[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3766 Introduced in House (IH)]

115th CONGRESS
  1st Session
                                H. R. 3766

 To amend the Fair Credit Reporting Act to require consumer reporting 
agencies to place a security freeze on a consumer report without a fee 
    if the consumer reporting agency is subject to a breach of data 
                   security, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 13, 2017

  Mr. Himes introduced the following bill; which was referred to the 
                    Committee on Financial Services

_______________________________________________________________________

                                 A BILL


 
 To amend the Fair Credit Reporting Act to require consumer reporting 
agencies to place a security freeze on a consumer report without a fee 
    if the consumer reporting agency is subject to a breach of data 
                   security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Credit Information Protection Act of 
2017''.

SEC. 2. SECURITY FREEZES ON CONSUMER REPORTS.

    Section 605A of the Fair Credit Reporting Act (15 U.S.C. 1681c-1) 
is amended by adding at the end the following:
    ``(i) Security Freezes.--
            ``(1) In general.--A consumer reporting agency described in 
        section 603(p) shall provide to a consumer, upon request, a 
        security freeze on the consumer report of such consumer after a 
        breach of data security at such a consumer reporting agency.
            ``(2) Types of security freezes.--A consumer reporting 
        agency shall--
                    ``(A) place a security freeze on a consumer report 
                without a fee to any consumer; and
                    ``(B) with respect to a consumer that has been 
                specifically notified by the consumer reporting agency 
                that the consumer was affected by the breach of data 
                security, place or remove an unlimited amount of 
                security freezes, upon request, without a fee.
            ``(3) Definitions.--In this subsection:
                    ``(A) Breach of data security.--
                            ``(i) In general.--The term `breach of data 
                        security' means the unauthorized acquisition of 
                        sensitive financial account information or 
                        sensitive personal information.
                            ``(ii) Exception for data that is not in 
                        usable form.--The term `breach of data 
                        security' does not include the unauthorized 
                        acquisition of sensitive financial account 
                        information or sensitive personal information 
                        that is encrypted, redacted, or otherwise 
                        protected by another method that renders the 
                        information unreadable and unusable if the 
                        encryption, redaction, or protection process or 
                        key is not also acquired without authorization.
                    ``(B) Security freeze.--The term `security freeze' 
                means a notice placed in a consumer report, at the 
                request of a consumer, that prohibits the credit 
                reporting agency from releasing the consumer report or 
                any information in the consumer report without the 
                express authorization of the consumer.
                    ``(C) Sensitive financial account information.--The 
                term `sensitive financial account information' means a 
                financial account number relating to a consumer, 
                including a credit card number or debit card number, in 
                combination with any security code, access code, 
                password, or other personal identification information 
                required to access the financial account.
                    ``(D) Sensitive personal information.--
                            ``(i) In general.--The term `sensitive 
                        personal information' includes--
                                    ``(I) a Social Security number; and
                                    ``(II) the first and last name of a 
                                consumer in combination with--
                                            ``(aa) the consumer's 
                                        driver's license number, 
                                        passport number, military 
                                        identification number, or other 
                                        similar number issued on a 
                                        government document used to 
                                        verify identity;
                                            ``(bb) information that 
                                        could be used to access a 
                                        consumer's account, such as a 
                                        user name and password or e-
                                        mail and password; or
                                            ``(cc) biometric data of 
                                        the consumer used to gain 
                                        access to financial accounts of 
                                        the consumer.
                            ``(ii) Exception.--The term `sensitive 
                        personal information' does not include publicly 
                        available information that is lawfully made 
                        available to the general public and obtained 
                        from--
                                    ``(I) Federal, State, or local 
                                government records; or
                                    ``(II) widely distributed media.''.