skip to main content

H.R. 4028 (115th): PROTECT Act of 2017

The text of the bill below is as of Oct 12, 2017 (Introduced).


I

115th CONGRESS

1st Session

H. R. 4028

IN THE HOUSE OF REPRESENTATIVES

October 12, 2017

introduced the following bill; which was referred to the Committee on Financial Services

A BILL

To amend the Federal Financial Institutions Examination Council Act of 1978 to establish cybersecurity supervision and examination of large consumer reporting agencies, and for other purposes.

1.

Short title

This Act may be cited as the Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017 or the PROTECT Act of 2017.

I

Consumer reporting agency cybersecurity

101.

Cybersecurity supervision and examination of large consumer reporting agencies

The Federal Financial Institutions Examination Council Act of 1978 (12 U.S.C. 3301 et seq.) is amended by adding at the end the following:

1012.

Cybersecurity supervision and examination of large consumer reporting agencies

(a)

In general

Large consumer reporting agencies shall be subject to cybersecurity supervision and examination by the designated agency.

(b)

Rulemaking

The Council shall—

(1)

establish uniform cybersecurity supervision and examination procedures for purposes of subsection (a); and

(2)

designate a Federal banking agency, as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809), to serve as the designated agency under subsection (a).

(c)

Large consumer reporting agency defined

The term large consumer reporting agency has the meaning given the term consumer reporting agency that compiles and maintains files on consumers on a nationwide basis under section 603(p) of the Fair Credit Reporting Act.

.

II

National Security Freeze

201.

National security freeze and additional protections for files and credit records of protected consumers

Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is amended by adding at the end the following:

(i)

National security freeze and additional protections for files and credit records of protected consumers

(1)

Definitions

For purposes of this subsection:

(A)

The term proper identification has the meaning of such term as used under section 610.

(B)

The term consumer reporting agency means a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.

(C)

The term security freeze means a restriction placed on making consumer reports of a consumer, at the request of the consumer, that prohibits a consumer reporting agency from making a consumer report with respect to the consumer to any person for the purpose of opening a new account involving the extension of credit.

(2)

Request for security freeze, processing time, confirmation of freeze and personal identification number or password

(A)

Request

A consumer may request that a consumer reporting agency place a security freeze by sending a request via mail, telephone, facsimile, internet, or other electronic media to the consumer reporting agency in a manner designated by the consumer reporting agency to receive such requests.

(B)

Placement of security freeze

A consumer reporting agency shall place a security freeze no later than 5 business days after receiving from the consumer—

(i)

a request described under subparagraph (A);

(ii)

proper identification; and

(iii)

payment of the required fee, if applicable.

(C)

Confirmation and additional information

Not later than 10 business days after placing a security freeze, the consumer reporting agency shall—

(i)

send confirmation of the placement to the consumer;

(ii)

inform the consumer of the process by which the consumer may temporarily lift the security freeze and allow the consumer reporting agency to make a consumer report with respect to the consumer for a specific entity or a specific period of time;

(iii)

provide the consumer with a unique personal identification number or password to be used with the process described under subparagraph (B); and

(iv)

inform the consumer of the process by which the consumer may remove the security freeze.

(D)

Notice to third parties

A consumer reporting agency may advise a third party that a security freeze has been placed with respect to a consumer.

(3)

Requests to temporarily lift freeze, timing, request procedures

(A)

In general

If a consumer with a security freeze in place wishes to temporarily allow a consumer reporting agency to make a consumer report with respect to the consumer for a specific entity or a specific period of time, the consumer may notify the consumer reporting agency using a method of contact designated by the consumer reporting agency, requesting that the freeze be temporarily lifted, and providing, to complete the request, all of the following:

(i)

Proper identification.

(ii)

The unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (2)(C).

(iii)

The applicable information regarding the entity or time period with respect to which the consumer wishes the security freeze to be lifted.

(iv)

The required fee, if applicable.

(B)

Temporary lifting of security freeze

A consumer reporting agency that receives a request described under subparagraph (A) shall comply with the request not later than 3 business days after receiving the request.

(C)

Procedures

A consumer reporting agency may develop procedures involving the use of telephone, facsimile, the internet, or other electronic media to receive and process a request from a consumer described under subparagraph (A) in an expedited manner.

(4)

Mandatory removal or temporary lifting of freeze, notice to consumer, and third party requests

(A)

In general

A consumer reporting agency shall remove or temporarily lift a freeze placed on the consumer report of a consumer only in the following cases:

(i)

Upon consumer request.

(ii)

The security freeze was placed due to a material misrepresentation of fact by the consumer.

(B)

Notice if removal not by request

If a consumer reporting agency intends to remove a security freeze with respect to a consumer, and is not doing so at the request of the consumer, the consumer reporting agency shall notify the consumer in writing prior to removing the security freeze.

(C)

Third party requests

If a third party requests access to a consumer report of a consumer with respect to which a security freeze is in effect, where such request is in connection with an application for credit or any other use, and the consumer does not allow such consumer report to be accessed, the third party may treat the application as incomplete.

(5)

Removal of freeze by consumer request

A security freeze shall remain in place until the consumer requests, using a method of contact designated by the consumer reporting agency, that the security freeze be removed. A consumer reporting agency shall remove a security freeze within 3 business days of receiving such a request for removal from the consumer, who provides along with it—

(A)

proper identification;

(B)

the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (2)(C); and

(C)

the required fee, if applicable.

(6)

Exceptions

A security freeze shall not apply to the making of a consumer report for use by the following:

(A)

A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owed by the consumer to that person or entity, or a prospective assignee of a financial obligation owed by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owed for the account, contract, or negotiable instrument. For purposes of this subparagraph, reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

(B)

A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted for purposes of facilitating the extension of credit or other permissible use.

(C)

Any Federal, State or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, or subpoena.

(D)

A child support agency acting pursuant to part D of title IV of the Social Security Act.

(E)

A State or its agents or assigns acting to investigate fraud or acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities, provided such responsibilities are consistent with a permissible purpose under section 604.

(F)

A person using credit information for the purposes described under section 604(c).

(G)

Any person or entity administering a credit file monitoring subscription or similar service to which the consumer has subscribed.

(H)

Any person or entity for the purpose of providing a consumer with a copy of the consumer’s consumer report or credit score, upon the request of the consumer.

(I)

Any person using the information in connection with the underwriting of insurance.

(J)

Any person using the information for employment, tenant, or background screening purposes.

(7)

Fees

(A)

In general

A consumer reporting agency may charge a fee of no more than $5 to a consumer for each security freeze, removal of a security freeze, or temporary lifting of a security freeze.

(B)

Exception

A consumer reporting agency shall not charge any fee described under subparagraph (A) to—

(i)

a victim of identity theft who has submitted, at the time the security freeze is requested, a copy of a valid investigative or incident report or complaint with a law enforcement agency about the unlawful use of the victim’s identifying information by another person;

(ii)

except as provided in subsection (j), a consumer who is a minor or 65 years of age or older for the initial placement and removal of a security freeze; or

(iii)

a consumer who has submitted a copy of the consumer’s orders calling the service member to military service and any orders further extending the service member’s period of service if currently active.

(8)

Modification of official information

(A)

In general

If a security freeze is in place, a consumer reporting agency shall not change any of the following official information in the file of a consumer without sending confirmation of the change to the consumer within 30 days of the change being posted to the file of the consumer:

(i)

Name.

(ii)

Date of birth.

(iii)

Social Security number.

(iv)

Address.

(B)

Exception for technical modifications

Subparagraph (A) shall not apply to technical modifications of official information of a consumer, including name and street abbreviations, complete spellings, or transposition of numbers or letters.

(C)

Address changes

In the case of an address change, the confirmation described under subparagraph (A) shall be sent to both the new address and to the former address.

(9)

Notice of rights

At any time a consumer is required to receive a summary of rights required under section 609, the following notice shall be included:

Consumers Have the Right To Obtain a Security Freeze—You have a right to place a security freeze on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, government services or payments, rental housing, employment, investment, license, cellular phone, utilities, digital signature, internet credit card transaction, or other services, including an extension of credit at point of sale. When you place a security freeze on your credit report, you will be provided a personal identification number or password to use if you choose to remove the security freeze on your credit report or authorize the release of your credit report to a particular entity or for a period of time after the freeze is in place. To provide that authorization you must contact the consumer reporting agency by one of the methods that it requires, and provide all of the following:

(1)

The personal identification number or password.

(2)

Proper identification to verify your identity.

(3)

The applicable information regarding the entity or time period with respect to which the consumer wishes the security freeze to be lifted.

(4)

The payment of the appropriate fee, if applicable.

A consumer reporting agency must authorize the release of your credit report no later than 3 business days after receiving all of the above items by any method that the consumer reporting agency allows.

A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

You have a right to bring a civil action against anyone, including a consumer reporting agency, who willfully or negligently fails to comply with the Federal law on security freezes (section 605C of the Fair Credit Reporting Act).

A consumer reporting agency has the right to charge you up to Five Dollars ($5.00) to place a security freeze, up to Five Dollars ($5.00) to temporarily lift a security freeze, and up to Five Dollars ($5.00) to remove a security freeze. However, you shall not be charged any fee if you are a victim of identity theft who has submitted, at the time the security freeze is requested, a copy of a valid investigative or incident report or complaint with a law enforcement agency about the unlawful use of your identifying information by another person, or if you are a minor or sixty-five (65) years of age or older for the initial placement and removal of a security freeze.

.

(j)

National protections for files and credit records of protected consumers

(1)

Definitions

As used in this subsection:

(A)

The term consumer reporting agency means a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.

(B)

The term protected consumer means an individual who is—

(i)

under the age of 16 years at the time a request for the placement of a security freeze is made; or

(ii)

an incapacitated person or a protected person for whom a guardian or conservator has been appointed.

(C)

The term record means a compilation of information that—

(i)

identifies a protected consumer;

(ii)

is created by a consumer reporting agency solely for the purpose of complying with this subsection; and

(iii)

may not be created or used to consider the protected consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

(D)

The term representative means a person who provides to a consumer reporting agency sufficient proof of authority to act on behalf of a protected consumer.

(E)

The term security freeze means—

(i)

if a consumer reporting agency does not have a file pertaining to a protected consumer, a restriction that—

(I)

is placed on the protected consumer’s record in accordance with this subsection; and

(II)

prohibits the consumer reporting agency from releasing the protected consumer’s record except as provided in this subsection; or

(ii)

if a consumer reporting agency has a file pertaining to the protected consumer, a restriction that—

(I)

is placed on the protected consumer’s consumer report in accordance with this subsection; and

(II)

prohibits the consumer reporting agency from releasing the protected consumer’s consumer report except as provided in this subsection.

(F)

The term sufficient proof of authority means documentation that shows a representative has authority to act on behalf of a protected consumer and includes—

(i)

an order issued by a court of law;

(ii)

a lawfully executed and valid power of attorney; or

(iii)

a written, notarized statement signed by a representative that expressly describes the authority of the representative to act on behalf of a protected consumer.

(G)

The term sufficient proof of identification means information or documentation that identifies a protected consumer or a representative of a protected consumer and includes—

(i)

a Social Security number or a copy of a Social Security card issued by the Social Security Administration;

(ii)

a certified or official copy of a birth certificate issued by the entity authorized to issue the birth certificate; or

(iii)

a copy of a driver’s license, an identification card issued by the Motor Vehicle Administration, or any other government-issued identification.

(2)

Exceptions

This subsection shall not apply to the making of a consumer report for use by the following:

(A)

A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owed by the consumer to that person or entity, or a prospective assignee of a financial obligation owed by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owed for the account, contract, or negotiable instrument. For purposes of this subparagraph, reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

(B)

A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted for purposes of facilitating the extension of credit or other permissible use.

(C)

Any Federal, State or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, or subpoena.

(D)

A child support agency acting pursuant to part D of title IV of the Social Security Act.

(E)

The State or its agents or assigns acting to investigate fraud or acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities, provided such responsibilities are consistent with a permissible purpose under section 604.

(F)

A person using credit information for the purposes described under section 604(c).

(G)

Any person or entity administering a credit file monitoring subscription or similar service to which the consumer has subscribed.

(H)

Any person or entity for the purpose of providing a consumer with a copy of the consumer’s consumer report or credit score, upon the request of the consumer.

(I)

Any person using the information in connection with the underwriting of insurance.

(J)

Any person using the information for employment, tenant or background screening purposes.

(3)

Placing a freeze for a protected consumer

(A)

In general

A consumer reporting agency shall place a security freeze for a protected consumer if—

(i)

the consumer reporting agency receives a request from the protected consumer’s representative for the placement of the security freeze under this subsection; and

(ii)

the protected consumer’s representative—

(I)

submits the request to the consumer reporting agency at the address or other point of contact and in the manner specified by the consumer reporting agency;

(II)

provides to the consumer reporting agency sufficient proof of identification of the protected consumer and the representative;

(III)

provides to the consumer reporting agency sufficient proof of authority to act on behalf of the protected consumer; and

(IV)

pays to the consumer reporting agency a fee as provided under this subsection.

(B)

Creation of file

If a consumer reporting agency does not have a file pertaining to a protected consumer when the consumer reporting agency receives a request under subparagraph (A), the consumer reporting agency shall create a credit record for the protected consumer.

(C)

Placement of security freeze

Within 3 days after receiving a request described under subparagraph (A), a consumer reporting agency shall place a security freeze for the protected consumer.

(4)

Prohibition on release of record or file of protected consumer

Unless a security freeze for a protected consumer is removed in accordance with this subsection, a consumer reporting agency may not release the protected consumer’s consumer report, any information derived from the protected consumer’s consumer report, or any record created for the protected consumer.

(5)

Timeline for a freeze for a protected consumer

A security freeze for a protected consumer placed under this subsection shall remain in effect until—

(A)

the protected consumer or the protected consumer’s representative requests the consumer reporting agency to remove the security freeze in accordance with paragraph (6); or

(B)

the security freeze is removed in accordance with paragraph (9).

(6)

Removal of a protected consumer security freeze

If a protected consumer or a protected consumer’s representative wishes to remove a security freeze for the protected consumer, the protected consumer or the protected consumer’s representative shall—

(A)

submit a request for the removal of the security freeze to the consumer reporting agency at the address or other point of contact and in the manner specified by the consumer reporting agency;

(B)

provide to the consumer reporting agency—

(i)

in the case of a request by the protected consumer—

(I)

proof that the sufficient proof of authority for the protected consumer’s representative to act on behalf of the protected consumer is no longer valid; and

(II)

sufficient proof of identification of the protected consumer; or

(ii)

in the case of a request by the representative of a protected consumer—

(I)

sufficient proof of identification of the protected consumer and the representative; and

(II)

sufficient proof of authority to act on behalf of the protected consumer; and

(iii)

pay to the consumer reporting agency a fee, if applicable, as provided in paragraph (8).

(7)

Timing of removal of a protected consumer freeze

Within 3 days after receiving a request described under paragraph (6), the consumer reporting agency shall remove the security freeze for the protected consumer.

(8)

Fees for a protected consumer freeze

(A)

In general

Except as provided in subparagraph (B), a consumer reporting agency may not charge a fee for any service performed under this subsection.

(B)

Reasonable fee permitted

A consumer reporting agency may charge a reasonable fee, not exceeding $5, for each placement or removal of a security freeze for a protected consumer.

(C)

Exceptions

Notwithstanding subparagraph (B), a consumer reporting agency may not charge any fee under this subsection if—

(i)

the protected consumer’s representative has obtained a police report or affidavit of alleged identity fraud against the protected consumer and provides a copy of the report to the consumer reporting agency; or

(ii)

a request for the placement or removal of a security freeze is for a protected consumer who is under the age of sixteen years of age at the time of the request and the consumer reporting agency has a consumer report pertaining to the protected consumer.

(9)

Deletion of file or record created based on a material misrepresentation

A consumer reporting agency may remove a security freeze for a protected consumer or delete a record of a protected consumer if the security freeze was placed or the record was created based on a material misrepresentation of fact by the protected consumer or the protected consumer’s representative.

.

III

Credit rating agency use of social security numbers

301.

Prohibition on the use of Social Security numbers

(a)

In general

Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c), as amended by title II, is amended by adding at the end the following:

(k)

Prohibition on the use of social security numbers

A consumer reporting agency that compiles and maintains files on consumers on a nationwide basis—

(1)

may not make any consumer report containing a Social Security number; and

(2)

may not use the Social Security number of a consumer as a method to identify the consumer, or for any other purpose.

.

(b)

Conforming amendment

Section 609(a)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681g(a)(1)) is amended by striking except that— and all that follows through (B) nothing and inserting except that nothing.

(c)

Effective date

The amendments made by this section shall take effect on January 1, 2020.