0353L.01I    D. ADAM CRUMBLISS, Chief Clerk



To amend chapter 407, RSMo, by adding thereto three new sections relating to release of personal information to unauthorized persons, with penalty provisions for a certain section.

Be it enacted by the General Assembly of the state of Missouri, as follows:

            Section A. Chapter 407, RSMo, is amended by adding thereto three new sections, to be known as sections 407.1400, 407.1402, and 407.1404, to read as follows:

            407.1400. 1. Except as otherwise allowed by state or federal law, or unless consent has been provided as it is established in this section, financial institutions, their officers, employees, agents, and directors shall not disclose to any person any financial information relating to a customer.

            2. A governmental agency or law enforcement agency may obtain customer information from a financial institution under a judicial or administrative subpoena duces tecum served on the financial institution, if there is reason to believe that the customer information sought is relevant to a proper law enforcement objective or is otherwise authorized by law.

            3. A governmental agency or law enforcement agency may obtain customer information from a financial institution under a search warrant if it obtains the search warrant under the rules of criminal procedure of this state.

            4. No consent or waiver shall be required as a condition of doing business with any financial institution, and any consent or waiver obtained from a customer as a condition of doing business with a financial institution shall not be deemed a consent of the customer for the purpose of this section.

            5. Valid consent shall be in writing and signed by the customer. In consenting to disclosure of customer information, a customer may specify any of the following:

            (1) The time during which such consent will operate;

            (2) The customer information to be disclosed; and

            (3) The persons, government agencies, or law enforcement agencies to which disclosure can be made.

            407.1402. 1. Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach. Notification shall be made to any resident of the state whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible, but no more than thirty days after such breach has been discovered.

            2. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

            3. For purposes of this section, "breach of security of the system" shall mean unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business or person. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business shall not be considered a breach of security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

            4. For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

            (1) Social Security number;

            (2) Driver's license number;

            (3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.


For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

            5. For purposes of this section, "notice" may be provided by one of the following methods:

            (1) Written notice;

            (2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code;

            (3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

            (a) E-mail notice when the agency has an e-mail address for the subject persons;

            (b) Conspicuous posting of the notice on the agency's website, if the agency maintains one; and

            (c) Notification to major statewide media.

            6. Notwithstanding subsection 5 of this section, an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

            7. Any person or business who violates the provisions of this section shall be guilty of a class A misdemeanor and, upon conviction, shall be punished by a fine of up to one thousand dollars for each and every act or violation, by imprisonment in the county jail for a term not to exceed one year, or by both at the discretion of the court.

            407.1404. 1. A consumer may elect to place a security alert in his or her credit report by making a request in writing or by telephone to a consumer credit reporting agency. "Security alert" means a notice placed in a consumer's credit report, at the request of the consumer, that notifies a recipient of the credit report that the consumer's identity may have been used without the consumer's consent to fraudulently obtain goods or services in the consumer's name.

            2. A consumer credit reporting agency shall notify each person requesting consumer credit information with respect to a consumer of the existence of a security alert in the credit report of that consumer, regardless of whether a full credit report, credit score, or summary report is requested.

            3. Each consumer credit reporting agency shall maintain a toll-free telephone number to accept security alert requests from consumers twenty-four hours a day, seven days a week.

            4. The toll-free telephone number shall be included in any written disclosure by a consumer credit reporting agency to any consumer under section 407.1914 and shall be printed in a clear and conspicuous manner.

            5. A consumer credit reporting agency shall place a security alert on a consumer's credit report no later than five business days after receiving a request from the consumer.

            6. The security alert shall remain in place for at least ninety days, and a consumer shall have the right to request a renewal of the security alert.