BILL REQ. #:  H-4098.2 



_____________________________________________ 

HOUSE BILL 3067
_____________________________________________
State of Washington59th Legislature2006 Regular Session

By Representatives Roach, Kirby, Newhouse, Ericks, Sells, P. Sullivan, Green, Rodne, Woods, Strow, Morrell and B. Sullivan

Read first time 01/18/2006.   Referred to Committee on Financial Institutions & Insurance.



     AN ACT Relating to identity theft; amending RCW 19.182.170 and 28A.300.460; adding a new section to chapter 43.10 RCW; adding a new chapter to Title 30 RCW; and making appropriations.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION.  Sec. 1   The legislature finds that financial fraud and crimes against financial institutions and merchants are increasing exponentially in Washington state. Until recently, these crimes cost businesses and consumers thousands of dollars in losses. They now cost millions of dollars. The legislature further finds that noncredit losses to financial institutions, and credit card, debit card, and check fraud against merchants impose danger to consumers and their financial privacy, and burden law enforcement and public prosecutors with crimes that are difficult to detect and prosecute. The growth in financial fraud also provides opportunities for organized crime and terrorist organizations, and undermines the stability and reliability of financial and other businesses upon which commerce and the economy rely.
     The legislature intends to enable financial institutions and merchants, to the extent permitted by federal law, to exchange information to prevent, detect, deter, and assist in the prosecution of financial fraud, bank robbery, money laundering, identity theft, and other financial crimes.

NEW SECTION.  Sec. 2   The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
     (1) "Designated employees" means security personnel of a financial institution or merchant designated by it to participate in a fraud alert network.
     (2) "Electronic posting" means the use of a web site or other form of electronic communication used to display information gathered in connection with a fraud alert network.
     (3) "Financial crimes" means any act, including any anticipatory or completed offense, committed for financial gain, that is chargeable or indictable, regardless of whether the act is actually charged or indicted, as a violation of a state or federal criminal law prohibiting false representation, frauds and swindles in violation of chapter 9.45 RCW, forgery, obtaining a signature by deception or duress, criminal impersonation, false certification, unlawful issuance of checks, drafts, funds transfers and payment instructions, identity theft, improperly obtaining financial information, robbery, bank robbery, theft, scams, tax evasion, embezzlement, money laundering, use of proceeds of criminal profiteering, false representation concerning credit, false statement by deposit account applicant, false representation concerning title, forgery of a digital signature or other violation of RCW 9.38.060, burglary when it involves entering the premises of a financial institution or retail establishment, unlawful possession of payment instruments, unlawful production of payment instruments, unlawful possession of a personal identification device, unlawful possession of fictitious identification, unlawful possession of instruments of financial fraud, possession of another's identification, display or possession of a fraudulently issued driver's license or identicard, display or representation as one's own the driver's license or identicard of another person, unlawful factoring of a credit card or payment card transaction, or other state or federal law prohibiting a financial-related crime.
     (4) "Financial institution" means: (a) Any person doing business under the laws of any state or the United States relating to commercial banks, bank holding companies, financial holding companies, savings banks, savings and loan associations, trust companies, or credit unions; (b) any office of an international banking corporation, branch of a foreign bank, or corporation organized pursuant to the Bank Service Corporation Act (12 U.S.C. Sec. 1861-1867) or a corporation organized under the Edge Act (12 U.S.C. Sec. 611-633); (c) subsidiaries, affiliates, service corporations of the persons in (a) and (b) of this subsection; (d) third-party service providers that provide servicing, processing, account maintenance, or security for the persons in (a), (b), and (c) of this subsection; or (e) any group, organization, or association consisting primarily of the persons in (a) through (c) of this subsection including, without limitation, the Washington bankers association, the American bankers association, and other associations of banks, savings institutions, and/or credit unions, whether inside or outside the state of Washington. However, a group or association in this subsection (4)(e) that obtains access to a fraud alert network may provide access to that network or to information received from that network only to persons described in (a) through (d) of this subsection.
     (5) "Fraud alert network" means a program established by and among financial institutions and/or merchants to prevent, detect, deter, and assist in the prosecution of financial crimes, including a program in which information is shared by means of electronic posting.
     (6) "Merchant" means a person engaged in the business of selling, leasing, or distributing goods or services and has an existing contractual relationship or contract with a financial institution and: (a) Has a physical presence in the state that consumers may patronize to make purchases of goods or services; (b) is physically located in the state and sells goods or services to residents of the state via the internet; or (c) is an association or cooperative organization of persons in (a) and (b) of this subsection.
     (7) "Participant" means a financial institution or merchant that participates in a fraud alert network.

NEW SECTION.  Sec. 3   (1) This chapter provides immunity from liability for financial institutions and merchants who participate in a fraud alert network and who comply with the provisions of this chapter and the standards of use set forth in this subsection as follows:
     (a) Access to the fraud alert network is private and limited to financial institutions, merchants, and law enforcement agencies;
     (b) The sole purpose of the fraud alert network is to share information among financial institutions, merchants, and law enforcement agencies to prevent, detect, deter, and assist in the prosecution of financial crimes;
     (c) Information furnished to the fraud alert network consists of: (i) Descriptions of recent actual or suspected financial crimes perpetrated against or coming to the attention of the participant furnishing the information; (ii) descriptions, photographs, images, reproductions, fingerprints, identifying features, traits, habits, background, or other data related to identifying the person, persons, or groups suspected of committing, aiding, or abetting financial crimes; (iii) identifying information regarding methods of operation, devices, tricks, or schemes used by persons suspected of financial crimes; (iv) descriptions, photographs, images, or reproductions of writings, communications, checks, and personal identification used in connection with suspected financial crimes; (v) descriptions, photographs, images, or reproductions of vehicles, license plates, weapons, devices, or other things used in connection with suspected financial crimes; (vi) cautionary statements regarding suspects, for example a statement that a suspect is armed and dangerous; and (vii) other information that allows participants to identify financial crimes, to identify persons suspected in connection with financial crimes, to assist in the apprehension of persons suspected of financial crimes, or to contact others for further information;
     (d) Information furnished to the fraud alert network may not consist of delinquent payment information, nor may it consist of other similar evidence of a person's credit history, except in the exceptional instance where such evidence is an integral part of information provided under (c) of this subsection and is reasonably believed to be related to a financial crime;
     (e) Information posted must be accessible only to designated employees, and the distribution of information is limited to those employees, attorneys, and agents of participants who have job-related duties relevant to the use of such information in connection with preventing, detecting, deterring, or assisting in the prosecution of financial crimes;
     (f) The fraud alert network has procedures reasonably calculated to ensure the security of the information obtained;
     (g) Users of the fraud alert network are informed that the information obtained from the fraud alert network may not be used to evaluate and make decisions about applications for loans, lines of credit, and credit cards;
     (h) Information furnished pursuant to the fraud alert network is limited to statements of fact that the person furnishing the information reasonably believes to be true. However, in exigent circumstances, information may be furnished without such reasonable belief if the circumstances creating an emergency are described, and cautionary advice is provided regarding the limited knowledge of the person furnishing the information; and
     (i) The fraud alert network has an operator that: (i) Employs procedures to promptly correct and erase information that the operator learns is erroneous or was submitted or posted to the fraud alert network not in compliance with this section; (ii) takes reasonable steps to limit access to the fraud alert network to financial institutions, merchants, and law enforcement agencies; and (iii) denies access to the fraud alert network to persons who are not financial institutions, merchants, or law enforcement agencies or who do not abide by the provisions of this chapter.
     (2) Washington law governs the operation of a fraud alert network. A participant or law enforcement agency that participates in a fraud alert network in accordance with subsection (1) of this section, whether through furnishing, posting, communicating, or using information in connection thereto, has immunity from civil liability under the laws of the state of Washington and its political subdivisions and, to the extent the conflicts of law rules of any other jurisdiction refer to the law of the state of Washington, under the laws and rules of such other jurisdiction and its political subdivisions. However, this immunity does not apply to statutory violations.
     (3) Any financial institution or merchant that makes a voluntary disclosure of any possible violation of law or regulation to a federal, state, or local government or agency in connection with information obtained from a fraud alert network is immune from civil liability for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of or identified in the disclosure, under the laws and rules of the state of Washington and its political subdivisions and, to the extent the conflicts of law rules of any other jurisdiction refer to the law of the state of Washington, under the laws and rules of such other jurisdiction and its political subdivisions, and under any contract or other legally enforceable agreement.

NEW SECTION.  Sec. 4   The immunity under section 3 of this act does not apply to any participant that:
     (1) Provides false information to the fraud alert network that the participant does not reasonably believe to be true. However, in exigent circumstances, information may be furnished without that reasonable belief if the circumstances creating an emergency are described, and cautionary advice is provided regarding the limited knowledge of the person furnishing the information;
     (2) Fails to maintain review procedures to remove or correct false, outdated, incomplete, or erroneous information furnished by it to the fraud alert network;
     (3) Fails to maintain procedures to ensure that information obtained from the fraud alert network is provided only to employees, attorneys, or agents who have job-related duties relevant to the use of such information;
     (4) Uses information obtained from the fraud alert network to evaluate and make decisions about applications for loans, lines of credit, and credit cards;
     (5) Uses information for a purpose other than preventing, detecting, deterring, and assisting in the prosecution of financial crimes;
     (6) Uses, reproduces, distributes, publishes, forwards, shares, sells, or communicates any information obtained from the fraud alert network for a commercial purpose, such as for advertising or marketing; or
     (7) Provides, sells, or resells access to the fraud alert network to a person who is not a participant.

NEW SECTION.  Sec. 5   (1) It is the intent of this chapter to encourage the sharing of information consistent with federal law.
     (2) It is intended that so long as the participants comply with this chapter, the provisions of the Washington fair credit reporting act, chapter 19.182 RCW, do not apply to the fraud alert network. However, if it is determined that the federal fair credit reporting act applies to a fraud alert network, the Washington fair credit reporting act also applies.

NEW SECTION.  Sec. 6   (1) The fraud alert network and its participants shall notify the public regarding the existence of the fraud alert network and how it functions. This notice must include a description of the purpose of the network, how the network shares information, the types of information furnished to the network, how consumer complaints may be registered, and the procedures available to an individual for the correction or removal of incomplete, inaccurate, or erroneous information.
     (2) The public notice required of the fraud alert network and its participants under subsection (1) of this section must, at a minimum, include:
     (a) A toll-free telephone number maintained by the network that may be called by individuals in order to obtain the information required under subsection (1) of this section;
     (b) An internet web site maintained by the network that provides the public with the information required under subsection (1) of this section;
     (c) Written pamphlets that are made conspicuously available at each place of business of a network participant, and that contain the information required under subsection (1) of this section as well as the toll-free telephone number and web site address maintained by the network; and
     (d) A conspicuously posted sign at each place of business of a network participant that notifies the public of the business's participation in the fraud alert network and that includes both the toll-free telephone number and web site address required under this section.
     (3) The fraud alert network may not begin operating until the public notice provisions required under this section are implemented.

NEW SECTION.  Sec. 7   (1) By January 1, 2007, and again by January 1, 2008, the organizing body representing participants in the fraud alert network shall provide a comprehensive written report to the house financial institutions and insurance committee and the senate committee on financial institutions, housing, and consumer protection regarding the implementation of this chapter.
     (2) The written report must include the following:
     (a) The number of participants in the network, including the name of each participating entity;
     (b) The standards or protocols established by the network to determine compliance on the part of a participant with this chapter;
     (c) A detailed description of the procedures that are adopted by the fraud alert network, as required under section 3 of this act, to ensure the security and accuracy of information furnished to the network, including procedures for the removal or correction of incomplete or erroneous information furnished to the network;
     (d) A detailed description of the procedures adopted by the network by which an individual who has been reported to the network, or who is the subject of any information furnished to the network, may correct or remove inaccurate, incomplete, or erroneous information;
     (e) An accounting of how many actions the network has taken in the preceding year to correct or remove incomplete or erroneous information from the network, including how many actions were the result of a request or complaint from an individual whose information has been entered into the network;
     (f) The number of complaints about the fraud alert network received by each participant in the network, including a description of each complaint and what actions, either on the part of the network participant or the complainant, resulted from each complaint;
     (g) A description of any adverse action taken by the fraud alert network against a network participant resulting from noncompliance with the standards and procedures established by the network as a condition of participation in the network; and
     (h) The disclosure of the number of individuals whose names have been placed in the network data base for suspected financial crimes and a description of the type of alleged illegal activity that led to the individuals being placed in the network data base.

NEW SECTION.  Sec. 8   This chapter shall be construed to encourage the sharing of information by financial institutions, merchants, and law enforcement for the prevention and prosecution of financial fraud.

NEW SECTION.  Sec. 9   This chapter may be known and cited as the financial fraud alert act.

NEW SECTION.  Sec. 10   If any part of sections 1 through 9 of this act is found to be in conflict with federal requirements that are a prescribed condition to the allocation of federal funds to the state, the conflicting part of this act is inoperative solely to the extent of the conflict and with respect to the agencies directly affected, and this finding does not affect the operation of the remainder of this act in its application to the agencies concerned.

NEW SECTION.  Sec. 11   Sections 1 through 10 of this act constitute a new chapter in Title 30 RCW.

Sec. 12   RCW 19.182.170 and 2005 c 342 s 1 are each amended to read as follows:
     (1) ((A victim of identity theft who has submitted a valid police report to a consumer reporting agency)) Except under this section, a consumer may elect to place a security freeze on his or her report by making a request in writing by certified mail to a consumer reporting agency. "Security freeze" means a notice placed in a consumer's credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer. If a security freeze is in place, information from a consumer's credit report may not be released to a third party without prior express authorization from the consumer. This subsection does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.
     (2) For purposes of this section and RCW 19.182.180 through 19.182.210, a "victim of identity theft" means:
     (a) A victim of identity theft as defined in RCW 9.35.020; or
     (b) A person who has been notified by an agency, person, or business that owns or licenses computerized data of a breach in a computerized data system which has resulted in the acquisition of that person's unencrypted personal information by an unauthorized person or entity.
     (3) A consumer reporting agency shall place a security freeze on a consumer's credit report no later than five business days
after receiving a written request from the consumer.
     (4) The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within ten business days and shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit report for a specific party or period of time.
     (5) If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer reporting agency, request that the freeze be temporarily lifted, and provide the following:
     (a) Proper identification, which means that information generally deemed sufficient to identify a person. Only if the consumer is unable to sufficiently identify himself or herself, may a consumer reporting agency require additional information concerning the consumer's employment and personal or family history in order to verify his or her identity;
     (b) The unique personal identification number or password provided by the credit reporting agency under subsection (4) of this section; and
     (c) The proper information regarding the third party who is to receive the credit report or the time period for which the report is available to users of the credit report.
     (6) A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report under subsection (5) of this section((,)) shall comply with the request no later than three business days after receiving the request.
     (7) A consumer reporting agency may develop procedures involving the use of telephone, fax, the internet, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report under subsection (5) of this section in an expedited manner.
     (8) A consumer reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only in the following cases:
     (a) Upon consumer request, under subsection (5) or (11) of this section; or
     (b) When the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer. When a consumer reporting agency intends to remove a freeze upon a consumer's credit report under this subsection, the consumer reporting agency shall notify the consumer in writing prior to removing the freeze on the consumer's credit report.
     (9) When a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.
     (10) When a consumer requests a security freeze, the consumer reporting agency shall disclose the process of placing and temporarily lifting a freeze, and the process for allowing access to information from the consumer's credit report for a specific party or period of time while the freeze is in place.
     (11) A security freeze remains in place until the consumer requests that the security freeze be removed or the security freeze expires.
     (a) A consumer reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both of the following:
     (((a))) (i) Proper identification, as defined in subsection (5)(a) of this section; and
     (((b))) (ii) The unique personal identification number or password provided by the consumer reporting agency under subsection (4) of this section.
     (b) A security freeze expires two years after the date it is put in place by the consumer reporting agency unless the consumer is a member of the national guard on active duty or the United States military on active duty.
     (12)(a) A consumer reporting agency may not charge a victim of identity theft a fee to place or remove a security freeze.
     (b) A consumer reporting agency may charge a reasonable fee, not to exceed ten dollars, to consumers that are not victims of identity theft and are sixty-five years or older.
     (c) A consumer reporting agency may charge a reasonable fee, not to exceed twenty-five dollars, to consumers that are not victims of identity theft and are less than sixty-five years of age.
     (13)
This section does not apply to the use of a consumer credit report by any of the following:
     (a) A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument. For purposes of this subsection, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements;
     (b) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subsection (5) of this section for purposes of facilitating the extension of credit or other permissible use;
     (c) Any federal, state, or local entity, including a law enforcement agency, court, or their agents or assigns;
     (d) A private collection agency acting under a court order, warrant, or subpoena;
     (e) A child support agency acting under Title IV-D of the social security act (42 U.S.C. et seq.);
     (f) The department of social and health services acting to fulfill any of its statutory responsibilities;
     (g) The internal revenue service acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;
     (h) The use of credit information for the purposes of prescreening as provided for by the federal fair credit reporting act;
     (i) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed; ((and))
     (j) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request;
     (k) An insurance company authorized to do business in Washington state;
     (l) A mortgage broker licensed and regulated by the department of financial institutions; and
     (m) A vehicle dealer as defined in RCW 46.70.011.
     (14) A consumer reporting agency is not required to place more than ten thousand security freezes at any one time. If a consumer reporting agency does not place a security freeze because the ten thousand maximum is met, the consumer reporting agency must place the consumer on a list based on when the request for a security freeze was received by the consumer reporting agency. The first name on the list is the consumer whose request was received first. When a security freeze is removed or expires, the consumer reporting agency must place a freeze on the credit report of the consumer who is first on the list. A consumer who is a member of the national guard on active duty or the United States military on active duty does not count toward the total number of security freezes.
     (15) For the purpose of this section, "active duty" means deployed outside the United States
.

Sec. 13   RCW 28A.300.460 and 2004 c 247 s 5 are each amended to read as follows:
     The task of the financial literacy public-private partnership is to seek out and determine the best methods of equipping students with the knowledge and skills they need, before they become self-supporting, in order for them to make critical decisions regarding their personal finances. The components of personal financial literacy examined shall include, at a minimum, consumer financial education, personal finance, strategies to safeguard personal information and to recover from identity theft, and personal credit. The partnership shall identify the types of outcome measures expected from participating students, in accordance with the definitions and outcomes developed under RCW 28A.300.455.

NEW SECTION.  Sec. 14   (1) The sum of twenty-five thousand dollars, or as much thereof as may be necessary, is appropriated for the fiscal year ending June 30, 2007, from the general fund to the Washington financial literacy public-private partnership account for the purposes of RCW 28A.300.465.
     (2) The sum of twenty-five thousand dollars, or as much thereof as may be necessary, is appropriated for the fiscal year ending June 30, 2008, from the general fund to the Washington financial literacy public-private partnership account for the purposes of RCW 28A.300.465.
     (3) The amounts in this section are provided solely for the purposes of RCW 28A.300.465. The superintendent of public instruction or the superintendent's designee may authorize expenditure of the amounts provided in this section when equal matching amounts from nonstate sources are received in the Washington financial literacy public-private partnership account.

NEW SECTION.  Sec. 15   A new section is added to chapter 43.10 RCW to read as follows:
     (1) The attorney general shall develop a grant program to provide funding for persons and organizations that provide:
     (a) Education to aid seniors in preventing identity theft;
     (b) Assistance to aid seniors in recovering from identity theft;
     (c) Education to aid persons with a developmental disability and their legal representatives in preventing the theft of the identity of persons with a developmental disability;
     (d) Assistance to aid persons with a developmental disability and their legal representatives in recovering from the identity theft of the identity of persons with a developmental disability; or
     (e) Any combination of the above.
     (2) The attorney general shall make an annual report regarding the development and the implementation of the grant program to the legislature by December 1st. The first report is due December 1, 2007.

NEW SECTION.  Sec. 16   The sum of one million five hundred thousand dollars, or as much thereof as may be necessary, is appropriated for the fiscal year ending June 30, 2007, from the general fund to the attorney general for the purposes of section 15 of this act.

--- END ---