Download Zipped Introduced WordPerfect SB0069S03.ZIP
[Status][Bill Documents][Fiscal Note][Bills Directory]

Third Substitute S.B. 69

Representative David Clark proposes the following substitute bill:


             1     
PROTECTION OF INFORMATION IN

             2     
CONSUMER CREDIT DATABASES

             3     
2006 GENERAL SESSION

             4     
STATE OF UTAH

             5     
Chief Sponsor: Carlene M. Walker

             6     
House Sponsor: David Clark

             7     
             8      LONG TITLE
             9      General Description:
             10          This bill addresses the integrity of consumer credit databases.
             11      Highlighted Provisions:
             12          This bill:
             13          .    defines terms;
             14          .    requires a person maintaining personal information in connection with a business to
             15      implement procedures to protect personal information;
             16          .    requires destruction of certain records;
             17          .    requires disclosure of breaches of databases containing personal information; and
             18          .    provides for enforcement by the attorney general.
             19      Monies Appropriated in this Bill:
             20          This bill appropriates from the General Fund to the attorney general:
             21          .    as an ongoing appropriation subject to future budget constraints, $89,400 for fiscal
             22      year 2006-07; and
             23          .    $23,000 for fiscal year 2006-07 only.
             24      Other Special Clauses:
             25          This bill takes effect on January 1, 2007.


             26      Utah Code Sections Affected:
             27      ENACTS:
             28          13-42-101, Utah Code Annotated 1953
             29          13-42-102, Utah Code Annotated 1953
             30          13-42-201, Utah Code Annotated 1953
             31          13-42-202, Utah Code Annotated 1953
             32          13-42-301, Utah Code Annotated 1953
             33     
             34      Be it enacted by the Legislature of the state of Utah:
             35          Section 1. Section 13-42-101 is enacted to read:
             36     
CHAPTER 42. CONSUMER CREDIT PROTECTION ACT

             37     
Part 1. General Provisions

             38          13-42-101. Title.
             39          This chapter is known as the "Consumer Credit Protection Act."
             40          Section 2. Section 13-42-102 is enacted to read:
             41          13-42-102. Definitions.
             42          As used in this chapter:
             43          (1) (a) "Breach of system security" means an unauthorized acquisition of unencrypted
             44      computerized data maintained by a person that compromises the security, confidentiality, or
             45      integrity of personal information.
             46          (b) "Breach of system security" does not include the acquisition of personal
             47      information by an employee or agent of the person possessing unencrypted computerized data
             48      unless the personal information is used or disclosed in an unauthorized manner.
             49          (2) "Consumer" means a natural person.
             50          (3) (a) "Personal information" means a person's first name or first initial and last name,
             51      combined with any one or more of the following data elements relating to that person when
             52      either the name or date element is unencrypted or not protected by another method that renders
             53      the data unreadable or unusable:
             54          (i) Social Security number;
             55          (ii) (A) financial account number, or credit or debit card number; and
             56          (B) any required security code, access code, or password that would permit access to


             57      the person's account; or
             58          (iii) driver license number or state identification card number.
             59          (b) "Personal information" does not include information regardless of its source,
             60      contained in federal, state, or local government records or in widely distributed media that are
             61      lawfully made available to the general public.
             62          (4) "Record" includes materials maintained in any form, including paper and
             63      electronic.
             64          Section 3. Section 13-42-201 is enacted to read:
             65     
Part 2. Protection of Personal Information

             66          13-42-201. Protection of personal information.
             67          (1) Any person who conducts business in the state and maintains personal information
             68      shall implement and maintain reasonable procedures to:
             69          (a) prevent unlawful use or disclosure of personal information collected or maintained
             70      in the regular course of business; and
             71          (b) destroy, or arrange for the destruction of, records containing personal information
             72      that are not to be retained by the person.
             73          (2) The destruction of records under Subsection (1)(b) shall be by:
             74          (a) shredding;
             75          (b) erasing; or
             76          (c) otherwise modifying the personal information to make the information
             77      indecipherable.
             78          (3) This section does not apply to a financial institution as defined by 15 U.S.C.
             79      Section 6809.
             80          Section 4. Section 13-42-202 is enacted to read:
             81          13-42-202. Personal information -- Disclosure of system security breach.
             82          (1) (a) A person who owns or licenses computerized data that includes personal
             83      information concerning a Utah resident shall, when the person becomes aware of a breach of
             84      system security, conduct in good faith a reasonable and prompt investigation to determine the
             85      likelihood that personal information has been or will be misused for identity fraud or theft
             86      purposes.
             87          (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal


             88      information for identity fraud or theft purposes has occurred, or is reasonably likely to occur,
             89      the person shall provide notification to each affected Utah resident.
             90          (2) A person required to provide notification under Subsection (1) shall provide the
             91      notification in the most expedient time possible without unreasonable delay:
             92          (a) considering legitimate investigative needs of law enforcement, as provided in
             93      Subsection (4)(a);
             94          (b) after determining the scope of the breach of system security; and
             95          (c) after restoring the reasonable integrity of the system.
             96          (3) (a) A person who maintains computerized data that includes personal information
             97      that the person does not own or license shall notify and cooperate with the owner or licensee of
             98      the information of any breach of system security immediately following the person's discovery
             99      of the breach if misuse of the personal information occurs or is reasonably likely to occur.
             100          (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
             101      breach with the owner or licensee of the information.
             102          (4) (a) Notwithstanding Subsection (2), a person may delay providing notification
             103      under Subsection (1) at the request of a law enforcement agency that determines that
             104      notification may impede a criminal investigation.
             105          (b) A person who delays providing notification under Subsection (4)(a) shall provide
             106      notification in good faith without unreasonable delay in the most expedient time possible after
             107      the law enforcement agency informs the person that notification will no longer impede the
             108      criminal investigation.
             109          (5) (a) A notification required by this section may be provided:
             110          (i) in writing by first-class mail;
             111          (ii) electronically, if provided in accordance with the consumer disclosure provisions of
             112      15 U.S.C. Section 7001;
             113          (iii) by telephone, including through the use of automatic dialing technology not
             114      prohibited by other law; or
             115          (iv) by publishing notice of the breach of system security in a newspaper of general
             116      circulation.
             117          (b) If a person maintains the person's own notification procedures as part of an
             118      information security policy for the treatment of personal information the person is considered


             119      to be in compliance with this chapter's notification requirements if the procedures are otherwise
             120      consistent with this chapter's timing requirements and the person notifies each affected Utah
             121      resident in accordance with the person's information security policy in the event of a breach.
             122          (c) A person who is regulated by state or federal law and maintains procedures for a
             123      breach of system security under applicable law established by the primary state or federal
             124      regulator is considered to be in compliance with this part if the person notifies each affected
             125      Utah resident in accordance with the other applicable law in the event of a breach.
             126          (6) A waiver of this section is contrary to public policy and is void and unenforceable.
             127          Section 5. Section 13-42-301 is enacted to read:
             128     
Part 3. Enforcement

             129          13-42-301. Enforcement.
             130          (1) The attorney general may enforce this chapter's provisions.
             131          (2) (a) Nothing in this chapter creates a private right of action.
             132          (b) Nothing in this chapter affects any private right of action existing under other law,
             133      including contract or tort.
             134          (3) A person who violates this chapter's provisions is subject to a civil fine of:
             135          (a) no greater than $2,500 for a violation or series of violations concerning a specific
             136      consumer; and
             137          (b) no greater than $100,000 in the aggregate for related violations concerning more
             138      than one consumer.
             139          (4) In addition to the penalties provided in Subsection (3), the attorney general may
             140      seek injunctive relief to prevent future violations of this chapter in:
             141          (a) the district court located in Salt Lake City; or
             142          (b) the district court for the district in which resides a consumer who is affected by the
             143      violation.
             144          Section 6. Appropriation.
             145          (1) There is appropriated from the General Fund to the attorney general:
             146          (a) as an ongoing appropriation, subject to future budget constraints, $89,400 for fiscal
             147      year 2006-07; and
             148          (b) $23,000 for fiscal year 2006-07 only.
             149          (2) It is the intent of the Legislature that:


             150          (a) the monies appropriated under Subsection (1)(a) be used to fund investigatory
             151      activities that may lead to an enforcement action by the attorney general under Section
             152      13-42-301 ; and
             153          (b) the monies appropriated under Subsection (1)(b) be used to purchase equipment
             154      required for investigatory activities that may lead to an enforcement action by the attorney
             155      general under Section 13-42-301 .
             156          Section 7. Effective date.
             157          This bill takes effect on January 1, 2007.


[Bill Documents][Bills Directory]