hb2263 intr

H. B. 2263

(By Delegates Brown, Caputo, Marshall, Rowan and Mahan)
[Introduced January 16, 2007; referred to the
Committee on the Judiciary.]

A BILL to amend the Code of West Virginia, 1931, as amended, by adding thereto a new article, designated §46A-2A-101, §46A-2A-102, §46A-2A-103, §46A-2A-104, §46A-2A-105, §46A-2A-106, §46A-2A-107, §46A-2A-108, §46A-2A-109 and §46A-2A-110, all relating to consumer protection generally; ensuring clean credit information and identity theft protection; defining certain terms; providing a security freeze procedure; providing protection for credit header information; establishing a right to file a police report on identity theft; declaration of innocence for crimes committed by identity thieves; consumer credit monitoring; security breaches; protection of social security numbers; prohibiting credit scoring and insurance scoring for use in insurance decisions; requiring adequate destruction of certain personal records; and providing for fines, criminal penalties and civil actions for violations.

Be it enacted by the Legislature of West Virginia:
That the Code of West Virginia, 1931, as amended, be amended by adding thereto a new article, designated §46A-2A-101, §46A-2A-102, §46A-2A-103, §46A-2A-104, §46A-2A-105, §46A-2A-106, §46A-2A-107, §46A-2A-108, §46A-2A-109 and §46A-2A-110, all to read as follows:
ARTICLE 2A. CLEAN CREDIT AND IDENTITY THEFT PROTECTION.

§46A-2A-101. Definitions.

For the purposes of this article, the following terms shall have the following meanings:
(1) "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.
(2) "Consumer" means an individual.
(3) "Consumer reporting agency" means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages, in whole or in part, in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.
(4) "Consumer report" or "credit report" means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected, in whole or in part, for the purpose of serving as a factor in establishing the consumer's eligibility for:
(a) Credit or insurance to be used primarily for personal, family, or household purposes, except that nothing in this article authorizes the use of credit evaluations, credit scoring or insurance scoring in the underwriting of personal lines of property or casualty insurance;
(b) Employment purposes; or
(c) Any other purpose authorized under section 15 U.S.C. 1681b.
(5) "Credit card" has the same meaning as in section 103 of the Federal Truth in Lending Act.
(6) "Credit header information" means written, oral, or other communication of any information by a consumer reporting agency regarding the social security number of the consumer, or any derivative thereof, and any other personally identifiable information of the consumer that is derived using any nonpublic personal information, except the name, address, and telephone number of the consumer if all are listed in a residential telephone directory available in the locality of the consumer.
(7) "Credit history" means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, or credit capacity that is used or expected to be used, or collected, in whole or in part, for the purpose of determining personal lines insurance premiums or eligibility for coverage.
(8) "Debit card" means any card or device issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account holding assets of the consumer at the financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services.

§46A-2A-102. Security freeze.

(a) For the purposes of this section, the following terms have the following meanings:
(1) "Security freeze" means a notice, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing all or any part of the consumer's credit report or any information derived from it without the express authorization of the consumer. If a security freeze is in place, a report or information may not be released to a third party without prior express authorization from the consumer. This subdivision does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.
(2)"Reviewing the account" or "account review" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.
(b) A consumer may elect to place a security freeze on his or her credit under the provisions of this article.
(1) A consumer may elect to place a "security freeze" on his or her credit report by:
(A) Making a request by certified or overnight mail,
(B) Making a request by telephone by providing certain personal identification, or
(C) Making a request directly to the consumer reporting agency through a secure electronic mail connection if the secure connection is made available by the agency. Credit reporting agencies shall make a secure electronic mail method of requesting a security freeze available within one hundred eighty days of the effective date of this article.
(2) A consumer reporting agency shall place a security freeze on a consumer's credit report no later than five business days after receiving a written or telephone request from the consumer or three business days after receiving a secure electronic mail request. Within one year of the effective date of this article, a consumer reporting agency shall place a security freeze on a consumer's credit report no later than three business days after receiving a written or telephone request from the consumer or one business day after receiving a secure electronic mail request. Within two years of the effective date of this article, a consumer reporting agency shall place a security freeze on a consumer's credit reporting agency no later than one business day after receiving a written or telephone request.
(3) The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within five business days of placing the freeze and at the same time shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit for a specific party or period of time, or when permanently lifting the freeze. Within one year of the effective date of this article, the consumer reporting agency shall send a written confirmation and unique personal identification number of password to the consumer no later than one business day after placing the freeze.
(4) If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer reporting agency via telephone, certified mail, overnight mail, or secure electronic mail, with a request that the freeze be temporarily lifted, and provide the following:
(A) Proper identification;
(B) The unique personal identification number or password provided by the consumer reporting agency; and
(C) The proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.
(5) A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report pursuant to subdivision (4) of paragraph (B) shall comply with the request no later than three business days after receiving the request. Within one year of the effective date this article, a consumer reporting agency shall honor a request no later than one business day after receiving the request. Within two years of the effective date of this article, a consumer reporting agency shall honor a request made by electronic mail or by telephone within fifteen minutes of receiving the request.
(6) A consumer reporting agency shall develop procedures involving the use of telephone, fax, or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act for legally required notices, by the Internet, e-mail, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report pursuant to subdivision (4), subsection (b) of this section in an expedited manner.
(7) A consumer reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only in the following cases:
(A) Upon consumer request, pursuant to subdivision (4) or subdivision (10) of this subsection);
(B) If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer reporting agency intends to remove a freeze upon a consumer's credit report pursuant to this paragraph, the consumer reporting agency shall notify the consumer in writing five business days prior to removing the freeze on the consumer's credit report.
(8) If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.
(9) If a third party requests access to a consumer credit report on which a security freeze is in effect for the purpose of receiving, extending, or otherwise utilizing the credit therein, and not for the sole purpose of account review, the consumer credit report agency must notify the consumer that an attempt has been made to access the credit report.
(10) A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both of the following:
(A) Proper identification, and
(B) The unique personal identification number or password provided by the consumer reporting agency pursuant to subdivision (3) of subsection (b). Not later than one year after the effective date of this article, a consumer reporting agency shall remove a security freeze within one business day after receiving a request.
(11) A consumer reporting agency shall require proper identification of the person making a request to place or remove a security freeze.
(12)A consumer reporting agency may not suggest or otherwise state or imply to a third party that the consumer's security freeze reflects a negative credit score, history, report or rating.
(13)The provisions of this section do not apply to the use of a consumer credit report by any of the following:
(A) A person, or the person's subsidiary, affiliate, agent, or assignee with which the consumer has or, prior to assignment, had an account, contract, or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or debt.
(B) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subdivision (4) of subsection (b) for purposes of facilitating the extension of credit or other permissible use.
(C) Any person acting pursuant to a court order, warrant, or subpoena.
(D) A state or local agency which administers a program for establishing and enforcing child support obligations.
(E) The State Health Department or its agents or assigns acting to investigate fraud.
(F) The Department of Revenue or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities.
(G) A person for the purposes of prescreening as defined by the Federal Fair Credit Reporting Act.
(H) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed.
(I) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request.
(14)A consumer may not be charged for any security freeze services, including, but not limited to, the placement or lifting of a security freeze. A consumer, however, may be charged no more than five dollars only if the consumer fails to retain the original personal identification number provided by the agency, the consumer may not be charged for a one-time reissue of the same or a new personal identification number; however, the consumer may be charged no more than five dollars for subsequent instances of loss of the personal identification number.
(c) At any time that a consumer is required to receive a summary of rights required under Section 609 of the Federal Fair Credit Reporting Act or under this code, the following notice shall be included: "West Virginia Consumers Have the Right to Obtain a Security Freeze."
"You may obtain a security freeze on your credit report at no charge to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a 'security freeze' on your credit report.
The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.
The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days, no later than one business day you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report for a specific party, parties or period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide all of the following:
(1) The unique personal identification number or password provided by the consumer reporting agency.
(2) Proper identification to verify your identity.
(3) The proper information regarding the third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report.
A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request, the consumer reporting agency must temporarily lift the freeze within fifteen minutes of receiving the request.
A security freeze does not apply to circumstances where you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control or similar activities.
If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze either completely if you are shopping around, or specifically for a certain creditor with enough advance notice before you apply for new credit for the lifting to take effect.
You should lift the freeze at least three business days before applying. Effective the first day of July, two thousand seven, you should lift the freeze at least one business day before applying; and effective the first day of July, two thousand eight, you should lift the freeze at least fifteen minutes before applying for a new account.
You have a right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer reporting agency or a user of your credit report.
(d) If a consumer reporting agency erroneously, whether by accident or design, violates the security freeze by releasing credit information that has been placed under a security freeze, the affected consumer is entitled to:
(1) Notification within five business days of the release of the information, including specificity as to the information released and the third party recipient of the information.
(2) File a complaint with the Federal Trade Commission and the state Attorney General.
(3) In a civil action against the consumer reporting agency recover:
(A) Injunctive relief to prevent or restrain further violation of the security freeze, and/or
(B) A civil penalty in an amount not to exceed ten thousand dollars for each violation plus any damages available under other civil laws, and
(C) Reasonable expenses, court costs, investigative costs, and attorney's fees.
Each violation of the security freeze shall be counted as a separate incident for purposes of imposing penalties under this section.
§46A-2A-103. Protection for credit header information.
A consumer reporting agency may furnish information from a consumer's credit header only to those who have a permissible purpose to obtain the consumer's consumer report, under Section 604 of the Federal Fair Credit Reporting Act, as codified at 15 U.S.C. 1681(b), and that permissible purpose applies to the request for the credit header information.

§46A-2A-104. Right to file a police report regarding identity theft.

(a) A person who has learned or reasonably suspects that he or she has been the victim of identity theft may contact the local law-enforcement agency that has jurisdiction over his or her actual residence, which shall take a police report of the matter, and provide the complainant with a copy of that report. Notwithstanding the fact that jurisdiction may lie elsewhere for investigation and prosecution of a crime of identity theft, the local law-enforcement agency shall take the complaint and provide the complainant with a copy of the complaint and may refer the complaint to a law-enforcement agency in that different jurisdiction.
(b) Nothing in this section interferes with the discretion of a local police department to allocate resources for investigations of crimes. A complaint filed under this section is not required to be counted as an open case for purposes of compiling open case statistics.

§46A-2A-105. Factual declaration of innocence after identity theft.

(a) A person who reasonably believes that he or she is the victim of identity theft may petition the circuit court having jurisdiction over the person's residence, or the circuit court, on its own motion or upon application of the prosecuting attorney, may move for an expedited judicial determination of his or her factual innocence, where the perpetrator of the identity theft was arrested for, cited for, or convicted of a crime under the victim's identity, or where a criminal complaint has been filed against the perpetrator in the victim's name, or where the victim's identity has been mistakenly associated with a record of criminal conviction. Any judicial determination of factual innocence made pursuant to this section may be heard and determined upon declarations, affidavits, police reports, or other material, relevant, and reliable information submitted by the parties or ordered to be part of the record by the court. Where the court determines that the petition or motion is meritorious and that there is no reasonable cause to believe that the victim committed the offense for which the perpetrator of the identity theft was arrested, cited, convicted, or subject to a criminal complaint in the victim's name, or that the victim's identity has been mistakenly associated with a record of criminal conviction, the court shall find the victim factually innocent of that offense. If the victim is found factually innocent, the court shall issue an order certifying this determination.
(b) After a circuit court has issued a determination of factual innocence pursuant to this section, the court may order the name and associated personal identifying information contained in court records, files, and indexes accessible by the public deleted, sealed, or labeled to show that the data is impersonated and does not reflect the defendant's identity.
(c) Upon making a determination of factual innocence, the circuit court must provide the consumer written documentation of the order.
(d) A circuit court that has issued a determination of factual innocence pursuant to this section may at any time vacate that determination if the petition, or any information submitted in support of the petition, is found to contain any material misrepresentation or fraud.
(e) The Supreme Court shall develop a form for use in issuing an order pursuant to this section.
(f) The Attorney General shall establish and maintain a data base of individuals who have been victims of identity theft and that have received determinations of factual innocence. The Attorney General shall provide a victim of identity theft or his or her authorized representative access to the data base in order to establish that the individual has been a victim of identity theft. Access to the data base shall be limited to criminal justice agencies, victims of identity theft, and individuals and agencies authorized by the victims.
(g) The Attorney General shall establish and maintain a toll free number to provide access to information under subdivision (f) of this section.
(h) In order for a victim of identity theft to be included in the data base established pursuant to subsection (f) of this section, he or she shall submit to the Attorney General a court order obtained pursuant to any provision of law, a full set of fingerprints, and any other information prescribed by the Attorney General.
(i) Upon receiving information pursuant to subsection (h) of this section, the Attorney General shall verify the identity of the victim against any driver's license or other identification record maintained by the Department of Motor Vehicles.
(j) This section is effective on the first day of January, two thousand eight.
§46A-2A-106. Credit monitoring.
(a) Every consumer credit reporting agency shall, upon request from a consumer that is not covered by the free disclosures provided in 15 U.S.C. 1681j subsections (a) through (d), clearly and accurately disclose to the consumer:
(1) All information in the consumer's file at the time of the request, except that nothing in this paragraph shall be construed to require a consumer reporting agency to disclose to a consumer any information concerning credit scores or other risk scores or predictors that are governed by 15 U.S.C. 1681g (f).
(2) The sources of the information.
(3) Identification of each person (including each end-user identified under 15 U.S.C. 1681e) that procured a consumer report:
(A) For employment purposes, during the two-year period preceding the date on which the request is made; or
(B) For any other purpose, during the one-year period preceding the date on which the request is made.
(4) An identification of a person under subdivision (3) of this subsection shall include:
(A) The name of the person or, if applicable, the trade name (written in full) under which the person conducts business; and
(B) Upon request of the consumer, the address and telephone number of the person.
(5) Subdivision (3) of this subsection does not apply if:
(A) The end user is an agency or department of the United States Government that procures the report from the person for purposes of determining the eligibility of the consumer to whom the report relates to receive access or continued access to classified information (as defined in section 15 U.S.C. 1681b (b)(4)(E)(i)); and
(B) The head of the agency or department makes a written finding as prescribed under section 15 U.S.C. 1681b (b)(4)(A).
(6) The dates, original payees, and amounts of any checks upon which is based any adverse characterization of the consumer, included in the file at the time of the disclosure or which can be inferred from the file.
(7) A record of all inquiries received by the agency during the one-year period preceding the request that identified the consumer in connection with a credit or insurance transaction that was not initiated by the consumer.
(8) If the consumer requests the credit file and not the credit score, a statement that the consumer may request and obtain a credit score.
(b) In the case of a request under subsection (a), a consumer reporting agency may impose a reasonable charge on a consumer for making a report pursuant to this section, which charge:
(1) Shall not exceed two dollars for each of the first twelve requests from the consumer in a calendar year;
(2) Shall not exceed eight dollars for any additional request beyond the initial twelve requests from the consumer in a calendar year; and
(3) Shall be indicated to the consumer before making the disclosure.
(c) In the case of a request under subsection (a), a consumer reporting agency must provide the consumer with an opportunity to access his or her report through all of the following means:
(1) In writing;
(2) In person, upon the appearance of the consumer at the place of business of the consumer reporting agency where disclosures are regularly provided, during normal business hours, and on reasonable notice;
(3) By telephone, if the consumer has made a written request for disclosure;
(4) By electronic means, if the agency offers electronic access for any other purpose; and
(5) By any other reasonable means that is available from the agency.
(d) A consumer reporting agency shall provide a report under paragraph (A) no later than:
(1) Twenty-four hours after the date on which the request is made, if the disclosure is made by electronic means, as requested under subdivision (4), subsection (c); and
(2) Five days after the date on which the request is made, if the disclosure is made in writing, in person, by telephone or by any other reasonable means that is available from the agency.
§46A-2A-107. Prevention of security breaches.
(a) For the purposes of this section, the following terms shall have the following meanings:
(1) "Data collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity which, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personal information.
(2) "Breach of the security of the data" means unauthorized acquisition of computerized or noncomputerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. Good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector is not a breach of the security of the data, provided that the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure. Breach of the security of noncomputerized data may include, but is not limited to, unauthorized photocopying, facsimiles, or other paper-based transmittal of documents.
(3) "Personal information" means an individual's last name, address, or phone number in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted, or encrypted with an encryption key that was also acquired:
(A) Social Security number.
(B) Driver's license number or state identification card number.
(C) Account number, credit or debit card number, if circumstances exist wherein a number could be used without additional identifying information, access codes, or passwords.
(D) Account passwords or personal identification numbers (PINs) or other access codes.
(E) Biometric data.
(F) Any of item (A)-(E) when not in connection with the individual's last name, address or phone number if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records, provided that the publicly available information has not been aggregated or consolidated into an electronic database or similar system by the governmental agency or by another person.
(b) A consumer shall be given notice of breach of security.
(1) Except as provided in subdivision (2) of this subsection, any data collector that owns or uses personal information in any form, whether computerized, paper, or otherwise, that includes personal information concerning a resident of West Virginia shall notify the resident that there has been a breach of the security of the data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (2), subsection (b), or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system.
(2) The notification required by this section may be delayed if a law-enforcement agency determines in writing that the notification may seriously impede a criminal investigation.
(3) For purposes of this section, notice to consumers may be provided by one of the following methods:
(A) Written notice.
(B) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, for notices legally required to be in writing, set forth in Section 7001 of Title 15 of the United States Code.
(C) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds five hundred thousand people, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(I) Conspicuous posting of the notice on the Internet site of the agency or person, if the agency or person maintains a public Internet site; and
(II) Notification to major statewide media. The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual's personal data is included in the security breach.
(4) The notice shall include:
(A) To the extent possible, a description of the categories of information that was, or is reasonably believed to have been, acquired by an unauthorized person, including social security numbers, driver's license or state identification numbers and financial data;
(B) A toll-free number:
(I) That the individual may use to contact the agency or person, or the agent of the agency or person; and
(II) From which the individual may learn:
(i) What types of information the agency or person maintained about that individual or about individuals in general;
(ii) Whether or not the agency or person maintained information about that individual; and
(iii) The toll-free contact telephone numbers and addresses for the major credit reporting agencies.
(5) The notification required by this section may be delayed if a law-enforcement agency determines, in writing, that the notification may impede a criminal investigation.
(6) A person required to provide notification under this subsection shall provide or arrange for the provision of the notification, to each individual as required and on request and at no cost to the individual, consumer credit reports from at least one of the major credit reporting agencies beginning not later than two months following a breach of security and continuing on a quarterly basis for a period of two years thereafter.
(c) Any waiver of the provisions of this title is contrary to public policy, and is void and unenforceable.
(d) The following remedies are available to a consumer under this section:
(1) Any individual injured by a violation of this section may institute a civil action to recover damages; and
(2) Any business that violates, proposes to violate, or has violated this section may be enjoined. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
§46A-2A-108. Social security number protection.
(a) Except as provided in subsection (b), a person or entity, including a state or local agency, may not do any of the following:
(1) Intentionally communicate or otherwise make available to the general public an individual's social security number.
(2) Print an individual's social security number on any card required for the individual to access products or services provided by the person or entity.
(3) Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted, the number is essential to the transaction, and there is no other identifier that could reasonably be used.
(4) Require an individual to use his or her social security number to access an Internet web site.
(5) Print an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed.
(6) Sell, lease, loan, trade, rent, or otherwise disclose an individual's social security number to a third party for any purpose without written consent to the disclosure from the individual.
(7) Refuse to do business with an individual because the individual will not consent to the receipt by the person of the social security account number of the individual, unless the person is expressly required under federal law, in connection with doing business with an individual, to submit to the federal government the individual's social security account number.
(b) This section does not apply to documents that are recorded or required to be open to the public pursuant to this code. This section does not apply to records that are required by statute or case law to be made available to the public by entities provided in the Constitution.
(c) Any entity covered by this section shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this article are implemented on or before the dates specified in this section.
(d) The following fines, penalties and civil actions may apply to:
(1) A person who violates this section is responsible for the payment of a civil fine of not more than three thousand dollars.
(2) A person who knowingly violates this section is guilty of a misdemeanor and, upon conviction thereof, may be imprisoned in jail for not more than sixty days or fined not more than five thousand dollars, or both fined and imprisoned.
(3) An individual may bring a civil action against a person who violates this section and may recover actual damages or five thousand dollars, whichever is greater, plus reasonable court costs and attorney's fees.
§46A-2A-109. Banning credit scoring and insurance scoring for use in insurance decisions.

With respect to private passenger automobile, residential property and other personal lines insurance, an insurer may not:
(a) Refuse to underwrite, cancel, refuse to renew a risk, or increase a renewal premium based, in whole or in part, on the credit history of an applicant or insured; or
(b) Rate a risk based, in whole or in part, on the credit history of an applicant or insured in any manner, including:
(1) The provision or removal of a discount;
(2) Assigning the insured or applicant to a rating tier;
(3) Placing an insured or applicant with an affiliated company; or
(4) Require a particular payment plan based, in whole or in part, on the credit history of the insured or applicant.

§46A-2A-110. Definitions; adequate destruction of personal records.

(a) For the purposes of this section, the following terms shall have the following meanings:
(1) "Business" means sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit. The term includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this state, any other state, the United States, or any other country, or the parent or the subsidiary of any financial institution. The term also includes an entity that destroys records.
(2) "Dispose" includes:
(A) The discarding or abandonment of records containing personal information, and
(B) The sale, donation, discarding or transfer of any medium, including computer equipment, or computer media, containing records of personal information, or other nonpaper media upon which records of personal information is stored, or other equipment for nonpaper storage of information.
(3) "Personal information" means any information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, a name, signature, social security number, fingerprint and other biometric information, photograph or computerized image, physical characteristics or description, address, telephone number, passport number, driver's license or state identification care number, date of birth, medical information, bank account number, credit card number, debit card number, or any other financial information.
(4) "Records" means any material on which written, drawn, spoken, visual or electromagnetic information is recorded or preserved, regardless of physical form or characteristics. "Records" does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including the name, address or telephone number.
(b) Any business that conducts business in this state and any business that maintains or otherwise possesses personal information of residents of this state must take all reasonable measures to protect against unauthorized access to or use of the information in connection with, or after its disposal. The reasonable measures must include, but may not be limited to:
(1) Implementing and monitoring compliance with polices and procedures that require the burning, pulverizing or shredding of papers containing personal information so that the information cannot practicably be read or reconstructed;
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed;
(3) After due diligence, entering into and monitoring compliance with a written contract with another party engaged in the business of record destruction to dispose of personal information in a manner consistent with this statute. Due diligence should ordinarily include, but may not be limited to, one or more of the following: Reviewing an independent audit of the disposal company's operations and/or its compliance with this statute or its equivalent; obtaining information about the disposal company from several references or other reliable sources and requiring that the disposal company be certified by a recognized trade association or similar third party with a reputation for high standards of quality review; reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal company;
(4) For disposal companies explicitly hired to dispose of records containing personal information: Implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of the information in accordance with examples (1) and (2) above.
(c) Procedures relating to the adequate destruction or proper disposal of personal records must be comprehensively described and classified as official policy in the writings of the business entity, including corporate and employee handbooks and similar corporate documents.
(d) The following penalties and civil action may apply to:
(1) Any person or business that violates this section may be subject to a civil penalty of not more than three thousand dollars; and
(2) Any individual aggrieved by a violation of this section may bring a civil action in the circuit court with jurisdiction to enjoin further violations and to recover actual damages, costs, and reasonable attorney's fees.

NOTE: The purpose of this bill is to ensure clean credit information and identity theft protection. Under the bill, a security freeze procedure and a procedure to protect credit header information on a consumer's name and address. The bill also gives a consumer the right to file a local police report on identity theft and to declare his or her innocence for crimes committed by identity thieves. This bill is based on a Model Clean Credit and Identity Theft Protection Act.

Penalties, fines and legal actions are also made available to consumers who are harmed by violations of the article.

This article is new; therefore, strike-throughs and underscoring have been omitted.