PRINTER'S NO. 2716
No. 1975 Session of 2005
INTRODUCED BY McCALL, BELARDI, BELFANTI, BOYD, CALTAGIRONE, COHEN, CORRIGAN, DeLUCA, DeWEESE, FABRIZIO, FRANKEL, FREEMAN, GEORGE, GOOD, GOODMAN, GRUCELA, HALUSKA, HERSHEY, JAMES, JOSEPHS, KAUFFMAN, KENNEY, KOTIK, MANDERINO, MARKOSEK, McGEEHAN, MUNDY, O'NEILL, PETRARCA, PRESTON, ROONEY, SCHRODER, SHANER, SOLOBAY, STURLA, TANGRETTI, TIGUE, WALKO, WHEATLEY, YOUNGBLOOD AND YUDICHAK, SEPTEMBER 27, 2005
REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, SEPTEMBER 27, 2005
AN ACT

Regulating the use of credit reports, business records, Social Security numbers and other personal information.

TABLE OF CONTENTS

Chapter 1. Preliminary Provisions
Section 101. Short title.
Section 102. Definitions.
Chapter 3. Personal Information
Section 301. Credit reports.
Section 302. Business records.
Chapter 5. Procedures
Section 501. Distribution of information.
Section 502. Dispute procedure.
Chapter 7. Confidentiality of Social Security Numbers
Section 701. Prohibitions.
Section 702. Limitations of use of Social Security numbers by
governmental entities.
Chapter 11. Miscellaneous Provisions
Section 1101. Damages.
Section 1102. Violations.
Section 1103. Effective date.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

CHAPTER 1
PRELIMINARY PROVISIONS

Section 101. Short title.

This act shall be known and may be cited as the Personal Information Protection Act.

Section 102. Definitions.

The following words and phrases when used in this act shall have the meanings given to them in this section unless the context clearly indicates otherwise:

"Consumer." A natural person who resides in this Commonwealth.

"Credit report." Any written, oral or other communication of any credit information by a credit reporting agency, as defined in the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681 et seq.), which operates or maintains a database of consumer credit information bearing on a consumer's creditworthiness, credit standing or credit capacity.

"Credit reporting agency." Any person who, for monetary fees, dues or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties and who uses any means or facility of interstate
commerce for the purpose of preparing or furnishing consumer reports. The term does not include:
(1) A check acceptance service which provides check approval and guarantees services to merchants.
(2) Any governmental agency whose records are maintained primarily for traffic safety, law enforcement or licensing purposes.

CHAPTER 3
PERSONAL INFORMATION

Section 301. Credit reports.

(a) General rule.--A credit report shall not be released to a third party without prior express authorization from the consumer except as set forth in subsection (b).

(b) Exceptions.--A credit report shall be released to:
(1) A Federal, State or local government entity, including a law enforcement agency or court, or their agents or assigns.
(2) A private collection agency for the sole purpose of assisting in the collection of an existing debt of the consumer who is the subject of the credit report requested.
(3) A person or entity or a subsidiary, affiliate or agent of that person or entity, an assignee of a financial obligation owing by the consumer to that person or entity or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation
owing for the account, contract or negotiable instrument. For purposes of this paragraph, the term "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements.
(4) A subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under this section for the purposes of facilitating the extension of credit.
(5) A person, for the purposes of prescreening as provided by the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681 et seq.).
(6) A credit reporting agency for the purposes of providing a consumer with a copy of the consumer's report at the request of the consumer.
(7) A child support enforcement agency.
(8) A credit reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another credit reporting agency or multiple credit reporting agencies and does not maintain a permanent database of credit information from which new credit reports are produced.
(9) A check services company or fraud prevention services company which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers or similar methods of payments.
(10) A deposit account information service company which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse or similar negative
information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer's request for a deposit account at the inquiring bank or financial institution.

(c) Personal identification number.--Beginning June 1, 2006, consumer credit reporting agencies must provide consumers with a unique personal identification number or password to be used by the consumer when providing authorization for access to his credit file. In addition, the credit reporting agency shall simultaneously provide to the consumer in writing notification of:
(1) The process for receiving a consumer credit report or consumer credit file.
(2) The process for releasing a consumer credit report.
(3) The toll-free telephone number for requesting the release of a consumer credit report.
(4) Dispute procedures.
(5) The process for correcting a consumer report.
(6) Information on a consumer's right to bring an action in court or arbitrate a dispute.

(d) Request.--A consumer may request a replacement unique personal identification number or password to be used by the consumer when providing authorization for access to his credit file by written request, sent by certified mail, that includes clear and proper identification, sent to a consumer credit reporting agency.

(e) Authorization.--A consumer's express authorization to a consumer credit reporting agency shall include:
(1) Clear and proper identification.
(2) The unique personal identification number or
password provided by the consumer credit reporting agency.
(3) The proper information regarding the time period for which the consumer credit report shall be available to users of the credit report.
(4) The proper information regarding the third party who is to receive the consumer credit report.

(f) Toll-free telephone number.--Each consumer credit reporting agency shall maintain a toll-free telephone number 24 hours a day, seven days a week to accept the consumer's express authorization for the release of consumer credit reports and to accept the consumer's revocation of authorization to a consumer credit reporting agency to release the consumer's credit report to any creditor. The toll-free telephone number shall be included in any written disclosure by a consumer credit reporting agency to any consumer and shall be printed in a clear and conspicuous manner. In the event an automated answering system is utilized, calls shall be returned to the consumer no later than two hours after the time the call was received. In addition to the required toll-free telephone number, a credit-reporting agency may develop procedures involving the use of the facsimile, Internet or other electronic media to receive and process a request from a consumer to release a consumer credit report or to receive a consumer's revocation of authorization to release the consumer's consumer credit report.

(g) Notification.--The consumer may notify a consumer credit reporting agency to release the consumer's credit report to any creditor for any specified period of time provided:
(1) The request is in writing or by the toll-free telephone number provided in subsection (f), or by any means that a consumer credit reporting may offer, including use of
the facsimile, Internet or other electronic media.
(2) The request shall specify the period of time that a consumer credit report may be released without prior express authorization.
(3) Clear and proper identification is provided.
(4) The unique personal identification number or password afforded by the consumer credit reporting agency is provided.

(h) Revocation.--A consumer may revoke the consumer's authorization to a consumer credit reporting agency to release the consumer's credit report to any creditor for any specified period of time provided:
(1) The request is in writing, or by the toll-free telephone number provided in subsection (f), or by any means that a consumer credit reporting may offer, including use of the facsimile, Internet or other electronic media.
(2) Clear and proper identification is afforded.
(3) The unique personal identification number or password provided by the consumer credit reporting agency is included.

(i) Third parties.--If a third party requests access to a consumer credit report and this request is in connection with an application for credit or any other use, and the consumer has not allowed the consumer's credit report to be accessed for that specific party or period of time, the third party shall treat the application as incomplete.

(j) Confirmation.--A consumer credit reporting agency shall not change the name, date of birth, Social Security number or address of a consumer in a credit report without sending a written confirmation of the change to the consumer within 30
days of the change being posted to the consumer's file. No written confirmation is required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both new address and to the former address.

(k) Fee restrictions.--A consumer credit reporting agency shall not impose a fee for:
(1) The first copy of a consumer credit report provided to a consumer each calendar year.
(2) The first issuance of a consumer's unique personal identification number or password.
(3) A request by a consumer to a consumer credit reporting agency to release the consumer's consumer credit report to any creditor for a specified period of time.

(l) Fees.--A consumer credit reporting agency may impose a reasonable charge on a consumer provided that the fee does not exceed $10:
(1) For the issuance of a consumer's unique personal identification number or password provided that the issuance is not the first such issuance.
(2) For the revocation of authorization to a consumer credit reporting agency to release the consumer's consumer credit report to any creditor for any specified period of time.

(m) Timely response.--Within 72 hours of receipt of a request, a consumer credit reporting agency shall complete a consumer's request to:
(1) Release the consumer's credit report.
(2) Revoke authorization to release a consumer credit report.
(3) Obtain a unique personal identification number or password.

(n) Enforcement of law.--A person who reasonably believes or reasonably suspects that he has been the victim of identity theft in violation of 18 Pa.C.S. § 4120 (relating to identity theft) may contact the local law enforcement agency in the jurisdiction where he resides and notwithstanding the fact that jurisdiction may lie elsewhere for investigation and prosecution of identity theft, the local law enforcement agency shall take the complaint and provide the complainant with a copy and refer the complaint to the appropriate law enforcement agency. Nothing in this section shall interfere with the discretion of a local law enforcement agency to allocate resources for investigations of crimes. A complaint filed under this subsection shall not be counted as an open case for purposes such as compiling open case statistics.

Section 302. Business records.

(a) General rule.--A business or public entity shall destroy or arrange for the destruction of a customer's records within its custody or control which contain personal information, which is no longer to be retained by the business or public entity, by shredding, erasing or otherwise modifying the personal information in those records to make it unreadable, undecipherable or nonreconstructible through generally available means.

(b) Disclosure of security breach.--A business that conducts business in this Commonwealth or any public entity that compiles or maintains computerized records that include personal
information shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of this Commonwealth whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Disclosure shall not be required if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years. A business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its Pennsylvania customers of any breach of security of the computerized records immediately following discovery if the personal information was or is reasonably believed to have been accessed by an unauthorized person.

(c) Attorney General.--A business or public entity required under this section to disclose a breach of security of a customer's personal information shall, in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Office of Attorney General for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities. The notification shall be delayed if a law enforcement agency determines that the notification will impede a criminal or civil investigation and that agency has made a
request that the notification be delayed. The notification shall be made after the law enforcement agency determines that its disclosure will not compromise the investigation and notifies that business or public entity.

(d) Notice.--For purposes of this section, notice may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act (Public Law 106-229, 15 U.S.C. § 7001 et seq.).
(3) Substitute notice, if the business or public entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the business or public entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
(i) E-mail notice when the business or public entity has an e-mail address.
(ii) Conspicuous posting of the notice on the Internet website page of the business or public entity, if the business or public entity maintains one.
(iii) Notification to major Statewide media.

(e) Exception.--Notwithstanding subsection (d), a business or public entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the requirements of this section, shall be deemed to be in compliance with the notification requirements of this section if
the business or public entity notifies subject customers in accordance with its policies in the event of a breach of security of the system.

(f) Additional notification.--In addition to any other disclosure or notification required under this section, in the event that a business or public entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at one time, the business or public entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis, as defined by section 603(p) of the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a(p)), of the timing, distribution and content of the notices.

CHAPTER 5
PROCEDURES

Section 501. Distribution of information.

A credit reporting agency shall create reasonable procedures to prevent a consumer credit report or information from a consumer's file from being provided to any third party for marketing purposes or for any offer of credit not requested by the consumer. This section does not apply to the use of information by a credit grantor for purposes related to an existing credit relationship.

Section 502. Dispute procedure.

If the completeness or accuracy of information contained in a consumer's file is disputed by the consumer and the consumer notifies the consumer reporting agency of the dispute, the agency shall reinvestigate the disputed information free of charge and record the current status of the disputed information no later than the 30th business day after the date on which the
agency receives the notice. The consumer reporting agency shall provide the consumer with the option of notifying the agency of a dispute concerning the consumer's file by speaking directly to a representative of the agency. No disputed debt shall be included in a credit report without first obtaining a written record indicating that judgment has been entered in favor of a debt collector.

CHAPTER 7
CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS

Section 701. Prohibitions.

(a) General rule.--A person or entity, not including a State or local agency, may not do any of the following:
(1) Publicly post or publicly display in any manner an individual's Social Security number.
(2) Print an individual's Social Security number on any card required for the individual to access products or services provided by the person or entity.
(3) Require an individual to transmit the individual's Social Security number over the Internet website unless the connection is secure or the Social Security number is encrypted.
(4) Require an individual to use the individual's Social Security number to access an Internet website unless a password or unique personal identification number or other authentication device is also required to access the Internet website.
(5) (i) Print an individual's Social Security number on any materials that are mailed to the individual unless Federal or State law requires the Social Security number to be on the document to be mailed.
(ii) Notwithstanding subparagraph (i), applications and forms sent by mail may include Social Security numbers.

(b) Applicability.--Except as provided in subsection (c), subsection (a) applies to the use of Social Security numbers on or after January 1, 2006.

(c) Use prior to effective date.--Except as provided in subsection (e), a person or entity, not including a State or local entity that has used, prior to January 1, 2006, an individual's Social Security number in a manner inconsistent with subsection (a) may continue using that individual's Social Security number in that manner on or after January 1, 2006, if all of the following conditions are met:
(1) The use of the Social Security number is continuous. If the use is discontinued for any reason, subsection (a) shall apply.
(2) The individual is provided an annual disclosure, commencing in the year 2005, informing the individual that the individual has the right to discontinue use of the individual's Social Security number in a manner prohibited by subsection (a).
(3) If a written request by an individual to discontinue the use of the individual's Social Security number in a manner prohibited by subsection (a) is received, the person or entity shall implement the request within 30 days of the receipt of the request. The person or entity may not impose a fee or charge for implementing the request.
(4) The person or entity, not including a State or local agency, does not deny services to the individual because the individual makes a written request pursuant to this
subsection.

(d) Construction.--This section shall not be construed to prohibit the collection, use or release of a Social Security number as required by Federal or State law or the use of a Social Security number for internal verification or administrative purposes by a person or entity.

(e) Exceptions.--In the case of a health care service plan, a provider of health care, an insurer or pharmacy benefits manager or an agent of any of these, this section shall become operative as follows:
(1) On or before July 1, 2006, a health care service plan, a provider of health care, an insurer or pharmacy benefits manager or an agent of any of these shall comply with subsection (a)(1), (3), (4) and (5) as these requirements pertain to existing individual policyholders.
(2) On or before July 1, 2006, a health care service plan, a provider of health care, an insurer or pharmacy benefits manager or an agent of any of these shall comply with subsection (a) as these requirements pertain to new individual policyholders and new employer groups for policies issued on or after July 1, 2006.

(f) Cooperation.--A health care service plan, a provider of health care, an insurer or pharmacy benefits manager or an agent of any of these entities shall make reasonable efforts to cooperate, through systems testing and other means, to ensure the requirements of this chapter are implemented on or before the dates specified in this chapter.

Section 702. Limitations of use of Social Security numbers by governmental entities.

Prior to posting or requiring the posting of a document in a
place of general public circulation, an agency, board, department, commission, committee, branch, instrumentality or authority of the Commonwealth or an agency, board, committee, department, branch, instrumentality, commission or authority of any political subdivision of the Commonwealth shall take all reasonable steps to redact any Social Security numbers from the documents.

CHAPTER 11
MISCELLANEOUS PROVISIONS

Section 1101. Damages.

Any consumer damaged by an intentional, reckless or negligent violation of this act may bring an action for and shall be entitled to recovery of actual damages, plus reasonable attorney fees, court costs and other reasonable costs of prosecution of the suit.

Section 1102. Violations.

(a) Concealment.--A person having knowledge of a security breach requiring notice to individuals under this act who intentionally and willfully conceals the fact of or information related to the security breach commits a felony of the first degree.

(b) Unlawful use of identifying information.--During and in relation to any felony violation, a person who knowingly obtains, accesses or transmits, without lawful authority, a means of identification of another person may, in addition to the punishment provided for the felony, be sentenced to serve up to two additional years of imprisonment.

Section 1103. Effective date.

This act shall take effect in 60 days.

G22L12RLE/20050H1975B2716 - 16 -