entity, or 16 a prospective assignee of a financial obligation owing by the 17 consumer to that person or entity in conjunction with the 18 proposed purchase of the financial obligation, with which the 19 consumer has or had prior to assignment an account or 20 contract, including a demand deposit account, or to whom the 21 consumer issued a negotiable instrument, for the purposes of 22 reviewing the account or collecting the financial obligation 23 owing for the account, contract or negotiable instrument. For 24 purposes of this paragraph, "reviewing the account" includes 25 activities related to account maintenance, monitoring, credit 26 line increases and account upgrades and enhancements. 27 (4) A subsidiary, affiliate, agent, assignee or 28 prospective assignee of a person to whom access has been 29 granted under this section for the purposes of facilitating 30 the extension of credit. 20050H1243B1470 - 11 -
1 (5) A person, for the purposes of prescreening as 2 provided by the Fair Credit Reporting Act (Public Law 91-508, 3 15 U.S.C. § 1681 et seq.). 4 (6) A credit reporting agency for the purposes of 5 providing a consumer with a copy of the consumer's report at 6 the request of the consumer. 7 (7) A child support enforcement agency. 8 (8) A credit reporting agency that acts only as a 9 reseller of credit information by assembling and merging 10 information contained in the database of another credit 11 reporting agency or multiple credit reporting agencies and 12 does not maintain a permanent database of credit information 13 from which new credit reports are produced. However, a credit 14 reporting agency acting as a reseller shall honor any 15 security freeze placed on a credit report by another credit 16 reporting agency. 17 (9) A check services company or fraud prevention 18 services company which issues reports on incidents of fraud 19 or authorizations for the purpose of approving or processing 20 negotiable instruments, electronic funds transfers or similar 21 methods of payments. 22 (10) A deposit account information service company which 23 issues reports regarding account closures due to fraud, 24 substantial overdrafts, ATM abuse or similar negative 25 information regarding a consumer to inquiring banks or other 26 financial institutions for use only in reviewing a consumer's 27 request for a deposit account at the inquiring bank or 28 financial institution. 29 (f) Certain fees prohibited.--A consumer reporting agency 30 may not charge a fee for a request under subsection (a) or (c). 20050H1243B1470 - 12 -
1 Section 308. Fees. 2 (a) General rule.--A credit reporting agency shall not 3 impose a fee for the first copy of a consumer report provided to 4 a consumer each calendar year. 5 (b) Fee limited.--A credit reporting agency may impose a 6 reasonable charge on a consumer for initially placing a security 7 freeze on a consumer file. The amount of the charge may not 8 exceed $10. On January 1 of each year, a consumer reporting 9 agency may increase the charge for disclosure to a consumer or 10 for placing a security freeze. The increase, if any, must be 11 based proportionally on changes to the Consumer Price Index for 12 all Urban Consumers as determined by the United States 13 Department of Labor with fractional changes rounded to the 14 nearest 50¢. At no time shall the consumer be charged for 15 revoking the freeze. An exception shall be allowed whereby the 16 consumer will be charged $0 by the consumer reporting agency 17 placing the security freeze if any of the following apply: 18 (1) If the consumer is a victim of identity theft and, 19 upon the request of the consumer reporting agency, provides 20 the credit reporting agency with a police report. 21 (2) If the consumer is 62 years of age or older. 22 (c) Confirmation required.--If a security freeze is in 23 place, a credit reporting agency shall not change any of the 24 following official information in a consumer credit report 25 without sending a written confirmation of the change to the 26 consumer within 30 days of the change being posted to the 27 consumer's file: 28 (1) Name. 29 (2) Date of birth. 30 (3) Social Security number. 20050H1243B1470 - 13 -
1 (4) Address. 2 Written confirmation is not required for technical modifications 3 of a consumer's official information, including name and street 4 abbreviations, complete spellings or transposition of numbers or 5 letters. In the case of an address change, the written 6 confirmation shall be sent to both the new address and to the 7 former address. 8 CHAPTER 5 9 PROCEDURES 10 Section 501. Distribution of information. 11 A consumer credit reporting agency, upon written request and 12 the furnishing of sufficient identification to identify the 13 consumer and the subject file, shall create reasonable 14 procedures to prevent a consumer credit report or information 15 from a consumer's file from being provided to any third party 16 for marketing purposes or for any offer of credit not requested 17 by the consumer. The section does not apply to the use of 18 information by a credit grantor for purposes related to an 19 existing credit relationship. 20 Section 502. Dispute procedure. 21 If the completeness or accuracy of information contained in a 22 consumer's file is disputed by the consumer and the consumer 23 notifies the consumer reporting agency of the dispute, the 24 agency shall reinvestigate the disputed information free of 25 charge and record the current status of the disputed information 26 no later than the 30th business day after the date on which the 27 agency receives the notice. The consumer reporting agency shall 28 provide the consumer with the option of notifying the agency of 29 a dispute concerning the consumer's file by speaking directly to 30 a representative of the agency. 20050H1243B1470 - 14 -
1 CHAPTER 7 2 CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS 3 Section 701. Prohibitions. 4 (a) General rule.--A person or entity, not including a State 5 or local agency, may not do any of the following: 6 (1) Publicly post or publicly display in any manner an 7 individual's Social Security number. 8 (2) Print an individual's Social Security number on any 9 card required for the individual to access products or 10 services provided by the person or entity. 11 (3) Require an individual to transmit the individual's 12 Social Security number over the Internet website unless the 13 connection is secure or the Social Security number is 14 encrypted. 15 (4) Require an individual to use the individual's Social 16 Security number to access an Internet website unless a 17 password or unique personal identification number or other 18 authentication device is also required to access the Internet 19 website. 20 (5) (i) Print an individual's Social Security number on 21 any materials that are mailed to the individual unless 22 Federal or State law requires the Social Security number 23 to be on the document to be mailed. 24 (ii) Notwithstanding subparagraph (i), applications 25 and forms sent by mail may include Social Security 26 numbers. 27 (b) Applicability.--Except as provided in subsection (c), 28 subsection (a) applies to the use of Social Security numbers on 29 or after July 1, 2005. 30 (c) Use prior to effective date.--Except as provided in 20050H1243B1470 - 15 -
1 subsection (e), a person or entity, not including a State or 2 local entity, that has used, prior to July 1, 2005, an 3 individual's Social Security number in a manner inconsistent 4 with subsection (a) may continue using that individual's Social 5 Security number in that manner on or after July 1, 2005, if all 6 of the following conditions are met: 7 (1) The use of the Social Security number is continuous. 8 If the use is discontinued for any reason, subsection (a) 9 shall apply. 10 (2) The individual is provided an annual disclosure, 11 commencing in the year 2005, informing the individual that 12 the individual has the right to discontinue use of the 13 individual's Social Security number in a manner prohibited by 14 subsection (a). 15 (3) If a written request by an individual to discontinue 16 the use of the individual's Social Security number in a 17 manner prohibited by subsection (a) is received, the person 18 or entity shall implement the request within 30 days of the 19 receipt of the request. The person or entity may not impose a 20 fee or charge for implementing the request. 21 (4) The person or entity, not including a State or local 22 agency, does not deny services to the individual because the 23 individual makes a written request pursuant to this 24 subsection. 25 (d) Construction.--This section shall not be construed to 26 prohibit the collection, use or release of a Social Security 27 number as required by Federal or State law or the use of a 28 Social Security number for internal verification or 29 administrative purposes by a person or entity. 30 (e) Exceptions.--In the case of a health care service plan, 20050H1243B1470 - 16 -
1 a provider of health care, an insurer or pharmacy benefits 2 manager or an agent of any of these, this section shall become 3 operative as follows: 4 (1) On or before January 1, 2006, a health care service 5 plan, a provider of health care, an insurer or pharmacy 6 benefits manager or an agent of any of these shall comply 7 with subsection (a)(1), (3), (4) and (5) as these 8 requirements pertain to existing individual policyholders. 9 (2) On or before January 1, 2006, a health care service 10 plan, a provider of health care, an insurer or pharmacy 11 benefits manager or an agent of any of these shall comply 12 with subsection (a) as these requirements pertain to new 13 individual policyholders and new employer groups for policies 14 issued on or after January 1, 2006. 15 (f) Cooperation.--A health care service plan, a provider of 16 health care, an insurer or pharmacy benefits manager or an agent 17 of any of these entities shall make reasonable efforts to 18 cooperate, through systems testing and other means, to ensure 19 the requirements of this chapter are implemented on or before 20 the dates specified in this chapter. 21 Section 702. Limitations of use of Social Security numbers by 22 governmental entities. 23 Prior to posting or requiring the posting of a document in a 24 place of general public circulation, an agency, board, 25 department, commission, committee, branch, instrumentality or 26 authority of the Commonwealth or an agency, board, committee, 27 department, branch, instrumentality, commission or authority of 28 any political subdivision of the Commonwealth shall take all 29 reasonable steps to redact any Social Security numbers from the 30 documents. 20050H1243B1470 - 17 -
1 CHAPTER 11 2 MISCELLANEOUS PROVISIONS 3 Section 1101. Damages. 4 Any consumer damaged by an intentional, reckless or negligent 5 violation of this act may bring an action for and shall be 6 entitled to recovery of actual damages, plus reasonable attorney 7 fees, court costs and other reasonable costs of prosecution of 8 the suit. 9 Section 1102. Effective date. 10 This act shall take effect in 60 days. C22L12BIL/20050H1243B1470 - 18 -