Security Breach Notification Act
Summary: The Security Breach Notification Act requires companies to notify customers when personal data has been lost or stolen, since such a loss leaves customers susceptible to identity theft.
SECTION 1. SHORT TITLE
This Act shall be called the “Security Breach Notification Act.”
SECTION 2. FINDINGS AND PURPOSE
(A) FINDINGS—The legislature finds that:
1. Identity theft is one of the fastest growing crimes in America.
2. Businesses and individuals alike lose billions of dollars each year because of fraud associated with identity theft.
3. Identity theft is made possible by security breaches—most commonly when personal financial data such as social security, bank account, and credit card numbers are lost by, or stolen from, businesses.
4. It is crucial that customers be notified of security breaches so they can take precautions with their credit reports and credit accounts.
(B) PURPOSE—This law is enacted to protect individuals and businesses from crimes resulting from identity theft.
SECTION 3. SECURITY BREACH NOTIFICATION
(A) DEFINITIONS—In this section:
1. “Data collector” means a person, corporation or other entity that handles personal information.
2. “Breach of the security of the data” means unauthorized acquisition of computerized or non-computerized data that compromises the security, confidentiality or integrity of personal information maintained by the data collector. Good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector is not a breach of the security of the data, provided that the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure.
3. “Personal information” means an individual’s last name, address or phone number in combination with any of the following data elements, when either the name or the data elements are not encrypted or redacted, or are encrypted with an encryption key that was also acquired:
a. Social security number.
b. Driver’s license number or state identification card number.
c. Account number, credit or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords.
d. Account passwords or personal identification numbers (PINs) or other access codes.
e. Biometric data.
“Personal information” includes the data elements listed above, when not in connection with the individual’s last name, address or phone number, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
“Personal information” does not include information that is lawfully made available to the general public from federal, state or local government records, provided that such publicly available information has not been aggregated or consolidated into an electronic database or similar system by the governmental agency or by another person.
(B) NOTICE OF BREACH
1. A data collector that owns or uses personal information concerning a [State] resident shall, as quickly as possible, notify the resident if there is a breach of the security of the data.
2. The notification required by this section shall be delayed if a law enforcement agency informs the data collector in writing that the notification may seriously impede a criminal investigation.
3. Notice of a breach of the security of the data shall be provided in writing by first-class mail, or by electronic mail if it complies with the requirements of Title 15, Section 7001 of the United States Code.
4. If the data collector demonstrates that the cost of providing notice would exceed $250,000, or that the data collector does not have sufficient contact information to notify affected residents, the data collector shall:
a. Post the notice conspicuously on the data collector’s Internet site; and
b. Deliver notice by first-class mail to every licensed television and radio station, and every general circulation daily newspaper in the state.
5. The notice of a breach of the security of the data shall include:
a. A description of the types of information that were, or were reasonably believed to have been, acquired by an unauthorized person, such as social security, driver’s license, and credit card numbers;
b. A toll-free telephone number that residents may use to learn whether their personal information was compromised and what data was lost or stolen; and
c. The telephone numbers and addresses of the major credit reporting agencies.
6. After a notification of a breach of the security of the data, a data collector shall make available, free of charge to affected residents, credit reports from at least one of the major credit reporting agencies, beginning not later than two months following the breach of security, and continuing on a quarterly basis for a period of two years.
(C) WAIVER—Any waiver of the provisions of this title is contrary to public policy, and is void and unenforceable.
(D) ENFORCEMENT
1. The Department of [Consumer Affairs] shall promulgate such regulations as are necessary to enforce this section.
2. A resident of [State] injured by a violation of this section may initiate a civil action to recover damages.
3. A data collector that violates, proposes to violate, or has violated this section may be enjoined.
4. The rights and remedies available under this section do not preempt any other rights and remedies available under law.
SECTION 4. SEVERABILITY
The provisions of this Act shall be severable, and if any phrase, clause, sentence or provision is declared to be invalid or is preempted by federal law or regulation, the validity of the remainder of this Act shall not be affected.
SECTION 5. EFFECTIVE DATE
This Act shall take effect on July 1, 2007.
Security Freeze Identity Protection Act
Summary: The Security Freeze Identity Protection Act protects consumers from identity theft by giving them control over the release of their credit reports.
SECTION 1. SHORT TITLE
This Act shall be called the “Security Freeze Identity Protection Act.”
SECTION 2. FINDINGS AND PURPOSE
(A) FINDINGS—The legislature finds that:
1. Identity theft is one of the fastest growing crimes in America.
2. Businesses and individuals alike lose billions of dollars each year because of fraud associated with identity theft.
3. If empowered to place a security freeze on their credit reports, customers could prevent new account fraud.
(B) PURPOSE—This law is enacted to protect individuals and businesses from crimes resulting from identity theft.
SECTION 3. SECURITY FREEZE IDENTITY PROTECTION
(A) DEFINITIONS—In this section:
1. “Credit reporting agency” means a person, corporation or other entity that regularly engages in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing credit reports to third parties.
2. “Credit report” means information that bears on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used, or serves as a factor, in establishing a consumer’s eligibility for credit or insurance.
3. “Security freeze” means a consumer’s directive that prohibits a credit reporting agency from releasing any part of the consumer’s credit report or any information derived from it to a third party without prior express authorization from the consumer.
(B) SECURITY FREEZE
1. A consumer may direct a credit reporting agency to place a security freeze on his or her credit report. Such a directive may be delivered to the credit reporting agency in writing, by telephone, or through a secure Internet connection. By January 1, 2007, credit reporting agencies shall make a secure Internet connection available to customers for this purpose.
2. A credit reporting agency shall implement the customer’s security freeze no later than five business days after it receives a directive in writing or by telephone, and no later than three business days after it receives a directive through a secure Internet connection. By July 1, 2007, a credit reporting agency shall implement a customer’s security freeze no later than three business days after it receives a directive in writing or by telephone, and no later than one business day after it receives a directive through a secure Internet connection. By July 1, 2008, a credit reporting agency shall implement a consumer’s security freeze no later than one business day after it receives a directive in writing, by telephone, or through a secure Internet connection.
3. No later than five business days after it implements a security freeze, a credit reporting agency shall send to the consumer, by first-class mail, a unique personal identification number or password to be used by the consumer to authorize the release of his or her credit record. By July 1, 2007, a credit reporting agency shall send the unique personal identification number or password no later than one business day after it implements a security freeze.
4. After a security freeze is implemented, the consumer may authorize release of his or her credit report by contacting a credit reporting agency in writing, by telephone, or through a secure Internet connection and providing:
a. The consumer’s name, address and date of birth;
b. The consumer’s unique personal identification number or password; and
c. Instructions that specify: the third party that is to receive the credit report, a limited time period during which the credit report shall be available to any user of credit reports, or that the security freeze is permanently removed. No fewer than five days before a security freeze is permanently removed, the credit reporting agency shall notify the consumer, by first-class mail, of the impending removal.
5. A credit reporting agency shall release a consumer’s credit report no later than three business days after a consumer authorizes the release. By July 1, 2007, a credit reporting agency shall release a consumer’s credit report no later than one business day after a consumer authorizes the release. By July 1, 2008, a credit reporting agency shall release a consumer’s credit report no later than 15 minutes after a consumer authorizes the release.
6. A credit reporting agency shall not state or imply to a third party that the consumer’s security freeze reflects a negative credit score, history, report or rating.
7. This section shall not apply to the receipt of a credit report by:
a. A person, corporation or other entity, or its subsidiary, affiliate, agent or assignee, that is a creditor of the consumer and that is receiving the credit report for the purpose of reviewing an existing account or collecting an existing financial obligation.
b. A subsidiary, affiliate, agent or assignee of a third party that was authorized by the consumer to receive his or her credit report pursuant to paragraph 4.
c. A person acting pursuant to a court order, warrant or subpoena.
d. A state or local agency which administers a program to establish and enforce child support obligations.
e. The [State health department] or its agents or assignees acting to investigate fraud.
f. The [State tax authority] or its agents or assignees acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities.
g. A person for the purposes of prescreening as defined by the federal Fair Credit Reporting Act.
h. A person who administers a credit file monitoring subscription service to which the consumer has subscribed.
i. A person for the purpose of providing a consumer with a copy of his or her credit report upon the consumer’s request.
8. A consumer shall not be charged for any services associated with a security freeze, except the replacement of a unique personal identification number or password, for which the customer may be charged not more than five dollars.
9. If a credit reporting agency wrongly releases information that is subject to a security freeze, the credit reporting agency shall notify the affected consumer within five business days, and shall specify the information that was released and the third party that received it.
(C) NOTICE OF RIGHTS—At any time that a consumer is required to receive a summary of rights under Section 609 of the federal Fair Credit Reporting Act or under [cite state law], the following notice shall be included:
“[State] Consumers Have the Right to Obtain a Security Freeze
You may obtain a security freeze on your credit report at no charge to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a security freeze on your credit report pursuant to [cite state law].
The security freeze will prohibit a credit reporting agency from releasing any information in your credit report without your express authorization or approval.
The security freeze is designed to prevent credit, loans and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided a personal identification number or password to use if you choose to remove the security freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or for a specific period of time after the freeze is in place. To provide that authorization, you must contact the credit reporting agency and provide all of the following:
1. The unique personal identification number or password provided by the credit reporting agency.
2. Proper identification to verify your identity.
3. Proper information regarding the third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report.
A security freeze does not apply to circumstances in which you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for account review, collection, fraud control or similar activities.
If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze—either completely or specifically for a certain creditor—with enough advance notice before you apply for new credit for the lift to take effect. Until July 1, 2008, you should lift the freeze at least three business days before applying; between July 1, 2008 and July 1, 2009 you should lift the freeze at least one business day before applying; and after July 1, 2009 you should lift the freeze at least 15 minutes before applying for a new account.
You have a right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer reporting agency or a user of your credit report.”
(D) ENFORCEMENT
1. The Secretary of the [Department of Consumer Affairs] shall promulgate such regulations as are necessary to enforce this section. Regulations shall include procedures to receive, investigate and attempt to resolve complaints; issue civil penalties when warranted, not to exceed $10,000 for each violation; and bring actions for damages and injunctive relief, when necessary, in any court of competent jurisdiction.
2. An aggrieved consumer may bring a private cause of action for damages caused by violation of this section, and injunctive relief from future violations. If the consumer wins damages or injunctive relief, he or she may be awarded reasonable attorney’s fees, investigative expenses, and court costs.
3. Each violation of a security freeze shall be counted as a separate incident for purposes of imposing penalties under this section.
SECTION 4. SEVERABILITY
The provisions of this Act shall be severable, and if any phrase, clause, sentence or provision is declared to be invalid or is preempted by federal law or regulation, the validity of the remainder of this Act shall not be affected.
SECTION 5. EFFECTIVE DATE
This Act shall take effect on July 1, 2007.