                                                      PRINTER'S NO. 2716

THE GENERAL ASSEMBLY OF PENNSYLVANIA


HOUSE BILL

No. 1975 Session of 2005


        INTRODUCED BY McCALL, BELARDI, BELFANTI, BOYD, CALTAGIRONE,
           COHEN, CORRIGAN, DeLUCA, DeWEESE, FABRIZIO, FRANKEL, FREEMAN,
           GEORGE, GOOD, GOODMAN, GRUCELA, HALUSKA, HERSHEY, JAMES,
           JOSEPHS, KAUFFMAN, KENNEY, KOTIK, MANDERINO, MARKOSEK,
           McGEEHAN, MUNDY, O'NEILL, PETRARCA, PRESTON, ROONEY,
           SCHRODER, SHANER, SOLOBAY, STURLA, TANGRETTI, TIGUE, WALKO,
           WHEATLEY, YOUNGBLOOD AND YUDICHAK, SEPTEMBER 27, 2005

        REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, SEPTEMBER 27, 2005

                                     AN ACT

     1  Regulating the use of credit reports, business records, Social
     2     Security numbers and other personal information.

     3                         TABLE OF CONTENTS
     4  Chapter 1.  Preliminary Provisions
     5  Section 101.  Short title.
     6  Section 102.  Definitions.
     7  Chapter 3.  Personal Information
     8  Section 301.  Credit reports.
     9  Section 302.  Business records.
    10  Chapter 5.  Procedures
    11  Section 501.  Distribution of information.
    12  Section 502.  Dispute procedure.
    13  Chapter 7.  Confidentiality of Social Security Numbers
    14  Section 701.  Prohibitions.
    15  Section 702.  Limitations of use of Social Security numbers by
     1                 governmental entities.
     2  Chapter 11.  Miscellaneous Provisions
     3  Section 1101.  Damages.
     4  Section 1102.  Violations.
     5  Section 1103.  Effective date.
     6     The General Assembly of the Commonwealth of Pennsylvania
     7  hereby enacts as follows:
     8                             CHAPTER 1
     9                       PRELIMINARY PROVISIONS
    10  Section 101.  Short title.
    11     This act shall be known and may be cited as the Personal
    12  Information Protection Act.
    13  Section 102.  Definitions.
    14     The following words and phrases when used in this act shall
    15  have the meanings given to them in this section unless the
    16  context clearly indicates otherwise:
    17     "Consumer."  A natural person who resides in this
    18  Commonwealth.
    19     "Credit report."  Any written, oral or other communication of
    20  any credit information by a credit reporting agency, as defined
    21  in the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. §
    22  1681 et seq.), which operates or maintains a database of
    23  consumer credit information bearing on a consumer's
    24  creditworthiness, credit standing or credit capacity.
    25     "Credit reporting agency."  Any person who, for monetary
    26  fees, dues or on a cooperative nonprofit basis, regularly
    27  engages in whole or in part in the practice of assembling or
    28  evaluating consumer credit information or other information on
    29  consumers for the purpose of furnishing consumer reports to
    30  third parties and who uses any means or facility of interstate
    20050H1975B2716                  - 2 -     

     1  commerce for the purpose of preparing or furnishing consumer
     2  reports. The term does not include:
     3         (1)  A check acceptance service which provides check
     4     approval and guarantees services to merchants.
     5         (2)  Any governmental agency whose records are maintained
     6     primarily for traffic safety, law enforcement or licensing
     7     purposes.
     8                             CHAPTER 3
     9                        PERSONAL INFORMATION
    10  Section 301.  Credit reports.
    11     (a)  General rule.--A credit report shall not be released to
    12  a third party without prior express authorization from the
    13  consumer except as set forth in subsection (b).
    14     (b)  Exceptions.--A credit report shall be released to:
    15         (1)  A Federal, State or local government entity,
    16     including a law enforcement agency or court, or their agents
    17     or assigns.
    18         (2)  A private collection agency for the sole purpose of
    19     assisting in the collection of an existing debt of the
    20     consumer who is the subject of the credit report requested.
    21         (3)  A person or entity or a subsidiary, affiliate or
    22     agent of that person or entity, an assignee of a financial
    23     obligation owing by the consumer to that person or entity or
    24     a prospective assignee of a financial obligation owing by the
    25     consumer to that person or entity in conjunction with the
    26     proposed purchase of the financial obligation, with which the
    27     consumer has or had prior to assignment an account or
    28     contract, including a demand deposit account, or to whom the
    29     consumer issued a negotiable instrument, for the purposes of
    30     reviewing the account or collecting the financial obligation
     1     owing for the account, contract or negotiable instrument. For
     2     purposes of this paragraph, the term "reviewing the account"
     3     includes activities related to account maintenance,
     4     monitoring, credit line increases and account upgrades and
     5     enhancements.
     6         (4)  A subsidiary, affiliate, agent, assignee or
     7     prospective assignee of a person to whom access has been
     8     granted under this section for the purposes of facilitating
     9     the extension of credit.
    10         (5)  A person, for the purposes of prescreening as
    11     provided by the Fair Credit Reporting Act (Public Law 91-508,
    12     15 U.S.C. § 1681 et seq.).
    13         (6)  A credit reporting agency for the purposes of
    14     providing a consumer with a copy of the consumer's report at
    15     the request of the consumer.
    16         (7)  A child support enforcement agency.
    17         (8)  A credit reporting agency that acts only as a
    18     reseller of credit information by assembling and merging
    19     information contained in the database of another credit
    20     reporting agency or multiple credit reporting agencies and
    21     does not maintain a permanent database of credit information
    22     from which new credit reports are produced.
    23         (9)  A check services company or fraud prevention
    24     services company which issues reports on incidents of fraud
    25     or authorizations for the purpose of approving or processing
    26     negotiable instruments, electronic funds transfers or similar
    27     methods of payments.
    28         (10)  A deposit account information service company which
    29     issues reports regarding account closures due to fraud,
    30     substantial overdrafts, ATM abuse or similar negative
     1     information regarding a consumer to inquiring banks or other
     2     financial institutions for use only in reviewing a consumer's
     3     request for a deposit account at the inquiring bank or
     4     financial institution.
     5     (c)  Personal identification number.--Beginning June 1, 2006,
     6  consumer credit reporting agencies must provide consumers with a
     7  unique personal identification number or password to be used by
     8  the consumer when providing authorization for access to his
     9  credit file. In addition, the credit reporting agency shall
    10  simultaneously provide to the consumer in writing notification
    11  of:
    12         (1)  The process for receiving a consumer credit report
    13     or consumer credit file.
    14         (2)  The process for releasing a consumer credit report.
    15         (3)  The toll-free telephone number for requesting the
    16     release of a consumer credit report.
    17         (4)  Dispute procedures.
    18         (5)  The process for correcting a consumer report.
    19         (6)  Information on a consumer's right to bring an action
    20     in court or arbitrate a dispute.
    21     (d)  Request.--A consumer may request a replacement unique
    22  personal identification number or password to be used by the
    23  consumer when providing authorization for access to his credit
    24  file by written request, sent by certified mail, that includes
    25  clear and proper identification, sent to a consumer credit
    26  reporting agency.
    27     (e)  Authorization.--A consumer's express authorization to a
    28  consumer credit reporting agency shall include:
    29         (1)  Clear and proper identification.
    30         (2)  The unique personal identification number or
     1     password provided by the consumer credit reporting agency.
     2         (3)  The proper information regarding the time period for
     3     which the consumer credit report shall be available to users
     4     of the credit report.
     5         (4)  The proper information regarding the third party who
     6     is to receive the consumer credit report.
     7     (f)  Toll-free telephone number.--Each consumer credit
     8  reporting agency shall maintain a toll-free telephone number 24
     9  hours a day, seven days a week to accept the consumer's express
    10  authorization for the release of consumer credit reports and to
    11  accept the consumer's revocation of authorization to a consumer
    12  credit reporting agency to release the consumer's credit report
    13  to any creditor. The toll-free telephone number shall be
    14  included in any written disclosure by a consumer credit
    15  reporting agency to any consumer and shall be printed in a clear
    16  and conspicuous manner. In the event an automated answering
    17  system is utilized, calls shall be returned to the consumer no
    18  later than two hours after the time the call was received. In
    19  addition to the required toll-free telephone number, a credit-
    20  reporting agency may develop procedures involving the use of the
    21  facsimile, Internet or other electronic media to receive and
    22  process a request from a consumer to release a consumer credit
    23  report or to receive a consumer's revocation of authorization to
    24  release the consumer's consumer credit report.
    25     (g)  Notification.--The consumer may notify a consumer credit
    26  reporting agency to release the consumer's credit report to any
    27  creditor for any specified period of time provided:
    28         (1)  The request is in writing or by the toll-free
    29     telephone number provided in subsection (f), or by any means
    30     that a consumer credit reporting may offer, including use of
     1     the facsimile, Internet or other electronic media.
     2         (2)  The request shall specify the period of time that a
     3     consumer credit report may be released without prior express
     4     authorization.
     5         (3)  Clear and proper identification is provided.
     6         (4)  The unique personal identification number or
     7     password afforded by the consumer credit reporting agency is
     8     provided.
     9     (h)  Revocation.--A consumer may revoke the consumer's
    10  authorization to a consumer credit reporting agency to release
    11  the consumer's credit report to any creditor for any specified
    12  period of time provided:
    13         (1)  The request is in writing, or by the toll-free
    14     telephone number provided in subsection (f), or by any means
    15     that a consumer credit reporting may offer, including use of
    16     the facsimile, Internet or other electronic media.
    17         (2)  Clear and proper identification is afforded.
    18         (3)  The unique personal identification number or
    19     password provided by the consumer credit reporting agency is
    20     included.
    21     (i)  Third parties.--If a third party requests access to a
    22  consumer credit report and this request is in connection with an
    23  application for credit or any other use, and the consumer has
    24  not allowed the consumer's credit report to be accessed for that
    25  specific party or period of time, the third party shall treat
    26  the application as incomplete.
    27     (j)  Confirmation.--A consumer credit reporting agency shall
    28  not change the name, date of birth, Social Security number or
    29  address of a consumer in a credit report without sending a
    30  written confirmation of the change to the consumer within 30
     1  days of the change being posted to the consumer's file. No
     2  written confirmation is required for technical modifications of
     3  a consumer's official information, including name and street
     4  abbreviations, complete spellings or transposition of numbers or
     5  letters. In the case of an address change, the written
     6  confirmation shall be sent to both new address and to the former
     7  address.
     8     (k)  Fee restrictions.--A consumer credit reporting agency
     9  shall not impose a fee for:
    10         (1)  The first copy of a consumer credit report provided
    11     to a consumer each calendar year.
    12         (2)  The first issuance of a consumer's unique personal
    13     identification number or password.
    14         (3)  A request by a consumer to a consumer credit
    15     reporting agency to release the consumer's consumer credit
    16     report to any creditor for a specified period of time.
    17     (l)  Fees.--A consumer credit reporting agency may impose a
    18  reasonable charge on a consumer provided that the fee does not
    19  exceed $10:
    20         (1)  For the issuance of a consumer's unique personal
    21     identification number or password provided that the issuance
    22     is not the first such issuance.
    23         (2)  For the revocation of authorization to a consumer
    24     credit reporting agency to release the consumer's consumer
    25     credit report to any creditor for any specified period of
    26     time.
    27     (m)  Timely response.--Within 72 hours of receipt of a
    28  request, a consumer credit reporting agency shall complete a
    29  consumer's request to:
    30         (1)  Release the consumer's credit report.
     1         (2)  Revoke authorization to release a consumer credit
     2     report.
     3         (3)  Obtain a unique personal identification number or
     4     password.
     5     (n)  Enforcement of law.--A person who reasonably believes or
     6  reasonably suspects that he has been the victim of identity
     7  theft in violation of 18 Pa.C.S. § 4120 (relating to identity
     8  theft) may contact the local law enforcement agency in the
     9  jurisdiction where he resides and notwithstanding the fact that
    10  jurisdiction may lie elsewhere for investigation and prosecution
    11  of identity theft, the local law enforcement agency shall take
    12  the complaint and provide the complainant with a copy and refer
    13  the complaint to the appropriate law enforcement agency. Nothing
    14  in this section shall interfere with the discretion of a local
    15  law enforcement agency to allocate resources for investigations
    16  of crimes. A complaint filed under this subsection shall not be
    17  counted as an open case for purposes such as compiling open case
    18  statistics.
    19  Section 302.  Business records.
    20     (a)  General rule.--A business or public entity shall destroy
    21  or arrange for the destruction of a customer's records within
    22  its custody or control which contain personal information, which
    23  is no longer to be retained by the business or public entity, by
    24  shredding, erasing or otherwise modifying the personal
    25  information in those records to make it unreadable,
    26  undecipherable or nonreconstructible through generally available
    27  means.
    28     (b)  Disclosure of security breach.--A business that conducts
    29  business in this Commonwealth or any public entity that compiles
    30  or maintains computerized records that include personal
     1  information shall disclose any breach of security of those
     2  computerized records following discovery or notification of the
     3  breach to any customer who is a resident of this Commonwealth
     4  whose personal information was, or is reasonably believed to
     5  have been, accessed by an unauthorized person. The disclosure
     6  shall be made in the most expedient time possible and without
     7  unreasonable delay, consistent with the legitimate needs of law
     8  enforcement and measures necessary to determine the scope of the
     9  breach and restore the reasonable integrity of the data system.
    10  Disclosure shall not be required if the business or public
    11  entity establishes that misuse of the information is not
    12  reasonably possible. Any determination shall be documented in
    13  writing and retained for five years. A business or public entity
    14  that compiles or maintains computerized records that include
    15  personal information on behalf of another business or public
    16  entity shall notify that business or public entity, who shall
    17  notify its Pennsylvania customers of any breach of security of
    18  the computerized records immediately following discovery if the
    19  personal information was or is reasonably believed to have been
    20  accessed by an unauthorized person.
    21     (c)  Attorney General.--A business or public entity required
    22  under this section to disclose a breach of security of a
    23  customer's personal information shall, in advance of the
    24  disclosure to the customer, report the breach of security and
    25  any information pertaining to the breach to the Office of
    26  Attorney General for investigation or handling, which may
    27  include dissemination or referral to other appropriate law
    28  enforcement entities. The notification shall be delayed if a law
    29  enforcement agency determines that the notification will impede
    30  a criminal or civil investigation and that agency has made a
     1  request that the notification be delayed. The notification shall
     2  be made after the law enforcement agency determines that its
     3  disclosure will not compromise the investigation and notifies
     4  that business or public entity.
     5     (d)  Notice.--For purposes of this section, notice may be
     6  provided by one of the following methods:
     7         (1)  Written notice.
     8         (2)  Electronic notice, if the notice provided is
     9     consistent with the provisions regarding electronic records
    10     and signatures set forth in the Electronic Signatures in
    11     Global and National Commerce Act (Public Law 106-229, 15
    12     U.S.C. § 7001 et seq.).
    13         (3)  Substitute notice, if the business or public entity
    14     demonstrates that the cost of providing notice would exceed
    15     $250,000, or that the affected class of subject persons to be
    16     notified exceeds 500,000, or the business or public entity
    17     does not have sufficient contact information. Substitute
    18     notice shall consist of all of the following:
    19             (i)  E-mail notice when the business or public entity
    20         has an e-mail address.
    21             (ii)  Conspicuous posting of the notice on the
    22         Internet website page of the business or public entity,
    23         if the business or public entity maintains one.
    24             (iii)  Notification to major Statewide media.
    25     (e)  Exception.--Notwithstanding subsection (d), a business
    26  or public entity that maintains its own notification procedures
    27  as part of an information security policy for the treatment of
    28  personal information, and is otherwise consistent with the
    29  requirements of this section, shall be deemed to be in
    30  compliance with the notification requirements of this section if
     1  the business or public entity notifies subject customers in
     2  accordance with its policies in the event of a breach of
     3  security of the system.
     4     (f)  Additional notification.--In addition to any other
     5  disclosure or notification required under this section, in the
     6  event that a business or public entity discovers circumstances
     7  requiring notification pursuant to this section of more than
     8  1,000 persons at one time, the business or public entity shall
     9  also notify, without unreasonable delay, all consumer reporting
    10  agencies that compile or maintain files on consumers on a
    11  nationwide basis, as defined by section 603(p) of the Fair
    12  Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a(p)),
    13  of the timing, distribution and content of the notices.
    14                             CHAPTER 5
    15                             PROCEDURES
    16  Section 501.  Distribution of information.
    17     A credit reporting agency shall create reasonable procedures
    18  to prevent a consumer credit report or information from a
    19  consumer's file from being provided to any third party for
    20  marketing purposes or for any offer of credit not requested by
    21  the consumer. This section does not apply to the use of
    22  information by a credit grantor for purposes related to an
    23  existing credit relationship.
    24  Section 502.  Dispute procedure.
    25     If the completeness or accuracy of information contained in a
    26  consumer's file is disputed by the consumer and the consumer
    27  notifies the consumer reporting agency of the dispute, the
    28  agency shall reinvestigate the disputed information free of
    29  charge and record the current status of the disputed information
    30  no later than the 30th business day after the date on which the
     1  agency receives the notice. The consumer reporting agency shall
     2  provide the consumer with the option of notifying the agency of
     3  a dispute concerning the consumer's file by speaking directly to
     4  a representative of the agency. No disputed debt shall be
     5  included in a credit report without first obtaining a written
     6  record indicating that judgment has been entered in favor of a
     7  debt collector.
     8                             CHAPTER 7
     9             CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS
    10  Section 701.  Prohibitions.
    11     (a)  General rule.--A person or entity, not including a State
    12  or local agency, may not do any of the following:
    13         (1)  Publicly post or publicly display in any manner an
    14     individual's Social Security number.
    15         (2)  Print an individual's Social Security number on any
    16     card required for the individual to access products or
    17     services provided by the person or entity.
    18         (3)  Require an individual to transmit the individual's
    19     Social Security number over the Internet website unless the
    20     connection is secure or the Social Security number is
    21     encrypted.
    22         (4)  Require an individual to use the individual's Social
    23     Security number to access an Internet website unless a
    24     password or unique personal identification number or other
    25     authentication device is also required to access the Internet
    26     website.
    27         (5) (i)  Print an individual's Social Security number on
    28         any materials that are mailed to the individual unless
    29         Federal or State law requires the Social Security number
    30         to be on the document to be mailed.
     1             (ii)  Notwithstanding subparagraph (i), applications
     2         and forms sent by mail may include Social Security
     3         numbers.
     4     (b)  Applicability.--Except as provided in subsection (c),
     5  subsection (a) applies to the use of Social Security numbers on
     6  or after January 1, 2006.
     7     (c)  Use prior to effective date.--Except as provided in
     8  subsection (e), a person or entity, not including a State or
     9  local entity that has used, prior to January 1, 2006, an
    10  individual's Social Security number in a manner inconsistent
    11  with subsection (a) may continue using that individual's Social
    12  Security number in that manner on or after January 1, 2006, if
    13  all of the following conditions are met:
    14         (1)  The use of the Social Security number is continuous.
    15     If the use is discontinued for any reason, subsection (a)
    16     shall apply.
    17         (2)  The individual is provided an annual disclosure,
    18     commencing in the year 2005, informing the individual that
    19     the individual has the right to discontinue use of the
    20     individual's Social Security number in a manner prohibited by
    21     subsection (a).
    22         (3)  If a written request by an individual to discontinue
    23     the use of the individual's Social Security number in a
    24     manner prohibited by subsection (a) is received, the person
    25     or entity shall implement the request within 30 days of the
    26     receipt of the request. The person or entity may not impose a
    27     fee or charge for implementing the request.
    28         (4)  The person or entity, not including a State or local
    29     agency, does not deny services to the individual because the
    30     individual makes a written request pursuant to this
     1     subsection.
     2     (d)  Construction.--This section shall not be construed to
     3  prohibit the collection, use or release of a Social Security
     4  number as required by Federal or State law or the use of a
     5  Social Security number for internal verification or
     6  administrative purposes by a person or entity.
     7     (e)  Exceptions.--In the case of a health care service plan,
     8  a provider of health care, an insurer or pharmacy benefits
     9  manager or an agent of any of these, this section shall become
    10  operative as follows:
    11         (1)  On or before July 1, 2006, a health care service
    12     plan, a provider of health care, an insurer or pharmacy
    13     benefits manager or an agent of any of these shall comply
    14     with subsection (a)(1), (3), (4) and (5) as these
    15     requirements pertain to existing individual policyholders.
    16         (2)  On or before July 1, 2006, a health care service
    17     plan, a provider of health care, an insurer or pharmacy
    18     benefits manager or an agent of any of these shall comply
    19     with subsection (a) as these requirements pertain to new
    20     individual policyholders and new employer groups for policies
    21     issued on or after July 1, 2006.
    22     (f)  Cooperation.--A health care service plan, a provider of
    23  health care, an insurer or pharmacy benefits manager or an agent
    24  of any of these entities shall make reasonable efforts to
    25  cooperate, through systems testing and other means, to ensure
    26  the requirements of this chapter are implemented on or before
    27  the dates specified in this chapter.
    28  Section 702.  Limitations of use of Social Security numbers by
    29                 governmental entities.
    30     Prior to posting or requiring the posting of a document in a
     1  place of general public circulation, an agency, board,
     2  department, commission, committee, branch, instrumentality or
     3  authority of the Commonwealth or an agency, board, committee,
     4  department, branch, instrumentality, commission or authority of
     5  any political subdivision of the Commonwealth shall take all
     6  reasonable steps to redact any Social Security numbers from the
     7  documents.
     8                             CHAPTER 11
     9                      MISCELLANEOUS PROVISIONS
    10  Section 1101.  Damages.
    11     Any consumer damaged by an intentional, reckless or negligent
    12  violation of this act may bring an action for and shall be
    13  entitled to recovery of actual damages, plus reasonable attorney
    14  fees, court costs and other reasonable costs of prosecution of
    15  the suit.
    16  Section 1102.  Violations.
    17     (a)  Concealment.--A person having knowledge of a security
    18  breach requiring notice to individuals under this act who
    19  intentionally and willfully conceals the fact of or information
    20  related to the security breach commits a felony of the first
    21  degree.
    22     (b)  Unlawful use of identifying information.--During and in
    23  relation to any felony violation, a person who knowingly
    24  obtains, accesses or transmits, without lawful authority, a
    25  means of identification of another person may, in addition to
    26  the punishment provided for the felony, be sentenced to serve up
    27  to two additional years of imprisonment.
    28  Section 1103.  Effective date.
    29     This act shall take effect in 60 days.

    G22L12RLE/20050H1975B2716       - 16 -