InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
States pass legislation updating security freeze laws
On April 12, the Kansas governor signed HB 2580, which amends existing law to prohibit consumer reporting agencies (CRAs) from charging a fee to a consumer for placing, temporarily lifting, or removing a security freeze on his or her credit report. Moreover, it prevents CRAs from charging fees for replacing a previously requested personal identification number. The law is effective July 1.
Additionally, on April 10, the Iowa governor signed SF 2177, which updates the state’s security freeze law to prohibit CRAs from charging a fee to a consumer for placing, temporarily lifting, removing, or reinstating a security freeze on his or her credit report. Additionally, among other things, the law (i) expands the methods a consumer may use to submit a request for a security freeze; (ii) reduces the number of days CRAs must commence a security freeze after receiving a request from five to three business days; (iii) requires CRAs to send written confirmation within three business days to a consumer after placing a security freeze; and (iv) states that if a consumer requests a security freeze from a CRA that “compiles and maintains files on a nationwide basis,” the CRA must attempt to identify other CRAs that also maintain nationwide files so that the consumer may request additional security freezes. The amendments generally take effect July 1, with the exception of certain provisions that take effect January 1, 2019.
Visit here for additional InfoBytes coverage on states that have recently enacted similar prohibitions.
Arizona governor amends data breach law, updates security freeze legislation
On April 11, the Arizona governor signed HB 2154 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state that maintain, own, or licenses unencrypted and unredacted computerized data to conduct a reasonable investigation of possible breaches of personal information. Owners or licensees of personal information must then notify affected individuals within 45 days, pending the needs of law enforcement. Key amendment highlights are as follows:
- makes revisions to definitions, which include (i) expanding “personal information” to include a combination of a user’s name, password/security question, and answer that grants access to an online account; (ii) defining the term “redact”; and (iii) clarifying that a “specified data element” now includes an individual’s unique “private key” used when authenticating or signing an electronic record;
- adds a requirement that for breaches impacting more than 1,000 individuals, the Attorney General and the three largest consumer reporting agencies must be notified in writing;
- amends a provision concerning “substitute notice,” which removes requirements that a notification must to be sent to affected individuals via email as well as notifying major statewide media. The amendments now stipulate that an entity is required to notify the Attorney General’s office in writing to demonstrate the reasons for substitute notice in addition to posting a notice on the entity’s website for at least 45 days; and
- clarifies a section that states entities are no longer required to notify affected individuals if an independent third-party forensic auditor or law enforcement agency “determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
Separately, on April 3, the governor signed SB 1163, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the placement, removal, or temporary lifting of a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password.
Both bills are scheduled to take effect 91 days after the end of the legislative session.
States pass bills amending security freeze laws
On March 29, the Colorado governor signed HB 1233, which authorizes a parent or legal guardian to request a credit reporting agency place a security freeze on a protected consumer’s credit file; the law defines protected person to include a minor under 16 years of age or an individual who is a ward of the legal guardian. According to HB 1233, if no credit file exists for the protected consumer, the credit reporting agency is required to create a record and then initiate the security freeze on such record without charge. Additionally, among other things, the law prohibits the charging of a fee for the “placement, temporary lift, partial lift, or removal of a security freeze” on a protected consumer’s credit file and allows for a protected consumer to remove the security freeze if they demonstrate the representative’s authority is no longer valid. HB 1233 becomes effective on January 1, 2019.
On March 30, the Kentucky governor signed HB 46, which updates Kentucky’s security freeze law to, among other things, allow a consumer to request a security freeze by methods established by the credit reporting agency in addition to written notification, and remove the requirement that a security freeze expire after seven years. The law continues to allow for a charge of up to ten dollars for the placement, temporary lift, or removal of a security freeze unless the consumer is a victim of identity theft and provides the credit reporting agency with a valid police report. The law is effective immediately, as the text notes that security breaches and the risk of identity theft are on the rise.
Multiple states update security freeze legislation
On March 23, the Governor of Tennessee signed HB 1486, which prohibits credit reporting agencies from charging a fee to a consumer for the placement or removal of a security freeze if the need to place or remove the security freeze was caused by the credit reporting agency. Tennessee already prohibited charging a fee for a security freeze if the consumer is a victim of identity theft and presents a copy of a police report (or other official documentation) to the credit reporting agency at the time of the request. Under Section 47-18-2108 of the Tennessee Code Annotated, the state still allows charging a fee of up to seven dollars and fifty cents for all other placements of a security freeze and up to five dollars to permanently remove a security freeze. HB 1486 is effective immediately.
On March 20, the Governor of Idaho signed SB 1265, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the first placement of a security freeze and for the first temporary lift of a security freeze during a twelve-month period. The law allows for a fee of up to six dollars for the second placement or temporary lift within a twelve-month period. SB 1265 still allows for a fee of up to $10.00 for the reissuance of a personal identification number or password. The legislation is effective July 1.
Coalition of state Attorneys General urges Congress to oppose data breach bill
On March 19, the Illinois Attorney General, along with 30 other state Attorneys General and the Executive Director of the Hawaii Office of Consumer Protection, issued a letter to selected members of Congress opposing the Data Acquisition and Technology Accountability and Security Act (the DATAS Act), which would establish broad standards for data protection across industries and create federal notification requirements for covered entities after certain types of data breaches. (See previous InfoBytes coverage here.) According to the Illinois Attorney General’s letter, the DATAS Act would preempt state data breach and data security laws. The letter also stated that “States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy. With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers.” Serious potential concerns arising from the DATAS Act raised in the letter include (i) reduced transparency to consumers; (ii) delayed notification to consumers affected by data breaches; and (iii) an overly narrow focus on large-scale data breaches “affecting 5,000 or more consumers” which “prevent[s] attorneys general from learning of or addressing breaches that happen on a smaller national scale.”
Florida prohibits fees for security freezes
On March 21, the Florida governor signed HB 953, which prohibits credit reporting agencies from charging any fee to consumers or their representatives for “placing, removing, or temporarily lifting” security freezes on a credit report. Previously the state allowed for a fee of up to $10 to use the service. HB 953 still allows a consumer reporting agency to charge a fee of up to $10 for replacing or reissuing a personal identification number or password. The legislation is effective July 1.
States enact data breach notification laws; Oregon prohibits fees for security freezes
On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.
A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:
- Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
- Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).
Multiple states address cost of security freezes
On March 19, the Michigan governor signed legislation, HB 5094, which amends the Michigan Security Freeze Act to prohibit consumer reporting agencies (CRAs) from charging a fee for “placing, temporarily lifting, or removing a security freeze” on a credit report. Previously, the state allowed for a fee of up to $10 to use the service, if the consumer had not previously filed a police report alleging identity theft. HB 5094 is effective immediately.
On March 15, the Utah governor signed legislation, HB 45, which amends the Utah Consumer Credit Protection Act to prohibit CRAs from charging a fee in connection with placing or removing a security freeze. Additionally, the bill also prohibits CRAs from charging a fee in connection with mobile applications through which a consumer would place or remove a security freeze. The legislation outlines the manner in which a consumer may request a security freeze and the requirements CRAs must follow in responding to the requests. Previously, Utah allowed for CRAs to charge a “reasonable fee” in connection with a security freeze service.
Washington governor enacts amendment relating to security freeze fees
On March 13, the Washington governor signed Senate Bill 6018, which amends sections of the state’s Fair Credit Reporting Act addressing the removal of security freezes. Among other things, the amended act prohibits credit reporting agencies (CRAs) from charging a fee for placing, temporarily lifting, or removing a security freeze, or when assigning consumers unique personal identification numbers. Additionally, the offices of cybersecurity and privacy and data protection and the Attorney General’s office are instructed to work with stakeholders to evaluate the amendment’s impact on consumers and CRAs. A findings report must be submitted by December 1, 2020, and include data breach trends and recommendations by federal and state agencies. The amendment takes effect June 7.
Virginia governor enacts amendment relating to security freeze fees
On March 9, the governor of Virginia signed House Bill 1027, which amends sections of the Code of Virginia relating to security freezes and lowers the maximum amount that a credit reporting agency may charge to place, remove, or lift a security freeze on a protected consumer’s credit report from $10 to $5. Victims of identity theft remain exempt from the fee. The amendment takes effect July 1.