[First Reprint]

ASSEMBLY, No. 2549

STATE OF NEW JERSEY

220th LEGISLATURE

INTRODUCED FEBRUARY 14, 2022

Sponsored by:

Assemblywoman  CAROL A. MURPHY

District 7 (Burlington)

Assemblywoman  ANGELA V. MCKNIGHT

District 31 (Hudson)

Assemblyman  STERLEY S. STANLEY

District 18 (Middlesex)

Co-Sponsored by:

Assemblywomen Quijano and Swain

SYNOPSIS

     Requires consumer reporting agencies to increase protection of consumers' personal information.

CURRENT VERSION OF TEXT

     As amended by the General Assembly on June 16, 2022.

An Act concerning consumer reporting agencies and amending and supplementing P.L.1997, c.172. 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.    Section 3 of P.L.1997, c.172 (C.56:11-30) is amended to read as follows:

     3.    As used in this act:

     "Adverse action" has the same meaning as in subsection (k) of section 603 of the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681a.

     "Consumer" means an individual.

     "Consumer report" (1) means any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for:

     (a)   credit or insurance to be used primarily for personal, family or household purposes;

     (b)   employment purposes; or

     (c)   any other purpose authorized under section 4 of this act.

     (2)   The term "consumer report" does not include:

     (a)   any:

     (i)    report containing information solely on transactions or experiences between the consumer and the person making the report;

     (ii)   communication of that information among persons related by common ownership or affiliated by corporate control; or

     (iii)  communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among those persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that the information not be communicated among those persons;

     (b)   any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;

     (c)   any report in which a person, who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer, conveys his decision with respect to that

 request, if the third party advises the consumer of the name and address of the person to whom the request was made, and the person makes the disclosures to the consumer required under 15 U.S.C. s.1681m; or

     (d)   communication excluded from the definition of consumer report pursuant to subsection (o) of section 603 of the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681a.

     "Consumer reporting agency" means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages, in whole or in part, in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility for the purpose of preparing or furnishing consumer reports.

     "Director" means the Director of the Division of Consumer Affairs in the Department of Law and Public Safety.

     "Division" means the Division of Consumer Affairs in the Department of Law and Public Safety.

     "Employment purposes" means, when used in connection with a consumer report, a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.

     "File" means, when used in connection with information on any consumer, all of the information on that consumer recorded and retained by a consumer reporting agency regardless of how the information is stored.

     "Investigative consumer report" means a consumer report or a portion thereof in which information on a consumer's character, general reputation, personal characteristics or mode of living is obtained through personal interviews with neighbors, friends or associates of the consumer who is the subject of the report or with others with whom the consumer is acquainted or who may have knowledge concerning any of those items of information.  However, this information shall not include specific factual information on a consumer's credit record obtained directly from a creditor of the consumer or from a consumer reporting agency when the information was obtained directly from a creditor of the consumer or from the consumer.

     "Medical information" means information or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics, or other medical or medically related facilities.

     "Personal information" means an individual's first name or first initial and last name linked with any one or more of the following data elements:  (1) Social Security number; (2) driver's license number or State identification card number; ¹[or]¹ (3) ¹Individual Taxpayer Identification Number; (4)¹ account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account ¹; and (5) any other data element identified or designated by regulation promulgated by the director¹ .  Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

     Personal information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.

     "Security freeze" means a notice placed in a consumer's consumer report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing the report or any information from it without the express authorization of the consumer, but does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer report.

(cf: P.L.2005, c.226, s.4)

     2.    Section 5 of P.L.1997, c.172 (C.56:11-32) is amended to read as follows:

     5.    a. Every consumer reporting agency shall maintain reasonable procedures designed to limit the furnishing of consumer reports to the purposes listed under section 4 of this act.  These procedures shall require that prospective users of the information identify themselves, certify each purpose for which the information is sought, and certify that the information will be used for no other purpose.  Every consumer reporting agency shall make a reasonable effort to verify the identity of a new prospective user and each use certified by the prospective user prior to furnishing the user a consumer report.  No consumer reporting agency may furnish a consumer report to any person if it has reasonable grounds for believing that the consumer report will not be used for a purpose listed in section 4 of this act.

     b.    Whenever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.

     c.     A consumer reporting agency may not prohibit the user of a consumer report furnished by the agency from disclosing the contents of the report to the consumer, if adverse action against the consumer has been taken by the user based in whole or in part on the report.

     d.    A person may not procure a consumer report for the purpose of reselling the report unless the person discloses to the consumer reporting agency that originally furnishes the report:

     (1)   the identity of the end-user of the report; and

     (2)   each permissible purpose under section 4 of this act for which the report is furnished to the end-user of the report.

     e.     A person who procures a consumer report for the purposes of reselling the report shall:

     (1)   establish and comply with reasonable procedures designed to ensure that the report is resold by the person only for a purpose for which the report may be furnished under section 4 of this act, including procedures designed to ensure that each person to which the report is resold and that resells or provides the report to any other person:

     (a)   identifies to the person from whom the report was purchased each end-user of the resold report;

     (b)   certifies to the person from whom the report was purchased each purpose for which the report will be used; and

     (c)   certifies to the person from whom the report was purchased that the report will be used for no other purpose; and

     (2)   before reselling the report, make reasonable efforts to verify the identifications and certifications made under paragraph (1) of this subsection.

     f.     For the purposes of subsections d. and e. of this section, "report" means the consumer report as furnished by a consumer reporting agency or any information contained in that consumer report.

     g.    Every consumer reporting agency shall, to the extent it is technologically feasible, encrypt the personal information of consumers held by or transferred by the consumer reporting agency.  To the extent it is not technologically feasible to encrypt the information, the consumer reporting agency shall implement and maintain alternative compensating controls consistent with industry standards and the consumer reporting agency's assessment of risk, to protect the security, confidentiality and integrity of the personal information.

     ¹h.   The director may promulgate such rules and regulations as may be necessary to implement the provisions of this act.¹

(cf: P.L.1997, c.172, s.5)

     3.    Section 10 of P.L.1997, c.172 (C.56:11-37) is amended to read as follows:

     10.  a.  Except as provided in subsections b., c., d. [and] , e. and f. of this section, a consumer reporting agency may impose a reasonable charge on a consumer for:

     (1)   making a disclosure to the consumer pursuant to section 7 of this act if the request is the second or subsequent request in a 12-month period of time and is not made pursuant to subsection b. of this section; the charge for this disclosure shall not exceed $8 and shall be indicated to the consumer before making the disclosure;

     (2)   furnishing to a person designated by the consumer pursuant to subsection k. of section 9 of this act a statement, codification, or summary filed or developed under subsection i. or j. of section 9 of this act, after notification of the consumer under subsection f. of section 9 of this act with respect to the reinvestigation; this charge shall not exceed the charge that the agency would impose on each designated recipient for a consumer report and shall be indicated to the consumer before furnishing this information.

     b.    Each consumer reporting agency that maintains a file on a consumer shall make all disclosures required pursuant to section 7 of this act without charge to the consumer if, not later than 60 days after receipt by the consumer of a notification of an adverse action or notification from a debt collection agency affiliated with the consumer reporting agency stating that the consumer's credit rating may be or has been adversely affected, the consumer makes a request under section 7 of this act.

     c.     Upon the request of the consumer, a consumer reporting agency shall make all disclosures required pursuant to section 7 of this act once during any 12-month period without charge to the consumer.

     d.    A consumer reporting agency shall not impose any charge on a consumer for providing any notification required by this act, including but not limited to, the notification required pursuant to subsection k. of section 9 of this act following deletion of information from a consumer's file pursuant to section 9 of this act, or making any disclosure required by this act, except as authorized by subsection a. of this section.

     e.     Upon request of the consumer, a consumer reporting agency shall make all disclosures required pursuant to section 7 of this act once during any 12-month period without charge to that consumer if the consumer certifies in writing that the consumer:

     (1)   is unemployed and intends to apply for employment in the 60-day period beginning on the date on which certification is made;

     (2)   is a recipient of assistance under the Work First New Jersey Program;

     (3)   has reason to believe that the file on the consumer at the agency contains inaccurate information due to fraud; or

     (4)   has been a victim of a violation of  N.J.S.2C:21-1, section 1 of P.L.1983, c.565 (2C:21-2.1) or N.J.S.2C:21-17 and the court has ordered the deletion of those items of information that were the result of the unlawful use of the victim's personal identifying information.

     f.     Upon request of the consumer, a consumer reporting agency shall make all disclosures required pursuant to section 7 of P.L.1997, c.172 (C.56:11-34) ¹[three times during any 12-month period]¹without charge to that consumer if the consumer certifies in writing that the consumer was informed, pursuant to section 12 of P.L.2005, c.226 (C.56:8-163), of a breach of security concerning the consumer's personal information. ¹The consumer reporting agency shall grant up to three such requests during any 12-month period.¹

(cf: P.L.2003, c.184, s.9)

     4.    (New section) If a consumer reporting agency is required to make a disclosure of a breach of security pursuant to section 12 of P.L.2005, c.226 (C.56:8-163), concerning personal information of a consumer held by the consumer reporting agency, the consumer reporting agency shall offer to provide appropriate identity theft prevention and mitigation services at no cost to the consumer for not less than 60 months.  The consumer reporting agency shall notify the consumer of this offer along with the disclosure required pursuant to section 12 of P.L.2005, c.226 (C.56:8-163). A consumer reporting agency shall not place any further conditions on the consumer, or otherwise require the consumer to waive any of the consumer's rights, by the consumer accepting the offer. ¹The director may promulgate such rules and regulations as may be necessary to implement the provisions of this section.¹

     5.    This act shall take effect on the first day of the seventh month after enactment.