[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4028 Introduced in House (IH)]

<DOC>






115th CONGRESS
  1st Session
                                H. R. 4028

To amend the Federal Financial Institutions Examination Council Act of 
 1978 to establish cybersecurity supervision and examination of large 
          consumer reporting agencies, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 12, 2017

 Mr. McHenry introduced the following bill; which was referred to the 
                    Committee on Financial Services

_______________________________________________________________________

                                 A BILL


 
To amend the Federal Financial Institutions Examination Council Act of 
 1978 to establish cybersecurity supervision and examination of large 
          consumer reporting agencies, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Promoting Responsible Oversight of 
Transactions and Examinations of Credit Technology Act of 2017'' or the 
``PROTECT Act of 2017''.

            TITLE I--CONSUMER REPORTING AGENCY CYBERSECURITY

SEC. 101. CYBERSECURITY SUPERVISION AND EXAMINATION OF LARGE CONSUMER 
              REPORTING AGENCIES.

    The Federal Financial Institutions Examination Council Act of 1978 
(12 U.S.C. 3301 et seq.) is amended by adding at the end the following:

``SEC. 1012. CYBERSECURITY SUPERVISION AND EXAMINATION OF LARGE 
              CONSUMER REPORTING AGENCIES.

    ``(a) In General.--Large consumer reporting agencies shall be 
subject to cybersecurity supervision and examination by the designated 
agency.
    ``(b) Rulemaking.--The Council shall--
            ``(1) establish uniform cybersecurity supervision and 
        examination procedures for purposes of subsection (a); and
            ``(2) designate a Federal banking agency, as defined in 
        section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809), to 
        serve as the designated agency under subsection (a).
    ``(c) Large Consumer Reporting Agency Defined.--The term `large 
consumer reporting agency' has the meaning given the term `consumer 
reporting agency that compiles and maintains files on consumers on a 
nationwide basis' under section 603(p) of the Fair Credit Reporting 
Act.''.

                   TITLE II--NATIONAL SECURITY FREEZE

SEC. 201. NATIONAL SECURITY FREEZE AND ADDITIONAL PROTECTIONS FOR FILES 
              AND CREDIT RECORDS OF PROTECTED CONSUMERS.

    Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is 
amended by adding at the end the following:
    ``(i) National Security Freeze and Additional Protections for Files 
and Credit Records of Protected Consumers.--
            ``(1) Definitions.--For purposes of this subsection:
                    ``(A) The term `proper identification' has the 
                meaning of such term as used under section 610.
                    ``(B) The term `consumer reporting agency' means a 
                consumer reporting agency that compiles and maintains 
                files on consumers on a nationwide basis.
                    ``(C) The term `security freeze' means a 
                restriction placed on making consumer reports of a 
                consumer, at the request of the consumer, that 
                prohibits a consumer reporting agency from making a 
                consumer report with respect to the consumer to any 
                person for the purpose of opening a new account 
                involving the extension of credit.
            ``(2) Request for security freeze, processing time, 
        confirmation of freeze and personal identification number or 
        password.--
                    ``(A) Request.--A consumer may request that a 
                consumer reporting agency place a security freeze by 
                sending a request via mail, telephone, facsimile, 
                internet, or other electronic media to the consumer 
                reporting agency in a manner designated by the consumer 
                reporting agency to receive such requests.
                    ``(B) Placement of security freeze.--A consumer 
                reporting agency shall place a security freeze no later 
                than 5 business days after receiving from the 
                consumer--
                            ``(i) a request described under 
                        subparagraph (A);
                            ``(ii) proper identification; and
                            ``(iii) payment of the required fee, if 
                        applicable.
                    ``(C) Confirmation and additional information.--Not 
                later than 10 business days after placing a security 
                freeze, the consumer reporting agency shall--
                            ``(i) send confirmation of the placement to 
                        the consumer;
                            ``(ii) inform the consumer of the process 
                        by which the consumer may temporarily lift the 
                        security freeze and allow the consumer 
                        reporting agency to make a consumer report with 
                        respect to the consumer for a specific entity 
                        or a specific period of time;
                            ``(iii) provide the consumer with a unique 
                        personal identification number or password to 
                        be used with the process described under 
                        subparagraph (B); and
                            ``(iv) inform the consumer of the process 
                        by which the consumer may remove the security 
                        freeze.
                    ``(D) Notice to third parties.--A consumer 
                reporting agency may advise a third party that a 
                security freeze has been placed with respect to a 
                consumer.
            ``(3) Requests to temporarily lift freeze, timing, request 
        procedures.--
                    ``(A) In general.--If a consumer with a security 
                freeze in place wishes to temporarily allow a consumer 
                reporting agency to make a consumer report with respect 
                to the consumer for a specific entity or a specific 
                period of time, the consumer may notify the consumer 
                reporting agency using a method of contact designated 
                by the consumer reporting agency, requesting that the 
                freeze be temporarily lifted, and providing, to 
                complete the request, all of the following:
                            ``(i) Proper identification.
                            ``(ii) The unique personal identification 
                        number or password provided by the consumer 
                        reporting agency pursuant to paragraph (2)(C).
                            ``(iii) The applicable information 
                        regarding the entity or time period with 
                        respect to which the consumer wishes the 
                        security freeze to be lifted.
                            ``(iv) The required fee, if applicable.
                    ``(B) Temporary lifting of security freeze.--A 
                consumer reporting agency that receives a request 
                described under subparagraph (A) shall comply with the 
                request not later than 3 business days after receiving 
                the request.
                    ``(C) Procedures.--A consumer reporting agency may 
                develop procedures involving the use of telephone, 
                facsimile, the internet, or other electronic media to 
                receive and process a request from a consumer described 
                under subparagraph (A) in an expedited manner.
            ``(4) Mandatory removal or temporary lifting of freeze, 
        notice to consumer, and third party requests.--
                    ``(A) In general.--A consumer reporting agency 
                shall remove or temporarily lift a freeze placed on the 
                consumer report of a consumer only in the following 
                cases:
                            ``(i) Upon consumer request.
                            ``(ii) The security freeze was placed due 
                        to a material misrepresentation of fact by the 
                        consumer.
                    ``(B) Notice if removal not by request.--If a 
                consumer reporting agency intends to remove a security 
                freeze with respect to a consumer, and is not doing so 
                at the request of the consumer, the consumer reporting 
                agency shall notify the consumer in writing prior to 
                removing the security freeze.
                    ``(C) Third party requests.--If a third party 
                requests access to a consumer report of a consumer with 
                respect to which a security freeze is in effect, where 
                such request is in connection with an application for 
                credit or any other use, and the consumer does not 
                allow such consumer report to be accessed, the third 
                party may treat the application as incomplete.
            ``(5) Removal of freeze by consumer request.--A security 
        freeze shall remain in place until the consumer requests, using 
        a method of contact designated by the consumer reporting 
        agency, that the security freeze be removed. A consumer 
        reporting agency shall remove a security freeze within 3 
        business days of receiving such a request for removal from the 
        consumer, who provides along with it--
                    ``(A) proper identification;
                    ``(B) the unique personal identification number or 
                password provided by the consumer reporting agency 
                pursuant to paragraph (2)(C); and
                    ``(C) the required fee, if applicable.
            ``(6) Exceptions.--A security freeze shall not apply to the 
        making of a consumer report for use by the following:
                    ``(A) A person or entity, or a subsidiary, 
                affiliate, or agent of that person or entity, or an 
                assignee of a financial obligation owed by the consumer 
                to that person or entity, or a prospective assignee of 
                a financial obligation owed by the consumer to that 
                person or entity in conjunction with the proposed 
                purchase of the financial obligation, with which the 
                consumer has or had prior to assignment an account or 
                contract including a demand deposit account, or to whom 
                the consumer issued a negotiable instrument, for the 
                purposes of reviewing the account or collecting the 
                financial obligation owed for the account, contract, or 
                negotiable instrument. For purposes of this 
                subparagraph, `reviewing the account' includes 
                activities related to account maintenance, monitoring, 
                credit line increases, and account upgrades and 
                enhancements.
                    ``(B) A subsidiary, affiliate, agent, assignee, or 
                prospective assignee of a person to whom access has 
                been granted for purposes of facilitating the extension 
                of credit or other permissible use.
                    ``(C) Any Federal, State or local agency, law 
                enforcement agency, trial court, or private collection 
                agency acting pursuant to a court order, warrant, or 
                subpoena.
                    ``(D) A child support agency acting pursuant to 
                part D of title IV of the Social Security Act.
                    ``(E) A State or its agents or assigns acting to 
                investigate fraud or acting to investigate or collect 
                delinquent taxes or unpaid court orders or to fulfill 
                any of its other statutory responsibilities, provided 
                such responsibilities are consistent with a permissible 
                purpose under section 604.
                    ``(F) A person using credit information for the 
                purposes described under section 604(c).
                    ``(G) Any person or entity administering a credit 
                file monitoring subscription or similar service to 
                which the consumer has subscribed.
                    ``(H) Any person or entity for the purpose of 
                providing a consumer with a copy of the consumer's 
                consumer report or credit score, upon the request of 
                the consumer.
                    ``(I) Any person using the information in 
                connection with the underwriting of insurance.
                    ``(J) Any person using the information for 
                employment, tenant, or background screening purposes.
            ``(7) Fees.--
                    ``(A) In general.--A consumer reporting agency may 
                charge a fee of no more than $5 to a consumer for each 
                security freeze, removal of a security freeze, or 
                temporary lifting of a security freeze.
                    ``(B) Exception.--A consumer reporting agency shall 
                not charge any fee described under subparagraph (A) 
                to--
                            ``(i) a victim of identity theft who has 
                        submitted, at the time the security freeze is 
                        requested, a copy of a valid investigative or 
                        incident report or complaint with a law 
                        enforcement agency about the unlawful use of 
                        the victim's identifying information by another 
                        person;
                            ``(ii) except as provided in subsection 
                        (j), a consumer who is a minor or 65 years of 
                        age or older for the initial placement and 
                        removal of a security freeze; or
                            ``(iii) a consumer who has submitted a copy 
                        of the consumer's orders calling the service 
                        member to military service and any orders 
                        further extending the service member's period 
                        of service if currently active.
            ``(8) Modification of official information.--
                    ``(A) In general.--If a security freeze is in 
                place, a consumer reporting agency shall not change any 
                of the following official information in the file of a 
                consumer without sending confirmation of the change to 
                the consumer within 30 days of the change being posted 
                to the file of the consumer:
                            ``(i) Name.
                            ``(ii) Date of birth.
                            ``(iii) Social Security number.
                            ``(iv) Address.
                    ``(B) Exception for technical modifications.--
                Subparagraph (A) shall not apply to technical 
                modifications of official information of a consumer, 
                including name and street abbreviations, complete 
                spellings, or transposition of numbers or letters.
                    ``(C) Address changes.--In the case of an address 
                change, the confirmation described under subparagraph 
                (A) shall be sent to both the new address and to the 
                former address.
            ``(9) Notice of rights.--At any time a consumer is required 
        to receive a summary of rights required under section 609, the 
        following notice shall be included:
    ```Consumers Have the Right To Obtain a Security Freeze--You have a 
right to place a ``security freeze'' on your credit report, which will 
prohibit a consumer reporting agency from releasing information in your 
credit report without your express authorization. The security freeze 
is designed to prevent credit, loans, and services from being approved 
in your name without your consent. However, you should be aware that 
using a security freeze to take control over who gets access to the 
personal and financial information in your credit report may delay, 
interfere with, or prohibit the timely approval of any subsequent 
request or application you make regarding a new loan, credit, mortgage, 
government services or payments, rental housing, employment, 
investment, license, cellular phone, utilities, digital signature, 
internet credit card transaction, or other services, including an 
extension of credit at point of sale. When you place a security freeze 
on your credit report, you will be provided a personal identification 
number or password to use if you choose to remove the security freeze 
on your credit report or authorize the release of your credit report to 
a particular entity or for a period of time after the freeze is in 
place. To provide that authorization you must contact the consumer 
reporting agency by one of the methods that it requires, and provide 
all of the following:
            ```(1) The personal identification number or password.
            ```(2) Proper identification to verify your identity.
            ```(3) The applicable information regarding the entity or 
        time period with respect to which the consumer wishes the 
        security freeze to be lifted.
            ```(4) The payment of the appropriate fee, if applicable.
A consumer reporting agency must authorize the release of your credit 
report no later than 3 business days after receiving all of the above 
items by any method that the consumer reporting agency allows.
    ```A security freeze does not apply to a person or entity, or its 
affiliates, or collection agencies acting on behalf of the person or 
entity, with which you have an existing account that requests 
information in your credit report for the purposes of reviewing or 
collecting the account. Reviewing the account includes activities 
related to account maintenance, monitoring, credit line increases, and 
account upgrades and enhancements.
    ```You have a right to bring a civil action against anyone, 
including a consumer reporting agency, who willfully or negligently 
fails to comply with the Federal law on security freezes (section 605C 
of the Fair Credit Reporting Act).
    ```A consumer reporting agency has the right to charge you up to 
Five Dollars ($5.00) to place a security freeze, up to Five Dollars 
($5.00) to temporarily lift a security freeze, and up to Five Dollars 
($5.00) to remove a security freeze. However, you shall not be charged 
any fee if you are a victim of identity theft who has submitted, at the 
time the security freeze is requested, a copy of a valid investigative 
or incident report or complaint with a law enforcement agency about the 
unlawful use of your identifying information by another person, or if 
you are a minor or sixty-five (65) years of age or older for the 
initial placement and removal of a security freeze.'.
    ``(j) National Protections for Files and Credit Records of 
Protected Consumers.--
            ``(1) Definitions.--As used in this subsection:
                    ``(A) The term `consumer reporting agency' means a 
                consumer reporting agency that compiles and maintains 
                files on consumers on a nationwide basis.
                    ``(B) The term `protected consumer' means an 
                individual who is--
                            ``(i) under the age of 16 years at the time 
                        a request for the placement of a security 
                        freeze is made; or
                            ``(ii) an incapacitated person or a 
                        protected person for whom a guardian or 
                        conservator has been appointed.
                    ``(C) The term `record' means a compilation of 
                information that--
                            ``(i) identifies a protected consumer;
                            ``(ii) is created by a consumer reporting 
                        agency solely for the purpose of complying with 
                        this subsection; and
                            ``(iii) may not be created or used to 
                        consider the protected consumer's credit 
                        worthiness, credit standing, credit capacity, 
                        character, general reputation, personal 
                        characteristics, or mode of living.
                    ``(D) The term `representative' means a person who 
                provides to a consumer reporting agency sufficient 
                proof of authority to act on behalf of a protected 
                consumer.
                    ``(E) The term `security freeze' means--
                            ``(i) if a consumer reporting agency does 
                        not have a file pertaining to a protected 
                        consumer, a restriction that--
                                    ``(I) is placed on the protected 
                                consumer's record in accordance with 
                                this subsection; and
                                    ``(II) prohibits the consumer 
                                reporting agency from releasing the 
                                protected consumer's record except as 
                                provided in this subsection; or
                            ``(ii) if a consumer reporting agency has a 
                        file pertaining to the protected consumer, a 
                        restriction that--
                                    ``(I) is placed on the protected 
                                consumer's consumer report in 
                                accordance with this subsection; and
                                    ``(II) prohibits the consumer 
                                reporting agency from releasing the 
                                protected consumer's consumer report 
                                except as provided in this subsection.
                    ``(F) The term `sufficient proof of authority' 
                means documentation that shows a representative has 
                authority to act on behalf of a protected consumer and 
                includes--
                            ``(i) an order issued by a court of law;
                            ``(ii) a lawfully executed and valid power 
                        of attorney; or
                            ``(iii) a written, notarized statement 
                        signed by a representative that expressly 
                        describes the authority of the representative 
                        to act on behalf of a protected consumer.
                    ``(G) The term `sufficient proof of identification' 
                means information or documentation that identifies a 
                protected consumer or a representative of a protected 
                consumer and includes--
                            ``(i) a Social Security number or a copy of 
                        a Social Security card issued by the Social 
                        Security Administration;
                            ``(ii) a certified or official copy of a 
                        birth certificate issued by the entity 
                        authorized to issue the birth certificate; or
                            ``(iii) a copy of a driver's license, an 
                        identification card issued by the Motor Vehicle 
                        Administration, or any other government-issued 
                        identification.
            ``(2) Exceptions.--This subsection shall not apply to the 
        making of a consumer report for use by the following:
                    ``(A) A person or entity, or a subsidiary, 
                affiliate, or agent of that person or entity, or an 
                assignee of a financial obligation owed by the consumer 
                to that person or entity, or a prospective assignee of 
                a financial obligation owed by the consumer to that 
                person or entity in conjunction with the proposed 
                purchase of the financial obligation, with which the 
                consumer has or had prior to assignment an account or 
                contract including a demand deposit account, or to whom 
                the consumer issued a negotiable instrument, for the 
                purposes of reviewing the account or collecting the 
                financial obligation owed for the account, contract, or 
                negotiable instrument. For purposes of this 
                subparagraph, `reviewing the account' includes 
                activities related to account maintenance, monitoring, 
                credit line increases, and account upgrades and 
                enhancements.
                    ``(B) A subsidiary, affiliate, agent, assignee, or 
                prospective assignee of a person to whom access has 
                been granted for purposes of facilitating the extension 
                of credit or other permissible use.
                    ``(C) Any Federal, State or local agency, law 
                enforcement agency, trial court, or private collection 
                agency acting pursuant to a court order, warrant, or 
                subpoena.
                    ``(D) A child support agency acting pursuant to 
                part D of title IV of the Social Security Act.
                    ``(E) The State or its agents or assigns acting to 
                investigate fraud or acting to investigate or collect 
                delinquent taxes or unpaid court orders or to fulfill 
                any of its other statutory responsibilities, provided 
                such responsibilities are consistent with a permissible 
                purpose under section 604.
                    ``(F) A person using credit information for the 
                purposes described under section 604(c).
                    ``(G) Any person or entity administering a credit 
                file monitoring subscription or similar service to 
                which the consumer has subscribed.
                    ``(H) Any person or entity for the purpose of 
                providing a consumer with a copy of the consumer's 
                consumer report or credit score, upon the request of 
                the consumer.
                    ``(I) Any person using the information in 
                connection with the underwriting of insurance.
                    ``(J) Any person using the information for 
                employment, tenant or background screening purposes.
            ``(3) Placing a freeze for a protected consumer.--
                    ``(A) In general.--A consumer reporting agency 
                shall place a security freeze for a protected consumer 
                if--
                            ``(i) the consumer reporting agency 
                        receives a request from the protected 
                        consumer's representative for the placement of 
                        the security freeze under this subsection; and
                            ``(ii) the protected consumer's 
                        representative--
                                    ``(I) submits the request to the 
                                consumer reporting agency at the 
                                address or other point of contact and 
                                in the manner specified by the consumer 
                                reporting agency;
                                    ``(II) provides to the consumer 
                                reporting agency sufficient proof of 
                                identification of the protected 
                                consumer and the representative;
                                    ``(III) provides to the consumer 
                                reporting agency sufficient proof of 
                                authority to act on behalf of the 
                                protected consumer; and
                                    ``(IV) pays to the consumer 
                                reporting agency a fee as provided 
                                under this subsection.
                    ``(B) Creation of file.--If a consumer reporting 
                agency does not have a file pertaining to a protected 
                consumer when the consumer reporting agency receives a 
                request under subparagraph (A), the consumer reporting 
                agency shall create a credit record for the protected 
                consumer.
                    ``(C) Placement of security freeze.--Within 3 days 
                after receiving a request described under subparagraph 
                (A), a consumer reporting agency shall place a security 
                freeze for the protected consumer.
            ``(4) Prohibition on release of record or file of protected 
        consumer.--Unless a security freeze for a protected consumer is 
        removed in accordance with this subsection, a consumer 
        reporting agency may not release the protected consumer's 
        consumer report, any information derived from the protected 
        consumer's consumer report, or any record created for the 
        protected consumer.
            ``(5) Timeline for a freeze for a protected consumer.--A 
        security freeze for a protected consumer placed under this 
        subsection shall remain in effect until--
                    ``(A) the protected consumer or the protected 
                consumer's representative requests the consumer 
                reporting agency to remove the security freeze in 
                accordance with paragraph (6); or
                    ``(B) the security freeze is removed in accordance 
                with paragraph (9).
            ``(6) Removal of a protected consumer security freeze.--If 
        a protected consumer or a protected consumer's representative 
        wishes to remove a security freeze for the protected consumer, 
        the protected consumer or the protected consumer's 
        representative shall--
                    ``(A) submit a request for the removal of the 
                security freeze to the consumer reporting agency at the 
                address or other point of contact and in the manner 
                specified by the consumer reporting agency;
                    ``(B) provide to the consumer reporting agency--
                            ``(i) in the case of a request by the 
                        protected consumer--
                                    ``(I) proof that the sufficient 
                                proof of authority for the protected 
                                consumer's representative to act on 
                                behalf of the protected consumer is no 
                                longer valid; and
                                    ``(II) sufficient proof of 
                                identification of the protected 
                                consumer; or
                            ``(ii) in the case of a request by the 
                        representative of a protected consumer--
                                    ``(I) sufficient proof of 
                                identification of the protected 
                                consumer and the representative; and
                                    ``(II) sufficient proof of 
                                authority to act on behalf of the 
                                protected consumer; and
                            ``(iii) pay to the consumer reporting 
                        agency a fee, if applicable, as provided in 
                        paragraph (8).
            ``(7) Timing of removal of a protected consumer freeze.--
        Within 3 days after receiving a request described under 
        paragraph (6), the consumer reporting agency shall remove the 
        security freeze for the protected consumer.
            ``(8) Fees for a protected consumer freeze.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), a consumer reporting agency may not 
                charge a fee for any service performed under this 
                subsection.
                    ``(B) Reasonable fee permitted.--A consumer 
                reporting agency may charge a reasonable fee, not 
                exceeding $5, for each placement or removal of a 
                security freeze for a protected consumer.
                    ``(C) Exceptions.--Notwithstanding subparagraph 
                (B), a consumer reporting agency may not charge any fee 
                under this subsection if--
                            ``(i) the protected consumer's 
                        representative has obtained a police report or 
                        affidavit of alleged identity fraud against the 
                        protected consumer and provides a copy of the 
                        report to the consumer reporting agency; or
                            ``(ii) a request for the placement or 
                        removal of a security freeze is for a protected 
                        consumer who is under the age of sixteen years 
                        of age at the time of the request and the 
                        consumer reporting agency has a consumer report 
                        pertaining to the protected consumer.
            ``(9) Deletion of file or record created based on a 
        material misrepresentation.--A consumer reporting agency may 
        remove a security freeze for a protected consumer or delete a 
        record of a protected consumer if the security freeze was 
        placed or the record was created based on a material 
        misrepresentation of fact by the protected consumer or the 
        protected consumer's representative.''.

     TITLE III--CREDIT RATING AGENCY USE OF SOCIAL SECURITY NUMBERS

SEC. 301. PROHIBITION ON THE USE OF SOCIAL SECURITY NUMBERS.

    (a) In General.--Section 605 of the Fair Credit Reporting Act (15 
U.S.C. 1681c), as amended by title II, is amended by adding at the end 
the following:
    ``(k) Prohibition on the Use of Social Security Numbers.--A 
consumer reporting agency that compiles and maintains files on 
consumers on a nationwide basis--
            ``(1) may not make any consumer report containing a Social 
        Security number; and
            ``(2) may not use the Social Security number of a consumer 
        as a method to identify the consumer, or for any other 
        purpose.''.
    (b) Conforming Amendment.--Section 609(a)(1) of the Fair Credit 
Reporting Act (15 U.S.C. 1681g(a)(1)) is amended by striking ``except 
that--'' and all that follows through ``(B) nothing'' and inserting 
``except that nothing''.
    (c) Effective Date.--The amendments made by this section shall take 
effect on January 1, 2020.
                                 <all>