House File 2484 - Introduced
HOUSE FILE
BY PETTENGILL, DAVITT, GASKILL,
PETERSEN, SHOMSHOR, and WISE
A BILL FOR
1 An Act relating to identity theft including providing for the
2 notification of a breach in the security of computerized data
3 of personal information, allowing a security alert or block on
4 a consumer report, allowing the issuance of an identity theft
5 passport, requiring the deletion of certain records relating
6 to dishonored checks, prohibiting the collection of certain
7 unauthorized debt obligations, requiring the protection and
8 destruction of customer records containing personal
9 information, and providing for civil remedies and penalties.
10 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
11 TLSB 5549HH 81
12 kk/je/5
PAG LIN
1 1 Section 1. NEW SECTION. 715C.1 DEFINITIONS.
1 2 As used in this chapter unless the context otherwise
1 3 requires:
1 4 1. "Breach of the security of the system" means
1 5 unauthorized acquisition of computerized data maintained by a
1 6 person that compromises the security, confidentiality, or
1 7 integrity of personal information maintained by the person.
1 8 Good faith acquisition of personal information by an employee
1 9 or agent of the person for the purposes of the person is not a
1 10 breach of the security of the system, provided that the
1 11 personal information is not used for or subject to further
1 12 unauthorized disclosure.
1 13 2. "Consumer" means a natural person.
1 14 3. "Consumer report" means the same as defined by the
1 15 federal Fair Credit Reporting Act, 15 U.S.C. § 1681a.
1 16 4. "Consumer reporting agency" means the same as defined
1 17 by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a.
1 18 5. "Debt collector" means the same as provided in section
1 19 537.7102.
1 20 6. "File", when used in connection with information on any
1 21 consumer, means all of the information on that consumer
1 22 recorded and retained by a consumer reporting agency
1 23 regardless of how the information is stored.
1 24 7. "Personal information" means the same as
1 25 "identification information" as defined in section 715A.8.
1 26 "Personal information" does not include publicly available
1 27 information that is lawfully made available to the general
1 28 public from federal, state, or local government records.
1 29 8. "Security alert" means a notice placed on a consumer
1 30 file at the request of the consumer that is sent to a
1 31 recipient of a consumer report involving that consumer file,
1 32 signifying the fact that the consumer's identity may have been
1 33 used without the consumer's consent to fraudulently obtain
1 34 goods or services in the consumer's name.
1 35 9. "Security block" means a notice placed on a consumer
2 1 file that prohibits a consumer reporting agency from releasing
2 2 a consumer report relating to the extension of credit
2 3 involving that consumer file without the express authorization
2 4 of the consumer.
2 5 10. "State agency" means any executive, judicial, or
2 6 legislative department, commission, board, institution,
2 7 division, bureau, office, agency, or other entity of state
2 8 government.
2 9 Sec. 2. NEW SECTION. 715C.2 NOTIFICATION OF SECURITY
2 10 BREACH -- REMEDIES.
2 11 1. A person that owns or licenses computerized data that
2 12 includes personal information shall provide notice of any
2 13 breach of the security of the system following discovery or
2 14 notification of the breach in the security of the data to any
2 15 resident of this state whose unencrypted personal information
2 16 was, or is reasonably believed to have been, acquired by an
2 17 unauthorized person. The notice shall be made in the most
2 18 expedient manner possible and without unreasonable delay,
2 19 consistent with the legitimate needs of law enforcement, as
2 20 provided in subsection 3, or any measures necessary to
2 21 determine the scope of the breach and restore the reasonable
2 22 integrity of the data system. The notice shall include
2 23 contact information for applicable state and federal services
2 24 available for victims of identity theft.
2 25 2. A person that maintains computerized data that includes
2 26 personal information that the person does not own shall notify
2 27 the owner or licensee of the information of any breach of the
2 28 security of the system maintaining the data immediately
2 29 following discovery, if the personal information was, or is
2 30 reasonably believed to have been, acquired by an unauthorized
2 31 person.
2 32 3. The notice required by subsection 1 may be delayed if a
2 33 law enforcement agency determines that the notification will
2 34 impede a criminal investigation. The notice required by
2 35 subsection 1 shall be made after the law enforcement agency
3 1 determines that such notice will not compromise the
3 2 investigation.
3 3 4. The notice required by subsection 1 shall be provided
3 4 by one of the following methods:
3 5 a. Written notice.
3 6 b. Electronic notice, if the notice provided is consistent
3 7 with the provisions regarding electronic records and
3 8 signatures required in chapter 554D and 15 U.S.C. § 7001.
3 9 c. Substitute notice, if the person demonstrates that the
3 10 cost of providing notice would exceed two hundred fifty
3 11 thousand dollars, or that the affected class of subject
3 12 persons to be notified exceeds five hundred thousand persons,
3 13 or the person does not have sufficient contact information.
3 14 Substitute notice shall consist of all of the following:
3 15 (1) Electronic mail notice when the person has an
3 16 electronic mail address for the subject persons.
3 17 (2) Conspicuous posting of the notice on the person's
3 18 internet website, if the person maintains an internet website.
3 19 (3) Notification to major statewide media.
3 20 5. Notwithstanding subsection 4, a person that maintains
3 21 its own notification procedures as part of an information
3 22 security policy for the treatment of personal information and
3 23 is otherwise consistent with the timing requirements of this
3 24 section shall be deemed to be in compliance with the notice
3 25 requirements of subsection 1 if the person notifies subject
3 26 persons in accordance with the person's policies in the event
3 27 of a breach of security of the system.
3 28 6. a. A person injured by a violation of this section may
3 29 bring a civil action for an injunction, actual damages,
3 30 attorney fees, interest, and court costs.
3 31 b. The attorney general may bring an action on behalf of
3 32 an injured person for an injunction, actual damages incurred
3 33 by the person, attorney fees, interest, and court costs.
3 34 c. The rights and remedies available under this section
3 35 are cumulative to each other and to any other rights and
4 1 remedies available under law.
4 2 7. As used in this section, "person" means a person as
4 3 defined in section 4.1 that conducts business in this state
4 4 and includes a state agency.
4 5 Sec. 3. NEW SECTION. 715C.3 SECURITY ALERT.
4 6 1. REQUESTING ALERT. Upon request by a consumer in
4 7 writing or by telephone, with proper identification provided
4 8 by the consumer, a consumer reporting agency shall place a
4 9 security alert on the consumer's file not later than two
4 10 business days after the agency receives the request. A
4 11 consumer may include with the security alert request a
4 12 telephone number to be used by persons to verify the
4 13 consumer's identity before entering into a transaction with
4 14 the consumer. The security alert must remain in effect for
4 15 not less than ninety days after the date the agency places the
4 16 security alert on the file. There is no limit on the number
4 17 of security alerts a consumer may request. At the termination
4 18 of the security alert, upon written request or telephone
4 19 authorization by the consumer, and with proper identification
4 20 provided by the consumer, the agency shall provide the
4 21 consumer with a copy of the consumer's file.
4 22 2. NOTIFICATION OF ALERT.
4 23 a. A consumer reporting agency shall send an alert to each
4 24 person who requests a consumer report if a security alert is
4 25 in effect for the consumer file involved regardless of whether
4 26 a full credit report or summary report is requested and shall
4 27 include a verification telephone number for the consumer if
4 28 the consumer has provided a telephone number under subsection
4 29 1.
4 30 b. A person who receives notification of a security alert
4 31 in connection with a request for a consumer report for the
4 32 approval of a credit-based application including an
4 33 application for a new extension of credit, a purchase, lease,
4 34 or rental agreement for goods, or for an application for a
4 35 non-credit-related service, shall not lend money, extend
5 1 credit, or authorize an application without taking reasonable
5 2 steps to verify the consumer's identity. For the purposes of
5 3 this section, "extension of credit" does not include an
5 4 increase in an existing open-end credit plan or any change to
5 5 or review of an existing credit account.
5 6 c. If a consumer has included with a security alert
5 7 request a specified telephone number to be used for identity
5 8 verification purposes, a person who receives that telephone
5 9 number with a security alert shall contact the consumer using
5 10 that telephone number or take reasonable steps to verify the
5 11 consumer's identity and confirm that an application for an
5 12 extension of credit is not the result of identity theft before
5 13 lending money, extending credit, or completing any purchase,
5 14 lease, or rental of goods, or approving any non-credit-
5 15 related services.
5 16 3. TOLL-FREE ALERT REQUEST NUMBER. A consumer reporting
5 17 agency that compiles and maintains files on a nationwide basis
5 18 as defined by 15 U.S.C. § 1681a(p) shall maintain a toll-free
5 19 telephone number that will accept security alert requests from
5 20 consumers twenty-four hours a day, seven days a week, subject
5 21 to reasonable maintenance or service outages beyond the
5 22 control of the consumer reporting agency.
5 23 4. VIOLATIONS OF ALERT. A creditor, potential creditor,
5 24 consumer reporting agency, or other entity that violates any
5 25 provision of this section shall be liable to the victim of an
5 26 identity theft for all of the documented out-of-pocket
5 27 expenses caused by the violation committed by such creditor,
5 28 potential creditor, consumer reporting agency, or other entity
5 29 and suffered by the victim as a result of the identity theft,
5 30 plus reasonable attorney fees and court costs. A violation of
5 31 this section is an unlawful practice under section 714.16.
5 32 Sec. 4. NEW SECTION. 715C.4 SECURITY BLOCK.
5 33 1. REQUESTING BLOCK. On written request by a consumer
5 34 that includes proper identification and a copy of a valid
5 35 police report or complaint alleging a violation of section
6 1 715A.8, a consumer reporting agency shall, within five
6 2 business days of receipt, place a security block on a
6 3 consumer's file.
6 4 2. DECLINING BLOCK. A consumer reporting agency may
6 5 decline to block or may rescind any block of consumer
6 6 information in the exercise of good faith and reasonable
6 7 judgment, if the consumer reporting agency believes any of the
6 8 following:
6 9 a. The information was blocked due to a misrepresentation
6 10 of a material fact by the consumer.
6 11 b. The information was blocked due to fraud, in which the
6 12 consumer participated, or of which the consumer had knowledge,
6 13 and which may for purposes of this section be demonstrated by
6 14 circumstantial evidence.
6 15 c. The consumer agrees that portions of the blocked
6 16 information or all of the information was blocked in error.
6 17 d. The consumer knowingly obtained or should have known
6 18 that the consumer obtained possession of goods, services, or
6 19 money as a result of the blocked transaction or transactions.
6 20 e. The consumer's report of a violation of section 715A.8
6 21 was not authentic.
6 22 3. NOTIFICATION OF BLOCK. A consumer reporting agency
6 23 shall promptly notify a person who requests a consumer report
6 24 if a security block is in effect for the consumer file
6 25 involved in that report and the effective date of the block.
6 26 4. RELEASE OF BLOCK.
6 27 a. On written request or by telephone and with proper
6 28 identification provided by a consumer, a consumer reporting
6 29 agency shall remove a security block not later than the third
6 30 business day after the date the agency receives the request.
6 31 The block may be temporarily lifted for a certain
6 32 predesignated period of time if requested by the consumer.
6 33 b. If blocked information is unblocked pursuant to this
6 34 subsection, the consumer shall be notified in the same manner
6 35 as consumers are notified of the reinsertion of information
7 1 pursuant to the federal Fair Credit Reporting Act, 15 U.S.C. §
7 2 1681i. The prior presence of the blocked information in the
7 3 consumer reporting agency's file on the consumer is not
7 4 evidence of whether the consumer knew or should have known
7 5 that the consumer obtained possession of any goods, services,
7 6 or money as described in subsection 2, paragraph "d".
7 7 5. FALSE INQUIRIES. A consumer reporting agency shall
7 8 delete from a consumer report inquiries for consumer reports
7 9 based upon credit requests that the consumer reporting agency
7 10 verifies were initiated as a result of a violation of section
7 11 715A.8.
7 12 6. FEES. A consumer reporting agency may impose a
7 13 reasonable charge on a consumer for placing a security block
7 14 on a consumer file.
7 15 7. EXEMPTIONS FROM BLOCK. The provisions of this section
7 16 do not apply to any of the following:
7 17 a. A state or local governmental entity, including a law
7 18 enforcement agency or private collection agency, if the entity
7 19 or agency is acting under a court order, warrant, subpoena, or
7 20 administrative subpoena.
7 21 b. A consumer reporting agency that acts as a reseller of
7 22 credit information by assembling and merging information
7 23 contained in the databases of other consumer reporting
7 24 agencies, and that does not maintain a permanent database of
7 25 credit information from which new consumer reports are
7 26 produced.
7 27 c. A check services or fraud prevention services company
7 28 that issues reports on incidents of fraud or authorizations
7 29 for the purpose of approving or processing negotiable
7 30 instruments, electronic funds transfers, or similar payment
7 31 methods.
7 32 d. A demand deposit account information service company
7 33 that issues reports regarding account closures due to fraud,
7 34 substantial overdrafts, automatic teller machine abuse, or
7 35 similar negative information regarding a consumer to inquiring
8 1 banks or other financial institutions for use only in
8 2 reviewing a consumer request for a demand deposit account at
8 3 the inquiring bank or financial institution.
8 4 8. VIOLATIONS OF BLOCK. A violation of this section is an
8 5 unlawful practice under section 714.16.
8 6 Sec. 5. NEW SECTION. 715C.5 IDENTITY THEFT PASSPORT.
8 7 1. The attorney general, in cooperation with any law
8 8 enforcement agency, may issue an identity theft passport to a
8 9 person who meets both of the following requirements:
8 10 a. Is a victim of identity theft in this state as
8 11 described in section 715A.8.
8 12 b. Has filed a police report with any law enforcement
8 13 agency citing that the person is a victim of identity theft.
8 14 2. A victim who has filed a report of identity theft with
8 15 a law enforcement agency may apply for an identity theft
8 16 passport through the law enforcement agency. The law
8 17 enforcement agency shall send a copy of the police report and
8 18 the application to the attorney general, who shall process the
8 19 application and supporting report and may issue the victim an
8 20 identity theft passport in the form of a card or certificate.
8 21 3. A victim of identity theft issued an identity theft
8 22 passport may present the passport to any of the following:
8 23 a. A law enforcement agency, to help prevent the victim's
8 24 arrest or detention for an offense committed by someone other
8 25 than the victim who is using the victim's identity.
8 26 b. A creditor of the victim, to aid in the creditor's
8 27 investigation and establishment of whether fraudulent charges
8 28 were made against accounts in the victim's name or whether
8 29 accounts were opened using the victim's identity.
8 30 c. A consumer reporting agency, which shall accept the
8 31 passport as notice of a dispute and shall include notice of
8 32 the dispute in all future reports that contain disputed
8 33 information caused by identity theft.
8 34 4. A law enforcement agency, creditor, or consumer
8 35 reporting agency may accept an identity theft passport issued
9 1 pursuant to this section and presented by a victim at the
9 2 discretion of the law enforcement agency, creditor, or
9 3 consumer reporting agency. A law enforcement agency,
9 4 creditor, or consumer reporting agency may consider the
9 5 surrounding circumstances and available information regarding
9 6 the offense of identity theft pertaining to the victim.
9 7 5. An application made with the attorney general under
9 8 subsection 2, including any supporting documentation, shall be
9 9 confidential and shall not be a public record subject to
9 10 disclosure under chapter 22.
9 11 6. The attorney general shall adopt rules necessary to
9 12 implement this section, which shall include a procedure by
9 13 which the attorney general shall ensure that an identity theft
9 14 passport applicant has an identity theft claim that is
9 15 legitimate and adequately substantiated.
9 16 Sec. 6. NEW SECTION. 715C.6 DISHONORED CHECK ELECTRONIC
9 17 RECORDS -- PENALTY.
9 18 1. Any person doing business in this state who accepts a
9 19 check from a consumer in the ordinary course of business shall
9 20 delete any electronic records containing information relating
9 21 to a consumer's dishonored check upon which the person bases a
9 22 refusal to accept a check from the consumer not later than
9 23 thirty days after the date that any of the following occur:
9 24 a. The consumer and the person doing business agree that
9 25 the information in the electronic records is incorrect.
9 26 b. The consumer presents to the person doing business a
9 27 report filed by the consumer with a law enforcement agency, or
9 28 any other written notice by the consumer, stating that the
9 29 dishonored check was not authorized by the consumer.
9 30 2. The attorney general may file an action in district
9 31 court to seek the assessment of a civil penalty of one hundred
9 32 dollars for each violation of subsection 1 and may recover
9 33 reasonable expenses incurred, including attorney fees,
9 34 investigative costs, witness fees, and deposition expenses.
9 35 3. This section shall not apply to electronic records
10 1 containing information relating to the checking account number
10 2 or bank routing transit number of a dishonored check.
10 3 4. This section shall not apply to a financial institution
10 4 as defined in section 527.2.
10 5 Sec. 7. NEW SECTION. 715C.7 DEBT COLLECTION OF
10 6 UNAUTHORIZED TRANSACTION.
10 7 1. A debt collector shall not collect or attempt to
10 8 collect an obligation under a check, debit payment, or credit
10 9 card payment if all of the following conditions apply:
10 10 a. The check, debit payment, or credit card payment was
10 11 dishonored or refused because the obligation was not incurred
10 12 by a person authorized to use the check, debit, or credit card
10 13 account.
10 14 b. The debt collector has received written notice from a
10 15 person authorized to use the check, debit, or credit card
10 16 account that the obligation under the check, debit payment, or
10 17 credit card payment was not authorized.
10 18 c. A person authorized to use the check, debit, or credit
10 19 card account has filed a report concerning the unauthorized
10 20 obligation under a check, debit payment, or credit card
10 21 payment with a law enforcement agency and has provided a copy
10 22 of the report to the debt collector.
10 23 2. This section does not prohibit a debt collector from
10 24 collecting or attempting to collect an obligation under a
10 25 check, debit payment, or credit card payment, if the debt
10 26 collector has credible evidence that the report filed with a
10 27 law enforcement agency is fraudulent and that the obligation
10 28 under a check, debit payment, or credit card payment was
10 29 authorized.
10 30 Sec. 8. NEW SECTION. 715C.8 PROTECTION OF CUSTOMER
10 31 INFORMATION.
10 32 1. Any person doing business in this state shall implement
10 33 and maintain reasonable procedures, including taking any
10 34 appropriate corrective action, to protect and safeguard from
10 35 unlawful use or disclosure any personal information collected
11 1 or maintained by the person in the regular course of business.
11 2 2. A person doing business in this state shall destroy or
11 3 arrange for the destruction of customer records containing
11 4 personal information within the person's custody or control
11 5 that are not to be retained by the business by one of the
11 6 following methods:
11 7 a. Shredding.
11 8 b. Erasing.
11 9 c. Otherwise modifying the personal information in the
11 10 records to make the information unreadable or undecipherable
11 11 through any means.
11 12 3. This section shall not apply to a financial institution
11 13 as defined in section 527.2.
11 14 EXPLANATION
11 15 This bill provides for certain consumer protections against
11 16 identity theft including notification of a breach in the
11 17 security of computerized data of personal information,
11 18 providing for a security alert or block on a consumer report,
11 19 and for the issuance of an identity theft passport.
11 20 The bill requires a person that owns or licenses
11 21 computerized data that includes personal information to
11 22 provide notice of any breach of the person's security of the
11 23 data to those residents of this state whose personal
11 24 information was or may have been acquired by an unauthorized
11 25 person. The bill requires a person that maintains
11 26 computerized data that includes personal information that the
11 27 person does not own to notify the owner of the data of any
11 28 breach in the security of the data. A "person" is defined by
11 29 the bill to include persons that conduct business in this
11 30 state and state agencies. The notice shall be provided
11 31 immediately unless a law enforcement agency determines that
11 32 the notification will impede a criminal investigation. The
11 33 notice may be made in writing, through electronic means, or by
11 34 substitute notice, as defined by the bill, and must contain
11 35 information regarding state and federal services available for
12 1 victims of identity theft.
12 2 The bill provides that a person who is injured by the
12 3 failure to notify of a security breach required by the bill
12 4 may file a civil action for an injunction, actual damages,
12 5 attorney fees, interest, and court costs. The attorney
12 6 general may also bring a civil action on behalf of an injured
12 7 person for an injunction, actual damages, attorney fees, and
12 8 court costs.
12 9 The bill permits victims of identity theft to request that
12 10 a security alert be placed on the victim's consumer report,
12 11 which is more commonly known as a credit report. Before
12 12 issuing credit on a consumer report containing a security
12 13 alert, the creditor must take reasonable steps to verify the
12 14 identity of the person whose consumer report contains the
12 15 security alert. Failure to verify the identity of the person
12 16 before issuing credit may result in liability of the creditor
12 17 for any damages suffered by the person as a result of the
12 18 credit being issued. A violation is also a consumer fraud
12 19 under Code section 714.16. The bill requires consumer
12 20 reporting agencies to maintain a nationwide toll-free
12 21 telephone number to accept requests for security alerts.
12 22 The bill permits victims of identity theft to request that
12 23 a security block be placed on the victim's consumer report. A
12 24 security block prohibits a consumer reporting agency from
12 25 releasing the victim's consumer report relating to the
12 26 extension of credit without the victim's express
12 27 authorization. A consumer reporting agency may decline to
12 28 place the block under specific circumstances. With proper
12 29 identification, the victim may request that the block be
12 30 temporarily lifted or permanently released. The consumer
12 31 reporting agency must notify the consumer when a block is
12 32 placed and when a block is released. A consumer reporting
12 33 agency may impose a reasonable fee to place a block on a
12 34 consumer file. Certain entities are exempt from compliance
12 35 with a security block. Violations are treated as consumer
13 1 fraud under Code section 714.16.
13 2 The bill authorizes the attorney general to issue an
13 3 identity theft passport to a victim of the criminal offense of
13 4 identity theft, as defined in Code section 715A.8, who has
13 5 filed a police report with a law enforcement agency. A victim
13 6 of identity theft may apply for an identity theft passport
13 7 with the law enforcement agency, which shall send a copy of
13 8 the police report and application to the attorney general.
13 9 The identity theft passport shall be in the form of a card
13 10 or certificate which the victim may present to a law
13 11 enforcement agency, creditor, or consumer reporting agency to
13 12 help protect the victim from false criminal charges and
13 13 fraudulent credit charges. A law enforcement agency,
13 14 creditor, or consumer reporting agency may use discretion as
13 15 to whether to accept the identity theft passport after
13 16 considering surrounding circumstances and available
13 17 information concerning the commission of identity theft
13 18 against the victim presenting the passport.
13 19 An application for an identity theft passport and all
13 20 supporting documents shall be confidential and not considered
13 21 a public record under Code chapter 22. The attorney general
13 22 shall adopt rules necessary to issue the identity theft
13 23 passports and to ensure that applications for the identity
13 24 theft passports are legitimate.
13 25 The bill requires any person doing business in this state
13 26 to delete any electronic records which contain information
13 27 about a consumer's dishonored check which has caused the
13 28 person doing business to refuse to accept other checks from
13 29 the consumer if the information in the electronic records is
13 30 incorrect or if the consumer has provided the person doing
13 31 business with a report filed with a law enforcement agency or
13 32 other notice that the dishonored check was not authorized by
13 33 the consumer. The bill provides that the attorney general may
13 34 seek a civil penalty of up to $100 plus reasonable expenses
13 35 per violation.
14 1 The bill prohibits a debt collector from collecting or
14 2 attempting to collect an obligation under a payment by check,
14 3 debit, or credit card if the debt collector has received
14 4 written notice that, and payment was dishonored or refused
14 5 because, the obligation was not made by a person authorized to
14 6 use the check, debit, or credit card, and a report of the
14 7 unauthorized use has been filed with a law enforcement agency.
14 8 A debt collector is not prohibited from collecting or
14 9 attempting to collect an obligation under the bill if the debt
14 10 collector has credible evidence that the report filed with a
14 11 law enforcement agency is fraudulent and the obligation was
14 12 authorized.
14 13 The bill requires any person doing business in this state
14 14 to implement and maintain reasonable procedures to protect
14 15 from unlawful use or disclosure any personal information
14 16 collected or maintained by the person in the regular course of
14 17 business. The bill requires any person doing business in this
14 18 state to destroy or arrange for the destruction of customer
14 19 records containing personal information that are within the
14 20 person's custody or control and not otherwise retained by the
14 21 business. The destruction is required to be performed by
14 22 shredding, erasing, or modifying in a way to make the personal
14 23 information unreadable.
14 24 LSB 5549HH 81
14 25 kk:nh/je/5.1