[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3316 Introduced in House (IH)]







110th CONGRESS
  1st Session
                                H. R. 3316

   To amend the Fair Credit Reporting Act to provide individuals the 
   ability to control access to their credit reports, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             August 2, 2007

 Mrs. Maloney of New York (for herself and Mr. Gillmor) introduced the 
   following bill; which was referred to the Committee on Financial 
                                Services

_______________________________________________________________________

                                 A BILL


 
   To amend the Fair Credit Reporting Act to provide individuals the 
   ability to control access to their credit reports, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Identity Theft Protection Act of 
2007''.

SEC. 2. PROTECTION OF DATA THROUGH SECURITY FREEZE.

    (a) In General.--The Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.) is amended by inserting after section 605B (relating to block 
resulting from identity theft) the following new section:
``Sec. 605C. Protection of data through security freeze
    ``(a) In General.--
            ``(1) Emplacement.--
                    ``(A) Consumer request.--A consumer may place a 
                security freeze on the consumer report of the consumer 
                by making a request to a consumer reporting agency in 
                writing, by telephone, by fax, or by a secure 
                electronic method.
                    ``(B) Availability of methods for making 
                requests.--A consumer reporting agency shall maintain, 
                in addition to a mailing address, telephone, fax, and 
                electronic communication access for consumers to make 
                requests for--
                            ``(i) security freezes under this 
                        paragraph; and
                            ``(ii) removal or temporary suspensions of 
                        existing security freezes under subsection (c).
                    ``(C) Confirmation of action on request.--With 
                respect to each request under subparagraph (A) for a 
                security freeze, a consumer reporting agency shall--
                            ``(i) send a written confirmation of the 
                        security freeze to the consumer within 3 
                        business days of placing the freeze; and
                            ``(ii) at the same time shall provide the 
                        consumer with a unique personal identification 
                        number (hereafter in this section referred to 
                        as a `PIN') or password to be used by the 
                        consumer when providing authorization for the 
                        release of the credit report or information 
                        from it for a specific period of time.
            ``(2) Centralized source for freeze placement.--
                    ``(A) In general.--The Commission shall prescribe 
                regulations applicable to consumer reporting agencies 
                to require the establishment of--
                            ``(i) a centralized source, that meets the 
                        requirements of subparagraph (B), through which 
                        consumers can make a single request for--
                                    ``(I) a security freeze on the 
                                consumer report of the consumer as 
                                provided in paragraph (1)(A) from each 
                                consumer reporting agency; or
                                    ``(II) the suspension or removal of 
                                such freeze under subsection (c); and
                            ``(ii) a standardized form for a consumer 
                        to make such a request for a security freeze on 
                        the consumer report of the consumer, or the 
                        suspension or removal of such freeze, in 
                        writing, by telephone, by fax, and by secure 
                        electronic method.
                    ``(B) Requirements for centralized source system.--
                A centralized source established pursuant to 
                subparagraph (A) meets the requirements of this 
                subparagraph if--
                            ``(i) the consumer is not required to 
                        request the placement, suspension, or removal 
                        of the security freeze from such centralized 
                        source and shall be able to use any means 
                        specified in subsection (a)(1)(A) to request 
                        the placement, suspension, or removal of the 
                        security freeze from each such consumer 
                        reporting agency individually;
                            ``(ii) the centralized source may be used 
                        solely for consumer requests to place, suspend, 
                        or remove a security freeze and to provide 
                        information about placement, suspension, or 
                        removal of the freeze; and
                            ``(iii) the centralized source, with 
                        respect to a single request for the placement, 
                        suspension, or removal of a security freeze 
                        under paragraph (1)(A) or subsection (c) by a 
                        consumer, provides for such request to be made 
                        in all of the following methods, at the 
                        discretion of the consumer:
                                    ``(I) A toll-free telephone for 
                                such purpose.
                                    ``(II) Use of a secure Internet web 
                                site for such purpose.
                                    ``(III) A process for submitting a 
                                written request for such purpose.
                                    ``(IV) A process for use of toll-
                                free fax number for such purpose.
                    ``(C) Information about placement, suspension or 
                removal.--For purposes of subparagraph (B)(ii), the 
                term `information about placement, suspension or 
                removal'--
                            ``(i) includes--
                                    ``(I) general information about the 
                                security freeze;
                                    ``(II) information on how to place, 
                                suspend or remove a security freeze;
                                    ``(III) information on the benefits 
                                of placing a security freeze;
                                    ``(IV) information about Federal 
                                and State consumer security freeze 
                                rights, including fee waivers;
                                    ``(V) information about a 
                                consumer's right to a free annual 
                                credit report from the credit reporting 
                                agencies provided for by section 612; 
                                and
                                    ``(VI) other information related to 
                                the function, placement, and use of the 
                                freeze; and
                            ``(ii) does not include any information 
                        about products or services other than or in 
                        addition to the security freeze offered by the 
                        credit reporting agency or third parties for a 
                        fee, links to web sites of such credit 
                        reporting agencies or third parties offering 
                        products or services for a fee, or other 
                        marketing information.
            ``(3) Consumer disclosure.--If a consumer requests a 
        security freeze, the consumer reporting agency shall disclose 
        to the consumer--
                    ``(A) the process of placing and removing the 
                security freeze;
                    ``(B) the potential consequences of the security 
                freeze; and
                    ``(C) the following statement:
                ```Disclosure relating to security freeze.--A security 
                freeze gives you the ability to ``freeze'' or prevent 
                access to your credit file by anyone trying to open up 
                a new account or to receive new credit in your name. 
                Before you place a security freeze you should have a 
                clear understanding of how a freeze works and the 
                consequences. When a security freeze is in place, an 
                identity thief cannot open a new account in your name 
                because the potential creditor or seller of services 
                will not be able to check your credit file. When you 
                are applying for credit, you can temporarily lift the 
                freeze using a personal identification number (PIN) so 
                that legitimate applications for credit or services can 
                be processed. Without lifting the freeze, you will not 
                be able to get new credit. A freeze does not affect 
                your ability to use your existing lines of credit such 
                as your present credit cards, mortgage, or car 
                loan.'''.
    ``(b) Effect of Security Freeze.--
            ``(1) Release of information blocked.--If a security freeze 
        is in place on a consumer report of a consumer, a consumer 
        reporting agency may not release the consumer report or 
        information from the consumer report to a third party without 
        prior express authorization from the consumer.
            ``(2) Information provided to third parties.--Paragraph (1) 
        shall not be construed as preventing a consumer reporting 
        agency from advising a third party that a security freeze is in 
        effect with respect to a consumer report of a consumer.
            ``(3) Treatment as incomplete application.--If a third 
        party, in connection with an application for credit, requests 
        access to a consumer report on which a security freeze is in 
        place, the third party may treat the application as incomplete.
    ``(c) Removal; Temporary Suspensions.--
            ``(1) In general.--Except as provided in paragraph (4) or 
        (5), a security freeze shall remain in place until the consumer 
        requests that the security freeze be removed in any manner in 
        which a security freeze may be requested under subsection 
        (a)(1)(A) or through a centralized source established under 
        subsection (a)(2).
            ``(2) Conditions.--A consumer reporting agency may remove a 
        security freeze placed on the consumer report of a consumer 
        only--
                    ``(A) upon the consumer's request, pursuant to 
                paragraph (1) if accompanied by appropriate 
                identification of the consumer and the appropriate 
                unique PIN or password provided in accordance with 
                subsection (a)(1)(C)(ii); or
                    ``(B) if the agency determines that the consumer 
                report of a consumer was frozen due to a material 
                misrepresentation of fact by the consumer.
            ``(3) Notification to consumer.--If a consumer reporting 
        agency intends to remove a freeze upon the consumer report of a 
        consumer pursuant to paragraph (2)(B), the consumer reporting 
        agency shall notify the consumer in writing prior to removing 
        the freeze on the consumer report.
            ``(4) Temporary suspension for specified time period.--A 
        consumer may have a security freeze on the consumer report of 
        the consumer temporarily suspended for a specified period of 
        time by making a request to a consumer reporting agency--
                    ``(A) in any manner in which a security freeze may 
                be requested under subsection (a)(1)(A) or through a 
                centralized source established under subsection (a)(2), 
                if accompanied by appropriate identification of the 
                consumer and the appropriate unique PIN or password 
                provided in accordance with subsection (a)(1)(C)(ii); 
                and
                    ``(B) specifying the beginning and ending dates for 
                the period during which the security freeze is not to 
                apply to the consumer report of the consumer.
            ``(5) Confirmation.--Whenever a consumer reporting agency 
        removes or temporarily suspends a security freeze on the 
        consumer report of a consumer at the request of that consumer 
        under this subsection, the consumer reporting agency shall send 
        a written confirmation of such action to the consumer within 3 
        business days after removing or temporarily suspending the 
        security freeze on the consumer report.
    ``(d) Use of Identification Information.--
            ``(1) In general.--Any information requested by a consumer 
        reporting agency for the purpose of identifying a consumer in 
        order to place, lift, or remove a security freeze or to replace 
        a lost PIN or password may not be used by the consumer 
        reporting agency for any other purpose.
            ``(2) Rule of construction.--Paragraph (1) shall not be 
        construed as limiting the use by a consumer reporting agency of 
        information described in such paragraph that was acquired by 
        the consumer reporting agency in any other manner or for any 
        other purpose.
    ``(e) Response Times.--
            ``(1) In general.--A consumer reporting agency shall--
                    ``(A) place a security freeze on the consumer 
                report of a consumer in accordance with subsection (a) 
                not later than 1 business day after receiving a request 
                from the consumer under subsection (a)(1); and
                    ``(B) remove, or temporarily suspend, a security 
                freeze in accordance with subsection (c) within 1 
                business day after--
                            ``(i) receiving a request by mail or fax 
                        for removal or temporary suspension of the 
                        freeze from the consumer under subsection (c); 
                        or
                            ``(ii) receiving such a request from a 
                        consumer by telephone, fax, or a secure 
                        electronic method in any case in which 
                        paragraph (2)(A) does not apply pursuant to 
                        paragraph (2)(B).
            ``(2) Fast response to request by telephone or a secure 
        electronic method.--
                    ``(A) In general.--Subject to subparagraph (B), a 
                consumer reporting agency shall remove, or temporarily 
                suspend, a security freeze in accordance with 
                subsection (c) within 15 minutes of receiving a request 
                for removal or temporary suspension of the freeze from 
                the consumer by telephone or a secure electronic 
                method.
                    ``(B) Exception.--Subparagraph (A) shall not apply 
                to a request by consumer if--
                            ``(i) the consumer fails to meet the 
                        requirements of paragraph (2)(A), (4), or (5) 
                        of subsection (c); or
                            ``(ii) the ability of the consumer 
                        reporting agency to remove the security freeze 
                        within 15 minutes is prevented by--
                                    ``(I) an act of God, including 
                                fire, earthquakes, hurricanes, storms, 
                                or similar natural disaster or 
                                phenomena;
                                    ``(II) unauthorized or illegal acts 
                                by a third party, including terrorism, 
                                sabotage, riot, vandalism, labor 
                                strikes or disputes disrupting 
                                operations, or similar occurrence;
                                    ``(III) operational interruption, 
                                including electrical failure, 
                                unanticipated delay in equipment or 
                                replacement part delivery, computer 
                                hardware or software failures 
                                inhibiting response time, or similar 
                                disruption;
                                    ``(IV) governmental action, 
                                including emergency orders or 
                                regulations, judicial or law 
                                enforcement action, or similar 
                                directives;
                                    ``(V) regularly scheduled 
                                maintenance, during other than normal 
                                business hours, of, or updates to, the 
                                consumer reporting agency's systems; or
                                    ``(VI) commercially reasonable 
                                maintenance of, or repair to, the 
                                consumer reporting agency's systems 
                                that is unexpected or unscheduled.
    ``(f) Exceptions.--This section shall not apply to the use of a 
consumer credit report by any of the following:
            ``(1) A person or entity, or an affiliate or agent of that 
        person or entity, or an assignee of a financial obligation 
        owing by the consumer to that person or entity, or a 
        prospective assignee of a financial obligation owing by the 
        consumer to that person or entity in conjunction with the 
        proposed purchase of the financial obligation, with which the 
        consumer has or had prior to assignment an account or contract, 
        including a demand deposit account, or to whom the consumer 
        issued a negotiable instrument, for the purposes of reviewing 
        the account or collecting the financial obligation owing for 
        the account, contract, or negotiable instrument.
            ``(2) Any Federal, State or local agency, law enforcement 
        agency, trial court, or private collection agency acting 
        pursuant to a court order, warrant, or subpoena.
            ``(3) A child support agency or its agents or assigns 
        acting pursuant to subtitle D of title IV of the Social 
        Security Act or similar State law.
            ``(4) The Department of Health and Human Services, a 
        similar State agency, or the agents or assigns of the Federal 
        or State agency acting to investigate medicare or medicaid 
        fraud.
            ``(5) The Internal Revenue Service or a State or municipal 
        taxing authority, or a State department of motor vehicles, or 
        any of the agents or assigns of these Federal, State, or 
        municipal agencies acting to investigate or collect delinquent 
        taxes or unpaid court orders or to fulfill any of their other 
        statutory responsibilities.
            ``(6) The use of consumer credit information for the 
        purposes of prescreening as provided under this title.
            ``(7) Any person or entity administering a credit file 
        monitoring subscription to which the consumer has subscribed.
            ``(8) Any person or entity for the purpose of providing a 
        consumer with a copy of his or her credit report or credit 
        score upon the consumer's request.
    ``(g) Fees.--
            ``(1) In general.--
                    ``(A) Certain reasonable fees allowed.--Except as 
                provided in paragraph (2), a consumer reporting agency 
                may charge--
                            ``(i) a fee of not to exceed $10 for 
                        placing a security freeze on the consumer 
                        report of a consumer; and
                            ``(ii) an annual renewal fee of not to 
                        exceed $10 for maintaining such security freeze 
                        after the first year.
                    ``(B) Other fees prohibited.--No fee may be charged 
                for any service in connection with a security freeze, 
                including for removing or temporarily suspending the 
                security freeze, except the fees authorized under 
                subparagraph (A).
            ``(2) ID theft victims.--
                    ``(A) In general.--A consumer reporting agency may 
                not charge a fee for placing or maintaining a security 
                freeze on the consumer report of a consumer if--
                            ``(i) the consumer--
                                    ``(I) is a victim of identity 
                                theft; and
                                    ``(II) has filed a police report, 
                                investigative report, or complaint made 
                                to a police department with respect to 
                                the theft; or
                            ``(ii) the consumer is the recipient of a 
                        notice that a breach of data security has 
                        occurred with respect to sensitive personal 
                        information of the consumer.
                    ``(B) Liability of responsible entity for costs.--
                Any person or entity who commits identity theft or is 
                responsible for a breach of data security with respect 
                to any consumer referred to in subparagraph (A) shall 
                be liable to any consumer reporting agency for the cost 
                of placing and maintaining a security freeze on the 
                consumer report of the consumer.
    ``(h) Notice to Consumers of Freeze Option.--
            ``(1) In general.--Each consumer reporting agency that 
        makes information publicly available on the World Wide Web 
        shall include, at the first location accessible by the general 
        consumer public, a link to a location at which the consumer can 
        place the security freeze by a secure electronic connection and 
        a link to a location where the consumer can review instructions 
        to obtain the security freeze by all available methods for 
        obtaining such a freeze.
            ``(2) Format requirements.--The link referred to in 
        paragraph (1) shall be at least as conspicuous, including in 
        size, font, color and visibility, as any other service which is 
        marketed or offered to consumers at the first location 
        accessible by the general consumer public.
    ``(i) Limitation on Information Changes in Frozen Reports.--
            ``(1) In general.--If a security freeze is in place on the 
        consumer report of a consumer, a consumer reporting agency may 
        not change any of the following official information in that 
        consumer report without sending a written confirmation of the 
        change to the consumer within 30 days after the change is made:
                    ``(A) Name.
                    ``(B) Date of birth.
                    ``(C) Social Security number.
                    ``(D) Address.
            ``(2) Confirmation.--
                    ``(A) In general.--Paragraph (1) shall not be 
                construed as requiring written confirmation for 
                technical modifications of a consumer's official 
                information, including name and street abbreviations, 
                complete spellings, or transposition of numbers or 
                letters.
                    ``(B) Old and new addresses.--In the case of an 
                address change, the written confirmation shall be sent 
                to both the new address and to the former address.
    ``(j) Certain Exemptions.--
            ``(1) Aggregators and other agencies.--
                    ``(A) In general.--The provisions of subsections 
                (a) through (h) shall not apply to a consumer reporting 
                agency that acts only as a reseller of credit 
                information by assembling and merging information 
                contained in the data base of another consumer 
                reporting agency or multiple consumer reporting 
                agencies, and does not maintain a permanent data base 
                of consumer information from which new consumer reports 
                are produced.
                    ``(B) Further distribution prohibited.--Each 
                consumer reporting agency described in subparagraph (A) 
                shall be subject to the security freeze placed on the 
                consumer report of any consumer and no such agency may 
                distribute any information from the consumer report of 
                such consumer in contravention of the security freeze 
                while such freeze is in effect.
            ``(2) Other exempted entities.--The following entities 
        shall not be required to place a security freeze in a consumer 
        report under this section:
                    ``(A) A check services or fraud prevention services 
                company, which issues reports on incidents of fraud or 
                authorizations for the purpose of approving or 
                processing negotiable instruments, electronic funds 
                transfers, or similar methods of payments.
                    ``(B) A deposit account information service 
                company, which issues reports regarding account 
                closures due to fraud, substantial overdrafts, 
                automated teller machine abuse, or similar negative 
                information regarding a consumer, to inquiring 
                depository institutions or other financial institutions 
                for use only in reviewing a consumer request for a 
                deposit account at the inquiring depository institution 
                or other financial institution.
            ``(3) Exempted databases.--This section shall not apply a 
        database or file maintained by a consumer reporting agency that 
        is used solely for any of the following purposes:
                    ``(A) Criminal record information.
                    ``(B) Fraud prevention or detection.
                    ``(C) Tenant screening.
                    ``(D) Employee screening.''.
    (b) Effective Date.--The amendment made by subsection (a) shall 
take effect at the end of the 6-month period beginning on the date of 
the enactment of this Act.
                                 <all>