By Mr. Barrios, a petition (accompanied by bill, Senate, No. 184) of Jarrett T. Barrios, Michael A. Costello, Michael R. Knapik, Steven A. Tolman and other members of the General Court for legislation to prevent identity theft and establish a victim's bill of rights. Consumer Protection and Professional Licensure
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
SECTION 1. Section 50 of said chapter 93 of the General Laws, as appearing in the 2002 Official Edition, is hereby amended by inserting the following definitions:-
“Breach”, any unauthorized acquisition of computerized data that compromises the security, and confidentiality, or integrity of personal information maintained by a data collector including, but not limited to, unauthorized photocopying, facsimiles, or other paper-based transmittal of documents.
"Credit Header", all identifying consumer information, not included in the definition of "consumer report", including, but not limited to, complete first and last name, date of birth, current phone number, social security number and current employer.
“Data Collector”, any entity which, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information, including, but not limited to government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators and businesses.
“Dispose”, the discarding, abandonment, sale, donation, discarding or transfer of any records or instruments containing personal information including, but not limited to, files, letters, documents, computer equipment, and computer media.
“Personal Information”, any information that identifies, relates to, describes, or is capable of being associated with a particular individual including, but not limited to, a name, signature, social security number, fingerprint, photograph or computerized image, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, date of birth, medical information, bank account number, credit card number, debit card number, or any other financial information.
“Records”, any material on which written, drawn, spoken, visual or electromagnetic information is recorded or preserved, regardless of physical form or characteristics, and which is not part of a publicly available directory containing information that an individual has voluntarily consented to have publicly disseminated or listed.
SECTION 2. Section 51 of said chapter 93, as so appearing, is hereby amended by inserting after the word “report”, in line 2, the following words:- "or a credit header".
SECTION 3. Said chapter 93 is hereby amended by inserting after section 51A the following section:-
Section 51B. (a) A consumer may place a security freeze on his or her credit report by submitting a security freeze request to a consumer reporting agency. A security freeze shall prohibit a consumer reporting agency from releasing any part of the consumer’s credit report or any information derived from said report without the express authorization of the consumer. A security freeze request may be made by a consumer via certified mail, telephone, or a secure electronic mail connection if such connection is made available by the agency. Nothing in this section shall prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to a consumer’s credit report.
(b) Upon receiving a security freeze request from a consumer, a consumer reporting agency shall place a security freeze on a consumer’s credit report no later than five business days after receiving a written or telephone request from the consumer or three business days after receiving a secure electronic mail request. The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within five business days of placing the freeze and shall further provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit to a specific party or for a period of time.
(c) A consumer may allow a credit report to be accessed by a specific party or for a period of time while a freeze is in place by contacting the consumer reporting agency via telephone, certified mail, or secure electronic mail, requesting that the freeze be temporarily lifted, and providing the following:
(1) proper identification,
(2) the unique personal identification number or password provided by the consumer reporting agency pursuant to this section, and
(3) the name of the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.
Any consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report shall comply with the request no later than three business days after receiving the request. A consumer reporting agency may develop procedures involving the use of telephone, fax, or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act [E-Sign] for legally required notices, by the Internet, e-mail, or other electronic media, to receive and process a request from a consumer to temporarily lift a freeze on a credit report in an expedited manner.
(d) A consumer reporting agency shall remove or temporarily lift a freeze placed on a consumer’s credit report only (1) upon consumer request, pursuant to this section or (2) if the consumer’s credit report was frozen due to a material misrepresentation of fact by the consumer, provided that if a consumer reporting agency intends to remove a freeze upon a consumer’s credit report pursuant to this paragraph, the consumer reporting agency shall notify the consumer in writing five business days prior to removing the freeze on the consumer’s credit report.
(e) If a third party requests access to a consumer credit report on which a security freeze is in effect for the purpose of receiving, extending, or otherwise utilizing the credit therein, and not for the sole purpose of account review such as activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements, the consumer credit report agency must notify the consumer that an attempt has been made to access the credit report. A consumer reporting agency shall not suggest, state, or imply to a third party that the consumer’s security freeze reflects a negative credit score, history, report or rating.
(f) The provisions of this section shall not apply to the use of a consumer credit report by any of the following:
(1) A person, or the person's subsidiary, affiliate, agent, or assignee with which the consumer has or, prior to assignment, had an account, contract, or debtor-creditor relationship for the purposes of reviewing the account, including activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements, or collecting the financial obligation owing for the account, contract, or debt;
(2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under paragraph (4) of subsection (B) for purposes of facilitating the extension of credit or other permissible use;
(3) Any person acting pursuant to a court order, warrant, or subpoena.
(4) A state or local agency which administers a program for establishing and enforcing child support obligations;
(5) The department of public health or its agents or assigns acting to investigate fraud;
(6) The department of revenue or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;
(7) A person for the purposes of prescreening as defined by the federal Fair Credit Reporting Act;
(8) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed; or
(9) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer’s request.
(g) A consumer shall not be charged for any security freeze services, including but not limited to the placement or lifting of a security freeze, provided, however, that a consumer may be charged not more than $5 for a new personal identification number if the consumer fails to retain the original personal identification number given to them by the agency.
(h) At any time that a consumer is required to receive a summary of rights required under Section 609 of the federal Fair Credit Reporting Act or under any law of the commonwealth, the following notice, in at least 10 point font, shall be included:
“Massachusetts Consumers Have the Right to Obtain a Security Freeze
You may obtain a security freeze on your credit report at no charge to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a “security freeze” on your credit report pursuant to Massachusetts law. The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.
The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report for a specific party, parties or period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide all of the following:
(1) The unique personal identification number or password provided by the consumer reporting agency.
(2) Proper identification to verify your identity.
(3) The proper information regarding the third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report.
A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request. A security freeze does not apply to circumstances where you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review such as activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements, collection, fraud control or similar activities. If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze – either completely if you are shopping around, or specifically for a certain creditor – a few days before actually applying for new credit.
You have a right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer reporting agency or a user of your credit report.”
(i) Violations of any provision of this section shall constitute an unfair and deceptive trade practice pursuant to the provisions of chapter ninety-three A.
SECTION 4. Said chapter 93 is hereby amended by inserting after section 55 the following section:-
Section 55A. (a) Any data collector who owns or uses the personal information of any resident of the commonwealth shall notify the resident that there has been a breach of the security of the personal information following discovery or notification of said breach, without regard for whether or not the data has or has not been accessed by an unauthorized third party for legal or illegal purposes. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity security and confidentiality of the data system. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise impede a criminal investigation. For purposes of this section, “notice” to consumers may be written, electronic, or by substitute notice if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds 500,000 or the agency does not have sufficient contact information. Substitute notice shall consist of an e-mail notice when the agency has an e-mail address for the subject persons, conspicuous posting of the notice on the agency’s web site page, if the agency maintains one and notification to major statewide media.
(b) No person or data collector operating in the commonwealth shall:
(1) intentionally communicate or otherwise make available to the general public an individual’s Social Security number;
(2) print an individual’s Social Security number on any card required for the individual to access products or services provided by the person or data collector;
(3) require an individual to transmit his or her Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted;
(4) require an individual to use his or her Social Security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site;
(5) print an individual’s Social Security number on any materials that are mailed to the individual, unless required by law;
(6) sell, lease, loan, trade, rent, or otherwise disclose an individual’s Social Security number to a third party for any purpose without written consent to the disclosure from the individual.
Nothing in this section shall apply to medical information or documents that are recorded or required to be open to the public pursuant to section 7 of chapter 4.
(c) A data collector shall take all reasonable measures to protect against unauthorized access to or use of the information in connection with, or after its disposal including, but not limited to:
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that the information cannot practicably be read or reconstructed; and
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed.
(d) Violations of any provision of this section shall constitute an unfair and deceptive trade practice pursuant to the provisions of chapter ninety-three A.
SECTION 5. Section 59 of said chapter 93, as so appearing, is hereby amended by inserting after the word “year”, in line 23, the following words:- “;provided further that a consumer under this paragraph shall be entitled to 11 complete consumer reports per calendar year for a reasonable fee not to exceed 3 dollars.”
SECTION 6. Section 59 of said chapter 93, as so appearing, is hereby amended by inserting after the word “year”, in line 29, the following words:- “;provided further that a consumer under this paragraph shall be entitled to 11 complete consumer reports per calendar year for a reasonable fee not to exceed 3 dollars.”
SECTION 7. Section 37E of chapter 266, of the General Laws, as appearing in the 2002 Official Edition, is hereby amended by striking out, in line 25, the words “$5000 or imprisonment in a house of correction for not more than two and one half years” and inserting in place thereof the following words:-
“$10,000 or imprisonment for not less than two and one half years or more than ten years”
SECTION 8. Section 37E of said chapter 266, as so appearing, is hereby amended by striking out, in line 36, the words “$5000 or imprisonment in a house of correction for not more than two and one half years” and inserting in place thereof the following words:-
“$10,000 or imprisonment for not less than two and one half years or more than ten years”
SECTION 9. Section 37E of said chapter 266, as so appearing, is hereby amended by inserting the following:-
(f) A victim who reasonably believes that his or her personal identifying information has been unlawfully used in violation of this section may initiate a law enforcement investigation by contacting the local law enforcement agency that has jurisdiction over his or her actual residence or by contacting a local law enforcement agency that has jurisdiction over any location where his or her personal identifying information has been unlawfully used. Said law enforcement agency shall provide the victim with a written report of the incident and may begin an investigation of the facts or, if the suspected crime was committed in a different jurisdiction, refer the matter to the law enforcement agency where the suspected crime was committed for an investigation of the facts. Nothing in this section shall interfere with the discretion of a local police department to allocate resources for investigations of crimes and a complaint filed under this section shall not be counted as an open case for the purpose of compiling open case statistics.