SECOND REGULAR SESSION
HOUSE BILL NO. 1746
94TH GENERAL ASSEMBLY
INTRODUCED BY REPRESENTATIVES LAMPE (Sponsor), TALBOY, DARROUGH, LeVOTA, SCHIEFFER, HUGHES, HARRIS (110), BAKER (25), MEINERS, WILDBERGER, CURLS AND OXFORD (Co-sponsors).
Read 1st time January 22, 2008 and copies ordered printed.
D. ADAM CRUMBLISS, Chief Clerk
To repeal section 570.223, RSMo, and to enact in lieu thereof eleven new sections relating to identity theft, with penalty provisions.
Be it enacted by the General Assembly of the state of Missouri, as follows:
Section A. Section 570.223, RSMo, is repealed and eleven new sections enacted in lieu thereof, to be known as sections 407.1650, 407.1653, 407.1656, 407.1659, 407.1662, 407.1665, 407.1668, 407.1671, 407.1674, 407.1677, and 570.223, to read as follows:
407.1650. As used in sections 407.1650 to 407.1677 the following terms mean:
(1) "Breach of security of the system", unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business or person. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business shall not be considered a breach of security of the system, provided that the personal information is not used or subject to further unauthorized disclosure;
(2) "Personal information", an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(a) Social Security number;
(b) Driver's license number;
(c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records;
(3) "Proper identification", any document that identifies an individual and may include, but not be limited to, the individual's photograph, Social Security number, driver's identification number, name, address, and telephone number;
(4) "Security alert", a notice placed in a consumer's credit report, at the request of the consumer, that notifies a recipient of the credit report that the consumer's identity may have been used without the consumer's consent to fraudulently obtain goods or services in the consumer's name;
(5) "Security freeze", a notice placed in a consumer's credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer credit reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer.
407.1653. 1. Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach. Notification shall be made to any resident of the state whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible, but no later than thirty days after such breach has been discovered.
2. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
3. For purposes of this section notification may be provided by one of the following methods:
(1) Written notice;
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code;
(3) Substitute notification, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand, or the agency does not have sufficient contact information. Substitute notification shall consist of all of the following:
(a) E-mail notice when the agency has an e-mail address for the persons;
(b) Conspicuous posting of the notice on the agency's web site, if the agency maintains one; and
(c) Notification to major statewide media.
4. An agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system. The agency shall provide a copy of the notification procedures to the attorney general.
5. Any person or business who violates the provisions of this section shall be guilty of a class A misdemeanor and, upon conviction, shall be punished by a fine of up to one thousand dollars for each and every act or violation, by imprisonment in the county jail for a term not to exceed one year, or by both at the discretion of the court.
407.1656. 1. A consumer may elect to place a security alert in his or her credit report by making a request in writing or by telephone to a consumer credit reporting agency.
2. A consumer credit reporting agency shall notify each person requesting consumer credit information with respect to a consumer of the existence of a security alert in the credit report of that consumer, regardless of whether a full credit report, credit score, or summary report is requested.
3. Each consumer credit reporting agency shall maintain a toll-free telephone number to accept security alert requests from consumers twenty-four hours a day, seven days a week.
4. The toll-free telephone number shall be included in any written disclosure by a consumer credit reporting agency to any consumer under section 407.1671 and shall be printed in a clear and conspicuous manner.
5. A consumer credit reporting agency shall place a security alert on a consumer's credit report no later than five business days after receiving a request from the consumer.
6. The security alert shall remain in place for at least ninety days, and a consumer shall have the right to request a renewal of the security alert.
7. If a consumer has placed a security alert, a consumer credit reporting agency shall provide the consumer, upon request, with a free copy of his or her credit report at the time the ninety-day security alert period expires.
407.1659. 1. A consumer may elect to place a security freeze on his or her credit report by making a request in writing by certified mail to a consumer credit reporting agency. If a security freeze is in place, information from a consumer's credit report may not be released to a third party without prior express authorization from the consumer. This subsection does not prevent a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.
2. A consumer credit reporting agency shall place a security freeze on a consumer's credit report no later than five business days after receiving a written request from the consumer.
3. The consumer credit reporting agency shall send a written confirmation of the security freeze to the consumer within ten business days and shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit for a specific party or period of time.
4. If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer credit reporting agency, request that the freeze be temporarily lifted, and provide the following:
(1) Proper identification;
(2) The unique personal identification number or password provided by the credit reporting agency to the consumer;
(3) The proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.
5. A consumer credit reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report under subsection 4 of this section, shall comply with the request no later than three business days after receiving the request.
6. A consumer credit reporting agency may develop procedures involving the use of telephone, fax, the Internet, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report under subsection 4 of this section in an expedited manner.
7. A consumer credit reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only in the following cases:
(1) Upon consumer request, under subsection 4 or 10 of this section;
(2) If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer credit reporting agency intends to remove a freeze upon a consumer's credit report under this subdivision, the consumer credit reporting agency shall notify the consumer in writing prior to removing the freeze on the consumer's credit report.
8. If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.
9. If a consumer requests a security freeze, the consumer credit reporting agency shall disclose the process of placing and temporarily lifting a freeze, and the process for allowing access to information from the consumer's credit report for a specific party or period of time while the freeze is in place.
10. A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer credit reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both of the following:
(1) Proper identification;
(2) The unique personal identification number or password provided by the credit reporting agency to the consumer.
11. The provisions of this section do not apply to the use of a consumer credit report by any of the following:
(1) A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purpose of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument. For purposes of this subdivision, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements;
(2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subdivision (3) of subsection 4 of this section for purposes of facilitating the extension of credit or other permissible use;
(3) Any state or local agency, law enforcement agency, trial court, or private collection agency acting under a court order, warrant, or subpoena;
(4) A child support agency;
(5) The department of health and senior services, the attorney general, or their agents or assigns acting to investigate Medicaid fraud;
(6) The state tax commission or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;
(7) The use of credit information for the purpose of prescreening as provided for by the Federal Fair Credit Reporting Act;
(8) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed;
(9) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request.
12. The provisions of sections 407.1650 to 407.1677 do not prevent a consumer credit reporting agency from charging a fee of no more than ten dollars to a consumer for each freeze, removal of the freeze, or temporary lift of the freeze for a period of time, or a fee of no more than twelve dollars for a temporary lift of a freeze for a specific party, regarding access to a consumer credit report, except that a consumer credit reporting agency may not charge a fee to a victim of identity theft who has submitted a valid police report or a consumer sixty-five years of age or older. However, if the consumer credit reporting agency relies on a consumer's material misrepresentation of fact, the agency may charge the consumer for any costs incurred as a result of such reliance on the misrepresentation.
407.1662. If a security freeze is in place, a consumer credit reporting agency shall not change any of the following official information in a consumer credit report without sending a written confirmation of the change to the consumer within thirty days of the change being posted to the consumer's file: name, date of birth, Social Security number, and address. Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.
407.1665. The provisions of sections 407.1653 to 407.1662 do not apply to a consumer credit reporting agency that acts only as a resaler of credit information by assembling and merging information contained in the database of another consumer credit reporting agency or multiple consumer credit reporting agencies, and does not maintain a permanent database of credit information from which new consumer credit reports are produced. However, a consumer credit reporting agency shall honor any security freeze placed on a consumer credit report by another consumer credit reporting agency.
407.1668. The following entities are not required to place in a credit report either a security alert or a security freeze:
(1) A check services or fraud prevention services company, which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments;
(2) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.
407.1671. Any written disclosure by a consumer credit reporting agency to any consumer under this section shall include a written summary of all rights the consumer has under this section and in the case of a consumer credit reporting agency which compiles and maintains consumer credit reports on a nationwide basis, a toll-free telephone number which the consumer can use to communicate with the consumer credit reporting agency. The written summary of rights required under this section is sufficient if in substantially the following form:
Missouri Consumers Have the Right to Obtain a Security Freeze
You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a security freeze on your credit report under Missouri law. The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report for a specific party, parties, or period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide all of the following:
(1) The unique personal identification number or password provided by the consumer reporting agency;
(2) Proper identification to verify your identity;
(3) The proper information regarding third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report. A security freeze does not apply to circumstances in which you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control, or similar activities. If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around, or specifically for a certain creditor, a few days before actually applying for new credit.
You have a right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer reporting agency or a user of your credit;
(4) If a consumer requests information about a security freeze, he or she shall be provided with the notice provided in this section and with any other information, as prescribed by the attorney general by regulation, about how to place, temporarily lift, and permanently lift a security freeze.
407.1674. Any person who willfully fails to comply with any requirement imposed under sections 407.1650 to 407.1677 with respect to any consumer is liable to that consumer in an amount equal to the sum of:
(1) Any actual damages sustained by the consumer as a result of the failure; and
(2) Such amount of punitive damages as the court may allow; and
(3) In the case of any successful action to enforce any liability under this section, the costs of the action together with reasonable attorneys' fees as determined by the court.
407.1677. Any person who is negligent in failing to comply with any requirement imposed under sections 407.1650 to 407.1677 with respect to any consumer is liable to that consumer in an amount equal to the sum of:
(1) Any actual damages sustained by the consumer as a result of the failure; and
(2) In the case of any successful action to enforce any liability under this section, the costs of the action together with any reasonable attorneys' fees as determined by the court.
570.223. 1. A person commits the crime of identity theft if he or she knowingly and with the intent to deceive or defraud obtains, possesses, transfers, uses, or attempts to obtain, transfer or use, one or more means of identification not lawfully issued for his or her use.
2. The term "means of identification" as used in this section includes, but is not limited to, the following:
(1) Social Security numbers;
(2) Drivers license numbers;
(3) Checking account numbers;
(4) Savings account numbers;
(5) Credit card numbers;
(6) Debit card numbers;
(7) Personal identification (PIN) code;
(8) Electronic identification numbers;
(9) Digital signatures;
(10) Any other numbers or information that can be used to access a person's financial resources;
(11) Biometric data;
(14) Parent's legal surname prior to marriage;
(15) Passports; [or]
(16) Birth certificates; or
(17) Telephone or cellular phone call logs.
3. A person found guilty of identity theft shall be punished as follows:
(1) Identity theft or attempted identity theft which does not result in the theft or appropriation of credit, money, goods, services, or other property is a class B misdemeanor;
(2) Identity theft which results in the theft or appropriation of credit, money, goods, services, or other property not exceeding five hundred dollars in value is a class A misdemeanor unless the person whose identification is used to commit the crime is a disabled person or elderly person as defined in section 570.145 in which case identity theft is a class D felony;
(3) Identity theft which results in the theft or appropriation of credit, money, goods, services, or other property exceeding five hundred dollars and not exceeding five thousand dollars in value is a class C felony unless the person whose identification is used to commit the crime is a disabled person or elderly person as defined in section 570.145 in which case identity theft is a class B felony;
(4) Identity theft which results in the theft or appropriation of credit, money, goods, services, or other property exceeding five thousand dollars and not exceeding fifty thousand dollars in value is a class B felony;
(5) Identity theft which results in the theft or appropriation of credit, money, goods, services, or other property exceeding fifty thousand dollars in value is a class A felony.
4. In addition to the provisions of subsection 3 of this section, the court may order that the defendant make restitution to any victim of the offense. Restitution may include payment for any costs, including attorney fees, incurred by the victim:
(1) In clearing the credit history or credit rating of the victim; and
(2) In connection with any civil or administrative proceeding to satisfy any debt, lien, or other obligation of the victim arising from the actions of the defendant.
5. In addition to the criminal penalties in subsections 3 and 4 of this section, any person who commits an act made unlawful by subsection 1 of this section shall be liable to the person to whom the identifying information belonged for civil damages of up to five thousand dollars for each incident, or three times the amount of actual damages, whichever amount is greater. A person damaged as set forth in subsection 1 of this section may also institute a civil action to enjoin and restrain future acts that would constitute a violation of subsection 1 of this section. The court, in an action brought under this subsection, may award reasonable attorneys' fees to the plaintiff.
6. If the identifying information of a deceased person is used in a manner made unlawful by subsection 1 of this section, the deceased person's estate shall have the right to recover damages pursuant to subsection 5 of this section.
7. Civil actions under this section must be brought within five years from the date on which the identity of the wrongdoer was discovered or reasonably should have been discovered.
8. Civil action pursuant to this section does not depend on whether a criminal prosecution has been or will be instituted for the acts that are the subject of the civil action. The rights and remedies provided by this section are in addition to any other rights and remedies provided by law.
9. This section and section 570.224 shall not apply to the following activities:
(1) A person obtains the identity of another person to misrepresent his or her age for the sole purpose of obtaining alcoholic beverages, tobacco, going to a gaming establishment, or another privilege denied to minors. Nothing in this subdivision shall affect the provisions of subsection 10 of this section;
(2) A person obtains means of identification or information in the course of a bona fide consumer or commercial transaction;
(3) A person exercises, in good faith, a security interest or right of offset by a creditor or financial institution;
(4) A person complies, in good faith, with any warrant, court order, levy, garnishment, attachment, or other judicial or administrative order, decree, or directive, when any party is required to do so;
(5) A person is otherwise authorized by law to engage in the conduct that is the subject of the prosecution.
10. Any person who obtains, transfers, or uses any means of identification for the purpose of manufacturing and providing or selling a false identification card to a person under the age of twenty-one for the purpose of purchasing or obtaining alcohol shall be guilty of a class A misdemeanor.
11. Notwithstanding the provisions of subdivision (1) or (2) of subsection 3 of this section, every person who has previously pled guilty to or been found guilty of identity theft or attempted identity theft, and who subsequently pleads guilty to or is found guilty of identity theft or attempted identity theft of credit, money, goods, services, or other property not exceeding five hundred dollars in value is guilty of a class D felony and shall be punished accordingly.
12. The value of property or services is its highest value by any reasonable standard at the time the identity theft is committed. Any reasonable standard includes, but is not limited to, market value within the community, actual value, or replacement value.
13. If credit, property, or services are obtained by two or more acts from the same person or location, or from different persons by two or more acts which occur in approximately the same location or time period so that the identity thefts are attributable to a single scheme, plan, or conspiracy, the acts may be considered as a single identity theft and the value may be the total value of all credit, property, and services involved.
14. It shall be unlawful for any person, without legal authorization, to purchase, sell, or otherwise obtain the telephone or cellular phone call logs of another individual without consent. Violation of the provisions of this subsection is a class B misdemeanor.