State Codes and Statutes

Statutes > South-carolina > Title-37 > Chapter-20

Title 37 - Consumer Protection Code

CHAPTER 20.

CONSUMER IDENTITY THEFT PROTECTION

SECTION 37-20-110. Definitions.

For purposes of this chapter:

(1) "Consumer" means an individual residing in the State of South Carolina who undertakes a transaction for personal, family, or household purposes.

(2) "Consumer credit-reporting agency" or "consumer reporting agency" means a person that, for monetary fees or dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information about consumers for the purpose of furnishing consumer reports to third parties.

(3) "Consumer report" or "credit report" means any written, oral, electronic, or other communication of information by a consumer credit-reporting agency regarding a consumer's creditworthiness, credit standing, credit capacity, character, debts, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected in whole or in part for the purpose of establishing a consumer's eligibility for any of the following:

(a) credit or insurance to be used primarily for personal, family, or household purposes;

(b) employment purposes, meaning the use of a consumer report for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee; or

(c) any other purpose authorized pursuant to 15 USC Section 168lb.

"Consumer report" or "credit report" does not include a report containing information as to a transaction between the consumer and the person making the report; an authorization or approval by the issuer of a credit card or similar device, directly or indirectly, of a specific extension of credit; a communication of information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among those persons and the consumer has the opportunity, to direct that the information not be communicated among them, or a report in which a person conveys an adverse decision in response to a request from a third party to make a specific extension of credit, directly or indirectly, to the consumer, if the third party advises the consumer of the name and address of the person to whom the request was made and the person makes the required disclosures to the consumer pursuant to the provisions of the federal "Fair Credit Reporting Act".

(4) "Credit card" has the same meaning as in Section 103 of the Truth in Lending Act, 15 USC Section 160 and includes a lender credit card, as defined in Section 37-1-301(16) and a seller credit card, as defined in Section 37-1-301(26).

(5) "Creditworthiness" means an entry in a consumer's credit file that affects the ability of a consumer to obtain and retain credit, employment, business or professional licenses, investment opportunities, or insurance. Entries affecting creditworthiness include, but are not limited to, payment information, defaults, judgments, liens, bankruptcies, collections, records of arrest and indictments, and multiple credit inquiries.

(6) "Debit card" means a card or device issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account holding assets of the consumer at that financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services.

(7) "Disposal" means the:

(a) discarding or abandonment of records containing personal identifying information; or

(b) sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal identifying information, other nonpaper media upon which records of personal identifying information are stored, or other equipment for nonpaper storage of information.

(8) "File" means all information on a consumer that is recorded and retained by a consumer credit-reporting agency, regardless of how the information is stored.

(9) "Financial identity fraud" and "identity fraud" are as defined in Section 16-13-510 and include the term "identity theft".

(10) "Person" means a natural person, an individual, or an organization as defined in Section 37-1-301(20).

(11)(a) For purposes of this chapter, "personal identifying information" means personal identifying information as defined in Section 16-13-510(D).

(b) "Personal identifying information" does not mean information about vehicular accidents, driving violations, and driver's status.

(12) "Proper identification" means information generally considered sufficient to identify a person. If a person is reasonably unable to identify himself or herself with the information described in item (11), a consumer reporting agency may require additional information concerning the consumer's employment and personal or family history in order to verify the consumer's identity.

(13) "Publicly post" or "publicly display" means to exhibit in a place of public view.

(14) "Records" means material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.

(15) "Security breach" means an incident of unauthorized access to and acquisition of records or data that was not rendered unusable through encryption, redaction, or other methods containing personal identifying information that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the consumer. Good faith acquisition of personal identifying information by an employee or agent of the person for a legitimate purpose is not a security breach, if the personal identifying information is not used for a purpose other than a lawful purpose of the person and is not subject to further unauthorized disclosure.

(16) "Security freeze" means a notice placed in a consumer credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer credit-reporting agency from releasing a credit report containing all or any part of the consumer's credit report or any information derived from it without the express authorization of the consumer.

SECTION 37-20-120. Verification of addresses.

(A) A consumer credit-reporting agency must give notice to each creditor who uses a consumer report if the agency becomes aware that an application to a card issuer to open a new seller or lender credit card account bears an address for the consumer that is different from the address in its file of the consumer.

(B) A seller or lender credit card issuer that mails an offer or solicitation to receive a credit card and, in response, receives a completed application for a seller or lender credit card listing an address that is substantially different from the address on the offer or solicitation shall verify the change of address by contacting the person to whom the solicitation or offer was mailed, or by using other reasonable means of verifying the account holder's identity.

(C) When a seller or lender credit card issuer receives a written or oral request for a change of the cardholder's billing address and within a period not to exceed thirty days after the requested address change receives a written or oral request for an additional credit card, the credit card issuer may not mail the requested additional credit card to the new address or activate the requested additional credit card unless the issuer has verified the change of address.

(D) This section does not apply to a person that sends or receives address discrepancy notices in compliance with 15 USC 1681c(h) or regulations promulgated pursuant to it.

SECTION 37-20-130. Initiating law enforcement investigation of identity theft.

A person who learns or reasonably suspects that he is the victim of identity theft may initiate a law enforcement investigation by reporting to a local law enforcement agency that has jurisdiction over his actual legal residence. The law enforcement agency shall take the report, provide the complainant with a copy of the report, and begin an investigation or refer the matter to the law enforcement agency where the crime was committed for an investigation.

SECTION 37-20-140. Reflection of innocence of identity theft victim of crime committed using name in court records of person convicted of committing identity theft; petition for expedited judicial determination of factual innocence.

(A) If a person is convicted of unlawfully obtaining the personal identifying information of another person without the other person's authorization and using that information to commit a crime, the court records must reflect that the person whose identity was falsely used to commit the crime did not commit the crime.

(B) A person who reasonably believes that he is the victim of identity theft may petition the circuit court or have the County Office of Victims' Assistance petition the circuit court on his behalf, for an expedited judicial determination of his factual innocence, if the identity thief was arrested for and convicted of a crime under the victim's identity, or if the victim's identity has been mistakenly associated with a record of criminal conviction. A judicial determination of factual innocence made pursuant to this section may be heard and determined upon declarations, affidavits, police reports, or other material, relevant, and reliable information submitted by the parties. If the court determines that the petition is meritorious and that there is no reasonable cause to believe that the petitioner committed the offense for which the identity thief was arrested and convicted, the court shall find the petitioner factually innocent of that offense and issue an order certifying the determination and ordering the expunction of the erroneous conviction.

(C) A court may at any time vacate the determination of factual innocence if information submitted in support of the petition is found to contain material misrepresentation or fraud.

SECTION 37-20-150. Records of individuals who have been victims of identity theft to be maintained by State Law Enforcement Division; submission of fingerprints and other required information by victims.

(A) The State Law Enforcement Division shall establish and maintain appropriate records of individuals who have been the victims of identity theft. The records will be maintained in a computerized database at such time that funds are appropriated to the State Law Enforcement Division. Access to the records is limited to criminal justice agencies, except that a victim of identity theft, or his authorized representative, shall have access to the records in order to establish that he is a victim of identity theft.

(B) A victim of identity theft must submit to the State Law Enforcement Division a copy of the police report, a full set of fingerprints, or other relevant information required by the State Law Enforcement Division for the inclusion in the records of identity theft victims. The State Law Enforcement Division shall verify the identity of the victim against a driver's license or other identification records maintained by the Department of Motor Vehicles or by other agencies.

SECTION 37-20-160. Security freezes on consumer files; request for replacement personal identification number or password; consumer reporting agency duties and responsibilities; exceptions.

(A) On written request sent by certified mail or electronic mail that includes proper identification provided by a consumer, the consumer's attorney-in-fact, or the consumer's legal guardian, if the consumer has not been a victim of identity theft or if the consumer has reason to believe that he is the victim of financial identity fraud, as evidenced by a copy of a valid police report, investigative report, or complaint made pursuant to Section 16-13-510, a consumer reporting agency shall place a security freeze on the consumer's consumer file not later than the fifth business day after the date the agency receives the request.

(B) On written request for a security freeze from a consumer pursuant to subsection (A), a consumer reporting agency shall disclose to the consumer the process of placing, removing, and temporarily lifting a security freeze and the process for allowing access to information from the consumer's consumer file for a specific requester or period while the security freeze is in effect.

(C) A consumer reporting agency, not later than the tenth business day after the date the agency receives the request for a security freeze shall:

(1) send a written confirmation of the security freeze to the consumer; and

(2) provide the consumer with a unique personal identification number or password to be used by the consumer to authorize a removal or temporary lifting of the security freeze.

(D) A consumer may request in writing a replacement personal identification number or password. The request must comply with the requirements for requesting a security freeze pursuant to subsection (A). The consumer reporting agency, not later than the third business day after the date the agency receives the request for a replacement personal identification number or password, shall provide the consumer with a new unique personal identification number or password to be used by the consumer instead of the number or password that was provided earlier.

(E) If a security freeze is in place, a consumer reporting agency shall notify the consumer in writing of a change in the consumer file to the consumer's name, date of birth, social security number, or address not later than thirty calendar days after the date the change is made. The agency shall send notification of a change of address to the new address and former address. This section does not require notice of an immaterial change, including a street abbreviation change or correction of a transposition of letters or misspelling of a word.

(F) A consumer reporting agency shall notify a person who requests a consumer report if a security freeze is in effect for the consumer file involved in that report and the consumer report may not be released without express authorization by the consumer.

(G)(1) On a request by a consumer electronically, in writing, or by telephone and with proper identification provided by a consumer, including the consumer's personal identification number or password provided pursuant to subsection (C)(2), a consumer reporting agency shall remove a security freeze not later than the third business day after the date the agency receives the request at a point designated by the agency to receive the request.

(2)(a) On a request by a consumer electronically or by telephone and with proper identification provided by a consumer, including the consumer's personal identification number or password provided pursuant to subsection (C)(2), a consumer reporting agency, within fifteen minutes of receiving the request, shall lift the security freeze temporarily for a:

(i) certain properly designated period; or

(ii) certain properly identified requester.

(b) It is not a violation of this item if the consumer reporting agency is prevented from timely lifting the freeze by an act of God, a fire, a storm, an earthquake, an accident, or other event beyond the agency's control.

(H) A consumer reporting agency may develop procedures involving the use of a telephone, a facsimile machine, the Internet, or another electronic medium to receive and process a request from a consumer pursuant to this section.

(I) A consumer reporting agency shall remove a security freeze placed on a consumer file if the security freeze was placed due to a material misrepresentation of fact by the consumer. The consumer reporting agency shall notify the consumer in writing before removing the security freeze pursuant to this subsection.

(J) A consumer reporting agency may not charge a fee for a freeze, removal of a freeze, temporary lifting of a freeze, or reinstatement of a freeze.

(K) A security freeze does not apply to the use of a consumer report provided to:

(1) a state or local governmental entity, including a law enforcement agency or court or private collection agency, if the entity, agency, or court is acting pursuant to a court order, warrant, subpoena, or administrative subpoena;

(2) a child support agency acting to investigate or collect child support payments or acting pursuant to Title IV-D of the Social Security Act (42 USC Section 651 et seq.);

(3) the Department of Social Services acting to investigate fraud;

(4) the Department of Revenue acting to administer state tax laws;

(5) a local official authorized to investigate or collect delinquent amounts owed to a public entity;

(6) a person for the purposes of prescreening as provided by the Fair Credit Reporting Act (15 USC Section 1681 et seq.), as amended;

(7) a person with whom the consumer has an account or contract or to whom the consumer has issued a negotiable instrument, or the person's subsidiary, affiliate, agent, assignee, prospective assignee, subcontractor, or private collection agency, for purposes related to that account, contract, or instrument;

(8) a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted pursuant to subsection (G)(2);

(9) a person who administers a credit file monitoring subscription service to which the consumer has subscribed;

(10) a person for the purpose of providing a consumer with a copy of the consumer's report on the consumer's request;

(11) a depository financial institution for checking, savings, and investment accounts;

(12) an insurance company for the purpose of conducting its ordinary business; or

(13) a consumer reporting agency that:

(a) acts only to resell credit information by assembling and merging information contained in a database of another consumer reporting agency or multiple consumer reporting agencies; and

(b) does not maintain a permanent database of credit information from which new consumer reports are produced.

(L) The requirement of this section to place a security freeze on a consumer file does not apply to:

(1) a check service or fraud prevention service company that issues consumer reports:

(a) to prevent or investigate fraud; or

(b) for purposes of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payment;

(2) a deposit account information service company that issues consumer reports related to account closures caused by fraud, substantial overdrafts, automated teller machine abuses, or similar negative information regarding a consumer to an inquiring financial institution for use by the financial institution only in reviewing a consumer request for a deposit account with that institution; or

(3) a consumer reporting agency's database or file that consists of information concerning, and used for, one or more of the following, but not for credit granting purposes:

(a) criminal record information;

(b) fraud prevention or detection;

(c) personal loss history information; and

(d) employment, tenant, or individual background screening.

(M) A consumer reporting agency shall honor a security freeze placed on a consumer file by another consumer reporting agency.

(N) If a third party requests access to a consumer report on which a security freeze is in effect, this request is in connection with an application for credit or another use, and the consumer does not allow his credit report to be accessed, the third party may treat the application as incomplete. The presence of a security freeze on the file of a consumer must not be considered an adverse factor in the consumer's creditworthiness, credit standing, or credit capacity.

(O) The provisions of this section are cumulative, and an action taken pursuant to this section is not an election to take that action to the exclusion of other action authorized by law.

SECTION 37-20-170. Disputes as to accuracy of consumer records; penalties for wilful or negligent violations; attorney fees; civil damages and injunctive relief.

(A) If a consumer disputes the accuracy of an item in the consumer's records with a consumer reporting agency, the consumer may give notice in writing to the consumer reporting agency specifying in what manner the report is inaccurate and the consumer reporting agency shall reinvestigate the inaccuracy at no charge to the consumer, provide the consumer with sufficient evidence that the information is true and accurate information as it relates to that consumer, and record the current status of the disputed information. The consumer reporting agency shall provide forms for that notice and shall assist a consumer in preparing the notice when requested.

(B) Within thirty days after receiving a notice of inaccuracy, a consumer reporting agency shall deny or admit the inaccuracy to the consumer in writing. If the consumer reporting agency denies the inaccuracy, the consumer reporting agency shall include the following information with the written results of the reinvestigation:

(1) the basis for the denial;

(2) a copy of the consumer's file that is based on the consumer's file as revised as a result of the reinvestigation, including the business name and address of any furnisher of information who was contacted in connection with that information and, if reasonably available, the telephone number of the furnisher;

(3) a notice that, if requested by the consumer, the consumer reporting agency shall provide the consumer with a description of the procedure used by the consumer reporting agency to determine the accuracy and completeness of the information; and

(4) sufficient evidence that the information is true and accurate information as it relates to that consumer.

(C) If the consumer reporting agency admits that the item is inaccurate, it shall correct the item in its records and, on request by the consumer, it shall inform any person who within the last six months has previously received a report containing that inaccurate information.

(D) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that knowingly and wilfully violates a provision of this chapter is liable for three times the amount of actual damages or three thousand dollars for each incident, whichever is greater, as well as reasonable attorney's fees and costs.

(E) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that negligently violates this chapter is liable for the greater of actual damages or one thousand dollars for each incident, as well as reasonable attorney's fees and costs.

(F) In addition to the damages assessed pursuant to subsections (D) and (E), if the injury is to the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, employment options, or eligibility for insurance, and results from the failure to take inaccurate information off of a credit report and the failure is not corrected by the consumer credit-reporting agency within ten days after the entry of a judgment for damages, the assessed damages must be increased to one thousand dollars each day until the inaccurate information is removed from the consumer's record.

(G) A consumer seeking damages pursuant to this section also may institute a civil action to enjoin and restrain future acts constituting a violation of this chapter.

(H) The remedial provisions of this chapter are cumulative of and in addition to any other action at law and any action taken by the Department of Consumer Affairs pursuant to Chapter 6 of this title.

(I) This section is not intended, and must not be construed, to confer liability on a person who acts reasonably and who does not act wilfully or negligently.

SECTION 37-20-180. Restrictions on publication and use of social security numbers; exceptions.

(A) Except as provided in subsection (B) of this section, a person may not:

(1) publicly post or publicly display or otherwise intentionally communicate or make available to the general public a consumer's social security number or a portion of it containing six digits or more;

(2) intentionally print or imbed a consumer's social security number or any portion of it containing six digits or more on any card required for the consumer to access products or services provided by the person;

(3) require a consumer to transmit his social security number or a portion of it containing six digits or more over the Internet, unless the connection is secure or the social security number is encrypted;

(4) require a consumer to use his social security number or a portion of it containing six digits or more to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site;

(5) print a consumer's social security number or a portion of it containing six digits or more on materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed;

(6) sell, lease, loan, trade, rent, or otherwise intentionally disclose a consumer's social security number or a portion of it containing six digits or more to a third party without written consent to the disclosure from the consumer, unless the third party seeking disclosure of the social security number does so for a legitimate business or government purpose or unless authorized or specifically permitted by law to do so or unless the disclosure is otherwise imperative for the performance of the person's duties and responsibilities as prescribed by law. A legitimate business purpose of the third party includes, but is not limited to, locating an individual to provide a benefit to that individual, such as a pension, insurance, or unclaimed property benefit, or to find an individual who is missing or a lost relative, or to serve civil process. A legitimate purpose of the third party does not include the bulk purchase or rental of social security numbers or use in marketing.

(B) This section does not apply:

(1) if a social security number is included in an application or in documents related to an enrollment process, or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the social security number for the purpose of obtaining a credit report pursuant to the federal Fair Credit Reporting Act. A social security number that is permitted to be mailed pursuant to this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope or may not be visible on or through the envelope;

(2) to the collection, use, or release of a social security number for internal verification or administrative purposes;

(3) to the opening of an account or the provision of or payment for a product or service authorized by a consumer;

(4) to the collection, use, or release of a social security number to investigate or prevent fraud, conduct background checks, conduct social or scientific research, collect a debt, including a debt collected pursuant to the Setoff Debt Collection Act, Section 12-56-10, and the Governmental Enterprise Accounts Receivable Collections program, Section 12-4-580, or obtain a credit report from or furnish data to a consumer reporting agency, pursuant to the federal Fair Credit Reporting Act or to undertake a purpose permissible pursuant to the Gramm-Leach-Bliley Act or Driver's Privacy Protection Act;

(5) to a person acting pursuant to a court order, warrant, subpoena, or other legal process;

(6) to a person providing the social security number to a federal, state, or local government entity, including a law enforcement agency or court, or their agents or assigns;

(7) to a financial institution as defined in the Gramm-Leach-Bliley Act;

(8) to the submission and use of a social security number or other personal identifying information as part of the maintenance and reporting of employment records, employment verification, or in the course of the administration or provision of employee benefits programs, claims, and procedures related to employment including, but not limited to, termination from employment, retirement from employment, injuries suffered during the course of employment, and other such claims, benefits, and procedures;

(9) to a recorded document in the official records of a county; or

(10) to a document filed in the official records of the court.

SECTION 37-20-190. Requirements for disposition of business records; exceptions.

(A) When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.

(B) A business is considered to comply with subsection (A) if it contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with subsection (A).

(C) This section does not apply to:

(1) a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act;

(2) a health insurer that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996; or

(3) a consumer credit-reporting agency that is subject to and in compliance with the federal Fair Credit Reporting Act.

SECTION 37-20-200. Penalties imposed on consumer credit-reporting agencies for violation of chapter.

(A) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that wilfully violates a provision of this chapter is liable for three times the amount of actual damages or not more than one thousand dollars for each incident, whichever is greater, as well as reasonable attorney's fees and costs.

(B) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that negligently violates this chapter is liable for actual damages and reasonable attorney's fees and costs.

(C) In addition to the damages assessed pursuant to subsections (A) and (B), if the injury is to the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, employment options, or eligibility for insurance, and results from the failure to place and enforce the security freeze provided for in Section 37-20-160 and the failure is not corrected by the consumer credit-reporting agency within ten days after the entry of a judgment for damages, the assessed damages must be increased to not more than one thousand dollars each day until the security freeze is imposed.

(D) A consumer seeking damages pursuant to this section also may institute a civil action to enjoin and restrain future acts constituting a violation of this chapter.

(E) The remedial provisions of this chapter are cumulative of and in addition to any other action at law and any action taken by the Department of Consumer Affairs pursuant to Chapter 6 of this title.

(F) This section is not intended, and must not be construed, to confer liability on a person who acts reasonably and who does not act wilfully or grossly negligent.

(G) Damages provided by this section do not apply to Section 37-20-170.



State Codes and Statutes

Statutes > South-carolina > Title-37 > Chapter-20

Title 37 - Consumer Protection Code

CHAPTER 20.

CONSUMER IDENTITY THEFT PROTECTION

SECTION 37-20-110. Definitions.

For purposes of this chapter:

(1) "Consumer" means an individual residing in the State of South Carolina who undertakes a transaction for personal, family, or household purposes.

(2) "Consumer credit-reporting agency" or "consumer reporting agency" means a person that, for monetary fees or dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information about consumers for the purpose of furnishing consumer reports to third parties.

(3) "Consumer report" or "credit report" means any written, oral, electronic, or other communication of information by a consumer credit-reporting agency regarding a consumer's creditworthiness, credit standing, credit capacity, character, debts, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected in whole or in part for the purpose of establishing a consumer's eligibility for any of the following:

(a) credit or insurance to be used primarily for personal, family, or household purposes;

(b) employment purposes, meaning the use of a consumer report for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee; or

(c) any other purpose authorized pursuant to 15 USC Section 168lb.

"Consumer report" or "credit report" does not include a report containing information as to a transaction between the consumer and the person making the report; an authorization or approval by the issuer of a credit card or similar device, directly or indirectly, of a specific extension of credit; a communication of information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among those persons and the consumer has the opportunity, to direct that the information not be communicated among them, or a report in which a person conveys an adverse decision in response to a request from a third party to make a specific extension of credit, directly or indirectly, to the consumer, if the third party advises the consumer of the name and address of the person to whom the request was made and the person makes the required disclosures to the consumer pursuant to the provisions of the federal "Fair Credit Reporting Act".

(4) "Credit card" has the same meaning as in Section 103 of the Truth in Lending Act, 15 USC Section 160 and includes a lender credit card, as defined in Section 37-1-301(16) and a seller credit card, as defined in Section 37-1-301(26).

(5) "Creditworthiness" means an entry in a consumer's credit file that affects the ability of a consumer to obtain and retain credit, employment, business or professional licenses, investment opportunities, or insurance. Entries affecting creditworthiness include, but are not limited to, payment information, defaults, judgments, liens, bankruptcies, collections, records of arrest and indictments, and multiple credit inquiries.

(6) "Debit card" means a card or device issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account holding assets of the consumer at that financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services.

(7) "Disposal" means the:

(a) discarding or abandonment of records containing personal identifying information; or

(b) sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal identifying information, other nonpaper media upon which records of personal identifying information are stored, or other equipment for nonpaper storage of information.

(8) "File" means all information on a consumer that is recorded and retained by a consumer credit-reporting agency, regardless of how the information is stored.

(9) "Financial identity fraud" and "identity fraud" are as defined in Section 16-13-510 and include the term "identity theft".

(10) "Person" means a natural person, an individual, or an organization as defined in Section 37-1-301(20).

(11)(a) For purposes of this chapter, "personal identifying information" means personal identifying information as defined in Section 16-13-510(D).

(b) "Personal identifying information" does not mean information about vehicular accidents, driving violations, and driver's status.

(12) "Proper identification" means information generally considered sufficient to identify a person. If a person is reasonably unable to identify himself or herself with the information described in item (11), a consumer reporting agency may require additional information concerning the consumer's employment and personal or family history in order to verify the consumer's identity.

(13) "Publicly post" or "publicly display" means to exhibit in a place of public view.

(14) "Records" means material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.

(15) "Security breach" means an incident of unauthorized access to and acquisition of records or data that was not rendered unusable through encryption, redaction, or other methods containing personal identifying information that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the consumer. Good faith acquisition of personal identifying information by an employee or agent of the person for a legitimate purpose is not a security breach, if the personal identifying information is not used for a purpose other than a lawful purpose of the person and is not subject to further unauthorized disclosure.

(16) "Security freeze" means a notice placed in a consumer credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer credit-reporting agency from releasing a credit report containing all or any part of the consumer's credit report or any information derived from it without the express authorization of the consumer.

SECTION 37-20-120. Verification of addresses.

(A) A consumer credit-reporting agency must give notice to each creditor who uses a consumer report if the agency becomes aware that an application to a card issuer to open a new seller or lender credit card account bears an address for the consumer that is different from the address in its file of the consumer.

(B) A seller or lender credit card issuer that mails an offer or solicitation to receive a credit card and, in response, receives a completed application for a seller or lender credit card listing an address that is substantially different from the address on the offer or solicitation shall verify the change of address by contacting the person to whom the solicitation or offer was mailed, or by using other reasonable means of verifying the account holder's identity.

(C) When a seller or lender credit card issuer receives a written or oral request for a change of the cardholder's billing address and within a period not to exceed thirty days after the requested address change receives a written or oral request for an additional credit card, the credit card issuer may not mail the requested additional credit card to the new address or activate the requested additional credit card unless the issuer has verified the change of address.

(D) This section does not apply to a person that sends or receives address discrepancy notices in compliance with 15 USC 1681c(h) or regulations promulgated pursuant to it.

SECTION 37-20-130. Initiating law enforcement investigation of identity theft.

A person who learns or reasonably suspects that he is the victim of identity theft may initiate a law enforcement investigation by reporting to a local law enforcement agency that has jurisdiction over his actual legal residence. The law enforcement agency shall take the report, provide the complainant with a copy of the report, and begin an investigation or refer the matter to the law enforcement agency where the crime was committed for an investigation.

SECTION 37-20-140. Reflection of innocence of identity theft victim of crime committed using name in court records of person convicted of committing identity theft; petition for expedited judicial determination of factual innocence.

(A) If a person is convicted of unlawfully obtaining the personal identifying information of another person without the other person's authorization and using that information to commit a crime, the court records must reflect that the person whose identity was falsely used to commit the crime did not commit the crime.

(B) A person who reasonably believes that he is the victim of identity theft may petition the circuit court or have the County Office of Victims' Assistance petition the circuit court on his behalf, for an expedited judicial determination of his factual innocence, if the identity thief was arrested for and convicted of a crime under the victim's identity, or if the victim's identity has been mistakenly associated with a record of criminal conviction. A judicial determination of factual innocence made pursuant to this section may be heard and determined upon declarations, affidavits, police reports, or other material, relevant, and reliable information submitted by the parties. If the court determines that the petition is meritorious and that there is no reasonable cause to believe that the petitioner committed the offense for which the identity thief was arrested and convicted, the court shall find the petitioner factually innocent of that offense and issue an order certifying the determination and ordering the expunction of the erroneous conviction.

(C) A court may at any time vacate the determination of factual innocence if information submitted in support of the petition is found to contain material misrepresentation or fraud.

SECTION 37-20-150. Records of individuals who have been victims of identity theft to be maintained by State Law Enforcement Division; submission of fingerprints and other required information by victims.

(A) The State Law Enforcement Division shall establish and maintain appropriate records of individuals who have been the victims of identity theft. The records will be maintained in a computerized database at such time that funds are appropriated to the State Law Enforcement Division. Access to the records is limited to criminal justice agencies, except that a victim of identity theft, or his authorized representative, shall have access to the records in order to establish that he is a victim of identity theft.

(B) A victim of identity theft must submit to the State Law Enforcement Division a copy of the police report, a full set of fingerprints, or other relevant information required by the State Law Enforcement Division for the inclusion in the records of identity theft victims. The State Law Enforcement Division shall verify the identity of the victim against a driver's license or other identification records maintained by the Department of Motor Vehicles or by other agencies.

SECTION 37-20-160. Security freezes on consumer files; request for replacement personal identification number or password; consumer reporting agency duties and responsibilities; exceptions.

(A) On written request sent by certified mail or electronic mail that includes proper identification provided by a consumer, the consumer's attorney-in-fact, or the consumer's legal guardian, if the consumer has not been a victim of identity theft or if the consumer has reason to believe that he is the victim of financial identity fraud, as evidenced by a copy of a valid police report, investigative report, or complaint made pursuant to Section 16-13-510, a consumer reporting agency shall place a security freeze on the consumer's consumer file not later than the fifth business day after the date the agency receives the request.

(B) On written request for a security freeze from a consumer pursuant to subsection (A), a consumer reporting agency shall disclose to the consumer the process of placing, removing, and temporarily lifting a security freeze and the process for allowing access to information from the consumer's consumer file for a specific requester or period while the security freeze is in effect.

(C) A consumer reporting agency, not later than the tenth business day after the date the agency receives the request for a security freeze shall:

(1) send a written confirmation of the security freeze to the consumer; and

(2) provide the consumer with a unique personal identification number or password to be used by the consumer to authorize a removal or temporary lifting of the security freeze.

(D) A consumer may request in writing a replacement personal identification number or password. The request must comply with the requirements for requesting a security freeze pursuant to subsection (A). The consumer reporting agency, not later than the third business day after the date the agency receives the request for a replacement personal identification number or password, shall provide the consumer with a new unique personal identification number or password to be used by the consumer instead of the number or password that was provided earlier.

(E) If a security freeze is in place, a consumer reporting agency shall notify the consumer in writing of a change in the consumer file to the consumer's name, date of birth, social security number, or address not later than thirty calendar days after the date the change is made. The agency shall send notification of a change of address to the new address and former address. This section does not require notice of an immaterial change, including a street abbreviation change or correction of a transposition of letters or misspelling of a word.

(F) A consumer reporting agency shall notify a person who requests a consumer report if a security freeze is in effect for the consumer file involved in that report and the consumer report may not be released without express authorization by the consumer.

(G)(1) On a request by a consumer electronically, in writing, or by telephone and with proper identification provided by a consumer, including the consumer's personal identification number or password provided pursuant to subsection (C)(2), a consumer reporting agency shall remove a security freeze not later than the third business day after the date the agency receives the request at a point designated by the agency to receive the request.

(2)(a) On a request by a consumer electronically or by telephone and with proper identification provided by a consumer, including the consumer's personal identification number or password provided pursuant to subsection (C)(2), a consumer reporting agency, within fifteen minutes of receiving the request, shall lift the security freeze temporarily for a:

(i) certain properly designated period; or

(ii) certain properly identified requester.

(b) It is not a violation of this item if the consumer reporting agency is prevented from timely lifting the freeze by an act of God, a fire, a storm, an earthquake, an accident, or other event beyond the agency's control.

(H) A consumer reporting agency may develop procedures involving the use of a telephone, a facsimile machine, the Internet, or another electronic medium to receive and process a request from a consumer pursuant to this section.

(I) A consumer reporting agency shall remove a security freeze placed on a consumer file if the security freeze was placed due to a material misrepresentation of fact by the consumer. The consumer reporting agency shall notify the consumer in writing before removing the security freeze pursuant to this subsection.

(J) A consumer reporting agency may not charge a fee for a freeze, removal of a freeze, temporary lifting of a freeze, or reinstatement of a freeze.

(K) A security freeze does not apply to the use of a consumer report provided to:

(1) a state or local governmental entity, including a law enforcement agency or court or private collection agency, if the entity, agency, or court is acting pursuant to a court order, warrant, subpoena, or administrative subpoena;

(2) a child support agency acting to investigate or collect child support payments or acting pursuant to Title IV-D of the Social Security Act (42 USC Section 651 et seq.);

(3) the Department of Social Services acting to investigate fraud;

(4) the Department of Revenue acting to administer state tax laws;

(5) a local official authorized to investigate or collect delinquent amounts owed to a public entity;

(6) a person for the purposes of prescreening as provided by the Fair Credit Reporting Act (15 USC Section 1681 et seq.), as amended;

(7) a person with whom the consumer has an account or contract or to whom the consumer has issued a negotiable instrument, or the person's subsidiary, affiliate, agent, assignee, prospective assignee, subcontractor, or private collection agency, for purposes related to that account, contract, or instrument;

(8) a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted pursuant to subsection (G)(2);

(9) a person who administers a credit file monitoring subscription service to which the consumer has subscribed;

(10) a person for the purpose of providing a consumer with a copy of the consumer's report on the consumer's request;

(11) a depository financial institution for checking, savings, and investment accounts;

(12) an insurance company for the purpose of conducting its ordinary business; or

(13) a consumer reporting agency that:

(a) acts only to resell credit information by assembling and merging information contained in a database of another consumer reporting agency or multiple consumer reporting agencies; and

(b) does not maintain a permanent database of credit information from which new consumer reports are produced.

(L) The requirement of this section to place a security freeze on a consumer file does not apply to:

(1) a check service or fraud prevention service company that issues consumer reports:

(a) to prevent or investigate fraud; or

(b) for purposes of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payment;

(2) a deposit account information service company that issues consumer reports related to account closures caused by fraud, substantial overdrafts, automated teller machine abuses, or similar negative information regarding a consumer to an inquiring financial institution for use by the financial institution only in reviewing a consumer request for a deposit account with that institution; or

(3) a consumer reporting agency's database or file that consists of information concerning, and used for, one or more of the following, but not for credit granting purposes:

(a) criminal record information;

(b) fraud prevention or detection;

(c) personal loss history information; and

(d) employment, tenant, or individual background screening.

(M) A consumer reporting agency shall honor a security freeze placed on a consumer file by another consumer reporting agency.

(N) If a third party requests access to a consumer report on which a security freeze is in effect, this request is in connection with an application for credit or another use, and the consumer does not allow his credit report to be accessed, the third party may treat the application as incomplete. The presence of a security freeze on the file of a consumer must not be considered an adverse factor in the consumer's creditworthiness, credit standing, or credit capacity.

(O) The provisions of this section are cumulative, and an action taken pursuant to this section is not an election to take that action to the exclusion of other action authorized by law.

SECTION 37-20-170. Disputes as to accuracy of consumer records; penalties for wilful or negligent violations; attorney fees; civil damages and injunctive relief.

(A) If a consumer disputes the accuracy of an item in the consumer's records with a consumer reporting agency, the consumer may give notice in writing to the consumer reporting agency specifying in what manner the report is inaccurate and the consumer reporting agency shall reinvestigate the inaccuracy at no charge to the consumer, provide the consumer with sufficient evidence that the information is true and accurate information as it relates to that consumer, and record the current status of the disputed information. The consumer reporting agency shall provide forms for that notice and shall assist a consumer in preparing the notice when requested.

(B) Within thirty days after receiving a notice of inaccuracy, a consumer reporting agency shall deny or admit the inaccuracy to the consumer in writing. If the consumer reporting agency denies the inaccuracy, the consumer reporting agency shall include the following information with the written results of the reinvestigation:

(1) the basis for the denial;

(2) a copy of the consumer's file that is based on the consumer's file as revised as a result of the reinvestigation, including the business name and address of any furnisher of information who was contacted in connection with that information and, if reasonably available, the telephone number of the furnisher;

(3) a notice that, if requested by the consumer, the consumer reporting agency shall provide the consumer with a description of the procedure used by the consumer reporting agency to determine the accuracy and completeness of the information; and

(4) sufficient evidence that the information is true and accurate information as it relates to that consumer.

(C) If the consumer reporting agency admits that the item is inaccurate, it shall correct the item in its records and, on request by the consumer, it shall inform any person who within the last six months has previously received a report containing that inaccurate information.

(D) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that knowingly and wilfully violates a provision of this chapter is liable for three times the amount of actual damages or three thousand dollars for each incident, whichever is greater, as well as reasonable attorney's fees and costs.

(E) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that negligently violates this chapter is liable for the greater of actual damages or one thousand dollars for each incident, as well as reasonable attorney's fees and costs.

(F) In addition to the damages assessed pursuant to subsections (D) and (E), if the injury is to the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, employment options, or eligibility for insurance, and results from the failure to take inaccurate information off of a credit report and the failure is not corrected by the consumer credit-reporting agency within ten days after the entry of a judgment for damages, the assessed damages must be increased to one thousand dollars each day until the inaccurate information is removed from the consumer's record.

(G) A consumer seeking damages pursuant to this section also may institute a civil action to enjoin and restrain future acts constituting a violation of this chapter.

(H) The remedial provisions of this chapter are cumulative of and in addition to any other action at law and any action taken by the Department of Consumer Affairs pursuant to Chapter 6 of this title.

(I) This section is not intended, and must not be construed, to confer liability on a person who acts reasonably and who does not act wilfully or negligently.

SECTION 37-20-180. Restrictions on publication and use of social security numbers; exceptions.

(A) Except as provided in subsection (B) of this section, a person may not:

(1) publicly post or publicly display or otherwise intentionally communicate or make available to the general public a consumer's social security number or a portion of it containing six digits or more;

(2) intentionally print or imbed a consumer's social security number or any portion of it containing six digits or more on any card required for the consumer to access products or services provided by the person;

(3) require a consumer to transmit his social security number or a portion of it containing six digits or more over the Internet, unless the connection is secure or the social security number is encrypted;

(4) require a consumer to use his social security number or a portion of it containing six digits or more to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site;

(5) print a consumer's social security number or a portion of it containing six digits or more on materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed;

(6) sell, lease, loan, trade, rent, or otherwise intentionally disclose a consumer's social security number or a portion of it containing six digits or more to a third party without written consent to the disclosure from the consumer, unless the third party seeking disclosure of the social security number does so for a legitimate business or government purpose or unless authorized or specifically permitted by law to do so or unless the disclosure is otherwise imperative for the performance of the person's duties and responsibilities as prescribed by law. A legitimate business purpose of the third party includes, but is not limited to, locating an individual to provide a benefit to that individual, such as a pension, insurance, or unclaimed property benefit, or to find an individual who is missing or a lost relative, or to serve civil process. A legitimate purpose of the third party does not include the bulk purchase or rental of social security numbers or use in marketing.

(B) This section does not apply:

(1) if a social security number is included in an application or in documents related to an enrollment process, or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the social security number for the purpose of obtaining a credit report pursuant to the federal Fair Credit Reporting Act. A social security number that is permitted to be mailed pursuant to this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope or may not be visible on or through the envelope;

(2) to the collection, use, or release of a social security number for internal verification or administrative purposes;

(3) to the opening of an account or the provision of or payment for a product or service authorized by a consumer;

(4) to the collection, use, or release of a social security number to investigate or prevent fraud, conduct background checks, conduct social or scientific research, collect a debt, including a debt collected pursuant to the Setoff Debt Collection Act, Section 12-56-10, and the Governmental Enterprise Accounts Receivable Collections program, Section 12-4-580, or obtain a credit report from or furnish data to a consumer reporting agency, pursuant to the federal Fair Credit Reporting Act or to undertake a purpose permissible pursuant to the Gramm-Leach-Bliley Act or Driver's Privacy Protection Act;

(5) to a person acting pursuant to a court order, warrant, subpoena, or other legal process;

(6) to a person providing the social security number to a federal, state, or local government entity, including a law enforcement agency or court, or their agents or assigns;

(7) to a financial institution as defined in the Gramm-Leach-Bliley Act;

(8) to the submission and use of a social security number or other personal identifying information as part of the maintenance and reporting of employment records, employment verification, or in the course of the administration or provision of employee benefits programs, claims, and procedures related to employment including, but not limited to, termination from employment, retirement from employment, injuries suffered during the course of employment, and other such claims, benefits, and procedures;

(9) to a recorded document in the official records of a county; or

(10) to a document filed in the official records of the court.

SECTION 37-20-190. Requirements for disposition of business records; exceptions.

(A) When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.

(B) A business is considered to comply with subsection (A) if it contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with subsection (A).

(C) This section does not apply to:

(1) a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act;

(2) a health insurer that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996; or

(3) a consumer credit-reporting agency that is subject to and in compliance with the federal Fair Credit Reporting Act.

SECTION 37-20-200. Penalties imposed on consumer credit-reporting agencies for violation of chapter.

(A) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that wilfully violates a provision of this chapter is liable for three times the amount of actual damages or not more than one thousand dollars for each incident, whichever is greater, as well as reasonable attorney's fees and costs.

(B) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that negligently violates this chapter is liable for actual damages and reasonable attorney's fees and costs.

(C) In addition to the damages assessed pursuant to subsections (A) and (B), if the injury is to the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, employment options, or eligibility for insurance, and results from the failure to place and enforce the security freeze provided for in Section 37-20-160 and the failure is not corrected by the consumer credit-reporting agency within ten days after the entry of a judgment for damages, the assessed damages must be increased to not more than one thousand dollars each day until the security freeze is imposed.

(D) A consumer seeking damages pursuant to this section also may institute a civil action to enjoin and restrain future acts constituting a violation of this chapter.

(E) The remedial provisions of this chapter are cumulative of and in addition to any other action at law and any action taken by the Department of Consumer Affairs pursuant to Chapter 6 of this title.

(F) This section is not intended, and must not be construed, to confer liability on a person who acts reasonably and who does not act wilfully or grossly negligent.

(G) Damages provided by this section do not apply to Section 37-20-170.




State Codes and Statutes

State Codes and Statutes

Statutes > South-carolina > Title-37 > Chapter-20

Title 37 - Consumer Protection Code

CHAPTER 20.

CONSUMER IDENTITY THEFT PROTECTION

SECTION 37-20-110. Definitions.

For purposes of this chapter:

(1) "Consumer" means an individual residing in the State of South Carolina who undertakes a transaction for personal, family, or household purposes.

(2) "Consumer credit-reporting agency" or "consumer reporting agency" means a person that, for monetary fees or dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information about consumers for the purpose of furnishing consumer reports to third parties.

(3) "Consumer report" or "credit report" means any written, oral, electronic, or other communication of information by a consumer credit-reporting agency regarding a consumer's creditworthiness, credit standing, credit capacity, character, debts, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected in whole or in part for the purpose of establishing a consumer's eligibility for any of the following:

(a) credit or insurance to be used primarily for personal, family, or household purposes;

(b) employment purposes, meaning the use of a consumer report for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee; or

(c) any other purpose authorized pursuant to 15 USC Section 168lb.

"Consumer report" or "credit report" does not include a report containing information as to a transaction between the consumer and the person making the report; an authorization or approval by the issuer of a credit card or similar device, directly or indirectly, of a specific extension of credit; a communication of information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among those persons and the consumer has the opportunity, to direct that the information not be communicated among them, or a report in which a person conveys an adverse decision in response to a request from a third party to make a specific extension of credit, directly or indirectly, to the consumer, if the third party advises the consumer of the name and address of the person to whom the request was made and the person makes the required disclosures to the consumer pursuant to the provisions of the federal "Fair Credit Reporting Act".

(4) "Credit card" has the same meaning as in Section 103 of the Truth in Lending Act, 15 USC Section 160 and includes a lender credit card, as defined in Section 37-1-301(16) and a seller credit card, as defined in Section 37-1-301(26).

(5) "Creditworthiness" means an entry in a consumer's credit file that affects the ability of a consumer to obtain and retain credit, employment, business or professional licenses, investment opportunities, or insurance. Entries affecting creditworthiness include, but are not limited to, payment information, defaults, judgments, liens, bankruptcies, collections, records of arrest and indictments, and multiple credit inquiries.

(6) "Debit card" means a card or device issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account holding assets of the consumer at that financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services.

(7) "Disposal" means the:

(a) discarding or abandonment of records containing personal identifying information; or

(b) sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal identifying information, other nonpaper media upon which records of personal identifying information are stored, or other equipment for nonpaper storage of information.

(8) "File" means all information on a consumer that is recorded and retained by a consumer credit-reporting agency, regardless of how the information is stored.

(9) "Financial identity fraud" and "identity fraud" are as defined in Section 16-13-510 and include the term "identity theft".

(10) "Person" means a natural person, an individual, or an organization as defined in Section 37-1-301(20).

(11)(a) For purposes of this chapter, "personal identifying information" means personal identifying information as defined in Section 16-13-510(D).

(b) "Personal identifying information" does not mean information about vehicular accidents, driving violations, and driver's status.

(12) "Proper identification" means information generally considered sufficient to identify a person. If a person is reasonably unable to identify himself or herself with the information described in item (11), a consumer reporting agency may require additional information concerning the consumer's employment and personal or family history in order to verify the consumer's identity.

(13) "Publicly post" or "publicly display" means to exhibit in a place of public view.

(14) "Records" means material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.

(15) "Security breach" means an incident of unauthorized access to and acquisition of records or data that was not rendered unusable through encryption, redaction, or other methods containing personal identifying information that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the consumer. Good faith acquisition of personal identifying information by an employee or agent of the person for a legitimate purpose is not a security breach, if the personal identifying information is not used for a purpose other than a lawful purpose of the person and is not subject to further unauthorized disclosure.

(16) "Security freeze" means a notice placed in a consumer credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer credit-reporting agency from releasing a credit report containing all or any part of the consumer's credit report or any information derived from it without the express authorization of the consumer.

SECTION 37-20-120. Verification of addresses.

(A) A consumer credit-reporting agency must give notice to each creditor who uses a consumer report if the agency becomes aware that an application to a card issuer to open a new seller or lender credit card account bears an address for the consumer that is different from the address in its file of the consumer.

(B) A seller or lender credit card issuer that mails an offer or solicitation to receive a credit card and, in response, receives a completed application for a seller or lender credit card listing an address that is substantially different from the address on the offer or solicitation shall verify the change of address by contacting the person to whom the solicitation or offer was mailed, or by using other reasonable means of verifying the account holder's identity.

(C) When a seller or lender credit card issuer receives a written or oral request for a change of the cardholder's billing address and within a period not to exceed thirty days after the requested address change receives a written or oral request for an additional credit card, the credit card issuer may not mail the requested additional credit card to the new address or activate the requested additional credit card unless the issuer has verified the change of address.

(D) This section does not apply to a person that sends or receives address discrepancy notices in compliance with 15 USC 1681c(h) or regulations promulgated pursuant to it.

SECTION 37-20-130. Initiating law enforcement investigation of identity theft.

A person who learns or reasonably suspects that he is the victim of identity theft may initiate a law enforcement investigation by reporting to a local law enforcement agency that has jurisdiction over his actual legal residence. The law enforcement agency shall take the report, provide the complainant with a copy of the report, and begin an investigation or refer the matter to the law enforcement agency where the crime was committed for an investigation.

SECTION 37-20-140. Reflection of innocence of identity theft victim of crime committed using name in court records of person convicted of committing identity theft; petition for expedited judicial determination of factual innocence.

(A) If a person is convicted of unlawfully obtaining the personal identifying information of another person without the other person's authorization and using that information to commit a crime, the court records must reflect that the person whose identity was falsely used to commit the crime did not commit the crime.

(B) A person who reasonably believes that he is the victim of identity theft may petition the circuit court or have the County Office of Victims' Assistance petition the circuit court on his behalf, for an expedited judicial determination of his factual innocence, if the identity thief was arrested for and convicted of a crime under the victim's identity, or if the victim's identity has been mistakenly associated with a record of criminal conviction. A judicial determination of factual innocence made pursuant to this section may be heard and determined upon declarations, affidavits, police reports, or other material, relevant, and reliable information submitted by the parties. If the court determines that the petition is meritorious and that there is no reasonable cause to believe that the petitioner committed the offense for which the identity thief was arrested and convicted, the court shall find the petitioner factually innocent of that offense and issue an order certifying the determination and ordering the expunction of the erroneous conviction.

(C) A court may at any time vacate the determination of factual innocence if information submitted in support of the petition is found to contain material misrepresentation or fraud.

SECTION 37-20-150. Records of individuals who have been victims of identity theft to be maintained by State Law Enforcement Division; submission of fingerprints and other required information by victims.

(A) The State Law Enforcement Division shall establish and maintain appropriate records of individuals who have been the victims of identity theft. The records will be maintained in a computerized database at such time that funds are appropriated to the State Law Enforcement Division. Access to the records is limited to criminal justice agencies, except that a victim of identity theft, or his authorized representative, shall have access to the records in order to establish that he is a victim of identity theft.

(B) A victim of identity theft must submit to the State Law Enforcement Division a copy of the police report, a full set of fingerprints, or other relevant information required by the State Law Enforcement Division for the inclusion in the records of identity theft victims. The State Law Enforcement Division shall verify the identity of the victim against a driver's license or other identification records maintained by the Department of Motor Vehicles or by other agencies.

SECTION 37-20-160. Security freezes on consumer files; request for replacement personal identification number or password; consumer reporting agency duties and responsibilities; exceptions.

(A) On written request sent by certified mail or electronic mail that includes proper identification provided by a consumer, the consumer's attorney-in-fact, or the consumer's legal guardian, if the consumer has not been a victim of identity theft or if the consumer has reason to believe that he is the victim of financial identity fraud, as evidenced by a copy of a valid police report, investigative report, or complaint made pursuant to Section 16-13-510, a consumer reporting agency shall place a security freeze on the consumer's consumer file not later than the fifth business day after the date the agency receives the request.

(B) On written request for a security freeze from a consumer pursuant to subsection (A), a consumer reporting agency shall disclose to the consumer the process of placing, removing, and temporarily lifting a security freeze and the process for allowing access to information from the consumer's consumer file for a specific requester or period while the security freeze is in effect.

(C) A consumer reporting agency, not later than the tenth business day after the date the agency receives the request for a security freeze shall:

(1) send a written confirmation of the security freeze to the consumer; and

(2) provide the consumer with a unique personal identification number or password to be used by the consumer to authorize a removal or temporary lifting of the security freeze.

(D) A consumer may request in writing a replacement personal identification number or password. The request must comply with the requirements for requesting a security freeze pursuant to subsection (A). The consumer reporting agency, not later than the third business day after the date the agency receives the request for a replacement personal identification number or password, shall provide the consumer with a new unique personal identification number or password to be used by the consumer instead of the number or password that was provided earlier.

(E) If a security freeze is in place, a consumer reporting agency shall notify the consumer in writing of a change in the consumer file to the consumer's name, date of birth, social security number, or address not later than thirty calendar days after the date the change is made. The agency shall send notification of a change of address to the new address and former address. This section does not require notice of an immaterial change, including a street abbreviation change or correction of a transposition of letters or misspelling of a word.

(F) A consumer reporting agency shall notify a person who requests a consumer report if a security freeze is in effect for the consumer file involved in that report and the consumer report may not be released without express authorization by the consumer.

(G)(1) On a request by a consumer electronically, in writing, or by telephone and with proper identification provided by a consumer, including the consumer's personal identification number or password provided pursuant to subsection (C)(2), a consumer reporting agency shall remove a security freeze not later than the third business day after the date the agency receives the request at a point designated by the agency to receive the request.

(2)(a) On a request by a consumer electronically or by telephone and with proper identification provided by a consumer, including the consumer's personal identification number or password provided pursuant to subsection (C)(2), a consumer reporting agency, within fifteen minutes of receiving the request, shall lift the security freeze temporarily for a:

(i) certain properly designated period; or

(ii) certain properly identified requester.

(b) It is not a violation of this item if the consumer reporting agency is prevented from timely lifting the freeze by an act of God, a fire, a storm, an earthquake, an accident, or other event beyond the agency's control.

(H) A consumer reporting agency may develop procedures involving the use of a telephone, a facsimile machine, the Internet, or another electronic medium to receive and process a request from a consumer pursuant to this section.

(I) A consumer reporting agency shall remove a security freeze placed on a consumer file if the security freeze was placed due to a material misrepresentation of fact by the consumer. The consumer reporting agency shall notify the consumer in writing before removing the security freeze pursuant to this subsection.

(J) A consumer reporting agency may not charge a fee for a freeze, removal of a freeze, temporary lifting of a freeze, or reinstatement of a freeze.

(K) A security freeze does not apply to the use of a consumer report provided to:

(1) a state or local governmental entity, including a law enforcement agency or court or private collection agency, if the entity, agency, or court is acting pursuant to a court order, warrant, subpoena, or administrative subpoena;

(2) a child support agency acting to investigate or collect child support payments or acting pursuant to Title IV-D of the Social Security Act (42 USC Section 651 et seq.);

(3) the Department of Social Services acting to investigate fraud;

(4) the Department of Revenue acting to administer state tax laws;

(5) a local official authorized to investigate or collect delinquent amounts owed to a public entity;

(6) a person for the purposes of prescreening as provided by the Fair Credit Reporting Act (15 USC Section 1681 et seq.), as amended;

(7) a person with whom the consumer has an account or contract or to whom the consumer has issued a negotiable instrument, or the person's subsidiary, affiliate, agent, assignee, prospective assignee, subcontractor, or private collection agency, for purposes related to that account, contract, or instrument;

(8) a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted pursuant to subsection (G)(2);

(9) a person who administers a credit file monitoring subscription service to which the consumer has subscribed;

(10) a person for the purpose of providing a consumer with a copy of the consumer's report on the consumer's request;

(11) a depository financial institution for checking, savings, and investment accounts;

(12) an insurance company for the purpose of conducting its ordinary business; or

(13) a consumer reporting agency that:

(a) acts only to resell credit information by assembling and merging information contained in a database of another consumer reporting agency or multiple consumer reporting agencies; and

(b) does not maintain a permanent database of credit information from which new consumer reports are produced.

(L) The requirement of this section to place a security freeze on a consumer file does not apply to:

(1) a check service or fraud prevention service company that issues consumer reports:

(a) to prevent or investigate fraud; or

(b) for purposes of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payment;

(2) a deposit account information service company that issues consumer reports related to account closures caused by fraud, substantial overdrafts, automated teller machine abuses, or similar negative information regarding a consumer to an inquiring financial institution for use by the financial institution only in reviewing a consumer request for a deposit account with that institution; or

(3) a consumer reporting agency's database or file that consists of information concerning, and used for, one or more of the following, but not for credit granting purposes:

(a) criminal record information;

(b) fraud prevention or detection;

(c) personal loss history information; and

(d) employment, tenant, or individual background screening.

(M) A consumer reporting agency shall honor a security freeze placed on a consumer file by another consumer reporting agency.

(N) If a third party requests access to a consumer report on which a security freeze is in effect, this request is in connection with an application for credit or another use, and the consumer does not allow his credit report to be accessed, the third party may treat the application as incomplete. The presence of a security freeze on the file of a consumer must not be considered an adverse factor in the consumer's creditworthiness, credit standing, or credit capacity.

(O) The provisions of this section are cumulative, and an action taken pursuant to this section is not an election to take that action to the exclusion of other action authorized by law.

SECTION 37-20-170. Disputes as to accuracy of consumer records; penalties for wilful or negligent violations; attorney fees; civil damages and injunctive relief.

(A) If a consumer disputes the accuracy of an item in the consumer's records with a consumer reporting agency, the consumer may give notice in writing to the consumer reporting agency specifying in what manner the report is inaccurate and the consumer reporting agency shall reinvestigate the inaccuracy at no charge to the consumer, provide the consumer with sufficient evidence that the information is true and accurate information as it relates to that consumer, and record the current status of the disputed information. The consumer reporting agency shall provide forms for that notice and shall assist a consumer in preparing the notice when requested.

(B) Within thirty days after receiving a notice of inaccuracy, a consumer reporting agency shall deny or admit the inaccuracy to the consumer in writing. If the consumer reporting agency denies the inaccuracy, the consumer reporting agency shall include the following information with the written results of the reinvestigation:

(1) the basis for the denial;

(2) a copy of the consumer's file that is based on the consumer's file as revised as a result of the reinvestigation, including the business name and address of any furnisher of information who was contacted in connection with that information and, if reasonably available, the telephone number of the furnisher;

(3) a notice that, if requested by the consumer, the consumer reporting agency shall provide the consumer with a description of the procedure used by the consumer reporting agency to determine the accuracy and completeness of the information; and

(4) sufficient evidence that the information is true and accurate information as it relates to that consumer.

(C) If the consumer reporting agency admits that the item is inaccurate, it shall correct the item in its records and, on request by the consumer, it shall inform any person who within the last six months has previously received a report containing that inaccurate information.

(D) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that knowingly and wilfully violates a provision of this chapter is liable for three times the amount of actual damages or three thousand dollars for each incident, whichever is greater, as well as reasonable attorney's fees and costs.

(E) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that negligently violates this chapter is liable for the greater of actual damages or one thousand dollars for each incident, as well as reasonable attorney's fees and costs.

(F) In addition to the damages assessed pursuant to subsections (D) and (E), if the injury is to the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, employment options, or eligibility for insurance, and results from the failure to take inaccurate information off of a credit report and the failure is not corrected by the consumer credit-reporting agency within ten days after the entry of a judgment for damages, the assessed damages must be increased to one thousand dollars each day until the inaccurate information is removed from the consumer's record.

(G) A consumer seeking damages pursuant to this section also may institute a civil action to enjoin and restrain future acts constituting a violation of this chapter.

(H) The remedial provisions of this chapter are cumulative of and in addition to any other action at law and any action taken by the Department of Consumer Affairs pursuant to Chapter 6 of this title.

(I) This section is not intended, and must not be construed, to confer liability on a person who acts reasonably and who does not act wilfully or negligently.

SECTION 37-20-180. Restrictions on publication and use of social security numbers; exceptions.

(A) Except as provided in subsection (B) of this section, a person may not:

(1) publicly post or publicly display or otherwise intentionally communicate or make available to the general public a consumer's social security number or a portion of it containing six digits or more;

(2) intentionally print or imbed a consumer's social security number or any portion of it containing six digits or more on any card required for the consumer to access products or services provided by the person;

(3) require a consumer to transmit his social security number or a portion of it containing six digits or more over the Internet, unless the connection is secure or the social security number is encrypted;

(4) require a consumer to use his social security number or a portion of it containing six digits or more to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site;

(5) print a consumer's social security number or a portion of it containing six digits or more on materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed;

(6) sell, lease, loan, trade, rent, or otherwise intentionally disclose a consumer's social security number or a portion of it containing six digits or more to a third party without written consent to the disclosure from the consumer, unless the third party seeking disclosure of the social security number does so for a legitimate business or government purpose or unless authorized or specifically permitted by law to do so or unless the disclosure is otherwise imperative for the performance of the person's duties and responsibilities as prescribed by law. A legitimate business purpose of the third party includes, but is not limited to, locating an individual to provide a benefit to that individual, such as a pension, insurance, or unclaimed property benefit, or to find an individual who is missing or a lost relative, or to serve civil process. A legitimate purpose of the third party does not include the bulk purchase or rental of social security numbers or use in marketing.

(B) This section does not apply:

(1) if a social security number is included in an application or in documents related to an enrollment process, or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the social security number for the purpose of obtaining a credit report pursuant to the federal Fair Credit Reporting Act. A social security number that is permitted to be mailed pursuant to this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope or may not be visible on or through the envelope;

(2) to the collection, use, or release of a social security number for internal verification or administrative purposes;

(3) to the opening of an account or the provision of or payment for a product or service authorized by a consumer;

(4) to the collection, use, or release of a social security number to investigate or prevent fraud, conduct background checks, conduct social or scientific research, collect a debt, including a debt collected pursuant to the Setoff Debt Collection Act, Section 12-56-10, and the Governmental Enterprise Accounts Receivable Collections program, Section 12-4-580, or obtain a credit report from or furnish data to a consumer reporting agency, pursuant to the federal Fair Credit Reporting Act or to undertake a purpose permissible pursuant to the Gramm-Leach-Bliley Act or Driver's Privacy Protection Act;

(5) to a person acting pursuant to a court order, warrant, subpoena, or other legal process;

(6) to a person providing the social security number to a federal, state, or local government entity, including a law enforcement agency or court, or their agents or assigns;

(7) to a financial institution as defined in the Gramm-Leach-Bliley Act;

(8) to the submission and use of a social security number or other personal identifying information as part of the maintenance and reporting of employment records, employment verification, or in the course of the administration or provision of employee benefits programs, claims, and procedures related to employment including, but not limited to, termination from employment, retirement from employment, injuries suffered during the course of employment, and other such claims, benefits, and procedures;

(9) to a recorded document in the official records of a county; or

(10) to a document filed in the official records of the court.

SECTION 37-20-190. Requirements for disposition of business records; exceptions.

(A) When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.

(B) A business is considered to comply with subsection (A) if it contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with subsection (A).

(C) This section does not apply to:

(1) a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act;

(2) a health insurer that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996; or

(3) a consumer credit-reporting agency that is subject to and in compliance with the federal Fair Credit Reporting Act.

SECTION 37-20-200. Penalties imposed on consumer credit-reporting agencies for violation of chapter.

(A) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that wilfully violates a provision of this chapter is liable for three times the amount of actual damages or not more than one thousand dollars for each incident, whichever is greater, as well as reasonable attorney's fees and costs.

(B) In addition to all other penalties that may be imposed, a consumer credit-reporting agency or other person that negligently violates this chapter is liable for actual damages and reasonable attorney's fees and costs.

(C) In addition to the damages assessed pursuant to subsections (A) and (B), if the injury is to the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, employment options, or eligibility for insurance, and results from the failure to place and enforce the security freeze provided for in Section 37-20-160 and the failure is not corrected by the consumer credit-reporting agency within ten days after the entry of a judgment for damages, the assessed damages must be increased to not more than one thousand dollars each day until the security freeze is imposed.

(D) A consumer seeking damages pursuant to this section also may institute a civil action to enjoin and restrain future acts constituting a violation of this chapter.

(E) The remedial provisions of this chapter are cumulative of and in addition to any other action at law and any action taken by the Department of Consumer Affairs pursuant to Chapter 6 of this title.

(F) This section is not intended, and must not be construed, to confer liability on a person who acts reasonably and who does not act wilfully or grossly negligent.

(G) Damages provided by this section do not apply to Section 37-20-170.