93RD GENERAL ASSEMBLY
State of Illinois
2003 and 2004
HB5006

 

Introduced 02/05/04, by Elaine Nekritz

 

SYNOPSIS AS INTRODUCED:
 
815 ILCS 505/2MM
815 ILCS 505/2QQ new

    Amends the Consumer Fraud and Deceptive Business Practices Act. Provides that any person who uses a consumer credit report in connection with the approval of credit, may not lend money, extend credit, or complete the purchase, lease, or rental of goods or non-credit related services without taking reasonable steps to verify the consumer's identity. Provides that if a consumer places a statement with a security alert in his or her file requesting that his or her identity be verified by calling a specified telephone number, any person who receives that statement with the security alert in the consumer's file must take reasonable steps to verify his or her identity by contacting the consumer using the specified telephone number, prior to lending money, extending credit, or completing the purchase, lease, or rental of goods or non-credit related services, with certain exceptions. Provides that a consumer credit reporting agency is required to provide to a consumer information about security alerts and security freezes and their consequences. Prohibits a person or entity from publicly posting or displaying an individual's social security number or doing certain other acts that might compromise the security of an individual's social security number. Provides that a person or entity shall not encode or embed a social security number on a card or document, including a bar code, chip, or magnetic strip.


LRB093 19466 RXD 45205 b

 

 

A BILL FOR

 

HB5006 LRB093 19466 RXD 45205 b

1     AN ACT concerning business transactions.
 
2     Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
 
4     Section 5. The Consumer Fraud and Deceptive Business
5 Practices Act is amended by changing Section 2MM and adding
6 Section 2QQ as follows:
 
7     (815 ILCS 505/2MM)
8     Sec. 2MM. Verification of accuracy of credit reporting
9 information used to extend consumers credit; security alert
10 notices.
11     (a) A credit card issuer who mails an offer or solicitation
12 to apply for a credit card and who receives a completed
13 application in response to the offer or solicitation which
14 lists an address that is not substantially the same as the
15 address on the offer or solicitation may not issue a credit
16 card based on that application until reasonable steps have been
17 taken to verify the applicant's change of address.
18     (b) Any person who uses a consumer credit report in
19 connection with the approval of credit based on the application
20 for an extension of credit, or with the purchase, lease, or
21 rental of goods or non-credit related services, and who has
22 received notification of a police report filed with a consumer
23 reporting agency that the applicant has been a victim of
24 financial identity theft, as defined in Section 16G-15 of the
25 Criminal Code of 1961, or has received notification of a
26 security alert, may not lend money or extend credit without
27 taking reasonable steps to verify the consumer's identity and
28 confirm that the application for an extension of credit is not
29 the result of financial identity theft. If the consumer has
30 placed a statement with a security alert in his or her file
31 requesting that identity be verified by calling a specified
32 telephone number, any person who receives that statement with
1 the security alert in a consumer's file shall take reasonable
2 steps to verify the identity of the consumer by contacting the
3 consumer using the specified telephone number prior to lending
4 money, extending credit, or completing the purchase, lease, or
5 rental of goods or non-credit related services. If a person
6 uses a consumer credit report to facilitate the extension of
7 credit or for another permissible purpose on behalf of a
8 subsidiary, affiliate, agent, assignee, or prospective
9 assignee, that person may verify a consumer's identity under
10 this subsection (b) instead of the subsidiary, affiliate,
11 agent, assignee, or prospective assignee.
12     (b-1) If a consumer uses a consumer credit reporting agency
13 he or she may elect to place a security alert in his or her
14 credit report by making a request in writing or by telephone to
15 a consumer credit report agency. A consumer credit reporting
16 agency shall:
17         (1) Notify each person requesting consumer credit
18     information with respect to a consumer of the existence of
19     a security alert in the credit report of that consumer,
20     regardless of whether a full credit report, credit score,
21     or summary report is requested.
22         (2) Maintain a toll-free telephone number to accept
23     security alert requests from consumers 24 hours a day,
24     seven days a week. The toll-free telephone number shall be
25     included in any written disclosure by a consumer credit
26     reporting agency to any consumer and shall be printed in a
27     clear and conspicuous manner.
28         (3) Place a security alert on a consumer's credit
29     report no later than 5 business days after receiving a
30     request from the consumer. The security alert shall remain
31     in place for at least 90 days, and a consumer shall have
32     the right to request a renewal of the security alert.
33         (4) Notify each consumer who has requested that a
34     security alert be placed on his or her consumer credit
35     report of the expiration date of the alert.
36         (5) Promptly disclose files maintained on a consumer as
1     follows:
2             (A) In person, if the consumer appears and
3         furnishes proper identification at the location where
4         the consumer credit reporting agency maintains trained
5         personnel.
6             (B) By mail, if the consumer makes a written
7         request with proper identification for a copy of the
8         file or a decoded written version of that file to be
9         sent to the consumer at a specified address. A
10         disclosure under this subparagraph (B) shall be
11         deposited in the United States mail, postage prepaid,
12         within 5 business days after the consumer's written
13         request for the disclosure is received by the consumer
14         credit reporting agency. Consumer credit reporting
15         agencies complying with requests for mailings under
16         this subparagraph (B) shall not be liable for
17         disclosures to third parties caused by mishandling of
18         mail after the mailings leave the consumer credit
19         reporting agencies.
20             (C) By telephone, if the consumer has made a
21         written request, with proper identification for
22         telephone disclosure.
23     Information in a consumer's file required to be provided in
24     writing under this paragraph (5) may also be disclosed in
25     another form if authorized by the consumer and if available
26     from the consumer credit reporting agency. A consumer may
27     request disclosure by telephone upon disclosure of proper
28     identification by the consumer, by electronic means if
29     available from the consumer credit reporting agency, or by any
30     other reasonable means that is available from the consumer
31     credit reporting agency.
32         (6) Provide a consumer with a written summary of all of
33     his or her rights with any written disclosure in the
34     following form:
35         "You have a right to obtain a copy of your credit file
36     from a consumer credit reporting agency. You may be charged
1     a reasonable fee not to exceed $8. There is no fee, if you
2     have been turned down for credit, employment, insurance, or
3     a rental dwelling because of information in your credit
4     report within the preceding 60 days. The consumer credit
5     reporting agency must provide trained personnel to help you
6     interpret the information in your credit file.
7         You have a right to dispute inaccurate information by
8     contacting the consumer credit reporting agency directly.
9     However, neither you nor any credit repair company or credit
10     service organization has the right to have accurate,
11     current, and verifiable information removed from your
12     credit report. Under the Federal Fair Credit Reporting Act,
13     the consumer credit reporting agency must remove accurate,
14     negative information from your report only if it is over 7
15     years old. Bankruptcy information can be reported for 10
16     years.
17         If you have notified a consumer credit reporting agency
18     in writing that you dispute the accuracy of information in
19     your file, the consumer credit reporting agency must then,
20     within 30 business days, reinvestigate and modify or remove
21     inaccurate information. The consumer credit reporting
22     agency may not charge a fee for this service. Any pertinent
23     information and copies of all documents you have concerning
24     an error should be given to the consumer credit reporting
25     agency.
26         If reinvestigation does not resolve the dispute to your
27     satisfaction, you may send a brief statement to the
28     consumer credit reporting agency to keep in your file,
29     explaining why you think the record is inaccurate. The
30     consumer credit reporting agency must include your
31     statement about disputed information in a report it issues
32     about you.
33         You have a right to receive a record of all inquiries
34     relating to a credit transaction initiated in 12 months
35     preceding your request. This record shall include the
36     recipients of any consumer credit report. You may request
1     in writing that the information contained in your file not
2     be provided to a third party for marketing purposes.
3         You have a right to place a "security alert" in your
4     credit report, which will warn anyone who receives
5     information in your credit report that your identity may
6     have been used without your consent. Recipients of your
7     credit report are required to take reasonable steps,
8     including contacting you at the telephone number you may
9     provide with your security alert, to verify your identity
10     prior to lending money, extending credit, or completing the
11     purchase, lease, or rental of goods or services. The
12     security alert may prevent credit, loans, and services from
13     being approved in your name without your consent. However,
14     you should be aware that taking advantage of this right may
15     delay or interfere with the timely approval of any
16     subsequent request or application you make regarding a new
17     loan, credit, mortgage, insurance, rental housing,
18     employment, investment, license, cellular phone,
19     utilities, digital signature, Internet credit card
20     transaction, or other services, including an extension of
21     credit at point of sale. If you place a security alert on
22     your credit report, you have a right to obtain a free copy
23     of your credit report at the time the 90-day security alert
24     period expires. A security alert may be requested by
25     calling the following toll-free telephone number: (Insert
26     applicable toll-free telephone number).
27         You have a right to place a "security freeze" on your
28     credit report, which will prohibit a consumer credit
29     reporting agency from releasing any information in your
30     credit report without your express authorization. A
31     security freeze must be requested in writing by certified
32     mail. The security freeze is designed to prevent credit,
33     loans, and services from being approved in your name
34     without your consent. However, you should be aware that
35     using a security freeze to take control over who gets
36     access to the personal and financial information in your
1     credit report may delay, interfere with, or prohibit the
2     timely approval of any subsequent request or application
3     you make regarding a new loan, credit, mortgage, insurance,
4     government services or payments, rental housing,
5     employment, investment, license, cellular phone,
6     utilities, digital signature, Internet credit card
7     transaction, or other services, including an extension of
8     credit at point of sale. When you place a security freeze
9     on your credit report, you will be provided a personal
10     identification number or password to use if you choose to
11     remove the freeze on your credit report or authorize the
12     release of your credit report for a specific party or
13     period of time after the freeze is in place. To provide
14     that authorization you must contact the consumer credit
15     reporting agency and provide all of the following:
16             (1) the personal identification number or
17         password;
18             (2) proper identification to verify your identity;
19         and
20             (3) the proper information regarding the third
21         party who is to receive the credit report or the period
22         of time for which the report shall be available.
23         A consumer credit reporting agency must authorize the
24     release of your credit report no later than 3 business days
25     after receiving the above information.
26         A security freeze does not apply to a person or entity,
27     or its affiliates, or collection agencies acting on behalf
28     of the person or entity with which you have an existing
29     account, that requests information in your credit report
30     for the purposes of reviewing or collecting the account.
31     Reviewing the account includes activities related to
32     account maintenance, monitoring, credit line increases,
33     and account upgrades and enhancements.
34         You have a right to bring civil action against anyone,
35     including a consumer credit reporting agency, who
36     improperly obtains access to a file, knowingly or willfully
1     misuses file data, or fails to correct inaccurate file
2     data.
3         If you are a victim of identity theft and provide to a
4     consumer credit reporting agency a copy of a valid police
5     report or a valid investigative report made by a Department
6     of Motor Vehicles investigator with peace officer status
7     describing your circumstances, the following shall apply:
8             (1) You have a right to have any information you
9         list on the report as allegedly fraudulent promptly
10         blocked so that the information cannot be reported. The
11         information will be unblocked only if (1) the
12         information you provide is a material
13         misrepresentation of the facts, (2) you agree that the
14         information is blocked in error, or (3) you knowingly
15         obtained possession of goods, services, or moneys as a
16         result of the blocked transactions. If blocked
17         information is unblocked you will be promptly
18         notified.
19             (2) By the effective date of this amendatory Act of
20         the 93rd General Assembly, you have a right to receive,
21         free of charge and upon request, one copy of your
22         credit report each month for up to 12 consecutive
23         months.".
24     (b-2) The following entities are not required to place a
25     security alert in a consumer credit report:
26             (1) A check services or fraud prevention services
27         company, which issues reports on incidents of fraud or
28         authorizations for the purpose of approving or
29         processing negotiable instruments, electronic funds
30         transfers, or similar methods of payments.
31             (2) A deposit account information service company,
32         which issues reports regarding account closures due to
33         fraud, substantial overdrafts, ATM abuse, or similar
34         negative information regarding a consumer, to
35         inquiring banks or other financial institutions for
36         use only in reviewing a consumer request for a deposit
1         account at the inquiring bank or financial
2         institution.
3     (b-3) The consumer has the right to request and receive all
4     of the following:
5         (1) Either a decoded written version of the file or a
6     written copy of the file, including all information in the
7     file at the time of the request, with an explanation of any
8     code used.
9         (2) A credit score for the consumer, the key factors,
10     and the related information.
11         (3) A record of all inquiries, by recipient, which
12     result in the provision of information concerning the
13     consumer in connection with a credit transaction that is
14     not initiated by the consumer and which were received by
15     the consumer credit reporting agency in the 12-month period
16     immediately preceding the request for disclosure.
17         (4) The recipients, of any consumer credit report on
18     the consumer which the consumer credit reporting agency has
19     furnished for employment purposes within the 12-month
20     period preceding the request or any other purpose within
21     the 12-month period preceding the request.
22     (c) For purposes of this Section, "extension of credit"
23 does not include an increase in an existing open-end credit
24 plan, as defined in Regulation Z of the Federal Reserve System
25 (12 C.F.R. 226.2), or any change to or review of an existing
26 credit account.
27     (c-1) For purposes of this Section, "security alert" means
28 a notice placed in a consumer's credit report, at the request
29 of the consumer, which notifies a recipient of the credit
30 report that the consumer's identity may have been used without
31 the consumer's consent to fraudulently obtain goods or services
32 in the consumer's name.
33     (c-2) For purposes of this Section, "proper
34 identification" means that information generally deemed
35 sufficient to identify a person. Only if the consumer is unable
36 to reasonably identify himself or herself, may a consumer
1 credit reporting agency require additional information
2 concerning the consumer's employment and personal or family
3 history in order to verify his or her identity.
4     (d) Any person who violates the provisions of this Section
5 subsection (a) or subsection (b) commits an unlawful practice
6 within the meaning of this Act. If a consumer reporting agency
7 recklessly, willfully, or intentionally fails to place a
8 security alert notice in a consumer's credit report it shall be
9 guilty of a business offense and subject to a fine in an amount
10 not to exceed $2,500 plus the cost of reasonable attorney's
11 fees.
12 (Source: P.A. 93-195, eff. 1-1-04.)
 
13     (815 ILCS 505/2QQ new)
14     Sec. 2QQ. Social security number protection.
15     (a) Notwithstanding subsection (b), any financial
16 institution may print the social security number of an
17 individual on any account statement or similar document mailed
18 to that individual, if the social security number is provided
19 in connection with a transaction governed by the rules of the
20 National Automated Clearing House Association, or a
21 transaction initiated by a federal governmental entity through
22 an automated clearing house network.
23     (b) A person or entity may not do any of the following:
24         (1) Publicly post or publicly display, in any manner,
25     an individual's social security number. "Publicly post" or
26     "publicly display" means to intentionally communicate or
27     otherwise make available to the general public.
28         (2) Print an individual's social security number on any
29     card required for the individual to access products or
30     services provided by the person or entity.
31         (3) Require an individual to transmit his or her social
32     security number over the Internet, unless the connection is
33     secure or the social security number is encrypted.
34         (4) Require an individual to use his or her social
35     security number to access an Internet Web site, unless a
1     password or unique personal identification number or other
2     authentication device is also required to access the
3     Internet Web site.
4         (5) Print an individual's social security number on any
5     materials that are mailed to the individual, unless State
6     or federal law requires the social security number to be on
7     the document to be mailed. Notwithstanding this subsection
8     (a), social security numbers may be included in
9     applications and forms sent by mail, including documents
10     sent as part of an application or enrollment process, or to
11     establish, amend or terminate an account, contract or
12     policy, or to confirm the accuracy of the social security
13     number.
14     (c) Except as provided in subsection (f), a person or
15     entity that has used, prior to the effective date of this
16     amendatory Act by the 93rd General Assembly, an individual's
17     social security number in a manner inconsistent with subsection
18     (b), may continue using that individual's social security
19     number in that manner on or after the effective date of this
20     amendatory Act by the 93rd General Assembly, and a State or
21     local agency that has used, prior to the effective date of this
22     amendatory Act by the 93rd General Assembly, an individual's
23     social security number in a manner inconsistent with subsection
24     (b), may continue using that individual's social security
25     number in that manner on or after the effective date of this
26     amendatory Act by the 93rd General Assembly, if all of the
27     following conditions are met:
28         (1) The use of the social security number is
29     continuous. If the use is stopped for any reason,
30     subsection (b) shall apply.
31         (2) The individual is provided an annual disclosure
32     that informs the individual that he or she has the right to
33     stop the use of his or her social security number in a
34     manner prohibited by subsection (b).
35     A written request by an individual to stop the use of his
36     or her social security number in a manner prohibited by
1     subsection (b) is implemented within 30 days of the receipt of
2     the request. There may not be a fee or charge for implementing
3     the request.
4     The person or entity may not deny services to an individual
5     because the individual makes a written request pursuant to this
6     subsection (c).
7     (d) This Section does not apply to documents that are
8     recorded or required to be open to the public.
9     (e) In the case of a health care service plan, a provider
10     of health care, an insurer or a pharmacy benefits manager, a
11     contractor, or the provision by any person or entity of
12     administrative or other services relative to health care or
13     insurance products or services, including third-party
14     administration or administrative services only, this Section
15     shall become operative in the following manner:
16             (1) By the effective date of this amendatory Act by
17         the 93rd General Assembly the entities listed in
18         subsection (e) shall comply with paragraphs (1), (3),
19         (4), and (5) of subsection (b), as these requirements
20         pertain to individual policyholders or individual
21         contract holders.
22             (2) By the effective date of this amendatory Act by
23         the 93rd General Assembly the entities listed in
24         subsection (1) shall comply with subsection (b) as
25         these requirements pertain to new individual
26         policyholders or new individual contract holders and
27         new groups.
28     (f) A health care service plan, a provider of health care,
29     an insurer or a pharmacy benefits manager, a contractor, or
30     another person or entity as described in subsection (e) shall
31     make reasonable efforts to cooperate, through systems testing
32     and other means, to ensure that the requirements of this
33     Section are implemented on or before the dates specified in
34     this Section.
35         (1) Notwithstanding paragraph (2) of this Section, the
36     Director of the Illinois Department of Public Aid, or the
1     Director of the Department of Insurance, and upon a
2     determination of good cause, may grant extensions not to
3     exceed 6 months, for compliance with the requirements of
4     this Section when requested by the health care service plan
5     provider or insurer. Any extension granted shall apply to
6     the health care service plan or insurer's affected
7     providers, pharmacy benefits manager, and contractors.
8         (2) If a federal law takes effect requiring the United
9     States Department of Health and Human Services to establish
10     a national unique patient health identifier program, a
11     provider of health care, a health care service plan, a
12     licensed health care professional, or a contractor, that
13     complies with the federal law shall be deemed in compliance
14     with this Section.
15     (g) A person or entity may not encode or embed a social
16     security number in or on a card or document, including, but not
17     limited to, using a bar code, chip, magnetic strip, or other
18     technology, in place of removing the social security number, as
19     required by this Section.