Bill Text: OR SB574 | 2013 | Regular Session | Enrolled
Bill Title: Relating to security freezes on protected consumers' consumer reports; and declaring an emergency.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Passed) 2013-06-21 - Effective date, June 13, 2013. [SB574 Detail]
77th OREGON LEGISLATIVE ASSEMBLY--2013 Regular Session Enrolled Senate Bill 574 Sponsored by Senator PROZANSKI CHAPTER ................ AN ACT Relating to security freezes on protected consumers' consumer reports; creating new provisions; amending ORS 646A.602, 646A.606, 646A.608, 646A.610, 646A.612 and 646A.614; and declaring an emergency. Be It Enacted by the People of the State of Oregon: SECTION 1. ORS 646A.602 is amended to read: 646A.602. As used in ORS 646A.600 to 646A.628: (1)(a) 'Breach of security' means { + an + } unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information { - maintained by the - } { + that a + } person { + maintains + }. (b) 'Breach of security' does not include { - good-faith - } { + an inadvertent + } acquisition of personal information by a person or { - that - } { + the + } person's employee or agent { - for a legitimate purpose of that person - } if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information. (2) 'Consumer' means an individual { - who is also a - } resident of this state. (3) 'Consumer report' means a consumer report as described in section 603(d) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)), as that Act existed on October 1, 2007, that { - is compiled and maintained by - } a consumer reporting agency { + compiles and maintains + }. (4) 'Consumer reporting agency' means a consumer reporting agency as described in section 603(p) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(p)) as that Act existed on October 1, 2007. (5) 'Debt' means any obligation or alleged obligation arising out of a consumer transaction, as defined in ORS 646.639. 
(6) 'Encryption' means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. (7) 'Extension of credit' means { - the - } { + a + } right to defer { - payment of - } { + paying + } debt or { + a right + } to incur debt and defer { - its payment - } { + paying the debt, Enrolled Senate Bill 574 (SB 574-A) Page 1 that is + } offered or granted primarily for personal, family or household purposes. (8) 'Identity theft' has the meaning set forth in ORS 165.800. (9) 'Identity theft declaration' means a completed and signed statement { - documenting - } { + that documents + } alleged identity theft, using the form available from the Federal Trade Commission, or another substantially similar form. (10) 'Person' means any individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109. (11) 'Personal information': (a) Means a consumer's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired: (A) Social Security number; (B) Driver license number or state identification card number issued by the Department of Transportation; (C) Passport number or other United States issued identification number; or (D) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account. 
(b) Means any of the data elements or any combination of the data elements described in paragraph (a) of this subsection when not combined with the consumer's first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised. (c) Does not include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public. { + (12) 'Proper identification' means written information or documentation that a consumer or representative can present to another person as evidence of the consumer's or representative's identity, examples of which include: (a) A valid Social Security number or a copy of a valid Social Security card; (b) A certified or otherwise official copy of a birth certificate that a governmental body issued; and (c) A copy of a driver license or other government-issued identification. (13) 'Protected consumer' means an individual who is: (a) Not older than 16 years old at the time a representative requests a security freeze on the individual's behalf; or (b) Incapacitated or for whom a court or other authority has appointed a guardian or conservator. (14) 'Protective record' means information that a consumer reporting agency compiles to identify a protected consumer for whom the consumer reporting agency has not prepared a consumer report. + } { - (12) - } { + (15) + } 'Redacted' means altered or truncated so that no more than the last four digits of a Social Security number, driver license number, state identification card number, account number or credit or debit card number is accessible as part of the data. 
{ + (16) 'Representative' means a consumer who provides a consumer reporting agency with sufficient proof of the consumer's authority to act on a protected consumer's behalf. + } { - (13) - } { + (17) + } 'Security freeze' means a notice placed in a consumer report { - , at the request of a consumer and subject to certain exemptions, that prohibits the consumer reporting agency from releasing the consumer report for the extension of credit unless the consumer has temporarily lifted or removed the freeze - } { + at a consumer's request or a representative's request or in a protective record at a representative's request that, subject to certain exemptions, prohibits a consumer reporting agency from releasing information in the consumer report or the protective record for an extension of credit, unless the consumer temporarily lifts the security freeze on the consumer's consumer report or a protected consumer or representative removes the security freeze on or deletes the protective record + }. SECTION 2. ORS 646A.606 is amended to read: 646A.606. (1) A consumer may elect to place a security freeze on the consumer's { + consumer report or, if the consumer is a representative, on a protected consumer's + } consumer report { + or protective record + } by sending a written request to a consumer reporting agency at an address { - designated by - } the agency { + designates + } to receive such requests, or a secure electronic request at a website { - designated by - } the agency { + designates + } to receive such requests if { - such method is made available by - } the consumer reporting agency { + , + } at the agency's discretion { + , makes a secure electronic method available + }. 
(2) If the consumer { + or protected consumer + } is the victim of identity theft or has reported { + a theft of personal information + } to a law enforcement agency { - the theft of personal information - } , the consumer { + or representative + } may include a copy of the police report, incident report or identity theft declaration. (3) { + (a) + } The consumer { + or representative + } must provide proper identification and any fee authorized by ORS 646A.610. { + (b)(A) In addition to the information and fee described in paragraph (a) of this subsection, a representative who seeks to place a security freeze on a protected consumer's consumer report or protective record shall provide sufficient proof of the representative's authority to act on the protected consumer's behalf. (B) For purposes of subparagraph (A) of this paragraph, sufficient proof of authority consists of: (i) A court order that identifies or describes the relationship between the representative and the protected consumer; (ii) A valid and lawfully executed power of attorney that permits the representative to act on the protected consumer's behalf; or (iii) A written affidavit that the representative signs and has notarized in which the representative expressly describes the relationship between the representative and the protected consumer and the representative's authority to act on the protected consumer's behalf. + } (4) { + (a) + } Except as provided in ORS 646A.614, if a security freeze is in place { + for a consumer report + }, information from { - a - } { + the + } consumer report may not be released without prior express authorization from the consumer. { + (b) Information from a protective record may not be released until the protected consumer for whom the consumer reporting agency created the protective record, or a representative of the protected consumer, removes the security freeze. 
+ } (5) This section does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer report { + or protective record + }. SECTION 3. ORS 646A.608 is amended to read: 646A.608. (1) { + (a) + } A consumer reporting agency shall place a security freeze on a consumer report { - no - } { + not + } later than five business days after receiving from { - the - } { + a + } consumer: { - (a) - } { + (A) + } The request described in ORS 646A.606 (1); { - (b) - } { + (B) + } Proper identification; and { - (c) - } { + (C) + } A fee, if applicable. { + (b) If a consumer report does not exist for a protected consumer on behalf of whom a representative seeks to place a security freeze, a consumer reporting agency shall create a protective record after receiving from the representative the request described in ORS 646A.606 (1), proper identification for both the representative and the protected consumer and sufficient proof of authority, as described in ORS 646A.606 (3)(b). After creating a protective record for a protected consumer under this paragraph, the consumer reporting agency shall place the security freeze that the representative requested on the protected consumer's protective record. (c) The protective record that the consumer reporting agency creates under paragraph (b) of this subsection does not need to contain any information other than the protected consumer's personal information, if other information for the protected consumer is not available. Except as provided in ORS 646A.614, a consumer reporting agency may not use or release to another person the information in a protective record for the purpose of assessing a protected consumer's eligibility or capacity for an extension of credit, as a basis for evaluating a protected consumer's character, reputation or personal characteristics or for other purposes that are not related to protecting the protected consumer from identity theft. 
+ } (2) { + (a) + } The consumer reporting agency shall send a written confirmation of { - the - } { + a + } security freeze { + on a consumer's consumer report + } to the consumer { - , to - } { + at + } the last known address for the consumer { - as contained - } { + shown + } in the consumer report { - maintained by - } { + that + } the consumer reporting agency { + maintains + }, within 10 business days after placing the { + security + } freeze and, with the confirmation, shall provide the consumer with a unique personal identification number or password or similar device { - to be used by - } the consumer { - when providing authorization for release of - } { + must use to authorize the consumer reporting agency to release + } the consumer's consumer report for a specific period of time or { - for permanently removing - } { + to permanently remove + } the security freeze. The consumer reporting agency shall { - also - } include with { - such - } { + the + } written confirmation information { - regarding the process of lifting a - } { + that describes how to remove a security + } freeze { - , - } and { - the process of temporarily lifting a - } { + how to temporarily lift a security + } freeze { - for allowing - } { + on a consumer report, other than a consumer report for a protected consumer, in order to allow + } access to information from the consumer's { - credit - } { + consumer + } report for a period of time while the { + security + } freeze is in place. { + (b) This subsection does not require a consumer reporting agency to provide a consumer or representative with a personal identification number or password for the consumer or representative to use to authorize the consumer reporting agency to release information from a protective record. 
+ } (3) { + (a) + } If a consumer wishes to allow the consumer's consumer report to be accessed for a specific period of time while a { + security + } freeze is in effect, the consumer shall contact the consumer reporting agency using a point of contact { - designated by - } the consumer reporting agency { + designates + }, request that the { + security + } freeze be temporarily lifted and provide the following: { - (a) - } { + (A) + } Proper identification; { - (b) - } { + (B) + } The unique personal identification number or password or similar device { - provided by - } the consumer reporting agency { - pursuant to - } { + provided under + } subsection (2) of this section; { - (c) - } { + (C) + } { - The information regarding the time period for which the consumer report shall - } { + An indication of the period of time during which the consumer report must + } be available to users of the { - credit - } { + consumer + } report; and { - (d) - } { + (D) + } A fee, if applicable. { + (b) A protective record is not subject to a temporary lift of a security freeze. (c) Except as provided in ORS 646A.612 (2)(a), a consumer report for a protected consumer is not subject to a temporary lift of a security freeze. 
+ } (4) A consumer reporting agency that receives a request from the consumer to temporarily lift a { + security + } freeze on a { - credit - } { + consumer + } report { + , other than a consumer report for a protected consumer, + } { - pursuant to - } { + under + } subsection (3) of this section shall comply with the request { - no - } { + not + } later than three business days after receiving from the consumer: (a) Proper identification; (b) The unique personal identification number or password or similar device { - provided by - } the consumer reporting agency { - pursuant to - } { + provided under + } subsection (2) of this section; (c) { - The information regarding the time period for which the consumer report shall - } { + An indication of the period of time during which the consumer report must + } be available { + to users of the consumer report + }; and (d) A fee, if applicable. (5) { + (a) + } A security freeze { - shall - } { + for a consumer report must + } remain in place until the consumer requests, using a point of contact { - designated by - } the consumer reporting agency { + designates + }, that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days { - of - } { + after + } receiving a request for removal from the consumer, who provides: { - (a) - } { + (A) + } Proper identification; { - (b) - } { + (B) + } The unique personal identification number or password or similar device { - provided by - } the consumer reporting agency { - pursuant to - } { + provided under + } subsection (2) of this section; and { - (c) - } { + (C) + } A fee, if applicable. { + (b) A security freeze for a protective record must remain in place until the protected consumer or a representative requests, using a point of contact the consumer reporting agency designates, that the security freeze be removed or that the protective record be deleted. 
The consumer reporting agency does not have an affirmative duty to notify the protected consumer or the representative that a security freeze is in place or to remove the security freeze or delete the protective record once the protected consumer is no longer a protected consumer. A protected consumer or a representative has the affirmative duty to request that the consumer reporting agency remove the security freeze or delete the protective record. A consumer reporting agency shall remove a security freeze or delete a protective record within 30 business days after receiving a request for removal or deletion from the protected consumer or a representative, who provides: (A) Proper identification; (B) Sufficient proof of authority, as described in ORS 646A.606 (3)(b), if the representative seeks to remove the security freeze or delete the protective record; (C) Proof that the representative's authority to act on the protected consumer's behalf is no longer valid or applicable, if the protected consumer seeks to remove the security freeze or delete the protective record; and (D) A fee, if applicable. + } { - (6) No later than December 31, 2008, the Director of the Department of Consumer and Business Services shall report to the chairs of the legislative committees that considered ORS 646A.600 to 646A.628 concerning the minimum amount of time necessary, using current technology, to place, temporarily lift or remove a freeze on a consumer report, and to verify a consumer's identity. If the chair of any legislative committee is vacant at the time of making the report, the report shall also be made to the President of the Senate and the Speaker of the House of Representatives. - } SECTION 4. ORS 646A.610 is amended to read: 646A.610. 
(1) A consumer reporting agency may not charge a fee to a consumer { + or a protected consumer + } who is the victim of identity theft or { + to a consumer + } who has reported { + or a protected consumer for whom a representative has reported + } to a law enforcement agency the theft of personal information, provided the consumer { + or the representative + } has submitted to the consumer reporting agency a copy of a valid police report, incident report or identity theft declaration. (2) { + (a) + } A consumer reporting agency may charge a reasonable fee of { - no - } { + not + } more than $10 to a consumer, other than a consumer described in subsection (1) of this section, for each { + placement of a security + } freeze, temporary lift of the { + security + } freeze, removal of the { + security + } freeze or replacing a lost personal identification number or password previously provided to the consumer { - , regarding access to a consumer credit report - } . { + (b)(A) Except as provided in subsection (1) of this section and in subparagraph (B) of this paragraph, a consumer reporting agency may charge a reasonable fee of not more than $10 to place or remove a security freeze for a protected consumer's consumer report or protective record or to create or delete a protective record for a protected consumer. (B) A consumer reporting agency may not charge a fee to place or remove a security freeze on an existing consumer report or protective record for a protected consumer who is under 16 years of age at the time a representative requests the consumer reporting agency to place or remove the security freeze. + } SECTION 5. ORS 646A.612 is amended to read: 646A.612. 
{ + (1)(a) + } A consumer reporting agency shall temporarily lift or remove a { + security + } freeze placed on a { - consumer's credit report only in the following cases: - } { + consumer report only if a consumer requests that the consumer reporting agency lift or remove the security freeze for the consumer report in accordance with ORS 646A.608. (b) A consumer reporting agency shall remove a security freeze from a protected consumer's consumer report or protective record or delete a protective record only if the protected consumer or a representative requests that the consumer reporting agency remove the security freeze from the consumer report or protective record or delete the protective record in accordance with ORS 646A.608. (2)(a) A consumer reporting agency may temporarily lift or remove a security freeze placed on a consumer report if the security freeze was placed because of a consumer's, a protected consumer's or a representative's material misrepresentation of fact. (b) A consumer reporting agency may remove a security freeze from or delete a protective record if the consumer reporting agency placed the security freeze or created the protective record as a result of the protected consumer's or the representative's material misrepresentation of fact. (c) If a consumer reporting agency intends to remove a security freeze or delete a protective record under this subsection, the consumer reporting agency shall notify the consumer, protected consumer or representative, as appropriate, in writing at least five business days before removing the security freeze or deleting the protective record. + } { - (1) Upon the consumer's request, pursuant to ORS 646A.608 (3) or (5). - } { - (2) If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer, the consumer reporting agency may remove the security freeze. 
If a consumer reporting agency intends to remove a freeze upon a consumer's credit report pursuant to this subsection, the consumer reporting agency shall notify the consumer in writing at least five business days prior to removing the freeze placed on the consumer report. - } SECTION 6. ORS 646A.614 is amended to read: 646A.614. { + (1) + } The provisions of ORS 646A.606 to 646A.610 do not apply to the use of a consumer report { + or a protective record + } by or for any of the following: { - (1) - } { + (a) + } A person, or the person's subsidiary, affiliate, agent or assignee with which the consumer { + or protected consumer + } has or, prior to assignment, had an account, contract or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract or debtor-creditor relationship. For purposes of this subsection, 'reviewing the account' includes activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements { - ; - } { + . + } { - (2) - } { + (b) + } Any person acting pursuant to a judgment, court order, warrant or subpoena { - ; - } { + . 
+ } { - (3) - } { + (c) + } A federal, state or local governmental entity, { - including - } a law enforcement agency or court, or { - their agents or assignees, acting to investigate - } { + an agent or assignee of the federal, state or local governmental entity, law enforcement agency or court, for the purpose of investigating + } fraud or { - acting to investigate or collect - } { + investigating or collecting + } delinquent taxes { + , + } { - or - } unpaid judgments or court orders or { + acting otherwise + } to fulfill { - their - } statutory or regulatory duties { + , + } { - provided such responsibilities - } { + if the activities or statutory or regulatory duties + } are consistent with a permissible purpose under section 604 of the federal Fair Credit Reporting Act (15 U.S.C. 1681b) as that Act existed on October 1, 2007 { - ; - } { + . + } { - (4) - } { + (d) + } The use of credit information for the purposes of prescreening { - as provided by - } { + in accordance with + } the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) as that Act existed on October 1, 2007 { - ; - } { + . + } { - (5) - } { + (e) + } Any person for the sole purpose of providing a credit file monitoring subscription service, or similar service to which the consumer { + or protected consumer + } has subscribed { + or to which a representative has subscribed on behalf of the protected consumer + } { - ; - } { + . + } { - (6) - } { + (f) + } A consumer reporting agency for the sole purpose of providing a consumer { + , a protected consumer or a representative + } with a copy of the consumer's { + or protected consumer's + } consumer report upon the consumer's { + , protected consumer's or representative's + } request { - ; - } { + . 
+ } { - (7) - } { + (g) + } Any person or entity for the { - use - } { + purpose + } of setting or adjusting rates, for { + handling + } claims { - handling - } or underwriting for insurance purposes, to the extent permitted by law { - ; - } { + . + } { - (8) - } { + (h) + } A subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under ORS 646A.608 (3) for purposes of facilitating the extension of credit or other permissible use { - ; - } { + . + } { - (9) - } { + (i) + } A child support agency acting pursuant to Title IV-D of the Social Security Act (42 U.S.C. 651 et seq.) as that Act existed on October 1, 2007 { - ; and - } { + . + } { - (10) - } { + (j) + } A person for the sole purpose of screening an applicant for a residential dwelling unit as described in ORS 90.295 (1). { + (2) The provisions of ORS 646A.606 to 646A.610 do not apply to a protective record used: (a) By an entity listed in ORS 646A.618 (2); or (b) For purposes other than an extension of credit, including: (A) Compiling a criminal record; (B) Detecting or preventing fraud; (C) Compiling a personal loss history; or (D) Screening an applicant for employment, tenancy or other background checking purposes. + } SECTION 7. { + (1) The amendments to ORS 646A.602, 646A.606, 646A.608, 646A.610, 646A.612 and 646A.614 by sections 1 to 6 of this 2013 Act become operative 91 days after the effective date of this 2013 Act. (2) The Director of the Department of Consumer and Business Services may take any action before the operative date specified in subsection (1) of this section that is necessary to enable the director to exercise, on and after the operative date specified in subsection (1) of this section, all of the duties, functions and powers conferred on the director by the amendments to ORS 646A.602, 646A.606, 646A.608, 646A.610, 646A.612 and 646A.614 by sections 1 to 6 of this 2013 Act. + } SECTION 8. 
{ + This 2013 Act being necessary for the immediate preservation of the public peace, health and safety, an emergency is declared to exist, and this 2013 Act takes effect on its passage. + }

----------

Passed by Senate April 24, 2013
Robert Taylor, Secretary of Senate
Peter Courtney, President of Senate

Passed by House June 3, 2013
Tina Kotek, Speaker of House

Received by Governor: ......M.,............., 2013
Approved: ......M.,............., 2013
John Kitzhaber, Governor

Filed in Office of Secretary of State: ......M.,............., 2013
Kate Brown, Secretary of State