BILL REQ. #: H-4098.2
State of Washington | 59th Legislature | 2006 Regular Session
Read first time 01/18/2006. Referred to Committee on Financial Institutions & Insurance.
AN ACT Relating to identity theft; amending RCW 19.182.170 and 28A.300.460; adding a new section to chapter 43.10 RCW; adding a new chapter to Title 30 RCW; and making appropriations.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION. Sec. 1 The legislature finds that financial fraud
and crimes against financial institutions and merchants are increasing
exponentially in Washington state. Until recently, these crimes cost
businesses and consumers thousands of dollars in losses. They now cost
millions of dollars. The legislature further finds that noncredit
losses to financial institutions, and credit card, debit card, and
check fraud against merchants impose danger to consumers and their
financial privacy, and burden law enforcement and public prosecutors
with crimes that are difficult to detect and prosecute. The growth in
financial fraud also provides opportunities for organized crime and
terrorist organizations, and undermines the stability and reliability
of financial and other businesses upon which commerce and the economy
rely.
The legislature intends to enable financial institutions and
merchants, to the extent permitted by federal law, to exchange
information to prevent, detect, deter, and assist in the prosecution of
financial fraud, bank robbery, money laundering, identity theft, and
other financial crimes.
NEW SECTION. Sec. 2 The definitions in this section apply
throughout this chapter unless the context clearly requires otherwise.
(1) "Designated employees" means security personnel of a financial
institution or merchant designated by it to participate in a fraud
alert network.
(2) "Electronic posting" means the use of a web site or other form
of electronic communication used to display information gathered in
connection with a fraud alert network.
(3) "Financial crimes" means any act, including any anticipatory or
completed offense, committed for financial gain, that is chargeable or
indictable, regardless of whether the act is actually charged or
indicted, as a violation of a state or federal criminal law prohibiting
false representation, frauds and swindles in violation of chapter 9.45
RCW, forgery, obtaining a signature by deception or duress, criminal
impersonation, false certification, unlawful issuance of checks,
drafts, funds transfers and payment instructions, identity theft,
improperly obtaining financial information, robbery, bank robbery,
theft, scams, tax evasion, embezzlement, money laundering, use of
proceeds of criminal profiteering, false representation concerning
credit, false statement by deposit account applicant, false
representation concerning title, forgery of a digital signature or
other violation of RCW 9.38.060, burglary when it involves entering the
premises of a financial institution or retail establishment, unlawful
possession of payment instruments, unlawful production of payment
instruments, unlawful possession of a personal identification device,
unlawful possession of fictitious identification, unlawful possession
of instruments of financial fraud, possession of another's
identification, display or possession of a fraudulently issued driver's
license or identicard, display or representation as one's own the
driver's license or identicard of another person, unlawful factoring of
a credit card or payment card transaction, or other state or federal
law prohibiting a financial-related crime.
(4) "Financial institution" means: (a) Any person doing business
under the laws of any state or the United States relating to commercial
banks, bank holding companies, financial holding companies, savings
banks, savings and loan associations, trust companies, or credit
unions; (b) any office of an international banking corporation, branch
of a foreign bank, or corporation organized pursuant to the Bank
Service Corporation Act (12 U.S.C. Sec. 1861-1867) or a corporation
organized under the Edge Act (12 U.S.C. Sec. 611-633); (c)
subsidiaries, affiliates, service corporations of the persons in (a)
and (b) of this subsection; (d) third-party service providers that
provide servicing, processing, account maintenance, or security for the
persons in (a), (b), and (c) of this subsection; or (e) any group,
organization, or association consisting primarily of the persons in (a)
through (c) of this subsection including, without limitation, the
Washington bankers association, the American bankers association, and
other associations of banks, savings institutions, and/or credit
unions, whether inside or outside the state of Washington. However, a
group or association in this subsection (4)(e) that obtains access to
a fraud alert network may provide access to that network or to
information received from that network only to persons described in (a)
through (d) of this subsection.
(5) "Fraud alert network" means a program established by and among
financial institutions and/or merchants to prevent, detect, deter, and
assist in the prosecution of financial crimes, including a program in
which information is shared by means of electronic posting.
(6) "Merchant" means a person engaged in the business of selling,
leasing, or distributing goods or services and has an existing
contractual relationship or contract with a financial institution and:
(a) Has a physical presence in the state that consumers may patronize
to make purchases of goods or services; (b) is physically located in
the state and sells goods or services to residents of the state via the
internet; or (c) is an association or cooperative organization of
persons in (a) and (b) of this subsection.
(7) "Participant" means a financial institution or merchant that
participates in a fraud alert network.
NEW SECTION. Sec. 3 (1) This chapter provides immunity from
liability for financial institutions and merchants who participate in
a fraud alert network and who comply with the provisions of this
chapter and the standards of use set forth in this subsection as
follows:
(a) Access to the fraud alert network is private and limited to
financial institutions, merchants, and law enforcement agencies;
(b) The sole purpose of the fraud alert network is to share
information among financial institutions, merchants, and law
enforcement agencies to prevent, detect, deter, and assist in the
prosecution of financial crimes;
(c) Information furnished to the fraud alert network consists of:
(i) Descriptions of recent actual or suspected financial crimes
perpetrated against or coming to the attention of the participant
furnishing the information; (ii) descriptions, photographs, images,
reproductions, fingerprints, identifying features, traits, habits,
background, or other data related to identifying the person, persons,
or groups suspected of committing, aiding, or abetting financial
crimes; (iii) identifying information regarding methods of operation,
devices, tricks, or schemes used by persons suspected of financial
crimes; (iv) descriptions, photographs, images, or reproductions of
writings, communications, checks, and personal identification used in
connection with suspected financial crimes; (v) descriptions,
photographs, images, or reproductions of vehicles, license plates,
weapons, devices, or other things used in connection with suspected
financial crimes; (vi) cautionary statements regarding suspects, for
example a statement that a suspect is armed and dangerous; and (vii)
other information that allows participants to identify financial
crimes, to identify persons suspected in connection with financial
crimes, to assist in the apprehension of persons suspected of financial
crimes, or to contact others for further information;
(d) Information furnished to the fraud alert network may not
consist of delinquent payment information, nor may it consist of other
similar evidence of a person's credit history, except in the
exceptional instance where such evidence is an integral part of
information provided under (c) of this subsection and is reasonably
believed to be related to a financial crime;
(e) Information posted must be accessible only to designated
employees, and the distribution of information is limited to those
employees, attorneys, and agents of participants who have job-related
duties relevant to the use of such information in connection with
preventing, detecting, deterring, or assisting in the prosecution of
financial crimes;
(f) The fraud alert network has procedures reasonably calculated to
ensure the security of the information obtained;
(g) Users of the fraud alert network are informed that the
information obtained from the fraud alert network may not be used to
evaluate and make decisions about applications for loans, lines of
credit, and credit cards;
(h) Information furnished pursuant to the fraud alert network is
limited to statements of fact that the person furnishing the
information reasonably believes to be true. However, in exigent
circumstances, information may be furnished without such reasonable
belief if the circumstances creating an emergency are described, and
cautionary advice is provided regarding the limited knowledge of the
person furnishing the information; and
(i) The fraud alert network has an operator that: (i) Employs
procedures to promptly correct and erase information that the operator
learns is erroneous or was submitted or posted to the fraud alert
network not in compliance with this section; (ii) takes reasonable
steps to limit access to the fraud alert network to financial
institutions, merchants, and law enforcement agencies; and (iii) denies
access to the fraud alert network to persons who are not financial
institutions, merchants, or law enforcement agencies or who do not
abide by the provisions of this chapter.
(2) Washington law governs the operation of a fraud alert network.
A participant or law enforcement agency that participates in a fraud
alert network in accordance with subsection (1) of this section,
whether through furnishing, posting, communicating, or using
information in connection thereto, has immunity from civil liability
under the laws of the state of Washington and its political
subdivisions and, to the extent the conflicts of law rules of any other
jurisdiction refer to the law of the state of Washington, under the
laws and rules of such other jurisdiction and its political
subdivisions. However, this immunity does not apply to statutory
violations.
(3) Any financial institution or merchant that makes a voluntary
disclosure of any possible violation of law or regulation to a federal,
state, or local government or agency in connection with information
obtained from a fraud alert network is immune from civil liability for
such disclosure or for any failure to provide notice of such disclosure
to the person who is the subject of or identified in the disclosure,
under the laws and rules of the state of Washington and its political
subdivisions and, to the extent the conflicts of law rules of any other
jurisdiction refer to the law of the state of Washington, under the
laws and rules of such other jurisdiction and its political
subdivisions, and under any contract or other legally enforceable
agreement.
NEW SECTION. Sec. 4 The immunity under section 3 of this act
does not apply to any participant that:
(1) Provides false information to the fraud alert network that the
participant does not reasonably believe to be true. However, in
exigent circumstances, information may be furnished without that
reasonable belief if the circumstances creating an emergency are
described, and cautionary advice is provided regarding the limited
knowledge of the person furnishing the information;
(2) Fails to maintain review procedures to remove or correct false,
outdated, incomplete, or erroneous information furnished by it to the
fraud alert network;
(3) Fails to maintain procedures to ensure that information
obtained from the fraud alert network is provided only to employees,
attorneys, or agents who have job-related duties relevant to the use of
such information;
(4) Uses information obtained from the fraud alert network to
evaluate and make decisions about applications for loans, lines of
credit, and credit cards;
(5) Uses information for a purpose other than preventing,
detecting, deterring, and assisting in the prosecution of financial
crimes;
(6) Uses, reproduces, distributes, publishes, forwards, shares,
sells, or communicates any information obtained from the fraud alert
network for a commercial purpose, such as for advertising or marketing;
or
(7) Provides, sells, or resells access to the fraud alert network
to a person who is not a participant.
NEW SECTION. Sec. 5 (1) It is the intent of this chapter to
encourage the sharing of information consistent with federal law.
(2) It is intended that so long as the participants comply with
this chapter, the provisions of the Washington fair credit reporting
act, chapter 19.182 RCW, do not apply to the fraud alert network.
However, if it is determined that the federal fair credit reporting act
applies to a fraud alert network, the Washington fair credit reporting
act also applies.
NEW SECTION. Sec. 6 (1) The fraud alert network and its
participants shall notify the public regarding the existence of the
fraud alert network and how it functions. This notice must include a
description of the purpose of the network, how the network shares
information, the types of information furnished to the network, how
consumer complaints may be registered, and the procedures available to
an individual for the correction or removal of incomplete, inaccurate,
or erroneous information.
(2) The public notice required of the fraud alert network and its
participants under subsection (1) of this section must, at a minimum,
include:
(a) A toll-free telephone number maintained by the network that may
be called by individuals in order to obtain the information required
under subsection (1) of this section;
(b) An internet web site maintained by the network that provides
the public with the information required under subsection (1) of this
section;
(c) Written pamphlets that are made conspicuously available at each
place of business of a network participant, and that contain the
information required under subsection (1) of this section as well as
the toll-free telephone number and web site address maintained by the
network; and
(d) A conspicuously posted sign at each place of business of a
network participant that notifies the public of the business's
participation in the fraud alert network and that includes both the
toll-free telephone number and web site address required under this
section.
(3) The fraud alert network may not begin operating until the
public notice provisions required under this section are implemented.
NEW SECTION. Sec. 7 (1) By January 1, 2007, and again by January
1, 2008, the organizing body representing participants in the fraud
alert network shall provide a comprehensive written report to the house
financial institutions and insurance committee and the senate committee
on financial institutions, housing, and consumer protection regarding
the implementation of this chapter.
(2) The written report must include the following:
(a) The number of participants in the network, including the name
of each participating entity;
(b) The standards or protocols established by the network to
determine compliance on the part of a participant with this chapter;
(c) A detailed description of the procedures that are adopted by
the fraud alert network, as required under section 3 of this act, to
ensure the security and accuracy of information furnished to the
network, including procedures for the removal or correction of
incomplete or erroneous information furnished to the network;
(d) A detailed description of the procedures adopted by the network
by which an individual who has been reported to the network, or who is
the subject of any information furnished to the network, may correct or
remove inaccurate, incomplete, or erroneous information;
(e) An accounting of how many actions the network has taken in the
preceding year to correct or remove incomplete or erroneous information
from the network, including how many actions were the result of a
request or complaint from an individual whose information has been
entered into the network;
(f) The number of complaints about the fraud alert network received
by each participant in the network, including a description of each
complaint and what actions, either on the part of the network
participant or the complainant, resulted from each complaint;
(g) A description of any adverse action taken by the fraud alert
network against a network participant resulting from noncompliance with
the standards and procedures established by the network as a condition
of participation in the network; and
(h) The disclosure of the number of individuals whose names have
been placed in the network data base for suspected financial crimes and
a description of the type of alleged illegal activity that led to the
individuals being placed in the network data base.
NEW SECTION. Sec. 8 This chapter shall be construed to encourage
the sharing of information by financial institutions, merchants, and
law enforcement for the prevention and prosecution of financial fraud.
NEW SECTION. Sec. 9 This chapter may be known and cited as the
financial fraud alert act.
NEW SECTION. Sec. 10 If any part of sections 1 through 9 of this
act is found to be in conflict with federal requirements that are a
prescribed condition to the allocation of federal funds to the state,
the conflicting part of this act is inoperative solely to the extent of
the conflict and with respect to the agencies directly affected, and
this finding does not affect the operation of the remainder of this act
in its application to the agencies concerned.
NEW SECTION. Sec. 11 Sections 1 through 10 of this act
constitute a new chapter in Title
Sec. 12 RCW 19.182.170 and 2005 c 342 s 1 are each amended to
read as follows:
(1) ((A victim of identity theft who has submitted a valid police
report to a consumer reporting agency)) Except under this section, a
consumer may elect to place a security freeze on his or her report by
making a request in writing by certified mail to a consumer reporting
agency. "Security freeze" means a notice placed in a consumer's credit
report, at the request of the consumer and subject to certain
exceptions, that prohibits the consumer reporting agency from releasing
the consumer's credit report or any information from it without the
express authorization of the consumer. If a security freeze is in
place, information from a consumer's credit report may not be released
to a third party without prior express authorization from the consumer.
This subsection does not prevent a consumer reporting agency from
advising a third party that a security freeze is in effect with respect
to the consumer's credit report.
(2) For purposes of this section and RCW 19.182.180 through
19.182.210, a "victim of identity theft" means:
(a) A victim of identity theft as defined in RCW 9.35.020; or
(b) A person who has been notified by an agency, person, or
business that owns or licenses computerized data of a breach in a
computerized data system which has resulted in the acquisition of that
person's unencrypted personal information by an unauthorized person or
entity.
(3) A consumer reporting agency shall place a security freeze on a
consumer's credit report no later than five business days
after receiving a written request from the consumer.
(4) The consumer reporting agency shall send a written confirmation
of the security freeze to the consumer within ten business days and
shall provide the consumer with a unique personal identification number
or password to be used by the consumer when providing authorization for
the release of his or her credit report for a specific party or period
of time.
(5) If the consumer wishes to allow his or her credit report to be
accessed for a specific party or period of time while a freeze is in
place, he or she shall contact the consumer reporting agency, request
that the freeze be temporarily lifted, and provide the following:
(a) Proper identification, which means that information generally
deemed sufficient to identify a person. Only if the consumer is unable
to sufficiently identify himself or herself, may a consumer reporting
agency require additional information concerning the consumer's
employment and personal or family history in order to verify his or her
identity;
(b) The unique personal identification number or password provided
by the credit reporting agency under subsection (4) of this section;
and
(c) The proper information regarding the third party who is to
receive the credit report or the time period for which the report is
available to users of the credit report.
(6) A consumer reporting agency that receives a request from a
consumer to temporarily lift a freeze on a credit report under
subsection (5) of this section((,)) shall comply with the request no
later than three business days after receiving the request.
(7) A consumer reporting agency may develop procedures involving
the use of telephone, fax, the internet, or other electronic media to
receive and process a request from a consumer to temporarily lift a
freeze on a credit report under subsection (5) of this section in an
expedited manner.
(8) A consumer reporting agency shall remove or temporarily lift a
freeze placed on a consumer's credit report only in the following
cases:
(a) Upon consumer request, under subsection (5) or (11) of this
section; or
(b) When the consumer's credit report was frozen due to a material
misrepresentation of fact by the consumer. When a consumer reporting
agency intends to remove a freeze upon a consumer's credit report under
this subsection, the consumer reporting agency shall notify the
consumer in writing prior to removing the freeze on the consumer's
credit report.
(9) When a third party requests access to a consumer credit report
on which a security freeze is in effect, and this request is in
connection with an application for credit or any other use, and the
consumer does not allow his or her credit report to be accessed for
that specific party or period of time, the third party may treat the
application as incomplete.
(10) When a consumer requests a security freeze, the consumer
reporting agency shall disclose the process of placing and temporarily
lifting a freeze, and the process for allowing access to information
from the consumer's credit report for a specific party or period of
time while the freeze is in place.
(11) A security freeze remains in place until the consumer requests
that the security freeze be removed or the security freeze expires.
(a) A consumer reporting agency shall remove a security freeze
within three business days of receiving a request for removal from the
consumer, who provides both of the following:
(((a))) (i) Proper identification, as defined in subsection (5)(a)
of this section; and
(((b))) (ii) The unique personal identification number or password
provided by the consumer reporting agency under subsection (4) of this
section.
(b) A security freeze expires two years after the date it is put in
place by the consumer reporting agency unless the consumer is a member
of the national guard on active duty or the United States military on
active duty.
(12)(a) A consumer reporting agency may not charge a victim of
identity theft a fee to place or remove a security freeze.
(b) A consumer reporting agency may charge a reasonable fee, not to
exceed ten dollars, to consumers that are not victims of identity theft
and are sixty-five years or older.
(c) A consumer reporting agency may charge a reasonable fee, not to
exceed twenty-five dollars, to consumers that are not victims of
identity theft and are less than sixty-five years of age.
(13) This section does not apply to the use of a consumer credit
report by any of the following:
(a) A person or entity, or a subsidiary, affiliate, or agent of
that person or entity, or an assignee of a financial obligation owing
by the consumer to that person or entity, or a prospective assignee of
a financial obligation owing by the consumer to that person or entity
in conjunction with the proposed purchase of the financial obligation,
with which the consumer has or had prior to assignment an account or
contract, including a demand deposit account, or to whom the consumer
issued a negotiable instrument, for the purposes of reviewing the
account or collecting the financial obligation owing for the account,
contract, or negotiable instrument. For purposes of this subsection,
"reviewing the account" includes activities related to account
maintenance, monitoring, credit line increases, and account upgrades
and enhancements;
(b) A subsidiary, affiliate, agent, assignee, or prospective
assignee of a person to whom access has been granted under subsection
(5) of this section for purposes of facilitating the extension of
credit or other permissible use;
(c) Any federal, state, or local entity, including a law
enforcement agency, court, or their agents or assigns;
(d) A private collection agency acting under a court order,
warrant, or subpoena;
(e) A child support agency acting under Title IV-D of the social
security act (42 U.S.C. et seq.);
(f) The department of social and health services acting to fulfill
any of its statutory responsibilities;
(g) The internal revenue service acting to investigate or collect
delinquent taxes or unpaid court orders or to fulfill any of its other
statutory responsibilities;
(h) The use of credit information for the purposes of prescreening
as provided for by the federal fair credit reporting act;
(i) Any person or entity administering a credit file monitoring
subscription service to which the consumer has subscribed; ((and))
(j) Any person or entity for the purpose of providing a consumer
with a copy of his or her credit report upon the consumer's request;
(k) An insurance company authorized to do business in Washington
state;
(l) A mortgage broker licensed and regulated by the department of
financial institutions; and
(m) A vehicle dealer as defined in RCW 46.70.011.
(14) A consumer reporting agency is not required to place more than
ten thousand security freezes at any one time. If a consumer reporting
agency does not place a security freeze because the ten thousand
maximum is met, the consumer reporting agency must place the consumer
on a list based on when the request for a security freeze was received
by the consumer reporting agency. The first name on the list is the
consumer whose request was received first. When a security freeze is
removed or expires, the consumer reporting agency must place a freeze
on the credit report of the consumer who is first on the list. A
consumer who is a member of the national guard on active duty or the
United States military on active duty does not count toward the total
number of security freezes.
(15) For the purpose of this section, "active duty" means deployed
outside the United States.
Sec. 13 RCW 28A.300.460 and 2004 c 247 s 5 are each amended to
read as follows:
The task of the financial literacy public-private partnership is to
seek out and determine the best methods of equipping students with the
knowledge and skills they need, before they become self-supporting, in
order for them to make critical decisions regarding their personal
finances. The components of personal financial literacy examined shall
include, at a minimum, consumer financial education, personal finance,
strategies to safeguard personal information and to recover from
identity theft, and personal credit. The partnership shall identify
the types of outcome measures expected from participating students, in
accordance with the definitions and outcomes developed under RCW
28A.300.455.
NEW SECTION. Sec. 14 (1) The sum of twenty-five thousand
dollars, or as much thereof as may be necessary, is appropriated for
the fiscal year ending June 30, 2007, from the general fund to the
Washington financial literacy public-private partnership account for
the purposes of RCW 28A.300.465.
(2) The sum of twenty-five thousand dollars, or as much thereof as
may be necessary, is appropriated for the fiscal year ending June 30,
2008, from the general fund to the Washington financial literacy
public-private partnership account for the purposes of RCW 28A.300.465.
(3) The amounts in this section are provided solely for the
purposes of RCW 28A.300.465. The superintendent of public instruction
or the superintendent's designee may authorize expenditure of the
amounts provided in this section when equal matching amounts from
nonstate sources are received in the Washington financial literacy
public-private partnership account.
NEW SECTION. Sec. 15 A new section is added to chapter 43.10 RCW
to read as follows:
(1) The attorney general shall develop a grant program to provide
funding for persons and organizations that provide:
(a) Education to aid seniors in preventing identity theft;
(b) Assistance to aid seniors in recovering from identity theft;
(c) Education to aid persons with a developmental disability and
their legal representatives in preventing the theft of the identity of
persons with a developmental disability;
(d) Assistance to aid persons with a developmental disability and
their legal representatives in recovering from the identity theft of
the identity of persons with a developmental disability; or
(e) Any combination of the above.
(2) The attorney general shall make an annual report regarding the
development and the implementation of the grant program to the
legislature by December 1st. The first report is due December 1, 2007.
NEW SECTION. Sec. 16 The sum of one million five hundred
thousand dollars, or as much thereof as may be necessary, is
appropriated for the fiscal year ending June 30, 2007, from the general
fund to the attorney general for the purposes of section 15 of this
act.