Please wait while the document is loaded.

A05721
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
1847
Session of
2017
INTRODUCED BY DRISCOLL, THOMAS, MILLARD, DAVIS, WARREN, BOBACK,
ELLIS, RABB, BAKER, PICKETT, SCHLOSSBERG, V. BROWN, KORTZ,
C. QUINN, D. COSTA, W. KELLER, PASHINSKI, HILL-EVANS, MILNE,
IRVIN AND KAMPF, OCTOBER 13, 2017
REFERRED TO COMMITTEE ON COMMERCE, OCTOBER 13, 2017
AN ACT
Amending the act of November 29, 2006 (P.L.1463, No.163),
entitled "An act providing for protection from identity
theft, for security freezes, for procedures for access after
imposition and removal of security freezes and for related
matters," further providing for definitions and for fees;
providing for credit monitoring and consumer reports
services; and prohibiting the waiver of rights; and further
providing for civil relief.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Section 2 of the act of November 29, 2006
(P.L.1463, No.163), known as the Credit Reporting Agency Act, is
amended by adding definitions to read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Breach of the security of the system." The loss,
unauthorized access, acquisition or use of unencrypted data,
encrypted data, the confidential process or key, that is capable
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
of compromising the security or confidentiality of personal
information maintained by the entity as part of a database of
personal information regarding multiple individuals. The term
does not include good faith acquisition of personal information
by an employee or agent of the entity for the purposes of the
entity if the personal information is not used for a purpose
other than the lawful purpose of the entity and is not subject
to further unauthorized disclosure.
* * *
"Credit monitoring." The process of periodically reviewing a
consumer report by a consumer for accuracy and changes that
could be indicative of fraudulent activity.
The unauthorized access and acquisition of unencrypted data,
or encrypted data with the confidential process or key required
to decrypt the data, that is likely to compromise the security
or confidentiality of personal information maintained by the
entity as part of a database of personal information regarding
multiple individuals and that causes or the entity reasonably
believes has caused or will cause loss or injury to any resident
of this Commonwealth. Good faith acquisition of personal
information by an employee or agent of the entity for the
purposes of the entity is not a breach of the security of the
system if the personal information is not used for a purpose
other than the lawful purpose of the entity and is not subject
to further unauthorized disclosure.
* * *
"Credit monitoring services." The process of periodically
reviewing a consumer report for activity and changes that could
be indicative of fraudulent activity and reporting the results
of each review to the consumer.
A05721 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
* * *
Section 2. Section 9(a) and (b) of the act is are amended to
read:
Section 9. Fees.
(a) General rule.--
(1) A consumer reporting agency may impose a reasonable
charge on a consumer for initially placing a security freeze
on a consumer report. The amount of the charge may not exceed
[$10] $5. The charge to temporarily lift the security freeze
may not exceed [$10] $5 per request. At no time shall the
consumer be charged for removing the freeze.
(2) A consumer reporting agency who has been affected by
a breach of the security of the system may not impose a
charge on a consumer for placing a security freeze on a
consumer report.
[A] No consumer reporting agency may impose a [reasonable
charge] fee on a consumer for initially placing a security
freeze or temporarily lifting the security freeze on a
consumer report. [The amount of the charge may not exceed
$10. The charge to temporarily lift the security freeze may
not exceed $10 per request. At no time shall the consumer be
charged for removing the freeze.
(b) Exceptions.--
(1) A consumer will not be charged by a consumer
reporting agency for placing a security freeze or temporarily
lifting a security freeze if the consumer is a victim of
identity theft and provides, or has provided, the consumer
reporting agency with a copy of a police report.
(2) A consumer will not be charged by a consumer
reporting agency for placing a security freeze if the
A05721 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
consumer is 65 years of age or older.]
* * *
Section 3. The act is amended by adding sections to read:
Section 9.1. Credit monitoring and consumer reports services .
(a) Credit monitoring.-- A consumer reporting agency which
has been affected by a breach of the security of the system
shall provide each consumer affected by the breach of the
security of the system with credit monitoring of the consumer's
consumer report services at no charge to the consumer for three
years following a breach of the security of the system.
(b) Consumer reports.--A consumer reporting agency which has
been affected by a breach of the security of the system shall
provide each consumer affected by the breach of the security of
the system with up to three consumer reports for one calendar
year after the breach is reported at no charge to the consumer.
following the breach of the security of the system.
Section 9.2. Prohibition.
A consumer reporting agency which has been affected by a
breach of the security of the system may not require a consumer
to waive the consumer's rights under section 9.1 in order to use
the credit monitoring services provided under section 9.1 .
Section 4. Section 10 of the act is amended to read:
Section 10. Civil relief.
A violation of this act shall be deemed to be an unfair
method of competition and an unfair or deceptive act or practice
in violation of the act of December 17, 1968 (P.L.1224, No.387),
known as the Unfair Trade Practices and Consumer Protection Law.
The Office of Attorney General shall have exclusive authority to
bring an action under the Unfair Trade Practices and Consumer
Protection Law for a violation of this act.
A05721 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Section 5 4. This act shall take effect in 60 days.
A05721 - 5 -
1