BILL NUMBER: SB 1730 CHAPTERED 09/22/02

CHAPTER 786
FILED WITH SECRETARY OF STATE SEPTEMBER 22, 2002
APPROVED BY GOVERNOR SEPTEMBER 21, 2002
PASSED THE SENATE AUGUST 30, 2002
PASSED THE ASSEMBLY AUGUST 28, 2002
AMENDED IN ASSEMBLY AUGUST 27, 2002
AMENDED IN ASSEMBLY JUNE 25, 2002
AMENDED IN ASSEMBLY JUNE 13, 2002
AMENDED IN ASSEMBLY JUNE 12, 2002
AMENDED IN SENATE APRIL 18, 2002
AMENDED IN SENATE APRIL 1, 2002

INTRODUCED BY Senator Bowen (Coauthor: Assembly Member Alquist)

FEBRUARY 21, 2002

An act to amend Sections 1785.11.2, 1785.11.6, and 1798.85 of the Civil Code, relating to personal information.

LEGISLATIVE COUNSEL'S DIGEST

SB 1730, Bowen. Personal information.

(1) Existing law authorizes a consumer to place a security alert in his or her credit report by making a request in writing or by telephone to a consumer credit reporting agency, as specified. Existing law requires consumer credit reporting agencies to take specified actions in response to a request by a consumer to place a security freeze, as defined, on his or her credit report. Existing law makes various entities exempt from that requirement.

This bill would additionally exempt from those requirements the use of a consumer credit report by any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed or by any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request. The bill would also exempt a fraud prevention services company from the requirement to place a security alert or a security freeze in a credit report, as specified.
(2) Existing law prohibits a person or entity, except as specified, from publicly posting or displaying an individual's social security number, printing that social security number on a card required for the individual to access products or services or on materials mailed to the individual, or otherwise requiring an individual to transmit or use that social security number. These provisions become operative in the case of a health care service plan, a provider of health care, and other, specified health care related entities as the requirements pertain to individual policyholders, employer groups, and enrollees of state medical insurance programs on various dates, as specified.

This bill would revise those provisions to additionally provide that they shall become operative in the case of the provision by any person or entity of administrative or other services relative to health care or insurance products or services on various dates, as specified.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Section 1785.11.2 of the Civil Code is amended to read:

1785.11.2. (a) A consumer may elect to place a security freeze on his or her credit report by making a request in writing by certified mail to a consumer credit reporting agency. "Security freeze" means a notice placed in a consumer's credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer credit reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer. If a security freeze is in place, information from a consumer's credit report may not be released to a third party without prior express authorization from the consumer. This subdivision does not prevent a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.
(b) A consumer credit reporting agency shall place a security freeze on a consumer's credit report no later than five business days after receiving a written request from the consumer.

(c) The consumer credit reporting agency shall send a written confirmation of the security freeze to the consumer within 10 business days and shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit for a specific party or period of time.

(d) If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer credit reporting agency, request that the freeze be temporarily lifted, and provide the following:

(1) Proper identification, as defined in subdivision (c) of Section 1785.15.

(2) The unique personal identification number or password provided by the credit reporting agency pursuant to subdivision (c).

(3) The proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

(e) A consumer credit reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report pursuant to subdivision (d), shall comply with the request no later than three business days after receiving the request.

(f) A consumer credit reporting agency may develop procedures involving the use of telephone, fax, the Internet, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report pursuant to subdivision (d) in an expedited manner.

(g) A consumer credit reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only in the following cases:

(1) Upon consumer request, pursuant to subdivision (d) or (j).
(2) If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer credit reporting agency intends to remove a freeze upon a consumer's credit report pursuant to this paragraph, the consumer credit reporting agency shall notify the consumer in writing prior to removing the freeze on the consumer's credit report.

(h) If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

(i) If a consumer requests a security freeze, the consumer credit reporting agency shall disclose the process of placing and temporarily lifting a freeze, and the process for allowing access to information from the consumer's credit report for a specific party or period of time while the freeze is in place.

(j) A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer credit reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both of the following:

(1) Proper identification, as defined in subdivision (c) of Section 1785.15.

(2) The unique personal identification number or password provided by the credit reporting agency pursuant to subdivision (c).

(k) A consumer credit reporting agency shall require proper identification, as defined in subdivision (c) of Section 1785.15, of the person making a request to place or remove a security freeze.
(l) The provisions of this section do not apply to the use of a consumer credit report by any of the following:

(1) A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument. For purposes of this paragraph, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

(2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subdivision (d) of Section 1785.11.2 for purposes of facilitating the extension of credit or other permissible use.

(3) Any state or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, or subpoena.

(4) A child support agency acting pursuant to Chapter 2 of Division 17 of the Family Code or Title IV-D of the Social Security Act (42 U.S.C. et seq.).

(5) The State Department of Health Services or its agents or assigns acting to investigate Medi-Cal fraud.

(6) The Franchise Tax Board or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities.

(7) The use of credit information for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act.
(8) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed.

(9) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request.

(m) This act does not prevent a consumer credit reporting agency from charging a reasonable fee to a consumer who elects to freeze, remove the freeze, or temporarily lift the freeze regarding access to a consumer credit report, except that a consumer credit reporting agency may not charge a fee to a victim of identity theft who has submitted a valid police report or valid Department of Motor Vehicles investigative report that alleges a violation of Section 530.5 of the Penal Code.

SEC. 2. Section 1785.11.6 of the Civil Code is amended to read:

1785.11.6. The following entities are not required to place in a credit report either a security alert, pursuant to Section 1785.11.1, or a security freeze, pursuant to Section 1785.11.2:

(a) A check services or fraud prevention services company, which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments.

(b) A demand deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a demand deposit account at the inquiring bank or financial institution.

SEC. 3. Section 1798.85 of the Civil Code is amended to read:

1798.85. (a) A person or entity, not including a state or local agency, may not do any of the following:

(1) Publicly post or publicly display in any manner an individual's social security number.
"Publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public. (2) Print an individual's social security number on any card required for the individual to access products or services provided by the person or entity. (3) Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted. (4) Require an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site. (5) Print an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed. Notwithstanding this paragraph, social security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the social security number. (b) Except as provided in subdivision (c), subdivision (a) applies only to the use of social security numbers on or after July 1, 2002. (c) Except as provided in subdivision (f), a person or entity, not including a state or local agency, that has used, prior to July 1, 2002, an individual's social security number in a manner inconsistent with subdivision (a), may continue using that individual's social security number in that manner on or after July 1, 2002, if all of the following conditions are met: (1) The use of the social security number is continuous. If the use is stopped for any reason, subdivision (a) shall apply. 
(2) The individual is provided an annual disclosure, commencing in the year 2002, that informs the individual that he or she has the right to stop the use of his or her social security number in a manner prohibited by subdivision (a).

(3) A written request by an individual to stop the use of his or her social security number in a manner prohibited by subdivision (a) shall be implemented within 30 days of the receipt of the request. There shall be no fee or charge for implementing the request.

(4) A person or entity, not including a state or local agency, shall not deny services to an individual because the individual makes a written request pursuant to this subdivision.

(d) This section does not prevent the collection, use, or release of a social security number as required by state or federal law or the use of a social security number for internal verification or administrative purposes.

(e) This section does not apply to documents that are recorded or required to be open to the public pursuant to Chapter 3.5 (commencing with Section 6250), Chapter 14 (commencing with Section 7150) or Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1 of, or Chapter 9 (commencing with Section 54950) of Part 1 of Division 2 of Title 5 of, the Government Code. This section does not apply to records that are required by statute, case law, or California Rule of Court, to be made available to the public by entities provided for in Article VI of the California Constitution.
(f) (1) In the case of a health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor as defined in Section 56.05, or the provision by any person or entity of administrative or other services relative to health care or insurance products or services, including third-party administration or administrative services only, this section shall become operative in the following manner:

(A) On or before January 1, 2003, the entities listed in paragraph (1) of subdivision (f) shall comply with paragraphs (1), (3), (4), and (5) of subdivision (a) as these requirements pertain to individual policyholders or individual contract holders.

(B) On or before January 1, 2004, the entities listed in paragraph (1) of subdivision (f) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) as these requirements pertain to new individual policyholders or new individual contractholders and new groups, including new groups administered or issued on or after January 1, 2004.

(C) On or before July 1, 2004, the entities listed in paragraph (1) of subdivision (f) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) for all individual policyholders and individual contractholders, for all groups, and for all enrollees of the Healthy Families and Medi-Cal programs, except that for individual policyholders, individual contractholders and groups in existence prior to January 1, 2004, the entities listed in paragraph (1) of subdivision (f) shall comply upon the renewal date of the policy, contract, or group on or after July 1, 2004, but no later than July 1, 2005.
(2) A health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor, or another person or entity as described in paragraph (1) of subdivision (f) shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this article are implemented on or before the dates specified in this section.

(3) Notwithstanding paragraph (2), the Director of the Department of Managed Health Care, pursuant to the authority granted under Section 1346 of the Health and Safety Code, or the Insurance Commissioner, pursuant to the authority granted under Section 12921 of the Insurance Code, and upon a determination of good cause, may grant extensions not to exceed six months for compliance by health care service plans and insurers with the requirements of this section when requested by the health care service plan or insurer. Any extension granted shall apply to the health care service plan or insurer's affected providers, pharmacy benefits manager, and contractors.

(g) If a federal law takes effect requiring the United States Department of Health and Human Services to establish a national unique patient health identifier program, a provider of health care, a health care service plan, a licensed health care professional, or a contractor, as those terms are defined in Section 56.05, that complies with the federal law shall be deemed in compliance with this section.