See other bills
under the
same topic
PRINTER'S NO. 461
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
498
Session of
2021
INTRODUCED BY DRISCOLL, ZABEL, HILL-EVANS, BURGOS, MERSKI,
SANCHEZ, KENYATTA, SOLOMON, SCHLOSSBERG, FREEMAN, GALLOWAY,
DeLUCA, CIRESI, WARREN, DELLOSO, ROZZI, HENNESSEY, PARKER,
McCLINTON AND O'MARA, FEBRUARY 10, 2021
REFERRED TO COMMITTEE ON COMMERCE, FEBRUARY 10, 2021
AN ACT
Amending the act of November 29, 2006 (P.L.1463, No.163),
entitled "An act providing for protection from identity
theft, for security freezes, for procedures for access after
imposition and removal of security freezes and for related
matters," further providing for definitions, for security
freeze and for fees; and providing for credit monitoring
services, for prohibiting the waiver of rights and for
protected persons security freeze.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Section 2 of the act of November 29, 2006
(P.L.1463, No.163), known as the Credit Reporting Agency Act, is
amended to read:
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Breach of system security."
(1) The unauthorized access and acquisition of
unencrypted data, or encrypted data with the confidential
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
process or key required to decrypt the data, that is likely
to compromise the security or confidentiality of personal
information maintained by the entity as part of a database of
personal information regarding multiple individuals and that
causes, or the entity reasonably believes has caused or will
cause, loss or injury to any resident of this Commonwealth.
(2) The term does not include the good faith acquisition
of personal information by an employee or agent of the entity
for the purposes of the entity if the personal information is
not used for a purpose other than the lawful purpose of the
entity and is not subject to further unauthorized disclosure.
"Consumer." An individual who is not a protected person.
"Consumer report." A written, oral or other communication of
any information by a consumer reporting agency bearing on a
consumer's or protected person's creditworthiness, credit
standing or credit capacity.
"Consumer reporting agency." Any person who, for monetary
fees, dues or on a cooperative basis, regularly engages in whole
or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers or
protected persons for the purpose of furnishing consumer reports
to third parties.
"Credit monitoring services." The process of periodically
reviewing a consumer report for activity and changes that could
be indicative of fraudulent activity and reporting the results
of each review to the consumer.
"Protected person." An individual who is any of the
following:
(1) Not emancipated and under 16 years of age at the
time a request for the placement of a protected persons
20210HB0498PN0461 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
security freeze is made.
(2) An incapacitated person under 20 Pa.C.S. Ch. 55
(relating to incapacitated persons).
(3) A protected person under 20 Pa.C.S. Ch. 59 (relating
to uniform adult guardianship and protective proceedings
jurisdiction).
"Protected persons security freeze." Either of the
following:
(1) If a consumer reporting agency does not have a file
pertaining to a protected person, a restriction that:
(i) Is placed on the protected person's record in
accordance with section 10.1.
(ii) Prohibits the consumer reporting agency from
releasing the protected person's record except as
provided in section 10.1.
(2) If a consumer reporting agency has a file pertaining
to a protected person, a restriction that:
(i) Is placed on the protected person's consumer
report in accordance with section 10.1.
(ii) Prohibits the consumer reporting agency from
releasing the protected person's consumer report or any
information derived from the protected person's consumer
report except as provided in section 10.1.
"Record." A compilation of information that:
(1) Identifies a protected person.
(2) Is created by a consumer reporting agency solely for
the purpose of complying with section 10.1.
(3) May not be created or used to consider the protected
person's credit worthiness, credit standing, credit capacity,
character, general reputation, personal characteristics or
20210HB0498PN0461 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
mode of living for any purpose listed in the Fair Credit
Reporting Act (Public Law 91-508, 15 U.S.C. ยง 1681b).
"Representative." A person providing to a consumer reporting
agency sufficient proof of authority to act on behalf of a
protected person.
"Security freeze." A notice placed on a consumer report, at
the request of the consumer and subject to certain exceptions,
that prohibits a consumer reporting agency from releasing the
consumer report without the express authorization of the
consumer.
"Sufficient proof of authority." Documentation showing that
a representative has authority to act on behalf of a protected
person, including, but not limited to, any of the following:
(1) An order issued by a court of law.
(2) A lawfully executed and valid power of attorney.
(3) A written and notarized statement signed by the
representative that expressly describes the authority of the
representative to act on behalf of the protected person.
"Sufficient proof of identification." Information or
documentation that identifies a protected person or a
representative, including, but not limited to, any of the
following:
(1) A Social Security number or a copy of a Social
Security card issued by the Social Security Administration.
(2) A certified or official copy of a birth certificate
issued by the entity authorized to issue the birth
certificate.
(3) A copy of a driver's license, an identification card
issued by the Department of Transportation or any other
government-issued identification.
20210HB0498PN0461 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(4) A copy of a bill, including, but not limited to, a
bill for telephone, sewer, septic tank, water, electric, oil
or natural gas services, that shows a name and home address.
Section 2. Sections 3(d) and 9 of the act are amended to
read:
Section 3. Security freeze.
* * *
(d) Duration of freeze.--A security freeze shall:
(1) remain in place [until the earlier of], except as
provided under section 7(a); or
(2) be removed within three business days after the date
the consumer reporting agency receives a request from the
consumer to remove the security freeze [or until seven years
from the date that the security freeze was put in place by
the consumer reporting agency] in accordance with this act.
* * *
Section 9. Fees.
[(a) General rule.--A consumer reporting agency may impose a
reasonable charge on a consumer for initially placing a security
freeze on a consumer report. The amount of the charge may not
exceed $10. The charge to temporarily lift the security freeze
may not exceed $10 per request. At no time shall the consumer be
charged for removing the freeze.
(b) Exceptions.--
(1) A consumer will not be charged by a consumer
reporting agency for placing a security freeze or temporarily
lifting a security freeze if the consumer is a victim of
identity theft and provides, or has provided, the consumer
reporting agency with a copy of a police report.
(2) A consumer will not be charged by a consumer
20210HB0498PN0461 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
reporting agency for placing a security freeze if the
consumer is 65 years of age or older.
(c) Confirmation required.--If a security freeze is in
place, a consumer reporting agency shall not change any of the
following information regarding a consumer without sending a
written confirmation of the change to the consumer within 30
days of the change being posted:
(1) Name.
(2) Date of birth.
(3) Social Security number.
(4) Address.
Written confirmation is not required for technical modifications
of a consumer's official information, including name and street
abbreviations, complete spellings or transposition of numbers or
letters. In the case of an address change, the written
confirmation shall be sent to both the new address and to the
former address.] A consumer reporting agency may not impose a
charge on a consumer for placing or temporarily lifting a
security freeze on a consumer report.
Section 3. The act is amended by adding sections to read:
Section 9.1. Credit monitoring services .
A consumer reporting agency which has been affected by a
breach of system security shall provide each consumer affected
by the breach of system security with credit monitoring services
at no charge to the consumer for three years following the
breach of system security.
Section 9.2. Prohibition.
A consumer reporting agency which has been affected by a
breach of system security may not require a consumer to waive
the consumer's rights under section 9.1 in order to use the
20210HB0498PN0461 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
credit monitoring services provided.
Section 10.1. Protected persons security freeze.
(a) Applicability.--
(1) Notwithstanding any other provision of this act,
this section shall apply to protected persons and their
representatives.
(2) This section shall not apply to:
(i) A person or entity under section 3(e)(1), (6),
(7), (8), (9), (10) or (12).
(ii) A person or entity that maintains or is a
database used solely for any of the following:
(A) Criminal record information.
(B) Personal loss history information.
(C) Fraud prevention or detection.
(D) Employment screening.
(E) Tenant screening.
(b) Placement.--
(1) A consumer reporting agency shall place a protected
persons security freeze if:
(i) The consumer reporting agency receives a request
from a representative for the placement of the protected
persons security freeze.
(ii) The representative does the following:
(A) Submits the request to the consumer
reporting agency at the address or other point of
contact and in the manner specified by the consumer
reporting agency.
(B) Provides to the consumer reporting agency
sufficient proof of identification of the protected
person and the representative.
20210HB0498PN0461 - 7 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(C) Provides to the consumer reporting agency
sufficient proof of authority to act on behalf of the
protected person.
(2) If a consumer reporting agency does not have a file
pertaining to a protected person when the consumer reporting
agency receives a request under paragraph (1), the consumer
reporting agency shall create a record for the protected
person.
(c) Timing of placement.--Within 30 days after receiving a
request that meets the requirements under subsection (b)(1), a
consumer reporting agency shall place a protected persons
security freeze.
(d) Release of consumer report prohibited.--Unless a
protected persons security freeze is removed in accordance with
subsection (f) or (i), a consumer reporting agency may not
release the protected person's consumer report, any information
derived from the protected person's consumer report or any
record created for the protected person.
(e) Effective period.--A protected persons security freeze
shall remain in effect until either of the following occurs:
(1) The protected person or representative requests the
consumer reporting agency to remove the security freeze in
accordance with subsection (f).
(2) The protected persons security freeze is removed in
accordance with subsection (i).
(f) Removal.--If a protected person or representative wishes
to remove a protected persons security freeze, the protected
person or representative shall:
(1) Submit a request for the removal of the security
freeze to the consumer reporting agency at the address or
20210HB0498PN0461 - 8 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
other point of contact and in the manner specified by the
consumer reporting agency.
(2) Provide the following to the consumer reporting
agency:
(i) In the case of a request by the protected
person:
(A) Proof under subsection (b)(1)(ii)(B) for the
representative to act on behalf of the protected
person is no longer valid.
(B) Sufficient proof of identification of the
protected person.
(ii) In the case of a request by a representative:
(A) Sufficient proof of identification of the
protected person and representative.
(B) Sufficient proof of authority to act on
behalf of the protected person.
(g) Timing of removal.--Within 30 days after receiving a
request that meets the requirements of subsection (f), the
consumer reporting agency shall remove the protected persons
security freeze.
(h) Notice.--Any time that a consumer is entitled to receive
a summary of rights under the Fair Credit Reporting Act (Public
Law 91-508, 15 U.S.C. ยง 1681g(c)), the following notice shall be
included:
Parents, guardians or custodians of a minor child under
16 years of age, guardians of an incapacitated person
under State law and guardians of a protected person under
State law have a right to have a record created with
certain consumer reporting agencies, more commonly known
as credit bureaus, to prevent the creation of a credit
20210HB0498PN0461 - 9 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
report for a protected person as defined under the act.
To place or remove a record, you should contact a
consumer reporting agency at the contact point provided
for these requests. A consumer reporting agency may not
charge a fee for the placement and removal of a record.
(i) Effect of material misrepresentation of fact.--A
consumer reporting agency may remove a protected persons
security freeze or delete a record of a protected person if the
protected persons security freeze was placed or the record was
created based on a material misrepresentation of fact by the
protected person or representative.
(j) Remedy for violation of section.--A consumer reporting
agency's sole liability is for actual damages as a result of a
violation of this section.
Section 4. This act shall take effect as follows:
(1) The addition of section 10.1 of the act shall take
effect January 1, 2021, or immediately, whichever is later.
(2) This section shall take effect immediately.
(3) The remainder of this act shall take effect in 60
days.
20210HB0498PN0461 - 10 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20