SENATE, No. 2665

 

STATE OF NEW JERSEY

 

211th LEGISLATURE

 

INTRODUCED JUNE 20, 2005

 

 

Sponsored by:

Senator LEONARD T. CONNORS, JR.

District 9 (Atlantic, Burlington and Ocean)

 

 

 

 

SYNOPSIS

    "Identity Theft Prevention Act."

 

CURRENT VERSION OF TEXT

    As introduced.

 


An Act concerning identity theft, amending and supplementing P.L.1997, c.172 and supplementing Title 2C of the New Jersey Statutes and Title 56 of the Revised Statutes.

 

    Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

    1. (New section) This act may be known and shall be cited as the "Identity Theft Protection Act."

 

    2. (New section) a. A person who has learned or reasonably suspects that he has been the victim of identity theft in violation of N.J.S.2C:21-1, section 1 of P.L.1983, c.565 (C.2C:21-2.1) or N.J.S.2C:21-17 may contact the local law enforcement agency that has jurisdiction over his actual residence, which shall take a police report of the matter, and provide the complainant with a copy of that report. Notwithstanding the fact that jurisdiction may lie elsewhere for investigation and prosecution of a crime of identity theft, the local law enforcement agency shall take the complaint and provide the complainant with a copy of the complaint and may refer the complaint to a law enforcement agency in that different jurisdiction.

    b. Nothing in this section interferes with the discretion of a local law enforcement agency to allocate resources for investigations of crimes. A complaint filed under this section is not required to be counted as an open case for purposes such as compiling open case statistics.

 

    3. (New section) a. A person who reasonably believes that he is the victim of identity theft in violation of N.J.S.2C:21-1, section 1 of P.L.1983, c.565 (C.2C:21-2.1) or N.J.S.2C:21-17 may petition a court, or the court, on its own motion or upon application of the prosecuting attorney, may move for an expedited judicial determination of his factual innocence, where a defendant was charged with, arrested for or convicted of a crime under the victim's identity, or where a criminal complaint has been filed against a defendant in the victim's name, or where the victim's identity has been mistakenly associated with a record of criminal conviction. Any judicial determination of factual innocence made pursuant to this section may be heard and determined upon declarations, affidavits, police reports, or other material, relevant and reliable information submitted by the parties or ordered to be part of the record by the court. Where the court determines that the petition or motion is meritorious and that there is no reasonable cause to believe that the victim committed the offense for which a defendant was arrested, charged, convicted, or subject to a criminal complaint in the victim's name, or that the victim's identity has been mistakenly associated with a record of criminal conviction, the court shall find the victim factually innocent of that offense. If the victim is found factually innocent, the court shall issue an order certifying this determination.

    b. After a court has issued a determination of factual innocence pursuant to this section, the court may order the name and associated personal identifying information contained in court records, files, and indexes accessible by the public deleted, sealed, or labeled to show that the data is impersonated and does not reflect the defendant's identity.

    c. Upon making a determination of factual innocence, the court must provide the victim written documentation of such order.

    d. A court that has issued a determination of factual innocence pursuant to this section may at any time vacate that determination if the petition, or any information submitted in support of the petition, is found to contain any material misrepresentation or fraud.

    e. The Administrative Office of the Courts shall develop a form for use in issuing an order pursuant to this section.

    f. The Administrative Office of the Courts shall establish and maintain a data base of persons who have been victims of identity theft and that have received determinations of factual innocence. The Administrative Office of the Courts shall provide a victim of identity theft or his authorized representative access to the data base in order to establish that the person has been a victim of identity theft. Access to the data base shall be limited to criminal justice agencies, victims of identity theft, and any other persons and agencies authorized by the victims.

    g. The Administrative Office of the Courts shall establish and maintain a toll-free number to provide access to information under subsection f. of this section.

    h. In order for a victim of identity theft to be included in the data base established pursuant to subsection f. of this section, he shall submit to the Administrative Office of the Courts a court order, a full set of fingerprints and any other information prescribed by the Administrative Office of the Courts.

    i. Upon receiving information pursuant to subsection h. of this section, the Administrative Office of the Courts shall verify the identity of the victim against any driver's license or other identification record maintained by the New Jersey Motor Vehicle Commission.

 

    4. Section 3 of P.L.1997, c.172 (C.56:11-30) is amended to read as follows:

    3. As used in this act:

    "Adverse action" has the same meaning as in subsection (k) of section 603 of the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681a.

    "Consumer" means an individual.

    "Consumer report" (1) means any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for:

    (a) credit or insurance to be used primarily for personal, family or household purposes;

    (b) employment purposes; or

    (c) any other purpose authorized under section 4 of this act.

    (2) The term "consumer report" does not include:

    (a) any:

    (i) report containing information solely on transactions or experiences between the consumer and the person making the report;

    (ii) communication of that information among persons related by common ownership or affiliated by corporate control; or

    (iii) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among those persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that the information not be communicated among those persons;

    (b) any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;

    (c) any report in which a person, who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer, conveys his decision with respect to that request, if the third party advises the consumer of the name and address of the person to whom the request was made, and the person makes the disclosures to the consumer required under 15 U.S.C. s.1681m; or

    (d) communication excluded from the definition of consumer report pursuant to subsection (o) of section 603 of the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681a.

    "Consumer reporting agency" means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages, in whole or in part, in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility for the purpose of preparing or furnishing consumer reports.

    "Credit header information" means written, oral or other communication of any information by a consumer reporting agency regarding the Social Security number of the consumer, or any derivative thereof, and any other personally identifiable information of the consumer, except the name, address and telephone number of the consumer if all are listed in a residential telephone directory available in the locality of the consumer.

    "Director" means the Director of the Division of Consumer Affairs in the Department of Law and Public Safety.

    "Division" means the Division of Consumer Affairs in the Department of Law and Public Safety.

    "Employment purposes" means, when used in connection with a consumer report, a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.

    "File" means, when used in connection with information on any consumer, all of the information on that consumer recorded and retained by a consumer reporting agency regardless of how the information is stored.

    "Investigative consumer report" means a consumer report or a portion thereof in which information on a consumer's character, general reputation, personal characteristics or mode of living is obtained through personal interviews with neighbors, friends or associates of the consumer who is the subject of the report or with others with whom the consumer is acquainted or who may have knowledge concerning any of those items of information. However, this information shall not include specific factual information on a consumer's credit record obtained directly from a creditor of the consumer or from a consumer reporting agency when the information was obtained directly from a creditor of the consumer or from the consumer.

    "Medical information" means information or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics, or other medical or medically related facilities.

    "Security freeze" means a notice placed in a consumer's consumer report, at the request of the consumer, that prohibits the consumer reporting agency from releasing the report or any information from it without the express authorization of the consumer, but does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer report.

(cf: P.L.1997, c.172, s.3)

 

    5. (New section) a. A consumer may elect to place a security freeze on his consumer report by:

    (1) making a request in writing by certified mail to a consumer reporting agency;

    (2) making a telephone request by providing certain personal identifying information to a consumer reporting agency; or

    (3) making a request directly to the consumer reporting agency through a secure electronic mail connection, if an electronic mail connection is provided by the consumer reporting agency.

    b. A consumer reporting agency shall place a security freeze on a consumer report no later than five business days after receiving a written or telephone request from the consumer or three business days after receiving a secure electronic mail request from the consumer.

    c. The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within five business days of the freeze and shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his credit for a specific party or period of time.

    d. If the consumer wishes to allow his consumer report to be accessed for a specific party or period of time while a freeze is in place, he shall contact the consumer reporting agency, request that the freeze be temporarily lifted, and provide the following:

    (1) Information generally deemed sufficient to identify a person;

    (2) The unique personal identification number or password provided by the consumer reporting agency pursuant to subsection c. of this section; and

    (3) The proper information regarding the third party who is to receive the consumer report or the time period for which the consumer report shall be available to users of the consumer report.

    e. A consumer reporting agency that receives a request in writing sent by mail from a consumer to temporarily lift a freeze on a consumer report pursuant to subsection d. of this section shall comply with the request no later than three business days after receiving the request.

    f. (1) A consumer reporting agency shall, within one year of the effective date of this section, develop secure:

    (a) procedures that enable a consumer to use the telephone to request that the consumer reporting agency temporarily lift a freeze on the consumer report pursuant to subsection d. of this section, within 24 hours of the consumer's telephone request; and

    (b) procedures that enable a consumer to use the Internet, and, in the consumer reporting agency's sole and absolute discretion, other electronic media to request that the consumer reporting agency temporarily lift a freeze on the consumer report pursuant to subsection d. of this section within 24 hours of the consumer's Internet or other electronic media request.

    (2) A consumer reporting agency shall, within two years of the effective date of this section, develop secure:

    (a) procedures that enable a consumer to use the telephone to request that the consumer reporting agency temporarily lift a freeze on the consumer report pursuant to subsection d. of this section, within six hours of the consumer's telephone request; and

    (b) procedures that enable a consumer to use the Internet, and, in the consumer reporting agency's sole and absolute discretion, other electronic media, to request that the consumer reporting agency temporarily lift a freeze on the consumer report pursuant to subsection d. of this section, within six hours of the consumer's Internet or other electronic media request.

    (3) A consumer reporting agency shall, within three years of the effective date of this section, develop secure:

    (a) procedures that enable a consumer to use the telephone to request that the consumer reporting agency temporarily lift a freeze on the consumer report pursuant to subsection d. of this section, within one hour of the consumer's telephone request; and

    (b) procedures that enable a consumer to use the Internet, and, in the consumer reporting agency's sole and absolute discretion, other electronic media, to request that the consumer reporting agency temporarily lift a freeze on the consumer report pursuant to subsection d. of this section, within five minutes of the consumer's Internet or other electronic media request.

    g. A consumer reporting agency shall remove or temporarily lift a freeze placed on a consumer report only in the following cases:

    (1) Upon consumer request, pursuant to subsection d. or j. of this section; or

    (2) If the consumer report was frozen due to a material misrepresentation of fact by the consumer. If a consumer reporting agency intends to remove a freeze upon a consumer report pursuant to this paragraph, the consumer reporting agency shall notify the consumer in writing five business days prior to removing the freeze on the consumer report.

    h. If a third party requests access to a consumer report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his consumer report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

    i. (1) At any time that a consumer is required to receive a summary of rights required under section 609 of the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681g, the following notice shall be included:

 

New Jersey Consumers Have the Right to Obtain a Security Freeze

 

    You may obtain a security freeze on your credit report at no charge to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a “security freeze” on your credit report pursuant to New Jersey law.

    The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.

    The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.  When you place a security freeze on your credit report, within five business days you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report for a specific party, parties or period of time after the freeze is in place.  To provide that authorization, you must contact the consumer reporting agency and provide all of the following:

    (i) The unique personal identification number or password provided by the consumer reporting agency;

    (ii) Proper identification to verify your identity; and

    (iii) The proper information regarding the third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report.

    A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request.

    A security freeze does not apply to circumstances where you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control or similar activities.

    If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around, or specifically for a certain creditor, a few days before actually applying for new credit.

    You have a right to bring a civil action against someone who violates your rights under the credit reporting laws.  The action can be brought against a consumer reporting agency or a user of your credit report.

 

    (2) If a consumer requests information about a security freeze, he shall be provided with the notice provided in paragraph (1) of this subsection and with information about how to place, temporarily lift and permanently lift a security freeze.

    j. A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days of receiving a request for removal from a consumer who provides the following:

    (1) Proper identification; and

    (2) The unique personal identification number or password provided by the consumer reporting agency pursuant to subsection c. of this section.

    k. A consumer reporting agency shall require proper identification of the person making a request to place or remove a security freeze.

    l. The provisions of this section do not apply to the use of a consumer report by the following:

    (1) A person, or subsidiary, affiliate, or agent of that person, or an assignee of a financial obligation owing by the consumer to that person, or a prospective assignee of a financial obligation owing by the consumer to that person in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument. For purposes of this paragraph, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements;

    (2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subsection d. of this section, for purposes of facilitating the extension of credit or other permissible use;

    (3) Any State or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, or subpoena;

    (4) A State or local child support enforcement agency;

    (5) The use of credit information for the purposes of prescreening as provided for by the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681 et seq.;

    (6) The New Jersey Department of Health and Senior Services or its agents or assigns acting to investigate fraud;

    (7) The New Jersey Department of the Treasury or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;

    (8) A person for the purposes of prescreening as defined by the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681 et seq.;

    (9) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed; or

    (10) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer’s request.

    m. (1) A consumer shall not be charged for any security freeze services, including but not limited to, the placement or lifting of a security freeze.

    (2) A consumer may be charged a reasonable fee, not to exceed $5, if the consumer fails to retain the original personal identification number provided by the consumer reporting agency and must be reissued the same or a new personal identification number. A consumer, however, shall not be charged for the first reissue of his lost personal identification number.

    n. (1) If a consumer reporting agency negligently or willfully violates the security freeze by releasing credit information that has been placed under a security freeze, the affected consumer shall be entitled to:

    (a) Notification within five business days of the release of the information, including specificity as to the information released and the third party recipient of the information;

    (b) File a complaint with the Federal Trade Commission and the Attorney General; and

    (c) Civil relief against the consumer reporting agency, including, but not limited to, injunctive relief to prevent or restrain further violation of the security freeze, and a civil penalty in an amount not to exceed $10,000 for each violation plus any damages available under other civil laws, and reasonable expenses, court costs, investigative costs and attorney’s fees.

    (2) Each violation of the security freeze shall be counted as a separate incident for purposes of imposing penalties under this subsection.

 

    6. (New section) If a security freeze is in place, a consumer reporting agency shall not change any of the following official information in a consumer report without sending a written confirmation of the change to the consumer within 30 days of the change being posted to the consumer's file: name; date of birth; Social Security number and address. Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.

 

    7. (New section) The provisions of sections 5 through 9 of this amendatory and supplementary act shall not apply to a consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the data base of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a permanent data base of credit information from which new consumer reports are produced, except that such a reseller of credit information shall honor any security freeze placed on a consumer report by another consumer reporting agency.

 

    8. (New section) The following entities are not required to place a security freeze in a consumer report, pursuant to section 5 of this amendatory and supplementary act:

    a. A check services company, which issues authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments; and

    b. A demand deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a demand deposit account at the inquiring bank or financial institution.

 

    9. (New section) A consumer reporting agency shall not provide a consumer's credit header information unless the requester has a permissible purpose to obtain the consumer's consumer report pursuant to section 604 of the federal "Fair Credit Reporting Act," 15 U.S.C. 1681b.

 

    10. (New section) As used in sections 10 and 11 of this amendatory and supplementary act:

    "Data collector" means, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity which, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.

    "Individual" means a natural person.

    "Personal information" means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

    (1) Social Security number;

    (2) Driver’s license number or State identification card number;

    (3) Account number, credit or debit card number, if circumstances exist where that number could be used without additional identifying information, access codes, or passwords; or

    (4) Account passwords or personal identification numbers (PINs) or other access codes.

    Any item listed above shall also constitute personal information when not used in connection with the individual’s first name or first initial and last name if that information was compromised and would be sufficient to perform or attempt to perform identity theft against that individual.

    Personal information shall not include publicly available information that is lawfully made available to the general public from federal, State or local government records.

    "Security breach" means the unauthorized acquisition of any data that compromises the security and confidentiality, or integrity of personal information maintained by the consumer reporting agency. Good faith acquisition of personal information by an employee or agent of the consumer reporting agency for a legitimate purpose of the agency is not a security breach, provided that the personal information is not used for a purpose unrelated to the agency or subject to further unauthorized disclosure.  A security breach of non-computerized data may include, but is not limited to, unauthorized photocopying, facsimiles or other paper-based transmittal of documents.

 

    11. (New section) a. Except as provided in subsection b. of this section, any data collector that owns or uses personal information in any form that includes personal information concerning a New Jersey resident shall notify the resident that there has been a security breach related to that data following discovery or notification of the security breach, without regard for whether or not the data has or has not been accessed by an unauthorized third party for legal or illegal purposes. If the data collector does not own the information whose security was breached, the data collector shall notify the owner or licensee of the information of the security breach. The disclosure notifications shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection b. of this section, or with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data system.

    b. The notification required by this section may be delayed if a law enforcement agency determines that the notification may impede a criminal investigation. The notification shall only be made after the law enforcement agency determines that it will not compromise the investigation.

    c. For purposes of this section, notice may be provided by one of the following methods:

    (1) Written notice;

    (2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 101 of the federal "Electronic Signatures in Global and National Commerce Act," 15 U.S.C. s.7001; or

    (3) Substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following:

    (a) E-mail notice when the data collector has an e-mail address for the New Jersey resident whose personal information was affected by the breach;

    (b) Conspicuous posting of the notice on the website page of the data collector, if the data collector maintains one; and

    (c) Notification to major statewide media.

    d. Any waiver of the provisions of this act is contrary to public policy, and is void and unenforceable.

    e. Any individual injured by a violation of this section may institute a civil action to recover damages. Any business that violates, proposes to violate, or has violated this section may be enjoined. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

 

    12. (New section) As used in section 12 through 15 of this amendatory and supplementary act:

    "Business" means sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit. The term includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. The term also includes an entity that destroys records.

    "Dispose" means the discarding or abandonment of records containing personal information, and the sale, donation, discarding or transfer of any medium, including computer equipment, or computer media, containing records of personal information, or other non-paper media upon which records of personal information is stored, or other equipment for non-paper storage of information.

    "Personal information" means any information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, a name, signature, Social Security number, fingerprint, photograph or computerized image, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, date of birth, medical information, bank account number, credit card number, debit card number or any other financial information.

    "Records" means any material on which written, drawn, spoken, visual or electromagnetic information is recorded or preserved, regardless of physical form or characteristics. Records do not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address or telephone number.

 

    13. (New section) Any business that conducts business in New Jersey and any business that maintains or otherwise possesses personal information of residents of New Jersey shall take all reasonable measures to protect against unauthorized access to or use of that information in connection with, or after its disposal. The reasonable measures shall include, but may not be limited to:

    a. Implementing and monitoring compliance with polices and procedures that require the burning, pulverizing or shredding of papers containing personal information so that the information cannot practicably be read or reconstructed;

    b. Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed;

    c. After due diligence, entering into and monitoring compliance with a written contract with another party engaged in the business of record destruction to dispose of personal information in a manner consistent with this amendatory and supplementary act. Due diligence should ordinarily include, but may not be limited to, one or more of the following: reviewing an independent audit of the disposal company's operations and its compliance with this amendatory and supplementary act; obtaining information about the disposal company from several references or other reliable sources and requiring that the disposal company be certified by a recognized trade association or similar third party with a reputation for high standards of quality review; reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal company; and

    d. For disposal companies explicitly hired to dispose of records containing personal information: implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information in accordance with subsections a. and b. of this section.

 

    14. (New section) Procedures relating to the adequate destruction or proper disposal of personal records must be comprehensively described and classified as official policy in the writings of the business entity, including corporate and employee handbooks and similar corporate documents.

 

    15. (New section) a. Any person or business that violates the provisions of sections 12, 13 or 14 of this amendatory and supplementary act shall be liable for a civil penalty not to exceed $3,000 for each violation.

    b. Any individual aggrieved by a violation of sections 12, 13 or 14 of this amendatory and supplementary act may bring a civil action in this State to enjoin further violations and to recover actual damages, costs and reasonable attorney's fees.

 

    16. (New section) a. Except as provided in subsection b. of this section, no person, including any public or private entity, shall:

    (1) Intentionally communicate or otherwise make available to the public an individual's Social Security number.

    (2) Print an individual's Social Security number on any card required for the individual to access products or services provided by the person.

    (3) Require an individual to transmit his Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted.

    (4) Require an individual to use his Social Security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website.

    (5) Print an individual's Social Security number on any materials that are mailed to the individual, unless State or federal law requires the Social Security number to be on the document to be mailed.

    (6) Sell, lease, loan, trade, rent, or otherwise disclose an individual's Social Security number to a third party for any purpose without written consent to the disclosure from the individual.

    (7) Refuse to do business with an individual because the individual will not consent to the receipt by that person of the Social Security number of that individual, unless that person is expressly required under State or federal law, in connection with doing business with an individual, to submit to the State or federal government, as applicable, that individual's Social Security number.

    b. Nothing in this section shall prevent a State or local unit of government from using a Social Security number for internal verification and administrative purposes, so long as the use does not result in, or require the release of, the Social Security number to persons not designated by the public agency to perform associated functions authorized by law.

 

    17. (New section) a. Any person who negligently violates section 16 of this amendatory and supplementary act shall be liable for a civil penalty not to exceed $3,000 for each violation.

    b. Any person who knowingly violates section 16 of this amendatory and supplementary act shall be guilty of a crime of the fourth degree and, notwithstanding the provisions of N.J.S.2C:43-3 and N.J.S.2C:43-6, punishable by imprisonment of not more than 15 days or a fine of not more than $5,000, or both.

    c. A person aggrieved by a violation of section 16 of this amendatory and supplementary act may bring a civil action against the violator for recovery of actual damages or $5,000, whichever is greater, plus reasonable attorney's fees and court costs.

 

    18. This act shall take effect on the 180th day after enactment, except that section 2 of this act shall take effect immediately.

 

 

STATEMENT

 

    This bill allows victims of identity theft to obtain an official incident record from their local law enforcement agency if the victim has learned or reasonably suspects that he has been a victim of identity theft. The victim may contact their local law enforcement agency to make a complaint and provide the victim with a police report.

    In addition, this bill establishes a procedure whereby a victim of identity theft could obtain a factual determination of innocence and access a Statewide identity theft registry. Under the provisions of the bill, if a person reasonably believes that he is a victim of identity theft that person, or the court on its motion or upon application by the prosecuting attorney, may move for an expedited judicial determination of his factual innocence if a defendant has been arrested for, charged with or convicted of a crime under the victim's identity or where a criminal complaint has been filed against a defendant in the victim's name or if the victim's identity has been mistakenly associated with a record of criminal conviction. If the court determines that the petition or motion is meritorious and that the victim has not committed the offense, the court shall issue a judicial determination of factual innocence. After an order has been issued, the court may order that the name and personal identifying information of the victim contained in court records, files and indexes be deleted, sealed or labeled to show that the data is impersonated and does not reflect the defendant's identity.

    This bill also requires the Administrative Office of the Courts (AOC) to establish and maintain a data base of persons who have been victims of identity theft and that have received determinations of factual innocence. Access to the data base would be limited to criminal justice agencies, victims of identity theft and any other persons and agencies authorized by the victims. The AOC would also be required to establish a toll-free number to provide access information to victims of identity theft.

    This bill also amends and supplements the "New Jersey Fair Credit Reporting Act," to require that a consumer reporting agency place a security freeze on a consumer credit report within five business days of receiving a request to do so either in writing by certified mail or by a telephone request with certain accompanying personal identifying information; or within three business days of receiving a secure electronic mail request, and prohibits the release of information from the report while the freeze is in place, except as provided by the bill.

    As defined in the bill, "security freeze" means a notice placed in a consumer's credit report, at the request of the consumer, that prohibits the consumer reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer, but does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.

    The bill also provides that the consumer reporting agency shall provide notice to a consumer of the availability and mechanics of the security freeze in a notice, the form of which is provided in the bill, at any time a consumer is required to receive a summary of rights under section 609 of the federal "Fair Credit Reporting Act."

    The bill requires a consumer reporting agency to provide a consumer with an identification number to be used for temporarily lifting a freeze upon a consumer credit report or authorizing the subsequent release of information from a consumer credit report that is subject to a security freeze. Further, the bill stipulates that a security freeze shall remain in place until either the consumer requests to have the security freeze removed, or upon discovery by the consumer reporting agency that the consumer's credit report was frozen due to a material misrepresentation by the consumer. Also, if a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other benefit, and the consumer does not allow the report to be accessed, the third party may treat the application as incomplete.

    A consumer reporting agency shall be required to lift the security freeze within three business days of receiving a written request to do so. However, within one year of the effective date of this bill, a consumer reporting agency must have mechanisms in place to allow a consumer to lift the freeze by either use of the telephone or the Internet. If the telephone or Internet is used, the consumer reporting agency must lift the freeze within 24 hours of receiving the request. Within two years of the bill's effective date, the freeze must be lifted within six hours of a telephone or Internet request. Finally, within three years of the bill's effective date, a consumer reporting agency must lift the freeze within one hour of a telephone request and five minutes of an Internet request.

    The bill also provides that when a security freeze is in place, a consumer reporting agency shall not modify any of the consumer's basic identifying information in the report without sending a written confirmation of the change to the consumer, including, in the case of an address change, a written confirmation sent to both the new and the former address. Also, the bill prohibits a consumer reporting agency from charging any fees to freeze, remove a freeze, or temporarily lift a freeze regarding access to a consumer credit report. However, a consumer reporting agency may charge up to $5 if a consumer fails to retain his personal identification number, but shall not charge for the first reissue of that number.

    A consumer reporting agency that negligently or willfully violates the security freeze sections of the bill shall notify the consumer of the misconduct within five business days and may be subject to civil and injunctive penalties.

    Any data collector that owns or uses personal information concerning a New Jersey resident shall notify the resident that there has been a security breach related to the data following discovery or notification of the breach. The disclosure notifications shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. The disclosure may be delayed, however, if a law enforcement agency determines that notification will impede a criminal investigation.

    Any data collector that maintains computerized data that includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery.

    For purposes of this bill, notice may be written or electronic. If the data collector demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information, it may provide substitute notice, which must consist of all of the following: (1) e-mail notice when the data collector has an e-mail address; (2) conspicuous posting of the notice on the website page of the data collector, if the data collector maintains one; and (3) notification to major statewide media.

    Any individual injured by a violation of the security breach section of the bill may institute a civil action to recover damages or injunctive relief.

    This bill also requires any business that conducts business in New Jersey and any business that maintains or otherwise possesses personal information of New Jersey residents must take all reasonable measures to protect against unauthorized access to or use of that information in connection with or after its disposal. Further, the procedures used in the destruction and disposal of the personal records must be comprehensively described and classified as official policy in the writings of the business entity.

    A violation of the destruction of records provisions of the bill shall be punishable by a civil penalty not to exceed $3,000 for each violation, injunctive relief and actual damages, costs and reasonable attorney's fees.

    The bill also prohibits any person, including a public or private entity from: (1) intentionally communicating or otherwise making available to the public an individual's Social Security number; (2) printing an individual's Social Security number on any card required for the individual to access products or services provided by the person; (3) requiring an individual to transmit his Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; (4) requiring an individual to use his Social Security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website; (5) printing an individual's Social Security number on any materials that are mailed to the individual, unless State or federal law requires the Social Security number to be on the document to be mailed; (6) selling, leasing, loaning, trading, renting, or otherwise disclosing an individual's Social Security number to a third party for any purpose without written consent to the disclosure from the individual; or (7) refusing to do business with an individual because the individual will not consent to the receipt by that person of the Social Security number of that individual, unless that person is expressly required under State or federal law, in connection with doing business with an individual, to submit to the State or federal government, as applicable, that individual's Social Security number.

    Unauthorized use of a Social Security number is punishable by a $3,000 fine for a negligent violation, and a $5,000 fine or up to 15 days imprisonment, or both, for knowingly violating this section. An aggrieved individual may recover actual damages or $5,000, whichever is greater, plus reasonable attorney's fees and court costs.