SENATE, No. 2235

[Senate, May 10, 2007 - Substituted by amendment by the Senate (Morrissey) as a new text for House, No. 4018, relative to the protection of personal information.]


The Commonwealth of Massachusetts


In the Year Two Thousand and Seven.


SECTION 1. Section 50 of chapter 93 of the General Laws, as appearing in the 2004 Official Edition, is hereby amended by inserting after the definition of “Firm offer of credit” the following 3 definitions:-

“Identity theft report”, a report that alleges a violation of section 37E of chapter 266, 18 United States Code, section 1028, or a similar statute in any other jurisdiction, or a copy of an official report filed by a consumer with an appropriate federal, state or local law enforcement agency, and the filing of which subjects the person filing the report to criminal penalties pursuant to section 67B of chapter 266 or section 13A of chapter 269.

"Lift", to suspend a security freeze for the purpose of releasing a consumer’s credit information to a specific party or for a specified period of time, as authorized by such consumer.

SECTION 1A. Said section 50 of said chapter 93 of the General Laws, as so appearing, is hereby further amended by inserting after the definition of “Prescreening” the following 2 definitions:-

“Password” or “Personal identification number”, a unique and random number or a unique and random combination of numbers, letters or symbols, but shall not contain a consumer’s social security number or any sequence of 3 or more numbers of a consumer’s social security number, or other personal identifying information.

“Proper identification”, information generally sufficient to identify a person. Such information shall not include information concerning the consumer’s employment and personal or family history unless the consumer is unable to reasonably identify himself or herself with the information described in the preceding sentence.

"Security freeze", a notice placed on a consumer's credit report at a consumer reporting agency, at the request of the consumer and subject to certain exceptions, which prohibits the consumer reporting agency from releasing the consumer's report or any information derived therefrom without the express authorization of the consumer.

SECTION 3. Section 55 of said chapter 93, as so appearing, is hereby amended by striking out, in line 1, the word “fifty-one” and inserting in place thereof the following words:- 51 and 62A.

SECTION 2. Subsection (b) of section 56 of chapter 93 of the General Laws, as so appearing, is hereby amended by striking out, in line 75, the word “act.” and inserting in place thereof the following words:- act.

You have a right to request a “security freeze” on your credit report. The security freeze will prohibit a consumer reporting agency from releasing any information in your consumer report, also known as your credit report, without your express authorization. A security freeze must be requested by sending a written request via certified mail, overnight mail, or regular stamped mail to a consumer reporting agency. The security freeze is designed to prevent credit, loans or services from being approved in your name without your consent. You should be aware that using a security freeze may delay, interfere with, or prevent the timely approval of any subsequent request or application you make regarding new loans, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular phone, utilities, digital signature, internet credit card transactions, or other services, including an extension of credit at point of sale.

When you place a security freeze on your credit report, within 5 business days of your request for a security freeze, the consumer reporting agency shall provide you with a personal identification number or password for use if you choose to remove the freeze on your credit report or authorize the release of your credit report for a specific party, parties or period of time after the freeze is in place.  To provide that authorization, you must contact the consumer reporting agency and provide all of the following:

(1) the personal identification number or password provided by the credit reporting agency;
(2) proper identification to verify your identity; and
(3) the proper information regarding the third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report.

“A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report shall comply with the request no later than 3 business days after receiving the request.

“A security freeze shall not apply to a person or entity, or to its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account that requests information in your credit report for the purposes of reviewing or collecting the account, if you have previously given your consent to use of your credit reports.  “Reviewing the account” includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.”

SECTION 4.  Chapter 93 of the General Laws, as so appearing, is hereby amended by inserting after section 62 the following section:-

Section 62A. If a consumer requests a security freeze, the consumer reporting agency shall disclose to the consumer the process of placing, removing and lifting a security freeze. A consumer reporting agency shall require proper identification of the person making a request to place, lift or remove a security freeze.

A consumer may request that a security freeze be placed on his or her consumer report by sending a request in writing via certified mail, overnight mail, or regular stamped mail to a consumer reporting agency at an address designated by the consumer reporting agency to receive such requests. If a security freeze is in place, the information from a consumer's report may not be released to a third party without prior express authorization from the consumer. This section shall not prohibit a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's report.

A consumer reporting agency shall place a security freeze on a consumer's report not later than 3 business days after receiving a written request from the consumer. The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within 5 business days after receiving the written request and shall provide the consumer with a unique personal identification number or a unique password or both to be used by the consumer for the purpose of providing authorization for the removal or lifting of the security freeze.

If the consumer wishes to lift a security freeze that is in place, he or she shall contact the consumer reporting agency, request that the freeze be lifted, and provide proper identification, the personal identification number or password, or both, provided by the consumer reporting agency, and proper information regarding the third party who is to receive the consumer report or the time period for which the report shall be available to users of the consumer report.

A consumer reporting agency that receives a request from a consumer to lift a security freeze on a consumer report pursuant to this chapter shall comply with the request no later than 3 business days after receiving the request.

A consumer reporting agency may develop procedures involving the use of telephone, fax, the Internet, or other electronic media to receive and process a request from a consumer to lift a security freeze or remove a security freeze on a consumer report in an expedited manner. 

A security freeze shall remain in place until the consumer requests that the security freeze be lifted or removed in the manner provided in this section; provided, however, that a consumer reporting agency may remove a security freeze if the consumer's report was frozen due to a material misrepresentation. If a consumer reporting agency intends to remove a freeze upon a consumer's report due to a material misrepresentation of fact by the consumer, the consumer reporting agency shall notify the consumer in writing 5 business days prior to removing the freeze on the consumer's report.

While a security freeze is in place, a consumer reporting agency shall not change any of the following official information in a consumer report without sending a written confirmation of the change to the consumer within 30 days of the change being posted to the consumer’s file: name, date of birth, social security number, and address.  Written confirmation shall not be required for technical modifications of a consumer’s official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters.  In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.

If a third party requests access to a consumer report on which a security freeze is in effect, and this request is submitted in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

A consumer reporting agency shall remove a security freeze within 3 business days of receiving a request for removal from a consumer who provides both proper identification and the personal identification number or password provided by the consumer reporting agency pursuant to this chapter.

The provisions of this chapter shall not apply to the use of a consumer report by any of the following:

1) a person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to such person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract or negotiable instrument. For purposes of this paragraph, "reviewing the account" shall include activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements; or a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under for purposes of facilitating the extension of credit or other permissible use;
2) any federal, state or local agency, law enforcement agency, trial court, or acting pursuant to a court order, warrant, or subpoena;
3) the Massachusetts child support agency under Title IV-D of the Social Security Act (42 U.S.C. et seq.);
4) the executive office of health and human services or its agents or assigns acting to investigate Medicaid fraud;
5) the department of revenue or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;
6) a person or entity using credit information for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act;
7) any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed;
8) any person or entity acting solely for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request; or
9) to the extent otherwise allowed by statute, any property and casualty insurer licensed by the commonwealth for use in rating or underwriting insurance policies.

This section shall not prohibit a consumer reporting agency from charging a reasonable fee, not to exceed $10, to a consumer who requests to place a security freeze, except that a consumer reporting agency shall not charge a fee to a victim of identity theft that provides a report of identity theft to a consumer reporting agency, if such report is accompanied by a police report filed in response to the identity theft in the appropriate municipality.

This section shall not prohibit a consumer reporting agency from charging a reasonable fee, not to exceed $10, to a consumer who elects to lift the security freeze.  No fee shall be charged for a permanent removal of a security freeze.

The following entities or persons shall not be required to place a security freeze on a consumer report: 

1) a check services or fraud prevention services company, which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers or similar methods of payments;
2) a deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a demand deposit account at the inquiring bank; or
3) a consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer credit reporting agencies, and does not maintain a permanent database of credit information from which new consumer credit reports are produced; provided, however, that such financial institution or consumer reporting agency shall be subject to any security freeze placed on a consumer report by another consumer reporting agency from which it obtains information.

Notwithstanding any general or special law to the contrary, the director of the office of consumer affairs and business regulation, in consultation with the secretary of housing and economic development, shall promulgate rules and regulations pursuant to this chapter including, but not limited to, the fees to be charged, and the method for requesting security freezes and the lifting or removing thereof.

SECTION 5.   Section 63 of said chapter 93, as so appearing, is hereby amended by striking out the words “sixty-two” and inserting in place thereof the following word:- sixty-two-A

SECTION 6.   Section 64 of said chapter 93, as so appearing, is hereby amended by striking out, in line 4, the words “fifty to sixty-two”, and inserting in place thereof the following words:- 50 to 62A.

SECTION 7. The General Laws, as so appearing, are hereby amended by inserting after Chapter 93G the following new chapter:-

CHAPTER 93H
Electronic Security Breaches

Section 1. The following words as used in this chapter shall, unless the context clearly requires otherwise, have the following meanings:

“Agency”, any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches, or of any political subdivision thereof.

"Breach of the security of the system", the unauthorized acquisition of unencrypted electronic data that may compromise the security, confidentiality, or integrity of personal information maintained by a commercial entity or agency that creates a material risk of identity theft or fraud against a resident of this state.

"Commercial entity", an individual, corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, company, limited liability company, association, organization, joint venture or any other legal entity, whether for profit or not-for-profit, conducting business or operating in Massachusetts, but does not mean an agency as defined in this chapter.

“Electronic”, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

"Encrypted" means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.

"Notice" shall include:

(i) written notice;
(ii) electronic notice, if the agency’s or commercial entity’s primary means of communication with the Massachusetts resident is by electronic means or if notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 (c) of Title 15 of the United States Code; and section 110G of the General Laws; or
(iii) substitute notice, if the commercial entity or agency required to provide notice demonstrates that the cost of providing written notice will exceed $150,000, or that the affected class of Massachusetts residents to be notified exceeds 250,000 residents, or that the commercial entity or agency does not have sufficient contact information to provide notice.

"Personal information", a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:

a. Social Security number;
b. Driver's license number or state-issued identification card number;
c. financial account number, or credit or debit card number, if unauthorized use of such account does not require a security code, access code, or password to be accessed or used.

The term “personal information” shall not include information that is lawfully obtained from publicly available information, or from Federal, State or local government records lawfully made available to the general public.

“Substitute notice”, shall consist of all of the following:

(i) electronic mail notice if the commercial entity or agency has electronic mail addresses for the members of the affected class of Massachusetts residents; and
(ii) clear and conspicuous posting of the notice on the home page of the Web site of the commercial entity or agency if the commercial entity or agency maintains a web site; and
(iii) notice to major statewide media.

Section 2. The executive office of consumer affairs and business regulations shall adopt regulations for commercial entities that own or license, from another, personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the commercial entity is regulated. The objectives of the regulations shall be to insure the security and confidentiality of customer information in a manner fully consistent with nationwide standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. The regulations shall take into account the commercial entities' size, scope and type of businesses, the amount of resources available to such entities, the amount of stored data, and the need for security and confidentiality of both customer and employee information.

The division of public records shall establish rules and regulations for agencies that own or license, from another, personal information about a resident of the commonwealth and shall take into account the size, scope and type of services such agencies provide, the amount of resources available to such agencies, the amount of electronically stored data, and the need for security and confidentiality of both customer and employee information.

Section 3. A commercial entity that owns or licenses from another, data that includes personal information about a resident of the commonwealth shall give notice to such resident of any breach of the security of the system in which data relevant to such resident is held, as soon as practicable and without unreasonable delay when such entity knows or has reason to know of a breach in the security of such system or when the entity knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose. Concurrently, such entity shall institute all measures necessary to notify such resident of the breach and to notify such resident of such acquisition or use of his personal information, to determine the scope of the breach and to undertake to restore the integrity, security and confidentiality of the resident’s personal information.

A commercial entity or agency that maintains or stores but does not own or license from another, electronic data medium that includes personal information shall give notice to and cooperate with the owner or licensor of the information of any breach of the security of the system as soon as possible when such entity or agency knows or has reason to know that such personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose. Such cooperation shall include sharing with the owner or licensor information relevant to the breach, except that such cooperation shall not be deemed to require the disclosure of confidential business information or trade secrets. Such commercial entity or agency that maintains or stores, but does not own, electronic data shall not be responsible for providing notice to such resident if it does not materially know what the information is that is stored on the electronic data medium.

Notwithstanding any general or special law to the contrary, the director of the office of consumer affairs and business regulation, in consultation with the secretary of housing and economic development, shall promulgate rules and regulations pursuant to this chapter including, but not limited to, the method of notice and substitute notice.

Section 4. An agency that maintains electronic data that includes personal information of a resident of the commonwealth shall give notice to such resident of any breach of the security of its electronic data system when it knows or has reason to know of a breach in the security of the system or when it knows or has reason to know that the personal information of such resident was acquired by an unauthorized person or used in an unauthorized manner.

Section 5. Notice required under this chapter may be delayed if a law enforcement agency determines and informs the commercial entity or agency that provision of such notice may impede a criminal investigation. If notice is delayed pursuant to this section, such delay shall be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines and informs the commercial entity or agency that notification no longer poses a risk of impeding an investigation. The commercial entity or agency shall cooperate with law enforcement on investigating a breach, which includes the sharing of information about an owner or licensee information relevant to the breach; provided however, that such disclosure shall not require the disclosure of confidential business information or trade secrets.

Section 6. A commercial entity or agency that is required to give notice of a breach in the security of a system pursuant to this chapter shall also provide written notification of the nature and circumstances of the breach to the attorney general and the state regulatory agency that regulates the commercial entity, if any, as soon as possible following the discovery of a breach in the security of the system. In addition, if such agency is within the executive department, it shall provide written notification of the nature and circumstances of the breach to the information technology division and the division of public records as soon as possible following the discovery of a breach in the security of the system, and shall comply with all policies and procedures adopted by that division pertaining to the reporting and investigation of breaches of the system.

Section 7. This chapter does not relieve a commercial entity or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information; provided however, a commercial entity that is regulated by federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional federal regulator is deemed to be in compliance with this chapter if the commercial entity notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the commercial entity also notifies the attorney general of the breach as soon as practicable and without unreasonable delay following the discovery of its occurrence. Notification to the attorney general shall consist of, but not be limited to, the steps the commercial entity has taken or plans to take relating to the breach pursuant to the applicable federal regulation or statute; provided further that if said entity does not comply with federal laws, rules and regulations pursuant to its regulator then it shall be subject to the provisions of this chapter.

SECTION 8. The attorney general may bring an action pursuant to section 4 of chapter 93A against a commercial entity or otherwise to remedy violations of this chapter, and for other relief that may be appropriate.”; and

further moves to amend the bill by striking out the title and inserting in place thereof the following title:- “AN ACT RELATIVE TO SECURITY FREEZES AND NOTIFICATIONS OF DATA BREACHES.”