See other bills
under the
same topic
PRINTER'S NO. 2629
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
1879
Session of
2017
INTRODUCED BY TALLMAN, MILLARD, RYAN, ROZZI, PICKETT, BARRAR,
DiGIROLAMO, LAWRENCE, IRVIN AND GILLEN, OCTOBER 24, 2017
REFERRED TO COMMITTEE ON COMMERCE, OCTOBER 24, 2017
AN ACT
Amending the act of November 29, 2006 (P.L.1463, No.163),
entitled "An act providing for protection from identity
theft, for security freezes, for procedures for access after
imposition and removal of security freezes and for related
matters," further providing for definitions and for fees; and
providing for reimbursement for security breach and for
notice of security breach.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Section 2 of the act of November 29, 2006
(P.L.1463, No.163), known as the Credit Reporting Agency Act, is
amended by adding a definition to read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
* * *
"Security breach." An incident of unauthorized access to and
acquisition of records or data:
(1) that was not rendered unusable through encryption,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
redaction or other methods containing consumer identifying
information;
(2) that compromises the security, confidentiality or
integrity of the consumer identifying information maintained
by a consumer; and
(3) when illegal use of the consumer identifying
information has occurred or is reasonably likely to occur or
use of the consumer identifying information creates a
material risk of harm to the consumer.
The term does not include good faith acquisition of consumer
identifying information by an employee or agent of the consumer
for a legitimate purpose, if the consumer identifying
information is not used for a purpose other than a lawful
purpose of the consumer and is not subject to further
unauthorized disclosure.
* * *
Section 2. Section 9 of the act is amended to read:
Section 9. Fees.
(a) General rule.--[A] No consumer reporting agency may
impose a [reasonable charge] fee on a consumer for initially
placing a security freeze or temporarily lifting the security
freeze on a consumer report. [The amount of the charge may not
exceed $10. The charge to temporarily lift the security freeze
may not exceed $10 per request. At no time shall the consumer be
charged for removing the freeze.
(b) Exceptions.--
(1) A consumer will not be charged by a consumer
reporting agency for placing a security freeze or temporarily
lifting a security freeze if the consumer is a victim of
identity theft and provides, or has provided, the consumer
20170HB1879PN2629 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
reporting agency with a copy of a police report.
(2) A consumer will not be charged by a consumer
reporting agency for placing a security freeze if the
consumer is 65 years of age or older.]
(c) Confirmation required.--If a security freeze is in
place, a consumer reporting agency shall not change any of the
following information regarding a consumer without sending a
written confirmation of the change to the consumer within 30
days of the change being posted:
(1) Name.
(2) Date of birth.
(3) Social Security number.
(4) Address.
Written confirmation is not required for technical modifications
of a consumer's official information, including name and street
abbreviations, complete spellings or transposition of numbers or
letters. In the case of an address change, the written
confirmation shall be sent to both the new address and to the
former address.
Section 3. The act is amended by adding sections to read:
Section 9.1. Reimbursement for security breach.
A consumer reporting agency that sustains a security breach
shall reimburse the consumers affected by the security breach
for the expense of not more than two consumer reports from all
credit agencies within 90 days of the security breach.
Section 9.2. Notice of security breach.
(a) Duty to notify consumers.--In the event a security
breach occurs at a consumer reporting agency, the consumer
reporting agency shall, within five business days after the
security breach occurs or the credit reporting agency has notice
20170HB1879PN2629 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
of the security breach, whichever occurs later, send a notice to
the consumers affected by the security breach that a security
breach has occurred.
(b) Contents of notice.--The notice required under
subsection (a) shall include the date of the security breach and
a statement that the consumer reporting agency will reimburse
the consumers for the expense of not more than two consumer
reports from all credit agencies within 90 days of the security
breach.
(c) Penalty.--In addition to any other penalty provided by
this act or other law, a consumer reporting agency that
willfully fails to send the notice to consumers as required
under this section shall be liable for not more than $1,000 for
each consumer to whom the notice was not sent.
Section 4. This act shall take effect in 60 days.
20170HB1879PN2629 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15