SENATE, No. 163

By Mr. Barrios, a petition (accompanied by bill, Senate, No. 163) of Jarrett T. Barrios, Mark C. Montigny, Brian A. Joyce, Denise Provost and other members of the General Court for legislation to prevent regarding public safety and policing practices to prevent identity theft. Consumer Protection and Professional Licensure.
Version with line numberspdf logo

The Commonwealth of Massachusetts

Seal of the Commonwealth of Massachusetts

In the Year Two Thousand and Seven.


AN ACT to prevent regarding public safety and policing practices to prevent identity theft

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1. Section 18 ¾ of the General Laws, as appearing in the 2004 Official Edition, is herby amended by adding the following paragraph:-

(9) The secretary of public safety shall establish a commission to study and publish findings and information concerning the incidence of identity theft in the commonwealth. The commission shall include 7 members consisting of the secretary of public safety or his designee, a representative of the state police, a police chief appointed by the Massachusetts Chiefs of Police Association, the attorney general or his designated appointee, a consumer advocate appointed by the governor, and a representative from the banking industry appointed by the governor.  The secretary shall file said report annually, together with his analysis of any trends discerned from the same, with the clerk of the senate and the clerk of the house of representatives, who shall forward copies to the joint committee on public safety and homeland security and the judiciary, the house and senate committees on ways and means and the attorney general. 

SECTION 2.  Chapter 266 of the General Laws is hereby amended by striking out section 37E and inserting in place thereof following section:-

            Section 37E.  (a) For purposes of this section, the following words shall have the following meanings:--

“Harass”,  to willfully and maliciously engage in an act directed at a specific person or persons, or at a specific organization or organizations, which act seriously alarms or annoys such person or persons or any person or persons employed by or associated with such organization or organizations, and would cause a reasonable person to suffer substantial emotional distress.

“Identifying information”,  any name or number that may be used, alone or in conjunction with any other information, to assume the identity of an individual or organization including any name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, tax identification number, mother's maiden name, demand deposit account number, savings or checking account number, credit card number, computer password identification or another identifying information.

“Organization”, any corporation, partnership, joint venture, firm, sole proprietorship, association of individuals, or any other professional or business entity.

“Person with a disability”, a person who is mentally retarded, as defined by section 123B or who is otherwise mentally or physically disabled and as a result of such mental or physical disability is wholly or partially dependent on another person or persons to meet his daily living needs.

“Pose”, to falsely represent oneself, directly or indirectly, as another person, persons, or organization.

“Victim”, any person who, or organization that, has suffered financial loss or any entity that provided money, credit, goods, services or anything of value and has suffered financial loss as a direct result of the commission or attempted commission of a violation of this section.

(b) Whoever, with fraudulent intent, knowingly and intentionally poses as another person, living or dead, as a representative of an organization, or as being authorized to act on behalf of an organization, and uses such person's or organization’s identifying information to obtain or to attempt to obtain money, credit, goods, services, anything of value, any identification card or other evidence of such person's or organization’s identity, to harass another person or organization, to commit an illegal act, or to avoid identification, apprehension or prosecution for a crime shall be guilty of the crime of identity fraud and shall be punished  by a fine of not more than $5,000 or imprisonment in the house of correction for not more than 2 ½ years or by both such fine and imprisonment for a first offense and, and for any subsequent offense by imprisonment in the state prison for not more than 5 years or a fine of not more than $25,000 or by both such fine and imprisonment.

(c) Whoever, with fraudulent intent, knowingly and intentionally obtains identifying information about another person, living or dead, or an organization, with the intent to pose as such person, or as a representative of such organization, or as being authorized to act on behalf of an organization in order to obtain money, credit, goods, services, anything of value, any identification card or other evidence of such person's or organization’s identity, to harass another person or organization, or to avoid identification, apprehension or prosecution for a crime shall be guilty of the crime of identity fraud and shall be punished by imprisonment in a house of correction for not more than 2 ½ years or by a fine of not more than $5,000 or by both such fine and imprisonment for a first offense and for any subsequent offense or imprisonment in the state prison for not more than 5 years or by a fine of not more than $25,000 or by both such fine and imprisonment.

(d) Whoever violates this section by using the identifying information of a person 65 years or older or of a person with a disability shall be punished by imprisonment in the state prison for not more than 5 years or by a fine of not more than $10,000 and for any subsequent offense by imprisonment in the state prison for not more than 10 years or by a fine of not more than $25,000 or by both such fine and imprisonment.

(e) Whoever knowingly and intentionally manufactures, sells, purchases, transfers, gives, trades, loans, delivers or possesses 5 or more items containing the identifying information of the same person or organization, or the identifying information of 5 or more separate persons or organizations with the intent to violate this section shall be guilty of the crime of trafficking in stolen identities and shall be punished by imprisonment in the state prison for not more than 5 years or by a fine of not more than $25,000 for a first offense and for any subsequent offense imprisonment in the state prison for not more than 10 years or by a fine of not more than $50,000 or by both such fine and imprisonment.

(f) The knowledge or intent of the person alleged to have violated this section may be proved by direct or circumstantial evidence and the testimony of the individual or a representative on behalf of the organization whose identifying information or item containing identifying information was obtained or used to violate this section shall not be required to prove a violation of this section.

(g) This section may be prosecuted in any county in which an element of the offense was committed or in the county of residence of the person or organization whose identifying information was allegedly used in the commission of the crimes of identity fraud or of trafficking in stolen identities.

(h) A person found guilty of violating this section shall, in addition to any other punishment, be ordered to make restitution for financial loss sustained by a victim as a result of such violation.  Financial loss may include any costs incurred by such victim in correcting the credit history of such victim or any costs incurred in connection with any civil or administrative proceeding to satisfy any debt or other obligation of such victim, including lost wages and attorney's fees.

(i) A victim who reasonably believes that his personal identifying information has been unlawfully used in violation of this section may initiate a law enforcement investigation by contacting the local law enforcement agency that has jurisdiction over his or her actual residence or by contacting a local law enforcement agency that has jurisdiction over any location where his or her personal identifying information has been unlawfully used.  Such law enforcement agency shall provide the victim with a written report of the incident and may begin an investigation of the facts or, if the suspected crime was committed in a different jurisdiction, refer the matter to the law enforcement agency where the suspected crime was committed for an investigation of the facts.  Nothing in this section shall interfere with the discretion of a local police department to allocate resources for investigations of crimes and a complaint for violating this section shall not be counted as an open case for the purpose compiling open case statistics.

(j) A law enforcement officer may arrest without warrant any person he has probable cause to believe has committed the offense of identity fraud or trafficking in stolen identities.

SECTION 3.  Section 50 of chapter 93 of the General Laws, as so appearing, is hereby amended by inserting after the definition “Prescreening” the following 2 definitions:-

“Reviewing the account" or "account review," includes activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements

 “Security freeze”, a notice, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing all or any part of the consumer’s credit report or any information derived from it without the express authorization of the consumer. 

SECTION 4. Said chapter 93 is hereby amended by inserting after section 51A the following 4 sections:-

Section 51B.

1)      A consumer may elect to place a “security freeze” on his or her credit report by:

a)      making a request by mail;

b)      making a request by telephone by providing certain personal identification; or

c)      making a request directly to the consumer reporting agency through a secure electronic mail connection if such connection is made available by the agency.  Credit reporting agencies shall make a secure electronic mail method of requesting a security freeze available within 180 days of this Act’s effective date.   

2)      A consumer reporting agency shall place a security freeze on a consumer’s credit report no later than 5 business days after receiving a written or telephone request from the consumer or 3 business days after receiving a secure electronic mail request.  Within 1 year of this act’s effective date, a consumer reporting agency shall place a security freeze on a consumer’s credit report no later than 3 business days after receiving a written or telephone request from the consumer or 1 business day after receiving a secure electronic mail request.  Within 2 years of this act’s effective date, a consumer reporting agency shall place a security freeze on a consumer’s credit reporting agency no later than 1 business day after receiving a written or telephone request.

3)      The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within 5 business days of placing the freeze and at the same time shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his credit for a specific party or period of time, or when permanently lifting the freeze. 

4)      If the consumer wishes to allow his credit report to be accessed for a specific party or period of time while a freeze is in place, he shall contact the consumer reporting agency via telephone, mail or secure electronic mail, with a request that the freeze be temporarily lifted, and provide the following:

a)      proper identification;

b)      the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (3) of subsection B; and

c)      the proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

5)      A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report pursuant to paragraph (4) of subsection (B) shall comply with the request no later than 3 business days after receiving the request.  Within 1 year of this act’s effective date, a consumer reporting agency shall honor such a request no later than 1 business day after receiving the request.  Within 2 years of this act’s effective date, a consumer reporting agency shall honor such a request made by electronic mail or by telephone within 15 minutes of receiving the request.       

6)      A consumer reporting agency shall develop procedures involving the use of telephone, fax or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act [E-Sign] for legally required notices, by the Internet, e-mail or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report pursuant to paragraph (4) of subsection (B) in an expedited manner.

7)      A consumer reporting agency shall remove or temporarily lift a freeze placed on a consumer’s credit report only in the following cases:

a)      upon consumer request, pursuant to paragraph (4) or paragraph (10) of subsection (B); or

b)      if the consumer’s credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer reporting agency intends to remove a freeze upon a consumer’s credit report pursuant to this paragraph, the consumer reporting agency shall notify the consumer in writing 5 business days prior to removing the freeze on the consumer’s credit report. 

8)      If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

9)      If a third party requests access to a consumer credit report on which a security freeze is in effect for the purpose of receiving, extending or otherwise utilizing the credit therein, and not for the sole purpose of account review, the consumer credit report agency shall notify the consumer that an attempt has been made to access such credit report.

10)   A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within 3 business days of receiving a request for removal from the consumer, who provides both of the following:

a)      proper identification; and

b)      the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (3) of subsection (B).

Not later than 1 year after the effective date of this act, a consumer reporting agency shall remove a security freeze within 1 business day after receiving such a request.

11)   A consumer reporting agency shall require proper identification of the person making a request to place or remove a security freeze. 

12)   A consumer reporting agency shall not suggest or otherwise state or imply to a third party that the consumer’s security freeze reflects a negative credit score, history, report or rating.

13)   This section shall not apply to the use of a consumer credit report by any of the following:

a)      a person, or the person's subsidiary, affiliate, agent or assignee with which the consumer has or, prior to assignment, had an account, contract, or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract or debt;

b)      a subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under paragraph (4) of subsection (B) for purposes of facilitating the extension of credit or other permissible use;

c)      any person acting pursuant to a court order, warrant or subpoena.

d)      a state or local agency which administers a program for establishing and enforcing child support obligations;

e)      the department of public health or its agents or assigns acting to investigate fraud; 

f)       the department of revenue or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;

g)      a person for the purposes of prescreening as defined by the federal Fair Credit Reporting Act;

h)      any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed; or

i)        any person or entity for the purpose of providing a consumer with a copy of his credit report upon the consumer’s request.

14) A consumer reporting agency shall not charge a consumer any fee to place a security freeze or for temporary or permanent removal of the security freeze on a consumer report.  A consumer reporting agency may charge up to $5 for a replacement of the personal identification number or password provided by the consumer reporting agency when the security freeze was requested.  There shall be no such fees if a consumer:—   

a)        provides the consumer reporting agency with a copy of a police incident report or criminal complaint alleging identity theft;

b)        is 62 years or older;

c)        is a person with a disability, as defined in section 1 of chapter 123B, or who is otherwise mentally or physically disabled and as a result of such mental or physical disability is wholly or partially dependent on another person or persons to meet his daily living needs; or

d)        is a veteran of the United States Armed Services or a person who receives veteran’s benefits.

15)  If a security freeze is in place, such a report or information may not be released to a third party without prior express authorization from the consumer. A security freeze shall not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer’s credit report.

           Section 51C. At any time that a consumer is required to receive a summary of rights required under Section 609 of the federal Fair Credit Reporting Act the following notice shall be included:

          Massachusetts Consumers Have the Right to Obtain a Security Freeze

You may obtain a security freeze on your credit report at no charge to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a “security freeze” on your credit report pursuant to section 51B of chapter 93 of the Generals Laws.

The security freeze shall prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval. 

The security freeze is designed to prevent credit, loans and services from being approved in your name without your consent.  When you place a security freeze on your credit report, within 5 business days you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report for a specific party, parties or period of time after the freeze is in place.  To provide that authorization, you must contact the consumer reporting agency and provide all of the following:

(1)  the unique personal identification number or password provided by the consumer reporting agency;

(2)  proper identification to verify your identity; or

(3)  the proper information regarding the third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report.

A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than 3 business days after receiving the request.

A security freeze does not apply if you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control or similar activities.

If you are actively seeking a new credit, loan, utility, telephone or insurance account, you should understand that the procedures involved in lifting a security freeze may result in slowing your application for credit. You should plan ahead and lift a freeze – either completely if you are researching creditors, or specifically for a certain creditor – with enough advance notice before you apply for new credit for the lifting to take effect.

You have a right to bring a civil action against anyone who violates your rights under the credit reporting laws.  The action can be brought against a consumer reporting agency or a user of your credit report. 

If a consumer reporting agency erroneously, whether by accident or design, violates the security freeze by releasing credit information that has been placed under a security freeze, the affected consumer is entitled to:

1)      notification within 5 business days of the release of the information, including specificity as to the information released and the third party recipient of the information;

2)      file a complaint with the Federal Trade Commission and the attorney general and the office of consumer affairs and business regulation; and

3)      in a civil action against the consumer reporting agency, recover:

a)      injunctive relief to prevent or restrain further violation of the security freeze;

b)      a civil penalty in an amount not to exceed $1,000 for each violation plus any damages available under other civil laws; and

c)      reasonable expenses, court costs, investigative costs and attorney’s fees.

4)      Each violation of the security freeze shall be counted as a separate incident for purposes of imposing penalties under this section.

Section 51C.  (A)  For the purposes of this section, the following terms shall have the following meanings:

 “Data Collector”,  may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators and any other entity which, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with personal information.

            ‘‘Personal information’’, means an individual’s last name, address or phone number in combination with any 1 or more of the following data elements, when either the name or the data elements are not encrypted or redacted or encrypted with an encryption key that was also acquired:

a) Social Security number;

b) driver’s license number or state identification card number;

c) account number, credit or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords;

d) account passwords or personal identification numbers or other access codes;

e) biometric data; or

f) any of items in clauses (a) to (e), inclusive, when not in connection with the individual’s last name, address or phone number if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

"Personal information’’ shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records and in the possession of a data receiver.

 “Security Breach”, the unauthorized acquisition of computerized or non-computerized data that compromises the security, confidentiality or integrity of personal information maintained by the data collector. Good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector is not a breach of the security of the data, provided that the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure.  Breach of the security of non-computerized data may include, but is not limited to, unauthorized photocopying, facsimiles or other paper-based transmittal of documents.

(B)

1)      Any data collector that owns or uses personal information in any form, whether computerized, paper or otherwise that includes personal information concerning a resident of the commonwealth, shall notify such resident that there has been a breach of the security of the data following discovery or notification of the breach.  The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (2) of subsection B, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system.

2)      The notification required by this section may be delayed if a law enforcement agency determines in writing that the notification may impede a criminal investigation.

3)      For purposes of this section, ‘‘notice’’ to consumers may be provided by 1 of the following methods:

a)      written notice;

b)      electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, for notices legally required to be in writing, set forth in Section 7001 of Title 15 of the United States Code;

c)      substitute notice, if the agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

1. conspicuous posting of the notice on the Internet site of the agency or person, if the agency or person maintains a public Internet site; and

2.  notification to major statewide media, which notice shall include a toll-free phone number with which an individual may learn whether or not that individual’s personal data is included in the security breach.

4)  Such notice shall include--

a) to the extent possible, a description of the categories of information that was, or is reasonably believed to have been, acquired by an unauthorized person including social security numbers, driver's license or state identification numbers and financial data;

b) a toll-free number:

1. that the individual may use to contact the agency or person, or the agent of the agency or person; and

2. from which the individual may learn:

(a) what types of information the agency or person maintained about that individual or about individuals in general;

(b) whether or not the agency or person maintained information about that individual; and

c) the toll-free contact telephone numbers and addresses for the major credit reporting agencies.

5)  The notification required by this section may be delayed if a law enforcement agency determines, in writing, that the notification may impede a criminal investigation.

6)  A person required to provide notification under subsection A shall provide or arrange for the provision of such notice, to each individual to whom notification is required by statute and on request and at no cost to such individual, consumer credit reports from at least 1 of the major credit reporting agencies beginning not later than 2 months following a breach of security and continuing on a quarterly basis for a period of 2 years thereafter. 

(D) A violation of this section shall constitute an unfair and deceptive trade practice under chapter 93A. 

Section 51D.  (A) No person or data collector operating in the commonwealth shall:

(1)            intentionally communicate or otherwise make available to the general public an individual’s Social Security number;

(2) print an individual’s Social Security number on any card required for the individual to access products or services provided by the person or data collector;

(3) require an individual to transmit his or her Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted;

(4) require an individual to use his Social Security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site;

(5) print an individual’s Social Security number on any materials that are mailed to the individual, unless required by law; or

(6) sell, lease, loan, trade, rent or otherwise disclose an individual’s Social Security number to a third party for any purpose without written consent to the disclosure from such individual.

A violation of this section shall constitute an unfair and deceptive trade practice pursuant to chapter 93A.