SECOND REGULAR SESSION
93RD GENERAL ASSEMBLY
INTRODUCED BY REPRESENTATIVES WILDBERGER (Sponsor), ROORDA, MOORE, YOUNG, WHORTON AND SCHAAF (Co-sponsors).
Pre-filed December 14, 2005 and copies ordered printed.
STEPHEN S. DAVIS, Chief Clerk
AN ACT
To amend chapter 407, RSMo, by adding thereto eight new sections relating to release of personal information to unauthorized persons, with penalty provisions for a certain section.
Be it enacted by the General Assembly of the state of Missouri, as follows:
Section A. Chapter 407, RSMo, is amended by adding thereto eight new sections, to be known as sections 407.1400, 407.1403, 407.1406, 407.1409, 407.1412, 407.1415, 407.1418, and 407.1421, to read as follows:
407.1400. 1. Except as otherwise allowed by state or federal law, or unless consent has been provided as it is established in this section, financial institutions, their officers, employees, agents, and directors shall not disclose to any person any financial information relating to a customer.
2. A governmental agency or law enforcement agency may obtain customer information from a financial institution pursuant to a judicial or administrative subpoena duces tecum served on the financial institution, if there is reason to believe that the customer information sought is relevant to a proper law enforcement objective or is otherwise authorized by law.
3. A governmental agency or law enforcement agency may obtain customer information from a financial institution pursuant to a search warrant if it obtains the search warrant under the rules of criminal procedure of this state.
4. No consent or waiver shall be required as a condition of doing business with any financial institution, and any consent or waiver obtained from a customer as a condition of doing business with a financial institution shall not be deemed a consent of the customer for the purpose of this section.
5. Valid consent shall be in writing and signed by the customer. In consenting to disclosure of customer information, a customer may specify any of the following:
(1) The time during which such consent will operate;
(2) The customer information to be disclosed; and
(3) The persons, government agencies, or law enforcement agencies to which disclosure can be made.
407.1403. 1. Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach. Notification shall be made to any resident of the state whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible, but no more than thirty days after such breach has been discovered.
2. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
3. For purposes of this section, "breach of security of the system" shall mean unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business or person. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business shall not be considered a breach of security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
4. For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social Security number;
(2) Driver's license number;
(3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
5. For purposes of this section, "notice" may be provided by one of the following methods:
(1) Written notice;
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code;
(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(a) E-mail notice when the agency has an e-mail address for the subject persons;
(b) Conspicuous posting of the notice on the agency's website, if the agency maintains one; and
(c) Notification to major statewide media.
6. Notwithstanding subsection 5 of this section, an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
7. Any person or business who violates the provisions of this section shall be guilty of a class A misdemeanor and, upon conviction, shall be punished by a fine of up to one thousand dollars for each and every act or violation, by imprisonment in the county jail for a term not to exceed one year, or by both at the discretion of the court.
407.1406. 1. A consumer may elect to place a security alert in his or her credit report by making a request in writing or by telephone to a consumer credit reporting agency. "Security alert" means a notice placed in a consumer's credit report, at the request of the consumer, that notifies a recipient of the credit report that the consumer's identity may have been used without the consumer's consent to fraudulently obtain goods or services in the consumer's name.
2. A consumer credit reporting agency shall notify each person requesting consumer credit information with respect to a consumer of the existence of a security alert in the credit report of that consumer, regardless of whether a full credit report, credit score, or summary report is requested.
3. Each consumer credit reporting agency shall maintain a toll-free telephone number to accept security alert requests from consumers twenty-four hours a day, seven days a week.
4. The toll-free telephone number shall be included in any written disclosure by a consumer credit reporting agency to any consumer under section 407.1421 and shall be printed in a clear and conspicuous manner.
5. A consumer credit reporting agency shall place a security alert on a consumer's credit report no later than five business days after receiving a request from the consumer.
6. The security alert shall remain in place for at least ninety days, and a consumer shall have the right to request a renewal of the security alert.
407.1409. 1. A consumer may elect to place a security freeze on his or her credit report by making a request in writing by certified mail to a consumer credit reporting agency. "Security freeze" means a notice placed in a consumer's credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer credit reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer. If a security freeze is in place, information from a consumer's credit report may not be released to a third party without prior express authorization from the consumer. This subsection does not prevent a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.
2. A consumer credit reporting agency shall place a security freeze on a consumer's credit report no later than five business days after receiving a written request from the consumer.
3. The consumer credit reporting agency shall send a written confirmation of the security freeze to the consumer within ten business days and shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit for a specific party or period of time.
4. If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer credit reporting agency, request that the freeze be temporarily lifted, and provide the following:
(1) Proper identification, as defined in subsection 3 of section 407.1421.
(2) The unique personal identification number or password provided by the credit reporting agency under subsection 3 of this section.
(3) The proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.
5. A consumer credit reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report under subsection 4 of this section, shall comply with the request no later than three business days after receiving the request.
6. A consumer credit reporting agency may develop procedures involving the use of telephone, fax, the Internet, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report under subsection 4 of this section in an expedited manner.
7. A consumer credit reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only in the following cases:
(1) Upon consumer request, under subsection 4 or 10 of this section;
(2) If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer credit reporting agency intends to remove a freeze upon a consumer's credit report under this subdivision, the consumer credit reporting agency shall notify the consumer in writing prior to removing the freeze on the consumer's credit report.
8. If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.
9. If a consumer requests a security freeze, the consumer credit reporting agency shall disclose the process of placing and temporarily lifting a freeze, and the process for allowing access to information from the consumer's credit report for a specific party or period of time while the freeze is in place.
10. A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer credit reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both of the following:
(1) Proper identification, as defined in subsection 3 of section 407.1421;
(2) The unique personal identification number or password provided by the credit reporting agency under subsection 3 of this section.
11. A consumer credit reporting agency shall require proper identification, as defined in subsection 3 of section 407.1421, of the person making a request to place or remove a security freeze.
12. The provisions of this section do not apply to the use of a consumer credit report by any of the following:
(1) A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument. For purposes of this subdivision, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements;
(2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subdivision (2) of subsection 4 of this section for purposes of facilitating the extension of credit or other permissible use;
(3) Any state or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, or subpoena;
(4) A child support agency;
(5) The department of health and senior services or its agents or assigns acting to investigate Medicaid fraud;
(6) The state tax commission or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;
(7) The use of credit information for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act;
(8) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed;
(9) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request.
13. Sections 407.1400 to 407.1421 do not prevent a consumer credit reporting agency from charging a fee of no more than ten dollars to a consumer for each freeze, removal of the freeze, or temporary lift of the freeze for a period of time, or a fee of no more than twelve dollars for a temporary lift of a freeze for a specific party, regarding access to a consumer credit report, except that a consumer credit reporting agency may not charge a fee to a victim of identity theft who has submitted a valid police report.
407.1412. 1. If a security freeze is in place, a consumer credit reporting agency shall not change any of the following official information in a consumer credit report without sending a written confirmation of the change to the consumer within thirty days of the change being posted to the consumer's file: name, date of birth, Social Security number, and address. Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.
2. If a consumer has placed a security alert, a consumer credit reporting agency shall provide the consumer, upon request, with a free copy of his or her credit report at the time the ninety-day security alert period expires.
407.1415. The provisions of sections 407.1406 to 407.1412 do not apply to a consumer credit reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the data base of another consumer credit reporting agency or multiple consumer credit reporting agencies, and does not maintain a permanent data base of credit information from which new consumer credit reports are produced. However, a consumer credit reporting agency shall honor any security freeze placed on a consumer credit report by another consumer credit reporting agency.
407.1418. The following entities are not required to place in a credit report either a security alert, under section 407.1406, or a security freeze, under section 407.1409:
(1) A check services or fraud prevention services company, which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments;
(2) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.
407.1421. A consumer credit reporting agency shall supply files and information required during normal business hours and on reasonable notice. In addition to the disclosure provided by this chapter and any disclosures received by the consumer, the consumer has the right to request and receive all of the following:
(1) Either a decoded written version of the file or a written copy of the file, including all information in the file at the time of the request, with an explanation of any code used;
(2) A credit score for the consumer, the key factors, and the related information, as defined in and required by this subsection;
(3) A record of all inquiries, by recipient, which result in the provision of information concerning the consumer in connection with a credit transaction that is not initiated by the consumer and which were received by the consumer credit reporting agency in the twelve-month period immediately preceding the request for disclosure under this section;
(4) The recipients, including end users of any consumer credit report on the consumer which the consumer credit reporting agency has furnished:
(a) For employment purposes within the two-year period preceding the request;
(b) For any other purpose within the twelve-month period preceding the request.
Identification for purposes of this subdivision shall include the name of the recipient or, if applicable, the fictitious business name under which the recipient does business disclosed in full. If requested by the consumer, the identification shall also include the address of the recipient.
(5) Files maintained on a consumer shall be disclosed promptly as follows:
(a) In person, at the location where the consumer credit reporting agency maintains the trained personnel required by this subdivision, if he or she appears in person and furnishes proper identification;
(b) By mail, if the consumer makes a written request with proper identification for a copy of the file or a decoded written version of that file to be sent to the consumer at a specified address. A disclosure under this subdivision shall be deposited in the United States mail, postage prepaid, within five business days after the consumer's written request for the disclosure is received by the consumer credit reporting agency. Consumer credit reporting agencies complying with requests for mailings under this section shall not be liable for disclosures to third parties caused by mishandling of mail after the mailings leave the consumer credit reporting agencies;
(c) A summary of all information contained in files on a consumer and required to be provided shall be provided by telephone, if the consumer has made a written request, with proper identification for telephone disclosure;
(d) Information in a consumer's file required to be provided in writing under this section may also be disclosed in another form if authorized by the consumer and if available from the consumer credit reporting agency. For this purpose a consumer may request disclosure in person by telephone upon disclosure of proper identification by the consumer, by electronic means if available from the consumer credit reporting agency, or by any other reasonable means that is available from the consumer credit reporting agency.
(6) "Proper identification," as used in this section means that information generally deemed sufficient to identify a person. Only if the consumer is unable to reasonably identify himself or herself with the information described above, may a consumer credit reporting agency require additional information concerning the consumer's employment and personal or family history in order to verify his or her identity;
(7) The consumer credit reporting agency shall provide trained personnel to explain to the consumer any information furnished him or her;
(8) The consumer shall be permitted to be accompanied by one other person of his or her choosing, who shall furnish reasonable identification. A consumer credit reporting agency may require the consumer to furnish a written statement granting permission to the consumer credit reporting agency to discuss the consumer's file in that person's presence;
(9) Any written disclosure by a consumer credit reporting agency to any consumer under this section shall include a written summary of all rights the consumer has under this title and in the case of a consumer credit reporting agency which compiles and maintains consumer credit reports on a nationwide basis, a toll-free telephone number which the consumer can use to communicate with the consumer credit reporting agency. The written summary of rights required under this subdivision is sufficient if in substantially the following form:
"You have a right to obtain a copy of your credit file from a consumer credit reporting agency. You may be charged a reasonable fee not exceeding eight dollars ($8). There is no fee, however, if you have been turned down for credit, employment, insurance, or a rental dwelling because of information in your credit report within the preceding 60 days. The consumer credit reporting agency must provide someone to help you interpret the information in your credit file.
You have a right to dispute inaccurate information by contacting the consumer credit reporting agency directly. However, neither you nor any credit repair company or credit service organization has the right to have accurate, current, and verifiable information removed from your credit report. Under the Federal Fair Credit Reporting Act, the consumer credit reporting agency must remove accurate, negative information from your report only if it is over seven years old. Bankruptcy information can be reported for 10 years.
If you have notified a consumer credit reporting agency in writing that you dispute the accuracy of information in your file, the consumer credit reporting agency must then, within 30 business days, reinvestigate and modify or remove inaccurate information. The consumer credit reporting agency may not charge a fee for this service. Any pertinent information and copies of all documents you have concerning an error should be given to the consumer credit reporting agency.
If reinvestigation does not resolve the dispute to your satisfaction, you may send a brief statement to the consumer credit reporting agency to keep in your file, explaining why you think the record is inaccurate. The consumer credit reporting agency must include your statement about disputed information in a report it issues about you.
You have a right to receive a record of all inquiries relating to a credit transaction initiated in 12 months preceding your request. This record shall include the recipients of any consumer credit report.
You may request in writing that the information contained in your file not be provided to a third party for marketing purposes. You have a right to place a "security alert" in your credit report, which will warn anyone who receives information in your credit report that your identity may have been used without your consent. Recipients of your credit report are required to take reasonable steps, including contacting you at the telephone number you may provide with your security alert, to verify your identity prior to lending money, extending credit, or completing the purchase, lease, or rental of goods or services. The security alert may prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that taking advantage of this right may delay or interfere with the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, insurance, rental housing, employment, investment, license, cellular phone, utilities, digital signature, Internet credit card transaction, or other services, including an extension of credit at point of sale. If you place a security alert on your credit report, you have a right to obtain a free copy of your credit report at the time the 90-day security alert period expires. A security alert may be requested by calling the following toll-free telephone number: (Insert applicable toll-free telephone number).
You have a right to place a "security freeze" on your credit report, which will prohibit a consumer credit reporting agency from releasing any information in your credit report without your express authorization. A security freeze must be requested in writing by certified mail. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular phone, utilities, digital signature, Internet credit card transaction, or other services, including an extension of credit at point of sale. When you place a security freeze on your credit report, you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or authorize the release of your credit report for a specific party or period of time after the freeze is in place. To provide that authorization you must contact the consumer credit reporting agency and provide all of the following:
(1) The personal identification number or password.
(2) Proper identification to verify your identity.
(3) The proper information regarding the third party who is to receive the credit report or the period of time for which the report shall be available.
A consumer credit reporting agency must authorize the release of your credit report no later than three business days after receiving the above information.
A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account, that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.
You have a right to bring civil action against anyone, including a consumer credit reporting agency, who improperly obtains access to a file, knowingly or willfully misuses file data, or fails to correct inaccurate file data.".
•