|
||||||||||||||||||||||
|
||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
1 | AN ACT concerning business transactions.
| |||||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||||
3 | represented in the General Assembly:
| |||||||||||||||||||||
4 | Section 5. The Consumer Fraud and Deceptive Business | |||||||||||||||||||||
5 | Practices Act is amended by changing Section 2MM and adding | |||||||||||||||||||||
6 | Section 2QQ as follows:
| |||||||||||||||||||||
7 | (815 ILCS 505/2MM)
| |||||||||||||||||||||
8 | Sec. 2MM. Verification of accuracy of credit reporting | |||||||||||||||||||||
9 | information used to
extend consumers credit ; security alert | |||||||||||||||||||||
10 | notices .
| |||||||||||||||||||||
11 | (a) A credit card issuer who mails an offer or solicitation | |||||||||||||||||||||
12 | to apply for a
credit card and who receives a completed | |||||||||||||||||||||
13 | application in response to the offer
or
solicitation which | |||||||||||||||||||||
14 | lists an address that is not substantially the same as the
| |||||||||||||||||||||
15 | address on the offer or solicitation may not issue a credit | |||||||||||||||||||||
16 | card based on that
application until reasonable steps have been | |||||||||||||||||||||
17 | taken to verify the applicant's
change of address.
| |||||||||||||||||||||
18 | (b) Any person who uses a consumer credit report in | |||||||||||||||||||||
19 | connection with the
approval of credit based on the application | |||||||||||||||||||||
20 | for an extension of credit, or with the purchase, lease, or | |||||||||||||||||||||
21 | rental of goods or non-credit related services, and who
has | |||||||||||||||||||||
22 | received notification of a police report filed with a consumer | |||||||||||||||||||||
23 | reporting
agency that the applicant has been a victim of | |||||||||||||||||||||
24 | financial
identity theft, as defined in Section 16G-15 of the | |||||||||||||||||||||
25 | Criminal Code of 1961, or has received notification of a | |||||||||||||||||||||
26 | security alert, may
not lend money or extend credit without | |||||||||||||||||||||
27 | taking reasonable steps to verify the
consumer's identity and | |||||||||||||||||||||
28 | confirm that the application for an extension of
credit
is not | |||||||||||||||||||||
29 | the result of financial identity theft. If the consumer has | |||||||||||||||||||||
30 | placed a statement with a security alert in his or her file | |||||||||||||||||||||
31 | requesting that identity be verified by calling a specified | |||||||||||||||||||||
32 | telephone number, any person who receives that statement with |
| |||||||
| |||||||
1 | the security alert in a consumer's file shall take reasonable | ||||||
2 | steps to verify the identity of the consumer by contacting the | ||||||
3 | consumer using the specified telephone number prior to lending | ||||||
4 | money, extending credit, or completing the purchase, lease, or | ||||||
5 | rental of goods or non-credit related services. If a person | ||||||
6 | uses a consumer credit report to facilitate the extension of | ||||||
7 | credit or for another permissible purpose on behalf of a | ||||||
8 | subsidiary, affiliate, agent, assignee, or prospective | ||||||
9 | assignee, that person may verify a consumer's identity under | ||||||
10 | this subsection (b) instead of the subsidiary, affiliate, | ||||||
11 | agent, assignee, or prospective assignee. | ||||||
12 | (b-1) If a consumer uses a consumer credit reporting agency | ||||||
13 | he or she may elect to place a security alert in his or her | ||||||
14 | credit report by making a request in writing or by telephone to | ||||||
15 | a consumer credit report agency. A consumer credit reporting | ||||||
16 | agency shall: | ||||||
17 | (1) Notify each person requesting consumer credit | ||||||
18 | information with respect to a consumer of the existence of | ||||||
19 | a security alert in the credit report of that consumer, | ||||||
20 | regardless of whether a full credit report, credit score, | ||||||
21 | or summary report is requested. | ||||||
22 | (2) Maintain a toll-free telephone number to accept | ||||||
23 | security alert requests from consumers 24 hours a day, | ||||||
24 | seven days a week. The toll-free telephone number shall be | ||||||
25 | included in any written disclosure by a consumer credit | ||||||
26 | reporting agency to any consumer and shall be printed in a | ||||||
27 | clear and conspicuous manner. | ||||||
28 | (3) Place a security alert on a consumer's credit | ||||||
29 | report no later than 5 business days after receiving a | ||||||
30 | request from the consumer. The security alert shall remain | ||||||
31 | in place for at least 90 days, and a consumer shall have | ||||||
32 | the right to request a renewal of the security alert. | ||||||
33 | (4) Notify each consumer who has requested that a | ||||||
34 | security alert be placed on his or her consumer credit | ||||||
35 | report of the expiration date of the alert. | ||||||
36 | (5) Promptly disclose files maintained on a consumer as |
| |||||||
| |||||||
1 | follows: | ||||||
2 | (A) In person, if the consumer appears and | ||||||
3 | furnishes proper identification at the location where | ||||||
4 | the consumer credit reporting agency maintains trained | ||||||
5 | personnel. | ||||||
6 | (B) By mail, if the consumer makes a written | ||||||
7 | request with proper identification for a copy of the | ||||||
8 | file or a decoded written version of that file to be | ||||||
9 | sent to the consumer at a specified address. A | ||||||
10 | disclosure under this subparagraph (B) shall be | ||||||
11 | deposited in the United States mail, postage prepaid, | ||||||
12 | within 5 business days after the consumer's written | ||||||
13 | request for the disclosure is received by the consumer | ||||||
14 | credit reporting agency. Consumer credit reporting | ||||||
15 | agencies complying with requests for mailings under | ||||||
16 | this subparagraph (B) shall not be liable for | ||||||
17 | disclosures to third parties caused by mishandling of | ||||||
18 | mail after the mailings leave the consumer credit | ||||||
19 | reporting agencies. | ||||||
20 | (C) By telephone, if the consumer has made a | ||||||
21 | written request, with proper identification for | ||||||
22 | telephone disclosure. | ||||||
23 | Information in a consumer's file required to be provided in | ||||||
24 | writing under this paragraph (5) may also be disclosed in | ||||||
25 | another form if authorized by the consumer and if available | ||||||
26 | from the consumer credit reporting agency. A consumer may | ||||||
27 | request disclosure by telephone upon disclosure of proper | ||||||
28 | identification by the consumer, by electronic means if | ||||||
29 | available from the consumer credit reporting agency, or by any | ||||||
30 | other reasonable means that is available from the consumer | ||||||
31 | credit reporting agency. | ||||||
32 | (6) Provide a consumer with a written summary of all of | ||||||
33 | his or her rights with any written disclosure in the | ||||||
34 | following form: | ||||||
35 | "You have a right to obtain a copy of your credit file | ||||||
36 | from a consumer credit reporting agency. You may be charged |
| |||||||
| |||||||
1 | a reasonable fee not to exceed $8. There is no fee, if you | ||||||
2 | have been turned down for credit, employment, insurance, or | ||||||
3 | a rental dwelling because of information in your credit | ||||||
4 | report within the preceding 60 days. The consumer credit | ||||||
5 | reporting agency must provide trained personnel to help you | ||||||
6 | interpret the information in your credit file. | ||||||
7 | You have a right to dispute inaccurate information by | ||||||
8 | contacting the consumer credit reporting agency directly. | ||||||
9 | However, neither you or any credit repair company or credit | ||||||
10 | service organization has the right to have accurate, | ||||||
11 | current, and verifiable information removed from your | ||||||
12 | credit report. Under the Federal Fair Credit Reporting Act, | ||||||
13 | the consumer credit reporting agency must remove accurate, | ||||||
14 | negative information from your report only if it is over 7 | ||||||
15 | years old. Bankruptcy information can be reported for 10 | ||||||
16 | years. | ||||||
17 | If you have notified a consumer credit reporting agency | ||||||
18 | in writing that you dispute the accuracy of information in | ||||||
19 | your file, the consumer credit reporting agency must then, | ||||||
20 | within 30 business days, reinvestigate and modify or remove | ||||||
21 | inaccurate information. The consumer credit
reporting | ||||||
22 | agency may not charge a fee for this service. Any pertinent
| ||||||
23 | information and copies of all documents you have concerning | ||||||
24 | an error
should be given to the consumer credit reporting | ||||||
25 | agency. | ||||||
26 | If reinvestigation does not resolve the dispute to your | ||||||
27 | satisfaction, you may send a brief statement to the | ||||||
28 | consumer credit reporting agency to
keep in your file, | ||||||
29 | explaining why you think the record is inaccurate. The
| ||||||
30 | consumer credit reporting agency must include your | ||||||
31 | statement about
disputed information in a report it issues | ||||||
32 | about you. | ||||||
33 | You have a right to receive a record of all inquiries | ||||||
34 | relating to a credit transaction initiated in 12 months | ||||||
35 | preceding your request. This record shall include the | ||||||
36 | recipients of any consumer credit report.
You may request |
| |||||||
| |||||||
1 | in writing that the information contained in your file not | ||||||
2 | be provided to a third party for marketing purposes. | ||||||
3 | You have a right to place a "security alert" in your | ||||||
4 | credit report, which will warn anyone who receives | ||||||
5 | information in your credit report that your identity may | ||||||
6 | have been used without your consent. Recipients of
your | ||||||
7 | credit report are required to take reasonable steps, | ||||||
8 | including
contacting you at the telephone number you may | ||||||
9 | provide with your
security alert, to verify your identity | ||||||
10 | prior to lending money, extending
credit, or completing the | ||||||
11 | purchase, lease, or rental of goods or services.
The | ||||||
12 | security alert may prevent credit, loans, and services from | ||||||
13 | being
approved in your name without your consent. However, | ||||||
14 | you should be
aware that taking advantage of this right may | ||||||
15 | delay or interfere with the
timely approval of any | ||||||
16 | subsequent request or application you make
regarding a new | ||||||
17 | loan, credit, mortgage, insurance, rental housing,
| ||||||
18 | employment, investment, license, cellular phone, | ||||||
19 | utilities, digital
signature, Internet credit card | ||||||
20 | transaction, or other services, including an
extension of | ||||||
21 | credit at point of sale. If you place a security alert on | ||||||
22 | your
credit report, you have a right to obtain a free copy | ||||||
23 | of your credit report
at the time the 90-day security alert | ||||||
24 | period expires. A security alert may
be requested by | ||||||
25 | calling the following toll-free telephone number: (Insert
| ||||||
26 | applicable toll-free telephone number). | ||||||
27 | You have a right to place a "security freeze" on your | ||||||
28 | credit report,
which will prohibit a consumer credit | ||||||
29 | reporting agency from releasing
any information in your | ||||||
30 | credit report without your express authorization.
A | ||||||
31 | security freeze must be requested in writing by certified | ||||||
32 | mail. The
security freeze is designed to prevent credit, | ||||||
33 | loans, and services from
being approved in your name | ||||||
34 | without your consent. However, you
should be aware that | ||||||
35 | using a security freeze to take control over who gets
| ||||||
36 | access to the personal and financial information in your |
| |||||||
| |||||||
1 | credit report may
delay, interfere with, or prohibit the | ||||||
2 | timely approval of any subsequent
request or application | ||||||
3 | you make regarding a new loan, credit, mortgage,
insurance, | ||||||
4 | government services or payments, rental housing,
| ||||||
5 | employment, investment, license, cellular phone, | ||||||
6 | utilities, digital
signature, Internet credit card | ||||||
7 | transaction, or other services, including an
extension of | ||||||
8 | credit at point of sale. When you place a security freeze | ||||||
9 | on
your credit report, you will be provided a personal | ||||||
10 | identification number
or password to use if you choose to | ||||||
11 | remove the freeze on your credit
report or authorize the | ||||||
12 | release of your credit report for a specific party
or | ||||||
13 | period of time after the freeze is in place. To provide | ||||||
14 | that authorization
you must contact the consumer credit | ||||||
15 | reporting agency and provide all
of the following: | ||||||
16 | (1) the personal identification number or | ||||||
17 | password; | ||||||
18 | (2) proper identification to verify your identity; | ||||||
19 | and | ||||||
20 | (3) the proper information regarding the third | ||||||
21 | party who is to receive the credit report or the period | ||||||
22 | of time for which the report shall be
available. | ||||||
23 | A consumer credit reporting agency must authorize the | ||||||
24 | release of your credit report no later than 3 business days | ||||||
25 | after receiving the above information. | ||||||
26 | A security freeze does not apply to a person or entity, | ||||||
27 | or its affiliates, or collection agencies acting on behalf | ||||||
28 | of the person or entity with which you have an existing | ||||||
29 | account, that requests information in your credit report | ||||||
30 | for the purposes of reviewing or collecting the account.
| ||||||
31 | Reviewing the account includes activities related to | ||||||
32 | account
maintenance, monitoring, credit line increases, | ||||||
33 | and account upgrades
and enhancements. | ||||||
34 | You have a right to bring civil action against anyone, | ||||||
35 | including a
consumer credit reporting agency, who | ||||||
36 | improperly obtains access to a
file, knowingly or willfully |
| |||||||
| |||||||
1 | misuses file data, or fails to correct
inaccurate file | ||||||
2 | data. | ||||||
3 | If you are a victim of identity theft and provide to a | ||||||
4 | consumer credit reporting agency a copy of a valid police | ||||||
5 | report or a valid investigative report made by a Department | ||||||
6 | of Motor Vehicles investigator with peace officer status | ||||||
7 | describing your circumstances, the following shall apply: | ||||||
8 | (1) You have a right to have any information you | ||||||
9 | list on the report as allegedly fraudulent promptly | ||||||
10 | blocked so that the information cannot be
reported. The | ||||||
11 | information will be unblocked only if (1) the | ||||||
12 | information
you provide is a material | ||||||
13 | misrepresentation of the facts, (2) you agree
that the | ||||||
14 | information is blocked in error, or (3) you knowingly | ||||||
15 | obtained
possession of goods, services, or moneys as | ||||||
16 | result of the blocked
transactions. If blocked | ||||||
17 | information is unblocked you will be promptly
| ||||||
18 | notified. | ||||||
19 | (2) By the effective date of this amendatory Act of | ||||||
20 | the 93rd General Assembly, you have a right to receive, | ||||||
21 | free of charge and upon request, one copy of your | ||||||
22 | credit report each month for up to 12 consecutive | ||||||
23 | months.". | ||||||
24 | (b-2) The following entities are not required to place a | ||||||
25 | security alert in a consumer credit report: | ||||||
26 | (1) A check services or fraud prevention services | ||||||
27 | company, which issues reports on incidents of fraud or | ||||||
28 | authorizations for the purpose of approving or | ||||||
29 | processing negotiable instruments, electronic funds | ||||||
30 | transfers, or similar methods of payments. | ||||||
31 | (2) A deposit account information service company, | ||||||
32 | which issues reports regarding account closures due to | ||||||
33 | fraud, substantial overdrafts, ATM abuse, or similar | ||||||
34 | negative information regarding a consumer, to | ||||||
35 | inquiring banks or other financial institutions for | ||||||
36 | use only in reviewing a consumer request for a deposit |
| |||||||
| |||||||
1 | account at the inquiring bank or financial | ||||||
2 | institution. | ||||||
3 | (b-3) The consumer has the right to request and receive all | ||||||
4 | of the following: | ||||||
5 | (1) Either a decoded written version of the file or a | ||||||
6 | written copy of the file, including all information in the | ||||||
7 | file at the time of the request, with an explanation of any | ||||||
8 | code used. | ||||||
9 | (2) A credit score for the consumer, the key factors, | ||||||
10 | and the related information. | ||||||
11 | (3) A record of all inquiries, by recipient, which | ||||||
12 | result in the provision of information concerning the | ||||||
13 | consumer in connection with a credit transaction that is | ||||||
14 | not initiated by the consumer and which were received by | ||||||
15 | the consumer credit reporting agency in the 12-month period | ||||||
16 | immediately preceding the request for disclosure. | ||||||
17 | (4) The recipients, of any consumer credit report on | ||||||
18 | the consumer which the consumer credit reporting agency has | ||||||
19 | furnished for employment purposes within the 12-month | ||||||
20 | period preceeding the request or any other purpose within | ||||||
21 | the 12-month period preceding the request.
| ||||||
22 | (c) For purposes of this Section, "extension of credit" | ||||||
23 | does not include
an increase in an existing open-end credit | ||||||
24 | plan, as defined in Regulation Z of
the Federal Reserve System | ||||||
25 | (12 C.F.R. 226.2), or any change to or review of an
existing | ||||||
26 | credit account. | ||||||
27 | (c-1) For purposes of this Section, "security alert" means | ||||||
28 | a notice placed in a consumer's credit report, at the request | ||||||
29 | of the consumer, which notifies a recipient of the credit | ||||||
30 | report that the consumer's identity may have been used without | ||||||
31 | the consumer's consent to fraudulently obtain goods or services | ||||||
32 | in the consumer's name. | ||||||
33 | (c-2) For purposes of this Section, "proper | ||||||
34 | identification" means that information generally deemed | ||||||
35 | sufficient to identify a person. Only if the consumer is unable | ||||||
36 | to reasonably identify himself or herself, may a consumer |
| |||||||
| |||||||
1 | credit reporting agency require additional information | ||||||
2 | concerning the consumer's employment and personal or family | ||||||
3 | history in order to verify his or her identity.
| ||||||
4 | (d) Any person who violates the provisions of this Section
| ||||||
5 | subsection (a) or subsection (b) commits an
unlawful practice | ||||||
6 | within the meaning of this Act. If a consumer reporting agency | ||||||
7 | recklessly, willfully, or intentionally fails to place a | ||||||
8 | security alert notice in a consumer's credit report it shall be | ||||||
9 | guilty of a business offense and subject to a fine in an amount | ||||||
10 | not to exceed $2,500 plus the cost of reasonable attorney's | ||||||
11 | fees.
| ||||||
12 | (Source: P.A. 93-195, eff. 1-1-04.)
| ||||||
13 | (815 ILCS 505/2QQ new)
| ||||||
14 | Sec. 2QQ. Social security number protection. | ||||||
15 | (a) Notwithstanding subsection (b), any financial | ||||||
16 | institution may print the social security number of an | ||||||
17 | individual on any account statement or similar document mailed | ||||||
18 | to that individual, if the social security number is provided | ||||||
19 | in connection with a transaction governed by the rules of the | ||||||
20 | National Automated Clearing House Association, or a | ||||||
21 | transaction initiated by a federal governmental entity through | ||||||
22 | an automated clearing house network. | ||||||
23 | (b) A person or entity may not do any of the following: | ||||||
24 | (1) Publicly post or publicly display, in any manner, | ||||||
25 | an individual's social security number. "Publicly post" or | ||||||
26 | "publicly display" means to intentionally communicate or | ||||||
27 | otherwise make available to the general public. | ||||||
28 | (2) Print an individual's social security number on any | ||||||
29 | card required for the individual to access products or | ||||||
30 | services provided by the person or entity. | ||||||
31 | (3) Require an individual to transmit his or her social | ||||||
32 | security number over the Internet, unless the connection is | ||||||
33 | secure or the social security number is encrypted. | ||||||
34 | (4) Require an individual to use his or her social | ||||||
35 | security number to access an Internet Web site, unless a |
| |||||||
| |||||||
1 | password or unique personal identification number or other | ||||||
2 | authentication device is also required to access the | ||||||
3 | Internet Web site. | ||||||
4 | (5) Print an individual's social security number on any | ||||||
5 | materials that are mailed to the individual, unless State | ||||||
6 | or federal law requires the social security number to be on | ||||||
7 | the document to be mailed. Notwithstanding this subsection | ||||||
8 | (a), social security numbers may be included in | ||||||
9 | applications and forms sent by mail, including documents | ||||||
10 | sent as part of an application or enrollment process, or to | ||||||
11 | establish, amend or terminate an account, contract or | ||||||
12 | policy, or to confirm the accuracy of the social security | ||||||
13 | number. | ||||||
14 | (c) Except as provided in subsection (f), a person or | ||||||
15 | entity that has used, prior to the effective date of this | ||||||
16 | amendatory Act by the 93rd General Assembly, an individual's | ||||||
17 | social security number in a manner inconsistent with subsection | ||||||
18 | (b), may continue using that individual's social security | ||||||
19 | number in that manner on or after the effective date of this | ||||||
20 | amendatory Act by the 93rd General Assembly, and a State or | ||||||
21 | local agency that has used, prior to the effective date of this | ||||||
22 | amendatory Act by the 93rd General Assembly, an individual's | ||||||
23 | social security number in a manner inconsistent with subsection | ||||||
24 | (b), may continue using that individual's social security | ||||||
25 | number in that manner on or after the effective date of this | ||||||
26 | amendatory Act by the 93rd General Assembly, if all of the | ||||||
27 | following conditions are met: | ||||||
28 | (1) The use of the social security number is | ||||||
29 | continuous. If the use is stopped for any reason, | ||||||
30 | subsection (b) shall apply. | ||||||
31 | (2) The individual is provided an annual disclosure | ||||||
32 | that informs the individual that he or she has the right to | ||||||
33 | stop the use of his or her social security number in a | ||||||
34 | manner prohibited by subsection (b). | ||||||
35 | A written request by an individual to stop the use of his | ||||||
36 | or her social security number in a manner prohibited by |
| |||||||
| |||||||
1 | subsection (b) is implemented within 30 days of the receipt of | ||||||
2 | the request. There may not be a fee or charge for implementing | ||||||
3 | the request. | ||||||
4 | The person or entity may not deny services to an individual | ||||||
5 | because the individual makes a written request pursuant to this | ||||||
6 | subsection (c). | ||||||
7 | (d) This Section does not apply to documents that are | ||||||
8 | recorded or required to be open to the public. | ||||||
9 | (e) In the case of a health care service plan, a provider | ||||||
10 | of health care, an insurer or a pharmacy benefits manager, a | ||||||
11 | contractor, or the provision by any person or entity of | ||||||
12 | administrative or other services relative to health care or | ||||||
13 | insurance products or services, including third-party | ||||||
14 | administration or administrative services only, this Section | ||||||
15 | shall become operative in the following manner: | ||||||
16 | (1) By the effective date of this amendatory Act by | ||||||
17 | the 93rd General Assembly the entities listed in | ||||||
18 | subsection (e) shall comply with paragraphs (1), (3), | ||||||
19 | (4), and (5) of subsection (b), as these requirements | ||||||
20 | pertain to individual policyholders or individual | ||||||
21 | contract holders. | ||||||
22 | (2) By the effective date of this amendatory Act by | ||||||
23 | the 93rd General Assembly the entities listed in | ||||||
24 | subsection (1) shall comply with subsection (b) as | ||||||
25 | these requirements pertain to new individual | ||||||
26 | policyholders or new individual contract holders and | ||||||
27 | new groups. | ||||||
28 | (f) A health care service plan, a provider of health care, | ||||||
29 | an insurer or a pharmacy benefits manager, a contractor, or | ||||||
30 | another person or entity as described in subsection (e) shall | ||||||
31 | make reasonable efforts to cooperate, through systems testing | ||||||
32 | and other means, to ensure that the requirements of this | ||||||
33 | Section are implemented on or before the dates specified in | ||||||
34 | this Section. | ||||||
35 | (1) Notwithstanding paragraph (2) of this Section, the | ||||||
36 | Director of the Illinois Department of Public Aid, or the |
| |||||||
| |||||||
1 | Director of the Department of Insurance, and upon a | ||||||
2 | determination of good cause, may grant extensions not to | ||||||
3 | exceed 6 months, for compliance with the requirements of | ||||||
4 | this Section when requested by the health care service plan | ||||||
5 | provider or insurer. Any extension granted shall apply to | ||||||
6 | the health care service plan or insurer's affected | ||||||
7 | providers, pharmacy benefits manager, and contractors. | ||||||
8 | (2) If a federal law takes effect requiring the United | ||||||
9 | States Department of Health and Human Services to establish | ||||||
10 | a national unique patient health identifier program, a | ||||||
11 | provider of health care, a health care service plan, a | ||||||
12 | licensed health care professional, or a contractor, that | ||||||
13 | complies with the federal law shall be deemed in compliance | ||||||
14 | with this Section. | ||||||
15 | (g) A person or entity may not encode or embed a social | ||||||
16 | security number in or on a card or document, including, but not | ||||||
17 | limited to, using a bar code, chip, magnetic strip, or other | ||||||
18 | technology, in place of removing the social security number, as | ||||||
19 | required by this Section.
|