BP BHEAD INT H [atlas:bill]

AN ACT Relating to protecting the privacy of personal information held by financial institutions; adding a new chapter to Title 19 RCW; prescribing penalties; and providing an effective date.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION. Sec. 1. Every financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' personal information, including:

(1) To insure the security and confidentiality of customer records and information;

(2) To protect against any anticipated threats or hazards to the security or integrity of these records; and

(3) To protect against unauthorized access to or use of customer records or information which could result in substantial harm or inconvenience to any customer.

NEW SECTION. Sec. 2. (1) Except as provided in section 3 of this act, no financial institution shall make available any personal information to any affiliate or other person that is not an employee or agent of the institution, unless the consumer to whom the information pertains:

(a) Has affirmatively consented in writing to the transfer of such information; and

(b) Has not withdrawn the consent.

(2) A financial institution shall, in complying with subsection (1) of this section, present the opportunity to consent in a clear and conspicuous manner that permits the consumer to consent:

(a)(i) With respect to both affiliates and nonaffiliated persons;

(ii) Separately with respect to affiliates generally and nonaffiliated persons generally; or

(iii) Separately with respect to specified affiliates and nonaffiliated persons; and

(b) Separately with respect to specified financial and nonfinancial products and services that may be offered to the consumer.

(3) No financial institution shall deny any consumer a financial product or a financial service for the refusal by the consumer to grant the consent required by subsection (1) of this section.

(4) Every financial institution that makes available personal information collected by the financial institution to any person or entity other than an employee or agent of the institution shall provide that consumer:

(a) The opportunity to examine, upon request, all personal information that was made available; and

(b) The opportunity to dispute the accuracy of any of the information, and to present evidence thereon.

(5) A financial institution shall not disclose an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any affiliate or any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail or other electronic means to the consumer.

(6) Except as otherwise provided in this chapter, an affiliate or a nonaffiliated third party that receives from a financial institution personal information shall not, directly or through an affiliate of the receiving third party, disclose the information to any other person that is an affiliate or a nonaffiliated third party of both the financial institution and the receiving third party, unless the disclosure would be lawful if made directly to the other person by the financial institution.

NEW SECTION. Sec. 3. (1) Personal information may be disclosed only:

(a) As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with:

(i) Servicing or processing a financial product or service requested or authorized by the consumer;

(ii) Maintaining or servicing the consumer's account with the financial institution; or

(iii) A proposed or actual securitization, secondary market sale including sales of servicing rights, or similar transaction related to a transaction of the consumer;

(b) With the consent or at the direction of the consumer;

(c)(i) To protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein; (ii) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (iii) for required institutional risk control, or for resolving customer disputes or inquiries; (iv) to persons holding a legal or beneficial interest relating to the consumer; or (v) to persons acting in a fiduciary or representative capacity on behalf of the consumer;

(d) To provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, and the institution's attorneys, accountants, and auditors;

(e) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies, self‑regulatory organizations, or for an investigation on a matter related to public safety;

(f)(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act, or (ii) from a consumer report reported by a consumer reporting agency in accordance with the Fair Credit Reporting Act;

(g) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of personal information concerns solely consumers of the business or unit; or

(h)(i) To comply with federal, state, or local laws, rules, and other applicable legal requirements; (ii) to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or (iii) to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.

(2) The disclosing or use of personal information shall be treated as necessary to effect or administer a transaction with a consumer under subsection (1)(a) of this section if the disclosing or use:

(a)(i) Is required, or is a usual, appropriate, or acceptable method, to carry out the transaction, or the product or service business of which the transaction is a part; (ii) records, services, or maintains the consumer's account in the ordinary course of providing the financial service or financial product; or (iii) is to administer or service benefits or claims relating to the transaction, or the product or service business of which it is a part, and includes:

(A) Providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product; and

(B) The accrual or recognition of incentives or bonuses associated with the transaction that are provided by the financial institution or any other party;

(b) Is required, or is one of the lawful or appropriate methods, to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction, or providing the product or service;

(c)(i) Is required, or is a usual, appropriate, or acceptable method, for insurance underwriting at the consumer's request or for reinsurance purposes; (ii) is for any of the following purposes as they relate to a consumer's insurance: Account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by federal or state law; or

(d) The disclosure is required, or is a usual, appropriate, or acceptable method, in connection with:

(i) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means;

(ii) The transfer of receivables, accounts, or interests therein; or

(iii) The audit of debit, credit, or other payment information.

NEW SECTION. Sec. 4. Every financial institution shall clearly and conspicuously disclose to the consumer at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of the relationship:

(1) The categories of personal information that are collected by the financial institution;

(2) The practices and policies of the financial institution with respect to disclosing personal information, or making unrelated uses of this information, including:

(a) The categories of persons to whom the information is or may be disclosed or who may be permitted to make unrelated uses of this information, other than the persons to whom the information must be provided to effect, administer, or enforce the transaction; and

(b) The practices and policies of the institution with respect to disclosing or making unrelated uses of personal information of persons who have ceased to be customers of the financial institution;

(3) The policies that the institution maintains to protect the confidentiality and security of personal information;

(4) The practices and policies of the institution with respect to providing consumers the opportunity to examine and dispute information; and

(5) The right of the consumer under this section to examine, upon request, the personal information, to dispute the accuracy of any of such information, and to present evidence thereon.

NEW SECTION. Sec. 5. Unless the context clearly requires otherwise, the following definitions apply throughout this chapter:

(1) "Financial institution" means any company that is engaging in financial activities or activities that are incidental or complementary to financial activities, including banks, savings banks, credit unions, insurers, securities firms, whether chartered, licensed, or regulated by the state or the federal government, and any company regulated by the department of financial institutions.

(2) "Personal information" means personally identifiable information:

(a) Provided by a consumer to a financial institution;

(b) Resulting from any transaction with the consumer or the service performed for the consumer; or

(3) "Unrelated use" when used with respect to information collected by the financial institution in connection with any transaction with a consumer in any financial product or any financial service, means any use other than a use that is necessary to effect, administer, or enforce any transaction.

(4) "Affiliate" means any company that controls, is controlled by, or is under common control with another company.

(5) "Nonaffiliated third party" means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of the institution.

(6) "Consumer" means an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of an individual.

NEW SECTION. Sec. 6. (1) The director of the department of financial institutions and the insurance commissioner are authorized to enforce this chapter regarding the companies regulated by them, and shall make compliance with this chapter a part of their company examinations.

(2) A person injured by a violation of this chapter may bring an action to recover his or her actual damages, or one hundred dollars, whichever is greater. The court may, at its discretion, increase the award of damages by an amount not to exceed one thousand dollars for a willful violation of this chapter.

NEW SECTION. Sec. 7. The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the consumer protection act, chapter 19.86 RCW, particularly in violation of RCW 19.86.020.

NEW SECTION. Sec. 8. This act takes effect July 1, 2000.

NEW SECTION. Sec. 9. This act may be known and cited as the Washington state consumers' financial privacy protection act.

NEW SECTION. Sec. 10. Sections 1 through 9 of this act constitute a new chapter in Title 19 RCW.