S.B. No. 473
AN ACT
relating to assisting consumers to prevent and detect identity
theft; providing penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 20.01, Business & Commerce Code, is
amended by adding Subdivisions (7) and (8) to read as follows:
(7) "Security alert" means a notice placed on a
consumer file that alerts a recipient of a consumer report
involving that consumer file that the consumer's identity may have
been used without the consumer's consent to fraudulently obtain
goods or services in the consumer's name.
(8) "Security freeze" means a notice placed on a
consumer file that prohibits a consumer reporting agency from
releasing a consumer report relating to the extension of credit
involving that consumer file without the express authorization of
the consumer.
SECTION 2. Section 20.03, Business & Commerce Code, is
amended by adding Subsection (d) to read as follows:
(d) Any written disclosure to a consumer by a consumer
reporting agency under this chapter must include a written
statement that explains in clear and simple language the consumer's
rights under this chapter and includes:
(1) the process for receiving a consumer report or
consumer file;
(2) the process for requesting or removing a security
alert or freeze;
(3) the toll-free telephone number for requesting a
security alert;
(4) applicable fees;
(5) dispute procedures;
(6) the process for correcting a consumer file or
report; and
(7) information on a consumer's right to bring an
action in court or arbitrate a dispute.
SECTION 3. Chapter 20, Business & Commerce Code, is amended
by adding Sections 20.031 through 20.039 to read as follows:
Sec. 20.031. REQUESTING SECURITY ALERT. On a request in
writing or by telephone and with proper identification provided by
a consumer, a consumer reporting agency shall place a security
alert on the consumer's consumer file not later than 24 hours after
the date the agency receives the request. The security alert must
remain in effect for not less than 45 days after the date the agency
places the security alert on the file. There is no limit on the
number of security alerts a consumer may request. At the end of a
45-day security alert, on request in writing or by telephone and
with proper identification provided by the consumer, the agency
shall provide the consumer with a copy of the consumer's file. A
consumer may include with the security alert request a telephone
number to be used by persons to verify the consumer's identity
before entering into a transaction with the consumer.
Sec. 20.032. NOTIFICATION OF SECURITY ALERT. A consumer
reporting agency shall notify a person who requests a consumer
report if a security alert is in effect for the consumer file
involved in that report and include a verification telephone number
for the consumer if the consumer has provided a number under Section
20.031.
Sec. 20.033. TOLL-FREE SECURITY ALERT REQUEST NUMBER. A
consumer reporting agency shall maintain a toll-free telephone
number that is answered at a minimum during normal business hours to
accept security alert requests from consumers. If calls are not
answered after normal business hours, an automated answering system
shall record requests and calls shall be returned to the consumer
not later than two hours after the time the normal business day
begins on the next business day after the date the call was
received.
Sec. 20.034. REQUESTING SECURITY FREEZE. (a) On written
request sent by certified mail that includes proper identification
provided by a consumer and a copy of a valid police report,
investigative report, or complaint made under Section 32.51, Penal
Code, a consumer reporting agency shall place a security freeze on a
consumer's consumer file not later than the fifth business day
after the date the agency receives the request.
(b) On written request for a security freeze provided by a
consumer under Subsection (a), a consumer reporting agency shall
disclose to the consumer the process of placing, removing, and
temporarily lifting a security freeze and the process for allowing
access to information from the consumer's consumer file for a
specific requester or period while the security freeze is in
effect.
(c) A consumer reporting agency shall, not later than the
10th business day after the date the agency receives the request for
a security freeze:
(1) send a written confirmation of the security freeze
to the consumer; and
(2) provide the consumer with a unique personal
identification number or password to be used by the consumer to
authorize a removal or temporary lifting of the security freeze
under Section 20.037.
(d) A consumer may request in writing a replacement personal
identification number or password. The request must comply with
the requirements for requesting a security freeze under Subsection
(a). The consumer reporting agency shall not later than the third
business day after the date the agency receives the request for a
replacement personal identification number or password provide the
consumer with a new unique personal identification number or
password to be used by the consumer instead of the number or
password that was provided under Subsection (c).
Sec. 20.035. NOTIFICATION OF CHANGE. If a security freeze
is in place, a consumer reporting agency shall notify the consumer
in writing of a change in the consumer file to the consumer's name,
date of birth, social security number, or address not later than 30
calendar days after the date the change is made. The agency shall
send notification of a change of address to the new address and
former address. This section does not require notice of an
immaterial change, including a street abbreviation change or
correction of a transposition of letters or misspelling of a word.
Sec. 20.036. NOTIFICATION OF SECURITY FREEZE. A consumer
reporting agency shall notify a person who requests a consumer
report if a security freeze is in effect for the consumer file
involved in that report.
Sec. 20.037. REMOVAL OR TEMPORARY LIFTING OF SECURITY
FREEZE. (a) On a request in writing or by telephone and with
proper identification provided by a consumer, including the
consumer's personal identification number or password provided
under Section 20.034, a consumer reporting agency shall remove a
security freeze not later than the third business day after the date
the agency receives the request.
(b) On a request in writing or by telephone and with proper
identification provided by a consumer, including the consumer's
personal identification number or password provided under Section
20.034, a consumer reporting agency, not later than the third
business day after the date the agency receives the request, shall
temporarily lift the security freeze for:
(1) a certain properly designated period; or
(2) a certain properly identified requester.
(c) A consumer reporting agency may develop procedures
involving the use of a telephone, a facsimile machine, the
Internet, or another electronic medium to receive and process a
request from a consumer under this section.
(d) A consumer reporting agency shall remove a security
freeze placed on a consumer file if the security freeze was placed
due to a material misrepresentation of fact by the consumer. The
consumer reporting agency shall notify the consumer in writing
before removing the security freeze under this subsection.
(e) A consumer reporting agency may not charge a fee for a
request under Subsection (a) or (b).
Sec. 20.038. EXEMPTION FROM SECURITY FREEZE. A security
freeze does not apply to a consumer report provided to:
(1) a state or local governmental entity, including a
law enforcement agency or court or private collection agency, if
the entity, agency, or court is acting under a court order, warrant,
subpoena, or administrative subpoena;
(2) a child support agency as defined by Section
101.004, Family Code, acting to investigate or collect child
support payments or acting under Title IV-D of the Social Security
Act (42 U.S.C. Section 651 et seq.);
(3) the Health and Human Services Commission acting
under Section 531.102, Government Code;
(4) the comptroller acting to investigate or collect
delinquent sales or franchise taxes;
(5) a tax assessor-collector acting to investigate or
collect delinquent ad valorem taxes;
(6) a person for the purposes of prescreening as
provided by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et
seq.), as amended;
(7) a person with whom the consumer has an account or
contract or to whom the consumer has issued a negotiable
instrument, or the person's subsidiary, affiliate, agent,
assignee, prospective assignee, or private collection agency, for
purposes related to that account, contract, or instrument;
(8) a subsidiary, affiliate, agent, assignee, or
prospective assignee of a person to whom access has been granted
under Section 20.037(b);
(9) a person who administers a credit file monitoring
subscription service to which the consumer has subscribed;
(10) a person for the purpose of providing a consumer
with a copy of the consumer's report on the consumer's request;
(11) a check service or fraud prevention service
company that issues consumer reports:
(A) to prevent or investigate fraud; or
(B) for purposes of approving or processing
negotiable instruments, electronic funds transfers, or similar
methods of payment;
(12) a deposit account information service company
that issues consumer reports related to account closures caused by
fraud, substantial overdrafts, automated teller machine abuses, or
similar negative information regarding a consumer to an inquiring
financial institution for use by the financial institution only in
reviewing a consumer request for a deposit account with that
institution; or
(13) a consumer reporting agency that:
(A) acts only to resell credit information by
assembling and merging information contained in a database of
another consumer reporting agency or multiple consumer reporting
agencies; and
(B) does not maintain a permanent database of
credit information from which new consumer reports are produced.
Sec. 20.0385. APPLICABILITY OF SECURITY ALERT AND SECURITY
FREEZE. The requirement under this chapter to place a security
alert or security freeze on a consumer file does not apply to:
(1) a check service or fraud prevention service
company that issues consumer reports:
(A) to prevent or investigate fraud; or
(B) for purposes of approving or processing
negotiable instruments, electronic funds transfers, or similar
methods of payment; or
(2) a deposit account information service company that
issues consumer reports related to account closures caused by
fraud, substantial overdrafts, automated teller machine abuses, or
similar negative information regarding a consumer to an inquiring
financial institution for use by the financial institution only in
reviewing a consumer request for a deposit account with that
institution.
Sec. 20.039. RESPECT OF SECURITY FREEZE. A consumer
reporting agency shall honor a security freeze placed on a consumer
file by another consumer reporting agency.
SECTION 4. Section 20.04, Business & Commerce Code, is
amended to read as follows:
Sec. 20.04. CHARGES FOR CERTAIN DISCLOSURES OR SERVICES.
(a) Except as provided by Subsection (b), a consumer reporting
agency may impose a reasonable charge on a consumer for the
disclosure of information pertaining to the consumer or for placing
a security freeze on a consumer file. The amount of the charge may
not exceed $8. On January 1 of each year, a consumer reporting
agency may increase the charge for disclosure to a consumer or for
placing a security freeze. The increase, if any, must be based
proportionally on changes to the Consumer Price Index for All Urban
Consumers as determined by the United States Department of Labor
with fractional changes rounded to the nearest 50 cents.
(b) A consumer reporting agency may not charge a fee for:
(1) a request by a consumer for a copy of the
consumer's file:
(A) made not later than the 60th day after the
date on which adverse action is taken against the consumer; or
(B) made on the expiration of a 45-day security
alert;
(2) notification of the deletion of information that
is found to be inaccurate or can no longer be verified sent to a
person designated by the consumer, as prescribed by Section 611 of
the Fair Credit Reporting Act (15 U.S.C. Section 1681i), as
amended;
(3) a set of instructions for understanding the
information presented on the consumer report; [or]
(4) a toll-free telephone number that consumers may
call to obtain additional assistance concerning the consumer report
or to request a security alert; or
(5) a request for a security alert made by a consumer.
SECTION 5. Chapter 20, Business & Commerce Code, is amended
by adding Sections 20.11, 20.12, and 20.13 to read as follows:
Sec. 20.11. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The
attorney general may file a suit against a person for:
(1) injunctive relief to prevent or restrain a
violation of this chapter; or
(2) a civil penalty in an amount not to exceed $2,000
for each violation of this chapter.
(b) If the attorney general brings an action against a
person under Subsection (a) and an injunction is granted against
the person or the person is found liable for a civil penalty, the
attorney general may recover reasonable expenses, court costs,
investigative costs, and attorney's fees.
(c) Each day a violation continues or occurs is a separate
violation for purposes of imposing a penalty under this section.
Sec. 20.12. DECEPTIVE TRADE PRACTICE. A violation of this
chapter is a false, misleading, or deceptive act or practice under
Subchapter E, Chapter 17.
Sec. 20.13. VENUE. An action brought under this chapter
shall be filed in a district court:
(1) in Travis County;
(2) in any county in which the violation occurred; or
(3) in the county in which the victim resides,
regardless of whether the alleged violator has resided, worked, or
done business in the county in which the victim resides.
SECTION 6. Subchapter D, Chapter 35, Business & Commerce
Code, is amended by adding Section 35.58 to read as follows:
Sec. 35.58. CONFIDENTIALITY OF SOCIAL SECURITY NUMBER.
(a) A person, other than government or a governmental subdivision
or agency, may not:
(1) intentionally communicate or otherwise make
available to the general public an individual's social security
number;
(2) display an individual's social security number on
a card or other device required to access a product or service
provided by the person;
(3) require an individual to transmit the individual's
social security number over the Internet unless the connection with
the Internet is secure or the number is encrypted;
(4) require an individual's social security number for
access to an Internet website, unless a password or unique personal
identification number or other authentication device is also
required for access; or
(5) print an individual's social security number on
any materials, except as provided by Subsection (f), that are sent
by mail, unless state or federal law requires that the individual's
social security number be included in the materials.
(b) A person that is using an individual's social security
number before January 1, 2005, in a manner prohibited by Subsection
(a) may continue that use if:
(1) the use is continuous; and
(2) the person provides annual disclosure to the
individual, beginning January 1, 2006, stating that on written
request from the individual the person will cease to use the
individual's social security number in a manner prohibited by
Subsection (a).
(c) A person, other than government or a governmental
subdivision or agency, may not deny services to an individual
because the individual makes a written request under Subsection
(b).
(d) If a person receives a written request from an
individual directing the person to stop using the individual's
social security number in a manner prohibited by Subsection (a),
the person shall comply with the request not later than the 30th day
after the date the request is received. The person may not impose a
fee or charge for complying with the request.
(e) This section does not apply to:
(1) the collection, use, or release of a social
security number that is required by state or federal law, including
Chapter 552, Government Code;
(2) the use of a social security number for internal
verification or administrative purposes;
(3) documents that are recorded or required to be open
to the public under Chapter 552, Government Code;
(4) court records; or
(5) an institution of higher education if the use of a
social security number by the institution is regulated by Chapter
51, Education Code, or another provision of the Education Code.
(f) Subsection (a)(5) does not apply to an application or
form sent by mail, including a document sent:
(1) as part of an application or enrollment process;
(2) to establish, amend, or terminate an account,
contract, or policy; or
(3) to confirm the accuracy of a social security
number.
SECTION 7. Subchapter D, Chapter 35, Business & Commerce
Code, is amended by adding Section 35.59 to read as follows:
Sec. 35.59. VERIFICATION OF CONSUMER IDENTITY. (a) In
this section:
(1) "Consumer report" has the meaning assigned by
Section 20.01.
(2) "Extension of credit" does not include an increase
in the dollar limit of an existing open-end credit plan as defined
by Regulation Z (12 C.F.R. Section 226.2), as amended, or any change
to, or review of, an existing credit account.
(3) "Security alert" has the meaning assigned by
Section 20.01.
(b) A person who receives notification of a security alert
under Section 20.032 in connection with a request for a consumer
report for the approval of a credit-based application, including an
application for an extension of credit, a purchase, lease, or
rental agreement for goods, or for an application for a
noncredit-related service, may not lend money, extend credit, or
authorize an application without taking reasonable steps to verify
the consumer's identity.
(c) If a consumer has included with a security alert a
specified telephone number to be used for identity verification
purposes, a person who receives that number with a security alert
must take reasonable steps to contact the consumer using that
number before lending money, extending credit, or completing any
purchase, lease, or rental of goods, or approving any
noncredit-related services.
(d) If a person uses a consumer report to facilitate the
extension of credit or for any other transaction on behalf of a
subsidiary, affiliate, agent, assignee, or prospective assignee,
that person, rather than the subsidiary, affiliate, agent,
assignee, or prospective assignee, may verify the consumer's
identity.
SECTION 8. Section 1701.253, Occupations Code, is amended
by adding Subsection (i) to read as follows:
(i) As part of the minimum curriculum requirements, the
commission shall establish a statewide comprehensive education and
training program on identity theft under Section 32.51, Penal Code,
for officers licensed under this chapter. An officer shall
complete a program established under this subsection not later than
the second anniversary of the date the officer is licensed under
this chapter or the date the officer applies for an intermediate
proficiency certificate, whichever date is earlier.
SECTION 9. Section 1701.402, Occupations Code, is amended
by adding Subsection (f) to read as follows:
(f) As a requirement for an intermediate proficiency
certificate, an officer must complete an education and training
program on identity theft established by the commission under
Section 1701.253(i).
SECTION 10. (a) Except as provided by Subsection (b) of
this section, this Act takes effect September 1, 2003.
(b) Section 35.58, Business & Commerce Code, as added by
this Act, takes effect January 1, 2005.
(c) The Office of Consumer Credit Commissioner shall review
the impact and efficacy of this Act and shall make a recommendation
to the lieutenant governor and the speaker of the house of
representatives not later than December 31, 2004, as to whether the
provisions of this Act should remain in effect after September 1,
2005.
(d) Not later than January 1, 2004, the Commission on Law
Enforcement Officer Standards and Education shall establish the
education and training programs on identity theft required under
Subsection (i), Section 1701.253, and Subsection (f), Section
1701.402, Occupations Code, as added by this Act.
(e) A person who, on September 1, 2003, holds an
intermediate proficiency certificate issued under Section
1701.402, Occupations Code, or has held a peace officer license
issued by the Commission on Law Enforcement Officer Standards and
Education for more than two years shall complete an educational
training program on identity theft established under Subsection
(i), Section 1701.253, Occupations Code, as added by this Act, not
later than September 1, 2005.
(f) An institution of higher education that is not subject
to the exemption prescribed by Subdivision (5), Subsection (e),
Section 35.58, Business & Commerce Code, as added by this Act, shall
begin acting in compliance with Section 35.58, Business & Commerce
Code, as added by this Act, on or before September 1, 2007.
______________________________ ______________________________
President of the Senate Speaker of the House
I hereby certify that S.B. No. 473 passed the Senate on
March 26, 2003, by a viva-voce vote; May 29, 2003, Senate refused
to concur in House amendments and requested appointment of
Conference Committee; May 30, 2003, House granted request of the
Senate; June 1, 2003, Senate adopted Conference Committee Report
by a viva-voce vote.
______________________________
Secretary of the Senate
I hereby certify that S.B. No. 473 passed the House, with
amendments, on May 25, 2003, by a non-record vote; May 30, 2003,
House granted request of the Senate for appointment of Conference
Committee; June 1, 2003, House adopted Conference Committee Report
by a non-record vote.
______________________________
Chief Clerk of the House
Approved:
______________________________
Date
______________________________
Governor