Substitute Senate Bill No. 472

Public Act No. 18-90

AN ACT CONCERNING SECURITY FREEZES ON CREDIT REPORTS, IDENTITY THEFT PREVENTION SERVICES AND REGULATIONS OF CREDIT RATING AGENCIES.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. Section 36a-701a of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2018):

(a) Any consumer may submit a written request, by certified mail or such other secure method as authorized by a credit rating agency, to a credit rating agency to place a security freeze on such consumer's credit report. Such credit rating agency shall place a security freeze on a consumer's credit report as soon as practicable, but not later than five business days after receipt of such request. Not later than ten business days after placing a security freeze on a consumer's credit report, such credit rating agency shall send a written confirmation of such security freeze to such consumer that provides the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of such consumer's report to a third party or for a period of time. Nothing in this subsection shall be deemed to require a consumer reporting agency to provide to a minor child or the parent or legal guardian of a minor child, on behalf of the minor child, a unique personal identification number, password or similar device to be used to authorize the consumer reporting agency to release such minor child's credit report.

(b) In the event such consumer, other than a minor child or the parent or legal guardian of a minor child, wishes to authorize the disclosure of such consumer's credit report to a third party, or for a period of time, while such security freeze is in effect, such consumer shall contact such credit rating agency and provide: (1) Proper identification, (2) the unique personal identification number or password described in subsection (a) of this section, and (3) proper information regarding the third party who is to receive the credit report or the time period for which the credit report shall be available. Any credit rating agency that receives a request from a consumer pursuant to this section shall lift such security freeze not later than three business days after receipt of such request.

(c) Except for the temporary lifting of a security freeze as provided in subsection (b) of this section, any security freeze authorized pursuant to the provisions of this section shall remain in effect until such time as such consumer requests such security freeze to be removed. A credit rating agency shall remove such security freeze as soon as practicable, but not later than three business days after receipt of such request provided such consumer provides proper identification to such credit rating agency and the unique personal identification number or password described in subsection (a) of this section at the time of such request for removal of the security freeze. In the case of a minor child, the credit rating agency shall remove such security freeze not later than fifteen business days after receipt of such request, provided the minor child or the parent or legal guardian of the minor child uses the unique personal identification number, password or similar device provided under subsection (a) of this section at the time of such request, if applicable.

(d) Any credit rating agency may develop procedures to receive and process such request from a consumer to temporarily lift or remove a security freeze on a credit report pursuant to subsection (b) of this section. Such procedures, at a minimum, shall include, but not be limited to, the ability of a consumer to send such temporary lift or removal request by electronic [mail] means, letter or facsimile.

(e) In the event that a third party requests access to a consumer's credit report that has such a security freeze in place and such third party request is made in connection with an application for credit or any other use and such consumer has not authorized the disclosure of such consumer's credit report to such third party, such third party may deem such credit application as incomplete.

(f) Any credit rating agency may refuse to implement or may remove such security freeze if such agency believes, in good faith, that: (1) The request for a security freeze was made as part of a fraud that the consumer participated in, had knowledge of, or that can be demonstrated by circumstantial evidence, or (2) the consumer credit report was frozen due to a material misrepresentation of fact by the consumer. In the event any such credit rating agency refuses to implement or removes a security freeze pursuant to this subsection, such credit rating agency shall promptly notify such consumer in writing of such refusal not later than five business days after such refusal or, in the case of a removal of a security freeze, prior to removing the freeze on the consumer's credit report.

(g) Nothing in this section shall be construed to prohibit disclosure of a consumer's credit report to: (1) A person, or the person's subsidiary, affiliate, agent or assignee with which the consumer has or, prior to assignment, had an account, contract or debtor-creditor relationship for the purpose of reviewing the account or collecting the financial obligation owing for the account, contract or debt; (2) a subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under subsection (b) of this section for the purpose of facilitating the extension of credit or other permissible use; (3) any person acting pursuant to a court order, warrant or subpoena; (4) any person for the purpose of using such credit information to prescreen as provided by the federal Fair Credit Reporting Act; (5) any person for the sole purpose of providing a credit file monitoring subscription service to which the consumer has subscribed; (6) a credit rating agency for the sole purpose of providing a consumer with a copy of his or her credit report upon the consumer's request; or (7) a federal, state or local governmental entity, including a law enforcement agency, or court, or their agents or assignees pursuant to their statutory or regulatory duties. For purposes of this subsection, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements.

(h) The following persons shall not be required to place a security freeze on a consumer's credit report, provided such persons shall be subject to any security freeze placed on a credit report by another credit rating agency: (1) A check services or fraud prevention services company that reports on incidents of fraud or issues authorizations for the purpose of approving or processing negotiable instruments, electronic fund transfers or similar methods of payment; (2) a deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or similar information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution; or (3) a credit rating agency that: (A) Acts only to resell credit information by assembling and merging information contained in a database of one or more credit reporting agencies; and (B) does not maintain a permanent database of credit information from which new credit reports are produced.

(i) (1) [Except as provided in subdivision (2) of this subsection, a] A credit rating agency [may] shall not (A) charge a fee [of not more than ten dollars] to a consumer for [each] a security freeze, removal of such freeze, [or] temporary lift of such freeze for a period of time [, and a fee of not more than twelve dollars for] or a temporary lift of such freeze for a specific party, or (B) require as a condition for placing a security freeze that a consumer enter into an agreement that limits any claim the consumer may have against such credit rating agency.

(2) [A credit rating agency shall not charge the fees authorized by subdivision (1) of this subsection to: (A) A victim of identity theft or the spouse of any victim of identity theft, who has submitted a copy of a police report prepared pursuant to section 54-1n to the credit rating agency; (B) any person who is covered under the victim of identity theft's individual or group health insurance policy providing coverage of the type specified in subdivisions (1), (2), (4), (11) and (12) of section 38a-469, who has submitted a copy of a police report prepared pursuant to section 54-1n to the credit rating agency; (C) a person sixty-two years of age or older; (D) a person under eighteen years of age; (E) a person for whom a guardian or conservator has been appointed by a court; and (F) a victim of domestic violence, as defined in subdivision (1) of subsection (a) of section 17b-112a, who has provided evidence of such domestic violence as specified in subsection (b) of section 17b-112a to the credit rating agency.] No credit rating agency shall charge a fee to a consumer for a [replacement] personal identification number. [when such replacement is the first one requested by the consumer.]

(j) The parent or legal guardian of a minor child may place a security freeze on the credit report of a minor child by submitting a written request to the credit rating agency in the manner described in this section and subject to the same conditions and by providing the credit rating agency with proper identification and sufficient proof of authority to act on behalf of the minor child. The credit rating agency shall place the security freeze on the credit report of a minor child as soon as practicable, but not later than five business days after receipt of such request. If the credit rating agency does not have any information in its files pertaining to the minor child at the time the credit rating agency receives a request pursuant to this subsection, the credit rating agency shall create a record for the minor child and place a security freeze on such record. Such record shall consist of a compilation of information created by a credit rating agency that identifies a minor child. A credit rating agency shall not create or use such record to consider the minor child's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living. A credit rating agency shall not release a minor child's credit report, any information derived from a minor child's credit report or any record created for a minor child.

(k) The parent or legal guardian of a minor child may request the removal of a security freeze placed on the credit report or record of a minor child by submitting a written request to the credit rating agency in the manner described in this section and subject to the same conditions and by providing the credit rating agency with proper identification and sufficient proof of authority to act on behalf of the minor child. The credit rating agency shall remove the security freeze on the credit report or record of a minor child not later than fifteen business days after receipt of such request.

(l) An insurer, as defined in section 38a-1, may deny an application for insurance if an applicant has placed a security freeze on such applicant's credit report and fails to authorize the disclosure of such applicant's credit report to such insurer pursuant to the provisions of subsection (b) of this section.

(m) Any security freeze in a credit report in effect as of October 1, 2016, shall continue to be in effect until the consumer or the parent or legal guardian of a minor child requests the removal of the security freeze.

Sec. 2. Section 36a-701b of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2018):

(a) For purposes of this section, (1) "breach of security" means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable; and (2) "personal information" means an individual's first name or first initial and last name in combination with any one, or more, of the following data: (A) Social Security number; (B) driver's license number or state identification card number; [or] (C) [account number,] credit or debit card number; [,] or (D) financial account number in combination with any required security code, access code or password that would permit access to [an individual's] such financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

(b) (1) Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall provide notice of any breach of security following the discovery of the breach to any resident of this state whose personal information was breached or is reasonably believed to have been breached. Such notice shall be made without unreasonable delay but not later than ninety days after the discovery of such breach, unless a shorter time is required under federal law, subject to the provisions of subsection (d) of this section and the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.

(2) If notice of a breach of security is required by subdivision (1) of this subsection:

(A) The person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General; and

(B) The person who conducts business in this state, and who, in the ordinary course of such person's business, owns or licenses computerized data that includes personal information, shall offer to each resident whose personal information under subparagraph (A) of subdivision (4) of subsection (a) of section 38a-999b or subparagraph (A) of subdivision (2) of subsection (a) of this section was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than [twelve] twenty-four months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file.

(c) Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information of a resident of this state was breached or is reasonably believed to have been breached.

(d) Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.

(e) Any notice to a resident, owner or licensee required by the provisions of this section may be provided by one of the following methods: (1) Written notice; (2) telephone notice; (3) electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001; (4) substitute notice, provided such person demonstrates that the cost of providing notice in accordance with subdivision (1), (2) or (3) of this subsection would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand persons or that the person does not have sufficient contact information. Substitute notice shall consist of the following: (A) Electronic mail notice when the person has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the web site of the person if the person maintains one; and (C) notification to major state-wide media, including newspapers, radio and television.

(f) Any person that maintains such person's own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies, as applicable, residents of this state, owners and licensees in accordance with such person's policies in the event of a breach of security and in the case of notice to a resident, such person also notifies the Attorney General not later than the time when notice is provided to the resident. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with the security breach notification requirements of this section, provided (1) such person notifies, as applicable, such residents of this state, owners, and licensees required to be notified under and in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security, and (2) if notice is given to a resident of this state in accordance with subdivision (1) of this subsection regarding a breach of security, such person also notifies the Attorney General not later than the time when notice is provided to the resident.

(g) Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General.

Sec. 3. (NEW) (Effective October 1, 2018) The Banking Commissioner shall adopt regulations in accordance with chapter 54 of the general statutes to require credit rating agencies to provide to the Banking Commissioner dedicated points of contact through which the Department of Banking may assist consumers in the event of a data breach.