SENATE, No. 208

By Mr. Morrissey, a petition (accompanied by bill, Senate, No. 208) of Michael W. Morrissey for legislation relative to security freezes and notification of data breaches. Consumer Protection and Professional Licensure.
Version with line numberspdf logo

The Commonwealth of Massachusetts

Seal of the Commonwealth of Massachusetts

In the Year Two Thousand and Seven.


AN ACT relative to security freezes and notification of data breaches.

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1. The General Laws, as appearing in the 2004 Official Edition, is hereby amended by inserting after Chapter 93G the following 2 new Chapters:-

Chapter 93H: Breaches of Computer Information:

Section 1. The following words as used in this chapter shall, unless the context clearly requires otherwise, have the following meanings:

"Breach of the security of the system" means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

"Commercial entity" includes corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not-for-profit.

"Notice" means written notice, telephonic notice or electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 of Title 15 of the United States Code; or substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $75,000, or that the affected class of Massachusetts residents to be notified exceeds 100,000 residents, or that the individual or the commercial entity does not have sufficient contact information to provide notice.

“Substitute notice” means electronic mail notice if the individual or the commercial entity has e-mail addresses for the members of the affected class of Massachusetts residents; and conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or the commercial entity maintains one; and notice to major statewide media.

"Personal information" means a Massachusetts resident's first name or first initial and last name in combination with any 1 or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:

a. Social Security number;

b. Driver's license number or Massachusetts Identification Card number;

c. or Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.

The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records; or otherwise as determined by the Division of Public Records.

Section 2.         An individual or a commercial entity that conducts business in Massachusetts and that owns or licenses computerized data that includes personal information about a resident of Massachusetts shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and immediate investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about a Massachusetts resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Massachusetts resident.  Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Massachusetts resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach; provided further, that such disclosure shall not require the disclosure of confidential business information or trade secrets.

Notice required by this chapter may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this chapter must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

Section 3.         Under this chapter, an individual or a commercial entity that maintains and utilizes its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are consistent with this chapter and files said procedure with the Division of Corporations and the Attorney General is deemed to be in compliance with the notice requirements of this chapter if the individual or the commercial entity notifies affected Massachusetts residents in accordance with its policies in the event of a breach of security of the system.

Under this chapter, an individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the individual or the commercial entity notifies affected Massachusetts residents in accordance with the maintained procedures when a breach occurs.

Section 4.         The Attorney General may bring an action in law or equity to address violations of this chapter and for other relief that may be appropriate to ensure proper compliance with this chapter or to recover direct economic damages resulting from a violation, or both. The provisions of this chapter are not exclusive and do not relieve an individual or a commercial entity subject to this chapter from compliance with all other applicable provisions of law.

Section 5.         The Attorney General shall establish rules and regulations for the implementation of this chapter and review said rules and regulations on an annual basis.  The Attorney General shall issue an annual report on the implementation of this chapter by January 31 of each year.

Chapter 93I Security Freezes:-

Section 1.         The following words as used in this chapter shall, unless the context clearly requires otherwise, have the following meanings:

"Security freeze" means a notice placed in a consumer's credit report, at the request of the consumer and subject to certain exceptions that prohibits the consumer credit reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer.

Section 2.         A consumer may request that a security freeze be placed on his or her consumer credit report by sending a request in writing by certified mail or by overnight mail to a consumer credit reporting agency at an address designated by the consumer credit reporting agency to receive such requests. If a security freeze is in place, information from a consumer's credit report may not be released to a third party without prior express authorization from the consumer. This subdivision does not prevent a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.

A consumer credit reporting agency shall place a security freeze on a consumer's credit report no later than 3 business days after receiving a written request from the consumer.

The consumer credit reporting agency shall send a written confirmation of the security freeze to the consumer within 5 business days after the security freeze goes into effect and shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit for a specific party or period of time.

If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer credit reporting agency, request that the freeze be temporarily lifted, and provide proper identification, the unique personal identification number or password provided by the credit reporting agency, and proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

A consumer credit reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report pursuant to this chapter, shall comply with the request no later than three business days after receiving the request.

A consumer credit reporting agency may develop procedures involving the use of telephone, fax, the Internet, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report pursuant in an expedited manner.

A consumer credit reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only if the consumer requests it or if the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer.

If a consumer credit reporting agency intends to permanently remove a freeze upon a consumer's credit report due to a material misrepresentation of fact by the consumer, then consumer credit reporting agency shall notify the consumer in writing prior to removing the freeze on the consumer's credit report.

If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

If a consumer requests a security freeze, the consumer credit reporting agency shall disclose the process of placing and temporarily lifting a freeze, and the process for allowing access to information from the consumer's credit report for a specific party or period of time while the freeze is in place.

A security freeze shall remain in place until the consumer requests that the security freeze be removed.  A consumer credit reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both proper identification and unique personal identification number or password provided by the credit reporting agency pursuant to this chapter.

A consumer credit reporting agency shall require proper identification of the person making a request to place or remove a security freeze.

The provisions of this chapter do not apply to the use of a consumer credit report by any of the following:

(a)    a person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument. For purposes of this paragraph, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements; a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under for purposes of facilitating the extension of credit or other permissible use;

(b)   any state or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, or subpoena;

(c)    a Massachusetts child support agency or Title IV-D of the Social Security Act (42 U.S.C. et seq.);

(d)   the Massachusetts Department of Medical Assistance or its agents or assigns acting to investigate Medicaid or Medicare fraud;

(e)    the Department of Revenue or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;

(f)     the use of credit information for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act;

(g)    any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed; or

(h)    any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request.

Section 3.         This chapter does not prevent a consumer credit reporting agency from charging a reasonable fee not to exceed 10 dollars to a consumer who elects to freeze, remove the freeze, or temporarily lift the freeze regarding access to a consumer credit report, except that a consumer credit reporting agency may not charge a fee to a victim of identity theft who has submitted a valid police report.

Section 4.         A check services or fraud prevention services company, which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments or a demand deposit account information service company, which issues

reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a demand deposit account at the inquiring bank or financial institution or a consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer credit reporting agencies, and does not maintain a permanent data base of credit information from which new consumer credit reports are produced are not required to place in a credit report either a security freeze.

Section 5.         There shall be established within the Attorney General’s Office a 5 person commission to review the fees imposed by credit reporting agencies on security freezes and unfreezes, the procedure of implementing security freezes and unfreezes, and effectiveness and impact on consumers and businesses regarding of security freezes and unfreezes.  The commission shall be composed of the Attorney General or designee, the Director of the Executive Office of Consumer Affairs or designee, a member of a credit reporting agency, a member of a Massachusetts consumer group, and a member of business which regularly utilizes the services of a credit reporting agency.  The commission shall file a report with the Joint Committee on Consumer Protection and Professional Licensure and the House Clerk and the Senate Clerk by December 31 of each year.

Section 6.         The Attorney General shall establish rules and regulations for the implementation of this chapter and review said rules and regulations on an annual basis.  The Attorney General shall issue an annual report on the implementation of this chapter by January 31 of each year.