H. B. 2705
(By Delegate Marshall)
[Introduced January 9, 2008; referred to the
Committee on the Judiciary.]
A BILL to amend the Code of West Virginia, 1931, as amended, by
adding thereto a new article, designated §46A-2A-101,
§46A-2A-102, §46A-2A-103, §46A-2A-104, §46A-2A-105,
§46A-2A-106, §46A-2A-107, §46A-2A-108, §46A-2A-109,
§46A-2A-110 and §46A-2-A-111, all relating generally to
consumer credit and identity theft protection; defining
certain terms; providing a procedure for consumers to
implement a security freeze; providing for notice of consumer
rights; providing for protection for consumer credit header
information; providing for the right to file a police report
in the event of security theft; requiring a notice to
consumers of information systems
breach; providing for factual
declaration of innocence after identity theft; protecting
social security numbers;
providing for civil penalties for
violations; providing for making a violation an unfair or deceptive act or practice; and providing for severability of
the provisions of the article under certain circumstances.
Be it enacted by the Legislature of West Virginia:
That the Code of West Virginia, 1931, as amended, be amended
by adding thereto a new article, designated §46A-2A-101,
§46A-2A-102, §46A-2A-103, §46A-2A-104, §46A-2A-105, §46A-2A-106,
§46A-2A-107, §46A-2A-108, §46A-2A-109, §46A-2A-110 and §46A-2A-111,
all to read as follows:
ARTICLE 2A. THEFT OF CONSUMER IDENTITY PROTECTIONS.
§46A-2A-101. Definitions.
For the purposes of this article, the following terms have the
following meanings:
(1) "Person" means any individual, partnership, corporation,
trust, estate, cooperative, association, government or governmental
subdivision or agency, or other entity.
(2) "Consumer" means an individual.
(3) "Consumer reporting agency" means any entity which, for
monetary fees, dues or on a cooperative nonprofit basis, regularly
engages, in whole or in part, in the practice of assembling or
evaluating consumer credit information or other information on
consumers for the purpose of furnishing consumer reports to third
parties.
(4) "Consumer report" or "credit report" means any written,
oral or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit
standing, credit capacity, character, general reputation, personal
characteristics or mode of living which is used or expected to be
used or collected, in whole or in part, for the purpose of serving
as a factor in establishing the consumer's eligibility for:
(A) Credit or insurance to be used primarily for personal,
family or household purposes, except that nothing in this article
authorizes the use of credit evaluations, credit scoring or
insurance scoring in the underwriting of personal lines of property
or casualty insurance;
(B) Employment purposes; or
(C) Any other purpose authorized under section 15 U.S.C. §
1681b.
(5) "Credit card" has the same meaning as in section 103 of
the Truth in Lending Act, 15 U.S.C. § 1601 et. seq.
(6) "Credit header information" means written, oral or other
communications of any information by a consumer reporting agency
regarding the social security number of the consumer, or any
derivative thereof, and any other personally identifiably
information of the consumer that is derived using any nonpublic
personal information, except the name, address and telephone number
of the consumer if all are listed in a residential telephone
directory available in the locality of the consumer.
(7) "Credit history" means written, oral or other communications of any information by a consumer reporting agency
bearing on a consumer's creditworthiness, credit standing or credit
capacity that is used or expected to be used, or collected, in
whole or in part, for the purpose of determining personal lines
insurance premiums or eligibility for coverage.
(8) "Security freeze" means a notice, at the request of the
consumer and subject to certain exceptions, that prohibits the
consumer reporting agency from releasing all or any part of the
consumer's credit report or any information derived from it without
the express authorization of the consumer. If a security freeze is
in place, a report or information may not be released to a third
party without prior express authorization from the consumer. This
subdivision does not prevent a consumer reporting agency from
advising a third party that a security freeze is in effect with
respect to the consumer's credit report.
(9) "Reviewing the account" or "account review" includes
activities related to account maintenance, monitoring, credit line
increases and account upgrades and enhancements.
§46A-2A-102. Security freeze; timing, covered entities, cost.
(a) A consumer may elect to place a security freeze on his or
her consumer report by:
(1) Making a request by mail; or
(2) Making a request by telephone by providing certain
personal identification; or
(3) Making a request directly to the consumer reporting agency
through a secure electronic mail connection if an electronic mail
connection is provided by the consumer reporting agency.
(b) A consumer reporting agency shall place a security freeze
on a consumer report no later than five business days after
receiving a written request from the consumer.
(c) The consumer reporting agency shall send a written
confirmation of the security freeze to the consumer within five
business days of placing the freeze and at the same time shall
provide the consumer with a unique personal identification number
or password to be used by the consumer when providing authorization
for the release of his or her credit for a specific party or period
of time.
(d) If the consumer wishes to allow his or her consumer report
to be accessed for a specific party or period of time while a
freeze is in place, he or she shall contact the consumer reporting
agency via telephone, mail, secure website or secure electronic
mail, with a request that the freeze be temporarily lifted, and
provide all of the following:
(1) Proper identification;
(2) The unique personal identification number or password
provided by the consumer reporting agency pursuant to subsection
(c) of this section; and
(3) The proper information regarding the third party who is to receive the consumer report or the time period for which the
consumer report shall be available to users of the consumer report.
(e) A consumer reporting agency that receives a request from
a consumer to temporarily lift a freeze on a consumer report
pursuant to subsection (d) of this section shall comply with the
request no later than three business days after receiving the
request by mail and no later than fifteen minutes after receiving
the request by electronic mail or by telephone.
(f) A consumer reporting agency shall develop procedures
involving the use of telephone, fax, the Internet or other
electronic media to receive and process a request from a consumer
to temporarily lift a freeze on a consumer report pursuant to
subsection (d) of this section in an expedited manner.
(g) A consumer reporting agency shall remove or temporarily
lift a freeze placed on a consumer report only upon consumer
request, pursuant to subsection (d) of this section.
(h) If a third party requests access to a consumer report on
which a security freeze is in effect, and this request is in
connection with an application for credit or any other use, and the
consumer does not allow his or her
consumer report to be accessed
for that specific party or period of time, the third party may
treat the application as incomplete.
(i) A security freeze shall remain in place until the consumer
requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days of
receiving a request for removal from the consumer, who provides the
following:
(1) Proper identification; and
(2) The unique personal identification number or password
provided by the consumer reporting agency pursuant to subsection
(c) of this section.
(j) A consumer reporting agency shall require proper
identification of the person making a request to place or remove a
security freeze.
(k) A consumer reporting agency may not suggest or otherwise
state or imply to a third party that the consumer's security freeze
reflects a negative credit score, history, report or rating.
(l) The provisions of this section do not apply to the use of
a consumer credit report by any of the following:
(1) A person, or the person's subsidiary, affiliate, agent or
assignee with which the consumer has or, prior to assignment, had
an account, contract or debtor-creditor relationship for the
purposes of reviewing the account or collecting the financial
obligation owing for the account, contract or debt.
(2) A subsidiary, affiliate, agent, assignee or prospective
assignee of a person to whom access has been granted under section
one hundred two-d of this article for purposes of facilitating the
extension of credit or other permissible use.
(3) Any person acting pursuant to a court order, warrant or
subpoena.
(4) A state or local agency that administers a program for
establishing and enforcing child support obligations.
(5) The West Virginia Department of Health and Human
Resources, its agents or assigns acting to investigate fraud.
(6) The West Virginia Department of Revenue or its agents or
assigns acting to investigate or collect delinquent taxes or unpaid
court orders or to fulfill any of its other statutory
responsibilities.
(7) A person for the purposes of prescreening as defined by
the Federal Fair Credit Reporting Act.
(8) Any person or entity administering a credit file
monitoring subscription service to which the consumer has
subscribed.
(9) Any person or entity for the purpose of providing a
consumer with a copy of his or her credit report upon the
consumer's request.
(m) A consumer reporting agency shall not charge a consumer
any fee to place a security freeze on that consumer's consumer
report.
(n) A consumer reporting agency may charge a reasonable fee,
not to exceed five dollars, to a consumer who elects to remove or
temporarily lift a security freeze on that consumer's consumer report.
(o) A consumer may be charged a reasonable fee, not to exceed
five dollars, if the consumer fails to retain the original personal
identification number provided by the consumer reporting agency and
must be reissued the same or a new personal identification number.
§46A-2A-103. Notice of right to obtain security freeze.
(a) At any time that a consumer is required to receive a
summary of rights required under section 609 of the Federal "Fair
Credit Reporting Act," 15 U.S.C. §1681g, the following notice shall
be included:
"West Virginia Consumers Have the Right to Obtain a Security Freeze"
You may obtain a security freeze on your credit report to
protect your privacy and ensure that credit is not granted in your
name without your knowledge. You have a right to place a security
freeze on your credit report pursuant to West Virginia law.
The security freeze will prohibit a consumer reporting agency
from releasing any information in your credit report without your
express authorization or approval.
The security freeze is designed to prevent credit, loans, and
services from being approved in your name without your consent.
When you place a security freeze on your credit report, within five
business days you will be provided a personal identification number
or password to use if you choose to remove the freeze on your
credit report or to temporarily authorize the release of your credit report for a specific party, parties or period of time after
the freeze is in place. To provide that authorization, you must
contact the consumer reporting agency and provide all of the
following:
(1) The unique personal identification number or password
provided by the consumer reporting agency;
(2) Proper identification to verify your identity; and
(3) The proper information regarding the third party or
parties who are to receive the credit report or the period of time
for which the report shall be available to users of the credit
report.
A consumer reporting agency that receives a request from a
consumer to lift temporarily a freeze on a credit report shall
comply with the request no later than three business days or less,
as provided by regulation, after receiving the request. A security
freeze does not apply to circumstances in which you have an
existing account relationship and a copy of your report is
requested by your existing creditor or its agents or affiliates for
certain types of account review, collection, fraud control or
similar activities.
If you are actively seeking credit, you should understand that
the procedures involved in lifting a security freeze may slow your
own applications for credit. You should plan ahead and lift a
freeze, either completely if you are shopping around, or specifically for a certain creditor, a few days before actually
applying for new credit.
You have a right to bring a civil action against someone who
violates your rights under the credit reporting laws. The action
can be brought against a consumer reporting agency or a user of
your credit report.
(b) If a consumer requests information about a security
freeze, he or she shall be provided with the notice provided in
this section, about how to place, temporarily lift and permanently
lift a security freeze.
§46A-2A-104. Violations; penalties.
If a consumer reporting agency erroneously, whether by
accident or design, violates the security freeze by releasing
credit information that has been placed under a security freeze,
the affected consumer is entitled to:
(1) Notification within five business days of the release of
the information, including specificity as to the information
released and the third party recipient of the information.
(2) File a complaint with the Federal Trade Commission and the
State Attorney General.
(3) File a civil action against the consumer reporting agency
seeking:
(A) Injunctive relief to prevent or restrain further violation
of the security freeze; and
(B) A civil penalty in an amount not to exceed ten thousand
dollars for each violation plus any damages available under other
civil laws; and
(C) Reasonable expenses, court costs, investigative costs, and
attorney's fees.
(4) Each violation of the security freeze is a separate
incident for purposes of imposing penalties under this section.
§46A-2A-105. Protection for credit header information.
A consumer reporting agency may furnish information from a
consumer's credit header only to those who have a permissible
purpose to obtain the consumer's consumer report, under section 604
of the federal Fair Credit Reporting Act, as codified at 15 U.S.C.
§ 1681(b), and that permissible purpose applies to the request for
the credit header information.
§46A-2A-106.
Right to file a police report regarding identity
theft.
(a) A person who has learned or reasonably suspects that he or
she has been the victim of identity theft may contact the local
law-enforcement agency that has jurisdiction over his or her actual
residence, which shall take a police report of the matter, and
provide the complainant with a copy of that report.
Notwithstanding the fact that jurisdiction may lie elsewhere for
investigation and prosecution of a crime of identity theft, the
local law-enforcement agency shall take the complaint and provide the complainant with a copy of the complaint and may refer the
complaint to a law-enforcement agency in that different
jurisdiction.
(b) Nothing in this section interferes with the discretion of
a local police department to allocate resources for investigations
of crimes. A complaint filed under this section is not required to
be counted as an open case for purposes such as compiling open case
statistics.
§46A-2A-107. Factual declaration of innocence after identity
theft.
(a) A person who reasonably believes that he or she has been
the victim of identity theft may petition a court, or the court, on
its own motion or upon application of the prosecuting attorney, may
move for an expedited judicial determination of his or her factual
innocence, where the perpetrator of the identity theft was arrested
for, cited for or convicted of a crime under the victim's identity,
or where a criminal complaint has been filed against the
perpetrator in the victim's name, or where the victim's identity
has been mistakenly associated with a record of criminal
conviction. Any judicial determination of factual innocence made
pursuant to this section may be heard and determined upon
declarations, affidavits, police reports or other material,
relevant, and reliable information submitted by the parties or
ordered to be part of the record by the court. Where the court determines that the petition or motion is meritorious and that
there is no reasonable cause to believe that the victim committed
the offense for which the perpetrator of the identity theft was
arrested, cited or subject to a criminal complaint in the victim's
name, or that the victim's identity has been mistakenly associated
with a record of criminal conviction, the court shall find the
victim factually innocent of that offense. If the victim is found
factually innocent, the court shall issue an order certifying this
determination.
(b) After the court has issued a determination of factual
innocence pursuant to this section, the court may order the name
and associated personal identifying information contained in court
records, files and indexes accessible by the public deleted, sealed
or labeled to show that the data is impersonated and does not
reflect the defendant's identity.
(c) Upon making a determination of factual innocence, the
court must provide the consumer written documentation of such
order.
(d) A court that has issued a determination of factual
innocence pursuant to this section may at any time vacate that
determination if the petition, or any information submitted in
support of the petition, is found to contain any material
misrepresentation or fraud.
(e) The Supreme Court of Appeals of West Virginia shall develop a form for use in issuing an order pursuant to this
section.
(f) The Division of Consumer Protection shall establish and
maintain a data base of individuals who have been victims of
identity theft and that have received determinations of factual
innocence. The Division of Consumer Protection shall provide a
victim of identity theft or his or her authorized representative
access to the data base in order to establish that the individual
has been a victim of identity theft.
(g) The Division of Consumer Protection shall establish and
maintain a toll free number to provide access to information under
subdivision (f) of this section.
(h) In order for a victim of identity theft to be included in
the database established pursuant to subdivision (f) of this
section, he or she shall submit to the Division of Consumer
Protection a court order obtained pursuant to any provision of law,
a full set of fingerprints, and any other information prescribed by
the division.
(i) Upon receiving information pursuant to subdivision (h) of
this section, the Division of Consumer Protection shall verify the
identity of the victim against any driver's license or other
identification record maintained by the Division of Motor Vehicles.
(j) This section shall be operative within one hundred eighty
days of the passage of this article.
§46A-2A-108. Notice of breach of information systems.
(a) As used in this section:
(1) "Breach of the security of the system" means the
unauthorized acquisition of computerized data that compromises the
security, confidentiality, or integrity of personal information
maintained by an individual or a commercial entity. Good faith
acquisition of personal information by an employee or agent of an
individual or a commercial entity for the purposes of the
individual or the commercial entity is not a breach of the security
of the system, provided that the personal information is not used
for or is not subject to further unauthorized disclosure.
(2) "Notice" means:
(A) Written notice;
(B) Electronic notice, if the notice provided is consistent
with the provisions regarding electronic records and signatures set
forth in §7001 of Title 15 of the United States Code; or
(C) Substitute notice, if the individual or the commercial
entity required to provide notice demonstrates that the cost of
providing notice will exceed one hundred thousand dollars, or that
the affected class of West Virginia residents to be notified
exceeds 200,000 residents, or that the individual or the commercial
entity does not have sufficient contact information to provide
notice. Substitute notice consists of all of the following:
(i) E-mail notice if the individual or the commercial entity has e-mail addresses for the members of the affected class of West
Virginia residents;
(ii) Conspicuous posting of the notice on the website of the
individual or the commercial entity if the individual or the
commercial entity maintains one; and
(iii) Notification to major statewide media.
(3)"Personal information" means a West Virginia resident's
first name or first initial and last name in combination with any
one or more of the following data elements that relate to the
resident, when either the name or the data elements are not
encrypted:
(A) Social Security number;
(B) Driver's license number;
(C) Account number, or credit or debit card number, alone or
in combination with any required security code, access code or
password that would permit access to a resident's financial
account; or
(D) Individually identifiable information, in electronic or
physical form, regarding the West Virginia resident's medical
history or medical treatment or diagnosis by a health care
professional.
The term "personal information" does not include publicly
available information that is lawfully made available to the
general public from federal, state or local government records.
(b) An individual or a commercial entity that conducts
business in West Virginia and that owns or licenses computerized
data that includes personal information shall give notice to a
resident of West Virginia of any breach of the security of the
system immediately following the discovery of a breach in the
security of personal information of the West Virginia resident
whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
Notification must be made in good faith, in the most expedient time
possible, and without unreasonable delay, consistent with the
legitimate needs of law enforcement as provided in subsection (d)
of this section and consistent with any measures necessary to
determine the scope of the breach and to restore the reasonable
integrity of the computerized data system.
(c) An individual or a commercial entity that maintains
computerized data that includes personal information that the
individual or the commercial entity does not own or license shall
give notice to the owner or licensee of the information of any
breach of the security of the data immediately following discovery
of a breach, if the personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
(d) Notice required by this section may be delayed if a
law-enforcement agency determines that the notice will impede a
criminal investigation. Notice required by this section must be made in good faith, without unreasonable delay, and as soon as
possible after the law-enforcement agency determines that
notification will no longer impede the investigation.
(e) An individual or a commercial entity that is required to
give notice of a breach in the security of personal information
pursuant to this section shall also promptly provide written
notification of the nature and circumstances of the breach to the
Office of the Attorney General.
(f) Notwithstanding the definition of notice in this section,
an individual or a commercial entity that maintains its own
notification procedures as part of an information security policy
for the treatment of personal information, and whose procedures are
otherwise consistent with the timing requirements of this section,
is deemed to be in compliance with the notice requirements of this
section if the individual or the commercial entity notifies
affected West Virginia residents in accordance with its policies in
the event of a breach of security of the system. If an individual
or a commercial entity that is regulated by state or federal law
provides greater protection to personal information than that
provided by this section in regard to the subjects addressed by
this section, compliance with that state or federal law is deemed
compliance with this section with regard to those subjects. This
section does not relieve an individual or a commercial entity from
a duty to comply with other requirements of state and federal law regarding the protection and privacy of personal information.
(g) Any West Virginia resident damaged by a violation of this
section may bring an action for recovery of damages. If damages
are awarded to the West Virginia resident, the damages shall be
triple the amount of the actual damages proved plus reasonable
attorney fees. Nothing in this section may be construed so as to
nullify or impair any right which a West Virginia resident may have
at common law, by statute, or otherwise.
(h) In addition to the remedy provided in subsection (g) of
this section, the Office of the Attorney General may bring an
action in law or equity to address violations of this section and
for other relief that may be appropriate. The provisions of this
section are not exclusive and do not relieve an individual or a
commercial entity subject to this section from compliance with all
other applicable provisions of law.
§46A-2A-109. Protection of social security numbers.
(a) A person may not without the consent of the individual:
(1) Intentionally communicate or otherwise make available to
the general public an individual's social security number;
(2) Print an individual's social security number on a card
required for the individual to access products or services provided
by the person;
(3) Require an individual to transmit the individual's social
security number over the Internet unless the Internet connection is secure or the social security number is encrypted;
(4) Require an individual to use the individual's social
security number to access an Internet site unless a password, a
unique personal identification number, or another authentication
device is also required in order to access the site;
(5) Print an individual's social security number on materials
that are mailed to the individual, unless state or federal law
requires the social security number to be on the material;
(6) Refuse to do business with an individual because the
individual does not consent to the receipt by the person of the
social security number of the individual, unless the person is
expressly required under federal law, in connection with doing
business with an individual, to submit the individual's social
security number to the federal government.
(b) A person may not sell, lease, loan, trade, rent or
otherwise disclose an individual's social security number to a
third party for any purpose without the individual's written
consent.
(c) A person who knowingly violates this section is liable to
the state for a civil penalty not to exceed $3,000.
(d) An individual may bring a civil action in court against a
person who knowingly violates this section and may recover actual
damages or five thousand dollars, whichever amount is greater, and
court costs and attorney fees allowed by the rules of the court.
§46A-2A-110. Unfair or deceptive acts or practices.
Any violation of the provisions of this article is an unfair
or deceptive act or practice.
§46A-2A-111. Severability.
The provisions of this article are severable. If any phrase,
clause, sentence, provision or section is declared to be invalid or
preempted, in whole or in part, by federal law or regulation, the
validity of the remainder of this article shall not be affected
thereby.
NOTE: The purpose of this bill is to establish a procedure
whereby a consumer may implement a security freeze to prohibit a
consumer reporting agency from releasing all or any part of the
consumer's credit report or any information derived from it without
the express authorization of the consumer; to provide for
protection for consumer credit header information; to provide for
the right to file a police report in the event of security theft;
to require a notice to consumers of a breach of information
systems
; to provide for a judicial declaration of factual innocence
for victims of identity theft; and to provide for protection of
social security numbers. Civil penalties are provided for
violations.
This article is new; therefore, strike-throughs and
underscoring have been omitted.