H. B. 2263
(By Delegates Brown, Caputo, Marshall, Rowan and Mahan)
[Introduced January 16, 2007; referred to the
Committee on the Judiciary.]
A BILL to amend the Code of West Virginia, 1931, as amended, by
adding thereto a new article, designated §46A-2A-101,
§46A-2A-102, §46A-2A-103, §46A-2A-104, §46A-2A-105,
§46A-2A-106, §46A-2A-107, §46A-2A-108, §46A-2A-109 and
§46A-2A-110, all relating to consumer protection generally;
ensuring clean credit information and identity theft
protection; defining certain terms; providing a security
freeze procedure; providing protection for credit header
information; establishing a right to file a police report on
identity theft; declaration of innocence for crimes committed
by identity thieves; consumer credit monitoring; security
breaches; protection of social security numbers; prohibiting
credit scoring and insurance scoring for use in insurance
decisions; requiring adequate destruction of certain personal
records; and providing for fines, criminal penalties and civil actions for violations.
Be it enacted by the Legislature of West Virginia:
That the Code of West Virginia, 1931, as amended, be amended
by adding thereto a new article, designated §46A-2A-101,
§46A-2A-102, §46A-2A-103, §46A-2A-104, §46A-2A-105, §46A-2A-106,
§46A-2A-107, §46A-2A-108, §46A-2A-109 and §46A-2A-110, all
ARTICLE 2A. CLEAN CREDIT AND IDENTITY THEFT PROTECTION.
For the purposes of this article, the following terms shall
have the following meanings:
(1) "Person" means any individual, partnership, corporation,
trust, estate, cooperative, association, government or governmental
subdivision or agency, or other entity.
(2) "Consumer" means an individual.
(3) "Consumer reporting agency" means any person which, for
monetary fees, dues, or on a cooperative nonprofit basis, regularly
engages, in whole or in part, in the practice of assembling or
evaluating consumer credit information or other information on
consumers for the purpose of furnishing consumer reports to third
(4) "Consumer report" or "credit report" means any written,
oral, or other communication of any information by a consumer
reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be
used or collected, in whole or in part, for the purpose of serving
as a factor in establishing the consumer's eligibility for:
(a) Credit or insurance to be used primarily for personal,
family, or household purposes, except that nothing in this article
authorizes the use of credit evaluations, credit scoring or
insurance scoring in the underwriting of personal lines of property
or casualty insurance;
(b) Employment purposes; or
(c) Any other purpose authorized under section 15 U.S.C.
(5) "Credit card" has the same meaning as in section 103 of
the Federal Truth in Lending Act.
(6) "Credit header information" means written, oral, or other
communication of any information by a consumer reporting agency
regarding the social security number of the consumer, or any
derivative thereof, and any other personally identifiable
information of the consumer that is derived using any nonpublic
personal information, except the name, address, and telephone
number of the consumer if all are listed in a residential telephone
directory available in the locality of the consumer.
(7) "Credit history" means any written, oral, or other
communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, or
credit capacity that is used or expected to be used, or collected,
in whole or in part, for the purpose of determining personal lines
insurance premiums or eligibility for coverage.
(8) "Debit card" means any card or device issued by a
financial institution to a consumer for use in initiating an
electronic fund transfer from the account holding assets of the
consumer at the financial institution, for the purpose of
transferring money between accounts or obtaining money, property,
labor, or services.
§46A-2A-102. Security freeze.
(a) For the purposes of this section, the following terms have
the following meanings:
(1) "Security freeze" means a notice, at the request of the
consumer and subject to certain exceptions, that prohibits the
consumer reporting agency from releasing all or any part of the
consumer's credit report or any information derived from it without
the express authorization of the consumer. If a security freeze is
in place, a report or information may not be released to a third
party without prior express authorization from the consumer. This
subdivision does not prevent a consumer reporting agency from
advising a third party that a security freeze is in effect with
respect to the consumer's credit report.
(2)"Reviewing the account" or "account review" includes activities related to account maintenance, monitoring, credit line
increases, and account upgrades and enhancements.
(b) A consumer may elect to place a security freeze on his or
her credit under the provisions of this article.
(1) A consumer may elect to place a "security freeze" on his
or her credit report by:
(A) Making a request by certified or overnight mail,
(B) Making a request by telephone by providing certain
personal identification, or
(C) Making a request directly to the consumer reporting agency
through a secure electronic mail connection if the secure
connection is made available by the agency. Credit reporting
agencies shall make a secure electronic mail method of requesting
a security freeze available within one hundred eighty days of the
effective date of this article.
(2) A consumer reporting agency shall place a security freeze
on a consumer's credit report no later than five business days
after receiving a written or telephone request from the consumer or
three business days after receiving a secure electronic mail
request. Within one year of the effective date of this article, a
consumer reporting agency shall place a security freeze on a
consumer's credit report no later than three business days after
receiving a written or telephone request from the consumer or one
business day after receiving a secure electronic mail request. Within two years of the effective date of this article, a consumer
reporting agency shall place a security freeze on a consumer's
credit reporting agency no later than one business day after
receiving a written or telephone request.
(3) The consumer reporting agency shall send a written
confirmation of the security freeze to the consumer within five
business days of placing the freeze and at the same time shall
provide the consumer with a unique personal identification number
or password to be used by the consumer when providing authorization
for the release of his or her credit for a specific party or period
of time, or when permanently lifting the freeze. Within one year
of the effective date of this article, the consumer reporting
agency shall send a written confirmation and unique personal
identification number of password to the consumer no later than one
business day after placing the freeze.
(4) If the consumer wishes to allow his or her credit report
to be accessed for a specific party or period of time while a
freeze is in place, he or she shall contact the consumer reporting
agency via telephone, certified mail, overnight mail, or secure
electronic mail, with a request that the freeze be temporarily
lifted, and provide the following:
(A) Proper identification;
(B) The unique personal identification number or password
provided by the consumer reporting agency; and
(C) The proper information regarding the third party who is to
receive the credit report or the time period for which the report
shall be available to users of the credit report.
(5) A consumer reporting agency that receives a request from
a consumer to temporarily lift a freeze on a credit report pursuant
to subdivision (4) of paragraph (B) shall comply with the request
no later than three business days after receiving the request.
Within one year of the effective date this article, a consumer
reporting agency shall honor a request no later than one business
day after receiving the request. Within two years of the effective
date of this article, a consumer reporting agency shall honor a
request made by electronic mail or by telephone within fifteen
minutes of receiving the request.
(6) A consumer reporting agency shall develop procedures
involving the use of telephone, fax, or, upon the consent of the
consumer in the manner required by the Electronic Signatures in
Global and National Commerce Act for legally required notices, by
the Internet, e-mail, or other electronic media to receive and
process a request from a consumer to temporarily lift a freeze on
a credit report pursuant to subdivision (4), subsection (b) of this
section in an expedited manner.
(7) A consumer reporting agency shall remove or temporarily
lift a freeze placed on a consumer's credit report only in the
(A) Upon consumer request, pursuant to subdivision (4) or
subdivision (10) of this subsection);
(B) If the consumer's credit report was frozen due to a
material misrepresentation of fact by the consumer. If a consumer
reporting agency intends to remove a freeze upon a consumer's
credit report pursuant to this paragraph, the consumer reporting
agency shall notify the consumer in writing five business days
prior to removing the freeze on the consumer's credit report.
(8) If a third party requests access to a consumer credit
report on which a security freeze is in effect, and this request is
in connection with an application for credit or any other use, and
the consumer does not allow his or her credit report to be accessed
for that specific party or period of time, the third party may
treat the application as incomplete.
(9) If a third party requests access to a consumer credit
report on which a security freeze is in effect for the purpose of
receiving, extending, or otherwise utilizing the credit therein,
and not for the sole purpose of account review, the consumer credit
report agency must notify the consumer that an attempt has been
made to access the credit report.
(10) A security freeze shall remain in place until the
consumer requests that the security freeze be removed. A consumer
reporting agency shall remove a security freeze within three
business days of receiving a request for removal from the consumer, who provides both of the following:
(A) Proper identification, and
(B) The unique personal identification number or password
provided by the consumer reporting agency pursuant to subdivision
(3) of subsection (b). Not later than one year after the effective
date of this article, a consumer reporting agency shall remove a
security freeze within one business day after receiving a request.
(11) A consumer reporting agency shall require proper
identification of the person making a request to place or remove a
(12)A consumer reporting agency may not suggest or otherwise
state or imply to a third party that the consumer's security freeze
reflects a negative credit score, history, report or rating.
(13)The provisions of this section do not apply to the use of
a consumer credit report by any of the following:
(A) A person, or the person's subsidiary, affiliate, agent, or
assignee with which the consumer has or, prior to assignment, had
an account, contract, or debtor-creditor relationship for the
purposes of reviewing the account or collecting the financial
obligation owing for the account, contract, or debt.
(B) A subsidiary, affiliate, agent, assignee, or prospective
assignee of a person to whom access has been granted under
subdivision (4) of subsection (b) for purposes of facilitating the
extension of credit or other permissible use.
(C) Any person acting pursuant to a court order, warrant, or
(D) A state or local agency which administers a program for
establishing and enforcing child support obligations.
(E) The State Health Department or its agents or assigns
acting to investigate fraud.
(F) The Department of Revenue or its agents or assigns acting
to investigate or collect delinquent taxes or unpaid court orders
or to fulfill any of its other statutory responsibilities.
(G) A person for the purposes of prescreening as defined by
the Federal Fair Credit Reporting Act.
(H) Any person or entity administering a credit file
monitoring subscription service to which the consumer has
(I) Any person or entity for the purpose of providing a
consumer with a copy of his or her credit report upon the
(14)A consumer may not be charged for any security freeze
services, including, but not limited to, the placement or lifting
of a security freeze. A consumer, however, may be charged no more
than five dollars only if the consumer fails to retain the original
personal identification number provided by the agency, the consumer
may not be charged for a one-time reissue of the same or a new
personal identification number; however, the consumer may be charged no more than five dollars for subsequent instances of loss
of the personal identification number.
(c) At any time that a consumer is required to receive a
summary of rights required under Section 609 of the Federal Fair
Credit Reporting Act or under this code, the following notice shall
be included: "West Virginia Consumers Have the Right to Obtain a
"You may obtain a security freeze on your credit report at no
charge to protect your privacy and ensure that credit is not
granted in your name without your knowledge. You have a right to
place a 'security freeze' on your credit report.
The security freeze will prohibit a consumer reporting agency
from releasing any information in your credit report without your
express authorization or approval.
The security freeze is designed to prevent credit, loans, and
services from being approved in your name without your consent.
When you place a security freeze on your credit report, within five
business days, no later than one business day you will be provided
a personal identification number or password to use if you choose
to remove the freeze on your credit report or to temporarily
authorize the release of your credit report for a specific party,
parties or period of time after the freeze is in place. To provide
that authorization, you must contact the consumer reporting agency
and provide all of the following:
(1) The unique personal identification number or password
provided by the consumer reporting agency.
(2) Proper identification to verify your identity.
(3) The proper information regarding the third party or
parties who are to receive the credit report or the period of time
for which the report shall be available to users of the credit
A consumer reporting agency that receives a request from a
consumer to lift temporarily a freeze on a credit report shall
comply with the request no later than three business days after
receiving the request, the consumer reporting agency must
temporarily lift the freeze within fifteen minutes of receiving the
A security freeze does not apply to circumstances where you
have an existing account relationship and a copy of your report is
requested by your existing creditor or its agents or affiliates for
certain types of account review, collection, fraud control or
If you are actively seeking a new credit, loan, utility,
telephone, or insurance account, you should understand that the
procedures involved in lifting a security freeze may slow your own
applications for credit. You should plan ahead and lift a freeze
either completely if you are shopping around, or specifically for
a certain creditor with enough advance notice before you apply for new credit for the lifting to take effect.
You should lift the freeze at least three business days before
applying. Effective the first day of July, two thousand seven, you
should lift the freeze at least one business day before applying;
and effective the first day of July, two thousand eight, you should
lift the freeze at least fifteen minutes before applying for a new
You have a right to bring a civil action against someone who
violates your rights under the credit reporting laws. The action
can be brought against a consumer reporting agency or a user of
your credit report.
(d) If a consumer reporting agency erroneously, whether by
accident or design, violates the security freeze by releasing
credit information that has been placed under a security freeze,
the affected consumer is entitled to:
(1) Notification within five business days of the release of
the information, including specificity as to the information
released and the third party recipient of the information.
(2) File a complaint with the Federal Trade Commission and the
state Attorney General.
(3) In a civil action against the consumer reporting agency
(A) Injunctive relief to prevent or restrain further violation
of the security freeze, and/or
(B) A civil penalty in an amount not to exceed ten thousand
dollars for each violation plus any damages available under other
civil laws, and
(C) Reasonable expenses, court costs, investigative costs, and
Each violation of the security freeze shall be counted as a
separate incident for purposes of imposing penalties under this
§46A-2A-103. Protection for credit header information.
A consumer reporting agency may furnish information from a
consumer's credit header only to those who have a permissible
purpose to obtain the consumer's consumer report, under Section 604
of the Federal Fair Credit Reporting Act, as codified at 15 U.S.C.
1681(b), and that permissible purpose applies to the request for
the credit header information.
§46A-2A-104. Right to file a police report regarding identity
(a) A person who has learned or reasonably suspects that he or
she has been the victim of identity theft may contact the local
law-enforcement agency that has jurisdiction over his or her actual
residence, which shall take a police report of the matter, and
provide the complainant with a copy of that report.
Notwithstanding the fact that jurisdiction may lie elsewhere for
investigation and prosecution of a crime of identity theft, the local law-enforcement agency shall take the complaint and provide
the complainant with a copy of the complaint and may refer the
complaint to a law-enforcement agency in that different
(b) Nothing in this section interferes with the discretion of
a local police department to allocate resources for investigations
of crimes. A complaint filed under this section is not required to
be counted as an open case for purposes of compiling open case
§46A-2A-105. Factual declaration of innocence after identity
(a) A person who reasonably believes that he or she is the
victim of identity theft may petition the circuit court having
jurisdiction over the person's residence, or the circuit court, on
its own motion or upon application of the prosecuting attorney, may
move for an expedited judicial determination of his or her factual
innocence, where the perpetrator of the identity theft was arrested
for, cited for, or convicted of a crime under the victim's
identity, or where a criminal complaint has been filed against the
perpetrator in the victim's name, or where the victim's identity
has been mistakenly associated with a record of criminal
conviction. Any judicial determination of factual innocence made
pursuant to this section may be heard and determined upon
declarations, affidavits, police reports, or other material, relevant, and reliable information submitted by the parties or
ordered to be part of the record by the court. Where the court
determines that the petition or motion is meritorious and that
there is no reasonable cause to believe that the victim committed
the offense for which the perpetrator of the identity theft was
arrested, cited, convicted, or subject to a criminal complaint in
the victim's name, or that the victim's identity has been
mistakenly associated with a record of criminal conviction, the
court shall find the victim factually innocent of that offense. If
the victim is found factually innocent, the court shall issue an
order certifying this determination.
(b) After a circuit court has issued a determination of
factual innocence pursuant to this section, the court may order the
name and associated personal identifying information contained in
court records, files, and indexes accessible by the public deleted,
sealed, or labeled to show that the data is impersonated and does
not reflect the defendant's identity.
(c) Upon making a determination of factual innocence, the
circuit court must provide the consumer written documentation of
(d) A circuit court that has issued a determination of factual
innocence pursuant to this section may at any time vacate that
determination if the petition, or any information submitted in
support of the petition, is found to contain any material misrepresentation or fraud.
(e) The Supreme Court shall develop a form for use in issuing
an order pursuant to this section.
(f) The Attorney General shall establish and maintain a data
base of individuals who have been victims of identity theft and
that have received determinations of factual innocence. The
Attorney General shall provide a victim of identity theft or his or
her authorized representative access to the data base in order to
establish that the individual has been a victim of identity theft.
Access to the data base shall be limited to criminal justice
agencies, victims of identity theft, and individuals and agencies
authorized by the victims.
(g) The Attorney General shall establish and maintain a toll
free number to provide access to information under subdivision (f)
of this section.
(h) In order for a victim of identity theft to be included in
the data base established pursuant to subsection (f) of this
section, he or she shall submit to the Attorney General a court
order obtained pursuant to any provision of law, a full set of
fingerprints, and any other information prescribed by the Attorney
(i) Upon receiving information pursuant to subsection (h) of
this section, the Attorney General shall verify the identity of
the victim against any driver's license or other identification record maintained by the Department of Motor Vehicles.
(j) This section is effective on the first day of January, two
§46A-2A-106. Credit monitoring.
(a) Every consumer credit reporting agency shall, upon request
from a consumer that is not covered by the free disclosures
provided in 15 U.S.C. 1681j subsections (a) through (d), clearly
and accurately disclose to the consumer:
(1) All information in the consumer's file at the time of the
request, except that nothing in this paragraph shall be construed
to require a consumer reporting agency to disclose to a consumer
any information concerning credit scores or other risk scores or
predictors that are governed by 15 U.S.C. 1681g (f).
(2) The sources of the information.
(3) Identification of each person (including each end-user
identified under 15 U.S.C. 1681e) that procured a consumer report:
(A) For employment purposes, during the two-year period
preceding the date on which the request is made; or
(B) For any other purpose, during the one-year period
preceding the date on which the request is made.
(4) An identification of a person under subdivision (3) of
this subsection shall include:
(A) The name of the person or, if applicable, the trade name
(written in full) under which the person conducts business; and
(B) Upon request of the consumer, the address and telephone
number of the person.
(5) Subdivision (3) of this subsection does not apply if:
(A) The end user is an agency or department of the United
States Government that procures the report from the person for
purposes of determining the eligibility of the consumer to whom the
report relates to receive access or continued access to classified
information (as defined in section 15 U.S.C. 1681b (b)(4)(E)(i));
(B) The head of the agency or department makes a written
finding as prescribed under section 15 U.S.C. 1681b (b)(4)(A).
(6) The dates, original payees, and amounts of any checks upon
which is based any adverse characterization of the consumer,
included in the file at the time of the disclosure or which can be
inferred from the file.
(7) A record of all inquiries received by the agency during
the one-year period preceding the request that identified the
consumer in connection with a credit or insurance transaction that
was not initiated by the consumer.
(8) If the consumer requests the credit file and not the
credit score, a statement that the consumer may request and obtain
a credit score.
(b) In the case of a request under subsection (a), a consumer
reporting agency may impose a reasonable charge on a consumer for making a report pursuant to this section, which charge:
(1) Shall not exceed two dollars for each of the first twelve
requests from the consumer in a calendar year;
(2) Shall not exceed eight dollars for any additional request
beyond the initial twelve requests from the consumer in a calendar
(3) Shall be indicated to the consumer before making the
(c) In the case of a request under subsection (a), a consumer
reporting agency must provide the consumer with an opportunity to
access his or her report through all of the following means:
(1) In writing;
(2) In person, upon the appearance of the consumer at the
place of business of the consumer reporting agency where
disclosures are regularly provided, during normal business hours,
and on reasonable notice;
(3) By telephone, if the consumer has made a written request
(4) By electronic means, if the agency offers electronic
access for any other purpose; and
(5) By any other reasonable means that is available from the
(d) A consumer reporting agency shall provide a report under
paragraph (A) no later than:
(1) Twenty-four hours after the date on which the request is
made, if the disclosure is made by electronic means, as requested
under subdivision (4),
subsection (c); and
(2) Five days after the date on which the request is made, if
the disclosure is made in writing, in person, by telephone or by
any other reasonable means that is available from the agency.
§46A-2A-107. Prevention of security breaches.
(a) For the purposes of this section, the following terms
shall have the following meanings:
(1) "Data collector" may include, but is not limited to,
government agencies, public and private universities, privately and
publicly held corporations, financial institutions, retail
operators, and any other entity which, for any purpose, whether by
automated collection or otherwise, handles, collects, disseminates,
or otherwise deals with personal information.
(2) "Breach of the security of the data" means unauthorized
acquisition of computerized or noncomputerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the data collector. Good faith
acquisition of personal information by an employee or agent of the
data collector for a legitimate purpose of the data collector is
not a breach of the security of the data, provided that the
personal information is not used for a purpose unrelated to the
data collector or subject to further unauthorized disclosure. Breach of the security of noncomputerized data may include, but is
not limited to, unauthorized photocopying, facsimiles, or other
paper-based transmittal of documents.
(3) "Personal information" means an individual's last name,
address, or phone number in combination with any one or more of the
following data elements, when either the name or the data elements
are not encrypted or redacted, or encrypted with an encryption key
that was also acquired:
(A) Social Security number.
(B) Driver's license number or state identification card
(C) Account number, credit or debit card number, if
circumstances exist wherein a number could be used without
additional identifying information, access codes, or passwords.
(D) Account passwords or personal identification numbers
(PINs) or other access codes.
(E) Biometric data.
(F) Any of item (A)-(E) when not in connection with the
individual's last name, address or phone number if the information
compromised would be sufficient to perform or attempt to perform
identity theft against the person whose information was
compromised. Personal information does not include publicly
available information that is lawfully made available to the
general public from federal, state, or local government records, provided that the publicly available information has not been
aggregated or consolidated into an electronic database or similar
system by the governmental agency or by another person.
(b) A consumer shall be given notice of breach of security.
(1) Except as provided in subdivision (2) of this subsection,
any data collector that owns or uses personal information in any
form, whether computerized, paper, or otherwise, that includes
personal information concerning a resident of West Virginia shall
notify the resident that there has been a breach of the security of
the data following discovery or notification of the breach. The
disclosure notification shall be made in the most expedient time
possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement, as provided in subdivision
(2), subsection (b), or with any measures necessary to determine
the scope of the breach and restore the reasonable integrity,
security and confidentiality of the data system.
(2) The notification required by this section may be delayed
if a law-enforcement agency determines in writing that the
notification may seriously impede a criminal investigation.
(3) For purposes of this section, notice to consumers may be
provided by one of the following methods:
(A) Written notice.
(B) Electronic notice, if the notice provided is consistent
with the provisions regarding electronic records and signatures, for notices legally required to be in writing, set forth in Section
7001 of Title 15 of the United States Code.
(C) Substitute notice, if the agency demonstrates that the
cost of providing notice would exceed two hundred fifty thousand
dollars or that the affected class of subject persons to be
notified exceeds five hundred thousand people, or the agency does
not have sufficient contact information. Substitute notice shall
consist of all of the following:
(I) Conspicuous posting of the notice on the Internet site of
the agency or person, if the agency or person maintains a public
Internet site; and
(II) Notification to major statewide media. The notice to
media shall include a toll-free phone number where an individual
can learn whether or not that individual's personal data is
included in the security breach.
(4) The notice shall include:
(A) To the extent possible, a description of the categories of
information that was, or is reasonably believed to have been,
acquired by an unauthorized person, including social security
numbers, driver's license or state identification numbers and
(B) A toll-free number:
(I) That the individual may use to contact the agency or
person, or the agent of the agency or person; and
(II) From which the individual may learn:
(i) What types of information the agency or person maintained
about that individual or about individuals in general;
(ii) Whether or not the agency or person maintained
information about that individual; and
(iii) The toll-free contact telephone numbers and addresses
for the major credit reporting agencies.
(5) The notification required by this section may be delayed
if a law-enforcement agency determines, in writing, that the
notification may impede a criminal investigation.
(6) A person required to provide notification under this
subsection shall provide or arrange for the provision of the
notification, to each individual as required and on request and at
no cost to the individual, consumer credit reports from at least
one of the major credit reporting agencies beginning not later than
two months following a breach of security and continuing on a
quarterly basis for a period of two years thereafter.
(c) Any waiver of the provisions of this title is contrary to
public policy, and is void and unenforceable.
(d) The following remedies are available to a consumer under
(1) Any individual injured by a violation of this section may
institute a civil action to recover damages; and
(2) Any business that violates, proposes to violate, or has violated this section may be enjoined. The rights and remedies
available under this section are cumulative to each other and to
any other rights and remedies available under law.
§46A-2A-108. Social security number protection.
(a) Except as provided in subsection (b), a person or entity,
including a state or local agency, may not do any of the following:
(1) Intentionally communicate or otherwise make available to
the general public an individual's social security number.
(2) Print an individual's social security number on any card
required for the individual to access products or services provided
by the person or entity.
(3) Require an individual to transmit his or her social
security number over the Internet, unless the connection is secure
or the social security number is encrypted, the number is essential
to the transaction, and there is no other identifier that could
reasonably be used.
(4) Require an individual to use his or her social security
number to access an Internet web site.
(5) Print an individual's social security number on any
materials that are mailed to the individual, unless state or
federal law requires the social security number to be on the
document to be mailed.
(6) Sell, lease, loan, trade, rent, or otherwise disclose an
individual's social security number to a third party for any purpose without written consent to the disclosure from the
(7) Refuse to do business with an individual because the
individual will not consent to the receipt by the person of the
social security account number of the individual, unless the person
is expressly required under federal law, in connection with doing
business with an individual, to submit to the federal government
the individual's social security account number.
(b) This section does not apply to documents that are recorded
or required to be open to the public pursuant to this code. This
section does not apply to records that are required by statute or
case law to be made available to the public by entities provided in
(c) Any entity covered by this section shall make reasonable
efforts to cooperate, through systems testing and other means, to
ensure that the requirements of this article are implemented on or
before the dates specified in this section.
(d) The following fines, penalties and civil actions may apply
(1) A person who violates this section is responsible for the
payment of a civil fine of not more than three thousand dollars.
(2) A person who knowingly violates this section is guilty of
a misdemeanor and, upon conviction thereof, may be imprisoned in
jail for not more than sixty days or fined not more than five thousand dollars, or both fined and imprisoned.
(3) An individual may bring a civil action against a person
who violates this section and may recover actual damages or five
thousand dollars, whichever is greater, plus reasonable court costs
and attorney's fees.
§46A-2A-109. Banning credit scoring and insurance scoring for use
in insurance decisions.
With respect to private passenger automobile, residential
property and other personal lines insurance, an insurer may not:
(a) Refuse to underwrite, cancel, refuse to renew a risk, or
increase a renewal premium based, in whole or in part, on the
credit history of an applicant or insured; or
(b) Rate a risk based, in whole or in part, on the credit
history of an applicant or insured in any manner, including:
(1) The provision or removal of a discount;
(2) Assigning the insured or applicant to a rating tier;
(3) Placing an insured or applicant with an affiliated
(4) Require a particular payment plan based, in whole or in
part, on the credit history of the insured or applicant.
§46A-2A-110. Definitions; adequate destruction of personal
(a) For the purposes of this section, the following terms
shall have the following meanings:
(1) "Business" means sole proprietorship, partnership,
corporation, association, or other group, however organized and
whether or not organized to operate at a profit. The term includes
a financial institution organized, chartered, or holding a license
or authorization certificate under the laws of this state, any
other state, the United States, or any other country, or the parent
or the subsidiary of any financial institution. The term also
includes an entity that destroys records.
(2) "Dispose" includes:
(A) The discarding or abandonment of records containing
personal information, and
(B) The sale, donation, discarding or transfer of any medium,
including computer equipment, or computer media, containing records
of personal information, or other nonpaper media upon which records
of personal information is stored, or other equipment for nonpaper
storage of information.
(3) "Personal information" means any information that
identifies, relates to, describes, or is capable of being
associated with a particular individual, including, but not limited
to, a name, signature, social security number, fingerprint and
other biometric information, photograph or computerized image,
physical characteristics or description, address, telephone number,
passport number, driver's license or state identification care
number, date of birth, medical information, bank account number, credit card number, debit card number, or any other financial
(4) "Records" means any material on which written, drawn,
spoken, visual or electromagnetic information is recorded or
preserved, regardless of physical form or characteristics.
"Records" does not include publicly available directories
containing information an individual has voluntarily consented to
have publicly disseminated or listed, including the name, address
or telephone number.
(b) Any business that conducts business in this state and any
business that maintains or otherwise possesses personal information
of residents of this state must take all reasonable measures to
protect against unauthorized access to or use of the information in
connection with, or after its disposal. The reasonable measures
must include, but may not be limited to:
(1) Implementing and monitoring compliance with polices and
procedures that require the burning, pulverizing or shredding of
papers containing personal information so that the information
cannot practicably be read or reconstructed;
(2) Implementing and monitoring compliance with policies and
procedures that require the destruction or erasure of electronic
media and other nonpaper media containing personal information so
that the information cannot practicably be read or reconstructed;
(3) After due diligence, entering into and monitoring compliance with a written contract with another party engaged in
the business of record destruction to dispose of personal
information in a manner consistent with this statute. Due
diligence should ordinarily include, but may not be limited to, one
or more of the following: Reviewing an independent audit of the
disposal company's operations and/or its compliance with this
statute or its equivalent; obtaining information about the disposal
company from several references or other reliable sources and
requiring that the disposal company be certified by a recognized
trade association or similar third party with a reputation for high
standards of quality review; reviewing and evaluating the disposal
company's information security policies or procedures, or taking
other appropriate measures to determine the competency and
integrity of the disposal company;
(4) For disposal companies explicitly hired to dispose of
records containing personal information: Implementing and
monitoring compliance with policies and procedures that protect
against unauthorized access to or use of personal information
during or after the collection and transportation and disposing of
the information in accordance with examples (1) and (2) above.
(c) Procedures relating to the adequate destruction or proper
disposal of personal records must be comprehensively described and
classified as official policy in the writings of the business
entity, including corporate and employee handbooks and similar corporate documents.
(d) The following penalties and civil action may apply to:
(1) Any person or business that violates this section may be
subject to a civil penalty of not more than three thousand dollars;
(2) Any individual aggrieved by a violation of this section
may bring a civil action in the circuit court with jurisdiction to
enjoin further violations and to recover actual damages, costs, and
reasonable attorney's fees.
NOTE: The purpose of this bill is to ensure clean credit
information and identity theft protection. Under the bill, a
security freeze procedure and a procedure to protect credit header
information on a consumer's name and address. The bill also gives
a consumer the right to file a local police report on identity
theft and to declare his or her innocence for crimes committed by
identity thieves. This bill is based on a Model Clean Credit and
Identity Theft Protection Act.
Penalties, fines and legal actions are also made available to
consumers who are harmed by violations of the article.
This article is new; therefore, strike-throughs and
underscoring have been omitted.